Pwning Script Kiddies – Acunetix Buffer Overflow

Introduction

Recently a security researcher named "Danor Cohen – An7i" found a buffer overflow vulnerability in Acunetix Web Vulnerability Scanner 8.0 and wrote a nice exploit for it. Since that exploit was an ASCII-based one, and my previous exploit was ASCII-based as well, I was interested in re-writing it. With the rise of bug bounties and responsible disclosure policies I've seen many people firing up web application security scanners against live hosts where automated vulnerability assessments are not permitted at all. Well, by triggering this buffer overflow vulnerability we can have some fun owning the noobs 😉

Crash

When we submit a new website to be scanned by Acunetix, it searches the page for HTML tags like `<img src="">` and `<a href="">` to discover additional hosts referenced from that website. So if we place an HTML tag in the page like

I first used 1000 "A" characters to crash the app. I created an HTML file with the above payload, clicked "New Scan", entered the target and kept clicking Next until this dialog box appeared.

Acunetix detects http://AAAAAA as an external website under Additional Hosts. Tick it and proceed 😉 The app will terminate. Let's have a closer look in the debugger.

Immunity Debugger

We can clearly see that the app accepts only printable ASCII characters, since we are dealing with a URL string. We cannot inject special ASCII characters either, such as ' " / #, because they get URL-encoded. So our character set is roughly 0-9, a-z, A-Z and characters like ={}!()[]. We can also see that the EDX register has been overwritten with "A" characters.
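The crash above is triggered by an additional host whose name is far longer than any legitimate DNS name, pulled straight out of an `<img src>` attribute. As an added illustration of the defensive side, not code from this post or from Acunetix (how version 9 actually fixed the bug is not stated here), the following Python example extracts candidate additional hosts from a page the way a scanner would and rejects any hostname that violates the RFC 1035 length limits (253 characters total, 63 per label) or the hostname character set before it could ever reach a fixed-size buffer. The sample page and the `scanned.example.net` origin are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

MAX_HOSTNAME = 253  # RFC 1035: total hostname length limit
MAX_LABEL = 63      # RFC 1035: per-label length limit
# One DNS label: alphanumeric, hyphens allowed only in the middle
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


class LinkExtractor(HTMLParser):
    """Collects href/src attribute values from <a> and <img> tags."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = {"a": "href", "img": "src"}
        if tag in wanted:
            for name, value in attrs:
                if name == wanted[tag] and value:
                    self.urls.append(value)


def valid_hostname(host):
    """True only if host fits DNS length and character rules."""
    if not host or len(host) > MAX_HOSTNAME:
        return False
    labels = host.rstrip(".").split(".")
    return all(len(label) <= MAX_LABEL and LABEL_RE.match(label)
               for label in labels)


def extract_additional_hosts(page_html, origin_host):
    """Return (accepted, rejected): hosts safe to queue, and oversized or
    malformed ones recorded as (truncated_name, original_length)."""
    parser = LinkExtractor()
    parser.feed(page_html)
    accepted, rejected = [], []
    for url in parser.urls:
        host = urlsplit(url).hostname  # None for relative links
        if host is None or host == origin_host:
            continue
        if valid_hostname(host):
            if host not in accepted:
                accepted.append(host)
        else:
            shown = host[:40] + "..." if len(host) > 40 else host
            rejected.append((shown, len(host)))
    return accepted, rejected


# Constructed sample page: two legitimate external links, one same-host
# link, one relative link, and one oversized "A" hostname like the
# crash payload described in the post.
SAMPLE_PAGE = (
    '<html><body>'
    '<a href="http://example.com/about">about</a>'
    '<img src="http://static.example.org/logo.png">'
    '<a href="http://scanned.example.net/login">login</a>'
    '<a href="/local/page">local</a>'
    '<img src="http://' + "A" * 1000 + '">'
    '</body></html>'
)

if __name__ == "__main__":
    ok, bad = extract_additional_hosts(SAMPLE_PAGE, "scanned.example.net")
    print("accepted:", ok)
    print("rejected:", bad)
```

The length check runs before any label parsing, so a 1000-byte name is discarded on the cheapest test; the regular expression then enforces the same printable, hyphen-restricted character set that the post notes a URL host is limited to, which also removes the encoded-character edge cases from the scanner's input.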

We can see that EIP is pointing at this memory location, where the instruction reads:

the value at [EDX-8] is moved into the ECX register.

We somehow need to repair the application's control flow. According to An7i, the address 0x66303035 ("f005") works: it consists entirely of printable ASCII characters with no URL-encoding issues or bad characters 🙂

Building the Exploit

It's time to start developing the exploit. I will be using Python; you can use whatever you like, the language doesn't really matter. First let's create a cyclic pattern and find the exact offset at which EDX is overwritten.

EDX contains the value 6A413969. Let's check the offset.

After 268 bytes we can write the address that ends up in EDX and steers the application's flow. Yes! We were also able to overwrite EIP; it sits 4 bytes further on. Next we can place our shellcode at ESP and pwn the system, but our jmp esp address must consist of printable ASCII characters.

Let's find a printable ASCII jmp esp address using mona.

I will be using the address from "WINHTTP.dll". That address spells "MRcI", which is perfect for our exploit. The payload has to be encoded with the x86/alpha_mixed encoder. You can encode your payload manually like this

or pipe msfpayload straight into msfencode and get the job done.

Final Exploit

The latest version, 9, is not vulnerable. Don't get pwned, kiddies 😉

CVE-2014-2994
http://packetstormsecurity.com/files/126307/Acunetix-8-Scanner-Buffer-Overflow.html

SANS InfoSec Handlers Diary Blog:
https://isc.sans.edu/diary/Using+Security+Tools+to+Compromize+a+Network/21903

8 thoughts on "Pwning Script Kiddies – Acunetix Buffer Overflow"

  1. Great ...
    But Danor Cohen -> An7i says:
    -----------------------------------------------------------
    well, I can tell you that newer versions are vulnerable too. I just didn't mention that in my article, but I tested it myself. Version 9 is the only one that isn't vulnerable. 🙁
    -----------------------------------------------------------
    My ? is:
    I can't find v8 of Acunetix. Can you give me a link to yours? And is it cracked?
    Thanks 4 share 🙂
